INFORMATION!SECURITY!GUIDELINES!

Transcription

1 INFORMATIONSECURITYGUIDELINES

2 TABLEOFCONTENTS: ScopeofDocument 1 DataDefinitionGuidelines(Appendix1).2 DataProtectionGuidelines(Appendix2).3 ProtectionofElectronicorMachineAReadableData...3 ProtectionofPrintedData....3 DataProtectionandDisposalGuidelines(Appendix3). 4 Datavs.Records... 4 RecordsRetention... 4 RecordARelatedData.. 4 AccessLifetime.. 5 DataDeletion.. 5 SecurityBaseline(Appendix4).. 6

3 CONSISTENT,EFFECTIVEINFORMATIONSECURITY Torespondtosocietalexpectationsandlegislativerequirements,theUniversitymustcreateand apply upatoadate information security standards. Should we fail to do so, in the event of a significant release of personal information or compromise of the University's information systems,theresultwouldbeahighlyvisibleimpacttotheuniversity'sreputationandstatureas aworldaclasseducationandresearchinstitution. Theneedfordataclassification There are legislative requirements that require certain controls be applied toselectsensitive andpersonalinformation.forinformationwithnolegislatedcontrolrequirement,thereisstilla practical need, informed by public expectations and current practices, to protect data in proportiontotheinformation'ssensitivity. Therequirementtoprotectinformation Toensurethatinformationiseffectivelyprotected,informationmustbe: 1.Reliablyidentifiedbysensitivity,aspercurrentDataDefinitionguidelines(Appendix1); 2. Verifiably protected in accordance with location and sensitivity, as per current Data Protectionguidelines(Appendix2); 3. Retained for a duration as defined in the current Data Retention and Disposal guidelines (Appendix3);and 4.DisposedofasdefinedinthecurrentDataRetentionandDisposalguidelines(Appendix3). 1

4 APPENDIX19DATADEFINITIONGUIDELINES Indiscussingaccesscontrolsforinformation,informationisconsideredtobeeitherconfidential ornonaconfidential. Confidentialinformationincludes: 1. Any personally identifiable information (PII): name, address, health data, or any other informationuniquelyassociatedwithanindividual. 2. Any data of a financial or legal nature, where disclosure or sharing has not been explicitly authorized. 3.Dataassociatedwithaccesscontrol,suchaspasswordsordoorAlockcombinations. 4. Information that does not fall into the preceding three categories, but where there is an expectation that the information not be modified, deleted or shared without conscious authorizationbythedataownertoallowsuchactivity. AllotherinformationisconsiderednonAconfidential. WhenconfidentialandnonAconfidentialdataareaggregated,thecollectionasawholemustbe consideredconfidential.unlessdesignatedotherwise,informationisconsideredconfidentialby default. 2

5 APPENDIX29DATAPROTECTIONGUIDELINES Data must be protected from unauthorized access or alteration while the data are in use, in physical or electronic storage, in physical transport or electronic communication, or under administrativeaccess.accesstoconfidentialinformationmustbeonaneedatoaknowbasisonly; needatoaknowrequirementsmustbedocumentedasarequirementofjobdutiesorcontractual obligations. Accessandalterationcontrolsmustmanagethedisclosure,deletion,modificationorduplication ofdata.accessandalterationcontrolsmustbeproportionatetotherisktotheuniversitydueto unauthorizeddisclosure,deletion,modificationorduplicationofdata,whetherconfidentialor nonaconfidential. ProtectionofElectronicorMachineAReadableData Unlessstoredonsecure,UniversityofTorontoAownedequipment,confidentialinformation(as definedinthedatadefinitionguidelines),musthaveoneormoreofthefollowingprotections applied: be encrypted; have all personally identifiable information removed or obfuscated (anonymized);orbesanitized(haveallverifiableinformationremovedorobfuscated).accessto confidential information stored on secure, University of TorontoAowned equipment must be controlledinproportiontotheinformation ssensitivity,andprovidedonaneedatoaknowbasis. Forasystemtobeconsideredsecure,itmustbemanagedtoastandardequivalentto,orbetter thanappendix4 SecurityBaseline. Accesscontrolstochange,readordeletenonAconfidentialdataarenotrequiredbeyondthose necessarytoimplementfunctionaloroperationalrequirements. ProtectionofPrintedData Theonlyoptiontoprotectconfidentialdatainprintedformat,istostoreitunderlockandkey. Thestrengthofthelock,andthecharacteristicsofthestoragefacility(passivefireAresistance, firealarms,firesuppressionsystems,breakaenteralarms,humiditysensors/controls,etc.)must accomodatethephysicalcharacteristicsoftheprintmediumandtherequiredretentionperiod. NonAconfidentialprinteddatadonotrequireaccessorprotectivecontrolsbeyondthephysical characteristicsoftheprintmediumandtherequiredretentionperiodassociatedwiththedata. 3

