Transfer of Sensitive Information

How to transfer sensitive information

Per the VCCS IT Security Standard 13.2 Information Transfer, Requirement: §13.2.3 - Electronic Messaging

“Emails containing information classified as Sensitive or Confidential shall not be sent over any email system, unless encrypted.”

If you need to transfer sensitive information electronically, please either encrypt the message using Microsoft 365, or use the Secure File Transfer System the VCCS has provided.

Encrypt with Microsoft 365 Message Encryption

Microsoft has provided a guide on how to encrypt email messages in Microsoft 365

Encrypt Email Messages

WorkSpace Secure File Transfer System

Alternatively, the VCCS has provided a file sharing space (“Workspace") for transferring files securely.

Workspace User Guide

The application itself can be accessed via your VCCS “My Applications” portal (click or tap on the Workspace icon, depicted here), or directly via https://workspace.vccs.edu/.

What is considered sensitive information?

This information is taken from the VCCS IT Security Guideline 8.2.1 Classification Guidelines.

“Any data of which the compromise with respect to confidentiality, integrity, and/or availability could have a material adverse effect on COV interests, the conduct of agency programs, or the privacy to which individuals are entitled. Data sensitivity is directly proportional to the materiality of a compromise of the data with respect to these criteria. Agencies must classify each IT system by sensitivity according to the most sensitive data that the IT system stores, processes, or transmits.”

The following is classified as Sensitive Information:

Student education records as governed by the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99).
Personally Identifiable Information (anything that could be used to identify an individual) as governed by the Government Data Collection & Dissemination Practices Act (Code of Virginia Title 2.2 Chap. 38). Note: Limited PII disclosure is allowed through exceptions provided under FERPA regulations.
Third Party Confidential information (both sent and received).
Federal Tax Information entrusted to the college by the Internal Revenue Services or other tax return or financial data (FAFSA) furnished to the college by a student or parent.
Financial Information as protected by the Payment Card Industry Data Security Standard (PCI DSS) or account information with a financial institution of any person or agency of the Virginia Community College System.
Contract Information declared to be proprietary or while under negotiation prior to award as governed by the Virginia Public Procurement Act.
The Chancellor’s or president’s working papers or correspondence used for his/her own deliberative purposes and not otherwise open to the public.
Public Safety Records as defined and governed by § 2.2-3705.2 of the Virginia Freedom of Information Act.
Administrative Investigation Records as defined and governed by § 2.2-3705.3 of the Virginia Freedom of Information Act.
Educational Records as defined and governed by § 2.2-3705.4 of the Virginia Freedom of Information Act.
Law-enforcement and criminal records as defined and governed by § 2.2-3706 of the Virginia Freedom of Information Act.
All data covered by Attorney Client privilege.

Data must be classified as Sensitive Information when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to VCCS or the colleges. The highest level of security controls must be applied to Sensitive Information. Sensitive Information is not necessarily confidential data but can be data whose integrity or availability require that it be protected from unauthorized alteration or loss.