Guidelines for secure data exchange: Choosing information transmission methods based on the security classification

G4 - Secure Data Exchange Guideline

Guideline ID

4

Guideline status

Reviewed

Guideline description

Information security guideline for choosing information transmission methods based on the security classification.

Guideline owner

Information Security Services

Guideline contact

Jason Testart

Table of Contents

Changes

This document is subject to change and review at least annually.

Purpose

The purpose of this document is to provide an overview of the security classifications defined in Policy 46 and provide guidance on what technologies are appropriate for storage of information in the University of Waterloo's custody and control, based on Policy 46.

Applicability

This guideline applies to University of Waterloo departments and University businesses that are exchanging data.

Overview of Policy 46 security classifications

Public

Public information is what one would expect to see posted on a public website or subject to a Freedom of Information request without requiring redaction. Examples include the University Calendar, Request For Proposals (RFPs), and salaries subject to disclosure by the Ontario Public Sector Salary Disclosure Act.

Confidential

Confidential information is anything not classified as Public. Some confidential information can be further classified as Restricted and/or Highly Restricted

Restricted

The Restricted classification is assigned to Confidential information that, if breached, requires details of the breach to be disclosed to a third party. The most common example of this is personal information about students including, but not limited to, biographical information, assigned grades, course enrolment information, completed coursework, and health information. If breached, the affected individual(s) must be notified of such a breach and, depending on the circumstances, the University may need to notify the Privacy Commissioner of Ontario.

Highly Restricted

The Highly Restricted classification is assigned to Restricted information that presents a higher risk if compromised. Examples of Highly Restricted information include Social Insurance Numbers, certain financial information, and health insurance identification numbers. The use of Highly Restricted information is forbidden except where required by an approved business need.

Technology selection

The table below provides guidance on the appropriate use of technology based on Policy 46 security classification.

Technology

Security features/notes

Public

Confidential

Restricted

Highly Restricted

Website

  • None

X

     

Email

  • Security depends upon the connection settings between clients sending and retrieving email and also servers transmitting email
  • End-to-end encryption possible but not guaranteed (especially for off-campus destinations)
  • Campus email servers may or may not require client-to-server communication to be carried out over a secure connection
  • Sending email to "@uwaterloo.ca" email address may have a final destination off-campus where Waterloo has no control over the security of down-stream communication

X

X

X1

 

Sendit

  • Data transfer is encrypted end-to-end, but the access URLs are exchanged via email which may or may not be encrypted
  • Use SFTP/HTTPS as the transfer protocol

X

X

X1

 

LEARN

OneDrive

  • Good level of access control (UWaterloo authentication)
  • Makes use of transport security (SSL/TLS)
  • uWaterloo has good level of control of service
  • uWaterloo has contract with Desire2Learn (D2L) that covers freedom of information requests and breach notification concerns

X

X

X

X3

Cloud-based storage

  • Some access controls possible (e.g. sharing with specific individuals)
  • Storage location unknown and access control for data on the backend storage unknown (under non-Waterloo administrator control)

X

X

X2

 

Sharepoint

  • All communication conducted over SSL
  • Access controlled by Active Directory authentication

X

X

X

X

Waterloo based webserver with authentication and SSL enabled

  • All communication conducted over SSL
  • Access controlled by Waterloo based authentication

X

X

X

X

Secure FTP, SCP

  • Encrypted file transfer end-to-end

X

X

X

X

Notes:

1Appropriate when a staff or faculty member is corresponding with an individual student, and personally identifiable information about that individual student is being exchanged

2See the "Selection of cloud-based technologies" section of this document

3Extra security controls such as two-factor authentication must be in place. Consult the Information Security Services team for further guidance.

Selection of cloud-based technologies

The security controls and sharing capabilities will vary between different cloud-based solutions. When cloud-based solutions are to be used for storing information classified as Restricted, then the following four criteria need to be met:

Adequate security controls are in place

The adequacy and nature of security controls will depend on the nature of the service and how it's used. Some considerations include:

  • Integration with one of the university's central authentication services
  • If central authentication integration is missing, then a unique identifier for each user is required (preferably the Waterloo userid) and the provider's password policy must meet or exceed the university's standards
  • Sharing should be denied by default
  • Secure transport protocol (e.g. HTTPS) must be employed
  • Provider's service has undergone third party security testing (i.e. vulnerability scan/assessment)
  • Provider has continuous monitoring in place for system intrusions/unauthorized access

Adequate data recoverability functionality

All information in the stewardship of the University of Waterloo needs to be recoverable from the cloud-based provider, in the event the University of Waterloo wishes to terminate its business relationship with that provider.

Accessibility to UWaterloo data on request (Freedom of Information)

Most, if not all, information that is classified as Restricted would be considered a university record and governed by policy 46. Given the University of Waterloo is subject to the Freedom of Information and Protection of Privacy Act (FIPPA), Restricted information stored in the cloud may need to be retrieved in response to a Freedom of Information (FOI) request.

Notification to UWaterloo in the event of a data breach

The provider must have processes in place to notify the University of Waterloo in the event of a breach of privacy and/or security. This is necessary in order for the University of Waterloo to fulfil its obligations to the university community.

Glossary

Term Definition

Access control

Access control systems provide:

  • Authorization to specify what a person can do
  • Identification and authentication to ensure that only legitimate people can obtain access to the resource
  • Access approval to grant access during operations based on the authorization policy

Authentication

Authentication involves confirming the identity of a person

Cloud-based services

Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). Cloud computing entrusts remote services with a user's data, software and computation.

Encryption

The process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can.

Freedom of Information (FOI) Request

a FOI (or access to information) request is an official written request for information from an organization covered by the Freedom of Information and Protection of Privacy Act, R.S.O. 1990 c. F.31

Sendit

A University of Waterloo service based on the FileCatalyst Webmail product. The service is useful for transferring files when email is not appropriate whether because of file size or type or when delivery confirmation is required.

Sharepoint

A web application platform developed by Microsoft used for internal content management and document management.

Secure Copy (SCP)

A means of securely transferring computer files between two computers using the Secure Shell (SSH) protocol.

Secure File Transfer Protocol (SFTP)

A network protocol that provides file access, file transfer, and file management functionalities of any reliable data stream. It was designed to provide secure file transfer capability.

Secure Shell (SSH)

A cryptographic network protocol for secure data communication or services between two networked computers via a secure channel over an insecure network.

Secure Sockets Layer (SSL)

A cryptographic protocol that provide communication security over the Internet.

Definition sources: Wikipedia

Document history

Date

Revision Summary

2017-08

Initial Version

Reviews

Date

Reviewed By

2017-08

Information Security Services

2019-10 Information Security Services