Re: Secure file transfers

[Matthew Gracie <graciem () CANISIUS EDU>]

Theresa M Rowe wrote:
> We have a big push for using outsourced ASP/data hosting services
> here.  We have a strong policy for contract review, including a
> security review.
>
> We've been insisting on secure file transfer methods for data
> exchanges between the university and the vendor.  We've accepted VPN
> or SFTP as methods for data exchange, especially for those contracts
> where the data exchanges include confidential data (we have a state
> law in Michigan that protects certain data such as social security
> numbers and credit card numbers).  Data exposure (unauthorized
> access) of those data elements can result in a maximum $750,000 fine
> for the university.
>
> We've been getting a push back from some vendors that "standard FTP"
> is secure enough.  We've been saying it isn't good enough.
>
> I am checking in on best practice.  I'd appreciate your thoughts on
> this.

We have a few vendors that we exchange information with via PGP or GPG
encrypted email; the Enigmail extension for Thunderbird, and the tools
at gpg4win.org are very helpful.

--Matt

--
Matt Gracie                         (716) 888-2403
Information Security Administrator  graciem () canisius edu
Canisius College ITS                425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg