Email Domain Policy

Title

University of North Carolina at Chapel Hill Email Domain Policy 

Introduction

Purpose

It is important to the University of North Carolina at Chapel Hill (“UNC-Chapel Hill” or “University”) that data is safe and can be easily found if needed. This includes taking extra care to protect sensitive information (Tier 2 or 3) when it is sent or received through email. Information Technology Services (ITS) provides a default campus email service. Some University departments and organizations currently manage their own email systems. All email accounts used to conduct University business have public records and University data requiring protection. Unauthorized access to email with University data puts the University’s assets and reputation at risk. 

Scope

This policy applies to: 

  • University Units other than ITS that use an Internet domain that includes an email service. 
  • University Units providing alternate email domains. 
  • Accounts for people who use those domains to conduct University business. 

This policy does not apply to:  

  • Management of domain names 
  • Arrangements for domain name registration and management  

Policy Statement

Any email system a unit provides that is used to conduct University business must have security, backup, and records-retention measures. The same security precautions apply to sub-domains and separate domains as apply to the systems and domains ITS provides.  

Departments may host or contract for separate emails systems with domains different from those the University uses to provide email. These domains can be one of two kinds. They may use either: 

  • unc.edu sub-domains (such as “physics.unc.edu”) or,  
  • entirely separate domains (such as “unclatindepartment.org”). 


Units maintaining email systems must have a Memorandum of Understanding (MOU) with ITS. ITS and the Unit must renew the MOU at least every three years, or sooner if there are important changes to the email system. The Unit and staff responsible for maintaining the email system must ensure and prove their system can comply with the University’s requirements for: 

  • legal hold,  
  • e-Discovery, 
  • public records requests,  
  • transfers to University Archives,  
  • release of data under applicable policies, and 
  • other University requirements. 

Email accounts on a Unit’s designated domain meeting these requirements may:  

  • be considered a person’s official University email account,  
  • be listed in the University directory,  
  • auto-forward email between the unit account and other University email accounts (including the one provided by ITS). 

Compliance

ITS and University Units must follow MOU agreements. University Units that do not comply with their MOU agreements will lose their authorization to have a separate email system. ITS will remove the affected email addresses from the University Directory and those affected individuals may no longer conduct any University business using affected email accounts. 

Failure to follow this policy may put the University at risk. Employees who don’t comply may face disciplinary consequences, up to and including losing their job. Students who don't comply may be referred to the Office of Student Conduct. Contractors and vendors who don't comply may face termination of their business relationships with UNC-Chapel Hill. 

Violation of this policy may also carry the risk of civil or criminal penalties. 

Roles and Responsibilities

Office of the CIO or delegate  – Prepare, finalize and maintain a valid MOU. 

Unit head of the University department or organization, or the Unit head’s designee – Start an MOU, follow the MOU, and renew the MOU as required. 

Definitions

Domain: An internet namespace usually associated with a particular web site or email system. A domain name is the portion of an email address that directly follows the "@" sign (e.g., unc.edu, email.unc.edu, med.unc.edu). 

Email Domain: A domain with an associated email system. (This policy is only concerned with domains with email systems). 

Memorandum of Understanding (MOU) : An agreement under this Policy between a University unit and ITS that the unit will follow certain practices to safeguard University information assets in the email accounts the unit provides. 

Public Record: Any record created or received in conducting University business, in whatever format, including but not limited to paper, photographs, recordings, emails or digital images, unless an exception applies under federal or state law. 

Related Requirements

 

External Regulations and Consequences 

North Carolina General Statutes Chapter 132: Public Records 

University Policies, Standards, and Procedures 

UNC-Chapel Hill General Records Retention and Disposition Schedule 

UNC-Chapel Hill Information Classification Standard 

Public Records Policy 

Contact Information

Subject Contact Telephone Online
MOU (New or Update) ITS Information Security Office 919-445-9393 security@unc.edu
Policy Questions ITS Policy Office 919-962-HELP its_policy@unc.edu

Document History

  • Effective Date and title of Approver: March 1, 2011, Vice Chancellor of IT and CIO
  • Revision and Review Dates, Change notes, title of Reviewer or Approver: September 16, 2011 June 29, 2016, Updated format and definitions, added clarifications about when MOU is required and purpose of the policy, Vice Chancellor for IT and CIO
Print Article

Related Articles (2)

Information Security Controls Standard
This Standard defines the minimum security standards “MSS” for Information Technology systems in use at UNC-Chapel Hill including personal and University-owned devices and third-party systems. Units within the University may apply stricter controls to protect information and technology in their areas of responsibility. The standard applies to each person in the University community and their devices. Please see the “Exceptions” section for phased implementation options through 2027.
Information Security Policy
This policy defines a framework for the Information Security Program. It gives direction for policies, standards, and procedures that relate to security. These documents tell us how to include information security in all the ways we work at the University of North Carolina at Chapel Hill.