Critical information is to be used solely for the purpose for which it was collected, and in ways consistent with furthering the university’s mission. Never use this information for personal gain or profit, the gain or profit of others, to satisfy curiosity, or to engage in academic, personal, or research misconduct. Inappropriate handling of this data could result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, and/or unauthorized access to this type of information by an individual or many individuals.
Immediately report any misuse of critical information to the appropriate authorities.
Transmission by hand
Transferring physical files from person to person is a common occurrence. Perhaps you need to send a class roster spreadsheet to an office assistant or a document containing a grant proposal to a colleague. In each of these cases, it's important to know what options are available to get your file from point A to point B using a method appropriate for the data being transferred.
When preparing the documents for transfer, consider the following:
Use reliable transport or couriers, and be sure to verify the identity of couriers prior to providing any information to them. See the Media Disposal Guide for a list of approved couriers.
Protect information from unauthorized disclosure or modification during transit (for example, use locked containers or tamper-evident packaging).
Always require a signature from the recipient.
Provide a full address for the recipient — not a P.O. Box.
Keep your shipping documentation, including the tracking number.
Follow up to ensure the information made it to the intended recipient.
Transmission electronically
Electronic documents containing critical information must be encrypted while in transit over the network and in storage. Strong authentication is also required with critical data to ensure both the sender and recipient are who they claim to be. If you cannot use an encrypted transit method, then encrypt the file itself prior to sending.
Secure Share (replacing Slashtmp Critical) encrypts data in transit and at rest, requires CAS authentication for those affiliated with IU, and requires password authentication for non-IU collaborators. Please note that Secure Share is not suitable for data covered by the PCI DSS, such as credit card data.
When transmitting payment card information or health information, comply with PCI DSS or HIPAA as appropriate.
Websites
Websites can also use and transmit critical information. These sites must be secure and transmit information over a secure channel. Generally, secure websites protect the confidentiality of web transactions using Transport Layer Security (TLS).
Faculty and staff who maintain servers and websites at IU can use the QualysGuard vulnerability scanners (more informally known as “Qualys”) to discover vulnerabilities. Periodically scanning and reviewing scan reports is required by IU’s information security policy, IT-12.
Learn about other methods of protecting data during electronic transmission at our Information Security & Policy website.