Data Storage Standard – what it is and why you need to care

Before your eyes glaze over, answer these simple questions:

  • Where do you store your University data?
  • Does it contain personal or highly sensitive information?
  • Do you use a cloud-based storage service like Dropbox or Google Drive?
  • What types of documents do you share with people outside of the University, or in another country?

As technology continues to evolve and our dependency on information sharing increases, it is becoming increasingly critical to ensure that academic and administrative staff classify, store and share their data appropriately.

“People are demanding 24/7 access to their information—both personal and professional,” says Kevin Vadnais, Information Security Manager in IT Services. “Consequently, they have turned to cloud-based services which can provide constant availability to all of their information. The border between work life and personal life is becoming blurred. Perceived security and acceptable use of cloud-based solutions is often flawed and the University is taking steps to bridge that knowledge gap so that users are aware of the risks and benefits.

“There is also a difference between personal storage and work-related storage. Some personal storage solutions are free to a pre-set limit, and users pay over and above that, as is the case with Dropbox and Google Drive. Users are asked to either accept the end-user license agreement, or not use it. Most people do not take the time to read them and just accept the terms. Work-related, or enterprise, storage solutions are better protected through contracts between the enterprise or business and the cloud provider. Specific services are spelled out and privacy implications are assessed for that business or enterprise.”

To assist in educating the University community, IT Services has created and authorized a Data Storage Standard which is available on the University Policy website. This standard provides four points of guidance and expectations regarding the secure management of information with which individuals, departments and faculties have been entrusted.

“We want people to balance the convenience of a cloud storage vendor, such as Dropbox, with the risks of potential data loss, and to make the appropriate decision,” Vadnais adds.

Below are the highlights of the Standards. Faculty and staff are encouraged to not only review the document, but to download it or bookmark the page so that it is a constant reminder of their responsibilities.

  1. On-campus storage should be utilized for information that has specific requirements or constraints specifying it cannot be stored on systems outside of Canada, e.g. research funding requirements which mandate where resulting data is stored. These solutions typically include network shares (research drives, department shares, etc.), and P Drives.
  2. Cloud storage, commonly provided by third-party vendors such as Dropbox, Microsoft OneDrive’s personal and enterprise solutions, and Google Drive, etc., hosts users’ data in a robust data centre environment which is not located on campus. This environment typically resides in one or more geographic locations outside of Canada and, as such, subjects that data to the legal jurisdiction of the hosting country. Depending on the sensitivity of data being stored, additional security measures, such as encryption, may be required. (Selection of a third-party encryption tool is underway to support secure usage of cloud storage.)
  3. IT Services is currently developing online training on data storage and selecting the appropriate storage location for your data based on sensitivity. Staff and faculty will be asked to complete the training every two years, and again when significant changes are made to the data storage standard. This will ensure their knowledge is up to date on the latest technologies, threats, privacy implications, and best practices for data management. Training is not expected to take longer than 10-15 minutes.
  4. The use of email as a data management tool is a common practice at the University but is an unsustainable and risky strategy. Lost devices, compromised passwords, and human error (accidentally sending the wrong information) can all lead to inadvertent data loss and possibly privacy breaches. While email is generally secure, it is not appropriate for sending all types of data. Faculty and staff should become familiar with the data storage standard and use the appropriate storage and sharing technologies based on the data they are working with. The University is also exploring the use of email encryption services if sensitive information must be shared via email.

In addition to these four points, IT Services has implemented a data classification strategy to assist University users to determine the level of rigour that should be applied to specific pieces of information. These definitions classify the four types of data as follows:

  1. No/Low Risk – Category 1
    Information that is publicly available and poses little to no risk of negative consequences should it be seen outside the University:

  2. Medium Risk – Category 2
    Information typically used and shared in daily operational activities by University staff and faculty. This is not data we would normally publish outside of the business, but is not considered sensitive:

    • Meeting Minutes
    • Student coursework submitted to instructors
    • Preliminary research reports/results
    • Operational budget items (travel costs, office supplies, etc.)
  3. High Risk – Category 3
    Information that, if compromised, would be harmful to the University’s reputation or to an individual:

    • Employee/Student records
    • Payroll/Budget reports
    • Personally Identifiable Information (SIN’s, tax information, FOIP-related data)
    • Contracts and Terms
    • Passwords/Authentication information
  4. Critical Risk – Category 4
    Information in this category would cause significant damage to the institution if disclosed. Any data classified as a Category 4 should be given special attention as to its storage location, storage method and distribution channels:

    • Legal Proceedings/Appeals
    • Medical/Health information
    • Criminal Investigation results

Blackfoot Digital Library – new and improved

The long and auspicious journey of the Blackfoot Digital Library (BDL) has met yet another major milestone. The newest iteration of it went live last week, after almost two years of planning and work.

“The first version of the BDL in 2009 was ground-breaking work,” says IT Services’ Web Manager Michael Warf. “It pushed boundaries with the technologies but, because it was so customized, upgrades became a huge barrier. The other huge shift that happened since the first version was developed was the evolution of mobile devices,” Warf says. “The previous BDL site didn’t have any support for these devices, which created a significant barrier with the growth in mobile usage.”

As a result, and with the assistance of a grant, the University Library commissioned Hybrid Forge, an Edmonton company that specializes in design and development for the web and mobile. IT Services was brought in to assist with the RFP, vendor selection, and to act as a consultant on the project. “It’s one thing to have an idea and it’s quite another to understand what’s within the realm of the possible. It’s not unlike doing a complete renovation on your existing home. You and the contractor have to communicate in order to manage what can be changed or rebuilt and what the associated costs are,” says Warf.

Once Hybrid Forge completed the development of the new BDL site, the ITS Web team deployed it on campus. The system now can be secured, updated and maintained appropriately. “The longevity of the system is now there and can easily be upgraded and secured. And it also works well on mobile devices. One of the great features is that anyone can use a mobile device to record interviews and the files can be immediately uploaded to the Blackfoot Digital Library. It removes all the extra steps that are often involved.”

Wendy Merkley, Associate University Librarian says the new BDL is the result of a successful collaborative effort on the part of the Library, IT Services and Red Crow College. “While the process encountered difficulties, the relationships established early on by the members of the core project team served to ensure that we did not lose momentum or direction. IT Services’ ongoing commitment to supporting this important and significant resource is to be commended.”

For more information, please contact Michael Warf at michael.warf@uleth.ca, or 403-332-4584.

Systems critical for University operations

 

For the past 10 years, more than 50 U of L Facilities’ employees have depended on obtaining their daily work schedules and tasks through TMA, a computerized maintenance management system. And all U of L employees and students have relied on Facilities’ staff to deliver the University’s needs: power, air flow, plumbing, building maintenance, event setups, and cleanliness.

Users of Facilities’ work request system are blissfully unaware of the many months, weeks, days and hours spent planning, collaborating, testing and finally rolling out the new webTMA in December last year. But ask anyone from the Systems, Applications or Telecom teams in IT Services, or the Facilities’ teams, and they’ll tell you.

“The original TMA work order system had been in place for more than 10 years,” says Wim Chalmet, Facility Operations and Maintenance Director. “As with any software product, desktop versions are costly and require regular upgrades and maintenance. IT Systems has been moving away from desktop installations to web-based solutions for some time now. TMA was able to provide a solution, technical support and the flexibility we needed.”

The hard work of planning, upgrading the database server, applications server and the web component began in earnest. “We needed to know how we were going to move away from the desktop application and how to implement the web-based system quickly and cleanly. If it didn’t work correctly when we switched over, it could jeopardize all of the work orders waiting to be fulfilled. IT Services recommended that a test server be built so that we could play with it and fix any glitches. So we had to stagger all of the work.”

Once the Facilities and IT Services teams were confident it would operate as required, TMA converted the database to the new platform, sent it back to ITS for uploading, and the system went live.

“We had to stop all work at 3:30 pm one day and it was up and running by 9:30 am the next day. Advanced planning with ITS Systems was critical to ensure resources were available. Everything worked really well. We were very happy with all the guidance from the ITS Systems and Telecom teams. It was well planned and executed,” says Chalmet. “Excellent cooperation and collaboration meant that the Facilities’ work order system was up and running without significant downtime, not to mention those waiting for their work orders to be completed.”

The new webTMA interface can be viewed here.

For more information, contact Wim Chalmet at 403-380-1837 or wim.chalmet@uleth.ca.

Health Sciences manikins going mobile

If you see human-like beings laying around campus, breathing heavily, sweating, and generally looking unwell, don’t worry, it’s not an episode of the Walking Dead. The Simulation Health Centre in the Faculty of Health Sciences has purchased new manikins and, unlike the old ones, students and instructors will soon be able to move this newest generation of ‘patients’ around campus.

“Sharon Dersch, an instructor in the Nursing Programs, approached us about a year ago to assist the Faculty with the RFP and vendor selection to replace two of their training manikins,” says Daryle Niedermayer, Application Design and Planning Manager in IT Services. “They were aware of the technology challenges and needed to select a product that would work within the University’s environment. Any sort of complex equipment like this is far from plug-and-play, and the costs warrant intense collaboration with all stakeholders. Between our Telecom and Applications teams, we were able to help them choose the best option for their needs.”

Dersch says the older manikins had limitations with some of their technologies. “We had experienced problems with wireless connections between the manikins and A/V systems within the University environment that could not be resolved. The problems required the manikins to be hardwired which limited the amount of information that could be transmitted through the A/V system. We did not want to encounter similar problems with the new equipment.”

The mobility characteristic of the two manikins represents only one of many complex requirements for the new medical training tools for students. The undertaking required assurance the manikins and audio-visual equipment would work seamlessly within the University’s network and could be supported by IT Services in the future.

“The amount of information about the patient’s, or manikin’s, condition was extremely limited in that it could not be transmitted between the manikin and visual displays without wireless connections,” says Dersch. “With the new equipment, students and instructors observing the simulation remotely will be able to see the ‘patient’s’ heart monitor, blood pressure and other vital signs, as well as the names and dosages of medications that are given.”

Niedermayer adds that the new manikins’ ability to use the University’s wireless network means that it will be much easier for instructors to wander the room with an iPad, for example, and test their students’ skills with simulated symptoms, and to monitor their progress.

Working together, the Health Sciences and IT Services teams were able to select a vendor that met the requirements. “By reaching out to us early in their investigation, we were able to ask the right questions and help Health Sciences choose the right vendor. Three different companies responded to the RFP but only one, Laerdal Medical Canada, Ltd., addressed the networking issues involved with a product like this,” Niedermayer says.

Dersch concurs. “Daryle and the IT team met with us on numerous occasions over the last year to help with all stages of the purchase, from wording the technical requirements on the RFP, to helping with the final selection of products. During the selection process IT Services managed all the technical correspondence, and also met with vendor technicians to test equipment. Daryle and his team were invaluable in helping to ensure the manikins have the necessary functions and functionality–not something that the SHC team could have done alone. Another huge advantage to including IT Services in the selection process is their knowledge of the selected product, enabling them to more easily provide support in the future.”

The new manikins are expected early this summer.

Faculty & Staff: Office 365 is now FREE

 

Information Technology Services is pleased to announce Microsoft’s latest offer of Office 365 ProPlus free of charge to current faculty and staff at the University of Lethbridge.

“Earlier in the fall, Microsoft offered the Office 365 Student Advantage Program free to currently registered students, and now they are also extending the offer to current employees of the University,” says Terry Kirkvold, Infrastructure Manager. “Microsoft has re-branded the product as Office 365 ProPlus to include employees’ personal use. This is a significant offer from Microsoft.”

Kirkvold adds the offer is solely meant for home or personal use since the University currently provides Office products to all employees for work purposes via a site license. Employees will no longer need to purchase it with Professional Supplement and personal funds.

This offer is identical to the Student Advantage plan, and permits installation of all Office products on up to five different Windows and Apple devices including laptops, desktops, smart phones and tablets.

“We would also like to advise those who choose to download the product during the Christmas break that should they have any difficulties with the installation, we will not have staff working to assist them with troubleshooting.”

Those who download and install on devices that currently do not have any Office products on them should not experience any issues, he says. But those who have old copies of Office software on their machines could run into difficulties if they do not carefully read and follow the instructions on the Microsoft website.

“We wanted to get the information out now to make faculty and staff aware of the offer in the event they receive a new device for Christmas and decide to purchase Office 365. It will save them a bit of frustration when they find out it’s free after the fact.”

In summary:

  • Students have been offered Office 365 for free since September through the Student Advantage Program.
  • Microsoft is now extending the same offer, Office 365 ProPlus for free to faculty and staff for home/personal use
  • Office 365 can be installed on up to five (5) personal devices
  • Downloading on devices that do not currently have Office products installed should result in a smooth installation
  • Downloading on devices that already have Office products may cause issues if instructions are not followed closely
  • Do not purchase Office 365 products when you can get them for free

For more detailed information on this Microsoft offer, visit the IT Services website.

Click here to download the Office 365 ProPlus package.

Here are some sites that may assist:
Getting Started with Office 365

Online Community Support and troubleshooting page

For more information:

Please contact the Solutions Centre at (403) 329-2490, help@uleth.ca, or drop in to E610 in University Hall.

Take the Food Bank Challenge!!

 

Information Technology Services and Financial Services are in a dead heat to collect the most donations for the U of L Students’ Union Food Bank.

Care to join us??

In the spirit of giving and competition this holiday season, they are challenging other departments to attempt to beat them with the number of items. Now, you need to understand that an open box of granola bars only counts as ONE item – not EIGHT. And also, the Food Bank reps do the counting so they will be fair and consistent. In addition, and although not counted as items, cash donations are gladly accepted in lieu of food.

Last year, Financial Services donated 693 items and $136.05 in cash. IT Services donated 505 items and $613.25 in cash.

Mark Humphries, CIO, has thrown down the gauntlet to all Deans and Executive Directors. How can your department participate, you ask? He says there are three ways:

  1. ‘The Hard Way’: Ask your department to donate items to the Finance donation box located in the A7 area of University Hall.
  2. ‘The Easy Way’: Ask your department to donate items into the ITS collection boxes that we will provide and deliver (just let us know how many you would like and where you would like us to put them by early next week so your faculties have time to donate). Let us know when they are full and, on the afternoon of December 12th, we will collect any donation boxes so that items can be consolidated for counting on December 15th. As this is a collaborative effort, we will give full credit to all those that participate with ITS in the Food Bank Challenge. Alternatively you can bring any donations for the Food Bank (or Toys for Tots, too! see below) to D570.
  3. ‘The Other Way’: Your department can collect its own items and join the challenge.

Food Bank coordinator Shelley Tuff has some recommendations. “All donations are welcome, but we always seem to be short on breakfast items. Some of the items on our wish list include granola, cereal, juices, peanut butter, jelly/jam, canned fruit and vegetables.” She adds they currently have an overstock of soup and beans, but anything they don’t need can be donated to other food banks.

Food bank helpers will be collecting donations on December 15th and 16th and participation updates will appear in UWeekly.

The prize? Well, bragging rights, of course!

For more information on the ULSU Food Bank, please contact Shelley at 403-329-2039 or at food.bank@uleth.ca.

Last year the Salvation Army distributed gifts to 1,300 children, but had to spend $24,000 on gift cards to make up the shortfall. Toys for Tots donations will be picked up in D570 the morning of December 12th by Country 95/B-93 radio.

Contact Diane Boyle at (403) 382-7180 or diane.boyle@uleth.ca for more information.

 

The coffee’s on Leslie – just in time for ‘phishing season’

 

The next time you see Leslie Gatner, Financial Analyst in Financial Services, the coffee’s on her. Gatner’s name was drawn to win the $25 Starbucks gift card for completing the online Phishing and Identity Theft course last month.

“We had a good response to the online course, but in my world, 100% completion would be ideal,” says Kevin Vadnais, IT Services Information Security Manager. He says he realizes it may not be realistic but it’s his goal nonetheless, especially with the holiday season looming.

“We’re coming into one of the busiest ‘phishing’ seasons with the upcoming holidays, so I would like to advise the University community to be vigilant.” Vadnais says the Christmas season logically lends itself to shipping scams by the bad guys. “Typically you will see emails from which you’re invited to download a .zip or .exe file that claims to have tracking information on a shipment. The email uses high-quality logos from companies like Canada Post, FedEx and UPS and, in addition, the grammar is far better than the usual phishing emails we see. Once the user clicks on the attachment, what it actually does is download malware on the user’s machine. The malware can contain a variety of threats: for example, CryptoLocker is one that holds a computer hostage until a significant ‘ransom’ is paid, and there’s the threat of data theft. The bad guys can capture passwords when doing online banking, find personal data like social insurance numbers in tax returns, and both can lead to identity theft.”

As in all cases, Vadnais advises users to stop and ask themselves if it makes sense to simply click on an attachment, or go to the sender’s website instead to find tracking information. “Use common sense, if you’re not expecting a package, don’t click on a link that says you have one. One of the easiest clues is to hover your cursor over the link provided and compare it to what url shows next to it, or in the bottom of your browser. If it’s phishing or a malicious file, the destination in the link or image which pops up in the hover will not match what the browser text or image is showing. When that happens think twice about proceeding.”
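The hover check and the attachment warning described above can be automated when triaging reported messages. The following is an added example, not code from the University or the original article; the message, the `.example`/`.test` domains and all function names are constructed for illustration.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

RISKY_EXTENSIONS = (".zip", ".exe")  # attachment types named in the article
# Link text that is itself a URL or bare domain (optional scheme, then a host).
URL_LIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)

# Constructed sample: one deceptive link, one honest link, one text-only link.
SAMPLE_HTML = """<html><body>
<p>Your parcel could not be delivered. Track it here:
<a href="http://carrier.example.parcel-update.test/track?id=1">https://www.carrier.example/track</a></p>
<p>Help: <a href="https://www.carrier.example/help">carrier.example</a></p>
<p><a href="https://www.carrier.example/unsubscribe">Click here</a> to unsubscribe.</p>
</body></html>"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html):
    """Return links whose visible text names a different host than the href."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown = URL_LIKE.match(text)
        actual = urlsplit(href).hostname
        if not shown or not actual:
            continue  # text is not a URL (e.g. "Click here") or href has no host
        shown_host, actual_host = _strip_www(shown.group(1)), _strip_www(actual)
        # Accept an exact match or a true subdomain of the displayed host only.
        if actual_host != shown_host and not actual_host.endswith("." + shown_host):
            findings.append({"shown": shown_host, "actual": actual_host, "href": href})
    return findings


def risky_attachments(msg):
    """Return attachment filenames ending in one of RISKY_EXTENSIONS."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]


def triage(msg):
    """Run both checks on an EmailMessage and return the findings."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"mismatched_links": mismatched_links(html),
            "risky_attachments": risky_attachments(msg)}


def build_sample():
    """Constructed message: HTML body plus a placeholder .zip attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Your shipment is on its way"
    msg.set_content("See the HTML version of this message.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="zip", filename="tracking_info.zip")
    return msg


if __name__ == "__main__":
    print(triage(build_sample()))
```

The host comparison is deliberately strict: a destination such as `carrier.example.parcel-update.test` only starts with the displayed name, so it is flagged, while a genuine subdomain of the displayed host is not.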


Vadnais says the Information Security website is a good resource to check out if you’re wondering about an email. It contains some of the most current and common threats. He strongly encourages people to take the Security Awareness and Phishing and Identity Theft courses online, and more than once if required – just to refresh the memory. “They are excellent sources of information for everyone.”

Also contained on the site is a form users can complete to report a phishing attack. “The phishing messages we’re concerned about are those that appear in our inboxes, or slip by filters without the ***PHISHING MESSAGE*** alert in the subject line. We can take a lot of those sites down if we report them to the company whose image is being falsely used and alert organizations when we see one of their accounts being abused. This provides us an opportunity to take preventative measures to stop our accounts from being compromised.”

For more information, or to arrange a security session for your unit or department, please contact Kevin Vadnais at kevin.vadnais@uleth.ca.

Cyber Security Awareness Month wrap-up – it’s not too late to get your gift!

 

The IT Services Information Security Office and University Privacy Office extend a huge thank-you to the U of L community for its support of the recent events held in support of Cyber Security Awareness Month.

About 150 students, faculty and staff stopped by the information booths set up in the UHall Atrium and Students’ Union building during the weeks of Oct. 14 and 20th, says Kevin Vadnais, Information Security Manager. “Everyone who took the 10-question quiz was awarded with a light-up yo-yo or pocket flashlight, and we still have more for those who didn’t get the chance at the booths.”

Vadnais is encouraging everyone to take the online quiz, and they simply need to send him the answer to the bonus question via email at kevin.vadnais@uleth.ca to request one of the gifts. He adds that test-takers need to enter their name in the title of the screen to be eligible.

Earlier in the month, consultants for PricewaterhouseCoopers presented on Security Trends in Today’s Market at CASA which piqued great discussion among University and Lethbridge community members.

“We had a good response from the community both in the public and private sector. I think most were engaged in the topic and took away valuable information. This kind of event sets the stage for more related sessions in the future and promotes collaboration within the Lethbridge community. It’s everyone’s problem and everyone’s responsibility to educate and protect themselves, and those they may serve,” Vadnais adds.

Everyone is reminded to take the 10-minute phishing and identity theft course in order to be entered into a draw for a $25 Starbucks gift card. Completion of the course must occur by 11:59 PM on Oct. 31 to be eligible for the draw.

Faculty, staff and students are also strongly encouraged to take the security awareness course that is now a permanent feature on the Information Security website.

For more information, contact Kevin Vadnais at (403) 332-4056 or kevin.vadnais@uleth.ca.

Attention Mac users – Follow-you Printing issues with OSX Yosemite upgrade

 

Please be advised that Follow-You printing will not work with Mac OS X Yosemite (10.10) and you should avoid upgrading at this time.  Printing Services is aware of the concern and is working with the vendor to resolve the issue. There is no ETA yet for a resolution.  We will provide an update when the issue has been resolved or an effective work-around is put in place.

For more information or if you have questions, contact the Solutions Centre at (403) 329-2490, or help@uleth.ca, or in E610 University Hall.

Free cyber security seminar – Security Trends in Today’s Market

When was the last time you changed your password(s)? How secure is your company’s network – or your client’s data? Can you recognize a phishing scam?

October is Cyber Security Awareness month in Canada. In our highly connected world, awareness about faceless bad guys – or bad actors, as they’re known by IT security professionals – is as important as looking before crossing a busy street.

“Information security is everyone’s business,” says Kevin Vadnais, the University’s Information Security Manager. “Our organizations expect us to protect the data over which we have been given responsibility. Educating ourselves about the risks in our internet centred environment protects us as workers, clients, and citizens, as well as the businesses we operate.”

The Information Security Office at the University of Lethbridge is hosting a free security seminar for the Lethbridge community to help improve awareness of information security risks.  Join security experts from PricewaterhouseCoopers: Neil Karan, Alberta’s cyber security leader and director in PwC’s Risk Assurance Service practice, and Bryson Tan, national threat and vulnerability management practice lead, in a conversation about current and emerging trends in the information security landscape. Brief bios on the featured speakers are below.

“Rarely do we have the opportunity to ask the people on the front lines of information security what they encounter on a day-to-day basis. The presentation is a nice mixture of lecture and an interactive Q & A session,” says Vadnais.

The event takes place at CASA in the ATB Financial Community Room, 230- 8 St. South, on Thursday, Oct. 16 from 1-4 pm.

Attendance is free and anyone interested is welcome, however RSVPs (via ticket download) are required to ensure adequate seating. Light refreshments will be provided and a non-sponsored social event will follow at the Telegraph Tap House (310 6 St S, Lethbridge, AB T1J 0H4).

To reserve your space: https://uleth.universitytickets.com/user_pages/event.asp?id=440

For more info on cyber security in general, visit the University’s Information Technology Services website. Also watch for upcoming announcements and activities on campus in support of Cyber Security Awareness month.

Neil Karan is the Alberta Cyber Security Leader and Director in PwC’s Risk Assurance Services practice, working out of the Calgary office. Neil is responsible for executing threat and vulnerability management programs, digital footprinting, social engineering, security strategy reviews, and breach response initiatives.

Bryson Tan is the National Threat and Vulnerability Management practice lead at PwC and is responsible for the development and delivery of services that include Cyber Resilience assessments, penetration testing, vulnerability assessments, source code assessment, platform security diagnostic services, wireless detection and evaluation and enterprise network security.