UM Electronic Communications Standard
UM Information Security Office - Area: Information Security Policy
Document History
Date | Document Version | Revision Description | Author |
---|---|---|---|
4/15/2023 | 1.0 | New Document | Neff, CISO |
Approvals
Approval Date | Approved Version | Approver Role | Approver |
---|---|---|---|
5/1/2024 | 1.0 | CISO | Neff, CISO |
Introduction
This UM Electronic Communications Standard outlines the necessary actions each person or organization with access to University of Montana System electronic communications is responsible for taking to ensure the integrity of the systems and data for which UM is responsible.
Electronic Communication (such as electronic mail, instant messaging, and audio/video conferencing) is a primary means of communication both within UM and externally. It allows quick and efficient conduct of University Business.
Compliance with this Standard ensures that University Data is appropriately managed and secured and ensures recipients of Electronic Communications can feel confident of the integrity and authenticity of the source, further safeguarding the reputation of the University.
Departments and units may impose more, but not less, stringent procedures as they deem appropriate or necessary to preserve the University's information assets.
The authority for implementation and enforcement of this Electronic Communications Standard is based on the UM Information Security Policy. The implementation of this Electronic Communications Standard will adhere to the UM Appropriate Use of Technology Resources Standard, including provisions on the privacy and confidentiality of Electronic Communications.
Definitions
Electronic Communications or Electronic Communications Platform
For the purposes of this Standard, Electronic Communications are any method of exchanging or transmitting University Data or conducting University Business over electronic mail (email), instant messaging (including chat or text message functionality), video conferencing, or audio conferencing.
University Data (Institutional Data)
All data that the University is responsible and accountable for protecting. This data includes, but is not limited to, data the University owns, collects, intellectual property owned by faculty or others, staff data, student data, faculty data, research data, personal information, alumni data, vendor and contractor data, and data that the university shares or provides to third parties for storage, processing, and analysis.
University-owned Systems or Devices
Information Technology equipment (including, without limitation, laptops, desktops, tablets, mobile phones, and IoT devices) that are the responsibility of the University to account for and provide appropriate safeguards. This includes equipment purchased (either directly or by reimbursement) or devices with documented ownership or responsibility transferred to the University from another institution or organization.
Personal or Personally-owned Devices
Information Technology equipment (including, without limitation, laptops, desktops, tablets, mobile phones, and IoT devices) that are wholly owned by an employee, student, or affiliate of the University. This includes devices for which a user receives a stipend or subsidy, such as a mobile communication allowance.
University Business
Any activity carried out under the auspices of the University of Montana and in furtherance of the University’s mission.
University Network
The University Network is the infrastructure and equipment that connects information and communication technology to enable the exchange of data and information at UM and UM System. This includes connections limited to within the university and the broader Internet. The University Network includes both physical wired (wall jacks, wiring, routers, switches, etc.) and wireless network components, including ad-hoc wireless networks. The University Network also includes connections provided by a third-party telecommunications provider but managed by UM IT, or network paths over hardware or software (such as VPN, site-to-site tunnel, etc.) by which a user or device receives a UM-managed IP address, telephone number, or another UM-owned network descriptor.
STANDARD
Purpose
Per this Standard, only an approved University of Montana Electronic Communications Platform may be used whenever University Business is conducted or Institutional Data is exchanged via Electronic Communications. Specifically, all email, instant messaging, and videoconferencing for University Business must be conducted on a platform provided by and/or approved by University of Montana Information Technology (UM IT) for that purpose.
Scope
The scope of this Standard applies to all information and communication technology that can be used to transmit or receive Electronic Communications (such as email, instant messaging, or videoconferencing). The audience of this Standard is everyone – faculty, staff, students, and affiliates – who performs University Business on behalf of the University.
Control Requirements
The following are foundational and fundamental control requirements that all sectors and business units must follow. University sectors or business units that have additional regulatory or contractual requirements may require specific control requirements or capabilities in addition to what is defined below.
- An Electronic Communications Platform approved by UM IT must be used whenever University Business is conducted. Everyone who performs University Business on behalf of the University (e.g., faculty, staff, students employed by the University, etc.) shall not use any unapproved communication platforms to send or receive Electronic Communications in the course of performing University Business.
