Transmission and Sharing of UBC Electronic Information

Introduction

All UBC Electronic Information that is electronically or physically transmitted is at risk of being intercepted and copied by unauthorized parties. Users of UBC Systems have a responsibility to protect this information, according to its classification under the Security Classification of UBC Electronic Information standard.
This document provides standards on how to transmit or share UBC Electronic Information in a secure manner.
The Chief information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.

Key Considerations when Transmitting and Sharing UBC Electronic Information

Only transmit the minimum amount of information required to complete a task (the Principle of Least Privilege). Do not transmit any information that is not required (e.g. do not include Social Insurance Number and Date of Birth unless necessary). Where possible, do not transmit information that could be used to identify unique individuals.
Where possible, do not copy, extract or download Medium, High or Very High Risk Information from ERPs.
Medium, High or Very High Risk Information may be shared with other UBC employees on a ‘need to know’ basis, when their role at UBC requires them to have access to perform their duties.
Computing services based outside of Canada (such as Gmail) are not permitted for transmission or sharing of Personal Information unless a Privacy Impact Assessment (PIA) has been conducted for that service, and the risks of storage outside of Canada have been considered and accepted. Please refer to the PIA Process Overview for more information.
Before Medium, High or Very High Risk Information is shared with Service Providers, Users must ensure the recipient is compliant with all requirements in the Outsourcing and Service Provider Management standard.

Acceptable Methods of Transmitting and Sharing UBC Electronic Information

The table below provides requirements for Users of UBC Systems on how to appropriately transmit or share UBC Electronic Information based upon the Security Classification of UBC Electronic Information standard.

Method of Transmission	Information Security Classification
Method of Transmission	Very High Risk	High Risk	Medium Risk	Low Risk
UBC Email Accounts (e.g. FASmail)	Acceptable only when placed in encrypted email attachments	Acceptable, although if you are sending significant amounts of this information it is best practice to put it in an encrypted attachment		Recommended
Personal Email Accounts (e.g. Gmail, Hotmail)	Not permitted			Not recommended
UBC File Sharing, Collaboration & Messaging Tools^[1] (e.g. SharePoint, OneDrive, Teams, Zoom, network shared folders)	Recommended
Other/Personal File Sharing, Collaboration & Messaging Tools (e.g. Dropbox, Google Drives / Docs / Hangouts, Skype, Slack, Facebook)	Not permitted, unless approved by PIA			Not recommended
Mobile Storage Devices/ Media (e.g. USB drives, CDs/DVDs, tapes)	Encryption is required		Encryption is strongly recommended	Acceptable
Websites Hosted Within Canada	Permitted with authentication and HTTPS (encrypted) connections			HTTPS (encrypted) strongly recommended^[2]
Websites Hosted Outside Canada	Not permitted, unless approved by PIA		Permitted with authentication and HTTPS (encrypted) connections	HTTPS (encrypted) strongly recommended^[2]
Other Internet Transmissions (e.g. SSH, FTPS, SFTP)	Permitted with authentication and encrypted connections (insecure internet transmissions e.g. Telnet, FTP are not permitted)
Fax	Only permitted when sending/receiving fax machines are in secure locations (see Faxing guideline)

Section 3.1 does not prevent the use of UBC scanners/copiers on the University network to scan documents and email them to UBC email accounts regardless of the classification of the information in those documents.
In addition to section 3.1, UBC Systems and services must also comply with the Internet-facing Systems and Services standard.
Subject to section 3.1, if the User is using personal accounts or other information sharing tools to share UBC Electronic Information, they are responsible for ensuring that a copy of this information is stored on UBC Systems, located in UBC Datacentres or in other authorized locations, in addition to any desktop computers and Mobile Devices, at all times.
For the purpose of section 3.4, the following are authorized locations:
1. Datacentres at other higher education institutions and health authorities in Canada;
2. EduCloud;
3. Q9 Datacentre (Kamloops);
4. Compute Canada;
5. AWS Canada; and
6. other third party locations approved by the CISO.
For detailed information about encryption requirements, including how to encrypt documents and Devices, refer to the Encryption Requirements standard.
For further guidance or assistance with protecting UBC Electronic Information, please contact University IT Support Staff.

Email Forwarding from UBC Email Accounts

Case Study: Receiving Emails from Students

Students sometimes send emails to their instructors containing personal information about themselves. It is acceptable for instructors to receive and respond to these emails, as long as they only do so using their UBC email accounts. If the student wants to send or receive some extremely sensitive information, such as a medical report, the instructor should encourage the use of encryption on the document to ensure it is secure.

Automatically forwarding or redirecting UBC email accounts to non-UBC accounts (”auto-forwarding”) is only acceptable for UBC faculty and staff members who have appointments at other institutions and have difficulty managing multiple work email accounts. Under these circumstances, it is acceptable to auto-forward the UBC email account to the email account at the other institution, provided that:
1. the other institution is a public sector institution located in Canada;
2. the other institution’s email system is at least as secure as UBC’s email system; and
3. the staff or faculty member ensures that copies of emails of business value are returned to UBC Systems, so that they are managed in accordance with UBC’s Records Management Policy.
Forwarding or redirecting UBC email accounts that are used to transmit UBC Electronic Information to a personal email account is not permitted.

Additional Requirements for Merchant Systems

Due to the sensitivity of Payment Card Industry (PCI) Information, it is subject to the following additional requirements:
1. PCI Information must only be stored in approved Merchant Systems;
2. PCI Information must never be transmitted via email or instant messaging systems. This activity is prohibited;
3. PCI Information must never be transmitted unencrypted by any of the other above methods;
4. media containing PCI Information must be sent by secured courier or other delivery method that can be accurately tracked; and
5. management must approve the transfer of PCI Information from a secured area.

Receiving Information from Third Parties

Individuals who are not UBC employees, such as students, sometimes use insecure transmission methods, such as personal email accounts, to transmit their information to UBC. While it is acceptable to receive information in this way, we should encourage these individuals to take measures to minimize the risk of interception by unauthorized parties, such as encrypting files.

Information Security Standard U3