information security: email retention policy

III-1g Email Retention Policy

Overview

Version 1.0
Approval Date: Feb 15, 2012
Approval Authority: CWRU Chief Information Security Officer

Purpose

Electronic mail (email) is a ubiquitous service that greatly enhances communication, both internally within the CWRU community (current students, faculty, and staff) and externally to alumni, prospective students, current students, and the public at large.

This policy establishes the default retention periods for email retained on active servers. It also confirms roles and responsibilities for implementation, including management of litigation holds.

Coordination with Other Policies and Procedures

The CWRU Email Retention Policy is closely aligned with these policies:

Cancellation

Not applicable.

Policy Statement

General

University electronic mail (email) is defined as any message composed, sent or received through the university’s email service, principally the CWRU Google Apps for Education IMAP service. Such email may include any departmental level mail servers situated between the user and the university email service. Information in email may include, but is not limited to, correspondence, voice mail, file attachments, calendar schedule invitations, and electronic forms. Email does not include instant messaging or SMS text messaging.

The university provides users with email capacity of between 7 and 25 Gb of storage, which is considered (at present) to be adequate to support email retention.

Three general classes of information in email messages are:

  1. Retained Records: email messages that contain content subject to university records retention schedules, including content that is of a legal nature, is considered a vital record, or has historical value. Examples can be found in the University Records Retention Policy.
  2. Lasting Value: email message information that should be retained due to the operational nature of the message content. Lasting Value also describes email messages under retention schedules for which the retention time period has lapsed.
  3. Transitory: routine communication, scheduling, or any messages not deemed to have Lasting Value. Examples include meeting or event notices, internal requests for information, announcements, or unsolicited commercial email (spam).

Policy

  1. Individual users (senders, recipients) are responsible for identifying and archiving information in their university email that is subject to university retention schedules, or that must be retained to maintain compliance with Federal or state laws or university policies, or for other reasons.
  2. Retained Records email messages shall be retained according to the University Records Retention Schedule.
  3. Lasting Value email messages are messages that have been under retention schedule requirements and for which the active retention period for the particular record in email format has expired. Lasting Value email messages may be retained when useful to the user, but should be removed when the message becomes designated as Transitory.
  4. Transitory Messages shall be removed promptly from the CWRU email infrastructure by moving the message into either Trash or Spam folders. The university shall automatically and permanently delete messages placed into the Trash or Spam folders after 30 days.
    • A litigation hold directive overrides this email and IM retention policy, as well as any records retention schedules that may have otherwise called for the transfer, disposal or destruction of relevant documents, until the hold has been cleared.
  5. Certain sensitive or Restricted information (e.g. SSN data) shall not be stored, transmitted, or processed using email infrastructure unless appropriate information security mechanisms (e.g. message encryption) are employed.
  6. For an employee who is terminated, the employee’s supervisor is responsible for evaluating the employee’s email records for required retention, in the course of the termination process, and taking appropriate action to retain email as required. After 30 days post termination, remaining email messages in the terminated employee’s account will be permanently deleted.
  7. Users are permitted to forward email to a non-university email service (e.g. Yahoo or personal Gmail account), but are reminded that all official email correspondence is to be performed from their CWRU email account.

Responsibility

Information Technology Services (ITS) will implement automated data purge mechanisms in the university’s email service.

University Archives will maintain the records retention schedule.

End Users will manage information under their stewardship in accordance with university retention schedules.

Definitions

Standards Review Cycle

This standard will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.

© 2013 Case Western Reserve University