The following standards have been approved by the SFU Information Technology Strategies Committee and apply to all faculty, staff, and third parties who access university information.
High-level direction for secure storage, transmission, and disposal of university information based on three classification levels: Public (White), For Official Use Only (Amber), and Confidential (Red).
The Information Security Breach Protocol sets out the steps SFU will follow when there is evidence that confidential information has been accessed without authorization. The Breach Protocol should be invoked on the loss or theft of any device containing confidential information, the loss or theft of any paper files containing confidential information, or any evidence of unauthorized access to a system or file where confidential information is stored or accessed.
These standards offer guidance on minimum password strength and usage for SFU systems.
Smartphones, such as BlackBerrys and iPhones, that are used to access University systems such as email require a number of specific security measures. The Information Technology Services department will enforce these standards where possible, but all users of these devices are required to meet them.
This standard addresses notebooks, netbooks, USB flash drives, and any other mobile storage media.
Multifunction devices (MFDs) now combine printing, fax, scanning, email, and copy functions and include the ability to store and share large amounts of data over networks. These standards set out the minimum configuration required to meet the University's security requirements.
Privacy Impact Assessment
New programs or services, new systems or applications, and new agreements with service providers can all have an impact upon privacy. The process used to evaluate these privacy implications is called a Privacy Impact Assessment (PIA). For more information about how to conduct a PIA, or for any other questions you may have about privacy, see SFU's Freedom of Information and Protection of Privacy Program.
Information Security Assessment
[To be added.]
Role accounts are granted to a role or organizational position rather than to an individual for business purposes. A role account may be shared amongst authorized users as determined by the appropriate Department Chair/unit head. Information contained in these accounts may be accessed and disseminated upon the request of the Chair/unit head to the Director, Client and Research Services (CaRS). Users are advised that role accounts should not be used to store personal information as they are subject to access should the University need to do so to conduct its operations.
See also policy GP 24, Fair Use of Information and Communications Technology.