Third Party Data Transfer Policy
September 1st, 2009
To secure Fordham University data that is transferred or transmitted between Fordham University controlled systems and non-Fordham University controlled systems.
Any user or department that transfers or transmits University data to or from a system outside the administrative control of Fordham University is bound by this policy.
"Fordham University data" or "University data" means and includes all information, documents and things containing Fordham University's proprietary or confidential information or designated by Fordham University as proprietary and confidential.
- All transfers or transmission of data, to or from Fordham University to an external third party, vendor or system must be reviewed by the office of IT Risk and Integrity and approved prior to the transfer or transmission.
- To receive approval, the requestor must provide the following information via e-mail to firstname.lastname@example.org:
  - The corporate name of the outside party and all individuals at the third party corporation that may have access to Fordham University data, or, if the recipient is an individual, the individual's name, title and contact information.
  - The specific data elements that will be transferred between Fordham University and the third party (including but not limited to: Social Security numbers, credit card numbers, family information, financial information, health records, other personally identifiable information, etc.).
  - The method of transfer (including but not limited to: SFTP, VPN, HTTPS, etc.) and all security measures taken or to be implemented to ensure a secure transfer or transmission.
  - The purpose of the transfer or transmission.
- Any external vendor that stores University data must have a signed contract with Fordham University. This contract must be approved by Fordham University's Legal Department prior to any transfer or transmission of University data. The Fordham University Legal Department must confirm that the proper legal protections and requirements for confidentiality are in place prior to execution of any such contract.
- Any protocol that transmits credentials in "clear text" (including but not limited to: FTP, TELNET or HTTP) is strictly prohibited.
- Any protocol that transmits data in "clear text" may be used, depending on the sensitivity of the data being transmitted as defined by the Data Owner responsible for the data in question. The office of IT Risk and Integrity will have final approval of the protocols for specific applications on a case-by-case basis.