Guideline for Information Transfer

I. Purpose

The purpose of this document is to provide guidance in maintaining the security of information transferred within the university and with any external parties.

II. Scope

This guideline is applicable to UNC Charlotte faculty, staff, and students as well as other authorized users who transfer university information through a communication mechanism. Every authorized user of university information resources has a responsibility to take appropriate measures to safeguard that information.

III. Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. Guidelines

Prior to transferring any non-public (Level 1 or higher) university information, it is important to understand not only the classification level and handling restrictions described in the UNC Charlotte Guideline for Data Handling, but also any additional restrictions that may be in place for that data. Additional restrictions may include:

• Contracts which include language regarding the protection of data
• Data Security Plans which define how data used in research is to be handled
• Restrictions implemented by the Data Owner
• Restrictions implemented by a Data Security Officer
• Legal or regulatory restrictions
• Export Control regulations

After confirming that the transfer of data has proper approval, it is important to further protect university information by ensuring that:

• The data is sent, and access is given, only to those who have a need for the information and who are authorized to view that information.
• Recipient addresses are checked to ensure that information is being sent to the intended audience.
• Mechanisms such as encryption or secure file transfer (SFTP) are considered to help prevent unauthorized access or modification of the data. Encryption capabilities in current versions of Microsoft Word and Excel and Adobe Acrobat are good options for this. Encryption keys/passwords should be communicated separately.
• Malware/anti-virus software is in place at the sending and receiving end to prevent virus or malware spread through electronic communication.

Printers, copiers, facsimile machines, and multi-functional devices

Printers, copiers, facsimile (fax) machines, or multi-functional devices (MFD) used to copy, print or transmit university information resources should be configured to reduce the risk of data exposure due to loss, theft or compromise. Departments using, or considering the use of printers, copiers, fax machines or MFDs for the replication or transmission of university data should follow the guidelines below.

NOTE: Individuals that need to print highly restricted university information (i.e., Level 3 data) should use a printer connected to a dedicated print server or a printer that is locally mapped to a university owned and managed computing device.

Secure configuration

• Work with OneIT to ensure appropriate and secure network connectivity for the device.
• Where applicable, change default administrative passwords to meet UNC Charlotte standards (see UNC Charlotte Guideline for Account Passwords).
• Disable unused ports and all unneeded services and features.
• Work with the manufacturer to set a job timeout value and, where possible, to erase or overwrite the hard disk between jobs.

Physical security

Departmental devices used for copying, printing, or transmitting sensitive data should be located in a secure space with access limited to appropriate personnel.

Non-university devices

Non-public data should not be copied, printed, or transmitted using a non-university device.

Device updates

Perform firmware updates on a regular basis.

Secure use of fax functionality

Fax machines and MFDs with fax functionality present additional security issues. Departments with a business need to fax sensitive data should work with OneIT to ensure the connection is on a secure and isolated network. Additional measures include but are not limited to:

• Confirming that the intended recipient is waiting to receive the transmission.
• Pre-programing frequently used fax numbers to avoid data entry errors.
• Visually checking the number on the fax machine before initiating transmission when entering a number manually.

NOTE: Payment card data must not be faxed using an MFD.

Secure transfer or disposal

Printers, copiers, MFDs and fax machines may contain hard drives which may be storing information. To ensure this information is not accessed inappropriately, drives should be handled according to the steps outlined in the UNC Charlotte Guideline for Hardware and Media Disposal.

Related Resources

• University Policy 311 Information Security
• University Policy 304 Electronic Communication System
• Guideline for Account Passwords
• Guideline for Data Handling
• Guideline for Data Security in Cloud Services
• Guideline for Hardware and Media Disposal
• Guideline for Network Security
• Guideline for Research Data Security
• ISO/IEC 27002

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 8/07/15
Updated 8/05/21