ITS Directive: Encrypted Email Program

Purpose: This directive defines the Encrypted Email Program.  The rules stated within this directive are enforced to protect sensitive Community College of Baltimore County ("CCBC") data being transmitted via approved vanity email accounts.

Scope: This directive is mandatory and applies to all employees with Encrypted Email Program roles and responsibilities. By using encrypted email, all users agree to abide by the terms of this directive.  Any exception to this directive must be submitted following the Exception Handling Directive.

General Requirements:

Encrypted email allows employees to protect the confidentiality of an email message by using encryption technology. Encrypted email ensures that messages are sent securely and can only be read by the message recipient. Encrypted email should only be utilized to send encrypted messages to non-CCBC email addresses. Since encrypted email technology will allow employees to circumvent some of the security tools in place, Encrypted Email will not be available to all employees. Encrypted email capabilities will only be available on vanity email accounts and not individual employee email accounts. For more information about Vanity Accounts please see the Vanity Email Account Directive.

Request and Approval Process

Request Process

The requester must be an owner of an existing or newly created vanity email account.

  • If encrypted email is being requested for an existing vanity email account, the requester should open a ticket with the Help Desk, to be assigned to Information Assurance.
  • If a requester needs a new vanity email account, they must submit the Vanity Email/Shared Mailbox Account Request via the ITS Service Catalog. The justification in the request must state that encrypted email is needed.

Approval Process

Once the Vanity Email/Shared Mailbox Account Request has been submitted, it will go through the vanity account approval process via the TDX workflow. All vanity account requests must be approved by the following individuals:

  • The requester’s Senior Director/Dean
  • The requester’s area Vice President
  • IT Security Administrator
  • Director of Marketing and Communications
  • Chief Information Officer

When all approvals are received, the Information Assurance Team must:

  • Verify with the requester the type(s) of data that will be transmitted.
  • Confirm if encrypted email is needed indefinitely or has an end date.
  • Configure approved Vanity Email accounts into Encrypted Email accounts.
  • Provide user training on how to utilize the Encrypted Email account.

Encrypted Email Usage and Management

Encrypted Email accounts should only be utilized for the purpose specified in the business justification for the account.

Additionally, all account delegated users must abide by the related requirements specified in CCBC’s Acceptable Use of Technology Policy.  The account owner is responsible for managing the Encrypted Email account based on the requirements specified in the Vanity Email Account Directive.

All account delegated users are responsible for ensuring that the encrypted email and its contents are addressed to the correct recipient(s). If a user discovers that they have sent, or a recipient reports having received, data containing sensitive personally identifiable information (PII) that is not relevant to them, for example because the sender made an error and sent the data to the wrong recipient, then the sender must report the exposure of PII to the Information Assurance Team for incident response and compliance actions. Additionally, to ensure the protection of the encrypted data, there will be a 30-day window for the recipient to utilize the encrypted data before access will be denied to the contents of the email.

Auditing, Expiration, Revocation, and Encrypted Email Deletion  

The Information Assurance Team will perform an annual audit of all Encrypted Email accounts based on the account's configuration date or last audit date. The goal of the audit is to confirm with the vanity account owner whether the encrypted email functionality will be needed for another year. If so, the account owner will be required to verify that the business justification, account owner and delegated user(s) are accurate. The Encrypted Email functionality will be removed if it is determined during the annual audit that the functionality is no longer needed. Additionally, the Information Assurance Team reserves the right to remove the Encrypted Email functionality due to policy violations or security risks.

 
