Texas State Technical College will only transfer Confidential or Restricted data to external parties if the owner of the data explicitly approves its transfer. The data owner is the Data Trustee or their designee, who has direct authority over and full responsibility for the data—not the internal users of that data.
This data must be encrypted during transfer and at rest using an encryption strength of Advanced Encryption Standard (AES) 128-bit, at a minimum. The preferred encryption strength is AES 256-bit or better. This can be achieved using encrypted ZIP files. If the data is being transferred via web upload, the in-transit encryption should be Transport Layer Security (TLS) 1.2 (weak ciphers disabled) or TLS 1.3.
Texas State Technical College also has a Secure File Transfer Protocol (SFTP) server that can be used for secure file transfers of information. To gain access to the SFTP server, a ticket must be created and an account on the SFTP server set up for the data transfer.
The encryption key to the encrypted data must be transferred out of band. That is, it cannot be transferred using the same mechanism as the data. For instance, if the data is sent via e-mail, the key must be exchanged via phone or letter.
The external party must acknowledge receipt of the data. E-mail acknowledgements are acceptable.
The data must be verified as secure by an authoritative member of Information Services before the transfer occurs. The Director of Information Security or designees can provide this service. The data must be securely archived so that, in the event of an issue, Texas State Technical College can verify the exact contents of the data shared.