Guidance on email security
This is intended to provide advice to Loughborough University users about email security.
2. Sensitive Data
Restricted Loughborough University data and data classified as “personal data” under the Data Protection Act must not be sent by email unless encrypted. Emails might be intercepted or misdelivered en route. Sending this type of data could be considered a breach of confidentiality and if personal data is lost of disclosed, the University could suffer a heavy fine as well as suffering damage to its reputation.
(i) Personal data is defined as “data which relates to a living individual who can be identified by that data”. Personal data includes but is not limited to:
• Student records;
• Employee records;
• Certain research data;
• Medical records;
• Financial records.
(ii) Restricted data or corporate data and intellectual property, includes but is not limited to:
• Strategic planning;
• Financial information.
There are several options available for encrypting email, not all of which are covered by this article.
3.1. Encrypted archives as attachments
Users wishing to send a sensitive attachment with an email that does not otherwise contain sensitive information my find that the simplest method is to create an encrypted archive containing the file and attach the encrypted archive to the email. The main advantages of this method are that it is simple, and the software required for decryption is freely available.
The main consideration with this method is that the password on to the archive must be passed to the recipient. This should be done by a medium other then email.
Also, a sufficiently strong encryption algorithm should be used. Most up to date archive software supports AES encryption eg a .zip archive created with 7-Zip can be opened with WinZip, WinRAR etc. 7-Zip is included as part of the Managed Desktop Service.
3.2. Public key encryption
Users wishing to encrypt email on a regular basis (content and/or attachments) are advised to use public key encryption, especially products using the OpenPGP standard. Public key encryption requires both the sender and recipient to set up a pair of cryptographic keys. A plugin for the email client and/or a separate program is required. Once this has been configured, encrypted emails can be exchanged without a need to exchange passwords as in 3.1.
Changing the frequency email is checked
- Click on the Send / Receive tab
- Select Define Send/Receive Groups [Fig. 1]
- Make sure All Accounts is selected in the Send / Receive Groups dialogue box
- Click ‘Edit’, and ensure ‘Include the selected account in this group’ is ticked, and click OK [Fig. 2]
- Change the ‘Schedule an automatic send/receive every 35 minutes’ [Fig. 3]
Figure 1 : Select Define Send/Receive Groups
Figure 2 : Select Include the selected account in this group
Figure 3 : Changing the frequency of checking for new email
What is my quota?
Users of the legacy system will have a minimum of 1GB while users who have migrated to Office 365 have 50GB.
I want to send email to lots of people. How do I do this?
If you want to email all staff or all students in the University, please see the University's Mass Email Policy.
If you want to email everyone in your department, or a group of people in the department, or in a programme, module, or hall, please see Automated Mailing Lists.
If you want to set up a mailing list which you manage yourself or to which people subscribe, including people outside of Loughborough University, please see Managed Lists (Majordomo).
If you want to send a file, also see below.
I want to send a file to lots of people, or a large file to one person. How do I do this ?
See our Distributing Files advice. If you want to send several files, also see below. If you want to send sensitive data, also see below.
I want to send several files. How do I do this?
Create a single zip file containing all of the files, then distribute that:
In Windows 7, right-click in any folder and select New and then select Compressed (zipped) folder, and choose a name for it. You can now copy and paste files into what appears to be a folder, and you can e-mail the folder as if it were a file.
However, if personal or sensitive information (all data covered by the Data Protection Act (1988)) needs to be transferred to a third party location, IT Services recommends that this be created in the form of a self-decrypting archive. In the Windows 7 service this can be achieved with 7zip.
Once you have your zip file or self-decrypting archive, follow our Distributing Files advice.
Why do I keep being prompted to enter my credentials ?
We have introduced enhanced security at Loughborough University for our Email and Groupware Service. This enhanced security is often called ‘Modern Authentication’,‘Modern Auth’ and ‘OAuth2’ and is automatically applied to all new mailboxes, with the rollout to existing mailboxes to follow soon!
When this enhanced security is applied to your mailbox, you may receive repeated prompts for credentials until you switch to using modern authentication.
