EMAIL ACCOUNTS
All faculty, staff, students, governing board members, and temporary employees will be provided with an Outlook account from Office365. Email addresses are typically firstname.lastname@sfcc.edu. The email address may also include a number. The assigned usernames are created based on provided legal names.
Requests for changes of email addresses must begin in Human Resources for an employee or the Records Office for a student. Name changes require documentation of legal name change. Email address changes are not automated and additionally require a ticket using the OIT Service desk icon on the desktop. See Policy 7-1 for additional information about username and account name changes.
Contractors may occasionally be issued an email account. Contractors issued an email address are expected to follow this and all other SFCC policies and procedures. Contractor email accounts must be requested by the Department sponsoring the contractor. The request requires the approval of the appropriate VP or Executive Director. Contractor accounts will only be active for three months at a time. When the account expires the departments must complete the request again.
SFCC email accounts are provided solely for official SFCC business. All users are required to check their SFCC email regularly and respond to official communications in a timely manner.
ACCESSING EMAIL FROM AN SFCC OWNED DEVICE
Outlook Web App, Outlook for Mac, and the desktop version of Microsoft Outlook are the supported applications for accessing email on SFCC‑owned devices. Campus computers already have Outlook installed, and selecting the Outlook icon will typically create a user profile automatically. All users will be required to sign in with their SFCC credentials and complete multi‑factor authentication (MFA) when accessing email.
ACCESSING EMAIL VIA A WEB BROWSER
Email may be accessed by logging in to https://my.sfcc.edu and clicking on the Outlook Web App icon in the applications section in the middle of the page.
ACCESSING EMAIL ON A PERSONAL MOBILE DEVICE
OIT provides limited configuration support for email access on personal devices. Outlook is the supported tool for accessing email.
Employees who have email delivered to a personal mobile device are responsible for ensuring that their device is secured with a passcode and is auto-locking. Mobile devices should also be kept current with patches and the operating system version must be supported. Mobile devices should have anti-virus and anti-malware software. No other person should be able to access an employee’s SFCC email on mobile devices.
OIT reserves the right to limit access to any device which does not meet SFCC security requirements. OIT may also enforce security requirements for personal devices, including requirements for a passcode, encryption, or other basic security settings. When an employee is terminated, OIT may attempt to delete SFCC email settings and data from any registered personal device.
Students are strongly encouraged to ensure that their mobile devices have appropriate security settings, are kept up-to-date, and have strong passwords. SFCC reserves the right to limit access to any insecure or problematic device.
INSTALLING OUTLOOK ON A PC OR MAC
Staff, faculty, and credit students enrolled in the current semester may download and install Office Pro Plus by logging in to https://my.sfcc.edu and clicking on the Office 365 link from the applications section in the middle of the page. In the upper right of the Office 365 page click on Install Office. Follow the instructions to download the software to your device.
After the installation is complete it will require authentication with an SFCC username and password. Username is firstname.lastname@sfcc.edu. It may also contain a number. The password is the same as your password for MySFCC.
INSTALLING OUTLOOK ON ANDROID OR IOS DEVICES
Staff, faculty, and credit students enrolled in the current semester may download and install Outlook by visiting the appropriate app store and searching for Outlook. After the installation is complete it will require login with an SFCC username and password for subscription purposes.
OTHER EMAIL APPLICATIONS
Many email tools will allow access to Office 365 email accounts. Those wishing to use a tool other than Outlook should reference the tool’s support site for instructions on how to configure an Office 365 account. In general, the only information required is your SFCC username and password.
To ensure security and proper support, employees should use only the Outlook app for email on mobile devices. Employees should not receive, send or access confidential information on any device outside of Outlook.
OIT can’t guarantee the functionality or security of any third-party tools and will only provide limited configuration support. OIT will not provide troubleshooting support for other email tools installed on personal mobile devices.
FORWARDING EMAIL
Before you forward your email to another service, remember that OIT can’t guarantee the arrival of email at another email service. If forwarding fails, you may miss important information for which you are still responsible.
Employees who work with sensitive information or Personally Identifiable Information (PII) are strictly prohibited from enabling email forwarding. OIT does not support or assist with the setup of external email forwarding for employees.
SEPARATION FROM THE COLLEGE
Staff and Full-time Faculty email accounts will be disabled upon termination. Email accounts will be kept for a minimum of 6 months after termination.
Supervisors should ensure an Out of Office reply and email forwarding are configured in accounts for any departing employee. If this is not done in advance of the termination, supervisors may enter a request through the Tech Support OIT icon for email forwarding and an Out of Office Reply.
