- Get help
- Services
- Announcements & alerts
- Service outages
- Security alerts
- Major initiatives
- Reintroducing IT ServiceHub: Your One-Stop IT Support Platform
- Supporting SFU's Digital Transformation with Exchange Online
- Important changes to SFU email practices
- Transforming the SFU experience through digital improvements - Key Initiatives in Progress
- Jovanna Sauro wins SFU Personal Achievement Award
- Improve your cellular coverage by enabling WiFi Calling
- New committee guides transformative changes at SFU
- Expanded identity options for students within SFU applications
- SFU works toward keeping devices out of landfills
- A journey to improved WiFi
- Help us, help you, connect to better WiFi
- IT Services' new support system: ServiceHub
- Information Security Essential Courses
- IT Services leadership announcement
- University Wide Password Change Initiative
- April 2021 technical issue
- Telephone System Core Infrastructure Upgrade
- Decommissioning fraser.sfu.ca
- About
- Information security
Data security standard
The purpose of the Data Security Standard is to provide guidelines that help the University Community know which Information Systems are appropriate for the handling and storage of different types of data, as classified in the Data Governance Policy.
Standards for data
These standards help the university community know which information systems are appropriate for the handling and storage of different types of data. This is not a full list of information systems, but is intended to give the university community an understanding of how to protect university data. To assist with navigation, examples of applied standards are displayed in two categories.
- University-managed: Institutional services, systems and devices that are operated, managed and supported by enterprise or local IT at SFU.
- Individually-managed: Services, systems and devices that are operated, managed and supported independently of enterprise or local IT at SFU.
University managed
| Public access data | Internal data | Regulated data | |
|---|---|---|---|
Institutional systems |
√ |
√ |
√ |
| Department file storage (SFU Sharepoint, File server) |
√ |
√ |
!! |
| Individual file storage (SFU Vault) |
√ |
√ |
!! |
| Email & instant messaging (SFU Mail) |
√ |
√ |
!! |
| Research storage | √ |
√ |
√ |
| Cloud services | √ |
√ |
!! |
Indivisually managed
| Public access data | Internal data | Regulated data | |
|---|---|---|---|
Removable storage |
√ |
√ |
!! |
| Unmanaged devices (E.g. Personal mobile phones, home computers) |
!! |
!! |
x |
| Cloud services (E.g. dropbox, Gmail, Slack) |
!! |
!! |
x |
Standards
- Restrict access permissions appropriately so that only authorized groups and users have access. Controlling access by role-based group is preferred over individual named users, as users’ roles change over time.
- Minimize unnecessary copies of data by sharing links instead of data files. Copies of data files are harder to restrict and keep up-to-date, while linked files can be updated and access permissions can be changed as needed in the future.
- University-provided departmental file storage (SFU SharePoint, SFU OnBase, file server) is preferred.
If file attachments must be used, file encryption is recommended.
University-provided individual file storage (SFU Vault) typically has files shared between individuals rather than role-based groups, which makes it harder to control access appropriate as users’ roles change over time.
University-provided email (SFU Mail) and instant messaging is typically also between individuals rather than role-based groups, and typical use encourages sharing files rather than storing them on university-provided departmental file storage, where it is easier to maintain data and access permissions over time as roles and responsibilities change.
- Not all types of data will be appropriate for all university-approved cloud services. For example, some university-approved cloud services may be hosted outside Canada and not appropriate for personal information.
Standard 5 - Encryption for removable storage
- Encrypt removable storage devices such as external hard drives and USB flash drives.
Standard 6 - Unmanaged devices
- Do not store university data on unmanaged devices, as they often lack the controls and protection required compared with university systems designed to handle and provide long-term management of the data. Unmanaged devices require increased security settings when used to access university data.
Standard 7 - Unmanaged cloud services
- Do not use non-university cloud services to store or share university data as they lack the contracts or service agreements that safeguard ownership and control of university data. Do not use personal email to store or share university data.