Data Security
Data at the University of Manitoba is:
Implements, manages and operates a system or systems at the direction of the system and data owner,. The System Administrator assists in management of the day to day administration of related IT systems, and implements security controls and other requirements of the security program.
Data Custodian:
The individuals or departments in physical or logical possession of data that is responsible for:
Risk Management:
This policy and related standards are based on protecting IT systems and data based on sensitivity and risk, including system availability needs. Risk Management is a central component of the IT security program.
Departments define and determine ownership of IT systems classified as sensitive so that IT security roles can be appropriately assigned.
A Risk Assessment is required for all systems classified as sensitive. While a Risk Assessment is not required for data classified as non sensitive departments are advised to conduct an informal assessment for all data and systems, and apply appropriate security controls as necessary to reduce risks to an acceptable level.
IT systems Security:
The purpose of IT systems security is to define the steps necessary to provide adequate and effective protection for IT systems in areas such as: System Hardening, System Interoperability, Malicious Code Protection and System Life Cycle. IT systems may require further security controls for adequate protection based on the identification of sensitivity and risk and system availability needs.
Logical Access
Logical Access Control requirements identify the measures needed to verify that all IT system users are who they say they are, and that they are permitted to use the systems and data they are attempting to access. Logical Access Control defines requirements in the areas of Account Management, Password Management and Remote Access.
Data Protection provides security safeguards for the processing and storing of data. This component defines the methods that departments can use to safeguard the data in a manner commensurate with the sensitivity and risk of the data stored. Data Protection includes requirements in the areas of Media Protection and Encryption.
Storing any data classified as sensitive on any mobile device including laptops and any local storage device such as USB thumb drives, memory chips and iPods is not recommended unless the data is encrypted.
Facilities Security:
This is planning for the security of IT facilities to provide a front line of defense for IT systems against damage, theft, unauthorized disclosure of data, loss of control over system integrity, and interruption to computer services.
Personnel Security:
It is necessary to control and reduce the risk to UofM IT systems and data by specifying Access Determination and Control requirements that restrict access to systems and data to those individuals who require such access as part of their job duties. Personnel Security should also contain Security Awareness Training required to provide all IT system users with appropriate understanding regarding UofM security policies and Acceptable Use requirements for UofM IT systems and data.
Threat Management:
This addresses the protection of UofM IT systems and data by preparing for and responding to IT security incidents. This includes Threat Detection, Incident Handling and IT security monitoring and logging.
Should unencrypted personally identifiable information be subject to a breach in security resulting in unauthorized disclosure, the data owners, shall provide appropriate notice to affected individuals. Notice should occur without unreasonable delay as soon as verification of a breach is made consistent with the investigative needs of the UofM and law enforcement. U of M Security Services and IST should be notified of any such incident.
IT Asset Management:
This deals with the protection of the components that comprise the UofM IT systems by managing them in a planned organized and secure fashion. Asset Management includes Asset Control, Software License Management and Configuration Management and change control.
General Monitoring
Monitoring is used to improve IT security, to assess appropriated use of UofM IT resources, and to protect those resources from attack. Use of UofM resources constitutes permission to monitor that use. This can include the use of privately owned equipment across the UofM network.
In accordance with the U of M policy on the use of computer facilities, the University of Manitoba reserves the right to:
o Review data contained in or using Uof M IT resources.
o Review activities using UoM IT resources.
o Act on information discovered as a result of monitoring and disclose such information to law enforcement agencies and other organizations as authorized by the VP Administration.
User Agreement to Monitoring:
Any use of University of Manitoba computer resources constitutes consent to monitoring activities that may be conducted. Users of University of Manitoba computer resources:
o Agree to comply with University of Manitoba policy on the use of computer facilities
o Acknowledge that their activities may be subject to monitoring.
o Acknowledge that any detected misuse of University of Manitoba computer resources may be subject to disciplinary action.
What is Monitored?
