May, 2015

Data Storage Standard – what it is and why you need to care

Before your eyes glaze over, answer these simple questions:

  • Where do you store your University data?
  • Does it contain personal or highly sensitive information?
  • Do you use a cloud-based storage service like Dropbox or Google Drive?
  • What types of documents do you share with people outside of the University, or in another country?

As technology continues to evolve and our dependency on information sharing increases, it is becoming increasingly critical to ensure that academic and administrative staff classify, store and share their data appropriately.

The border between work life and personal life is becoming blurred.”

“People are demanding 24/7 access to their information—both personal and professional,” says Kevin Vadnais, Information Security Manager in IT Services. “Consequently, they have turned to cloud-based services which can provide constant availability to all of their information. The border between work life and personal life is becoming blurred. Perceived security and acceptable use of cloud-based solutions is often flawed and the University is taking steps to bridge that knowledge gap so that users are aware of the risks and benefits.

“There is also a difference between personal storage and work-related storage. Some personal storage solutions are free to a pre-set limit, and users pay over and above that, as is the case with Dropbox and Google Drive. Users are asked to either accept the end-user license agreement, or not use it. Most people do not take the time to read them and just accept the terms. Work-related, or enterprise, storage solutions are better protected through contracts between the enterprise or business and the cloud provider. Specific services are spelled out and privacy implications are assessed for that business or enterprise.”

To assist in educating the University community, IT Services has created and authorized a Data Storage Standard which is available on the University Policy website. This standard provides four points of guidance and expectations regarding the secure management of information with which individuals, departments and faculties have been entrusted.

We want people to balance the convenience of a cloud storage vendor with the risks of potential data loss, and to make the appropriate decision.”

“We want people to balance the convenience of a cloud storage vendor, such as Dropbox, with the risks of potential data loss, and to make the appropriate decision,” Vadnais adds.

Below are the highlights of the Standards. Faculty and staff are encouraged to not only review the document, but to download it or bookmark the page so that it is a constant reminder of their responsibilities.

  1. On-campus storage should be utilized for information that has specific requirements or constraints specifying it cannot be stored on systems outside of Canada, e.g. research funding requirements which mandate where resulting data is stored. These solutions typically include network shares (research drives, department shares, etc.), and P Drives.
  2. Cloud storage, commonly provided by third-party vendors such as Dropbox, Microsoft OneDrive’s personal and enterprise solutions, and Google Drive, etc., host users’ data in a robust data centre environment which is not located on campus. This environment typically resides in one or more geographic locations outside of Canada and, as such, subjects that data to the legal jurisdiction of the hosting country. Depending on the sensitivity of data being stored, additional security measures, such as encryption, may be required. (Selection of a third-party encryption tool is underway to support secure usage of cloud storage.)
  3. IT Services is currently developing online training on data storage and selecting the appropriate storage location for your data based on sensitivity. Staff and faculty will be asked to complete the training every two years, and again when significant changes are made to the data storage standard. This will ensure their knowledge is up to date on the latest technologies, threats, privacy implications, and best practices for data management. Training is not expected to take longer than 10-15 minutes.
  4. The use of email as a data management tool is a common practice at the University but is an unsustainable and risky strategy. Lost devices, compromised passwords, and human error (accidently sending the wrong information) can all lead to inadvertent data loss and possibly privacy breaches. While email is generally secure it is not appropriate for sending all types of data. Faculty and staff should become familiar with the data storage standard and use the appropriate storage and sharing technologies based on the data they are working with. The University is also exploring the use of email encryption services if sensitive information must be shared via email.

In addition to these four points, IT Services has implemented a data classification strategy to assist University users to determine the level of rigour that should be applied to specific pieces of information. These definitions classify the four types of data as follows:

  1. No/Low Risk – Category 1
    Information that is publicly available and poses little to no risk of negative consequences should it be seen outside the University:

  2. Medium Risk – Category 2
    Information typically used and shared in daily operational activities by University staff and faculty. This is not data we would normally publish outside of the businesses, but is not considered sensitive:

    • Meeting Minutes
    • Student coursework submitted to instructors
    • Preliminary research reports/results
    • Operational budget items (travel costs, office supplies, etc.)
  3. High Risk – Category 3
    Information that, if compromised, would be harmful to the University’s reputation or to an individual:

    • Employee/Student records
    • Payroll/Budget reports
    • Personally Identifiable Information (SIN’s, tax information, FOIP-related data)
    • Contracts and Terms
    • Passwords/Authentication information
  4. Critical Risk – Category 4
    Information in this category would cause significant damage to the institution if disclosed. Any data classified as a Category 4 should be given special attention as to its storage location, storage method and distribution channels:

    • Legal Proceedings/Appeals
    • Medical/Health information
    • Criminal Investigation results

(more…)