Adjunct faculty will continue to have access for approximately 365 days after their last completed course, at which time their email account will be disabled. Email accounts will be kept for a minimum of 6 months after this date.
Students will retain access to their Office 365 email for up to 6 semesters after their last successful course completion. After this time, the account will be disabled and kept for three months. Students who would like their accounts removed earlier should contact the OIT Service Desk at 505-428-1222.
SHARED MAILBOXES
Departments, student clubs, committees, and groups may request shared email accounts, which will show up as a separate account within Outlook. For security and tracking reasons, OIT will not create email accounts that may be logged into directly.
Any shared mailboxes must have an owner assigned. The owner is responsible for ensuring the shared mailbox is monitored, managed, and used appropriately. The owner is also responsible for delegating access or requesting and approving access to the shared mailbox.
Requests for a shared mailbox or access can be made by entering a ticket using the Tech Support OIT link.
OIT will occasionally audit shared mailboxes to ensure they are actively being used and monitored. Shared mailboxes which are unused for a year will be deleted.
DISTRIBUTION LISTS
OIT provides campus-wide distribution lists to distribute critical information to our campus community. These distribution lists include All Staff, All Faculty, and All Students.
The ability to send to these groups is limited to those below to encourage appropriate use. Care should be taken to ensure email is sent to the appropriate audience.
- All Staff – Staff Senate Chairs or Approval from the Director of Human Resources.
- All Students – Access requires approval from the Vice President for Student Success. SGA officers may also request this access.
- All Faculty – Faculty Senate Chairs or Approval from the Vice President for Academic Affairs.
Membership in these groups is based on a campus role. OIT is not able to complete any requests to opt-out of these distribution lists or other role-based distribution lists.
OIT also provides distribution lists for other official campus groups, clubs, project teams, organizations, and departments. A group requiring a distribution list should enter a ticket using the OIT Ticket Self Service Link. Please provide a list of the requested members and the name of the person who will own the distribution list.
Requesting an addition to a distribution list requires the permission of the distribution list owner. Typically the owner can update the list or may enter a Service Desk request by calling 428-1222 or utilizing the Tech Support OIT link.
Distribution lists will be audited occasionally to ensure they are still required.
EMAIL ACCOUNT LIMITS
Email account size limits are based on the standards created by Microsoft. Current size limits include:
- Mailbox size limit: 100 GB
- Restricted sending to internal recipients: 150 (per hour).
- Maximum recipient limit: 450 (per day).
- Accounts seen sending over this limit may be blocked from use for 24 hours, as this is seen as a potential security threat. Exceptions to this limit can be made with the approval of the area Dean or Supervisors. All requests for this need to be made through the OIT ticketing system.
EMAIL SECURITY
The Office of Information Technology applies many technologies to limit the risk of email including multi-factor authentication (MFA). However, email should not be regarded as a secure method to send confidential information, such as credit card numbers, or social security numbers. Individuals should ensure they are following all policies regarding PII and email.
All email users should be extremely cautious when opening email, clicking on links, and replying to an email. Malware, phishing, whaling, and other security threats are increasingly prevalent. Bad actors are attempting to steal information, paychecks, personal information, and student financial aid.
Tips for recognizing a malicious email:
- Check the sender’s email address. Does it match the expected address?
- Hover over links. Do they match an expected link? Check for typos.
- The email contains a threat or a warning. For example, “Your account is about to be closed.”
- Attempting to get you to click on a link or open an attachment.
- Generic greeting.
- Request to verify information.
- Request for personal information, such as your password.
- Typos and strange wording.
- Urgent tone.
- You weren’t expecting the email.
This is not an exhaustive list, nor does this list ensure that an email is malicious. If you need to confirm, call the person or company using a known good phone number. Do not reply to a suspicious email or use any phone numbers found in an email. Phone numbers may be manipulated and an email account can be hacked.
If you suspect you were the victim of an email scam or clicked on a malicious link, you are responsible for notifying your supervisor and contacting OIT immediately.
KNOWBE4 AND PHISH ALERT – EMPLOYEES ONLY
KnowBe4 is a leading Security Awareness Training organization. It allows us to create a human firewall, which can protect us against malicious emails. The program consists of both a training campaign and simulated phishing attacks. The goals are to increase security awareness and decrease the number of clicks on malicious links.
OIT conducts simulated phishing attacks for all employees once a month. Clicking on one of the test links provides the user with an instructional website. If a user clicks on a link twice in a year they will be sent a training link for additional instruction.