Monitoring of University of Manitoba computer systems and data may include, but is not limited to, network traffic, application and data access, keystrokes and user commands, e-mail and internet usage, and message and data content.
Infrastructure Monitoring:
IT personnel are responsible for maintaining security in their environments through the following processes:
• Monitoring all systems for security baselines and policy compliance.
• Notifying the Security Officer, and the Executive Director of IST of any detected or suspected incidents.
• Monitoring their environment infrastructure.
• Installing or using unauthorized monitoring devices is strictly prohibited.
Confiscation and Removal of IT resources:
As necessitated by circumstances and authorized, the confiscation and removal of any IT resource suspected to be the object of inappropriate use or violation of University of Manitoba security policies to preserve evidence that might be utilized in forensic analysis of a security incident.
- A critical asset that shall be protected.
- Use of data is restricted to authorized personnel
- Be a cornerstone of computer systems and use.
- Address the business and technological requirements of the University.
- Be risk based and cost effective.
- Align with University priorities, industry practices and legislative requirements.
- Be implemented by facilities and departments at the University of Manitoba using tolls and procedures supplied by IST
- Be the responsibility of all users of the University of Manitoba networks, systems, and data.
Departments and Facilities may choose to adopt more restricted security programs and policies, but must meet the requirements of IST security standards and best practices. Requests for exceptions should be made in writing to the VP Administration and the Executive Director of Information Services and Technology.
The aim of these guidelines is to protect systems and data from threats, internal and external, deliberate or accidental.
The goal of a security protection strategy would be:
- To protect data at the University of Manitoba from unauthorized access and use.
- Maintain the integrity of data.
- Meet legislative requirements.
Deans, Directors, and Department heads will need to provide for the data security needs within the purview of their respective areas. They should take all reasonable actions to provide adequate IT security and to refer problems, requirements, and matters related to IT security to the Executive Director of Information Services and Technology.
Definitions:
Data Owner:
The individual, group or area that is responsible for the policy and practice decisions with respect to their data. Their responsibilities include;
- Evaluating and classifying sensitivity of the data.
- Defining the protection requirements for the data based on the sensitivity of the data.
- Communicating the data protection requirements to local IT support.
- Defining requirements for access to data.
Implements, manages and operates a system or systems at the direction of the system and data owner,. The System Administrator assists in management of the day to day administration of related IT systems, and implements security controls and other requirements of the security program.
Data Custodian:
The individuals or departments in physical or logical possession of data that is responsible for:
- Protecting the data in their possession from unauthorized access, alteration, destruction or usage.
- Establishing, monitoring and operating IT systems in a manner consistent with security guidelines and standards.
All users of University of Manitoba IT systems are responsible for the following:
- Read and comply with IST security program requirements.
Report breaches of IT security, actual or suspected to IST Security Officer. - Take reasonable and prudent steps to protect the security of IT systems and data to which they have authorized access.
Users with sensitive data shall:
- Define the sensitive data and the IT systems that it is stored on.
- Assign security roles for protection of the data
- Conduct a formal risk assessment.
- Conduct a Security Audit.
- Develop and Implement an action plan to be used in the event of a security breach
Risk Management:
This policy and related standards are based on protecting IT systems and data based on sensitivity and risk, including system availability needs. Risk Management is a central component of the IT security program.
Departments define and determine ownership of IT systems classified as sensitive so that IT security roles can be appropriately assigned.
A Risk Assessment is required for all systems classified as sensitive. While a Risk Assessment is not required for data classified as non sensitive departments are advised to conduct an informal assessment for all data and systems, and apply appropriate security controls as necessary to reduce risks to an acceptable level.
IT systems Security:
The purpose of IT systems security is to define the steps necessary to provide adequate and effective protection for IT systems in areas such as: System Hardening, System Interoperability, Malicious Code Protection and System Life Cycle. IT systems may require further security controls for adequate protection based on the identification of sensitivity and risk and system availability needs.
