Policy Number: IT.1.2.1S
Category: Acceptable Use of Technology
Effective: February 4, 2019
Revision History: None
Review Date: February 3, 2022
Purpose, Scope, and Responsibilities
- As identified in the Electronic Mail Policy, West Virginia University (“University”) will provide email accounts to employees, students, and others affiliated with it to communicate and conduct University business. Official University Email Accounts may only be created by either WVU Information Technology Services (“WVUITS”) or Health Sciences Center Information Technology Services (“HSCITS”).
- The purpose of this Standard is to identify the minimum requirements for University Email Accounts. The Chief Information Security Officer is responsible for the implementation and enforcement of this Standard.
- WVUITS is responsible for managing the @mail.wvu.edu and @retiree.wvu.edu Office 365 domains and the @mix.wvu.edu Gmail domain, including generating individual employee accounts and student email accounts on all campuses; handling standard administrative rights such as creating shared mailbox accounts and associating permissions; and global email settings and configuration such as automatic forwarding.
- HSCITS is responsible for managing the @hsc.wvu.edu Office 365 domain which includes issuing HSC employee accounts, handling standard administrative rights, and global email settings/configurations.
- All email Account Holders are responsible for using University Email Accounts in accordance with both the Electronic Mail Policy and the Acceptable Use of Data and Technology Resources Policy. The use of an External Email Account to conduct University business is strictly prohibited.
Employee Email Accounts
- Office 365 (O365) is the official University Email Account automatically provisioned
to University faculty and staff with active appointments. O365 email accounts
must meet the following requirements:
- The employee email address format is email@example.com or firstname.lastname@example.org.
- Outgoing email aliases are assigned to all employee accounts as email@example.com or some derivation of that format if that alias has already been used; however, student employees will not be assigned an outgoing email alias.
- Automatically forwarding email from an employee’s O365 to an External Email Account, either through use of global forwarding or inbox rules, is prohibited.
- The use of IMAP/POP with O365 is prohibited.
- The employee’s access to their O365 email account is automatically removed on the end date indicated in Mountaineer Administrative Processes (“MAP”).
- O365 accounts are deleted within 30 days of employee’s end date unless specifically retained for legal purposes or the supervisor has been granted access to the mailbox.
- Pursuant to Section 3, Student Email Accounts, a separate MIX email account is provided to employees that also have student status.
- A MIX account is also provided to teaching faculty to communicate with students.
- The email address format for faculty MIX accounts is username@MIX.wvu.edu.
- Faculty may automatically forward their MIX account to their O365 account using global forwarding or automatic forwarding rules.
- Faculty may use IMAP/POP to access MIX using their O365 account.
- Faculty MIX accounts may not be automatically forwarded to an External Email Account.
- Access to faculty MIX accounts is removed when the employee’s faculty role ends.
- Office 365 (O365) is the official University Email Account automatically provisioned to University faculty and staff with active appointments. O365 email accounts must meet the following requirements:
Student Email Accounts
MIX is the official University Email Account provided to all admitted and enrolled
students. MIX accounts must meet the following requirements:
- The student email address format is firstname.lastname@example.org.
- Aliases will not be assigned to MIX accounts.
- Students may automatically forward their MIX account to an External Email Account, but they do so at their own risk.
- Enrolled students’ MIX accounts are assigned for life.
- Admitted students who do not enroll at the University will have their MIX accounts deleted.
- Students that are employed by the University (e.g., student workers, graduate
assistants) may also be provided an O365 account if email is required to
fulfill the terms of their employment.
- Supervisors are responsible for requesting the creation of an O365 account for student employees.
- Student O365 accounts must meet the requirements outlined above for Employee Email Accounts.
- Student employee O365 accounts are disabled once it has been identified that the student is no longer an employee. Preferably, this will be achieved by the Expert Business Office (“EBO”) ending the student’s employee role within MAP.
- The account is deleted within 30 days of the employee role end date unless specifically retained for legal purposes or the supervisor has been granted access to the mailbox.
- MIX is the official University Email Account provided to all admitted and enrolled students. MIX accounts must meet the following requirements:
Retiree Email Accounts
- All employees who retire from the University will be granted a University Email
Account within Microsoft Online which must meet the following requirements:
- The retiree email address format is email@example.com.
- Retirees must claim their email account within one (1) year of it being created. All retiree email accounts not claimed within 366 days of creation are automatically deleted.
- It is the responsibility of the retiree to export any contacts they want to retain from their active employee O365 account to their new retiree account prior to their access being removed from the account.