Employees may also use the Phish Alert icon available in Outlook for Mac, Outlook for Windows, and Outlook online to submit phishing email for review. Emails from KnowBe4 will reduce your risk score, but other emails will be safely submitted to OIT for review.
Employees will be required to complete annual security awareness training through the Workday Learn platform. See Policy 7-1 for additional information.
EMAIL ENCRYPTION
Email is not considered a secure method for transmitting information. If email is sent over a public network, Wi-Fi, or even an internal network it may be intercepted and read. Encryption reduces the risk that information is readable before it reaches the destination.
Confidential or sensitive information, such as credit card numbers and social security numbers, should never be sent or stored in email. Any other sensitive information, such as financial information or other PII should be sent using an encrypted method. Anyone sending sensitive information or PII should review policy 7-3 to ensure compliance with data requirements.
Encryption Methods within Office 365 – Outlook for Windows, Outlook for Mac and in Office 365.
- [encrypt] – Allows internal SFCC Office 365 accounts to send an encrypted message to external email accounts. This will not function for email sent between @sfcc.edu accounts. Use this by typing [encrypt] within the subject of an email. You need to leave a space before the additional text.
- [donotforward] – Allows internal SFCC accounts to quickly send an encrypted message that may not be forwarded or printed. Use this by typing [donotforward] within the subject of an email. You need to leave a space before the additional text.
- Do Not Forward – Only the recipients of the email or document will be able to view or reply. The message can’t be forwarded or printed. This message is also encrypted. Use this by clicking on Options-Permission-Do Not Forward.
- Santa Fe Community College – Confidential – Only people inside of SFCC’s Office 365 tenant can access the content, make edits, or share the content. Use this by clicking on Options-Permissions-Santa Fe Community College – Confidential within an email message.
- Santa Fe Community College – Confidential View Only – Only people inside of SFCC’s Office 365 tenant can view the content. They can edit, but can’t print or share the content. Use this by clicking on Options-Permissions-Santa Fe Community College – Confidential View Only.
The Office of Information Technology also provides Microsoft SharePoint and OneDrive for specific use cases that may not be covered by the list above. Examples include the need to send reporting data that includes PII, sending legal data, tracking access to emailed data, and the need to request data from an external source. If you have a requirement not met by Office 365 encryption, please contact our Service Desk.
ATP SAFE LINKS
Safe Links is an Office 365 security feature that scans the URLs in incoming emails both at the time the message is delivered and again when the link is clicked, helping identify malicious websites. As part of this process, the link in the message is rewritten to route through Microsoft’s security service. The original URL can still be viewed by hovering over the link or inspecting the text, but the rewritten link ensures an additional layer of protection. While Safe Links helps block many dangerous links, it does not guarantee all links are safe. Employees must continue to use good judgment and follow best practices for identifying suspicious emails. Think before you click.
ATP SAFE ATTACHMENTS
Safe Attachments is an Office 365 security feature that scans email attachments for malware and other malicious content before they are made available to the user. In some cases, an email message may arrive in your inbox while its attachment is still being analyzed. Once scanning is complete and no malicious content is detected, the attachment will be released and become accessible. If Safe Attachments identifies a threat, the attachment is removed automatically to prevent exposure. Although this technology significantly reduces the risk of harmful files reaching your inbox, it does not eliminate all threats. Employees must continue to use good judgment and apply the recommended practices for recognizing suspicious emails and attachments. Think before you click.
PHISHING PROTECTION
Phishing scams are emails which attempt to present themselves as coming from a well-known company or an executive-level employee in your company. Often at SFCC, these come across as variations of the current president’s or another executive’s name. This system blocks attempts to use exact matches to SFCC’s user directory. Be aware that you may see variations on names attempting to avoid the software and trick people into buying gift cards, installing malware, or giving away credentials and personal information.
SPAM AND MALWARE SCANNING
All email is scanned for malware and spam as it arrives and as it is opened. If you are picking up email through an app other than Outlook please be cautious of clicking on links or responding to email. Accessing SFCC email on mobile devices introduces additional security risks. Employees must secure their devices with a passcode or biometric lock, keep software updated, and use only trusted apps. Devices should be configured with SFCC‑approved protections such as MFA. Although these measures help protect sensitive information, users must continue to use caution when interacting with email on mobile devices.
JUNK MAIL FOLDER
The Junk mail folder is a built-in feature of Office 365. The junk mail folder works best when you actively configure your safe and junk mail lists.
If messages are delivered to your inbox and you don’t want to see them, right-click on the message and choose Junk – Block Sender.
If messages are incorrectly delivered to your junk mail folder:
- Make sure the message is not malicious, by confirming links and email addresses.
