MUN Data Security Policy FAQ

MUN policy on protection of personal and other confidential information

The following information applies to all employees and students of Memorial University and is compulsory as of Feb 27, 2008 unless otherwise stated. Answers to questions regarding these guidelines can be directed to the Ocean Sciences Centre Information Technology Division (OSCit) via telephone (864-6739/3120) or via e-mail (oscit@mun.ca)

Origin

Access to Information and Protection of Privacy Act which was signed into law in the Province of Newfoundland and Labrador and applies to all public institutions in NL.

Excerpt from official MUN advisory on Feb 27, 2008

Synopsis:

Given recent data breaches from a number of institutions, including Memorial University, the following mandatory safeguards are being implemented effective immediately.

This directive is being executed by Computing and Communications in consultation with the President's Office and the University's Information Access and Privacy Protection Office.


Mandatory Guidelines:
1. Use of file-sharing programs (e.g. LimeWire, Bearshare) and chat programs (e.g. MSN Messenger, ICQ) are not permitted on any Memorial owned computers.

2. It is not permissible to copy personal/and or confidential information to unencrypted portable storage devices (e.g. unencrypted flash drives, memory sticks, CDs).

3. Memorial will implement new contract language with external contractors/consultants requiring them to adhere to our data security policies and these guidelines. The contract schedule to be added to all contracts is located at http://www.mun.ca/iapp/resources/

4. Employees are not permitted to work with files containing personal or other confidential information on computers not owned by Memorial University except where such use is via Remote Desktop Connection.

5. The preferred means of accessing MUNet from any external computer, is via Remote Desktop Connection. VPN access will be limited and granted only on an exception basis.

6. Memorial University will be developing a policy on data/information security. (Ongoing process).

 

What does this mean for my operations at the OSC?

 

1. Ensure that you have reviewed the guidelines for what constitutes personal/confidential information on the MUN IAPP site. If you have any questions you should contact IAPP or call/e-mail OSCit staff.

2. Ensure that all members of your research laboratory understand the guidelines. You should take some time to inform them/review with them how these rules apply in the context of your research/laboratory operations.

3. Ensure that your students and staff understand that each individual is personally responsible for protection of confidential data within the framework of the best practices guidelines.

 

4. If you suspect that a privacy breach has occured, contact IAPP or OSCit immediately. A helpful checklist on dealing with a data breach can be reviewed using the provincial ATIPP office checklist (PDF).

 

5. Absolutely no P2P/file sharing programs will be allowed on MUN owned computers (this includes devices purchased with grant funds). OSCit is under institutional obligation to first inform you should any devices be found to violate this requirement. If the issue persists, OSCit will be required to report the infraction to the appropriate Computing and Communications division as well as IAPP. As a consequence, your MUNet network access may be interrupted until the device is compliant.

 

In the case of private computers, we require you to shut down any P2P software while attached to the MUNet.


6. While MUN understands that many legitimate uses for instant messaging programs exist, there are inherent security concerns when using these third party programs while discussing confidential information. These programs include but are not limited to: MSN messenger, Skype, Yahoo chat, AIM. Transacted information is usually not encrypted, not limited to your other chat party and due to the nature of the manner in which these programs work, relayed via servers frequently located in foreign countries. Once your data traverses a national boundary, this data is subject to that countries laws (eg. a legal event may suddenly become illegal and you may be charged under another country's laws). Even if you are conversing with another party also located at MUN, the traffic by no means remains at MUN. For that reason, no IM programs will be allowed from this point onward.

 

 

Q. => I use Skype to contact remote research sites and it is currently my only means to collaborate with other research groups and it is thus essential to my research endeavours. Does this still apply to me?

 

A.=> Yes, however, under certain circumstances, an exception might be neccessary. Understand that you are still personally responsible should a data breach occur. We would ask you to limit your use to a single IM program, preferentially Skype, and to refrain from using the file exchange feature, as well as not transmitting any information classified as personal/confidential.

 

OSCit as well as MUN CC are currently evaluating a MUN based IM program which would be a free to use, secure IM equivalent.

 

On privately owned PCs you may continue to use IM programs even if connected to the MUNet.

 

 

7. Saving confidential data: The best method of ensuring confidential data is not compromised is for it to never leave MUN property. Given that the OSC is by definition remotely located from campus this presents a challenge. However, if you save data to any of the suitable locations available to you on the OSCit server(s), you are automatically protected and within the rules set forth by MUN policy. You can access the OSCit server anytime from all locations on campus (even without using the remote access gateway). When located outside the MUN network, you can continue to access the data via the remote access gateway system. If you use this method, you needn't encrypt your files. Should it be required nevertheless, to store and transport confidential data on removable media such as a USB flash drive, ensure that you encrypt the file. All modern office programs such as MS office, allow you to password protect a file.

