7-4: Electronic Mail – Procedures

EMAIL ACCOUNTS 

All faculty, staff, students, governing board members, and temporary employees will be provided with an Outlook account from Office365. Email addresses are typically firstname.lastname@sfcc.edu. The email address may also include a number. The assigned usernames are created based on provided legal names.

Requests for changes of email addresses must begin in Human Resources for an employee or the Records Office for a student. Name changes require documentation of legal name change. Email address changes are not automated and additionally require a ticket using the OIT Service desk icon on the desktop. See Policy 7-1 for additional information about username and account name changes.

Contractors may occasionally be issued an email account. Contractors issued an email address are expected to follow this and all other SFCC policies and procedures. Contractor email accounts must be requested by the Department sponsoring the contractor. The request requires the approval of the appropriate VP or Executive Director. Contractor accounts will only be active for three months at a time. When the account expires, the department must complete the request again.

Email accounts are provided for official SFCC business. All users of SFCC email are expected to check and respond to email regularly.

ACCESSING EMAIL FROM AN SFCC OWNED DEVICE

Outlook Web App, Outlook for Mac, and Outlook 2013, 2016 or 2019 are the supported software for accessing email from SFCC owned devices.

Typically campus devices have Outlook 2013, 2016 or 2019 installed and clicking on the icon will automatically set up a user profile.

ACCESSING EMAIL VIA A WEB BROWSER

Email may be accessed by logging in to https://my.sfcc.edu and clicking on the Outlook Web App icon from the menu on the left side of the page.

ACCESSING EMAIL ON A PERSONAL MOBILE DEVICE

OIT provides limited configuration support for email access on personal devices. Outlook is the supported tool for accessing email.

Employees who have email delivered to a personal mobile device are responsible for ensuring that their device is secured with a passcode and is auto-locking. Mobile devices should also be kept current with patches and the operating system version must be supported. Mobile devices should have anti-virus and anti-malware software.  No other person should be able to access an employee’s SFCC email on mobile devices.

OIT reserves the right to limit access to any device which does not meet SFCC security requirements. OIT may also enforce security requirements for personal devices, including requirements for a passcode, encryption, or other basic security settings. When an employee is terminated, OIT may attempt to delete SFCC email settings and data from any registered personal device.

Students are strongly encouraged to ensure that their mobile devices have appropriate security settings, are kept up to date, and have strong passwords. SFCC reserves the right to limit access to any insecure or problematic device.

INSTALLING OUTLOOK ON A PC OR MAC

Staff, faculty, and credit students enrolled in the current semester may download and install Office Pro Plus by logging in to https://my.sfcc.edu and clicking on the Office 365 link from the menu on the left. In the upper right of the Office 365 page click on Install Office. Follow the instructions to download the software to your device.

After the installation is complete it will require authentication with an SFCC username and password. Username is firstname.lastname@sfcc.edu. It may also contain a number. The password is the same as your password for mySFCC.

INSTALLING OUTLOOK ON ANDROID OR IOS DEVICES

Staff, faculty, and credit students enrolled in the current semester may download and install Outlook by visiting the appropriate app store and searching for Outlook. After the installation is complete it will require login with an SFCC username and password for subscription purposes.

OTHER EMAIL APPLICATIONS

Many email tools will allow access to Office 365 email accounts. Those wishing to use a tool other than Outlook should reference the tool’s support site for instructions on how to configure an Office 365 account. In general, the only information required is your SFCC username and password.

Employees are discouraged from using any tools but Outlook to receive or send an email on a mobile device. Employees should not receive, send or access confidential information on any device outside of Outlook.

OIT can’t guarantee the functionality or security of any third-party tools and will only provide limited configuration support. OIT will not provide troubleshooting support for other email tools installed on personal mobile devices.

FORWARDING EMAIL

Before you forward your email to another service, remember that OIT can’t guarantee the arrival of email at another email service. If forwarding fails, you may miss important information for which you are still responsible.

Employees are discouraged from forwarding their email to another email service. Anyone working with sensitive data or Personally Identifiable Information (PII) may not forward their email to another email service.

To set a forward from Outlook Web

  1. Log into mySFCC
  2. Click on the Outlook icon from the menu on the left.
  3. Click the Settings icon (round gear) on the top right.
  4. Click View All Settings
  5. Click Forwarding
  6. Check box Enable Forwarding
  7. Enter Email in Forward Email To
  8. Click Save

SEPARATION FROM THE COLLEGE

Staff and Full-time Faculty email accounts will be disabled upon termination. Email accounts will be kept for a minimum of 6 months after termination.

