Data Security Standard

We are embarking on a journey to update the policies and standards related to the use of information systems at SFU. The goal of these policies is to manage information systems risk at the university. Regarding data security specifically, we have drafted a standard that we would like to circulate more widely for awareness and discussion.

The purpose of the Data Security Standard is to provide guidelines that help the University Community know which Information Systems are appropriate for the handling and storage of different types of data, as classified in the Data Governance Policy.

Types of Data 

Simon Fraser University data classifications help members of the university community to identify, understand, manage, and use university data appropriately. 

The data classes and guidelines are meant to be used as recommendations in conjunction with any applicable compliance requirements, such as the Copyright Act, Freedom of Information and Protection of Privacy Act (FIPPA), and Payment Card Industry Data Security Standard (PCI DSS).

Information systems outside of Canada are not suitable for Personal Information because FIPPA prohibits storing or accessing Personal Information outside Canada.

All members of the University Community are required to comply with all ethical, regulatory, statutory, third-party, and other contractual obligations; to use data only for the purposes for which it is collected; to observe any restrictions on its use; and to collect, store, and dispose of data in ways appropriate to the risk and impact of unintended disclosure.

Access alone does not authorize use of data.

Public Access Data

Public Access Data is data that is generally available to all employees, the general public, and the media.

This information is deemed to be public by legislation or policy.

Examples of such data at SFU include information contained in the University's Annual Report, published convocation lists, and statistical reports on enrolment.

There are no restrictions on access.

Internal Data

Internal Data is limited to employees and other authorized users and is stored within a controlled access system.

This is the default category, used for information that is not Public Access Data or Regulated Data.

Internal data is available to those employees with a need for access as part of their job duties. Not all employees have access to all internal data, but free flow of information is critical to the success of the University. Restrictions are applied only with consent of all interested Data Stewards.

Access is influenced by the employee's job responsibilities and ability to extract value from the data for the greater good of SFU.

Examples of internal data include student grades and contact information.

Regulated Data

Regulated Data is data of a very sensitive nature that is protected from general distribution and is stored within a controlled access system.

This information is protected by legal contract, legislation, or regulation.

Special authorization from a Data Steward must be obtained before regulated data is made available to a Data User. The Steward may choose to only provide limited access.

Examples of limited access data include employment and education equity declarations, and records pertaining to disciplinary actions.

Guidelines for Data

1. Only handle or store the minimum amount of data required to complete a task (the principle of “data minimization”). Do not handle or store any data that is not required, in particular very sensitive data.

2. Internal Data or Regulated Data may only be shared with other SFU Employees when their role at SFU requires them to have access to perform their duties (the principle of “least privilege”).

3. Keep data on just one Information System and do not copy, extract, or download data to other Information Systems. If this control is violated, one of the following must be done:

  • Submit a plan to eliminate the redundancy to the Data Governance Council, or
  • Submit a request for approval in writing to the Data Governance Council.

4. Enterprise and Local Information Systems staff are available to consult with departments and Users to advise them of the risks and help determine which Information Systems will be best able to meet their requirements and support their business processes.

Standards for Data 

These standards help the university community know which information systems are appropriate for the handling and storage of different types of data.  This is not a full list of information systems, but is intended to give the university community an understanding of how to protect university data.

To assist with navigation, examples of applied standards are displayed in two categories.

  • University-managed: Institutional services, systems and devices that are operated, managed and supported by enterprise or local IT at SFU.

  • Individually-managed: Services, systems and devices that are operated, managed and supported independently of enterprise or local IT at SFU.

University Managed

Each system is rated for Public Access Data, Internal Data, and Regulated Data; the standards that apply to each system are listed below.

  • Institutional Systems (Academic Personnel System, Canvas, eTRACS, FINS, goSFU, myInfo, SFU Print)
  • Department File Storage (SFU SharePoint, file server): apply standards 1 and 2
  • Individual File Storage (SFU Vault): apply standards 2 and 3
  • Email and Instant Messaging (SFU Mail): apply standards 2 and 3
  • Research Storage: apply standard 1
  • Cloud Services: apply standard 4

Individually Managed

  • Removable Storage (e.g. USB flash drive, external hard drive, CD, DVD): apply standard 5
  • Unmanaged Devices (e.g. personal mobile phones, home computers): apply standard 6 for Public Access Data, Internal Data, and Regulated Data
  • Cloud Services (e.g. Dropbox, Gmail, Slack): apply standard 7 for Public Access Data, Internal Data, and Regulated Data

Legend:

  • Use with Caution: Contact IT for assistance and recommendations.
  • Not Recommended: Contact IT for assistance and recommendations.


Standards

Standard 1 - Access Control

Restrict access permissions appropriately so that only authorized groups and users have access. Controlling access by role-based group is preferred over individual named users, as users’ roles change over time.
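The reason Standard 1 prefers role-based groups, and the reason guideline 2 ties access to a person's role, is that a named-user grant does not follow the person when their job changes. The following is an added example, not part of the SFU standard and not SFU code: it models a folder ACL both ways, simulates a staff member moving to a new role, and shows that only the group-based ACL revokes the old access by itself. It also includes the audit an administrator would run to find named-user entries that should be group entries. All user names, group names and the in-memory "directory" are constructed for illustration.

```python
"""Added example (not from the SFU Data Security Standard).

Why role-based groups beat named-user grants (Standard 1 / least privilege):
when a user changes role, updating group membership is enough to remove
stale access, whereas a named-user entry lingers until someone edits the ACL.
All identities and groups below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Directory:
    """Hypothetical identity store: user name -> set of role groups."""
    members: dict[str, set[str]] = field(default_factory=dict)

    def change_role(self, user: str, old_group: str, new_group: str) -> None:
        """Move a user from one role group to another (what HR/IT does on a transfer)."""
        groups = self.members.setdefault(user, set())
        groups.discard(old_group)
        groups.add(new_group)


@dataclass
class Acl:
    """Access list for one resource. Entries are 'group:<name>' or 'user:<name>'."""
    entries: set[str] = field(default_factory=set)

    def can_read(self, user: str, directory: Directory) -> bool:
        """A user is granted access directly or via any group they belong to."""
        if f"user:{user}" in self.entries:
            return True
        return any(f"group:{g}" in self.entries
                   for g in directory.members.get(user, ()))

    def direct_user_grants(self) -> list[str]:
        """Audit check for Standard 1: named-user entries that should be group entries."""
        return sorted(e for e in self.entries if e.startswith("user:"))


def simulate_role_change() -> dict[str, bool]:
    """Constructed scenario: alice leaves registrar staff for the library.

    Returns whether alice can still read the registrar folder under each ACL style.
    """
    directory = Directory({"alice": {"registrar-staff"}, "bob": {"registrar-staff"}})
    group_acl = Acl({"group:registrar-staff"})          # Standard 1 preferred style
    named_acl = Acl({"user:alice", "user:bob"})         # named-user grants

    before_group = group_acl.can_read("alice", directory)   # True
    before_named = named_acl.can_read("alice", directory)   # True

    # Only the directory is updated; nobody touches either ACL.
    directory.change_role("alice", "registrar-staff", "library-staff")

    return {
        "group_acl_before": before_group,
        "named_acl_before": before_named,
        "group_acl_after": group_acl.can_read("alice", directory),  # False: access followed the role
        "named_acl_after": named_acl.can_read("alice", directory),  # True: stale grant remains
    }


if __name__ == "__main__":
    print(simulate_role_change())
    print("named-user entries to review:", Acl({"user:alice", "user:bob"}).direct_user_grants())
```

The `direct_user_grants` audit is the practical takeaway: run it (or its equivalent for the real file share) periodically, and move any named-user entries it reports into a role-based group so that future role changes are handled by group membership rather than by remembering to edit each ACL.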

Standard 2 - Copying Data

Minimize unnecessary copies of data by sharing links instead of data files. Copies of data files are harder to restrict and keep up-to-date, while linked files can be updated and access permissions can be changed as needed in the future.

Standard 3 - File Storage

University-provided departmental file storage (SFU SharePoint, SFU OnBase, file server) is preferred.

If file attachments must be used, file encryption is recommended.

University-provided individual file storage (SFU Vault) typically has files shared between individuals rather than role-based groups, which makes it harder to control access appropriately as users’ roles change over time.

University-provided email (SFU Mail) and instant messaging are also typically between individuals rather than role-based groups, and typical use encourages sharing files rather than storing them on university-provided departmental file storage, where it is easier to maintain data and access permissions over time as roles and responsibilities change.

Standard 4 - Cloud Data

Not all types of data will be appropriate for all university-approved cloud services. For example, some university-approved cloud services may be hosted outside Canada and not appropriate for personal information.

Standard 5 - Encryption for Removable Storage

Encrypt removable storage devices such as external hard drives and USB flash drives.

Standard 6 - Unmanaged Devices 

Do not store university data on unmanaged devices, as they often lack the controls and protection required compared with university systems designed to handle and provide long-term management of the data. Unmanaged devices require increased security settings when used to access university data.

Standard 7 - Unmanaged Cloud Services 

Do not use non-university cloud services to store or share university data as they lack the contracts or service agreements that safeguard ownership and control of university data. Do not use personal email to store or share university data.