Table of contents
Purpose
The University of Maryland (“UMD” or the “University”) provides an institutional email system to promote secure communication and collaboration, allow for business continuity, and maintain effective handling of institutional data. The use of email systems to conduct University Business is subject to federal, state, and local legal, regulatory, and statutory requirements, including but not limited to the Family Educational Rights and Privacy Act ("FERPA") and the State of Maryland’s public records laws, as well as University and University System of Maryland policies and procedures. Noncompliance with these laws and regulations could result in a loss of federal funding, as well as civil and criminal penalties; noncompliance with these laws, regulations, and policies/procedures could have a severe adverse impact on UMD’s mission, safety, finances, or reputation. This Email Standard (the "Standard") sets forth fundamental requirements for the appropriate use of email systems to conduct University Business. Compliance with this Standard is necessary for the University to meet all the requirements of the USM IT Security Standards and the UMD Policy on Acceptable Use of Information Technology Resources.
Definitions
Term | Definition |
---|---|
University Business | The work performed on behalf of the University by its personnel (including faculty, staff, student employees, and other persons whose conduct falls under University operations), whether or not such persons receive compensation for performing this work. |
Institutional Email | The UMD email system/platform provided and maintained by the Division of Information Technology (username@umd.edu) enabled by Google Workspace for Education, also known as UMD Gmail or UMD Email. |
Approved Email System | UMD Institutional Email (aka UMD Gmail), plus any administrative, academic, or programmatic unit’s email system granted a waiver by the Division of IT. |
Requirements
- The University requires its personnel to use an Approved Email System to conduct University Business. Specifically, all email sent by University personnel regarding University Business must be sent from an Approved Email System.
- Email is an inherently insecure medium for transmitting private or confidential information. Email must not be used to transmit data with a risk level of High (Level 3) or Restricted (Level 4) as defined by the IT-2 University of Maryland Data Classification Standard.
- As State of Maryland employees, UMD personnel should not use an Approved Email System for private gains or personal matters, or matters that create or appear to create either a conflict of interest or an endorsement by the University. While incidental personal use of UMD Email is acceptable, employees are strongly encouraged to use a separate, non-UMD email system for personal matters.
- There are significant differences in the agreement language and the data collected between a typical consumer Gmail account and UMD's Gmail (G Suite for Education) accounts. Therefore, automatically forwarding emails and documents from an Approved Email System to another email account/platform (e.g., @gmail.com, @yahoo.com, etc.) is prohibited. This practice greatly elevates the risks of sharing information that is protected as confidential by federal and/or state law or the University’s contractual obligations. If University personnel are required by the terms of a University contract or other legal agreement to use a United States federal agency email account, the University may permit University email to be forwarded to a federal agency email account or otherwise defer to any federal agency requirements incorporated into the University’s applicable collaboration or sponsored research agreement.
- University personnel may enable a UMD Gmail account on multiple devices including mobile phones. To prevent accidental use of a personal email address when conducting University Business, it is strongly recommended that an Approved Email System is used as the default outbound setting on devices.
Implementation
- Each University administrative, academic, and programmatic unit must establish priorities and timetables to decommission their legacy email systems and transition their users to the UMD email system before June 30, 2020. Units were to communicate their plans to the Division of Information Technology at emailconsolidation@umd.edu before November 30, 2019.
- Subject to approval by the respective relevant unit heads and deans, the use of legacy email addresses of the form @[unit].umd.edu may continue for both inbound and outbound email as long as this email is sent and delivered by an Approved Email System.
Applies To
All members of the University Community who conduct University Business via email. Excludes TERPmail, which is the University of Maryland’s institutional student platform for communicating academic information and providing cloud storage and productivity and collaboration tools. All students and accepted applicants may be granted a TERPmail address.
Procedures
Waiver
A unit that has unique business requirements that cannot be met by the Institutional Email must submit a waiver form explaining, in detail, how conformance with this Standard would be noncompliant with federal or state laws. For example, University personnel conducting classified work are required to use an email system that meets federal government statutory or contractual requirements in specific situations. Waivers must be requested by a unit head responsible for overseeing the administrative, academic, or programmatic unit and approved by the respective Dean or Vice President and the Division of Information Technology. The Division of Information Technology VP/CIO may grant waivers to this security Standards for a period of up to 3 years (with the option for renewal). Consistent with the UMD Policy on Acceptable Use of Information Technology Resources, a waiver may be revoked at any time by the VP/CIO.
Waivers to forward Intuitional Email to U.S. federal agencies when required by contract, may be granted by the CIO in consultation with the Office of General Council.
Violation
Failure to comply with this standard constitutes a violation of the UMD Policy on Acceptable Use of Information Technology Resources.
Review
The VP/CIO or a designee will initiate a review and necessary revisions of this standard as needed, with appropriate input from the Division of Information Technology staff and the IT Council.
Responsibilities
Position/Office | Responsibilities |
---|---|
Vice president/chief information officer |
|
Division of Information Technology |
|
IT Council | Reviews and makes decisions related to this standard. |
University administrative, academic, and programmatic units |
|
Faculty, staff, and student workers conducting business on behalf of the University |
|
Resources
- DIT Email Standard FAQs
- State of Maryland Information Technology Security Manual
- USM IT Security Standards
- USM Regents Policy on USM Institutional Information Technology Policies
- UMD Policy on Acceptable Use of Information Technology Resources
- UMD FERPA Training
- UMD Student Privacy(FERPA explained)
- University of Maryland’s Data Classification Standards
Contacts
Subjects | Office | Telephone | Email/URL |
---|---|---|---|
IT Standard and complaints | Division of Information Technology | 301.405.1500 | itsupport@umd.edu |
Training or technical help | it.umd.edu |
History
Recommended by the IT Council and issued by the VP/CIO on: 10/01/2019. Revisions recommended by the IT Council Nov. 2020 and issued by the CIO Nov. 2020.