University Policy


Electronic Data Security

Approval Date: 2025-03-06

Effective Date: 2025-03-06

Review Date: 2029-03-06

Authority:

Vice-President (Administration, Finance and Advancement) through the Chief Information Officer

Purpose

To outline the responsibilities of all Authorized Users in supporting and upholding the security of University Electronic Data, regardless of the Authorized Users’ affiliation or relation with the University, and irrespective of where the data are accessed, utilized, or stored. This Policy is not exhaustive of all Authorized User responsibilities, but is intended to outline specific responsibilities that each Authorized User acknowledges and agrees to follow when using University Electronic Data. This Policy conforms with the University’s Privacy Policy and the Access to Information and Protection of Privacy Act (ATIPPA) of Newfoundland and Labrador.

Scope

All University Electronic Data in the custody and/or control of the University; and all Units and Authorized Users of the data.

Definitions

Authorized User — An individual permitted by a responsible Unit or University employee to make use of University Computing Resources. Authorized Users include faculty, staff, students, contractors, sub-contractors, consultants, retirees, alumni, and Guests who have an association with the University that grants them access to University Technology Resources.

Cloud — Internet-based computing provided by a third party for computer processing resources and/or data storage.

Computing Resource(s) — All devices (including, but not limited to, desktops, laptops, tablets, phones, USB keys, hard drives) which are used to access, process, or store University Electronic Data. Computing resources are those used for University business and may be: single- or multi-user; individually assigned or shared; stand-alone or networked; stationary or mobile.

Custody and/or Control — Having direct possession of, or authority over another's direct possession of, Sensitive Electronic Data.

Encryption — The conversion of readily comprehended plaintext into encoded ciphertext such that unauthorized users cannot discern its original meaning.

IT-Classified Staff — Employed by the various technology service providers for Memorial University campuses (Marine Institute Information and Communications Technologies (ICT), Grenfell campus IT Services (ITS), Harlow campus systems, St. John's campus Office of the Chief Information Officer (OCIO), Labrador Institute (OCIO), Gander and Grand Falls Nursing Satellite Sites (OCIO)) and Select Units with Director/Head and Human Resources approval to provide local IT Support.

Least Privilege — The principle that each Unit and Authorized User be granted the lowest level of access consistent with the performance of authorized duties to protect University data.

Multi-factor Authentication (MFA) — Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA requires one or more additional verification factors beyond username/password, which decreases the likelihood of a successful cyberattack. MFA may include, for example, an authentication app on your phone to verify identity.

Sensitive Electronic Data — Electronic data that has been designated as private or confidential by law or by the University. Sensitive Electronic Data includes, but is not limited to, data protected by the Privacy policy and the Access to Information and Protection of Privacy Act, 2015, SNL 2015, CA-1.2 (ATIPPA), including employment, health, academic and financial records, unpublished research data, third-party business data and all internal or business use only data. To the extent there is any uncertainty as to whether any data constitutes Sensitive Electronic Data, the data in question shall be treated as such until a determination is made by the University or proper legal authority.

Unit — Academic or administrative unit, as defined in the University Calendar, or any board or other body appointed or elected to carry out University business.

Unit Head — For the purposes of this policy, Unit Head is the term used to mean Deans, Department Heads, Division Heads, Heads of Schools, Directors, Executive Directors, University Librarian, University Registrar and other senior administrators at a comparable level; Associate Vice-Presidents and Vice-Presidents, as applicable.

University — Memorial University of Newfoundland.

University Electronic Data — Includes all data that belongs to or is used by the University that is processed, stored, transmitted and/or copied to or from Computing Resources. University Electronic Data may be considered Sensitive Electronic Data depending upon the data type.

University Funds — Funds administered by the University including operating funds, research grant funds, PDTER funds and trust funds.

University Owned — All Technology Resources purchased by Memorial University through University Funds.

University Technology Resources — Computers, Electronic Devices, networks, data storage, software applications, Cloud solutions, e-mail addresses, websites, domain names and identities that are either owned or funded (in whole or in part) by the University or by funds administered by the University.

Virtual Private Network (VPN) — A Virtual Private Network (VPN) is an encrypted private connection over the internet from a device to a network.

Policy

All Authorized Users have a responsibility to protect University Electronic Data and University Technology Resources from unauthorized disclosure, modification, and destruction. All Authorized Users and Units shall adhere to this Policy, the related standards and the related procedures in the interest of protecting University Electronic Data.

Unit Heads are responsible for ensuring compliance with this policy and its related standards and procedures. IT-Classified staff are responsible for initial secure setup and ongoing management of University-Owned Computing Resources and following technical guidelines per the Tangible Asset Policy and Data Removal Policy.

Standards for approved security software and configurations shall be set by the Office of the Chief Information Officer (OCIO) in consultation with the various campuses and periodically revised in response to best practices and emerging technologies. 

Emerging security threats, vulnerabilities and incidents may require immediate response. When such circumstances arise, the OCIO, as appropriate, has the authority to revoke an existing standard and/or introduce a new one.

Provincial legislation and the Privacy policy define personal information broadly. It is assumed that, except in extraordinary circumstances, all Computing Resources contain some degree of Sensitive Electronic Data (which includes personal information) requiring protection under this policy. Sensitive Electronic Data shall not be used nor disclosed except as provided by University policy, legislation, or court order or where access to the data is needed by officers of the University to conduct the business of the University.

