Data in Motion: Sending & Sharing Data
Rarely does important data stay at rest. Much of its value is based on its shared worth to a larger group. It is therefore critical that the data is protected when being transmitted between points.
If the data is Brown Restricted Information, more stringent care is required to ensure the privacy of Brown's students, employees and associated individuals.
Brown Restricted Information
The Policy on the Handling of Brown Restricted Information includes the following transmission requirements:
- Brown Restricted Information should never be transmitted over the network "in the clear." It should always be transmitted using an Information Security Group-approved encryption mechanism. Approved transport encryption includes: HTTPS, Secure Shell (scp/sftp), SSL/TLS, FTPS (TLS wrapped FTP) and IPSec.
- Brown Restricted Information should never be transmitted via unencrypted email. Password-protected documents or spreadsheets can be used as attachments in certain cases, with approval of the Chief Information Security Office. Approved file/email encryption includes: S/MIME signed and encrypted email, PGP/GnuPG encrypted email and files, password-protected zip files, and password-protected Microsoft Office documents.
While the University does not currently have an enterprise encryption solution, CIS can supply solutions for secure transmission on a case-by-case basis in the interim. These solutions include VPN transmission, secure FTP (free clients for both are available from the Software Distribution web site), and file encryption.
Remote Access to Brown's Network
Use VPN (Virtual Private Network) for secure access to Brown network services for off-campus and wireless users. When installed on a personal computer, a VPN connection provides a Brown IP (Internet Protocol) address at a remote location for a period of up to eight hours.
Google Apps and Sharing Documents
The following guidelines for sharing data securely are excerpted from the document Google Apps, Grades, Security, and Sensitive Information. Please visit it for full details.
- Check the email address: Be sure that you are choosing the proper email address, as there are many similar and duplicate names in our directory. It is also possible to share the document with any individual outside of the organization by simply entering an email address. In any of these scenarios it is essential that you are 100% certain that the entry made is that of the colleague that you intend to share the data with, and that they will use it responsibly.
- Check the scope of distribution: Choose carefully whether those you are sharing a document with should have only "view" access or the ability to edit the document. When you give someone "can edit" access, they also have the ability to share it with others. Also, be aware of the option to "publish to the web", and consider whether the information you are publishing is appropriate for that view.
- Read Google Docs Best Practices: Additional information and frequently asked questions on sharing Google docs can be found on this Brown web page.
When on campus and connecting via the wireless network, use the Brown-Secure network for better access options as well as a higher level of security and protection of data.
Data may also be transported on portable media such as a thumb drive (also known as flash or USB drives or memory sticks). Due to their small size, these are prone to loss. Therefore Personally Identifiable Information (PII) or restricted information should not be stored on them unless the drive is encrypted. Several vendors offer encrypted options (some product reviews are listed here). In addition, care should be taken to prevent a USB drive from being compromised by attackers. See the Secure IT! story Focus on Mobile Security - Thumb Drives for details and more tips.