- Right-click on the message and choose Junk – Never Block Sender to add the email address to your safe list.
- Right-click on the message and choose Junk – Not Junk to move the message to your inbox.
OIT may whitelist email addresses that are consistently flagged as junk for many users. Whitelisting requests must be submitted through the ticketing system and will only be processed when accompanied by approval from the appropriate Area VP or Dean.
DATA LOSS PREVENTION
OIT has applied policies which attempt to block email sent to external email addresses containing:
- Credit Card Numbers
- Social Security Numbers
- Student ID Numbers
- ACH
- Swift
Senders are responsible for the content of their email and should take care to ensure they are sending data and information in accordance with this and all SFCC Policies and Procedures.
BACKUPS AND ARCHIVING
While SFCC continues to archive all email for legal purposes, the Office 365 environment is now backed up with a one‑year retention period. Deleted items remain recoverable for 30 days after the trash has been emptied, after which they fall under the one‑year backup retention policy.
To recover an item, right-click on the deleted items folder and click on recover deleted items within Outlook or Outlook Web App. A list of any recoverable items will be shown.
SFCC uses an archiving tool to maintain a log of all sent and received email messages for a minimum of five years. Departments and individuals are responsible for any retention which exceeds the five-year time frame.
ACCESSING A CURRENT EMPLOYEE’S EMAIL OR FILES
On occasion, access to an existing employee’s email or personal files may be required while a person is out with an illness or on vacation and the person can’t be reached to provide access. Supervisors should make every attempt to plan ahead, and the employee should delegate access to email or move files to shared folders. However, on occasion emergencies may occur that require additional access. Every attempt should be made to limit the request to only the required access. OIT Staff will attempt to utilize archiving tools to find only relevant documents or email. To do so, access requests must be made to the CIO and must include the following:
- Approval of Area VP or Executive.
- Specific details of the type of access, file names and dates are required.
Upon approval of the CIO, OIT Systems Administration staff will then provide the requested access to the relevant email or provide copies of requested files in an appropriate location. Permissions will never include the ability to send as the employee.
ACCESS TO EMAIL FOR LITIGATION PURPOSES
- Requests from legal counsel must be made in writing to the Director of Human Resources or designee.
- The request must identify the email addresses or usernames of individuals, any relevant keywords and the start and end dates of the searches. Contact information for the requesting legal counsel should also be included.
- The Executive Director or appropriate VP will forward the request to the CIO or designee with approval.
- OIT Systems administration staff will complete relevant searches within the current archival technologies.
- If required, the OIT systems administration employee may contact the requestor for clarification of the search parameters.
- If changes to the original search are needed, or the method needs to be clarified or adjusted, OIT will notify the CIO and the requestor of the changes.
- OIT staff will then provide access to the files to the requester within 5 working days of receiving the approved search request.
- If the Requester feels that additional changes are required, then the request should be returned to the CIO or designee with the requested corrections.
- Upon final approval, the files will be provided to the requester.
ACCESSING A FORMER EMPLOYEE’S EMAIL
OIT keeps former employee accounts, mailboxes and network files in their original state for no less than 6 months. However, accounts are disabled, the account is hidden, and email is either set to not accept email or is forwarded to another user. It is the responsibility of each department to request that email be forwarded and to transfer critical email within the 6-month time frame.
After 6 months, accounts may be deleted from email, Active Directory, and other systems. OIT does maintain an archive of individual mail and calendaring items for 5 years; however, they are no longer connected to a user account.
The supervisor of the former employee may request that OIT forward email to another employee and request an auto-response to alert external and internal senders of the departure. This should be done in writing through the OIT ticketing system and should include the following:
- The request must come from the former supervisor, Dean or VP.
- The former employee’s name or username.
- The forwarding email address requested.
- The language of the requested auto-reply message.
The supervisor of the former employee also may request that OIT grant temporary access to the mailbox through Outlook to transfer old email. This should be done in writing through the OIT ticketing system and should include the following:
- The request must come from the former employee’s supervisor, Dean or VP.
- The former employee’s name and username.
- The name and username of the person requiring access.
- A description of the access required.
Access will not include the ability to send email as the former employee.
The supervisor of the former employee may also request that the files of the former employee be moved to a location accessible to themselves or another current employee. This should be done in writing through the OIT ticketing system and should include the following:
- The request must come from the former supervisor.
- Former employee’s name and username.
- Location of current files.
- The requested new location.
OIT may contact the appropriate VP or Executive to ensure that the documents are being handled correctly.

