Faculty and Staff Electronic Mail Policy
Effective Date Jun 1, 2010
Scope – This policy applied to all Faculty and Staff excluding Student Employees and GSA’s
Functional Changes – The Department of Information Technology may change the functionality of the electronic communicates systems as required to provide reliable service and to meet current and future best practices.
Legal Requirements – All Electronic Communications must comply with Federal and State legal requirements including but not limited to CAN-SPAM, FERPA and HIPPA.
Authorized Usage — Florida Institute of Technology electronic communications systems generally must be used for business activities only. Incidental personal use is permissible as long as it does not consume more than a trivial amount of system resources, does not interfere with worker productivity, and does not preempt any business activity. Florida Institute of Technology electronic communication systems must not be used for, political advocacy efforts, religious efforts, private business activities, or personal entertainment. News feeds, electronic mail mailing lists, push data updates, and other mechanisms for receiving information over the Internet must be restricted to material that is clearly related to both Florida Institute of Technology business and/or the duties of the receiving workers. Workers are reminded that the use of information system resources must never create the appearance or the reality of inappropriate use.
Default Privileges — Electronic communication systems must be established and maintained so that only the privileges necessary to perform a job are granted to a worker. For example, when a worker’s relationship with Florida Institute of Technology comes to an end, all of the worker’s privileges on Florida Institute of Technology electronic communications systems also must cease. With the exception of emergencies and regular system maintenance notices, broadcast facilities must be used only after the permission of a department manager has first been obtained.
User Separation — Where electronic communications systems provide the ability to separate the activities of different users, these facilities must be implemented. For example, electronic mail systems must employ personal user IDs and secret passwords to isolate the communications of different users. Unless a computerized fax mailbox system is employed, fax machines that do not generally have separate mailboxes for different recipients, so such user separation is not required. Florida Institute of Technology has established user separation, workers must not employ the user ID or the identifier of any other user under the terms of Acceptable Use Policy.
User Accountability — Regardless of the circumstances, individual passwords must never be shared or revealed to anyone else besides the authorized user. Information Technology Department staff must never ask users to reveal their passwords. If users need to share computer resident data, they should utilize message forwarding facilities, public directories on local area network servers, groupware databases, and other authorized information-sharing mechanisms. To prevent unauthorized parties from obtaining access to electronic communications, users must choose passwords that are difficult to guess. For example, users must not choose a dictionary word, details of their personal history, a common name, or a word that reflects work activities.
User Identity — Misrepresenting, obscuring, suppressing, or replacing another user’s identity on an electronic communications system is forbidden. The user name, electronic mail address, organizational affiliation, and related information included with electronic messages or postings must reflect the actual originator of the messages or postings. With the exception of hot lines that are intended to be anonymous, workers must not send anonymous electronic communications. Electronic mail "signatures" indicating job title, company affiliation, address, and other particulars are strongly recommended for all electronic mail messages. Digital certificates are also recommended for electronic mail as a way to authenticate the sender's identity.
Respecting Intellectual Property Rights — Although the Internet is an informal communications environment, the laws for copyrights, patents, trademarks, and the like still apply. Workers using Florida Institute of Technology electronic mail systems must repost or reproduce material only after obtaining permission from the source, quote material from other sources only if these other sources are properly identified, and reveal internal Florida Institute of Technology information on the Internet only if the information has been officially approved for public release. All information acquired from the Internet must be considered suspect until confirmed by another source. There is no quality control process on the Internet, and a considerable amount of information posted on the Internet is outdated, inaccurate, and/or deliberately misleading.
Respecting Privacy Rights — Except as otherwise specifically approved by the Information Security Officer, workers must not intercept or disclose, or assist in intercepting or disclosing, electronic communications. Florida Institute of Technology is committed to respecting the rights of its workers, including their reasonable expectations of privacy. Florida Institute of Technology is also responsible for operating, maintaining, and protecting its electronic communications networks. By making use of Florida Institute of Technology systems, users consent to permit all information they store on Florida Institute of Technology systems to be divulged to law enforcement at the discretion of Florida Institute of Technology management.
To accomplish legal objectives, it is occasionally necessary to intercept or disclose, or assist in intercepting or disclosing, electronic communications and may employ content monitoring systems, message logging systems, and other electronic system management tools.