Supervisors should ensure an Out of Office reply and email forwarding are configured in accounts for any departing employee. If this is not done in advance of the termination, supervisors may enter a request through the OIT Ticket Self Service icon for email forwarding and an Out of Office Reply.

Adjunct faculty will continue to have access for approximately 365 days after their last completed course, at which time their email account will be disabled. Email Accounts will be kept for a minimum of 6 months after this date.

Students will retain access to their Office 365 email for up to 6 semesters after their last successful course completion. After this time, the account will be disabled and kept for three months. Students who would like their accounts removed earlier should contact the OIT Service Desk at 505-428-1222.

SHARED EMAIL ACCOUNTS

Departments, student clubs, committees, and groups may request shared email accounts, which will show up as a separate account within Outlook. For security and tracking reasons, OIT will not create email accounts that may be logged into directly.

Any shared email account must have an owner assigned. The owner is responsible for ensuring the shared account is monitored, managed, and used appropriately. The owner is also responsible for delegating access or requesting and approving access to the shared mailbox.

Requests for a shared email account or access can be made by entering a ticket using the OIT Ticket Self Service link.

OIT will occasionally audit shared email accounts to ensure they are actively being used and monitored.  Shared email accounts which are unused for a year will be deleted.

DISTRIBUTION LISTS

OIT provides campus-wide distribution lists to distribute critical information to our campus community. These distribution lists include All Staff, All Faculty and All Students.

The ability to send to these groups is limited to those below to encourage appropriate use. Care should be taken to ensure email is sent to the appropriate audience.

  • All Staff – Staff Senate Chairs or Approval from the Director of Human Resources.
  • All Students – Access requires approval from the Vice President for Student Success. SGA officers may also request this access.
  • All Faculty – Faculty Senate Chairs or Approval from the Vice President for Academic Affairs.

Membership in these groups is based on a campus role. OIT is not able to complete any requests to opt-out of these distribution lists or other role-based distribution lists.

OIT also provides distribution lists for other official campus groups, clubs, project teams, organizations, and departments. A group requiring a distribution list should enter a ticket using the OIT Ticket Self Service Link. Please provide a list of the requested members and the name of the person who will own the distribution list.

Requesting an addition to a distribution list requires the permission of the distribution list owner. Typically the owner can update the list or may enter a Service Desk request by calling 428-1222 or utilizing the OIT Ticket Self Service link.

Distribution lists will be audited occasionally to ensure they are still required.

EMAIL ACCOUNT LIMITS

Email account size limits are based on the standards created by Microsoft. Current size limits include:

  • Mailbox size limit: 50 GB
  • Default Email send limit: 35 Mb
  • Max of 100 users per email – Accounts seen sending over this limit may be blocked from use as this is seen as a potential security threat.

EMAIL SECURITY

The Office of Information Technology applies many technologies to limit the risk of email. However, email should not be regarded as a secure method to send confidential information, such as credit card numbers, or social security numbers. Individuals should ensure they are following all policies regarding PII and email.

All email users should be extremely cautious when opening email, clicking on links and replying to an email. Malware, phishing, whaling, and other security threats are increasingly prevalent. Criminals are attempting to steal information, paychecks, personal information, and student financial aid.

Tips for recognizing a malicious email:

  1. Check the sender’s email address. Does it match the expected address?
  2. Hover over links. Do they match an expected link? Check for typos.
  3. The email contains a threat or a warning. For example, Your account is about to be closed.
  4. Attempting to get you to click on a link or open an attachment.
  5. Generic Greeting
  6. Request to verify information
  7. Request for personal information, such as your password
  8. Typos and strange wording
  9. Urgent tone
  10. You weren’t expecting the email

This is not an exhaustive list, nor does this list ensure that an email is malicious. If you need to confirm, call the person or company using a known good phone number. Do not reply to a suspicious email or use any phone numbers found in an email. Phone numbers may be manipulated and an email account can be hacked.

If you believe you were the victim of an email scam or clicked on a malicious link, let your supervisor know and contact OIT immediately.

KNOWBE4 AND PHISH ALERT – EMPLOYEES ONLY

KnowBe4 is a leading Security Awareness Training organization. It allows us to create a human firewall, which can protect us against malicious emails. The program consists of both a training campaign and simulated phishing attacks. The goals are to increase security awareness and decrease the number of clicks on malicious links.