Logical Access
Logical Access Control requirements identify the measures needed to verify that all IT system users are who they say they are, and that they are permitted to use the systems and data they are attempting to access. Logical Access Control defines requirements in the areas of Account Management, Password Management and Remote Access.
Data Protection provides security safeguards for the processing and storing of data. This component defines the methods that departments can use to safeguard the data in a manner commensurate with the sensitivity and risk of the data stored. Data Protection includes requirements in the areas of Media Protection and Encryption.
Storing any data classified as sensitive on any mobile device including laptops and any local storage device such as USB thumb drives, memory chips and iPods is not recommended unless the data is encrypted.
Facilities Security:
This is planning for the security of IT facilities to provide a front line of defense for IT systems against damage, theft, unauthorized disclosure of data, loss of control over system integrity, and interruption to computer services.
Personnel Security:
It is necessary to control and reduce the risk to UofM IT systems and data by specifying Access Determination and Control requirements that restrict access to systems and data to those individuals who require such access as part of their job duties. Personnel Security should also contain Security Awareness Training required to provide all IT system users with appropriate understanding regarding UofM security policies and Acceptable Use requirements for UofM IT systems and data.
Threat Management:
This addresses the protection of UofM IT systems and data by preparing for and responding to IT security incidents. This includes Threat Detection, Incident Handling and IT security monitoring and logging.
Should unencrypted personally identifiable information be subject to a breach in security resulting in unauthorized disclosure, the data owners, shall provide appropriate notice to affected individuals. Notice should occur without unreasonable delay as soon as verification of a breach is made consistent with the investigative needs of the UofM and law enforcement. U of M Security Services and IST should be notified of any such incident.
IT Asset Management:
This deals with the protection of the components that comprise the UofM IT systems by managing them in a planned organized and secure fashion. Asset Management includes Asset Control, Software License Management and Configuration Management and change control.
General Monitoring
Monitoring is used to improve IT security, to assess appropriated use of UofM IT resources, and to protect those resources from attack. Use of UofM resources constitutes permission to monitor that use. This can include the use of privately owned equipment across the UofM network.
In accordance with the U of M policy on the use of computer facilities, the University of Manitoba reserves the right to:
o Review data contained in or using Uof M IT resources.
o Review activities using UoM IT resources.
o Act on information discovered as a result of monitoring and disclose such information to law enforcement agencies and other organizations as authorized by the VP Administration.
User Agreement to Monitoring:
Any use of University of Manitoba computer resources constitutes consent to monitoring activities that may be conducted. Users of University of Manitoba computer resources:
o Agree to comply with University of Manitoba policy on the use of computer facilities
o Acknowledge that their activities may be subject to monitoring.
o Acknowledge that any detected misuse of University of Manitoba computer resources may be subject to disciplinary action.
What is Monitored?
Monitoring of University of Manitoba computer systems and data may include, but is not limited to, network traffic, application and data access, keystrokes and user commands, e-mail and internet usage, and message and data content.
Infrastructure Monitoring:
IT personnel are responsible for maintaining security in their environments through the following processes:
• Monitoring all systems for security baselines and policy compliance.
• Notifying the Security Officer, and the Executive Director of IST of any detected or suspected incidents.
• Monitoring their environment infrastructure.
• Installing or using unauthorized monitoring devices is strictly prohibited.
Confiscation and Removal of IT resources:
As necessitated by circumstances and authorized, the confiscation and removal of any IT resource suspected to be the object of inappropriate use or violation of University of Manitoba security policies to preserve evidence that might be utilized in forensic analysis of a security incident.
IST SERVICE DESK
Mon - Fri: 8am to 8pm
204-474-8600 or
Walk-In:
Fort Garry
123 Fletcher Argue
Mon - Fri: 8am to 8pm
Bannatyne
230 Neil John Maclean Library
Mon - Fri: 8am to 4:30pm