Policy Statement

Effective 10 January 2025, all email accounts not assigned to individual users (e.g., FunctionalUnit@apu.edu.my) must be converted to shared mailboxes. This policy applies to all existing and newly created non-personal email accounts across the organisation. The policy is introduced to enhance security and ensure effective management of organisational email resources.

Purpose

The purpose of this policy is to:

1. Strengthen security by minimising the risk of unauthorised access to generic email accounts.

2. Streamline the management and monitoring of shared resources for operational efficiency.

Scope

This policy applies to:

• All existing and future email accounts created for roles, functions, teams, or functional units(e.g., support, admin, helpdesk) that are not tied to a specific individual.

• Email accounts used for automated services, group communications, or departmental operations.

Policy Requirements

1. Mandatory Conversion:

   • All existing non-personal email accounts will be reviewed and converted to shared mailboxes by the IT department before 31 January 2025.

   • All new non-personal email accounts created after 10 January 2025 must be set up as shared mailboxes.

2. Access Permissions:

   • Access to shared mailboxes will be limited to authorised users only.

   • Permissions (Full Access, Send-As, Send-On-Behalf) will be assigned based on users’ roles and operational needs.

Procedure

1. The Technology Services will identify all existing non-personal accounts and notify the respective department heads.

2. Unit heads will provide a list of authorised users and their required access permissions (Full Access, Send-As, Send-On-Behalf).

• Full Access:
  This permission allows a user to open and view the mailbox as if it were their own. They can read, delete, and modify the mailbox's contents, but they cannot send emails from the mailbox unless "Send-As" or "Send-On-Behalf" permissions are also granted.

• Send-As:
  This permission allows a user to send emails from the shared mailbox as if they were the mailbox owner. For example, when a user sends an email, it will appear to recipients as if it was sent directly by the shared mailbox (e.g., admin@staffemail.apu.edu.my).

• Send-On-Behalf:
  This permission allows a user to send emails on behalf of the shared mailbox. For example, when a user sends an email, it will appear to recipients as:
  "Sent by [User's Name] on behalf of admin@staffemail.apu.edu.my.

3. The IT team will perform the conversion and configure access permissions.

4. Post-conversion, a security audit will be conducted to verify proper implementation and compliance.

For new accounts:

• Requests for non-personal email accounts must be submitted to the IT department, specifying the intended purpose and required access permissions.

• The IT department will create the account as a shared mailbox and provide access to the authorised users.

Exceptions

Exceptions to this policy may be granted under the following conditions:

• Legal or regulatory requirements necessitate the use of individual accounts for specific roles.

• Other exceptional business needs, subject to approval by the Technology Services and senior management.

Effective Date: 10 January 2025