Objective
Suffolk’s electronic mail (email) services support the educational and administrative activities of the University and serve as a means of official communication by and between users and Suffolk University. The purpose of this policy is to ensure that this critical service remains reliable and is used for purposes appropriate to the University's mission.
Applicability
This policy applies to all members of the Suffolk University community who are granted access to Suffolk University email services. This includes students, full and part-time faculty and staff, and “Affiliated Users,” as that term is defined below.
Policy
Suffolk University provides electronic mail services to faculty, staff, students, and Affiliated Users (collectively, “Authorized Users”). No email services other than the University email services should be used by any Authorized User to conduct official University-related business. Use of Suffolk University email services, whether or not for official University-related business, must be consistent with Suffolk University's educational mission and values and must comply with all applicable local, state and federal laws and University policies.
Suffolk University Email Addresses and Accounts
Faculty and Staff
Email services are available for faculty and staff to conduct and communicate University business. University email services are not to be used for personal business and should use a private email account for personal correspondence.
Email services are provided only while a user is employed by the University and once a user's electronic services are terminated, employees may no longer access the contents of their mailboxes, nor should they export their mailbox to a personal account before departure. Faculty email account access ends 365 days after separation from the university. Emeritus faculty retains access to their accounts dependent upon usage. Inactive Emeritus accounts beyond 365 days may be terminated. Retirees can request an account on our user_rt@suffolk.edu domain.
Faculty and staff email users are advised that electronic data (and communications using the University network for transmission or storage) may be reviewed and/or accessed by authorized University officials for purposes related to University business. Suffolk University has the authority to access and inspect the contents of any equipment, files, or email on its electronic systems.
Students
Email services are available for students to support learning and for communication by and between the University and themselves. The University in its sole discretion may grant continued University email services access to alumni who graduated in certain classes – see “Affiliated Users,” below. For all other former students, the services are provided only while a student is enrolled in the University, and once a student's electronic services are terminated, students may no longer access the contents of their mailboxes.
Student email users are advised that electronic data (and communications using the University network for transmission or storage) may be reviewed and/or accessed in accordance with Suffolk University University's Acceptable Use Policy. Suffolk University has the authority to access and inspect the contents of any equipment, files, or email on its electronic systems.
Students may elect to forward emails sent to their University email address to another personal email address; however, students do so at their own risk and remain responsible for all information sent to their University assigned email address. Email accounts and passwords are nontransferable.
Affiliated Users
The University may grant access to University email services to certain individuals who have an affiliation with the University warranting such access, all as determined by the University in its sole discretion. Without limitation or obligation, Affiliated Users may include alumni who are members of graduating classes whose membership has been permitted to retain their student email accounts after graduation, and certain Suffolk authorized visitors or agents commensurate with the nature of their specific relationship. Suffolk University may discontinue this access to any Affiliated User at any time.
Acceptable Use under University Policies
Email users have a responsibility to learn about and comply with Suffolk University's policies on acceptable uses of electronic services. Violation of Suffolk University policies (including this one) may result in disciplinary action dependent upon the nature of the violation. Examples of prohibited uses of email include:
- Intentional and unauthorized access to other people's email;
- Sending "spam", chain letters, or any other type of unauthorized widespread distribution of unsolicited mail;
- Use of email for commercial activities or personal gain (except as specifically authorized by University policy and in accordance with University procedures);
- Use of email for partisan political or lobbying activities;
- Sending of messages that constitute violations of Suffolk University's Acceptable Use Policy, Student Handbook, Faculty Handbook, and or Employee Handbook.
- Creation and use of a false or alias email address in order to impersonate another or send fraudulent communications;
- Use of email to transmit materials in a manner that violates copyright laws.
Abuses of Suffolk University's email services should be directed to the Service Desk at servicedesk@suffolk.edu.
Security and Privacy of Email
Email privacy is not guaranteed, and users should have no general expectation of privacy in email messages sent through a University Email Account. The University cannot protect users from receiving emails they may find offensive. Email may be accessed as needed for purposes of system administration and maintenance, for resolution of technical problems, for compliance with federal, state, and local law
- including, without limitation, statutes and regulations, and subpoenas, court orders, litigation holds or other written authorizations
- and University policies or procedures, to perform audits, or to otherwise conduct the business of the University.
The author of any email on the University system assumes the responsibility for assuring that messages do not violate any University policies or procedures.
Best Practices in the Use of Email
Confidential Information
Email is not considered a secure mechanism and should not be used to send information that is not considered public. Users should be aware that disclaimers of confidentiality included in emails do not guarantee the sender that confidential information in an email will not be shared or disclosed inappropriately. If you must send sensitive information via email it must be encrypted. For more information and the requirements of handling Confidential Information please refer to the Suffolk University Written Information Security Program.
Malware and Phishing
Suffolk University email users should be careful to verify unexpected emails and not to open unexpected attachments from unknown or even known senders, nor follow web links within an email message, unless the user is certain that the request, attachment, and or link is legitimate. Following a malicious link in an email message can also install malicious programs on the device. Responding to malicious email can result in compromising user credentials or disclosing sensitive data. If you do respond to a malicious email, please inform the Service Desk immediately (servicedesk@suffolk.edu)
Password Protection
Suffolk University Email uses single-sign-on (the same user credentials for many Suffolk services) and therefore it is important that Email users always protect their password, do not share passwords or credentials, and follow the Password Policy which includes requirements on password strength and use. For more information, please refer to Suffolk University Password Policy
Forwarding Email
Faculty and Staff: University email accounts are to be used to communicate official University business and Faculty and Staff may not choose to have their University email delivered or forwarded to a non-Suffolk University email address or non-Suffolk University account.
Staff email users on an extended absence should create an Out Of Office message, which should include the contact information for another staff member who can respond while the user is away from the office
Staying Current
Official University communications such as urgent bulk email, university notices and course email should be read on a regular basis since those communications may affect day-to-day activities and responsibilities.
Compromised Accounts
An email account that has been compromised, whether through password-cracking, social engineering, or any other means, must be promptly remedied with the appropriate response. The appropriate response will include a password reset, review of account settings, computer scans and malware disinfection to prevent possible leakage of PII, spamming, potentially infecting others and degradations of network service. If the account is being used to harm others at Suffolk University and the owner cannot be reached within a reasonable period of time (“reasonable” being driven by the level risk or negative impact to the Suffolk University community or user), the account password will be reset or the account may be disabled and the user will need to contact the Service Desk for assistance to regain access. Should the same account be compromised three or more times in any 12-month period, the account will be immediately suspended, and will not be re-enabled until all remediation has taken place, and the user is provided with remedial training.
Email Retention
Email is considered transitory and should not be used to store any documents that require retention as defined in the University Records Retention Schedule. All emails and attachments that require record retention must be moved to an appropriate location for record retention, such as a secure University network drive, and placed in the appropriate folder to maintain the appropriate level of authorized access and security.
Emails and attachments that require retention should not be stored on general department shared drives or in locations where unauthorized users could view, copy, modify or delete.
Deleted emails will be retained on Suffolk systems for 30 days after which they are not recoverable.
Violation of Policy
The University reserves the right to monitor network traffic, perform random audits, and take other steps to ensure the integrity of its information and compliance with this Policy. Violations of this Policy may lead to appropriate disciplinary action, which may include temporary or permanent restrictions on access to certain information or networks. Willful or repeated violations of this Policy may result in discipline up to and including termination of employment from the University.
Revision History
Version | Date | Responsible University Office | Approved By |
1.0 | 01/09/24 | Information Security Office | CISO Paul Guarino |