IT Services. IT Services Standard. Data Storage Security

Academic year: 2021


IT Services Standard

Data Storage Security

Revision and Review

Revision History

Version | Date | Status | Summary of Changes | Author
0.1 | Mar 24, 2015 | Draft | Initial draft | Kevin Vadnais
0.2 | Apr 2, 2015 | Draft | Including feedback from ITS managers, and ULFA representatives | Kevin Vadnais
1.0 | April 17, 2015 | Final | Implemented suggested changes from ITS and faculty reviewers | Kevin Vadnais

Document Reviews

Reviewer Name and Title | Date
Darren Schell, Associate Exec Director, IT Services | Mar 31, 2015

Authority & Alignment

Authority

UNIVERSITY OF LETHBRIDGE

INFORMATION AND TECHNOLOGY MANAGEMENT POLICY

Subsection 4 – Privacy, Information Security, and Identity Management
Subsection 5 – Information Management

Alignment

Provincial Post-Secondary System ITM Strategic Direction Priority: High Quality Teaching and Learning Environment

Overview

As the needs for digital storage continue to grow, the University will increase its utilization of the many different network and cloud storage options that are available for reliable, affordable and widely available access. This standard will define the responsibilities of data owners to ensure their information is stored in an appropriate location, and protected with the required measures to ensure its confidentiality, integrity and availability.

Scope

This standard applies to all University data, whether it is stored on campus or within a cloud storage service.

Compliance & Exceptions

Exceptions to this standard must follow the exception process defined below.

Failure to comply with this standard may result in disciplinary action. Disciplinary actions shall follow established University policies and procedures and shall be in accordance with the applicable Faculty Handbook, Sessional Lecturers Handbook, collective agreement and employee manuals.

Standard Requirements

1. University users shall store category 2, 3 and 4 information (see Appendix A below for definitions) that has conditions on the physical location of the storage (for example, information that must be stored within Canada) on the University campus. These conditions will be known by the data owners.

2. University users that utilize cloud storage solutions (e.g. OneDrive, Google Drive, Dropbox, etc.), and have a requirement or desire for encryption, shall encrypt all files before uploading their information to the cloud provider. Examples of solutions include, but are not limited to, BoxCryptor, SharedSafe, or CryptSync (open source). Not all third-party solutions will be supported by IT Services, and users with questions should contact the ITS Solutions Centre for clarification.

3. All users that utilize cloud storage solutions shall complete provided training to ensure they understand that third-party providers such as Microsoft, Google, and Dropbox will protect their data as much as possible but could be breached by attackers, or subject to other jurisdictions’ warrants to view their data.

4. Email shall not be used as a secure storage medium for data. By its nature, email is not intended to be a data storage solution and users shall utilize other technologies for that purpose. Any data within email that is deemed category 3 or 4 should be considered for encryption before being attached to a message and sent. Passwords to encrypted attachments shall not be sent within the same email as the attachment and must be communicated via phone or in person whenever possible. When these options are not available, a separate email which contains the password may be sent.

Exception Process

Should exceptions for this standard be required, users will need to engage the Information Security Office within IT Services to facilitate their request. All exception requests will undergo an assessment to determine if existing solutions can meet business requirements or if additional options need to be offered.

Related Content

Type Title

Data Classification

The information in this document is classified as No/Low Risk.

Measurement

Always set SMART criteria for measurement – Specific, Measurable, Attainable, Result-focused and Time-Oriented. These measures should be linked to business goals. The Key Performance Indicators recommended to measure the effectiveness and efficiency of this procedure include:

1. All new hires and research grant recipients will complete the online training for data storage within 2 weeks of beginning their employment or research.

Training must be renewed on a bi-annual basis (every 2 years). Certain job types where data storage is not required may be excluded from the training upon request.

Contact

Kevin Vadnais – Manager, Information Security Office 403-332-4056

[email protected]

Authorization & Signature

_______________________________________ ___________________

Appendix A – Data Classification

To assist users in identifying and classifying their data, the following definitions should be used until an institution-wide classification system replaces it. As Data Classification is not a new concept, we will utilize the definitions provided by the ITM control framework, which align with the classification used by the Provincial Government of Alberta (GoA).

Category | Description¹ | Examples | Example of Risks

Category 1
Description¹: Publicly available information. Confidentiality: Not applicable; Integrity: Low to High; Availability: Low to Medium.
Examples: Public announcements; telephone directory; course descriptions; university/college brochures; job listings; specific categories of employee and student information (such as enrollment count, FTE count, etc.). No Personally Identifiable Information (PII) will fall into this category.
Example of Risks: Little or no risk; minor inconvenience if unavailable; if compromised, would not result in injury to an individual or to the Institution.

Category 2
Description¹: Includes personal information, financial information and operational details. Available to authorized individuals with a need-to-know for business purposes. Confidentiality: Medium; Integrity: Low to High; Availability: Low to High.
Examples: Internal memos; minutes of meetings; internal project reports; draft requests for proposals; planning documents; documents containing personal information (e.g. student work, summary department budget reports, preliminary research results).
Example of Risks: Unfair competitive advantage; disruption to business if not available; harm to individuals if disclosed, modified, stolen or destroyed without authorization.

Category 3
Description¹: Available to only specific and explicitly assigned roles, functions or groups. Confidentiality: High; Integrity: High; Availability: High.
Examples: Documents containing personal information, such as specific categories of employee and student information (e.g., employee personnel files with appraisals, disciplinary actions or medical records); accounting information; unit budgets; information protected by legal privilege; student loan information; faculty unpublished research or other intellectual property; financial planning documents; third-party information shared in confidence; security operational controls; authentication information.
Example of Risks: Serious harm to individuals if disclosed, modified, stolen or destroyed without authorization; loss of reputation; loss of competitive advantage; loss of intellectual property; financial loss; introduction of security vulnerabilities; identity theft and fraud.

Category 4
Description¹: Extremely sensitive information that could cause extreme harm to the Institution, or to an individual, causing loss of life or serious financial hardship. Available only to explicitly assigned individuals, positions or roles, and regularly reviewed. Confidentiality: High; Integrity: High; Availability: High.
Examples: Specific categories of employee and student information (e.g., legal suits, medical/health information, appeals, grievances, clinical patient data); serious administrative investigations with the potential of criminal sanctions; national interest information received from the federal government.
Example of Risks: Extreme harm to the Institution (i.e., loss of charter); significant financial loss to the Institution; extreme harm to individuals (i.e., loss of life, financial ruin).

¹ The terms “confidentiality”, “integrity” and “availability” are defined in the ITM Control Framework.


For ease of use in documents, rather than using numeric classification exclusively, the following terms will map to the various categories (using the GoA terminology):

Category | Matching Term
1 | No/Low Risk
2 | Medium Risk
3 | High Risk

References
