For a system to be considered secure, it must be managed to a standard equivalent to, or better than, the minimum security baseline adopted in 2013. The list below is a summary of the Information Security Guidelines 2013.

 

# | Topic | Requirement
1 | Patching | Prompt installation of vendors’ software updates to correct known vulnerabilities.
2 | Antivirus | Installation and regular update of anti-virus software.
3 | Encryption | Encryption of confidential information on devices that are physically insecure, or not under the University of Toronto’s control.
4 | Data in transit | Encryption of network communications, such that user credentials and other confidential information are not visible in transit over insecure networks.
5 | Firewalls | Protection of networked devices via firewalls.
6 | User Security Education | Education of administrators and users as to best practices for protecting data while in storage, use and communication.
7 | Physical Security | Physical protection of resources that restricts removal by unauthorized persons.
8 | Backups | Back up of critical data, with backups tested for readability and protected to the same level as data that is in use.
9 | Incident Response | Effective and practiced incident response procedures, including (but not limited to): monitoring of, and response to, unauthorized access to systems and data.
10 | Un-needed services | Disabling un-needed network services.
11 | Default accounts | Deletion of ‘guest’ or non-password protected accounts.
12 | System Hardening | Choosing security settings that are more strict than typically insecure default values, and changing default passwords.
13 | Data Deletion (from Appendix 3) | All data associated with a record must be rendered irrecoverable after its retention duration expires. Data associated with the creation, use and transport of a record should be rendered irrecoverable after data are no longer operationally useful.

Where data are stored in printed format, all documents ideally should be shredded as part of the disposal process. Confidential data must always be shredded as part of the data disposal process.

Where data are stored in electronic/machine-readable format, all storage media should be physically destroyed or ‘wiped’ (over-written with random data a minimum of 3 times) as part of the disposal process. Devices used to store confidential data must always either be destroyed or ‘wiped’ (as above) as part of the data disposal process.

Technology users should be aware of all locations where data are stored in their environment.

14 | Availability of stored data (from Appendix 3) | Where data are stored in machine-readable format, equipment and software that can interpret and communicate the data in usable format must be kept in working order for the retention duration of the data.

Alternatively, the data must be migrated to new storage media in advance of the end of lifetime for its storage media, or the failure of, or lack of manufacturer support for, interpreting technology.

15 | Records Retention (from Appendix 3) | The University’s recommendations for how long certain records series should be kept are set out in more than 700 records retention schedules developed by the University of Toronto Archives and Records Management Services. The retention periods outlined in these schedules should be followed and applied to both departmental files and to any convenience copies. For more information, please see the University Archives’ on-line Retention and Disposition Schedules database: http://archives.library.utoronto.ca/dbtw-wpd/textbase/webschedule/

 

16 | Protection of Electronic or Machine-Readable Data (from Appendix 2) | Unless stored on secure, University of Toronto-owned equipment, confidential or restricted information (as defined in the Data Definition Guidelines) must have one or more of the following protections applied:

  • be encrypted;
  • have all personally identifiable information removed or obfuscated (anonymized);
  • or be sanitized (have all verifiable information removed or obfuscated).

Access to confidential information stored on secure, University of Toronto-owned equipment must be controlled in proportion to the information’s sensitivity, and provided on a need-to-know basis.

17 | Protection of Printed Data (from Appendix 2) | The only option to protect confidential data in printed format is to store it under lock and key. The strength of the lock, and the characteristics of the storage facility (passive fire-resistance, fire alarms, fire suppression systems, break-enter alarms, humidity sensors / controls, etc.) must accommodate the physical characteristics of the print medium and the required retention period.

Non-confidential printed data do not require access or protective controls beyond the physical characteristics of the print medium and the required retention period associated with the data.