University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
E-Mail Use and Security
UPPM 87.07
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability.
To determine the potential consequence of a loss event, the Federal Information Processing Standards:
- Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
- Dictate which security controls are mandatory based upon the categorization level;
- Define the strength, frequency, and formalization of those controls; and
- Influence audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
WSU and each user of WSU email and systems have an obligation to ensure the security, integrity, and accessibility of records sent or received by email, as well as appropriate use of WSU email systems. To fulfill these obligations, this policy:
- Clarifies the duties of all persons utilizing WSU email accounts, with additional duties for those persons conducting official WSU business;
- Sets forth requirements to reduce the risk of unauthorized access or disclosure of WSU institutional data; and
- Helps to ensure that public records are retained and accessible as required by law (see UPPM 90.01, 90.03, and 90.05).
2.0 Applicability
This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources. For purposes of this policy, email accounts include email, calendars, tasks, notes, and any other communications exchanged using the WSU email system.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information System Owners
Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
4.0 Requirements
All WSU email accounts are WSU assets. A user has no ownership or legal rights to their WSU email account. Once the user is no longer affiliated with WSU, the user has no rights or interests in keeping their WSU email account, or access to its contents, unless specifically addressed by other WSU policies or standards.
A user of a WSU email account has no expectation of personal privacy as it relates to their WSU email account. WSU may access a user’s University email account at any time without notice, and without the user’s permission, for legitimate business purposes, which include, but are not limited to:
- Conducting authorized investigations;
- Monitoring for illegal activity;
- Collecting records for purposes of litigation or compliance with WSU’s obligations under the Washington State Public Records Act (RCW 42.56); and
- Administration and support of email services.
4.1 All Users
Each user is responsible for:
- Ensuring the integrity of their WSU email address;
- Avoiding actions that would compromise the integrity of their WSU email account;
- All activities conducted through their accounts; and
- Being vigilant against phishing attacks and malicious attachments.
Users must promptly report the following:
- Any compromise of their WSU email account, including disclosure of account credentials and/or being locked out of the user’s account (see also Section 5.0 regarding violations of this policy); and
- Any suspicious activity to or from their WSU email account, including potential phishing emails, by submitting a report and/or forwarding the suspicious email to abuse@wsu.edu.
All users of WSU email accounts are prohibited from the following:
- Using WSU email for illegal purposes or in violation of University policies, including but not limited to UPPM 10.60 prohibiting harassment and discrimination;
- Disseminating illegal content; and
- Sending unsolicited commercial email (“spam”) in violation of Washington law (RCW 19.190.020).
4.2 WSU Personnel
In addition to the above, the following prohibitions and requirements apply to WSU personnel. Student employees are subject to this section, except for email that is unrelated to their employment.
WSU personnel are required to:
- Ensure that email is retained, archived, disposed of, or otherwise managed in accordance with the WSU records retention and disposition policy (see UPPM 90.01 and 90.03);
- Comply with the Washington State Public Records Act (RCW 42.56) and WSU rules and policies regarding the maintenance and disclosure of public records. All emails sent or received in transacting official WSU business are covered by the Washington State Public Records Act and subject to disclosure unless otherwise exempted from disclosure under the law. (See RCW 42.56, WAC 504-45, and UPPM 90.05);
- Comply with WSU and state law restrictions regarding personal use of WSU resources. Occasional personal use of WSU email is allowed if it does not exceed de minimis use as defined in UPPM 10.65 (University Ethics Policy). However, certain uses of WSU email and other WSU resources, including uses for outside businesses or political campaigns, are not allowed, even if the use is de minimis. (See UPPM 10.65 and 60.90);
- Prevent improper disclosure of emails and information that is privileged and confidential in accordance with Washington law. Privileged and confidential communications include, but are not limited to, emails from WSU’s attorneys to WSU officials. See also UPPM 90.01 and 90.05 regarding confidential records requirements; and
- Handle all WSU electronic correspondence in accordance with UPPM 87.53.
WSU personnel are prohibited from:
- Using any external email account to conduct official WSU business;
- Auto-forwarding emails received from their University email account to an external email account. (Auto-forwarding between University email accounts is permitted);
- Note: Manual forwarding of individual/personal messages unrelated to WSU business to an external email account is generally permissible if in accordance with all other applicable WSU policies, standards, and procedures;
- Transmitting or storing an unapproved data type (see UPPM 87.53 and 87.06); and
- Saving restricted or sensitive attachments on non-WSU owned devices, in accordance with UPPM 87.10.
