storage

Data Storage Standard – what it is and why you need to care

Before your eyes glaze over, answer these simple questions:

  • Where do you store your University data?
  • Does it contain personal or highly sensitive information?
  • Do you use a cloud-based storage service like Dropbox or Google Drive?
  • What types of documents do you share with people outside of the University, or in another country?

As technology continues to evolve and our dependency on information sharing increases, it is becoming increasingly critical to ensure that academic and administrative staff classify, store and share their data appropriately.

The border between work life and personal life is becoming blurred.”

“People are demanding 24/7 access to their information—both personal and professional,” says Kevin Vadnais, Information Security Manager in IT Services. “Consequently, they have turned to cloud-based services which can provide constant availability to all of their information. The border between work life and personal life is becoming blurred. Perceived security and acceptable use of cloud-based solutions is often flawed and the University is taking steps to bridge that knowledge gap so that users are aware of the risks and benefits.

“There is also a difference between personal storage and work-related storage. Some personal storage solutions are free to a pre-set limit, and users pay over and above that, as is the case with Dropbox and Google Drive. Users are asked to either accept the end-user license agreement, or not use it. Most people do not take the time to read them and just accept the terms. Work-related, or enterprise, storage solutions are better protected through contracts between the enterprise or business and the cloud provider. Specific services are spelled out and privacy implications are assessed for that business or enterprise.”

To assist in educating the University community, IT Services has created and authorized a Data Storage Standard which is available on the University Policy website. This standard provides four points of guidance and expectations regarding the secure management of information with which individuals, departments and faculties have been entrusted.

We want people to balance the convenience of a cloud storage vendor with the risks of potential data loss, and to make the appropriate decision.”

“We want people to balance the convenience of a cloud storage vendor, such as Dropbox, with the risks of potential data loss, and to make the appropriate decision,” Vadnais adds.

Below are the highlights of the Standards. Faculty and staff are encouraged to not only review the document, but to download it or bookmark the page so that it is a constant reminder of their responsibilities.

  1. On-campus storage should be utilized for information that has specific requirements or constraints specifying it cannot be stored on systems outside of Canada, e.g. research funding requirements which mandate where resulting data is stored. These solutions typically include network shares (research drives, department shares, etc.), and P Drives.
  2. Cloud storage, commonly provided by third-party vendors such as Dropbox, Microsoft OneDrive’s personal and enterprise solutions, and Google Drive, etc., host users’ data in a robust data centre environment which is not located on campus. This environment typically resides in one or more geographic locations outside of Canada and, as such, subjects that data to the legal jurisdiction of the hosting country. Depending on the sensitivity of data being stored, additional security measures, such as encryption, may be required. (Selection of a third-party encryption tool is underway to support secure usage of cloud storage.)
  3. IT Services is currently developing online training on data storage and selecting the appropriate storage location for your data based on sensitivity. Staff and faculty will be asked to complete the training every two years, and again when significant changes are made to the data storage standard. This will ensure their knowledge is up to date on the latest technologies, threats, privacy implications, and best practices for data management. Training is not expected to take longer than 10-15 minutes.
  4. The use of email as a data management tool is a common practice at the University but is an unsustainable and risky strategy. Lost devices, compromised passwords, and human error (accidently sending the wrong information) can all lead to inadvertent data loss and possibly privacy breaches. While email is generally secure it is not appropriate for sending all types of data. Faculty and staff should become familiar with the data storage standard and use the appropriate storage and sharing technologies based on the data they are working with. The University is also exploring the use of email encryption services if sensitive information must be shared via email.

In addition to these four points, IT Services has implemented a data classification strategy to assist University users to determine the level of rigour that should be applied to specific pieces of information. These definitions classify the four types of data as follows:

  1. No/Low Risk – Category 1
    Information that is publicly available and poses little to no risk of negative consequences should it be seen outside the University:

  2. Medium Risk – Category 2
    Information typically used and shared in daily operational activities by University staff and faculty. This is not data we would normally publish outside of the businesses, but is not considered sensitive:

    • Meeting Minutes
    • Student coursework submitted to instructors
    • Preliminary research reports/results
    • Operational budget items (travel costs, office supplies, etc.)
  3. High Risk – Category 3
    Information that, if compromised, would be harmful to the University’s reputation or to an individual:

    • Employee/Student records
    • Payroll/Budget reports
    • Personally Identifiable Information (SIN’s, tax information, FOIP-related data)
    • Contracts and Terms
    • Passwords/Authentication information
  4. Critical Risk – Category 4
    Information in this category would cause significant damage to the institution if disclosed. Any data classified as a Category 4 should be given special attention as to its storage location, storage method and distribution channels:

    • Legal Proceedings/Appeals
    • Medical/Health information
    • Criminal Investigation results

(more…)

IT Services busy during Christmas break

IT Services completed a number of system upgrades during the Christmas – New Year period, taking advantage of precious time when there are fewer students, faculty and staff on campus.  These upgrades included:

  • Service Monitoring System Upgrade (Microsoft Manager System Center 2012)
    Operations Manager provides infrastructure monitoring that is flexible and cost-effective, helps ensure predictable performance and availability of vital applications, and offers comprehensive monitoring for the data center and cloud, both private and public. It enables IT Services to set thresholds and monitor baselines.
  • Network Services Upgrades (QIP, Firewalls)
    These are essentially maintenance upgrades. The firewall upgrade is effectively a new engine with more horse power to meet the growing needs of the U of L, and capable of handling more Internet traffic from more users. QIP is the system that handles the IP addressing of devices connected to the U of L network.  It provides better functionality, resulting in a more robust system, and to handle the growing needs of the U of L users.
  • Telephone Services Upgrades (Unified Communications)
    Staff applied patches to provide stability to our telecommunications, an offshoot of which reconfigured the phone system to a new server. A virtual machine now provides a higher level of disaster recovery and redundancy to one of our Life Safety Systems.
  • Servers & Storage Upgrades (Load Balancer, Storage)
    Load balancers that handle Exchange mail and Moodle Services, and large disk upgrades both provide added stability to campus IT services.  Communications Technology is constantly doing work behind the scenes that is preventive while supporting and enhancing all of the University’s systems.

Student Email Survey Results

As part of the student email revitialization project, ITS along with the email project team, created and distributed a survey to determine what the students wanted in a new email system.  We received a very large response of almost 1500 students with approximately 30% of the surveys submitted with written comments.  It was a confirmation that this topic really matters to  students and we are are in the throes of conducting focus groups before making a solution recommendation.

The survey results revealed some interesting wants of the students, as well as areas that didn’t really matter as much as we thought they would.  For example:

1.  Storage capacity increases are considered a must.  Our current system does not meet the needs of our current population.

2.  Mobile device access to email is becoming a necessity.  The current platform does not support it sufficiently.

3.  Online productivity tools are a desired feature of any new email system.

4.  We need to consider privacy aspects of email, especially for students working in counselling or other sensitive areas of study.

5.  Video chat doesn’t really matter when considering an email solution.

This and other data will begin to shape our recommendations which we hope to have approved by the end of the calendar year.  Pilot projects will then be spun up during the spring semester, with full implementation being completed before the end of summer.

We would like to express our appreciation for all the feedback provided by the students, their participation in the focus groups and want to assure them that we are listening and paying attention to what they want in a new system.