Data in Transit Policy

Version 1.0.1

Purpose

The purpose of this policy is to define how University data is electronically transmitted.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • The requirements for transmitting University Protected, University Sensitive, or University Public Data electronically, via remote server access, via email, or via text messages are listed in the table below.
  • The type of data dictates the method of transmission.

Rules for transmitting Fordham Protected, Fordham Sensitive, or Fordham Public Data[1]

Electronic Transmission or Forwarding (e.g., LAN, Bluetooth, Wi-Fi)

Fordham Protected Data: Secure, authenticated connections or secure protocols must be used for transmission of protected data via:

  • Hyper Text Transfer Protocol Secure (HTTPS)
  • Secure File Transfer Protocol (SFTP) server
  • Transport Layer Security (TLS)

Fordham Sensitive Data: Data must be transmitted in either an encrypted file format or over a secure protocol or connection via:

  • Secure File Transfer Protocol (SFTP) server
  • Hyper Text Transfer Protocol Secure (HTTPS)
  • Transport Layer Security (TLS)

Fordham Public Data: No protection requirements.

Remote server access

Fordham Protected Data: The connection must be established over an authenticated and secure protocol or VPN.

Fordham Sensitive Data: The connection must be established over an authenticated and secure protocol or VPN.

Fordham Public Data: No protection requirements.

Email

Fordham Protected Data: Not permitted without express authorization or unless required by law. If authorized, data shall only be included in messages within an encrypted file attachment or via secure authorized services.

  • Hyper Text Transfer Protocol Secure (HTTPS)
  • Transport Layer Security (TLS)
  • Encrypt email
  • Encrypt file
  • Send file with password protection

Fordham Sensitive Data: Messages shall only be sent to authorized individuals with a legitimate need-to-know. Messages can be sent via a secure protocol and/or process.

  • Hyper Text Transfer Protocol Secure (HTTPS)
  • Transport Layer Security (TLS)
  • Encrypt email
  • Encrypt file
  • Send file with password protection

Fordham Public Data: No protection requirements.

Text Messaging

Fordham Protected Data: Not permitted.

Fordham Sensitive Data: Not permitted.

Fordham Public Data: No protection requirements.

[1] The information included in this table is not comprehensive. Refer to other IT policies for details related to topics mentioned.

Definitions

Authentication is used when the server needs to identify who is accessing the information or site. Authentication does not determine what tasks the individual can do or what files the individual can view.

Authorization is a process by which a server determines if the individual has permission to use a resource or access a file. Authorization is usually coupled with authentication so that the server can identify the individual requesting access.

Encryption involves the process of transforming data so that it is unreadable by anyone who does not have a decryption key. Encryption in transit refers to ensuring that all data sent over a network is encrypted.

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Risk and Data Integrity
Approved By: CISO
Approval Date: May 22, 2018

Revision History

Version 1.0 (04/06/2018): Initial policy
Version 1.0.1 (05/22/2018): Updated disclaimer statement

Policy Disclaimer Statement:

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.