Electronic Data Security
All sensitive electronic data in the custody and/or control of the University; and all functional units and users of the data.
Computing resource(s) - all devices (including, but not limited to, personal computers, laptops, USB keys, PDAs, and smart phones) which are used to access, process, or store University data. Computing resources may be University- or user-owned; single- or multi-user; individually assigned or shared; stand-alone or networked; stationary or mobile.
Custody and/or control - having direct possession of, or authority over anothers direct possession of, sensitive electronic data.
Electronic data includes all data that belongs to or is used by the University that is processed, stored, transmitted and/or copied to or from computing resources.
Encryption - the conversion of readily comprehended plaintext into encoded ciphertext such that unauthorized Users cannot discern its original meaning.
Functional unit - any division, department, office, program, or other collective entity of the University.
Least privilege - the principle that each functional unit and User be granted the lowest level of access consistent with the performance of authorized duties.
Peer-to-peer (P2P) file sharing - any of a number of programs or protocols used to distribute files anonymously. Examples include Ares, Bearshare, eMule, Kazaa, and Limewire.
University funds - funds administered by the University including operating funds, research grant funds and trust funds.
User A member of the University Community or an individual including but not limited to employees (faculty, staff, and student workers), students, agents, consultants, vendors, volunteers, contractors, or sub-contractors of the University.
All Users have a responsibility to protect sensitive electronic data from unauthorized disclosure, modification, and destruction. All Users and functional units shall adhere to this policy, the related standards and the related procedures in the interest of protecting said data.
Standards for approved security software and configurations shall be set by the Department of Computing and Communications, and periodically revised in response to best practices and emerging technologies.
Emerging security threats and incidents may require immediate response. When such circumstances arise, the Vice-President (Administration and Finance), Vice-President (Grenfell Campus) or Vice-President (Marine Institute), as appropriate, has the authority to revoke an existing standard and/or introduce a new one.
Use and Disclosure
Change of User Status
Peer-to-Peer File Sharing
Email and Instant Messaging
For internal emailing of sensitive electronic data, users must assess the data for sensitivity and necessity for encryption. If the necessity of encryption is unclear, clarity should be sought from the associated unit head or from the Universitys Information Access and Privacy Protection office. When any doubt exists, approved encryption methods shall be used.
When encryption methods are used, decryption passwords must be exchanged separate from the data itself, preferably via a different means (e.g., face-to-face or over the phone).
Use of Non-University-owned Equipment
Information and Training: