University Policy

Electronic Data Security

Approval Date: 2010-03-25

Effective Date: 2018-03-06

Review Date: 2022-03-25

Authority:

Vice-President (Administration and Finance) through the Director of Information Technology Services

Purpose

To outline the responsibilities of all Authorized Users in supporting and upholding the security of Sensitive Electronic Data, regardless of the Authorized Users’ affiliation or relation with the University, and irrespective of where the data are accessed, utilized, or stored. This Policy is not exhaustive of all Authorized User responsibilities, but is intended to outline specific responsibilities that each Authorized User acknowledges and agrees to follow when using Sensitive Electronic Data provided to and/or by the University. This Policy conforms with the University’s Privacy Policy and the Access to Information and Protection of Privacy Act (ATIPPA) of Newfoundland and Labrador.

Scope

All Sensitive Electronic Data in the custody and/or control of the University; and all Units and Authorized Users of the data.

Definitions

Authorized User — An individual permitted by a responsible Unit or University employee to make use of University Computing Resources. Authorized Users include faculty, staff, students, contractors, sub-contractors, consultants, retirees, alumni, and Guests who have an association with the University that grants them access to University Computing Resources.

Computing Resource(s) — All devices (including, but not limited to, personal computers, laptops, USB keys, PDAs, and Smart phones) which are used to access, process, or store University data. Computing resources are those used for University business and may be: single- or multi-user; individually assigned or shared; stand-alone or networked; stationary or mobile.

Custody and/or Control — Having direct possession of, or authority over another's direct possession of, Sensitive Electronic Data.

Electronic Data — Includes all data that belongs to or is used by the University that is processed, stored, transmitted and/or copied to or from computing resources.

Encryption — The conversion of readily comprehended plaintext into encoded ciphertext such that unauthorized users cannot discern its original meaning.

Least Privilege — The principle that each Unit and Authorized User be granted the lowest level of access consistent with the performance of authorized duties.

Peer-to-peer (P2P) file sharing — Any of a number of programs or protocols used to distribute files anonymously. Examples include Ares, Bearshare, eMule, Kazaa, and Limewire.

Sensitive Electronic Data — Electronic data that has been designated as private or confidential by law or by the University. Sensitive Electronic Data includes, but is not limited to, data protected by the Privacy policy and the Access to Information and Protection of Privacy Act, 2015, SNL 2015, CA-1.2 (ATIPPA), including employment, health, academic and financial records, unpublished research data, third-party business data and all internal or business use only data. To the extent there is any uncertainty as to whether any data constitutes Sensitive Electronic Data, the data in question shall be treated as such until a determination is made by the University or proper legal authority.

Unit — Academic or administrative unit, as defined in the University Calendar, or any board or other body appointed or elected to carry out University business.

University Funds — Funds administered by the University including operating funds, research grant funds and trust funds.

Policy

All Authorized Users have a responsibility to protect Sensitive Electronic Data from unauthorized disclosure, modification, and destruction. All Authorized Users and Units shall adhere to this policy, the related standards and the related procedures in the interest of protecting said data.

Standards for approved security software and configurations shall be set by Information Technology Services and periodically revised in response to best practices and emerging technologies.

Emerging security threats and incidents may require immediate response. When such circumstances arise, the Vice-President (Administration and Finance), Vice-President (Grenfell Campus) or Vice-President (Marine Institute), as appropriate, has the authority to revoke an existing standard and/or introduce a new one.

Provincial legislation and the Privacy policy define personal information broadly. It is assumed that, except in extraordinary circumstances, all computing resources contain some degree of Sensitive Electronic Data (which includes personal information) requiring protection under this policy.

Access
Sensitive data access shall be limited in accordance with the principle of least privilege. For instance, Authorized Users needing access to a subset of data shall not be granted access to all records, nor shall they be provided write access if creating or modifying records is beyond the scope of their authorized duties. Application of the principle of least privilege can greatly limit damage resulting from user error and unauthorized access.

Use and Disclosure 
Sensitive Electronic Data shall not be used nor disclosed except as provided by University policy, legislation, or court order or where access to the data is needed by officers of the University to conduct the business of the University.

Change of Authorized User Status
When an Authorized User who has been granted access changes responsibilities or leaves employment, their access rights shall be re-evaluated by the Unit(s) involved and any access to data outside of the scope of the new position or status shall be revoked as soon as possible but not later than five working days. 

Operating Systems 
All computing resources purchased with University funds shall run a currently supported operating system for which security patches are actively released and applied.

Antivirus 
All desktops and laptops purchased with University funds shall run approved anti-virus software.

Encryption 
All laptops purchased with University funds and all laptops used to transport or store Sensitive Electronic Data must have approved encryption software installed. Other devices (including, but not limited to, USB keys) that are used to transport or store Sensitive Electronic Data must also employ approved encryption software.

Peer-to-Peer File Sharing
Peer-to-peer file sharing software shall not be installed on or operated from computers containing or accessing Sensitive Electronic Data.

Email and Instant Messaging 
Email to recipients external to the sender's campus, and all instant messages, pass through networks and/or servers operated by entities other than the University. As such, both are inherently insecure methods of transmitting Sensitive Electronic Data. Sensitive Electronic Data transmitted via email to off-campus recipients, or via instant messaging to any recipient, shall therefore be encrypted using approved encryption software.

For internal emailing of Sensitive Electronic Data, Authorized Users must assess the data for sensitivity and necessity for encryption. If the necessity of encryption is unclear, clarity should be sought from the associated unit head or from the University’s Information Access and Privacy Protection office. When any doubt exists, approved encryption methods shall be used.

When encryption methods are used, decryption passwords must be exchanged separately from the data itself, preferably via a different means (e.g., face-to-face or over the phone).

Smartphones 
BlackBerry and other smartphone-like devices must employ approved security configurations and/or software. Encryption, versus PIN or password protection, is required in any instance where the latter does not lead to factory reset of the device after a finite number of failed password attempts.

Backups 
Data that is critical to the mission of the University should be backed up to prevent accidental loss. Backup copies of Sensitive Electronic Data shall be protected to the same standards set out in this policy.

Disposal 
Sensitive Electronic Data must be securely deleted from reassigned and/or surplus computing resources in accordance with the principle of least privilege and the Data Removal Policy.

Use of Non-University-owned Equipment 
Sensitive Electronic Data preferably should not be stored on non-University-owned equipment. If such data must be stored on non-University-owned equipment, the Authorized User is responsible for ensuring the equipment meets the same security requirements set out in this policy.

Information and Training: 
Information Technology Services shall provide information and training to members of the university community as it pertains to this policy.

Exemptions: 
Requests for exemption should be submitted in writing to the head of the campus information technology service. Requests should detail the subsection of the policy for which the exemption is being sought, and proposed compensating controls, if any. Requests for exemption must be endorsed by the director/head of the requestor’s Unit.

Non-compliance: 
Units and Authorized Users who act in good faith and execute their responsibilities with a reasonable standard of care shall not be subject to disciplinary action in the event of a data security breach. Breaches arising from non-compliance with this policy may result in disciplinary action up to and including dismissal or expulsion.

Related Documents

Appropriate Use of Computing Resources policy
Data Removal policy
Enterprise Risk Management policy
Information Management policy
Privacy policy
Electronic Data Security Standards

Procedures:

For inquiries related to this policy:

Information Technology Services, 709-864-4595

Sponsor:

Vice-President (Administration & Finance)

Category:

Operations

Previous Versions:

There is at least one previous version of this policy. Contact the Policy Office to view earlier version(s).

Approval Date: 2010-03-25; Effective Date: 2013-11-05
Approval Date: 2010-03-25; Effective Date: 2010-03-25

Policy Amendment History

There are past amendments for this policy:

Action: REPLACED
Date: 2019-05-27 09:43:30
This policy was replaced with a new version. Comment provided: Connected definitions using the definitions from the glossary.
Action: REPLACED
Date: 2019-07-22 11:01:19
This policy was replaced with a new version. Comment provided: Updated the review date from 2018-03-25 to 2022-03-25 during the 2019 Annual Policy Review.
Action: REPLACED
Date: 2022-08-24 15:36:31
This policy was replaced with a new version. Comment provided: 8/24/2022 update broken link