SP 6-10j – Email Security

Colorado Community College System / System Procedure

SP 6-10j

APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021


Board Policy (BP) 6-10, Cyber Security Policy
System Procedure (SP) 6-10a, Acceptable Use of Information Asset
System Procedure (SP) 6-10e, Audit Logging and Monitoring
System Procedure (SP) 6-10k, Data Classification, Handling, and Protection


/ Joe Garcia /
Joseph A. Garcia


This procedure documents the requirements for the protection of Restricted or Sensitive information transmitted via email to and from the Colorado Community College System and its Colleges’ (“CCCS”) email system.


This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.


Malware is a collective term for any type of malicious software including viruses, ransomware, and spyware. Malware typically consists of malicious code designed to cause extensive damage to data and systems to gain unauthorized access to a network.

Spam is defined as unsolicited and unwanted junk email sent out in bulk to an indiscriminate recipient list.


The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.

CCCS employees may not send Sensitive or Restricted information through CCCS’s email system, as defined in the Data Classification, Handling, and Protection Procedure (SP) 6-10k.

Several tools and layers of protection and prevention shall be put in place to protect data, and CCCS shall continue to review and improve on the data protection measures in place as the technology landscape evolves.


  • If malware is detected in an email attachment, the attachment will be removed prior to delivering the message to the end user’s mailbox.


  • If an email is identified as spam, the message will be flagged as such and delivered to the end user’s mailbox. If it is from a known bad sender, the message will not be delivered to the end user’s mailbox.


CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.