Account Access
University Electronic Data access shall be limited in accordance with the principle of Least Privilege. For instance, Authorized Users needing access to a subset of data shall not be granted access to all records, nor shall they be provided write access if creating or modifying records is beyond the scope of their authorized duties. Application of the principle of Least Privilege can greatly limit damage resulting from user error and unauthorized access. The principle of Least Privilege is to be employed wherever possible.

Change of Authorized User Status
When an Authorized User who has been granted access changes responsibilities or leaves employment, their access rights shall be re-evaluated by the Unit(s) involved and any access to data outside of the scope of the new position or status shall be revoked per the Procedure for Managing University Records of Exiting Employees and the Process for Exiting Employees.

Operating Systems 
All Computing Resources purchased with University Funds shall run a currently supported operating system outlined in the Electronic Data Security Standards.

Software Applications

All Computing Resources purchased with University Funds shall run currently supported software applications outlined in the Electronic Data Security Standards. Non-supported software to be installed on Computing Resources requires a security assessment by the Office of the CIO.

Cloud Solutions

As per the IT Investment and Governance policy, Cloud services and storage that meet any of the current criteria set by the IT Governance and Collaboration Council (available here) shall be assessed through the IT Governance and Collaboration Framework.

Antivirus 
All desktops and laptops purchased with University funds shall run approved anti-virus software per the Electronic Data Security Standards.

Encryption 
All mobile or off-site Computing Resources purchased with University funds must have approved encryption software installed per the Electronic Data Security Standards. (Updated below) Other approved encryption methods are also covered under the Electronic Data Security Standards.

Sensitive Electronic Data

Sensitive University Electronic Data is to be shared using secure file sharing solutions. See the Electronic Data Security Standards for more information.

Information and Training: 

The OCIO shall provide security awareness information and/or training to members of the university community as it pertains to this policy.

Network Access

University-owned and managed Computing Resources are to connect to the Memorial wired or @Memorial wireless services where possible, requiring Memorial credentials. Guest, Residence or other network services should not be used by University-owned and managed Computing Resources while on campus unless otherwise approved for a specific purpose. Eduroam is available for visiting institutions which are members of the Canadian Access Federation (CAF). The OCIO has the right, under this policy, to refuse to connect equipment that does not meet the Standards outlined in the Policy or which may negatively affect the campus network.

University-owned Computing Resources connecting to Memorial’s network require the use of the approved VPN service for remote work arrangements or any off-site use of Computing Resources, per the Electronic Data Security Standards. Use of Multi-factor Authentication (MFA) is required for some services and otherwise recommended where available.

Passwords

Computing Resources or University Technology Resources which store University Electronic Data must be password protected with a strong password meeting Memorial University standards. This is part of the normal setup process when IT-Classified Staff set up Computing Resources, per the Electronic Data Security Standards.

University-provided solutions

University Technology Resources are to be used to conduct university business. Please refer to the Electronic Data Security Standards for university-provided solutions. It is recommended to access your files remotely using University Technology Resources and not carry or transfer files to non-University owned systems. For tools outside the defined Standards, please consult with IT Classified Staff.

Mobile/cellular devices 

Memorial-issued or approved mobile/cellular devices must employ approved security configurations, per the Electronic Data Security Standards. Encryption, in addition to PIN or password protection, is required.

Backups and Resiliency

Data that is critical to the mission of the University shall be backed up or resiliently stored to reduce the risk of accidental loss. Backup copies of University Electronic Data shall be protected to the same standards set out in this policy. For guidance regarding backups, consult your campus IT Service Desk or IT-Classified Staff.

Physical Security

Appropriate controls must be employed to protect physical access or proximity to Computing Resources and University Technology Resources, commensurate with the acceptable risk considering data type and physical exposure of the environment.

Disposal

University Electronic Data must be securely deleted from reassigned and/or surplus Computing Resources in accordance with the Data Removal Policy.

Use of Non-University-owned Equipment 

University Electronic Data is not to be stored on non-University-owned equipment. Please refer to the Electronic Data Security Standards for university-provided file storage solutions.

Deviations: 

Requests for deviation from this policy are to be addressed to the CIO, through the Vice-President (Administration, Finance and Advancement). Requests should detail the section of the policy for which the exemption is being sought, and propose compensating controls if any. Requests for exemption must be endorsed by the Unit Head.

Non-compliance: 

Units and Authorized Users who act in good faith and execute their responsibilities with a reasonable standard of care shall not be subject to disciplinary action in the event of a data security breach. Breaches arising from non-compliance with this policy may result in disciplinary action up to and including dismissal or expulsion.

Related Documents

Electronic Data Security Standards

IT Onboarding for New Employees

Procedure for Managing University Records of Exiting Employees

Process for Exiting Employees

Security and Information Protection Assessments

Elevated Account Privileges for Desktop Administration Request

Certificate Signing Request (CSR) Certificate Request

IT Procurement Order Process

Procedures:

For inquiries related to this policy:

Office of the Chief Information Officer, 709-864-4595

Sponsor:

Vice-President (Administration, Finance and Advancement)

Category:

Operations

Previous Versions:

There is at least one previous version of this policy. Contact the Policy Office to view earlier version(s).

Approval Date: 2010-03-25
Effective Date: 2018-03-06
Approval Date: 2010-03-25
Effective Date: 2013-11-05
Approval Date: 2010-03-25
Effective Date: 2010-03-25

Policy Amendment History

There are past amendments for this policy:

Action: PUBLISHED
Date: 2025-05-13 12:53:58
This policy was published as a replacement of a previous version with an ID of 328. Comment provided: Updated as approved by the Board of Regents on March 6, 2025.