OIT is currently testing all employees once a month. Clicking on one of the test links provides the user with an instructional website. If a user clicks on a link twice in a year they will be sent a training link for additional instruction.

Employees may also use the Phish Alert icon available in Outlook for Mac, Outlook for Windows and Outlook online to submit phishing email for review. Email from KnowBe4 will reduce your risk score, but other emails will be safely submitted to OIT for review.

Employees will be required to complete annual security awareness training through the KnowBe4 platform. See Policy 7-1 for additional information.

EMAIL ENCRYPTION

Email is a vulnerable method for sending information. If email is sent over a public network, Wi-Fi, or even an internal network it may be intercepted and read. Encryption reduces the risk that information is readable before it reaches the destination.

Confidential or sensitive information, such as credit card numbers and social security numbers, should never be sent or stored in email.  Any other sensitive information, such as financial information or other PII should be sent using an encrypted method. Anyone sending sensitive information or PII should review policy 7-3 to ensure compliance with data requirements.

Encryption Methods within Office 365 – Outlook for Windows, Outlook for Mac and in Office 365.

  1. [encrypt] – Allows Internal SFCC Office 365 Accounts to send an encrypted message to external email accounts. This will not function for email sent between @sfcc.edu accounts. Use this by typing [encrypt] within the subject of an email. You need to leave a space before the additional text.
  2. [donotforward] – Allows internal SFCC accounts to quickly send an encrypted message that may not be forwarded or printed. Use this by typing [donotforward] within the subject of an email. You need to leave a space before the additional text.
  3. Do Not Forward – Only the recipients of the email or document will be able to view or reply. The message can’t be forwarded or printed. This message is also encrypted. Use this by clicking on Options-Permission-Do Not Forward.
  4. Santa Fe Community College – Confidential – Only people inside of SFCC’s Office 365 tenant can access the content, make edits, or share the content. Use this by clicking on Options-Permissions-Santa Fe Community College – Confidential within an email message.
  5. Santa Fe Community College – Confidential View Only – Only people inside of SFCC’s Office 365 tenant can view the content. They can edit, but can’t print or share the content. Use this by clicking on Options-Permissions-Santa Fe Community College – Confidential View Only.

The Office of Information Technology also provides Citrix Sharefile for specific use cases that may not be covered by the list above. Examples include the need to send reporting data, which includes PII, sending legal data, tracking access to emailed data, and the need to request data from an external source. If you have a requirement not met by Office 365 encryption, please call the Service Desk at 505-428-1222 or start a Service Request using the OIT Ticket Self Service icon on every employee PC.

ATP SAFE LINKS

Safe Links is an Office 365 tool which scans email links both upon delivery and upon click to test the safety of an email link. The email link is rewritten after scanning is complete. While this is a technology to prevent malicious links from arriving at your inbox, good judgment and the tips for recognizing a malicious email must still be used. Think before you click!

ATP SAFE ATTACHMENTS

Safe Attachments is an Office 365 tool which scans attachments for malware and malicious content. Occasionally an email may be delivered, but the attachment is still being scanned. Once the scanning is complete the attachment will be delivered. Attachments found to have malicious content will be removed from any email.

While this is a technology to prevent malicious content from arriving at your inbox, good judgment and the tips for recognizing a malicious email must still be used. Think before you click!

PHISHING PROTECTION

Phishing scams are emails which attempt to present themselves as a well-known company or an executive-level employee in your company. Often at SFCC, these come across as variations of the current president’s or another executive’s name. This system blocks attempts to use exact matches to SFCC’s user directory. Be aware that you may see variations on names attempting to avoid the software and trick people into buying gift cards, installing malware, or giving away passwords and personal information.

SPAM AND MALWARE SCANNING

All email is scanned for malware and spam as it arrives and as it is opened. If you are picking up email through an app other than Outlook please be cautious of clicking on links or responding to email. Also, make sure that your mobile devices have appropriate security software installed.

JUNK MAIL FOLDER

The Junk mail folder is a built-in feature of Office 365. The junk mail folder works best when you actively configure your safe and junk mail lists.

If messages are delivered to your inbox and you don’t want to see them, right-click on the message and choose Junk – Block Sender.

If messages are incorrectly delivered to your junk mail folder:

  1. Make sure the message is not malicious, by confirming links and email addresses.
  2. Right-click on the message and choose Junk – Never Block Sender to add the email address to your safe list.
  3. Right-click on the message and choose Junk – Not Junk to move the message to your inbox.