No Guaranteed Message Privacy — Florida Institute of Technology cannot guarantee that electronic communications will be private. Workers must be aware that electronic communications can, depending on the technology, be forwarded, intercepted, printed, and stored by others. Electronic communications can be accessed by people other than the intended recipients in accordance with this policy. Because messages can be stored in backups, electronic communications actually may be retrievable when a traditional paper letter would have been discarded or destroyed. Workers must accordingly be careful about the topics covered in Florida Institute of Technology electronic communications, and should not send a message discussing anything that they would not be comfortable reading about on the front page of their local newspaper.
Contents of Messages — Workers must not use profanity, obscenities, or derogatory remarks in electronic mail messages discussing employees, customers, competitors, or others. Such remarks, even when made in jest, may create legal problems such as trade libel and defamation of character. It is possible that these remarks would later be taken out of context and used against Florida Institute of Technology. To prevent these problems, workers must concentrate on business matters in Florida Institute of Technology electronic communications. As a matter of standard business practice, all Florida Institute of Technology electronic communications must be consistent with conventional standards of ethical and polite conduct (no "flaming" is allowed).
Statistical Data — Consistent with generally-accepted business practice, Florida Institute of Technology collects statistical data about its electronic communication systems. For example, call detail reporting information collected by telephone switching systems records the numbers dialed, the duration of calls, the time of day when calls were placed, etc. Using such information, technical support personnel monitor the use of electronic communications to ensure the ongoing availability, reliability, and security of these systems. Florida Institute of Technology employs computer systems that analyze these types of statistical information to detect unauthorized usage, toll fraud, denial of service attacks, and other problems.
Incidental Disclosure — It may be necessary for technical support personnel to review the content of an individual worker's communications during the course of problem resolution. These staff members must not review the content of an individual worker’s communications out of personal curiosity or at the request of individuals who have not gone through proper approval channels. Advance approval by the Information Security Officer is required for all such monitoring.
Message Forwarding — Electronic communications users must exercise caution when forwarding messages. Blanket forwarding of messages to parties outside Florida Institute of Technology is prohibited unless the prior permission of the Information Security Officer has been obtained. Messages sent by outside parties must not be forwarded to other third parties unless the sender clearly intended this and such forwarding is necessary to accomplish a customary business objective. In all other cases, forwarding of messages sent by outsiders to other third parties can be done only if the sender expressly agrees to this forwarding.
Handling Alerts About Security — Users must promptly report all information security alerts, warnings, and reported vulnerabilities to the Information Security Department. Information Security is the only organizational unit authorized to determine appropriate action in response to such notices. Users must not utilize Florida Institute of Technology systems to forward these notices to other users, whether the other users are internal or external to Florida Institute of Technology. Users must promptly report all suspected security vulnerabilities or problems that they notice to Information Security (firstname.lastname@example.org).
Public Representations — Florida Institute of Technology, as a matter of policy, does not send unsolicited electronic mail. Nobody outside Florida Institute of Technology may be placed on an electronic mail distribution list without indicating their intention to be included on the list through an opt-in process. If Florida Institute of Technology workers are bothered by an excessive amount of unwanted messages from a particular organization or electronic mail address, they must not respond directly to the sender. Recipients must forward samples of the messages to the system administrator in charge of the electronic mail system for resolution. Workers must not send large number of messages in order to overload a server or user’s electronic mailbox in retaliation for any perceived issue.
Purging Electronic Messages — Messages no longer needed for business purposes must be periodically purged by users from their personal electronic message storage areas.
Use At Your Own Risk — Workers access the Internet with Florida Institute of Technology facilities at their own risk. Florida Institute of Technology is not responsible for material viewed, downloaded, or received by users through the Internet. Electronic mail systems may deliver unsolicited messages that contain offensive content.
Establishing Electronic Business Systems — Although Florida Institute of Technology implements electronic data interchange (EDI), Internet commerce, and other electronic business systems with third parties, all contracts must be formed by paper documents prior to purchasing or selling through electronic systems. EDI, electronic mail, and similar binding business messages must be releases against blanket orders, such as a blanket purchase order. All electronic commerce systems must be approved by the CIO (Chief Information Officer), the Information Security Officer, and the chief legal counsel prior to usage.