UC Santa Cruz Information Technology Services

Cyber Security Basics: Send Passwords and Restricted Data Securely


What does this mean?

Passwords and restricted data should be encrypted when they are sent electronically to reduce the risk of being intercepted and stolen.


What should you do?

For passwords:

  1. Make sure your email client (Thunderbird, Apple Mail, Outlook, etc.) is configured for secure authentication (sign-in) and secure sending and receiving of email. This will encrypt your password when you log in. For CruzMail, see http://its.ucsc.edu/service_catalog/cruzmail/email_client.php or contact the ITS Support Center.
  2. See "Web pages", below, for protecting your password on the Internet.


For restricted data:

Always consider the following before hitting the "send" button:

  1. Is it restricted data?
    The easiest way to protect restricted data is not to send it in the first place. Is it possible to de-sensitize the information before you send it?

  2. Should you be emailing it at all?
    Can you use the telephone or send a paper copy instead?

  3. Can you minimize the amount of restricted data you are sending?
    • Always read the entire email message before adding to it, replying, or forwarding. Delete restricted data that does not need to be included.
    • Start a fresh email when you're starting a new subject. Don't just add it on to another email -- especially one that contains restricted data. Include as little restricted data as possible in the new email.
    • Limit distribution of any email containing restricted data to the smallest audience possible, and remember to include a conspicuous label that it is confidential (see below).
  4. Who are you sending it to?
    • Don't distribute or forward restricted data widely or casually.
    • Don't forward restricted data without appropriate authorization.
    • If you absolutely have to send restricted data electronically, only send it to people who absolutely need to receive it for University business purposes.
    • With email, check the entire "to" and "cc" fields before you hit "send" to make sure you know everyone you're emailing. Remove extra addresses. Also, don't use mailing lists if you're sending restricted data.
  5. Is it labeled correctly?
    Email and files containing restricted data should clearly say so. Examples of language to include in files or email:
    • “Restricted data: Do not redistribute or forward”
    • “Restricted Data – Not For Public Disclosure”
    • "The information in this e-mail is confidential and intended solely for the use of the individual(s) to whom it was addressed. It may only be distributed to those with a University business need to know."
    • If you're sending an email, start the subject line with the word "CONFIDENTIAL".


Additional instructions for:

1. Email
Email and instant messaging (IM) are vulnerable to being intercepted. If you send or receive email, attachments, files, or IM containing restricted data, contact the ITS Support Center to set up a way to do this more securely.

2. Web pages
Make sure that web pages have https (not http) in the web address (URL) before you enter a password or any sensitive or personal information. The https means the information you enter is being encrypted during transmission, including your password. Most web browsers also have a small image of a locked padlock that appears near the URL or in a corner of the browser window to indicate that information is being encrypted. Check for these indicators before you enter sensitive or personal information, including your password, online. If they’re not there, don’t log in and don’t enter the information.

3. Sending files
If you transfer files containing restricted data, contact the ITS Support Center to set up a way to transfer them securely. Don't use FTP or Telnet to transfer files; use SFTP or SSH instead.

4. Using non-UCSC computers or networks
When you use a non-UCSC computer or you're working from an off-campus location, you need to be extra cautious about protecting your passwords and restricted data. It is important to ensure that necessary security is not overlooked. This may mean taking extra precautions or not doing certain tasks on shared or public machines, including home computers, if you’re not able to ensure proper security. Never send or access restricted data from an unknown computer -- or from a home computer if you're not certain it is set up securely. See ITS' remote access guidelines for ways to reduce the risk associated with using non-UCSC computers and networks, or contact the ITS Support Center for assistance. Additional information about home computer security is also available.

5. Compromised computers
If a computer appears to be infected or compromised, don't use it to send or access restricted data. Disconnect the computer from the network, turn off wireless, and contact the ITS Support Center for instructions.

6. IT Service Providers
If you are an IT service provider running an application that handles restricted data, make sure it is configured to require secure transmission of passwords and data.
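
One way an application can require secure transmission, shown as an added example that is not UCSC's own code: a Python WSGI wrapper that redirects plain-http page requests to https, refuses anything posted over http, and adds an HSTS header to https responses. The names require_https, login_app and call, and the host app.example.edu, are hypothetical.

```python
from urllib.parse import quote

HSTS = ("Strict-Transport-Security", "max-age=31536000")

def require_https(app, canonical_host):
    """Wrap a WSGI app so it never handles a request that arrived in cleartext."""
    def middleware(environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            def secure_start(status, headers, exc_info=None):
                # Ask browsers to use https for later visits as well.
                return start_response(status, list(headers) + [HSTS], exc_info)
            return app(environ, secure_start)
        if environ.get("REQUEST_METHOD") in ("GET", "HEAD"):
            # Redirect to a fixed host name rather than the client-supplied
            # Host header, so the redirect target cannot be influenced.
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
            query = environ.get("QUERY_STRING", "")
            location = "https://" + canonical_host + path + ("?" + query if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        # A form posted over http has already crossed the network unencrypted.
        # Refuse it without reading the body, so the app never accepts it.
        body = b"HTTPS is required.\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
    return middleware

def login_app(environ, start_response):
    """Constructed stand-in for an application that accepts a password."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"signed in\n"]

def call(app, scheme, method, path="/login"):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "PATH_INFO": path, "QUERY_STRING": "", "SCRIPT_NAME": ""}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    app = require_https(login_app, "app.example.edu")
    for scheme, method in (("http", "GET"), ("http", "POST"), ("https", "POST")):
        print(scheme, method, call(app, scheme, method)[0])
```

If TLS ends at a proxy in front of the application, wsgi.url_scheme describes only the proxy-to-application hop, so the scheme has to come from the proxy's trusted configuration instead.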



Additional information about restricted data, including definitions and protection, is available on ITS' Restricted Data Resources web page.


GETTING HELP:

Contact the ITS Support Center or your ITS Divisional Liaison with questions or concerns about any of this information, or to make sure you have what you need to send and receive restricted data securely.



Rev. 1/20/09