6 APPENDIX39DATARETENTIONANDDISPOSALGUIDELINES Datavs.Records Data,inthecontextofthisguideline,isregardedasinformationinitsbroadestsense symbols orpatternsthatrepresentmeaning;theterms data and information areusedinterchangeably inthisdocument.forpurposesofriskmanagement, data isconsideredtobetohavedistinct needs which may differ from those of a record, defined as: any document containing information,howeverrecorded,whetherinmanuscript,printed,onfilmorinelectronicformor otherwise.u.#of#t.#policy#on#access#to#information#and#protection#of#privacy(1995). Whilerecordsarecomprisedofdata,datamaynot indeedoftendoesnot representarecord initsentirety,orinitsmostcurrentorofficiallyarecognizedform.datacancreatedthroughthe processofrecordcreation,modification,transportandstorage;thesedataareofteninvisible, butnotirretrievable,andrepresentriskiftheyexistwithoutappropriateaccesscontrols.for example, computer systems may create temporary files to assist the process of document creation arecordsocreatedmaybedeletedattheendofitslife,butthe temporary data associatedwithitscreationmayberetrievablyfoundonthesystemusedtocreatetherecord. Notethatstorageofdataisnotrestrictedtoworkstations,serversandlaptopcomputers,but includes mobile devices (such as, but not limited to, phones and music players), and office appliances (such as multiafunction photocopier / fax / printers). These devices must be consideredwhendevelopingdataretentionanddisposalpractices. RecordsRetention TheUniversity'srecommendationsforhowlongcertainrecordsseriesshouldbekept,areset out in more than 700 records retention schedules developed by the University of Toronto ArchivesandRecordsManagementServices.Theretentionperiodsoutlinedintheseschedules shouldbefollowedandappliedtobothdepartmentalfiles,andtoanyconveniencecopies.for more information, please see the University Archives onaline Retention and Disposition Schedules database [ ]. RecordARelatedData Data associated with records may be created depending on how a record is stored, used or transported.forreference,suchdatamayoccurin,butisnotlimitedto,thefollowingcontexts: 1. Metadata: Information that characterizes scheduled records, such as, but not limited to: documentname(s),storagelocation,author(s),reviewers,etc. 2.TemporaryData:Workingcopiesorprinted'draft'documents;applicationAcreatedcopiesof files,inwholeorinpart(i.e.'tempfiles');copiesofelectronicdocumentsin'trash'folderson computers,butnotyet'emptied'(i.e.deleted). 4

7 3.ResidualData:Datacreatedintheprocessofusingscheduledrecords,suchascarbonAcopies, mimeographoriginals,filmnegatives,or'deleted'filesinelectronicstorage. 4.CachedData:DataretainedforreferenceAeitherasinacatalogueofdocuments,orbyan application in order to speed up performance. Cached data may include some or all of the contentofascheduledrecord,oronlymetadata,andincludessearchindexesofbothscheduled recordsandassociatedmetadata. AccessLifetime WheredataarestoredinmachineAreadableformat,equipmentandsoftwarethatcaninterpret andcommunicatethedatainusableformatmustbekept in working order for the retention durationofthedata.alternatively,thedatamustbemigratedtonewstoragemediainadvance oftheendoflifetimeforitsstoragemedia,orthefailureof,orlackofmanufacturersupportfor interpretingtechnology. DataDeletion All data associated with a record must be rendered irrecoverable after its retention duration expires.dataassociatedwiththecreation,useandtransportofarecordshouldberendered irrecoverableafterdataarenolongeroperationallyuseful. Wheredataarestoredinprintedformat,alldocumentsideallyshouldbeshreddedaspartof the disposal process. Confidential data must always be shredded as part of the data disposal process. Where data are stored in electronic / machineareadable format, all storage media should be physicallydestroyedor'wiped'(overawrittenwithrandomdataaminimumof3times)aspartof thedisposalprocess.devicesusedtostoreconfidentialdatamustalwayseitherbedestroyedor 'wiped'(asabove)aspartofthedatadisposalprocess.technologyusersshouldbeawareofall locationswheredataarestoredintheirenvironment. 5

8 APPENDIX49SECURITYBASELINE Certainpracticeshavebecomedefactorequirementsfortheprotectionofdata.Thesepractices constitutewhatisconsideredtobeamanagedsecuritybaseline: 1. Prompt installation of vendors software updates to correct known vulnerabilities. 2.InstallationandregularupdateofantiAvirussoftware. 3.Encryptionofconfidentialinformationondevicesthatarephysicallyinsecure,ornotunder theuniversityoftoronto scontrol[seethei+tsfulldiskencryptionwebsiteat: 4. Encryption of network communications, such that user credentials and other confidential informationarenotvisibleintransitoverinsecurenetworks. 5.Protectionofnetworkeddevicesviafirewalls. 6.Educationofadministratorsandusersastobestpracticesforprotectingdatawhileinstorage, useandcommunication. 7.Physicalprotectionofresourcesthatrestrictsremovalbyunauthorizedpersons. 8.Backupofcriticaldata,withbackupstestedforreadabilityandprotectedtothesamelevelas datathatisinuse. 9. Effective and practiced incident response procedures, including (but not limited to): monitoringof,andresponsetounauthorizedaccesstosystemsanddata. 10.DisablingunAneedednetworkservices. 11.Deletionof guest ornonapasswordprotectedaccounts. 12. Choosing security settings that are more strict than typically insecure default values, and changingdefaultpasswords. Forasystemtobeconsideredsecure,itmusthaveappliedtheabovesecuritypracticeswitha timelinessandeffectivenessthatreflectsthesensitivityofinformationstored/communicated bythesystem. This list of specific practices will be updated as technologies and risk management practices mature; these updates will be communicated to the University of Toronto Information Technologysupportcommunity. For guidance on what uses of information and communication technology are considered appropriate, please refer to the policy: Appropriate use of Information and Communication Technology ( 6