Systematic Email Forwarding Request
USER CERTIFICATION
Georgia Institute of Technology
GA Tech offers two email options for our faculty, staff, students and others: 1) On-Premise Exchange (for individuals with a security clearance and selected units) 2) O365 - Office 365 (for all other users).
O365 is traditionally a “Cloud service” and many researchers have been told by their sponsors and in their Technology Control Plans (TCP) that they cannot use any Cloud providers. The GT O365 email service is not the same O365 email provider that you may have at home. GA Tech OIT, CyberSecurity, Legal Affairs, Research Security and Export Controls have worked to put in place specific controls to make sure both systems meet all Federal, Institute, and Sponsor requirements including those for securing Export Controlled data and for preventing third party access to Proprietary and Institute Data. The GT O365 solution uses only servers located in the USA, utilizes end-to-end encryption, FIPS compliant and a uses a Lockbox to store the encryption keys.
Individuals working on or involved in Export Controlled research must use one of the two GA Tech provided email systems. Individuals no longer working on export controlled research may request to have restrictive flags removed from their account five years after the last restricted award has terminated if all restricted data if all export controlled information has been removed from the account. Upon request, the account will be reviewed and the User may certify that all email and data related to the restricted research award(s) have been removed. Each User account will be reviewed on a case-by-case basis for Export Controls.
Users should note that the review described above only takes into consideration Sponsored Research that had been flagged for Export Controls. Many other types of data and email are protected by Federal Regulations and Institute Policy. It is the Users responsibility to contact the appropriate office(s) or data stewards to request assistance in determining if data/email in their account is approved to systematic forwarding to a third party provided. It is noted in Institute Policy:
Data Users must use official Georgia Tech email services when emailing Category III data. Using third party email services (e.g. Gmail, Hotmail, Yahoo Mail) to send or store Category III data is prohibited.
Other Examples of Category III data Include:
Research Data (including research data on human or animal subject, and biochemical)
Data under a Non-Disclosure Agreement (NDA)
Data under a Proprietary Information Agreement (PIA)
Technology Licensing and Invention Disclosure Information
Intellectual Property Information Owned by the Institute
Active Library Circulation Records
Security Camera Recordings, Continuum System
Chematix Chemical Tracking System
Building HVAC Monitoring/Control Data
BuzzCard System, Building Safety Plans
Student Records Excluding Directory Information
Student Financial Aid and Grant Application Information
Login Passwords
Police Officer’s Personal Contact Information
Individual Benefits Elections
Social Security Numbers (SSN) (faculty, staff and students)
Student Financial Aid and Grant Application Information
Email Data Protection Policy and Employee Email Forwarding
Most users of the Microsoft Office 365 central email service are allowed to systematically forward their email to third party email service providers. Users that have Category III or Category IV data as described in the GIT OIT Data Security Classification Handbook may not systematically forward their email to third party email service providers. Individuals who work on Industry Sponsored research, Export Controlled research, or research with access or dissemination controls, or have access to Proprietary data, or data under a non-disclosure agreement (NDA), or users within some home departments may not systematically forward their email to third party email service provider. Georgia Tech employees who have their email in the on-premises Microsoft Exchange hosted with Georgia Tech Research Institute will not be allowed to systematically forward their Georgia Tech email to third party email service providers (e.g. Gmail, Yahoo!, Outlook.com). Georgia Tech Research Institute employees with permission from their Lab Director may systematically forward their email to a third party email service provider if none of the above restrictions apply.
GIT OIT Data Security Classification Handbook:
- Category III—Sensitive: This information is considered private and should be guarded from disclosure; disclosure of the information may contribute to financial fraud. Disclosure may also violate state and/or federal law.
- Category IV—Highly Sensitive: Data which must be protected with the highest levels of security, as prescribed in contractual and/or legal specifications.
Examples include: Business Information: Customer Credit Card.
Institute Data Access Policy:
Sensitive Data as it pertains to Email Services
Data Users must use official Georgia Tech email services when emailing Category III data. Using third party email services (e.g. Gmail, Hotmail, Yahoo Mail) to send or store Category III data is prohibited.
Data Categories
Georgia Tech Institute Data shall be classified into four major categories that are defined as described in this section.The Data Stewards, in consultation with the Data Coordinators and Data Administrators, are responsible for defining which data elements and data views fall into each data category.
- Category I – Public Use:This information is targeted for general public use. Examples include Internet website contents for general viewing and press releases.
- Category II – Internal Use:Information not generally available to parties outside the Georgia Tech community, such as directory listings, minutes from non-confidential meetings, and internal (Intranet) websites. Public disclosure of this information would cause minimal trouble to the Institute. This category is the default data classification category.
- Category III – Sensitive:This information is considered private and must be guarded from disclosure; unauthorized exposure of this information could contribute to ID theft, financial fraud and/or violate State and/or Federal laws.
- Category IV – Highly Sensitive:Data which must to be protected with the highest levels of security, as prescribed in contractual and/or legal specifications.
Systematic Email Forwarding Request
USER CERTIFICATION
Georgia Institute of Technology
I hereby certify that I have read and understand the information provided regarding compliance with Institutional Policy as well as Federal Laws and Regulations including the International Traffic in Arms Regulations (ITAR) 22 CFR Section 121.1 et seq., and the Export Administration Regulations (EAR) 15 CFR Section 774.
After reviewing the resources and categories above, I have determined that I do not work on or have access to any Export Controlled or Category III or Category IV data and hereby request to have my account reviewed to allow systematic email forwarding.
I understand that I shall be personally liable if I unlawfully disclose export controlled information without prior approval. Furthermore, I understand that the review conducted will only take into consideration Export Controlled information or projects and I will take responsibility for ensuring that no other Category III or Category IV data are forwarded or stored in my email.
To expedite reviews, email with the subject line “Systematic Email Forwarding Request for: enter User ID here.”
Signature ______Date______
(Signature may not be delegated. The Usermust sign)
Printed Name
User ID
Georgia Institute of Technology Systematic Email Forwarding Request
Office of Research Integrity Assurance January 2016
Export Control age 1