University Policies

Data Security and Handling Policy

File Code: TECH.DATASEC.POL
Approved by: President
Approval Date: February 8, 2022

The university and all members of the university community are obligated to respect and to protect university data. The university reserves the right to examine computer records or monitor activities of individual computer users (a) to protect the integrity or security of the computing resources or protect the university from liability, (b) to investigate unusual or excessive activity, (c) to investigate apparent violations of law or university policy, and (d) as otherwise required by law. Personal use of university computing resources is strictly prohibited for any reason, per the Ethics Act. Users should be aware that the university may be legally compelled to disclose information relating to business or personal use of the computer network to governmental authorities or, in response to a Freedom of Information Act (FOIA) request, the context of litigation or a served subpoena.

All university areas accepting, working with, or transmitting sensitive data are required to take appropriate measures, to protect sensitive data under their care. Measures are considered appropriate if protective measures are consistent with laws, regulations, and best practices to the greatest extent possible and feasible. Data security requirements are applicable to all electronic data, regardless of medium of storage or transmission (i.e. local drives, servers, wireless, LAN, etc.).

  • There should be only one authoritative source for electronic university records. Because of the strength of RACF security and the technology available on the mainframe to support encryption at rest, it is recommended that the one authoritative source be the Mainframe.
  • Proper use of sensitive data begins by evaluating your business processes for the need to take in or store sensitive data and if indeed it is needed ensure that appropriate protection (obfuscation, masking, one-way hash, encryption, etc.) is applied throughout the data lifecycle. Sensitive data must never exist on University systems unprotected.
  • The requirement to protect sensitive data extends to backup copies of sensitive data especially when this data is outside University control such as with a vendor, in transit or stored off University property.
  • Direct access to data from the Internet must be disallowed. Instead requests for data should be proxied between a requesting segment and a segment hosting the data.
  • Use of default database passwords is strictly prohibited.
  • Configuration of all computing resources should be based on least privilege concepts. All unnecessary services and ports should be disabled by default. Configurations should be based on secure best practice guidelines.
  • Database management should be done over secure channels.
  • When developing and configuring applications, do not connect to a database as a user with superuser-like authority or as the database owner. Instead, make use of customized users with appropriate limited privileges.
  • Use of generic accounts is strictly prohibited.
  • Any passwords stored within the database must be encrypted or hashed with an appropriate algorithm.
  • Data stored on any system not managed or controlled by the university (i.e. third party hosted applications) must be accessed to determine appropriate security measures are in place to protect the confidentiality, integrity and availability of university data.
  • All computing resources should remain patched with the most recent security patches and updated, where possible.
  • Personal use of any university provided resource (i.e. email, web space, computer, etc.) is strictly prohibited.