Data in Transit Policy
Version 1.4
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to define how University data is electronically transmitted.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- The requirements for transmitting Fordham Protected, Fordham Sensitive, or Public Data via email or other electronic methods are listed in the table below.
- The type of data dictates the method of transmission as per the Data Classification Guidelines.
Rules for transmitting Fordham Protected, Fordham Sensitive, or Public Data1
| Fordham Protected Data | Fordham Sensitive Data | Public Data | |
|---|---|---|---|
|
Not permitted without express authorization or unless required by law.
|
Messages shall only be sent to authorized individuals with a legitimate need to know.
|
No protection requirements | |
| Electronic Transmission or Forwarding (e.g., LAN, Bluetooth, Wi-Fi) |
Secure, authenticated connections or secure protocols must be used for transmission of protected data via:
|
Data must be transmitted in either an encrypted file format or over a secure protocol or connection via:
|
No protection requirements. |
1 The information included in this table is not comprehensive. Refer to other IT policies for details related to the topics mentioned.
2 SpecialPublications/NIST.SP.800-52r2, RTC-8996, Deprecating TLS 1.0 and TLS 1.1
Definitions
Authentication is used when the server needs to identify who is accessing the information or site. Authentication does not determine what tasks the individual can do or what files the individual can view.
Authorization is a process by which a server determines if the individual has permission to use a resource or access a file. Authorization is usually coupled with authentication so the server can identify the individual requesting access.
Encryption involves the process of transforming data so that it is unreadable by anyone who does not have a decryption key. Encryption in transit means ensuring that all data sent over a network is encrypted.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Related Policies and Procedures
- Acceptable Uses of IT Infrastructure and Resources
- Data Classification Guidelines
- Data Classification and Protection Policy
- Data at Rest Policy
- Third-Party Data Transfer Policy
Implementation Information
| Review Frequency | Biennial |
|---|---|
| Responsible Person | Senior Director of IT Security and Assurance |
| Approved By | CISO |
| Approval Date | May 22, 2018 |
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 04/06/2018 | Initial policy |
| 1.0.1 | 05/22/2018 | Updated disclaimer statement |
| 1.1 | 06/09/2020 | Updated table |
| 1.2 | 07/02/2022 | Updated table |
| 1.3 | 12/22/2022 | Added TLS sources reference footnote |
| 1.4 | 03/05/2024 | Updated table, updated disclaimer |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.