Purpose

The University of Maryland ("UMD" or the "University") provides an institutional email system to promote secure communication and collaboration, allow for business continuity, and maintain effective handling of institutional data. The use of email systems to conduct University Business is subject to federal, state, and local legal, regulatory, and statutory requirements, including but not limited to the Family Educational Rights and Privacy Act ("FERPA") and the State of Maryland's public records laws, as well as University and University System of Maryland policies and procedures. Noncompliance with these laws and regulations could result in a loss of federal funding, as well as civil and criminal penalties; noncompliance with these laws, regulations, and policies/procedures could have a severe adverse impact on UMD's mission, safety, finances, or reputation. This Email Standard (the "Standard") sets forth fundamental requirements for the appropriate use of email systems to conduct University Business. Compliance with this Standard is necessary for the University to meet all the requirements of the USM IT Security Standards and the UMD Policy on Acceptable Use of Information Technology Resources.

Top

Definitions

Terms used in this article and their definitions.

Term	Definition
University Business	The work performed on behalf of the University by its personnel (including faculty, staff, student employees, and other persons whose conduct falls under University operations), whether or not such persons receive compensation for performing this work.
Institutional Email	The UMD email system/platform provided and maintained by the Division of Information Technology (username@umd.edu) enabled by Google Workspace for Education, also known as UMD Gmail or UMD Email.
Approved Email System	UMD Institutional Email (aka UMD Gmail), plus any administrative, academic, or programmatic unit's email system granted a waiver by the Division of IT.

Top

Requirements

1. The University requires its personnel to use an Approved Email System to conduct University Business. Specifically, all email sent by University personnel regarding University Business must be sent from an Approved Email System.
2. Email is an inherently insecure medium for transmitting private or confidential information. Email must not be used to transmit data with a risk level of High (Level 3) or Restricted (Level 4) as defined by the IT-2 University of Maryland Data Classification Standard.
3. As State of Maryland employees, UMD personnel should not use an Approved Email System for private gains or personal matters, or matters that create or appear to create either a conflict of interest or an endorsement by the University. While incidental personal use of UMD Email is acceptable, employees are strongly encouraged to use a separate, non-UMD email system for personal matters.
4. There are significant differences in the agreement language and the data collected between a typical consumer Gmail account and UMD's Gmail (G Suite for Education) accounts. Therefore, automatically forwarding emails and documents from an Approved Email System to another email account/platform (e.g., @gmail.com, @yahoo.com, etc.) is prohibited. This practice greatly elevates the risks of sharing information that is protected as confidential by federal and/or state law or the University's contractual obligations. If University personnel are required by the terms of a University contract or other legal agreement to use a United States federal agency email account, the University may permit University email to be forwarded to a federal agency email account or otherwise defer to any federal agency requirements incorporated into the University's applicable collaboration or sponsored research agreement.
5. University personnel may enable a UMD Gmail account on multiple devices including mobile phones. To prevent accidental use of a personal email address when conducting University Business, it is strongly recommended that an Approved Email System is used as the default outbound setting on devices.

Top

Implementation

1. Each University administrative, academic, and programmatic unit must establish priorities and timetables to decommission their legacy email systems and transition their users to the UMD email system before June 30, 2020. Units were to communicate their plans to the Division of Information Technology at emailconsolidation@umd.edu before November 30, 2019.
2. Subject to approval by the respective relevant unit heads and deans, the use of legacy email addresses of the form @[unit].umd.edu may continue for both inbound and outbound email as long as this email is sent and delivered by an Approved Email System.

Top

Applies To

All members of the University Community who conduct University Business via email. Excludes TERPmail, which is the University of Maryland's institutional student platform for communicating academic information and providing cloud storage and productivity and collaboration tools. All students and accepted applicants may be granted a TERPmail address.

Top

Procedures

Waiver

A unit that has unique business requirements that cannot be met by the Institutional Email must submit a waiver form explaining, in detail, how conformance with this Standard would be noncompliant with federal or state laws. For example, University personnel conducting classified work are required to use an email system that meets federal government statutory or contractual requirements in specific situations. Waivers must be requested by a unit head responsible for overseeing the administrative, academic, or programmatic unit and approved by the respective Dean or Vice President and the Division of Information Technology. The Division of Information Technology VP/CIO may grant waivers to this security Standards for a period of up to 3 years (with the option for renewal). Consistent with the UMD Policy on Acceptable Use of Information Technology Resources, a waiver may be revoked at any time by the VP/CIO.

Waivers to forward Intuitional Email to U.S. federal agencies when required by contract, may be granted by the CIO in consultation with the Office of General Council. 

Top

Violation

Failure to comply with this standard constitutes a violation of the UMD Policy on Acceptable Use of Information Technology Resources.

Top

Review

The VP/CIO or a designee will initiate a review and necessary revisions of this standard as needed, with appropriate input from the Division of Information Technology staff and the IT Council.

Top

Responsibilities

The related responsibilities of the positions and offices mentioned in this document.

Position/Office	Responsibilities
Vice president/chief information officer	Consults with the President, the Senior Vice President and Provost, and the Office of General Counsel about this standard and its implementation. Decides and communicates whether waiver requests are approved.
Division of Information Technology	Provides oversight and management access to the Institutional email platform. Provides support and training as required and requested. Takes and resolves complaints about this security standard. Periodically initiates a review and approves the necessary revisions of this security standard. Manages integration with the University Directory, which contains information about users, calendars, and conference/meeting rooms. Provides daily backups to prevent loss of data due to unintentional deletion or system failure. Provides and supports spam and virus protection.
IT Council	Reviews and makes decisions related to this standard.
University administrative, academic, and programmatic units	Comply with the requirements of this security standard. Establish priorities and timetables for decommissioning their own legacy email systems and transitioning their email users to the Institutional email system. Request waiver to this security standard.
Faculty, staff, and student workers conducting business on behalf of the University	Understand and comply with this security standard. Inquire about and report concerns to the Division of Information Technology at itsupport@umd.edu.

Top

Resources

• DIT Email Standard FAQs
• State of Maryland Information Technology Security Manual
• USM IT Security Standards
• USM Regents Policy on USM Institutional Information Technology Policies
• UMD Policy on Acceptable Use of Information Technology Resources
• UMD FERPA Training
• UMD Student Privacy(FERPA explained)
• University of Maryland's Data Classification Standards

Top

Contacts

Subjects	Office	Telephone	Email/URL
IT Standard and complaints	Division of Information Technology	301.405.1500	itsupport@umd.edu
Training or technical help			it.umd.edu

Top