Users are responsible for all activity on their WSU email account. If a user shares their access and/or use of their WSU email account with another individual, the assigned user may still be responsible for misuse of that account and subject to corrective or disciplinary action.
Note: If the user’s email contains data that is limited by regulatory, contractual, or other data sharing agreement, it may only be shared with an individual who is authorized to access that data.
Providing access to another individual (e.g., an administrative assistant) is permitted only when:
- There is a substantial business need;
- The user’s approval of the other individual’s access is documented in writing; and
- The user changes their password when password sharing is no longer needed.
4.3 Nonemployee Students
Students’ WSU accounts are used for all official email communications between students and WSU. Official interactions with WSU are only answered and considered official if they originate from the student’s assigned WSU email account.
WSU recommends that non-employee students refrain from auto-forwarding emails received by their WSU email account to an external email account. Student auto-forwarding may be discontinued at the discretion of WSU.
Students, including students employed by WSU, are required to review and follow college and/or department specific email procedures regarding checking and responding to WSU email communications directed to their WSU email accounts.
Active student: A student is a person who is in an academic program with the status of “AC” (active) or “LA” (leave of absence) and satisfies one of the following conditions:
- They have an admit term that ends on or after today or that ended less than one year ago; or
- They are enrolled in a class that ends on or after today or were enrolled in a class that ended less than one year ago.
Terminated Student: There are several ways in which a student is terminated (i.e., the program status is no longer active), including:
- Administrative discontinuation. At any time, a person’s academic program may be manually discontinued. This is typically done in response to information provided by the student;
- Automated discontinuation for non-enrollment at the end of the admit term. On or around the 30th day of each term, ITS identifies all students who were registered for the term, but who did not enroll in classes. The students’ academic programs are discontinued at the end of the term;
- Automated discontinuation for non-enrollment after two consecutive terms: On or around the 30th day of each term, ITS identifies all students who did not enroll in classes and who were not enrolled in classes in the previous term (Fall and Spring only). The students’ academic programs are discontinued at the end of the term; or
- Completion of academic program and conferral of degree: The students’ academic programs are completed, resulting in a departure from WSU.
WSU email accounts are deactivated according to the deactivation schedules established for current students and student employees who meet the following conditions:
- They no longer have an academic program where the status is “AC” (Active);
- They no longer have an academic program where the status is “LA” (Leave of Absence);
- They have been expelled and WSU requests deactivation;
- Their most recent admit term (including past, current, and future admit terms) ended more than one year ago;
- They were never enrolled or their most recent class ended more than one year ago; or
- They do not have a pending admission application.
Following this model:
- An individual who becomes a new active student in March for the upcoming fall term who never enrolls has a WSU email account for 10 months (from March of that year until December of the same year).
- An individual who becomes a new active student in March for the upcoming fall term who enrolls in the fall term but leaves and never returns has a WSU email account for 21 months (from March of that year until December of the following year).
- A student who graduates in the spring term continues to have a WSU email account for one year.
ITS sends a reminder prior to termination, and a student on leave or absent due to another approved WSU activity may request an exemption from this rule.
4.4 E-Mail Administrators
WSU email administrators are required to scan all email messages created, sent, and received over WSU’s email system for viruses and malware to detect and remove malicious content.
WSU email administrators are required to use sandboxing and other techniques to review email attachments for malicious behavior. They must also implement and use mail authentication protocols and other measures to help detect and prevent email spoofing.
Spam protection mechanisms must be employed at email system entry and exit points to detect and act on unsolicited messages.
Spam protection mechanisms are updated when new releases are available, in accordance with UPPM 87.40. Moderate- and high-impact system spam protection mechanisms are automatically updated within a defined time frame.
Each WSU business unit must maintain a list of approved scripting languages and email plugins for web browsers and email clients through application whitelisting tools. Unauthorized email plugins are prohibited.
5.0 Violations
Access to and use of a WSU email account is a privilege and not a right. WSU may terminate access to and use of a WSU email account at any time.
Violation of this policy, including failing to promptly report the actual or potential compromise of a WSU email account, may subject a user to corrective or disciplinary action, as well as criminal/legal action when applicable. See UPPM 87.01 for more information regarding violations of UPPM Chapter 87.
6.0 Training
See UPPM 87.21 for training requirements related to UPPM Chapter 87.
In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.
_____________________
Revisions: March 2026 (Rev. 654); Sept. 2025 – New policy (Rev. 648).