Tarleton Office of Innovative Technology Solutions (OITS)
Email Use Standard

Effective: February 11, 2020

Revised: April 25, 2025

Procedure Summary

Tarleton State University’s (Tarleton or university) information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054. Since a large portion of Tarleton business is conducted using email, it is important that email services function in an efficient and reliable manner. This standard, therefore, addresses expected standards for university email usage.

This standard provides information regarding the use of email through university owned information resources. The purpose of the implementation of this standard is to provide a set of measures that will mitigate information security risks associated with email use. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer.

This standard administrative procedure (SAP) applies to any Tarleton employee, third-party vendor, student, guest, or visitor that may use any university information resource that has the capacity to send, receive and/or store email.

Please see the Tarleton Security Controls Catalog, specifically the Access Control (AC), System and Communications Protection (SC), and Assessment, Authorization, and Monitoring (CA) families, for additional information and requirements.

Procedures and Responsibilities

The following activities are prohibited:
- Sending email that is intimidating or harassing;
- Using email for conducting personal business;
- Using email for purposes of political lobbying or campaigning;
- Violating copyright laws by inappropriately distributing protected works;
- Posing as anyone other than oneself when sending email, except when authorized to send messages for another user based on job duties or when serving in a support role; and
- The use of unauthorized email software.
The following activities are prohibited because they impede the functioning of network communications and the efficient operations of electronic mail systems:
- Sending or forwarding chain letters;
- Sending unsolicited messages to large groups except as required to conduct university business;
- Sending excessively large messages; and
- Sending or forwarding email that is likely to contain computer viruses.
All sensitive and/or confidential Tarleton material transmitted over an external network should be encrypted.
All user activity on Tarleton information resources and/or assets is subject to monitoring and review.
Electronic mail users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of Tarleton or any unit of the university unless appropriately authorized (explicitly or implicitly) to do so. Where appropriate, an explicit disclaimer will be included unless it is clear from the context that the author is not representing Tarleton. An example of a simple disclaimer is: “the opinions expressed are my own, and not necessarily those of my employer.”
Individuals must not send, forward or receive confidential or sensitive Tarleton information through non‐Tarleton email accounts. Examples of non‐Tarleton email accounts include, but are not limited to: Hotmail, Gmail, Yahoo mail, AOL mail, and email provided by other Internet Service Providers (ISP).
Auto‐forwarding, including mailbox or smtp forwarding, shall not be used to send or forward any email from internal staff/faculty/student worker email accounts to non‐Tarleton email accounts/domains. Any exceptions to this must be reviewed and approved by the Tarleton Information Security Officer (ISO)/Chief Information Security Officer (CISO).

Definitions

Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.

Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.

Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).