OIT can whitelist email addresses that may be arriving in the junk mail folder for a large number of users. To request whitelisting enter a ticket using the OIT Ticket Self Service link.

DATA LOSS PREVENTION

OIT has applied policies which attempt to block email sent to external email addresses containing:

  1. Credit Card Numbers,
  2. Social Security Numbers, and
  3. Student ID Numbers

Senders are responsible for the content of their email and should take care to ensure they are sending data and information in accordance with this and all SFCC Policies and Procedures.

BACKUPS AND ARCHIVING

While SFCC currently archives all email for legal purposes, there are no backups of the Office 365 environment. Any deleted items are kept for 30 days after the trash has been emptied.

To recover an item, right-click on the deleted items folder and click on recover deleted items within Outlook or Outlook Web App. A list of any recoverable items will be shown.

SFCC uses an archiving tool to maintain a log of all sent and received email messages for a minimum of five years. Departments and individuals are responsible for any retention which exceeds the five-year time frame.

ACCESSING A CURRENT EMPLOYEE’S EMAIL OR FILES

On occasion access to an existing employee’s email or personal files may be required while a person is out with an illness or on vacation and the person can’t be reached to provide access. Supervisors should make every attempt to plan ahead and the employee should delegate access to email or move files to shared folders. However, on occasion emergencies may occur that require additional access. Every attempt should be made to limit the request to only the required access. OIT Staff will attempt to utilize archiving tools to find only relevant documents or email. To do so access requests must be made to the CIO and must include the following:

  1. Approval of Area VP or Executive.
  2. Specific details of the type of access, file names and dates are required.

Upon approval of the CIO, OIT Systems Administration staff will then provide the requested access to the relevant email or provide copies of requested files in an appropriate location. Permissions will never include the ability to send as the employee.

ACCESS TO EMAIL FOR LITIGATION PURPOSES

  1. Requests from legal counsel must be made in writing to the Director of Human Resources or designee.
  2. The request must identify the email addresses or usernames of individuals, any relevant keywords and the start and end dates of the searches. Contact information for the requesting legal counsel should also be included.
  3. The Executive Director or appropriate VP will forward the request to the CIO or designee with approval.
  4. OIT Systems administration staff will complete relevant searches within the current archival technologies.
  5. If required the OIT systems administration employee may contact the requestor for clarification of the search parameters.
  6. If the original search or the method needs to be changed, clarified, or adjusted, OIT will notify the CIO and the requestor of the changes.
  7. OIT staff will then provide access to the files to the requester within 5 working days of receiving the approved search request.
  8. If the Requester feels that additional changes are required then the request should be returned to the CIO or designee with the requested corrections.
  9. Upon final approval, the files will be sent to the requester.

ACCESSING A FORMER EMPLOYEE’S EMAIL

OIT keeps former employee accounts, mailboxes and network files in their original state for no less than 6 months. However, accounts are disabled, the account is hidden, and email is either set to not accept email or is forwarded to another user. It is the responsibility of each department to request that email be forwarded and to transfer critical email within the 6-month time frame.

After 6 months accounts may be deleted from email, active directory and other systems. OIT does maintain an archive of individual mail and calendaring items for 5 years; however, they are no longer connected to a user account. OIT also maintains a former employee’s personal drive in the archive for 5 years.

The supervisor of the former employee may request that OIT forward email to another employee and request an auto-response to alert external and internal senders of the departure. This should be done in writing through the OIT ticketing system and should include the following:

  1. The request must come from the former supervisor, Dean or VP
  2. The former employee’s name or username.
  3. The forwarding email address requested.
  4. The language of the requested auto-reply message.

The supervisor of the former employee also may request that OIT grant temporary access to the mailbox through Outlook to transfer old email. This should be done in writing through the OIT ticketing system and should include the following:

  1. The request must come from the former employee’s supervisor, Dean or VP.
  2. The former employee’s name and username
  3. The name and username of the person requiring access.
  4. A description of the access required.

Access will not include the ability to send email as the former employee.

The supervisor of the former employee may also request that the files of the former employee be moved to a location accessible to themselves or another current employee. This should be done in writing through the OIT ticketing system and should include the following:

  1. The request must come from the former supervisor.
  2. Former employee’s name and username.
  3. Location of current files.
  4. The requested new location.

OIT may contact the appropriate VP or Executive to ensure that the documents are being handled correctly.