15.15 – Electronic Mail

Policy Details

Responsible Executive: Provost and Chief Academic Officer
Responsible Administrator: Chief Information Officer
Scope: NMSU System
Last Updated: 06/24/2024

PART 1: AUTHORITY AND PURPOSE

  1. Authority: Pursuant to Regents Policy Manual RPM 15.30, the Chief Information Officer (CIO) is responsible for proposing and advancing university system-wide IT policies, rules, procedures, and standards to support the mission of NMSU Information Technology (IT), through executive level jurisdiction over IT resources and associated risk. The Chief Information Security Officer (CISO) proposes and advances policies, rules, and procedures to protect university information and systems including monitoring, reporting, and addressing security risks.
  2. Purpose: This policy establishes electronic mail (email) as the official mode of communication for the university system. It establishes administration requirements to enable security, access, processing, storage, and data security compliance through an effective framework. This policy clarifies acceptable use of email and services and the applicability of law and university policies, in order to maintain effective operations and minimize disruptions to university email and other electronic services and activities.

PART 2: KEY POLICY STATEMENT(S)

NMSU provides email services as an IT resource for the university system. Email services are a privilege and may be terminated by NMSU at any time in its sole discretion. NMSU email services are subject to the provisions of ARP 15.11 and this policy. The university community is responsible for using email services ethically and respectfully, in compliance with applicable federal and state laws, and policies established by the university. Under the direction of the CIO, Information Technology is the designated steward, custodian, and authority of NMSU email services.

  1. Official Email and Communication: NMSU email is the official means of communication of university business for students, faculty, staff, affiliates or any authorized individual or group. NMSU email is for use in conducting university business and not for personal use except as permitted by ARP 3.14 - Non-Work Related Use of University Resources. Email addresses are assigned and populated in the electronic records as @nmsu.edu. All NMSU email is property of the university and is subject to federal and state regulatory requirements to include public disclosure under the New Mexico Inspection of Public Records Act (IPRA), unless exempted by law.
  2. Email Standards: NMSU email security, use, and maintenance align with industry standards and are designed to secure and promote accountability throughout the university system. Email service users are responsible for adhering to NMSU IT security policies maintained in the ARP and standards located at Information Security Awareness. These required standards assist the university to mitigate risk of exposing NMSU sensitive and regulated data and are subject to change.
    1. User Responsibility: NMSU takes reasonable steps to protect assets against viruses, SPAM, or other threats resulting from email communication that may cause damage to university systems. The user’s responsibility is to protect their email account by following proper safety protocols; see Information Security Awareness. While every effort is made to protect university email users from damaging messages, NMSU is not responsible for damages caused by NMSU email account holders.
    2. Access to Others: Access will not be provided to family members, or any other person or entity upon an employee’s separation (including termination and retirement) or death.
    3. Unauthorized Use: Unauthorized use, suspicious activity, unauthorized access to sensitive data or other actions that may compromise network security, may result in suspension or termination of access to NMSU email services.
    4. Automatic Email Forwarding: Automatic email forwarding can lead to unintentional disclosure of protected, sensitive and restricted data, potentially posing a significant risk to the integrity and confidentiality of university data. Automatic or bulk forwarding of NMSU email to any address or service outside of the official NMSU email system is prohibited.
    5. Regulated and Controlled Data: NMSU email is not a mechanism to transfer regulated or controlled data; see ARP 15.41. Users must exercise judgment in sending or requesting receipt of content that may be deemed protected under federal or state laws or confidential.
  3. Affiliates, Third Parties or Other: NMSU email service privileges for affiliates, third parties, and other external individuals or groups may only be granted by written approval from NMSU administration and IT. These privileges are limited to a few categories as authorized under ARP 2.55. Requests for NMSU email services for affiliates and third parties must be submitted by using the Email Access Request Form, with accompanying documentation to support the identified business need. NMSU email access terminates at the conclusion of an affiliate or third-party business need or agreement.
  4. Post-Employment Email Access: NMSU email services will be terminated 30 days after the employee separates from the university, except for qualified retirees and emeritus faculty.
    1. Retirees and Emeritus faculty access to email services requires each individual to maintain good standing with the university and meet all annual training requirements. Access to services is subject to security and other mitigating factors.
    2. Employees may apply for extension of email services under the following exceptions through submission of a completed Email Access Request Form, subject to final approval by the President:
      1. adjunct faculty;
      2. research faculty; and
      3. infrequent contingencies approved by the president.
  5. Student Email: Student email access will terminate one year after the student becomes inactive.
  6. Violations and Reporting: Violation of this policy may subject the email account holder to disciplinary action (up to and including employee termination or student expulsion), legal action or both. Contractors and vendors will be in material breach of their agreements with NMSU for violation of this policy.
  7. Reporting: Suspected or known intentional or unintentional receipt or transmission of Regulated or Controlled Data must be immediately reported to itcompliance@nmsu.edu, NMSU IT compliance office or CISO.

PART 3. KEY PROCESS ELEMENTS

  1. Exception Request: Request for exception is initiated by completing the Email Access Request Form.
    1. Attach sufficient documentation to support the business need, i.e. continued research, teaching, other.
    2. Requests are reviewed and processed by the Privacy and IT Compliance Officer in collaboration with the CISO, subject to final approval by the president. Communication will be processed by IT Compliance via the NMSU email address of itcompliance@nmsu.edu.
    3. Incomplete forms are returned to preparer.

PART 4: DEFINITIONS

  1. Controlled Data: Data specifically categorized by federal statute, executive order, or regulation as important to the nation’s interest or government operations, or Data categorized as proprietary through grant, contract or non-disclosure agreements.
  2. Regulated Data: Data regulated by law or contract that is not Controlled Data, and if exposed to unauthorized parties, poses a risk of harm to third parties or risk of harm to NMSU interests (e.g. reputational) or exposes the university to potential liability.

Supplemental and Related Information

(For Administrative Purposes “Non-exhaustive”)

Contact the Compliance Information Security Officer for additional information not covered in this policy and for corresponding procedures.

Email: ciso@nmsu.edu or itcompliance@nmsu.edu

Telephone: IT help desk at 575 646-1840 

Cross-Reference:

  1. Administrative Procedures: IT Standards and Procedures
  2. Applicable Federal Laws/Regulations
    1. General Data Protection Regulation (GDPR)
    2. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    3. Gramm-Leach-Bliley Act | Federal Trade Commission
    4. Official PCI Security Standards Council Site
  3. Applicable State Laws/Regulations
    1. NMSA 1978 § 14-3-1 et seq. ("Public Records Act")
  4. Related Regents (RPM) and Operation (ARP) Policies:
    1. RPM 15.30 Information Technology Governance
    2. RPM 15.50 Information Data Security
    3. ARP 15.41 – Data Classification
    4. ARP 15.50 – NMSU Institutional Data Security

Revision History:

06/24/2024 Revision/replacement approved by President
2017 Recompilation, formerly Rule 2.35.1.1.5

Next Cyclic Review:

June 2027