- All employees who retire from the University will be granted a University Email Account within Microsoft Online which must meet the following requirements:
Shared Mailbox Accounts
- Shared mailbox University Email Accounts may be created for use by multiple
authorized employees for a specific purpose (e.g., managing classroom audio/visual
access, departmental email, computer that must operate in a continuous processing
state) and must meet the following requirements:
- Shared mailbox accounts are created for official University business use only.
- Shared mailbox address format is firstname.lastname@example.org or email@example.com (e.g., ITsecurity@hsc.wvu.edu) or firstname.lastname@example.orgemail@example.com (e.g., firstname.lastname@example.org) but a display name may be indicated (e.g., “Employee Relations”).
- Shared mailbox name should be as close to the description of the department, service, or organization as possible.
- Shared mailbox access does not require a separate password. Authorized employees will access departmental email accounts using their individual O365 account credentials.
- One full access delegate (owner) must be assigned to the account who is responsible for establishing formal mechanisms for granting, tracking, and terminating individual access and activity to the shared account.
- Send As delegates may also be granted permission to a shared mailbox.
- Use of a departmental shared mailbox by a third-party email service is strictly prohibited.
- Shared mailbox University Email Accounts may be created for use by multiple authorized employees for a specific purpose (e.g., managing classroom audio/visual access, departmental email, computer that must operate in a continuous processing state) and must meet the following requirements:
Third-Party Email Services
- Third-party solutions that contain their own email delivery systems are outside of the University’s control; however, those that attempt to impersonate an official University Email Account or address to send directly on behalf of the University must submit a request to the appropriate domain manager to identify the appropriate solution, such as SMTP relay or use of Sender Policy Framework (SPF).
- The email address format for approved third-party email solutions is email@example.com (e.g., firstname.lastname@example.org) or email@example.com.
- Use of a departmental shared mailbox for third-party email services is strictly prohibited; however, a third-party email service address may be added as an alias on a shared mailbox address so that replies to system emails are all routed to one shared mailbox.
Meeting Room Accounts
- Meeting room accounts visible through O365 Global Address List may be created to schedule the room for meetings.
- Rooms must follow the naming convention format: BuildingCode_RoomNumber_Capacity_RoomType (e.g., OWP_4115_15seats_Conf).
- Request for meeting room accounts must come from individuals who oversee the physical room.
- Booking delegates may be designated to assist in the management of the location and resolving potential booking conflicts.
Health Science Center Accounts
- To prevent Sensitive University Data from leaving HSC email systems, HSCITS will add a conditional access policy for MAPI to be restricted to University IP Addresses only.
- Rules that automatically forward University email from O365 or MIX to a @*.wvu.edu email domain are permitted (e.g., @hsc.wvu.edu, @jan.wvu.edu, @math.wvu.edu).
- Options for accessing O365 email without using IMAP/POP include:
- Outlook for Windows or macOS;
- Outlook for Web using the online app;
- Outlook for iOS, Android, and Windows devices; or,
- Exchange ActiveSync through a secure mail application (e.g., Apple mail).
- Retirees who are granted Emeritus status are considered active employees and will not have their existing O365 email services interrupted until they are no longer considered an active employee.
- “Account Holder” means faculty, staff, students, and others affiliated with the University who have been assigned a University Email Account.
- “External Email Account” means any email account not created and issued by WVUITS or HSCITS such as Yahoo or Hotmail.
- “IMAP/POP” means Internet Message Access Protocol (IMAP) and Post Office Protocol (POP), which are two methods used to access email locally using a third-party application. POP downloads emails from the server for permanent local storage while IMAP leaves the messages on the server and temporarily stores email locally.
- “Internet Protocol (IP) Address” means a unique numerical label assigned to and identifying each device connected to and communicating over the University’s network.
- “Messaging Application Programming Interface (MAPI)” means email applications that are MAPI-enabled can work together to distribute email between each other.
- “MIX” means the Gmail account granted to University students and teaching faculty.
- “Mountaineer Administrative Processes (MAP)” means the authoritative source for financial and human resources data related to employees, vendors, and affiliates of the University.
- “Sensitive University Data” means data identified in the Sensitive Data Protection Policy that is subject to international, federal, or state restrictions governing its processing, storage, transmission, or use (e.g., personally identifiable information, credit card information, protected health information). If disclosed, Sensitive University Data could cause significant harm to the University or its constituents.
- “University Email Account” means all electronic mail services provided, owned, or funded in part by the University and operated by WVUITS or HSCITS. This term applies to processing, storage, transmission, and use of electronic mail data, including, but not limited to, email headers, summaries, and addresses associated with email records, attached files, or text. This term does not apply to voicemail, audio/video conferencing, or facsimile messages.