Privacy & Cybersecurity, Faculty and Staff Email Auto-forwarding Retirement FAQ

As part of an administration-driven effort to better secure employee email and reduce cybersecurity intrusions, Technology Services Privacy and Cybersecurity will take actions on October 5, 2021, to restrict university employees' ability to auto forward from @illinois.edu, @uillinois.edu, and @uiuc.edu email addresses.

What is this all about?

University of Illinois and its employees who auto-forward official Illinois email face high and increasing risks, and liabilities related to account cybersecurity, privacy, phishing, and compliance with Illinois law.

Why is this happening?

In a time where the university's #1 cybersecurity risks overwhelmingly start with email phishing leading to account compromise and intrusion, we must make changes to things we've long enjoyed, but present great problems and risks now.

Forwarding faculty and staff email is risky and moves opportunities for university cybersecurity intrusions into less controlled or secured environments. It diminishes the university's ability to secure its people, information, university data, research, internal processes, and business interests.

Additionally, when auto-forwarding email to a personal account, your personal mailbox becomes subject to potential Illinois Freedom of Information Act (FOIA) reviews and disclosure. As a result, university personnel might potentially require access to any such personal accounts to identify FOIA items.

Which email accounts/who is affected?

Employees (faculty and staff) who currently auto-forward any mail from an Illinois email account are affected.

Employees who use the electronic directory editor (EDE) to redirect their individual Illinois mail to another account are affected.

Role accounts, group accounts, service accounts, mail enabled groups or lists and other non-individual email accounts are not affected.

What did the problem look like when we started?

A few thousand employees forwarded their official email via mail rules or electronic directory editor (EDE). There were two concerns:

1) Phishing and email are the most successful cybersecurity attack vectors upon our university. They continue to be the most effective vehicle for threat actors worldwide to spread malware, access our work, and steal our most valuable assets. Illinois' Cybersecurity cannot provide much value or relief when employee email is being sent to a place where attacks cannot be detected or dealt with.

2) (For offsite forwards only) Employee email forwarding as an allowed practice had the potential for putting personal accounts in scope for the Illinois State Records Act and FOIA. This put individual personal privacy at risk. It also put the university in a difficult position, being that it could not comply with laws unless owners somehow granted official access to their private email.

What did the university do about it?

The university implemented a new policy restricting email auto-forwarding for employees on October 5, 2021. This required new email habits for those used to fielding their official work email from other places, or with different solutions.

To prepare, the Chief Privacy and Security Officer, Tech Services, and partners all around the university did 4 things:

1) Identified and gave ample notice to university employees and support personnel of those who auto-forward their email in EDE or via O365 rules.

2) Provided guidance on how to eliminate rules or what to do.

O365 "how-to" guidance

EDE guidance

OR "do nothing" (existing rules disabled once we implement)

3) Provided support and guidance to non-technical audiences who need to convey the new requirement to their support people.

4) Implemented new policies within O365 and departmental mail services.

When was the policy implemented?

Tuesday, October 5, 2021

Where can I find related resources?

       (Identity Management) "Leaving Campus for Faculty and Staff" https://answers.uillinois.edu/47708
       (Illinois Email) "How to set up email redirection" https://answers.uillinois.edu/47593
       (EDE) "How to stop forwarding to an alternate email address": https://answers.uillinois.edu/illinois/86742
       (O365/Outlook) "How to Delete Inbox Rules from Outlook": https://answers.uillinois.edu/109993

What if I was forwarding to an Illinois Google Email account (g.illinois.edu)?

In addition to not having ability to know about or react to cybersecurity events outside the O365 environment, the university does not support use of Google email for employees. Email forwarding to Illinois Google will no longer be an option for those university employees who have a primary affiliation of faculty or staff.

NOTE: This item pertains to Google email only. All other Google apps licensed by the university are still supported.

What if I am forwarding to an Illinois subdomain or departmental Email account (*@dept.illinois.edu)?

People with Illinois email service provided within their unit by way of a local server or service will continue to be able to use such services. However, forwarding will no longer be an option for those employees in either the departmental subdomain or in the main O365 environment, including forwarding from one to the other.

How can I request more time to make the change, or request an exception?

The policy is now in place, and express exception request process ended. If for some reason, it is necessary to explore this path, it might be possible, but changes to the policy groups must be done manually, and will be processed as a work order, on roughly a 2 week timeline. You may still access your Illinois email in O365 until, see https://techservices.illinois.edu/email-how-to-log-in/. As was before, cases presented are subject to approval by campus governance and your unit executive's acceptance of the risks.

Which laws are in play here?

        Illinois State Records Act (5 ILCS 160/): https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=86
        Illinois Freedom of Information Act (5 ILCS 140/)
       https://www.cyberdriveillinois.com/departments/library/about/foia.html
       https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=85&ChapterID=2

Keywords:	email, security, forward, forwarding, inbox, rules, policy, staff, employee, policy rule, EDE, disabled redirect redirection Suggest keywords	Doc ID:	110048
Owner:	Security S.	Group:	University of Illinois Technology Services
Created:	2021-04-01 13:37 CDT	Updated:	2021-10-07 12:06 CDT
Sites:	University of Illinois System, University of Illinois Technology Services
Feedback:	0 11 Comment Suggest a new document Subscribe to changes