
Data security standard

The purpose of the Data Security Standard is to provide guidelines that help the University Community know which Information Systems are appropriate for the handling and storage of different types of data, as classified in the Data Governance Policy.

Standards for data

These standards help the university community know which information systems are appropriate for the handling and storage of different types of data. This is not a full list of information systems, but is intended to give the university community an understanding of how to protect university data. To assist with navigation, examples of applied standards are displayed in two categories.

  • University-managed: Institutional services, systems and devices that are operated, managed and supported by enterprise or local IT at SFU.
  • Individually-managed: Services, systems and devices that are operated, managed and supported independently of enterprise or local IT at SFU.

University managed

| | Public access data | Internal data | Regulated data |
|---|---|---|---|
| Institutional systems (Academic personnel system, Canvas, eTRACS, FINS, goSFU, myINFO, SFU Print) | √ | √ | √ |
| Department file storage (SFU Sharepoint, File server) | √ | √ | !! Apply standards 1 & 2 |
| Individual file storage (SFU Vault) | √ | √ | !! Apply standards 2 & 3 |
| Email & instant messaging (SFU Mail) | √ | √ | !! Apply standards 2 & 3 |
| Research storage | √ | √ | √ Apply standard 1 |
| Cloud services | √ | √ | !! Apply standard 4 |

Individually managed

| | Public access data | Internal data | Regulated data |
|---|---|---|---|
| Removable storage (e.g. USB flash drive, external hard drive, CD, DVD) | √ | √ | !! Apply standard 5 |
| Unmanaged devices (e.g. personal mobile phones, home computers) | !! Apply standard 6 | !! Apply standard 6 | x Apply standard 6 |
| Cloud services (e.g. Dropbox, Gmail, Slack) | !! Apply standard 7 | !! Apply standard 7 | x Apply standard 7 |

Standards

Standard 1 - Access control

  • Restrict access permissions appropriately so that only authorized groups and users have access. Controlling access by role-based group is preferred over individual named users, as users’ roles change over time.

Standard 2 - Copying data 

  • Minimize unnecessary copies of data by sharing links instead of data files. Copies of data files are harder to restrict and keep up-to-date, while linked files can be updated and access permissions can be changed as needed in the future.

Standard 3 - File storage

  • University-provided departmental file storage (SFU SharePoint, SFU OnBase, file server) is preferred.

If file attachments must be used, file encryption is recommended.

University-provided individual file storage (SFU Vault) typically has files shared between individuals rather than role-based groups, which makes it harder to control access appropriately as users’ roles change over time.

University-provided email (SFU Mail) and instant messaging are typically also between individuals rather than role-based groups, and typical use encourages sharing files rather than storing them on university-provided departmental file storage, where it is easier to maintain data and access permissions over time as roles and responsibilities change.

Standard 4 - Cloud data

  • Not all types of data will be appropriate for all university-approved cloud services. For example, some university-approved cloud services may be hosted outside Canada and not appropriate for personal information.

Standard 5 - Encryption for removable storage

  • Encrypt removable storage devices such as external hard drives and USB flash drives.

Standard 6 - Unmanaged devices

  • Do not store university data on unmanaged devices, as they often lack the controls and protection required compared with university systems designed to handle and provide long-term management of the data. Unmanaged devices require increased security settings when used to access university data.

Standard 7 - Unmanaged cloud services

  • Do not use non-university cloud services to store or share university data as they lack the contracts or service agreements that safeguard ownership and control of university data. Do not use personal email to store or share university data.