G4 - Secure Data Exchange Guideline
|
Guideline ID |
4 |
|---|---|
|
Guideline status |
Reviewed |
|
Guideline description |
Information security guideline for choosing information transmission methods based on the security classification. |
|
Guideline owner |
Information Security Services |
|
Guideline contact |
Table of Contents
- Changes
- Purpose
- Applicability
- Overview of Policy 46 security classifications
- Technology selection
- Selection of cloud-based technologies
- Glossary
- Document history
- Reviews
Changes
This document is subject to change and review at least annually.
Purpose
The purpose of this document is to provide an overview of the security classifications defined in Policy 46 and provide guidance on what technologies are appropriate for storage of information in the University of Waterloo's custody and control, based on Policy 46.
Applicability
This guideline applies to University of Waterloo departments and University businesses that are exchanging data.
Overview of Policy 46 security classifications
Public
Public information is what one would expect to see posted on a public website or subject to a Freedom of Information request without requiring redaction. Examples include the University Calendar, Request For Proposals (RFPs), and salaries subject to disclosure by the Ontario Public Sector Salary Disclosure Act.
Confidential
Confidential information is anything not classified as Public. Some confidential information can be further classified as Restricted and/or Highly Restricted
Restricted
The Restricted classification is assigned to Confidential information that, if breached, requires details of the breach to be disclosed to a third party. The most common example of this is personal information about students including, but not limited to, biographical information, assigned grades, course enrolment information, completed coursework, and health information. If breached, the affected individual(s) must be notified of such a breach and, depending on the circumstances, the University may need to notify the Privacy Commissioner of Ontario.
Highly Restricted
The Highly Restricted classification is assigned to Restricted information that presents a higher risk if compromised. Examples of Highly Restricted information include Social Insurance Numbers, certain financial information, and health insurance identification numbers. The use of Highly Restricted information is forbidden except where required by an approved business need.
Technology selection
The table below provides guidance on the appropriate use of technology based on Policy 46 security classification.
|
Technology |
Security features/notes |
Public |
Confidential |
Restricted |
Highly Restricted |
|---|---|---|---|---|---|
|
Website |
|
X |
|||
|
|
|
X |
X |
X1 |
|
|
Sendit |
|
X |
X |
X1 |
|
|
LEARN OneDrive Sharepoint Online |
|
X |
X |
X |
X3 |
|
Cloud-based storage |
|
X |
X |
X2 |
|
|
Sharepoint |
|
X |
X |
X |
X |
|
Waterloo based webserver with authentication and SSL enabled |
|
X |
X |
X |
X |
|
Secure FTP, SCP |
|
X |
X |
X |
X |
Notes:
1Appropriate when a staff or faculty member is corresponding with an individual student, and personally identifiable information about that individual student is being exchanged
2See the "Selection of cloud-based technologies" section of this document
3Extra security controls such as two-factor authentication must be in place. Consult the Information Security Services team for further guidance.
Selection of cloud-based technologies
The security controls and sharing capabilities will vary between different cloud-based solutions. When cloud-based solutions are to be used for storing information classified as Restricted, then the following four criteria need to be met:
Adequate security controls are in place
The adequacy and nature of security controls will depend on the nature of the service and how it's used. Some considerations include:
- Integration with one of the university's central authentication services
- If central authentication integration is missing, then a unique identifier for each user is required (preferably the Waterloo userid) and the provider's password policy must meet or exceed the university's standards
- Sharing should be denied by default
- Secure transport protocol (e.g. HTTPS) must be employed
- Provider's service has undergone third party security testing (i.e. vulnerability scan/assessment)
- Provider has continuous monitoring in place for system intrusions/unauthorized access
Adequate data recoverability functionality
All information in the stewardship of the University of Waterloo needs to be recoverable from the cloud-based provider, in the event the University of Waterloo wishes to terminate its business relationship with that provider.
Accessibility to UWaterloo data on request (Freedom of Information)
Most, if not all, information that is classified as Restricted would be considered a university record and governed by policy 46. Given the University of Waterloo is subject to the Freedom of Information and Protection of Privacy Act (FIPPA), Restricted information stored in the cloud may need to be retrieved in response to a Freedom of Information (FOI) request.
Notification to UWaterloo in the event of a data breach
The provider must have processes in place to notify the University of Waterloo in the event of a breach of privacy and/or security. This is necessary in order for the University of Waterloo to fulfil its obligations to the university community.
Glossary
| Term | Definition |
|---|---|
|
Access control |
Access control systems provide:
|
|
Authentication |
Authentication involves confirming the identity of a person |
|
Cloud-based services |
Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). Cloud computing entrusts remote services with a user's data, software and computation. |
|
Encryption |
The process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can. |
|
Freedom of Information (FOI) Request |
a FOI (or access to information) request is an official written request for information from an organization covered by the Freedom of Information and Protection of Privacy Act, R.S.O. 1990 c. F.31 |
|
Sendit |
A University of Waterloo service based on the FileCatalyst Webmail product. The service is useful for transferring files when email is not appropriate whether because of file size or type or when delivery confirmation is required. |
|
Sharepoint |
A web application platform developed by Microsoft used for internal content management and document management. |
|
Secure Copy (SCP) |
A means of securely transferring computer files between two computers using the Secure Shell (SSH) protocol. |
|
Secure File Transfer Protocol (SFTP) |
A network protocol that provides file access, file transfer, and file management functionalities of any reliable data stream. It was designed to provide secure file transfer capability. |
|
Secure Shell (SSH) |
A cryptographic network protocol for secure data communication or services between two networked computers via a secure channel over an insecure network. |
|
Secure Sockets Layer (SSL) |
A cryptographic protocol that provide communication security over the Internet. |
Definition sources: Wikipedia
Document history
|
Date |
Revision Summary |
|---|---|
|
2017-08 |
Initial Version |
Reviews
|
Date |
Reviewed By |
|---|---|
|
2017-08 |
Information Security Services |
| 2019-10 | Information Security Services |