Standards

(Draft)

The following standards have been approved by the SFU Information Technology Strategies Committee and apply to all faculty, staff, and third parties who access university information.

Information Classification Standards

High-level direction for secure storage, transmission, and disposal of university information based on three classification levels: Public (White), For Official Use Only (Amber), and Confidential (Red).

Privacy Breach Protocol

In the event of a privacy breach, SFU staff and faculty will follow the steps outlined in the University Privacy Breach Protocol.

Information Security Breach Protocol

The Information Security Breach Protocol provides guidance on the steps that SFU will follow when there is evidence that confidential information has been accessed without authorization. The Breach Protocol should be used when there is a loss or theft of any device containing confidential information, loss or theft of any paper files containing confidential information, or when there is evidence of unauthorized access to any system or file where confidential information is stored or accessed.

Choosing a Password

These standards offer guidance on minimum password strength and usage for SFU systems.

Smartphone Standards

Smartphones, such as BlackBerrys and iPhones, that are used to access University systems such as email require a number of unique security measures. The Information Technology Services department will enforce these standards where possible, but all users of these devices are required to meet these standards.

Mobile Device Standards

This standard addresses notebooks, netbooks, USB flash drives, and any other mobile storage media.

Multi-Function Device (MFD) Standards

MFDs now combine printing, fax, scanning, email, and copy functions and include the ability to store and share large amounts of data over networks. These standards address the minimum configuration to meet the University's security requirements.

Privacy Impact Assessment

New programs or services, new systems or applications, and new agreements with service providers can all have an impact upon privacy. The process used to evaluate these privacy implications is called a Privacy Impact Assessment (PIA). For more information about how to conduct a PIA, or for any other questions you may have about privacy, see SFU's Freedom of Information and Protection of Privacy Program.

Information Security Assessment

[To be added.]

Role Accounts

Role accounts are granted to a role or organizational position, rather than to an individual, for business purposes. A role account may be shared amongst authorized users as determined by the appropriate Department Chair/unit head. Information contained in these accounts may be accessed and disseminated upon the request of the Chair/unit head to the Director, Client and Research Services (CaRS). Users are advised that role accounts should not be used to store personal information, as these accounts are subject to access should the University need to access them to conduct its operations.

See also policy GP 24, Fair Use of Information and Communications Technology.