Send Passwords and Restricted Data Securely
What does this mean?
Passwords and restricted data must be encrypted when they are sent electronically to reduce the risk of being intercepted and stolen.
What Should You Do?
For Passwords:
- Make sure your email client (Thunderbird, Apple Mail, Outlook, etc.) is configured for secure authentication (sign-in) and secure sending and receiving of email. This will encrypt your password when you log in. For UCSC Google mail, see http://its.ucsc.edu/email/config-google/index.html or contact the ITS Support Center.
- See B, Web pages, below, for information about protecting your password on the Internet.
For Restricted Data:
Restricted data must be encrypted when it is sent electronically -- either the transmission must be encrypted or the data itself must be encrypted. Follow the recommendations "For Confidential Data and Encrypted Restricted Data," below, whenever possible when sending encrypted restricted data.
Standard, unencrypted email, instant messaging (IM), FTP, unencrypted web pages and other unencrypted methods of transmitting information are not appropriate for use with restricted data. Where encryption is not available, always de-sensitize restricted data before sending it.
Note: Sending restricted data in encrypted, password protected attachments is acceptable as long as the password is communicated separately and securely.
For Confidential Data and Encrypted Restricted Data:
Always consider the following before hitting the "send" button:
- Can you reduce the level of sensitivity?
  The easiest way to protect confidential data is not to send it in the first place. Is it possible to de-sensitize the information before you send it?
- Should you be emailing it at all?
  Can you use the telephone or send a paper copy instead?
- Can you minimize the amount of confidential data you are sending?
  - Always read the entire email message before adding to it, replying, or forwarding. Delete confidential data that does not need to be included.
  - Start a fresh email when you're starting a new subject. Don't just add it on to another email -- especially one that contains confidential data. Include as little confidential data as possible in the new email.
  - Limit distribution of any email containing confidential data to the smallest audience possible, and remember to include a conspicuous label that it is confidential (see below).
- Who are you sending it to?
  - Don't distribute or forward confidential data widely or casually.
  - Don't forward confidential data without appropriate authorization.
  - If you absolutely have to send confidential data electronically, only send it to people who absolutely need to receive it for University business purposes.
  - With email, check the entire "to" and "cc" fields before you hit "send" to make sure you know everyone you're emailing. Remove extra addresses. Also, don't use mailing lists if you're sending confidential data.
- Is it labeled correctly?
  Email and files containing confidential data should clearly say so. Examples of language to include in files or email:
  - “Confidential data: Do not redistribute or forward”
  - “Confidential – Not For Public Disclosure”
  - "The information in this e-mail is confidential and intended solely for the use of the individual(s) to whom it was addressed. It may only be distributed to those with a University business need to know."
  - If you're sending an email, start the subject line with the word "CONFIDENTIAL".
Additional Instructions For:
A. Email and instant messaging (IM)
Email and instant messaging (IM) are vulnerable to being intercepted. If you need to send or receive email, attachments, files, or IM containing restricted data, contact the ITS Support Center to set up a way to do this securely.
B. Web pages
- Use known, trusted websites when you are logging in or providing information online. Don't log in or provide sensitive information to a web page you reached by clicking on a link -- in email, IM, text message, advertisements, Social Networks, search results, etc.
- Make sure that web pages have https (not http) in the web address (URL) before you enter a password or any sensitive or personal information. The https means the information you enter is being encrypted during transmission, including your password. Check for this before you enter sensitive or personal information, including your password, online. If the page is not https, don’t log in and don’t enter the information.
C. Sending files
If you transfer files containing restricted data, contact the ITS Support Center to set up a way to transfer them securely. Don't use FTP or Telnet to transfer files; use SFTP or SSH instead.
D. Using non-UCSC computers or networks
When you use a non-UCSC computer or mobile device, or you're working from an off-campus location, you need to be extra cautious about protecting your passwords and restricted data. It is important to ensure that necessary security is not overlooked. This may mean taking extra precautions or not doing certain tasks on shared or public machines, including home computers, if you’re not able to ensure proper security. Never send or access restricted data from an unknown computer -- or from a home computer or mobile device if you're not certain it is set up securely. See ITS' remote access requirements for ways to reduce the risk associated with using non-UCSC computers and networks, or contact the ITS Support Center for assistance. Additional information about home computer security and mobile device security is also available.
Special notes about wireless:
- Information sent via standard wireless is especially easy to intercept. Don’t connect to unknown wireless hot spots/access points if you’re concerned about security or privacy (or your passwords).
- Only use known, encrypted networks when working with sensitive information. UCSC’s eduroam secure wireless is encrypted and is available to all UCSC students, researchers, faculty, and staff. Most coffee shop/hotel/airport-type wireless is not encrypted. If you’re not sure about a wireless network, assume it’s not encrypted.
- Set devices to “ask” before joining networks so you don’t unknowingly connect to insecure wireless networks.
- You may not send/transmit credit card data via wireless unless your department has received formal approval from the Campus Controller, and you are using an approved, secure method of transmission.
E. Compromised computers
If a computer appears to be infected or compromised, don't use it to send or access restricted data. Disconnect the computer from the network, turn off wireless, and contact the ITS Support Center for instructions.
Additional information about restricted data, including definitions and protection, is available on ITS' Restricted Data Resources web page.
Limited encryption information is available at http://its.ucsc.edu/security/encryption.html
Rev. February 2012