Instituto Superior Técnico

With the increasing number of digital procedures and documents, there is often the need to transmit document files between users and services, quite often by email. Sometimes, these documents include private data of dozens or hundreds of users, or other sensible data, requiring special care on treatment and processing. Some documents included in these categories include class grades with user identification, minutes of evaluation committees, lists of students or faculty including content information, and several others.

While the email system at IST complies with strict safety and security standards, and without any known vulnerabilities, its flexibility depends on the possibility of being assessed from any  terminal system, including private computers and cell phones from IST users. Therefore, any vulnerability in these terminal systems may be exploited to assess private or reserved user data, being well known that email messages are usually one of the first targets of such exploits. Therefore, the transmission by email of non encrypted documents with private user data or sensible data must be avoided in all cases, either between IST users and services or between IST and external users.

Considering the points above, whenever required the transmission of sensible files between IST users and services or between IST and external entities, the following procedures must be taken:

1. The transmission of documents within IST must be performed whenever possible using IST storage and file sharing Fenix drive system. Instructions to access and use this system are available in https://si.tecnico.ulisboa.pt/servicos/sistema-de-partilha-de-ficheiros/.
2. Whenever Fenix Drive is not fitted for the desired purpose, or if the transmission of files must be made to external services or users, the transmitted files must be protected and encrypted by password.
   • a) In word and excel files (.xlsx, .docx) is possible to use the built-in password encryption systems. This option is usually available under  “Save as”  and selecting “Options” (this option may not be available in older document formats). The encryption password must be sent to the destination user by an alternative communication channel (Text Message por other message platform).
   • b) For other data files, or folders with several files, it should be used an archive application (zip or similar) specifying an encryption password. As before, the encryption password must be sent to the destination user by an alternative communication channel (Text Message por other message platform).
3. For increased protection, it is possible to use a password storage system with a safe controlled access system (for example, https://passwords.ul.pt/). This system stores locally one password, which can be transmitted to the destination using an URL  link, which can be accessed only once by the destination user (or the number of times selected by the original user). The link becames inactive after the the number os selected accesses is exhausted.
4. For less critical data, it is possible to use the FCCN  File Sender platform (https://filesender.fccn.pt/).  This service is similar to the popular service “WeTransfer”, but is free for the Portuguese academic community and uses safe servers within the Portuguese Scientific System. The access to the file is only possible by the access link which is only available  to the original user, who must send the link to the destination using any available channel. Of course, the link and data file can obviously also be compromised by a malware system,  but as the link becomes unavailable after a pre-specified date (30 days by omission), the system protects at least access to older documents. We suggest, however, to shorten the link validation period  (3/4 days, but of course the exact validity period depends of course on the number of destination users and the specific process context).
5. Is strictly forbidden to send by email class grades with student identification. For the submission and signatures of grades to the academic administrative services, it must be used the Fenix system (specific instructions on this process are available on https://graduacao.tecnico.ulisboa.pt/submissao-de-pautas/.