If the application you are using doesn’t support modern authentication you will need to switch to using one that does, including Microsoft Outlook (available on all devices). Please note that Microsoft Outlook is the only supported email client at Loughborough University.
If you are being repeatedly prompted for your credentials in Microsoft Outlook please contact the IT Services service desk.
How do I find e-mail addresses?
Outlook will allow you to search for Loughborough E-mail addresses. However, if you are off campus in a location with poor Internet connectivity, you can use our various directories:
If you are accessing these from off campus you should use the AnyConnect Client see Working Remotely
How do I change my name as known by the system?
For example, my first name, as known by the system in the Address Book, is not the one I use as I use an abbreviated version or I use my second name.
Staff who are not Research Students: Staff with access to myHR are able to update their preferred name via the personal information screen within myHR.
Those without access to myHR should send an email to email@example.com asking to change your "preferred name in Trent". (Trent is the HR information system, which feeds this information into the email directory.) You should include your staff number, name, and department, and the name you prefer to be known by (e.g. "Rob" rather than "Robert".) This could take several days to be changed.
Research Students: Send an email to StudentEnquiries@lboro.ac.uk or telephone 222472 (Student Records in the Academic Registry) asking to change your "preferred name in Student Records". You should include your student number, name, department, and the name you prefer to be known by (e.g. "Sam" rather than "Samantha"). This could take several days to be changed.
Guidance for dealing with unwanted and abusive communication
Sometimes members of the University receive inappropriate / unwanted emails, Jabber messages, LEARN forum posts etc. These can be from people they know or from strangers. It is not possible to define comprehensively what is and what is not an inappropriate communication, but generally it is one that is obscene or in some other way makes the reader feel uncomfortable, intimidated or upset.
In line with the University's IT Acceptable Use Policy, the University does not tolerate this kind of treatment of its members and has established procedures for dealing with such instances, as it takes this matter very seriously. This document is designed to offer guidance to those in receipt of an inappropriate message sent to any of their University accounts.
The University recognises that it can be very distressing to receive any communication of this nature. It is important that you do not feel guilty or responsible for receiving such a communication, as this can constitute a form of harassment and the fault lies with the sender, not the recipient. However distressing the communication is, if it is addressed to you personally, it is very important that you do not delete it, if you wish any action to be able to be taken. It is not advisable to engage in a dialogue with the sender.
A member of Confide, or a member of IT Services will be able to support and advise you further in dealing with this kind of issue. It is recognised that people might be embarrassed by the content of such communications. This is entirely understandable. Confide and IT Services will deal with the matter sensitively and confidentially. Information will not be passed on to any other party, without the explicit permission of the individual concerned unless it is felt that there is an unacceptable risk to another individual or group of people.
If you receive any communication, which causes you distress, you can contact Confide
Confide can also provide advice on whether the matter is serious enough to refer to the police and also be able to provide ongoing support to anyone who has received an email of this kind for as long as necessary.
I have shared my Calendar folder. How do I stop others from seeing what a particular appointment / all day event / meeting is about?
Either select or open the item, and then in the Appointment tab click the Private button. By default anybody with access to your calendar will only be able to see the appointment described as Private.
I would like selected delegates to see details of my Private Appointments. How can I set this up?
This setting can only be changed by the person who has delegated access to others.
- Click on File.
- Select Account Settings.
- Click on Delegate Access.
- In the new window add user if they are not there.
- Once the user is a delegate, click on the users name and select Permissions.
- For each folder select the appropriate permissions.
- At the bottom tick "Delegate can see my private items".
- Click OK and OK again to apply the settings.
With Microsoft Office 365, does everyone automatically see everyone's calendar and How do I change this?
Yes as Staff and Student are now on the same email system if you have the permissions set to everyone this means means your calendar could be visible.
You can specifically assign Calendar viewing permissions, determining who can and cannot see your calendar details. The default permissions on all calendars are Free/Busy. This means that all staff and students, assuming you have not changed permissions on your calendar, will be able to see which times you have booked out in your calendar, but not the details.