
Electronic Data Security

  

Purpose:

To outline the responsibilities of all Users in supporting and upholding the security of sensitive electronic data, regardless of the Users’ affiliation or relation with the University, and irrespective of where the data are accessed, utilized, or stored. This Policy is not exhaustive of all User responsibilities, but is intended to outline specific responsibilities that each User acknowledges and agrees to follow when using sensitive electronic data provided to and/or by the University. This Policy conforms with the University’s Privacy Policy and the Access to Information and Protection of Privacy Act (ATIPPA) of Newfoundland and Labrador.

 

Scope:

All sensitive electronic data in the custody and/or control of the University; and all functional units and users of the data.

 

Definitions:

Computing resource(s) - all devices (including, but not limited to, personal computers, laptops, USB keys, PDAs, and smart phones) which are used to access, process, or store University data. Computing resources may be University- or user-owned; single- or multi-user; individually assigned or shared; stand-alone or networked; stationary or mobile.

Custody and/or control - having direct possession of, or authority over another’s direct possession of, sensitive electronic data.

Electronic data includes all data that belongs to or is used by the University that is processed, stored, transmitted and/or copied to or from computing resources.

Encryption - the conversion of readily comprehended plaintext into encoded ciphertext such that unauthorized Users cannot discern its original meaning.

Functional unit - any division, department, office, program, or other collective entity of the University.

Least privilege - the principle that each functional unit and User be granted the lowest level of access consistent with the performance of authorized duties.

Peer-to-peer (P2P) file sharing - any of a number of programs or protocols used to distribute files anonymously. Examples include Ares, Bearshare, eMule, Kazaa, and Limewire. 

Sensitive electronic data - electronic data that has been designated as private or confidential by law or by the University. Sensitive electronic data includes, but is not limited to, data protected by the Privacy Policy and ATIPPA, including employment, health, academic and financial records, unpublished research data, third-party business data and all internal or business use only data. To the extent there is any uncertainty as to whether any data constitutes sensitive electronic data, the data in question shall be treated as such until a determination is made by the University or proper legal authority.

University funds - funds administered by the University including operating funds, research grant funds and trust funds.

User - a member of the University Community or an individual including, but not limited to, employees (faculty, staff, and student workers), students, agents, consultants, vendors, volunteers, contractors, or sub-contractors of the University.

 

Policy:

All Users have a responsibility to protect sensitive electronic data from unauthorized disclosure, modification, and destruction. All Users and functional units shall adhere to this policy, the related standards and the related procedures in the interest of protecting said data.

Standards for approved security software and configurations shall be set by the Department of Computing and Communications, and periodically revised in response to best practices and emerging technologies. 

Emerging security threats and incidents may require immediate response. When such circumstances arise, the Vice-President (Administration and Finance), Vice-President (Grenfell Campus) or Vice-President (Marine Institute), as appropriate, has the authority to revoke an existing standard and/or introduce a new one.

Provincial legislation and the Privacy Policy define personal information broadly. It is assumed that, except in extraordinary circumstances, all computing resources contain some degree of sensitive electronic data (which includes personal information) requiring protection under this policy.

Access
Sensitive data access shall be limited in accordance with the principle of least privilege. For instance, Users needing access to a subset of data shall not be granted access to all records, nor shall they be provided write access if creating or modifying records is beyond the scope of their authorized duties. Application of the principle of least privilege can greatly limit damage resulting from user error and unauthorized access.

Use and Disclosure
Sensitive electronic data shall not be used nor disclosed except as provided by University policy, legislation, or court order or where access to the data is needed by officers of the University to conduct the business of the University.

Change of User Status
When a User who has been granted access changes responsibilities or leaves employment, his/her access rights shall be re-evaluated by the functional unit(s) involved and any access to data outside of the scope of the new position or status shall be revoked as soon as possible but not later than five working days. 

Operating Systems
All computing resources purchased with University funds shall run a currently supported operating system for which security patches are actively released and applied.

Antivirus
All desktops and laptops purchased with University funds shall run approved anti-virus software.

Encryption
All laptops purchased with University funds and all laptops used to transport or store sensitive electronic data must have approved encryption software installed. Other devices (including, but not limited to, USB keys) that are used to transport or store sensitive electronic data must also employ approved encryption software.

Peer-to-Peer File Sharing
Peer-to-peer file sharing software shall not be installed on or operated from computers containing or accessing sensitive electronic data.

Email and Instant Messaging
Email to recipients external to the sender's campus, and all instant messages, pass through networks and/or servers operated by entities other than the University. As such, both are inherently insecure methods of transmitting sensitive electronic data. Sensitive electronic data transmitted via email to off-campus recipients, or via instant messaging to any recipient, shall therefore be encrypted using approved encryption software.

For internal emailing of sensitive electronic data, users must assess the data for sensitivity and necessity for encryption. If the necessity of encryption is unclear, clarity should be sought from the associated unit head or from the University’s Information Access and Privacy Protection office. When any doubt exists, approved encryption methods shall be used.

When encryption methods are used, decryption passwords must be exchanged separately from the data itself, preferably via a different means (e.g., face-to-face or over the phone).

Smartphones
BlackBerry and other smartphone-like devices must employ approved security configurations and/or software. Encryption, versus PIN or password protection, is required in any instance where the latter does not lead to factory reset of the device after a finite number of failed password attempts.

Backups
Data that is critical to the mission of the University should be backed up to prevent accidental loss. Backup copies of sensitive electronic data shall be protected to the same standards set out in this policy.

Disposal
Sensitive electronic data must be securely deleted from reassigned and/or surplus computing resources in accordance with the principle of least privilege and the Data Removal Policy.

Use of Non-University-owned Equipment
Sensitive electronic data preferably should not be stored on non-University-owned equipment. If such data must be stored on non-University-owned equipment, the user is responsible for ensuring the equipment meets the same security requirements set out in this policy.

Information and Training:
The Department of Computing and Communications shall provide information and training to members of the university community as it pertains to this policy.

Exemptions:
Requests for exemption should be submitted in writing to the head of the campus information technology service. Requests should detail the subsection of the policy for which the exemption is being sought, and proposed compensating controls, if any. Requests for exemption must be endorsed by the director/head of the requestor’s functional unit.

Non-compliance:
Functional units and Users who act in good faith and execute their responsibilities with a reasonable standard of care shall not be subject to disciplinary action in the event of a data security breach. Breaches arising from non-compliance with this policy may result in disciplinary action up to and including dismissal or expulsion.

 

Related Documents:

Appropriate Use of Computing Resources Policy
Data Removal Policy
Records Management Policy
Privacy Policy

 

Procedures

Title: Electronic Data Security
Category: Operations
Approval Date: 2010-03-25
Effective Date: 2013-11-05
Review Date: 2014-03-25
Authority:
Vice-President (Administration and Finance) through the Director of Computing and Communications
Sponsor:
Vice-President (Administration & Finance)
Contact:

Department of Computing and Communications, 709-864-4595

Previous Versions:
Please contact the Policy Office to view any of the following previous policy versions:

  • 2010-03-25