Digital Asset and Information Protection Guidelines

Revised: 10 AUG 2017

Introduction

The digital assets and information of the University of Toronto Mississauga are important tools for the University of Toronto Mississauga (UTM) and their use is critical to accomplishing the research and education goals of the university. 

Use of these digital assets come with significant risks and, if the appropriate security and safeguards are not applied, they can be conduits for unauthorised access to the University’s confidential data and IT infrastructure.

The University of Toronto Mississauga has obligations laid out in the Policy on Information Security and the Protection of Digital Assets to safeguard its information and digital assets in order to protect students, staff, faculty, intellectual property, and institutional reputation. This document outlines a set of practices and guidelines for the proper use of digital assets at the University of Toronto Mississauga.

Objective

As part of UTM’s efforts to achieve compliance with University of Toronto Policy on Information Security and the Protection of Digital Assets it has created a comprehensive Risk Management Program. This document is a part of the Risk Management Program that pertains specifically to end user computing. It lays out the best practices, procedures, and guidelines for end user computing with the intent of helping the UTM community to meet or exceed the requirements as laid out in that Policy.

Scope

All digital assets and sensitive information, be they owned by the University of Toronto Mississauga or personally owned, that are used for conducting the business of the University or are otherwise used in the processing, storage or transmission of information that is governed by University of Toronto Policy. This includes, but is not exclusive to, workstations, laptops, portable devices such as tablets or phones, and removable media (eg. USB drives, SD Cards, or Optical disc’s)

Exemptions: Where there is a need for deviations or exemptions from these guidelines a formal Risk Assessment or Exemption Form should be completed and the exemption authorized by the service owner and I&ITS management.

Policy Framework

The guidelines and recommendations in Appendix 1 meet or exceed those set forth in the following University of Toronto Policy documents. For each item in Appendix 1, it is noted which University of Toronto Policy document(s) from which it was derived for future reference.

  • University of Toronto Information Security Guidelines (ISG)
  • University of Toronto Mississauga Privacy Policy (UTM-PP)
  • University of Toronto Provost -  Access and Privacy Practices (P-APP)
  • University of Toronto Provost – Appropriate Use of Information and Communication Technology (P-AUICT)
  • University of Toronto Policy on Information Security and the Protection of Digital Assets (ISPDA)

Emergency Authority

In the event of an emergency that threatens the digital assets of UTM, authority rests with the President of UTM, its Chief Administrative Officer, or the Director of I&ITS to take appropriate measures to mitigate the risk to the Universities assets.

Appendix 1

  • Clean Desk Policy – All confidential/private materials must be secured when not at your desk. This includes breaks, lunch and when you are gone for the day. Material should either be physically locked in a drawer or cabinet or, if on an IT resource, this must be locked or otherwise secured to permanent furniture if in publicly accessible space. Computer and device screen auto lock should be 5-10min. [P-APP, UTM-PP]
  • All Desktops/Laptops are to be promptly updated, patched, have an approved anti-virus program installed with regular updates and scans. Enrolment in UTM I&ITS Secure Managed Desktop Environment is strongly recommended.[UTM-PP, ISG, P-APP]
  • All Mobile devices (eg. Tablets, phones) should be running up to date operating system software and be set to regularly or automatically update applications and OS. [ISG]
  • Firewalls are to be turned on and configured in accordance with best practices and I&ITS standards. Unneeded ports and protocols should be disabled [ISG, P-APP]
  • Default accounts should be disabled and generic logins should be changed for all devices. [ISG]
  • Stricter security settings for operating systems and applications are to be used wherever possible. [ISG]
  • Strong Passwords and pins should be used for all desktop and mobile devices. The recommended minimum is 10 characters. [P-APP, UTM-PP]
  • Full volume/device encryption is required for desktops, laptops and phones. If portable media are to be used to transport sensitive data, full device/media encryption is the preference but encrypting the data itself with an industry standard method is acceptable. [UTM-PP, ISG, P-APP]
  • All sensitive or confidential information that is to be transmitted outside University of Toronto networks (e.g. external Email addresses, 3rd party storage like Dropbox, other academic institutions, etc.) must be done in a secure manner. This could mean encrypting email attachments, encrypting files before upload to a 3rd party, or using a VPN if you are access sensitive material on UofT servers from off campus. Off campus network traffic must be secure if involving sensitive data. Passwords, if required, for accessing this material should be sent via a different and also secure means (e.g. Telephone). File and Record management should be done in line with the UofT File Plan including its retention and disposition requirements.  [UTM-PP, P-APP]
  • Confidential and sensitive information should be stored, wherever possible, in an institutionally managed secure service, or server environment and accessed through an institutionally controlled network, or VPN. If this is not possible the local device the data resides on must be encrypted. [P-APP, UTM-PP]
  • Hard copies in transit should be suitably physically secured; a lockable case is recommended, kept out of public view, and never left unattended in an unsecure environment. [P-APP, UTM-PP]
  • Access to sensitive data should be limited only to the minimum of what is required for the intended use. Only the bare minimum of confidential information required for tasks should be collected. If you have access to resources not required for your job, alert your superior. [P-APP, ISG]
  • Appropriate backups must be kept of any critical data. The backup solution should have protections to at least the same standard of the as the devices where the data is accessed. Backups are to be verified often and should be a suitably separate physical location. [P-APP, ISG, UTM-PP]
  • For retention purposes any long term data should be updated in format and its function verified [ISG]
  • Data destruction must be by three passes of random data, approved physical destruction means, or if done by a 3rd party disposal service a certificate of destruction must be provided. Never simply dispose of or recycle sensitive or potentially sensitive material. [P-APP, ISG, UTM-PP]
  • Paper documents need to be cross-shredded at a minimum. [UTM-PP, P-APP]
  • Access to resources only to be provided by the authority responsible for the resource. [P-AUICT]
  • Individuals are not to share access to a resource to others that are not authorised to access that resource. [P-AUICT]
  • All changes in staffing and roles should be communicated to I&ITS promptly.
  • Report all potential privacy issues to the UTM Privacy Officer immediately. [P-APP, UTM-PP]