Email Standards

Information Security Office

The following standards will be in effect when the University migrates to a new Email system in spring 2013.

Email Account Restrictions

  • Unless otherwise required, there should be a limit to the number of simultaneous (concurrent) connections for Email accounts

  • Account lockout after 5 failed login attempts

  • Account should be locked for a minimum of 30 minutes

Email Password Requirements

  • Minimum 8 alpha-numeric characters

  • Forced password change once per year

  • Recycled password restrictions enabled

Confidentiality and Integrity

  • For highly sensitive inter-office and inter-departmental Email communications, Email messages should be flagged as `private' or `confidential' by the sender, and treated as such by the recipient(s)

  • Highly sensitive Email messages (including attachments) sent outside the University Email system should be encrypted using a trusted encryption utility or service

  • To insure integrity and non-repudiation of highly sensitive Email messages and attachments, Digital Signatures should be used

  • Archived Email messages classified as sensitive or highly sensitive should be stored in an encrypted format

  • Communications between Email clients (fat and thin client software) are to be encrypted at all times using industry standards on encryption technologies (SSL v2, AES, Microsoft proprietary)

Email Threat Protection

  • All incoming and outgoing Email messages and attachments are to be scanned for viruses, malware and other forms of malicious code

  • SPAM filtering should be applied to all Email accounts

  • Email “fat client” software should be configured to disallow automatic launching of scripts found in Email messages, opening of attachments, pictures and other processes that could potentially threaten the safe operation of the software

  • Third party “plug-ins” on fat client software should not be allowed unless tested and approved by the TSC


  • Deleted Email messages should be purged automatically after a set time period

  • Administrators should not access an individual's Email content without permission from the account holder, department supervisor or the Chief Technology Officer

Auditing and Alerts

  • The Email system should generate log alerts for major system events, Administrative-level changes, system/service shutdown, suspicious activity, mass Emailing (SPAMing), account compromise or attempted compromise, and any other activities that threaten the integrity of the Email system

  • Audit logs should be made available to TSC Mail Administrators by the vendor on a regular basis and in a readable format

  • TSC Mail Administrators are to examine these logs in a timely manner and respond to abnormalities accordingly

Incident Response

  • There must be direct and open communications between the TSC and Email vendor should a major incident occur. If the vendor experiences problems with the Email service (availability), TSC Mail Administrators should be notified within a reasonable period

  • Incidents involving account compromise, SPAMing, abuse, or any other inappropriate action as outlined in the Computer Use Policy are to be handled according to procedures set in the IT Resource Incident Response Guideline