Approval Date: 2010-03-25
Effective Date: 2013-11-05
Review Date: 2018-03-25
Vice-President (Administration and Finance) through the Director of Information Technology Services
All sensitive electronic data in the custody and/or control of the University; and all functional units and users of the data.
Computing resource(s) - all devices (including, but not limited to, personal computers, laptops, USB keys, PDAs, and smart phones) which are used to access, process, or store University data. Computing resources may be University- or user-owned; single- or multi-user; individually assigned or shared; stand-alone or networked; stationary or mobile.
Custody and/or control - having direct possession of, or authority over another’s direct possession of, sensitive electronic data.
Electronic data includes all data that belongs to or is used by the University that is processed, stored, transmitted and/or copied to or from computing resources.
Encryption - the conversion of readily comprehended plaintext into encoded ciphertext such that unauthorized Users cannot discern its original meaning.
Functional unit - any division, department, office, program, or other collective entity of the University.
Least privilege - the principle that each functional unit and User be granted the lowest level of access consistent with the performance of authorized duties.
Peer-to-peer (P2P) file sharing - any of a number of programs or protocols used to distribute files anonymously. Examples include Ares, Bearshare, eMule, Kazaa, and Limewire.
University funds - funds administered by the University including operating funds, research grant funds and trust funds.
User A member of the University Community or an individual including but not limited to employees (faculty, staff, and student workers), students, agents, consultants, vendors, volunteers, contractors, or sub-contractors of the University.
All Users have a responsibility to protect sensitive electronic data from unauthorized disclosure, modification, and destruction. All Users and functional units shall adhere to this policy, the related standards and the related procedures in the interest of protecting said data.
Standards for approved security software and configurations shall be set by the Information Technology Services, and periodically revised in response to best practices and emerging technologies.
Emerging security threats and incidents may require immediate response. When such circumstances arise, the Vice-President (Administration and Finance), Vice-President (Grenfell Campus) or Vice-President (Marine Institute), as appropriate, has the authority to revoke an existing standard and/or introduce a new one.
Sensitive data access shall be limited in accordance with the principle of least privilege. Users needing access to a subset of data shall not be granted access to all records for instance, nor shall they be provided write access if creating or modifying records is beyond the scope of their authorized duties. Application of the principle of least privilege can greatly limit damage resulting from user error and unauthorized access.
Use and Disclosure
Sensitive electronic data shall not be used nor disclosed except as provided by University policy, legislation, or court order or where access to the data is needed by officers of the University to conduct the business of the University.
Change of User Status
When a User who has been granted access changes responsibilities or leaves employment, his/her access rights shall be re-evaluated by the functional unit(s) involved and any access to data outside of the scope of the new position or status shall be revoked as soon as possible but not later than five working days.
All computing resources purchased with University funds shall run a currently supported operating system for which security patches are actively released and applied.
All desktops and laptops purchased with University funds shall run approved anti-virus software.
All laptops purchased with University funds and all laptops used to transport or store sensitive electronic data must have approved encryption software installed. Other devices (including, but not limited to, USB keys) that are used to transport or store sensitive electronic data must also employ approved encryption software.
Peer-to-Peer File Sharing
Peer-to-peer file sharing software shall not be installed on or operated from computers containing or accessing sensitive electronic data.
Email and Instant Messaging
Email to recipients external to the sender's campus, and all instant messages, pass through networks and/or servers operated by entities other than the University. As such, both are inherently insecure methods of transmitting sensitive electronic data. Sensitive electronic data transmitted via email to off-campus recipients, or via instant messaging to any recipient, shall therefore be encrypted using approved encryption software.
For internal emailing of sensitive electronic data, users must assess the data for sensitivity and necessity for encryption. If the necessity of encryption is unclear, clarity should be sought from the associated unit head or from the University’s Information Access and Privacy Protection office. When any doubt exists, approved encryption methods shall be used.
When encryption methods are used, decryption passwords must be exchanged separate from the data itself, preferably via a different means (e.g., face-to-face or over the phone).
Blackberry and other smartphone-like devices must employ approved security configurations and/or software. Encryption, versus PIN or password protection, is required in any instance where the latter does not lead to factory reset of the device after a finite number of failed password attempts.
Data that is critical to the mission of the University should be backed up to prevent accidental loss. Backup copies of sensitive electronic data shall be protected to the same standards set out in this policy.
Sensitive electronic data must be securely deleted from reassigned and/or surplus computing resources in accordance with the principle of least privilege and the Data Removal Policy.
Use of Non-University-owned Equipment
Sensitive electronic data preferably should not be stored on non-University-owned equipment. If such data must be stored on non-University-owned equipment, the user is responsible for ensuring the equipment meets the same security requirements set out in this policy.
Information and Training:
Information Technology Services shall provide information and training to members of the university community as it pertains to this policy.
Requests for exemption should be submitted in writing to the head of the campus information technology service. Requests should detail which subsection of the policy for which the exemption is being sought, and proposed compensating controls if any. Requests for exemption must be endorsed by the director/head of the requestor’s functional unit.
Functional units and Users who act in good faith and execute their responsibilities with a reasonable standard of care shall not be subject to disciplinary action in the event of a data security breach. Breaches arising from non-compliance with this policy may result in disciplinary action up to and including dismissal or expulsion.