Brown provides electronic mail (email) services to faculty, staff and students, and to other affiliated classes of individuals, including alumni and official visitors. Use of Brown email services must be consistent with Brown's educational goals and comply with local, state and federal laws and university policies.
3.1 Brown Email Addresses and Accounts
Faculty and Staff
Email services are available for faculty and staff to conduct and communicate University business. Incidental personal use of email is allowed with the understanding that the primary use be job-related, and that occasional use does not adversely impact work responsibilities or the performance of the network.
Email services are provided only while a user is employed by the University. Once a user's electronic services are terminated, as specified in the document Computing Privileges, employees may no longer access the contents of their mailboxes, nor should they export their mailbox to a personal account before departure.
Faculty and staff email users are advised that electronic data (and communications using the University network for transmission or storage) may be reviewed and/or accessed by authorized University officials for purposes related to University business. Brown has the authority to access and inspect the contents of any equipment, files or email on its electronic systems. The document Electronic Information Access Policy delineates the circumstances and process for handling these exceptions.
Students
Email services are available for students to support learning and for communication by and between the University and themselves. The services are provided only while a student is enrolled in the University. Once a student's electronic services are terminated, as specified in the document Computing Privileges, students may no longer access the contents of their mailboxes.
Student email users are advised that electronic data (and communications using the University network for transmission or storage) may be reviewed and/or accessed in accordance with Brown University's Acceptable Use of Information Technology Resources Policy and in accordance with the procedures delineated in the document Emergency Information Access Policy. Brown has the authority to access and inspect the contents of any equipment, files or email on its electronic systems.
Alumni and Others
Individuals with special relationships with Brown, such as alumni or official visitors, who are neither employed nor enrolled at Brown, are granted limited email privileges, including an email address, commensurate with the nature of their special relationship. Brown is free to discontinue these privileges at any time.
3.2 Acceptable Use under University Policies
Email users have a responsibility to learn about and comply with Brown's policies on acceptable uses of electronic services. Violation of Brown policies (including this one) may result in disciplinary action dependent upon the nature of the violation. Examples of prohibited uses of email include:
- Intentional and unauthorized access to other people's email;
- Sending "spam", chain letters, or any other type of unauthorized widespread distribution of unsolicited mail;
- Use of email for commercial activities or personal gain (except as specifically authorized by University policy and in accord with University procedures);
- Use of email for partisan political or lobbying activities;
- Sending of messages that constitute violations of Brown's Code of Conduct;
- Creation and use of a false or alias email address in order to impersonate another or send fraudulent communications;
- Use of email to transmit materials in a manner which violates copyright laws.
Abuses of Brown's email services should be reported to the Information Security Group at ISG@brown.edu.
3.3 Security and Privacy of Email
Brown attempts to provide secure, private and reliable email services by following sound information technology practices. However, Brown cannot guarantee the security, privacy or reliability of its email service. All email users, therefore, should exercise extreme caution in using Brown email to communicate confidential or sensitive matters.
3.4 Best Practices in Use of Email
Confidential Information
When sending Brown Restricted Information, the user must encrypt the message in an approved method as described in the Access, Storage, Transmission and Back-up of Restricted Information section of the document Policy on the Handling of Brown Restricted Information.
Malware
Brown email users should be careful not to open unexpected attachments from unknown or even known senders, nor follow web links within an email message unless the user is certain that the link is legitimate. Following a link in an email message executes code that can also install malicious programs on the workstation.
Identity Theft
Forms sent via email from an unknown sender should never be filled out by following a link. Theft of one's identity can result.
Password Protection
Brown's policy requires the use of strong passwords for the protection of email. A strong password must contain digits or punctuation characters as well as letters. In addition, your email password should be different from your Brown network password. The Computing Passwords Policy contains information on how to choose and maintain compliant passwords.
Departmental Email Boxes
Departments that provide services in response to email requests should create a shared mailbox to help support departmental functional continuity for managing requests sent via email. Further information about shared mailboxes can be found in the IT Knowledgebase articles on Google Groups.
Forwarding Email
Brown email users may choose to have their email delivered to an OIT-managed or contracted mailbox or forwarded to another mail repository. However, a non-Brown forwarding address should not be used if there is a reasonable expectation that confidential information will be exchanged. Email is not considered a secure mechanism and should not be used to send information that is not considered public.
Staff email users on an extended absence should create an Out-Of-Office message, which should include the contact information for another staff member who can respond while the user is away from the office.
Staying Current
Official University communications such as urgent bulk email, course email, and Today@Brown should be read on a regular basis since those communications may affect day-to-day activities and responsibilities.
Compromised Accounts
An email account that has been compromised, whether through password-cracking, social engineering or any other means, must be promptly remedied. Response will include a password reset, review of account settings, computer scans and malware disinfection to prevent possible leakage of PII, spamming, infection of others and degradation of network service. If the account is being used to harm others at Brown and the owner cannot be reached in a reasonable period of time (“reasonable” being driven by the negative impact to the Brown community), the Chief Information Security Officer will direct the office of Computing Accounts and Passwords (CAP) to reset the password. Should the same account be compromised three or more times in any 12-month period, the account will be immediately suspended, and will not be re-enabled until the user notifies the Chief Information Security Officer to ensure that all remediation has taken place, and is provided with remedial training.