Data classified as Level 3 or Level 4 under the University's Data Classification System should only be transmitted or transferred when absolutely necessary. This includes, but is not limited to, transmitting/transferring to other University staff, other University systems, non-University staff and non-University systems.
The following requirements must be followed to ensure that the security and integrity of the data are maintained at all times.
- Email should be sent with an appropriate notice advising any unintended recipient to destroy the email.
- Email must be encrypted or the contents otherwise protected from casual disclosure (i.e., placing the contents within a password-protected document as an attachment).
- Sender must make every reasonable effort to ensure that each recipient's email address is correct.
- Sender must verify that the email has been received by the intended recipient. If receipt can't be confirmed, sender and/or intended (University) recipient must make every reasonable effort to determine whether the email was actually sent and to what address, and to ensure that it is subsequently deleted. Additionally, the incident must be reported to the appropriate business unit ISO.
- Faxes should be sent with an appropriate cover letter advising any unintended recipient to destroy the fax.
- Sender and recipient must coordinate transmittal of the document prior to sending.
- Sender must make every reasonable effort to ensure that the recipient's fax number is correct.
- The original document must be shredded after transmittal unless retention is required.
- Fax machines must be in a secure, non-public location.
- The "store and forward" memory function must be disabled.
- Sender must verify immediately after transmittal that the fax has been received by the intended recipient. If receipt can't be confirmed, sender and/or intended (University) recipient must make every reasonable effort to track down the location of the fax.
Electronic Data and File Transfer
- Whenever possible, secure data transfers should be conducted internally and externally utilizing MOVEit Central, Secure TransmIT or an equivalent application/process provided or approved by the central IT department at each business unit.
- Live client-server interactions should be encrypted when technically feasible.
Physical Transfer of Paper Documents or Other Media
- Physical transport of paper documents or other media is allowed using:
  - US Postal Service
  - UPS, FedEx or other commercial delivery services
  - Campus Mail (envelopes must be properly sealed and marked confidential)
  - Intercampus couriers (items should be enclosed in properly marked and sealed containers)
- Intra- or inter-campus couriering must be handled by University-employed couriers when appropriate. When such couriers are not used, the delivery must be made by a known and trusted employee or volunteer.
- When possible, sender must be able to track progress during and after physical transport. (Signature receipt for a registered US Postal Service delivery is an example of an acceptable form of tracking.)
- If mailed or couriered documents or media are known to be lost, the incident must be reported to the appropriate business unit ISO.