Note on password use: when passwording numerous files, keeping track of keys can be difficult. You should be aware that if you choose a password which is too simple, it will easily be cracked by automated tools available for download off the internet. However, if you should forget the password, OSCit will not be able to retrieve it and your data remains inaccessible.

In order to streamline this process, OSCit has devised a password policy which should simplify most scenarios. A preset password will be provided to you which applies to all files intended for another MUN/OSC audience. A second password key will be provided for situations where you will be required to send an encrypted file to a collaborator not employed directly by MUN/OSC. In the latter case, you will be required to transmit the key to the recipient in advance. Ensure you do NOT send the key via e-mail. The best method to send the key is via telephone.

8. Computers not owned by MUN must not contain any confidential data saved to the hard drive nor is it permissible to edit/work on MUN confidential data on these devices. The primary reason for this is that even after deleting a file, remnants are cached on the system. Should this system be stolen, the confidential data can still be leaked.

Q.=> Some MUN employees (such as sessional/contract instructors) are not issued a MUN owned device. How are they expected to conduct MUN work?

A.=> According to the new MUN regulations, they are permitted to use a private PC as long as the work is conducted using the remote access gateway feature. In this manner, no data remains resident on the privately owned device.

Note that MUN may alter any of these guidelines in the future depending on risk and requirements.

9. Single e-mail policy. As of September 1, 2008, all MUN employees and students will be required to use their @mun.ca e-mail accounts for official MUN business. This will reduce risk of accidentally sending priviledged information to accounts where the intended user has been faked. This is currently a common practice and presents a severe potential risk for loss of information. It will also reduce the problems currently encountered with spam.

  • Without the single e-mail policy: an e-mail may appear legitimate but is in fact fake
  • important e-mail is not delivered because a user is re-directing their MUN e-mail to a server which has been tagged as a spam server
  • E-mail with sensitive information can unintentionally suffer the same problems as discussed with IM programs (information subject to other states laws)


Email Policy Issues:

a) The OSC frequently has discourse with potential graduate students long before they are issued a MUN account at time of registration (this point is being raised at the CIOS committee level) => For now, continue as usual, but refrain from sending sensitive data or if you need to do so, password protect files and send the key at least in a separate message if telephone contact is not possible.

b) Some contractual employees of third party collaborative organizations are not eligible for MUN accounts, but are working at the OSC within the scope of a MUN project. (this point is being raised at the CIOS committee level). => If this person is using an official e-mail address from recognized institution, which has proper IT governance, you should be able to use their external address. (Not valid would be a home @rogers.com account; valid would be a @aquabounty.com or an official DFO account)

c) I routinely collaborate with othe researchers from other universities and institutions. => Any external address from a reputable university, college, company or institution is acceptable as they will have similar privacy regulations as well as professional IT systems oversight. However always encrypt files if they are sensitive since e-mail is by default not encrypted in transit.

d) CIMS database: all e-mail tags not conformant to the rules set forth, will be deleted from the database and preferentially replaced with appropriate @mun.ca addressing. All users are personally responsible to check their @mun.ca accounts and silent/automatic re-directing will not be available.


10. Physical security:
Ensure that you do not leave your computer easily accessible and unsecured in your office. If you use a laptop, lock your office door before you leave or secure the device at a minimum with an anti-theft compliant tether lock (available at CPC). Never leave yourself logged in unattended. At a minimum, ensure that you lock your session by locking your screen. Not doing so, can leave you vulnerable to someone masquerading as you within your account or worse, stealing data without your ever being aware the data breach occured. The best procedure is to log out if you do not plan to return to your session shortly.


Steps OSCit has put in place to enhance data security procedures:

  1. Additional secure server storage for domain server
  2. Additional mirror (backup) server capacity
  3. Password key management
  4. Remote access gateway (windows RDP and UNIX NX)
  5. Information workshops for all OSC members
  6. OSC computing device security assessment
  7. Data security information web site
  8. System recovery procedures (in case of system software compromise)
  9. Legacy OS/system risk mitigation using virtualization techniques
  10. Off-site server backup location (in progress)
  11. Restore-on-boot software for high risk systems
  12. Point of use secure virtual desktops for high risk mobile systems
  13. Enhanced account generation process (watermarked account request forms/ID requirement).
  14. Further hardening of OSC central information database
  15. Full hard drive encryption services