Electronic Mail Policy

1.0 Purpose
2.0 Scope
3.0 Policy
3.1 Brown Email Addresses and Accounts
3.2 Acceptable Use Under University Policies
3.3 Security and Privacy of Email
3.4 Best Practices in Use of Email
4.0 Related Policies and Links

1.0 Purpose

Brown's email services support the educational and administrative activities of the University and serve as a means of official communication by and between users and Brown. The purpose of this policy is to ensure that this critical service remains available and reliable, and is used for purposes appropriate to the University's mission.

2.0 Scope

This policy applies to all members of the Brown community who are entitled to email services, as detailed in the Computing Privileges document.

3.0 Policy

Brown provides  electronic mail (email) services to faculty, staff and students, and to other affiliated classes of individuals, including alumni and official visitors. Use of Brown email services must be consistent with Brown's educational goals and comply with local, state and federal laws and university policies.

3.1 Brown Email Addresses and Accounts

Faculty and Staff
Email services are available for faculty and staff to conduct and communicate University business. Incidental personal use of email is allowed with the understanding that the primary use be job-related, and that occasional use does not adversely impact work responsibilities or the performance of the network.

Email services are provided only while a user is employed by the University and once a user's electronic services are terminated, as specified in the document Computing Privileges, employees may no longer access the contents of their mailboxes, nor should they export their mailbox to a personal account before departure.

Faculty and staff email users are advised that electronic data (and communications using the University network for transmission or storage) may be reviewed and/or accessed by authorized University officials for purposes related to University business. Brown has the authority to access and inspect the contents of any equipment, files or email on its electronic systems. The document Procedures for Emergency Account and Information Access delineates the circumstances and process for handling these exceptions.

Students
Email services are available for students to support learning and for communication by and between the University and themselves. The services are provided only while a student is enrolled in the University and once a student's electronic services are terminated, as specified in the document Computing Privileges , students may no longer access the contents of their mailboxes.

Student email users are advised that electronic data (and communications using the University network for transmission or storage) may be reviewed and/or accessed in accordance with Brown University's Acceptable Use Policy. Brown has the authority to access and inspect the contents of any equipment, files or email on its electronic systems.

Alumni and Others
Individuals with special relationships with Brown, such as alumni or official visitors, who are neither employed nor enrolled at Brown, are granted limited email privileges, including an email address, commensurate with the nature of their special relationship. Brown is free to discontinue these privileges at any time.

3.2 Acceptable Use under University Policies

Email users have a responsibility to learn about and comply with Brown's policies on acceptable uses of electronic services . Violation of Brown policies (including this one) may result in disciplinary action dependent upon the nature of the violation. Examples of prohibited uses of email include:

  • Intentional and unauthorized access to other people's email;
  • Sending "spam", chain letters, or any other type of unauthorized widespread distribution of unsolicited mail;
  • Use of email for commercial activities or personal gain (except as specifically authorized by University policy and in accord with University procedures);
  • Use of email for partisan political or lobbying activities;
  • Sending of messages that constitute violations of Brown's Standards of Student Conduct or the Employee Responsibilities & Rights handbook.
  • Creation and use of a false or alias email address in order to impersonate another or send fraudulent communications;
  • Use of email to transmit materials in a manner which violates copyright laws.

Abuses of Brown's email services should be directed to the Information Security Group at ISG@brown.edu.

3.3 Security and Privacy of Email

Brown attempts to provide secure, private and reliable email services by following sound information technology practices. However, Brown cannot guarantee the security, privacy or reliability of its email service. All email users, therefore, should exercise extreme caution in using Brown email to communicate confidential or sensitive matters.

3.4 Best Practices in Use of Email

Confidential Information
When sending Brown Restricted Information, the user must encrypt the message in an approved method as described in the Transmission section of the document Information to Comply with the Policy on the Handling of Brown Restricted Information.

Malware
Brown email users should be careful not to open unexpected attachments from unknown or even known senders, nor follow web links within an email message unless the user is certain that the link is legitimate. Following a link in an email message executes code, that can also install malicious programs on the workstation.

Identity Theft
Forms sent via email from an unknown sender should never be filled out by following a link. Theft of one's identity can result. More about: Identity Theft.

Password Protection
Brown's policy requires the use of strong passwords for the protection of email. A strong password should contain digits or punctuation characters as well as letters. The Computing Passwords Policy contains information on how to choose and maintain compliant passwords.

Departmental Email Boxes
Departments that provide services in response to email requests should create a shared mailbox to help support departmental functional continuity for managing requests sent via email. Further information about shared mailboxes can be found in the document Group Email Options.

Forwarding Email
Brown email users may choose to have their email delivered to a CIS-managed mailbox or forwarded to another mail repository. However, a non-Brown forwarding address should not be used if there is a reasonable expectation that confidential information will be exchanged. Email is not considered a secure mechanism and should not be used to send information that is not considered public.

Staff email users on an extended absence should create an Out Of Office message, which should include the contact information for another staff member who can respond while the user is away from the office. These procedures are described in section 3 of the document  Procedures for Emergency Account and Information Access.

Staying Current
Official University communications such as urgent bulk email, course email, and Morning Mail should be read on a regular basis since those communications may affect day-to-day activities and responsibilities.

Compromised Accounts
An email account that has been compromised, whether through password-cracking, social engineering or any other means, must be promptly remedied with the appropriate means. The appropriate means will include a password reset, review of account settings, computer scans and malware disinfection to prevent possible leakage of PII, spamming, potentially infecting others and degradations of network service.  If the account is being used to harm others at Brown and the owner cannot be reached in a reasonable period of time (“reasonable” being driven by the negative impact to the Brown community), the CISO will direct the office of Computing Accounts and Passwords (CAP) to reset the password. Should the same account be compromised three or more times in any 12-month period, the account will be immediately suspended, and will not be re-enabled until the user notifies the CISO to ensure that all remediation has taken place, and is provided with remedial training.

4.0 Related Policies and Procedures

The following listing if provided for the purpose of directing users to policies and procedures that are related to use of email, but it is not exhaustive of all university policies and procedures that might have application to email usage.

Questions or comments to: ITPolicy@brown.edu

Interim Policy Effective Date: November 10, 2004
Policy Approved: May 23, 2007
Last Reviewed: January, 2014
Next Scheduled Review: January, 2015