The following practices are intended to help University faculty and staff effectively manage and protect digital (computer-based) information. While these practices focus on managing information related to our job duties, these same practices can also be applied when managing digital information in our personal lives.
Traditional computing services vs Cloud-based services
Traditionally, employees have used their desktop and laptop computers to access services and information hosted locally (i.e., on campus) using a well-defined and managed network infrastructure. In addition, they used this same network to connect to the Internet and access information available online. Over the years, a number of security best practices have evolved to reduce the risk of unauthorized or accidental disclosure and/or destruction of digital information.
Cloud computing enables on-demand access to a shared pool of computing resources (e.g., networks, servers, storage, applications, and services) that may be hosted in various locations. Because these resources can be rapidly provisioned and released with minimal effort, cloud computing provides an efficient and economic means to deliver services on a global scale. Many of the web's most popular services (Gmail, Facebook, etc.) are considered cloud-based services, as are Dalhousie's Office 365 tools and Blackboard.
Best Practices – General
- A password is like a toothbrush; choose a good one, don't share it with anyone, and replace it occasionally.
- Employees are required to change their password to protect their university information, but everyone should consider occasional password changes for their own protection.
- Be especially wary of phishing. There is no legitimate reason for anyone, including Dalhousie staff, to know or ask for your password.
- Use only https://password.dal.ca for password changes. Other links may be fake.
- Change your password anytime you think someone may have discovered it.
- Use Dal's Antivirus software and keep your system software up-to-date.
- Lock your devices (computer/tablet/smartphone) whenever you leave them:
  - Manually when you remember (usually via a key or key combination); and
  - Set an inactivity "time out" to cover the times you forget.
- Encrypt mobile devices where possible and consider tagging them to aid in their return. Remember: Smartphones are full of sensitive information, if not directly then via remembered logins.
- Store sensitive info on servers instead of mobile devices.
- If you must store highly sensitive information locally, encrypt it.
3. Have a backup plan
- Server storage is safer than storing the data locally. It reduces the likelihood of both data loss and accidental data disclosure.
- Email is backed up automatically with Office 365 but restoration time limits need to be considered.
- Phone backups are important as they often contain irreplaceable information such as contact details and photos.
4. Be savvy
- Erase computing devices (including smartphones) before passing on or recycling them.
- Security is more than preventing inappropriate viewing. Think: Deletion and alteration.
- Avoid public computers when working with sensitive information.
- Do not email highly sensitive information. Use an appropriate alternative.
- Be careful what you publish or share electronically; everything online can be permanent.
Best Practices – Cloud Services
Cloud computing brings many opportunities to work remotely from computers as well as mobile devices, but many of the IT security best practices still apply.
Be aware that consumer cloud services have agreements with you as an individual and not with the University, except for those enterprise services the University has authorized such as Microsoft Office 365 and Blackboard. Many consumer services require you to agree that the information stored or shared via the service can be scanned to advertise directly to you or shared with another third party.
To reduce the risk of exposing sensitive information, please remember to follow the best practices above and the following additional steps:
- Do not store or share sensitive information using consumer cloud services. While the convenience of a consumer cloud service is attractive, there is inherent risk of exposure of that information as well. Limit the sharing of sensitive information to recommended Dalhousie services.
- Maintain good password security. Remember to use strong passwords. Saved passwords in a browser can be exposed and should be avoided. On public computers use the private browsing option to reduce the amount of information stored in the browser when it is closed. Do not reuse your Dalhousie credentials on other services like social media or your bank.
- When sharing information, limit who has access to view it. Remember to limit how long an individual has access to information and periodically audit what you have shared to reduce the risk of overexposure of information.
Definition of Sensitive Information
Please consult your supervisor or department head if you have questions about which category the information you work with falls under, and for the best means of sharing the information with others.
- Highly Sensitive information is information which, if it were to be released, may result in significant and substantial harm to the university or members of the university community, or may violate legal or contractual requirements.
- Sensitive information is information which, if it were to be released, could have a negative impact on the university or members of the university community, or may violate legal or contractual requirements.
- Internal Use information may be made available to faculty or staff of the university but is not necessarily appropriate for the general public. (Directory listings, minutes from non-confidential meetings, internal websites, etc.)
- Public Use information can be made generally available to the public.
Last updated: 2014 Jul 11