The purpose of this standard is to maintain the security of information transferred within the university and with any external parties.
This guideline is applicable to UNC Charlotte faculty, staff, and students as well as other authorized users who transfer university information through any communication mechanism. Every authorized user of university information resources has a responsibility to take appropriate measures to safeguard that information.
Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliancefirstname.lastname@example.org.
Prior to transferring any non-public (Level 1 or higher) university information, it is important to understand not only the classification level and handling restrictions described in the UNC Charlotte Guideline for Data Handling, but also any additional restrictions that may be in place for that data. Additional restrictions may include:
- Contracts which include language regarding the protection of data
- Data Security Plans which define how data used in research is to be handled
- Restrictions implemented by the Data Owner
- Restrictions implemented by a Data Security Officer
- Legal or regulatory restrictions
- Export Control regulations
After confirming that the transfer of data has proper approval, it is important to further protect university information by ensuring that:
- The data is sent, and access is given, only to those who have a need for the information and who are authorized to view that information.
- Recipient addresses are checked to ensure that information is being sent to the intended audience.
- Mechanisms such as encryption or secure file transfer (SFTP) are considered to help prevent unauthorized access or modification of the data. Encryption capabilities in current versions of Microsoft Word and Excel and Adobe Acrobat are good options for this. Encryption keys/passwords should be communicated separately.
- Malware/anti-virus software is in place at the sending and receiving end to prevent virus or malware spread through electronic communication.
Printers, copiers, facsimile machines, and multi-functional devices
Printers, copiers, facsimile (fax) machines, or multi-functional devices (MFD) used to copy, print or transmit university information resources should be set up to reduce the risk of data exposure due to loss, theft or compromise. Departments using, or considering use, of printers, copiers, fax machines or MFDs for the replication or transmission of university data should ensure the following:
- Work with ITS to ensure appropriate and secure network connectivity for the device.
- Where applicable, change default administrative password meeting UNC Charlotte standards (see UNC Charlotte Guideline for Account Passwords).
- Disable unused ports and all unneeded services and features.
- Work with manufacturer to set a job timeout value and, where possible, to erase or overwrite the hard disk between jobs.
Departmental devices used for copying, printing, or transmitting sensitive data should be located in a secure space with access limited to appropriate personnel.
Non-public data should not be copied, printed, or transmitted using a non-university device.
Perform firmware updates on a regular basis.
Secure use of fax functionality
Fax machines and MFDs with fax functionality present additional security issues. Departments with a business need to fax sensitive data should work with ITS to ensure the connection is setup on a secure and isolated network. Additional measures include but are not limited to:
- Confirming that the intended recipient is waiting to receive the transmission.
- Pre-programing frequently used fax numbers to avoid data entry errors.
- Visually checking the number on the fax machine before initiating transmission when entering a number manually.
NOTE: Payment card data must not be faxed using an MFD.
Secure transfer or disposal
Printers, copiers, MFDs and fax machines may contain hard drives which may be storing information. To ensure this information is not accessed inappropriately, drives should be handled according to the steps outlined in the UNC Charlotte Guideline for Hardware and Media Disposal.
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Initial Draft 7/21/15
Information Assurance Committee Approval 8/07/15