- Any Electronic Communications Platform not approved by UM IT may be submitted to the UM Information Security Office (ISO) for consideration of approval or exception. The UM Information Security Office, in consultation with the UM Information Security Advisory Committee (ISAC), will ensure communications platforms comply with applicable policies, standards, laws, and regulations to minimize the risk of Institutional Data being inadvertently sent or disclosed to unauthorized individuals or entities.
- Electronic Communications records (e.g., emails, instant messages, videoconference recordings) that contain Confidential Data or Restricted Data (defined in the UM Data Classification and Stewardship Standard) may not be copied or downloaded to any devices or data storage platform that is not approved and secured according to Confidential or Restricted Framework Controls (as defined in the UM Data Security Standard). UM IT-approved Electronic Communication Platforms may be used on personally owned mobile devices such as mobile phones, tablets, watches, etc., for Restricted Data, if those devices are appropriately secured following University policies and standards for protection of endpoint devices.
- Members of the University Community are advised that the use of personal devices (including mobile phones/devices) for University Business may result in such devices being subject to subpoenas or other legal discovery actions as personal devices may not be protected by UM legal processes.
- Emails (including calendar entries and invitations), file attachments, and other Institutional Data shall not be automatically forwarded through any means to a non-approved third-party or affiliated Electronic Communications Platform or email domain.
- Emails (including calendar entries and invitations) and file attachments may be manually forwarded by a University user to a non-approved third-party or affiliated email domain or Electronic Communications Platform as long as such forwarding is in furtherance of University Business, and/or will not result in the inappropriate disclosure or loss of Institutional Data.
- Requests for approval of an Electronic Communications Platform not listed in this Standard may be submitted to the UM Information Security Office for review and approval.
Procedures
The following are foundational elements for ensuring compliance with the requirements outlined in this Standard. Additional requirements may be imposed for members of the University community with access to Confidential Data or Restricted Data.
Electronic Mail (Email)
All faculty, staff, students, and other approved members of the University community doing University Business will be assigned an Official set of unique logon credentials and an Official Email Address, which is the address at which University Business is to be sent and received. The Official Email Address will be the address to which all official University correspondence is sent. Each Official Email Address will include a mailbox assigned to one of the UM-approved email systems:
- Microsoft Exchange 365 (@umontana.edu, @mso.umt.edu, and @umconnect.umt.edu addresses)
Individuals may be provided multiple mailboxes to accommodate multiple types of University Business. For example, students may be assigned an additional mailbox for the purposes of teaching or research. Individuals with multiple mailboxes should use their Official Email Address for all University Business except that for which another mailbox was specifically assigned.
Personal use of an Official Email Address is allowed, provided that such personal use:
- Does not materially interfere with performance of University Business;
- Does not interfere with the performance of a University Network; and
- Is in compliance with this and other University policies and standards.
NOTE: Personal communications through an Official Email Address may fall under the UM Appropriate Use of Technology Resources Standard and may be viewed by the University, for purposes outlined in that Standard.
Instant Messaging
Employees, students, and approved contractors/affiliates are permitted to conduct University Business over instant messaging platforms approved by UM IT. The current approved instant messaging platforms are:
- Microsoft Teams (when accessed through a user’s University-assigned Microsoft 365 account)
- Chat capabilities within approved UM software applications, such as Zoom.
Audio or Video Conferencing
Employees, students, and approved contractors/affiliates are permitted to conduct University Business over UM-provided or UM-approved video or audio conferencing. The current UM-provided video/audio conferencing platforms are:
- Zoom (when accessed through a UM license)
- Microsoft Teams (when accessed through a user’s University-assigned Microsoft 365 account)
Individuals should exercise caution when attending meetings hosted by platforms from outside UM, as UM cannot verify the security or integrity of the communication.
Other platforms for electronic communications, including, but not limited to, WebEx, GoTo Meeting, WhatsApp, or Google Chat, are not approved business communication platforms and should be avoided when possible. When conducting University Business with external parties using these and other unapproved platforms, members of the University community should exercise caution, as the security and privacy of Institutional Data is unknown.
Additional platforms may be approved as an exception by the UM Information Security Office for electronic communications at the individual college/school/unit level. If you have any questions about whether a specific platform can be used for University Business, please contact the UM Information Security Office.
Exceptions
Requests for any exceptions to this Standard should be submitted to the UM Information Security Office and will be reviewed in consultation with the UM Information Security Advisory Committee.
References
- MUS BOR 1300.1
- UM Information Security Policy
- UM Acceptable Use of Technology Resources Standard
- UM Data Classification and Stewardship Standard