Question

Why should attachments be password protected when sending information that has a classification rating of moderate confidentiality by encrypted email to an external stakeholder or email to State agencies within the ITS domain?

For example, sending a utility service provider an email with a customer complaint and the customer’s utility account, or transacting NY Green Bank deals.

Answer

  • Information may be intercepted in motion when sending an email to an external stakeholder.
  • Attachments containing Confidential-Internal, Confidential-Private or Confidential-Restricted data must be converted to a password-protected Adobe PDF, MS Word, or Excel .xlsx file before sending an encrypted email to an external stakeholder or emailing a State entity within the ITS domain.
    • For encrypted email, the content of the email is the only information that is encrypted. The password protected file ensures the information stays secure. Reference instructions on sending an encrypted email. The receiver of the email must have a Microsoft Account or be given a one-time password to access the information.
  • Instructions to Password Protect Documents
  • To password protect an Adobe Acrobat Pro PDF file, save the file as a PDF. Open the PDF. Click on “Tools” (right side). Click on “Protection”. Select “Encrypt”. Select “Encrypt with Password”. Click “Yes” to change security of the document. Click “Require Password to Open Document”. Enter a secure password per the guidelines (last bullet).
  • To password protect an Excel file (.xlsx only), select “Review”. Select “Protect Sheet”. Enter a secure password per the guidelines below. Excel password protected files must be saved as .xlsx only to meet New York State encryption requirements. Please be sure to select .xlsx when saving the file. Files in the .xls format must be recreated and saved as a new .xlsx file. The .xls format does not meet NYS security requirements and may be hacked. Enter a secure password per the guidelines (last bullet).
  • To password protect an MS Word file, select “File”. Select “Info”. Select “Protect Document”; then select the “Encrypt with Password” option. Enter a secure password per the guidelines (last bullet).
  • Secure Password Guidelines
    • The password should be provided over the phone or in a separate email. With so many email accounts compromised at other entities, it is recommended to transmit the password over the phone if possible.
    • The password must be changed every 90 days and contain 8 characters of upper/lower case letters, numbers, and special characters.
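
An added example, not part of the original guidance: a Python check that an attachment is encrypted at the file level (a password is required to open it) before it is emailed. It relies on file-format facts rather than anything stated above: an encrypted Office file is an OLE container holding an `EncryptedPackage` stream, an unencrypted one is a ZIP archive, and an encrypted PDF carries an `/Encrypt` entry. The function name, the `.docx` extension and the sample bytes are assumptions constructed for illustration.

```python
from pathlib import Path

# File signatures (format facts, not taken from the guidance above).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE container: legacy Office or encrypted OOXML
ZIP_MAGIC = b"PK\x03\x04"                      # unencrypted .xlsx/.docx is a ZIP archive
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream present only when encrypted

def check_attachment(name, data):
    """Return (ok, reason); ok is True only if a password is needed to open the file."""
    ext = Path(name).suffix.lower()
    if ext == ".xls":
        return False, "legacy .xls: recreate and save as .xlsx"
    if ext == ".pdf":
        if not data.startswith(b"%PDF-"):
            return False, "extension is .pdf but content is not a PDF"
        # Heuristic: an encrypted PDF references an /Encrypt dictionary in its trailer.
        if b"/Encrypt" in data:
            return True, "PDF is encrypted"
        return False, "PDF opens without a password"
    if ext in (".xlsx", ".docx"):  # .docx is an assumed extension for "MS Word"
        if data.startswith(ZIP_MAGIC):
            return False, "plain ZIP container: file opens without a password"
        if data.startswith(OLE_MAGIC) and ENC_STREAM in data:
            return True, "encrypted Office container"
        return False, "unrecognised container"
    return False, "file type is not PDF, Word or .xlsx"

# Constructed sample bytes (headers only, not real documents).
SAMPLES = {
    "complaint.xlsx": ZIP_MAGIC + b"[Content_Types].xml",
    "complaint-protected.xlsx": OLE_MAGIC + b"\x00" * 504 + ENC_STREAM,
    "deal.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF",
    "deal-draft.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF",
    "accounts.xls": OLE_MAGIC + b"\x00" * 504 + "Workbook".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, reason = check_attachment(name, data)
        print(f"{'SEND ' if ok else 'BLOCK'} {name}: {reason}")
```

To check a real file, pass `Path(p).read_bytes()` as `data`; a BLOCK result means the file should be re-saved with a password to open before it is attached.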