Should I send confidential information via email?
Unencrypted email is not a secure method for transmitting sensitive information over the Internet. However, you can take steps to make email more secure than it normally is. When deciding on the level of security necessary for sending data, choose a method of protection commensurate with the sensitivity of the data being transmitted and the level of security at the source and destination systems.
If you are affiliated with Indiana University and are unsure if email is appropriate for a particular situation, consult with the university Data Steward in charge of the data involved, as well as with the University Information Policy Office (UIPO). For information on the Committee of Data Stewards, see the UIPO's Data Management web site.
Different levels of data sensitivity
Do not send highly sensitive data, as indicated by legal or ethical requirements (which you as the sender are obligated to be aware of), via email unless it is adequately encrypted. For more information about IU's policies concerning sensitive data, see UIPO's information usage policies page.
The standard password protection built into document-editing software can usually be circumvented easily; depending on the software being used, it relies on either weak encryption or no encryption at all. However, this may be an option for attachments to email where the data is minimally sensitive.
Other encryption products are more flexible and provide more security, but require you and the recipient to share a secret key (which is not generally recommended) or require that you each have your own individual public and private key set (the recommended method). An example of encryption software that uses the two-key method is Pretty Good Privacy (PGP).
Security of on-campus and off-campus destinations
If the mail is being sent from one IU email account on a central campus email server to another IU email account on the same campus, the message never leaves the campus data center and so never traverses the campus, university, or Internet networks. Such mailings can be considered reasonably secure, as the computers and the campus data centers in which they are located get dedicated security attention. However, you cannot usually know if the recipient forwards mail from the central campus email servers to a department computer or even an email service outside of the university (a practice which is becoming more common, especially among students).
While servers outside the university may be well-managed and reasonably secure, you can't know for sure; to be safe, assume that they are not secure. Another point to consider, related to exposure of the data on the network, is that if the message travels between IU campuses, the risk of exposure increases, though not dramatically. However, if the message leaves an IU campus for an external destination, you should consider this a high-risk situation.
For more, see UISO's Email Security page: http://protect.iu.edu/cybersecurity/Email_Security
Last modified on June 24, 2011.







