This downloaded copy is unofficial. Check www.mun.ca/policy for the official version.

Memorial University of Newfoundland

Electronic Data Security

Approval Date: 2010-03-25

Effective Date: 2018-03-06

Review Date: 2022-03-25

Authority:

Vice-President (Administration and Finance) through the Director of Information Technology Services

Purpose

To outline the responsibilities of all Authorized Users in supporting and upholding the security of Sensitive Electronic Data, regardless of the Authorized User's affiliation or relation with the University, and irrespective of where the data are accessed, used, or stored. This Policy is not exhaustive of all Authorized User responsibilities, but outlines specific responsibilities that each Authorized User acknowledges and agrees to follow when using Sensitive Electronic Data provided to and/or by the University. This Policy conforms to the University's Privacy Policy and the Access to Information and Protection of Privacy Act (ATIPPA) of Newfoundland and Labrador.

Scope

All Sensitive Electronic Data in the custody and/or control of the University; and all Units and Authorized Users of the data.

Definitions

Authorized User — An individual permitted by a responsible Unit or University employee to make use of University Computing Resources. Authorized Users include faculty, staff, students, contractors, sub-contractors, consultants, retirees, alumni, and Guests who have an association with the University that grants them access to University Computing Resources.

Computing Resource(s) — All devices (including, but not limited to, personal computers, laptops, USB keys, PDAs, and Smart phones) which are used to access, process, or store University data. Computing resources are those used for University business and may be: single- or multi-user; individually assigned or shared; stand-alone or networked; stationary or mobile.

Custody and/or Control — Having direct possession of, or authority over another's direct possession of, Sensitive Electronic Data.

Electronic Data — Includes all data that belongs to or is used by the University that is processed, stored, transmitted and/or copied to or from computing resources.

Encryption — The conversion of readily comprehended plaintext into encoded ciphertext such that unauthorized users cannot discern its original meaning.

Least Privilege — The principle that each Unit and Authorized User be granted the lowest level of access consistent with the performance of authorized duties.

Peer-to-peer (P2P) file sharing — Any of a number of programs or protocols used to distribute files directly between users' computers rather than from a central server. Examples include Ares, Bearshare, eMule, Kazaa, and Limewire.

Sensitive Electronic Data — Electronic data that has been designated as private or confidential by law or by the University. Sensitive Electronic Data includes, but is not limited to, data protected by the Privacy policy and the Access to Information and Protection of Privacy Act, 2015, SNL 2015, CA-1.2 (ATIPPA), including employment, health, academic and financial records, unpublished research data, third-party business data and all internal or business use only data. To the extent there is any uncertainty as to whether any data constitutes Sensitive Electronic Data, the data in question shall be treated as such until a determination is made by the University or proper legal authority.

Unit — Academic or administrative unit, as defined in the University Calendar, or any board or other body appointed or elected to carry out University business.

University Funds — Funds administered by the University including operating funds, research grant funds and trust funds.

Policy

All Authorized Users have a responsibility to protect Sensitive Electronic Data from unauthorized disclosure, modification, and destruction. All Authorized Users and Units shall adhere to this policy, the related standards and the related procedures in the interest of protecting said data.

Standards for approved security software and configurations shall be set by Information Technology Services and periodically revised in response to best practices and emerging technologies.

Emerging security threats and incidents may require immediate response. When such circumstances arise, the Vice-President (Administration and Finance), Vice-President (Grenfell Campus) or Vice-President (Marine Institute), as appropriate, has the authority to revoke an existing standard and/or introduce a new one.

Provincial legislation and the Privacy policy define personal information broadly. It is assumed that, except in extraordinary circumstances, all computing resources contain some degree of Sensitive Electronic Data (which includes personal information) requiring protection under this policy.

Access
Access to Sensitive Electronic Data shall be limited in accordance with the principle of least privilege. For instance, Authorized Users who need access to a subset of the data shall not be granted access to all records, nor shall they be granted write access if creating or modifying records is beyond the scope of their authorized duties. Applying the principle of least privilege greatly limits the damage that can result from user error or unauthorized access.

Use and Disclosure 
Sensitive Electronic Data shall not be used or disclosed except as provided by University policy, legislation, or court order, or where access to the data is needed by officers of the University to conduct University business.

Change of Authorized User Status
When an Authorized User who has been granted access changes responsibilities or leaves employment, their access rights shall be re-evaluated by the Unit(s) involved and any access to data outside of the scope of the new position or status shall be revoked as soon as possible but not later than five working days. 
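The two requirements above (scoped, operation-specific access, and revocation of out-of-scope access when a user's status changes) are easiest to see in code. The following Python is an added illustration, not part of the University policy or of any ITS system; the record store, the Units named in it, and the user roles are constructed sample data, and the working-day calculation ignores statutory holidays.

```python
"""Least-privilege record access: scoped, operation-specific grants.

Added illustration, not part of the University policy. Record store, Units
and user roles below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample records: each carries the Unit that owns it and its type.
RECORDS = {
    "r1": {"unit": "Registrar", "type": "academic"},
    "r2": {"unit": "Registrar", "type": "academic"},
    "r3": {"unit": "HR", "type": "employment"},
    "r4": {"unit": "Finance", "type": "financial"},
}


@dataclass(frozen=True)
class Grant:
    """Access to one kind of record in one Unit, for a fixed set of operations."""
    unit: str
    record_type: str
    ops: frozenset  # e.g. frozenset({"read"}) or frozenset({"read", "write"})


@dataclass
class User:
    name: str
    grants: list = field(default_factory=list)


def authorize(user, op, record_id):
    """Deny by default: allow only if some grant covers the record's Unit,
    its type, and the requested operation. Read access never implies write."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return False
    return any(
        g.unit == rec["unit"] and g.record_type == rec["type"] and op in g.ops
        for g in user.grants
    )


def visible_records(user):
    """The subset of records the user may read; everything else stays hidden."""
    return sorted(r for r in RECORDS if authorize(user, "read", r))


def add_working_days(start, n):
    """Calendar date n working days (Mon-Fri) after start; holidays ignored."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def change_status(user, new_grants, changed_on):
    """Re-evaluate access on a change of responsibilities: every grant that is
    not part of the new role is revoked. Returns the revoked grants and the
    latest date by which the policy requires revocation (five working days)."""
    new_grants = list(new_grants)
    revoked = [g for g in user.grants if g not in new_grants]
    user.grants = new_grants
    return revoked, add_working_days(changed_on, 5)


if __name__ == "__main__":
    clerk = User("clerk", [Grant("Registrar", "academic", frozenset({"read"}))])
    print(visible_records(clerk), authorize(clerk, "write", "r1"))
    revoked, deadline = change_status(
        clerk, [Grant("HR", "employment", frozenset({"read", "write"}))], date(2024, 1, 3)
    )
    print(revoked, deadline)
```

The point of the model is that a grant names a scope (Unit and record type) and a set of operations, so "read a subset" cannot quietly become "read everything" or "write"; and that a status change replaces the grant set rather than adding to it, which is what prevents privilege accumulation over a career.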

Operating Systems 
All computing resources purchased with University funds shall run a currently supported operating system for which security patches are actively released and applied.

Antivirus 
All desktops and laptops purchased with University funds shall run approved anti-virus software.

Encryption 
All laptops purchased with University funds and all laptops used to transport or store Sensitive Electronic Data must have approved encryption software installed. Other devices (including, but not limited to, USB keys) that are used to transport or store Sensitive Electronic Data must also employ approved encryption software.

Peer-to-Peer File Sharing
Peer-to-peer file sharing software shall not be installed on or operated from computers containing or accessing Sensitive Electronic Data.

Email and Instant Messaging 
Email to recipients external to the sender's campus, and all instant messages, pass through networks and/or servers operated by entities other than the University. As such, both are inherently insecure methods of transmitting Sensitive Electronic Data. Sensitive Electronic Data transmitted via email to off-campus recipients, or via instant messaging to any recipient, shall therefore be encrypted using approved encryption software.

For internal emailing of Sensitive Electronic Data, Authorized Users must assess the data for sensitivity and necessity for encryption. If the necessity of encryption is unclear, clarity should be sought from the associated unit head or from the University’s Information Access and Privacy Protection office. When any doubt exists, approved encryption methods shall be used.

When encryption is used, the decryption password must be exchanged separately from the data itself, preferably over a different channel (e.g., face-to-face or by phone); a password sent in the same message as the encrypted attachment gives anyone who intercepts that message both.

Smartphones 
BlackBerry and other smartphone-like devices must employ approved security configurations and/or software. PIN or password protection alone is acceptable only where the device wipes itself (factory reset) after a finite number of failed unlock attempts; otherwise the device must be encrypted.

Backups 
Data that is critical to the mission of the University should be backed up to prevent accidental loss. Backup copies of Sensitive Electronic Data shall be protected to the same standards set out in this policy.

Disposal 
Sensitive Electronic Data must be securely deleted from reassigned and/or surplus computing resources in accordance with the principle of least privilege and the Data Removal Policy.

Use of Non-University-owned Equipment 
Sensitive Electronic Data should preferably not be stored on non-University-owned equipment. If such data must be stored on non-University-owned equipment, the Authorized User is responsible for ensuring that the equipment meets the security requirements set out in this policy.

Information and Training: 
Information Technology Services shall provide information and training to members of the university community as it pertains to this policy.

Exemptions: 
Requests for exemption should be submitted in writing to the head of the campus information technology service. Requests should identify the subsection of the policy for which the exemption is sought and describe any proposed compensating controls. Requests for exemption must be endorsed by the director/head of the requestor's Unit.

Non-compliance: 
Units and Authorized Users who act in good faith and execute their responsibilities with a reasonable standard of care shall not be subject to disciplinary action in the event of a data security breach. Breaches arising from non-compliance with this policy may result in disciplinary action up to and including dismissal or expulsion.

Related Documents

Appropriate Use of Computing Resources policy
Data Removal policy
Enterprise Risk Management policy
Information Management policy
Privacy policy
Electronic Data Security Standards

Procedures

For inquiries related to this policy:

Information Technology Services, 709-864-4595

Sponsor: Vice-President (Administration & Finance)

Category: Operations

Previous Versions:

There is at least one previous version of this policy. Contact the Policy Office to view earlier version(s).

Approval Date 2010-03-25   Effective Date 2013-11-05
Approval Date 2010-03-25   Effective Date 2010-03-25

Procedure for Laptop Disk Encryption

Approval Date: 2014-12-01

Responsible Unit: Information Technology Services

St. John's Campus:
Clients purchasing a new Windows laptop through the Computer Purchasing Center should requisition McAfee Endpoint Encryption as part of their purchase, and complete a McAfee Endpoint Encryption Account Access form. Laptops purchased with University funds will automatically have McAfee Endpoint Encryption added to the requisition. The encryption software will then be installed by PC Support staff before the laptop is made available to the client.

Clients wishing to retrofit an existing Windows laptop should complete a McAfee Endpoint Encryption Account Access form then contact the ITS Service Desk to set up an appointment to have the software installed. 

Further details can be found on the Full Disk Encryption website. 

Grenfell Campus: 
Clients should complete a McAfee Endpoint Encryption Account Access form then contact the Grenfell Campus C&C Help Desk to set up an appointment to have the software installed. 

Marine Institute: 
Clients should complete a McAfee Endpoint Encryption Account Access form then contact the Marine Institute Department of Information and Communications Technologies Help Desk.

Procedure for Managing a Privacy Breach

Approval Date: 2010-03-25

Responsible Unit: Information Access and Privacy Office

A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information.  Such activity is "unauthorized" if it occurs in contravention of Part IV of ATIPPA or, if applicable, a relevant provision of PIPEDA.  An example of a privacy breach would be personal information becoming lost or stolen or personal information being mistakenly emailed to the wrong person.

The recommended privacy breach incident protocol has five steps.  Step 1 is the responsibility of the individual or individuals who first become aware of the potential breach.  The second through fifth steps are the responsibility of the University Privacy Officer, working in cooperation with other University officials and staff, as necessary.

Step 1: Reporting the Breach

Any employee who becomes aware of a possible breach of privacy involving personal information in the custody or control of the University will immediately inform his or her immediate supervisor, the unit privacy officer and the University Privacy Officer.  The supervisor will inform the responsible unit head and will verify the circumstances of the possible breach.  As soon as the breach has been confirmed to have or have not occurred, the supervisor will inform both the responsible unit head and the University Privacy Officer.  This confirmation will occur within 24 hours of the initial report.

The unit head in consultation with the University Privacy Officer will decide whether or not to notify the respective Vice-President or the President as appropriate, by taking into consideration the seriousness and scope of the breach.

When a breach has been confirmed, the University Privacy Officer will implement the remaining four steps of the breach incident protocol.

Step 2: Containing the Breach

The University Privacy Officer will take the following steps to limit the scope and effect of the breach:

1)  Work with units to immediately contain the breach by, for example, stopping the unauthorized practice, recovering the records, shutting down the system that was breached, or correcting weaknesses in security, and

2)  In consultation with University officials, notify the police if the breach involves, or may involve, any criminal activity.

Step 3: Evaluating the Risks Associated with the Breach

To determine what other steps are immediately necessary, the University Privacy Officer, working with other University staff as necessary, will assess the risks associated with the breach.  The following factors will be among those considered in assessing the risks:

1)  Personal Information Involved

a)  What data elements have been breached? Generally, the more sensitive the data, the higher the risk.  Health information, social insurance numbers and financial information that could be used for identity theft are examples of sensitive personal information.

b)  What possible use is there for the personal information?  Can the information be used for fraudulent or otherwise harmful purposes?

2)  Cause and Extent of the Breach

a)  What is the cause of the breach?

b)  Is there a risk of ongoing or further exposure of the information?

c)  What was the extent of the unauthorized collection, use or disclosure, including the number of likely recipients and the risk of further access, use or disclosure, including in mass media or online?

d)  Is the information encrypted or otherwise not readily accessible?

e)  What steps have already been taken to minimize the harm?

3)  Individuals Affected by the Breach

a)  How many individuals are affected by the breach?

b)  Who was affected by the breach: employees, students, alumni, retirees, public, contractors, clients, service providers, other individuals/organizations?

4)  Foreseeable Harm from the Breach

a)  Is there any relationship between the unauthorized recipients and the data subject?

b)  What harm to the individuals will result from the breach?  Harm that may occur includes:

i)  Security risk (e.g., physical safety)

ii)  Identity theft or fraud

iii)  Loss of business or employment opportunities

iv)  Hurt, humiliation, damage to reputation or relationships

c)  What harm could result to the University as a result of the breach? For example:

i)  Loss of trust in the University

ii)  Loss of assets

iii)  Financial exposure

d)  What harm could result to the public as a result of the breach? For example:

i)  Risk to public health

ii)  Risk to public safety

Step 4: Notification

Notification can be an important mitigation strategy in the right circumstances.  The key consideration overall in deciding whether to notify will be whether notification is necessary in order to avoid or mitigate harm to an individual whose personal information has been inappropriately collected, used or disclosed.  The University Privacy Officer will work with the units involved and the appropriate University officials to decide the best approach for notification.

1)  Notifying Affected Individuals

Some considerations in determining whether to notify individuals affected by the breach include:

a)  Contractual obligations require notification.

b)  There is a risk of identity theft or fraud (usually because of the type of information lost, such as SIN, banking information, identification numbers).

c)  There is a risk of physical harm (if the loss puts an individual at risk of stalking or harassment).

d)  There is a risk of hurt, humiliation or damage to reputation (for example when the information lost includes medical or disciplinary records).

2)  When and How to Notify

a)  When: Notification of individuals affected by the breach will occur as soon as possible following the breach.  However, if law enforcement authorities have been contacted, those authorities will assist in determining whether notification will be delayed in order not to impede a criminal investigation.

b)  How: The preferred method of notification is direct - by phone, letter or in person - to affected individuals.  Indirect notification - website information, posted notices, media - will generally occur only where direct notification could cause further harm, is prohibitive in cost or contact information is lacking.  Using multiple methods of notification in certain cases may be the most effective approach.

3)  What will be Included in the Notification?

Notifications will include the following pieces of information:

a)  Date of the breach

b)  Description of the breach

c)  Description of the information inappropriately accessed, collected, used or disclosed.

d)  The steps taken to mitigate the harm.

e)  Next steps planned and any long term plans to prevent future breaches.

f)  Steps the individual can take to further mitigate the risk of harm.

g)  Contact information for the University Privacy Officer.

4)  Others to Contact

Regardless of what obligations are identified with respect to notifying individuals, notifying the following authorities or organizations will also be considered:

a)  Police: if theft or other crime is suspected.

b)  Insurers or others: if required by contractual obligations.

c)  Professional or other regulatory bodies: if professional or regulatory standards require notification of these bodies.

d)  Applicable research ethics authority

e)  Office of the Information and Privacy Commissioner: The following factors are relevant in deciding when to report a breach to the OIPC:

i)  the sensitivity of the personal information;

ii)  whether the disclosed information could be used to commit identity theft;

iii)  whether there is a reasonable chance of harm from the disclosure including non pecuniary losses;

iv)  the number of people affected by the breach; and

v)  whether the information was fully recovered without further disclosure.

Step 5: Prevention

Once the immediate steps are taken to mitigate the risks associated with the breach, the University Privacy Office will investigate the cause of the breach.  If necessary, this will include a security audit of physical, organizational and technological measures.  As a result of this evaluation, the University Privacy Officer will assist the responsible unit(s) to put into effect adequate long term safeguards against further breach.  Policies will be reviewed and updated to reflect the lessons learned from the investigation and regularly after that.  The resulting plan will also include audit recommendations, if appropriate.


Procedure for Reporting Suspected Security Incidents

Approval Date: 2010-03-25

Responsible Unit: Information Technology Services

A security incident is any event in which sensitive electronic data may be disclosed, altered, or destroyed by an unauthorized individual. Theft or loss of a computer or storage device, interception of login credentials by a keystroke logger, or the presence of an intruder ('hacker') on a computer system are all examples of security incidents.

Any employee who becomes aware of a possible security incident involving sensitive electronic data will immediately inform his or her immediate supervisor and the campus specific IT Service Desk. The service desk will immediately notify the Senior IT Director/Manager at the appropriate campus, or their IT Security Officer. The supervisor will inform the responsible unit head and will verify the circumstances of the possible incident. As soon as the incident has been confirmed to have or have not occurred, the supervisor will inform both the responsible unit head and the University Privacy Officer if a breach of personal information is suspected. This confirmation will occur within 24 hours of the initial report.

IT Service Desk contact information:
St. John's Campus 864-4595
Marine Institute 778-0628 
Grenfell Campus 639-2049

If the system in question is powered on and running, do not shut it down; doing so destroys whatever evidence resides in volatile memory (e.g., the running processes and active network connections). Instead, unplug the system's network cable, or switch off the wireless adaptor if the system is wirelessly networked. Doing so limits the incident without destroying that evidence.

Suspected security incidents can be stressful, and stress can lead to panic and confusion. After isolating the affected system and informing the IT Service Desk, take a moment to document whatever details led you to believe an incident has occurred (e.g., missing files, suspicious new files, strange programs running, where the device was last seen). Doing so may aid the resulting investigation.
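The two instructions above, keep the machine running and write down what you saw, are complementary: the processes and connections that justify the report live only in volatile memory. The following Python script is an added example, not part of the University procedure or of any ITS tooling. It records the running processes and IPv4 TCP connections from Linux /proc into a timestamped file, with a SHA-256 of that file beside it, without modifying the system; on a non-Linux host it writes an empty list for both. Disconnecting the network (e.g. `ip link set dev eth0 down`) is deliberately left to the responder, who knows which interface is in use. The output directory, file names and the /proc/net/tcp line used in the comment are assumptions of the example.

```python
"""Snapshot of volatile state for a suspected security incident.

Added example, not part of the University procedure. It records, without
modifying the system, what is running and connected right now, so the details
survive even if the machine is later powered off. It reads Linux /proc; on
other platforms the process and connection lists come back empty.
"""
import hashlib
import json
import os
import socket
import struct
import tempfile
import time
from pathlib import Path

# /proc/net/tcp state codes (numbering from the kernel's tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def hex_to_addr(hexaddr):
    """'0100007F:0016' -> '127.0.0.1:22'. /proc/net/tcp writes the IPv4 address
    in host byte order, so it is unpacked with native ('=') byte order."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp_line(line):
    """One non-header line of /proc/net/tcp -> dict. Whitespace-split fields:
    0 sl, 1 local_address, 2 rem_address, 3 st, 4 tx:rx, 5 tr:when,
    6 retrnsmt, 7 uid, 8 timeout, 9 inode, ... (e.g. a constructed line
    '   0: 0100007F:0016 00000000:0000 0A ... 0 0 12345 ...' is sshd listening)."""
    f = line.split()
    return {
        "local": hex_to_addr(f[1]),
        "remote": hex_to_addr(f[2]),
        "state": TCP_STATES.get(f[3], f[3]),
        "uid": int(f[7]),
        "inode": int(f[9]),
    }


def list_connections():
    """IPv4 TCP sockets only; /proc/net/tcp6 uses 32-hex-digit addresses."""
    path = Path("/proc/net/tcp")
    if not path.is_file():
        return []
    lines = path.read_text().splitlines()[1:]  # drop the header row
    return [parse_proc_net_tcp_line(l) for l in lines if l.strip()]


def list_processes():
    """Every PID visible in /proc with its name, command line and executable path.
    An exe ending in ' (deleted)' means the binary was removed after it started."""
    procs = []
    proc = Path("/proc")
    if not proc.is_dir():
        return procs
    for p in proc.iterdir():
        if not p.name.isdigit():
            continue
        try:
            comm = (p / "comm").read_text().strip()
            raw = (p / "cmdline").read_bytes()
            cmdline = raw.replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            continue  # process exited meanwhile, or no permission
        try:
            exe = os.readlink(p / "exe")
        except OSError:
            exe = None  # kernel thread, or not our process and not root
        procs.append({"pid": int(p.name), "comm": comm, "cmdline": cmdline, "exe": exe})
    return sorted(procs, key=lambda x: x["pid"])


def snapshot(outdir):
    """Write a timestamped JSON snapshot plus its SHA-256 (so the evidence file
    can later be shown to be unaltered). Returns the snapshot path."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    data = {
        "taken_at": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
        "hostname": socket.gethostname(),
        "processes": list_processes(),
        "connections": list_connections(),
    }
    out = outdir / f"volatile-{time.strftime('%Y%m%d-%H%M%S')}.json"
    out.write_text(json.dumps(data, indent=1))
    digest = hashlib.sha256(out.read_bytes()).hexdigest()
    Path(str(out) + ".sha256").write_text(digest + "\n")
    return out


if __name__ == "__main__":
    # Assumed usage: write the snapshot to a fresh directory, ideally on removable media.
    print(snapshot(tempfile.mkdtemp(prefix="incident-")))
```

Run it as the affected user first and again as root if you can, since /proc/<pid>/exe of other users' processes is unreadable without privilege; and write the output to removable media rather than the suspect disk, so the act of documenting does not overwrite anything the investigation may later need.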