ICT Guidelines on Information Security (Jan-16-2016)
The Laurier community is dependent upon digital information, digital information systems, and digital information networks. The integrity of these digital assets is vulnerable due to Laurier's reliance on the public internet, which opens Laurier systems and networks to threats related to that exposure. Consequently, it is imperative that Laurier define computer and network guidelines and best practices which will allow the students, faculty, and staff to pursue their academic, research, and administrative requirements without compromising the integrity of our digital assets. Below is a list of guidelines to help the university community protect their information.
Members of the Laurier community must be made aware of the Laurier digital information taxonomy.
Specifically, Laurier's digital information should be classified as Open, Internal, or Restricted, per 3.4 Data Classification & Information Management Policy. Printed documents should have a header or footer with the appropriate classification stated.
The ICT department and the Privacy Officer will ensure that appropriate training is provided for members of the university community who handle confidential and sensitive information.
Information Technology Security requires an educated university community that follows proper security practices.
A user can easily compromise the integrity of their computer through e-mail or internet browsing or by connecting to a removable media device which has been infected.
It is the responsibility of every member of the Laurier community who deals with digital information to be aware of, and adhere to, the Laurier Security Principles.
The ICT department will make security training available to all members of the Laurier community.
All traffic on the Laurier network must be attributable to an individual member of the Laurier community and to a particular network connection.
The ICT department will maintain logs and procedures to identify the user of every networked device and will disable any device that interferes with the academic, research, or administrative use of the Laurier network.
Additionally, users must only be granted access to information when it is needed for their job.
All computing devices (desktop computer, laptop computer, handheld computer, printer, switch, wireless access point, or router) connected to the Laurier wired network must be owned by the university or purchased through research funds and must be securely configured.
All computers running a version of the Microsoft Windows operating system must have Laurier approved virus protection software installed and the software must be configured to receive daily virus definition updates.
All computers should be configured to receive the latest security patches for their operating system.
All computers should have a desktop firewall installed for their operating system, and the firewall should be configured to block all unnecessary incoming network connections.
The ICT department or designated departmental technical staff will be available to properly configure all university computers for safe network access as described above and to ensure that only approved devices are connected to the network.
The ICT department will also monitor the network to ensure no illicit devices have been connected to the network and to take action to disable any such devices.
All connections to the Laurier wireless network must be authenticated and all sessions must be encrypted.
All wireless access points deployed on campus and connected to the Laurier data network must be approved and configured by the ICT department. The ICT department will ensure that software is available to connect securely to these access points.
The ICT department will regularly scan for rogue access points and will audit log files to ensure that only members of the Laurier community are connecting to the Laurier wireless network.
Passwords are the primary means of ensuring that only authorized persons have access to confidential data.
Passwords must never be shared or otherwise put at risk.
The ICT department will provide training for users to choose strong passwords and will ensure that any password access to Laurier systems from the Internet is encrypted. The ICT department will ensure that systems under its control are configured to force strong password selection and regular password change. The ICT department will regularly scan systems for weak passwords.
Laurier Internet access must be used in a manner compatible with Laurier’s mission, vision, and values.
All members of the Laurier community have direct access to the internet for the academic, research and administrative requirements of the university, and it is accepted that there will be some personal recreational internet use.
The ICT department will provide training to faculty and staff to never use the internet for recreational purposes that put the digital assets of the university at risk. For an understanding of acceptable use refer to Policy 9.1 Use of Information Technology, section 4.04. The ICT department will monitor lab, research and wireless connections to ensure that students do not use these assets in a way that conflicts with the Laurier mission.
Security incidents must be reported in a timely fashion to the Service Desk or to ICT Management directly.
Security incidents should be addressed as soon as possible so as to limit the damage to the integrity of Laurier's digital assets.
The internet is a dangerous environment and from time to time Laurier computers may be compromised in some manner. Users must report to the ICT department any unusual behavior on their computer so as to minimize dangers to the integrity of Laurier digital assets.
The ICT department will provide training to the Laurier community in regard to the kinds of behavior to be aware of and will notify the university community of security alerts received from trusted sources.
The Laurier community must be vigilant in detecting deceitful people who will use technology or human persuasion to gain access to Laurier's digital information. This is referred to as Social Engineering.
Users must never give physical access to their computer to any person who does not provide the appropriate identification, must never provide confidential or sensitive information over the phone unless they recognize the caller as authorized for that information, and must never provide confidential or sensitive information in an e-mail or on a web page that has not been confirmed as trusted.
It is strongly recommended that all computers be locked when the user is away from the keyboard.
The ICT department will provide training in regard to social engineering and will provide alerts to the community when such threats are active in our area.
A. Erasure of digital information from disks, CDs, etc. is frequently insufficient for ensuring information cannot be retrieved.
Users must ensure that external media (e.g. USB sticks, external hard drives, DVDs, etc.) that might contain confidential information are rendered unreadable before disposal and that all removable media that might contain confidential information are destroyed. The ICT department will make resources available to the Laurier community to render external hard drives unreadable and advise how to shred removable media.
B. Members of the Laurier community must ensure that all laptops and desktops are returned to the ICT department for proper secure disposal.
Erasure of digital information from disks, CDs, etc. is frequently insufficient for ensuring information cannot be retrieved.
The ICT department will dispose of all obsolete laptops, desktops, printers, tablets, and smart phones.
*** No computer or technology equipment will be sold to any employee or individual.
C. Employees Leaving Laurier
When an employee leaves Laurier, the manager of the department is required to:
a. For a desktop computer - call the service desk to inform ICT that an employee is leaving so that ICT can re-image the computer, or
b. For a laptop computer - call the service desk to inform ICT that an employee is leaving so that ICT can pick up the laptop for re-imaging. Refer to Policy 4.2 Surplus Disposal - Used Furniture and Equipment for guidance.
The ICT department will implement data backup procedures, network redundancy, and a Disaster Recovery Policy so that, except for ICT network maintenance windows and unforeseen outages, the Laurier digital network will be available on a 24/7 basis.
Network services, such as e-mail and web hosting, must only be run on computers operated by the ICT department or on systems approved by the ICT department.
Poorly configured or out of date network service software can be used to compromise a computer.
The ICT department will operate computer systems to provide network services required by members of the university community.
When a department or an individual requires a computer system to run an application or specialized service that is not part of the standard image, the ICT department will install and configure the system under a Service Level Agreement with the department, or the ICT department will provide advice and approval for running the service on a computer operated by the department or individual.
Remote Desktop programs such as Windows Remote Desktop, RealVNC, and PCAnywhere should only be installed on a computer after consultation with the ICT department.
Poorly configured remote desktop programs can be used to compromise a computer. The ICT department may disable any insecure remote desktop connection.
The ICT department will provide training in the proper use of remote desktop programs.
Any action by a member of the Laurier community that is contrary to The Laurier Computer and Network Security Guidelines must be dealt with in a timely and effective manner.
It is expected that notification from the Manager, ICT Infrastructure will be sufficient to handle most security violations.
In the event of repeated or intentional security violations by an individual, the Manager, ICT Infrastructure, in consultation with the Director, ICT Solutions, will contact the individual's manager to have the situation resolved.
Exceptions to the ICT Guidelines on Information Security will be made only at the discretion of the Director, ICT Solutions and will be documented.