Confidentiality Requirements and Win File Services


These guidelines were derived from the IT Security Policies Web site. Administrators and data owners should determine their own requirements for their data.

Definitions

In this document, we are referring to the Central IT Win Domain File Services. Share Administrators (SA) refer to the IT Professional (IT Pro) and designees who requested the share. Domain Administrators (DA) refer to IT-NSS staff.

Confidentiality Requirements | Win File Service Policy

UDel passwords are highly confidential and should NEVER be used for any cloud/Web-based service, application, or Web site.

Win File Services is a central UD IT service.

When not stored or transmitted on an IT legacy system like PeopleSoft, information must be protected with strong passwords and stored on servers that have protection and encryption measures.

Data is NOT encrypted at rest by default. Files can be encrypted by the SA.

Confidential information must be encrypted when transmitted over any communication network or stored, including encrypted backups.

SMB traffic is NOT encrypted by default. Files can be encrypted and decrypted by the SA.

Daily backups are stored in a secure off-site location.

Discrete backup copies for point-in-time recovery are made but are not stored off site. A continuous real-time DR copy is active for the most current file version and is also available for fail-over if needed.

Transmission via email must be encrypted and secured with a digital signature (UD Dropbox preferred).

Data is NOT encrypted at rest by default. Files can be encrypted by the SA.

Avoid faxing or printing. When sent via fax, it must be sent only to a previously established and used address, or one that has been verified as using a secured location. Include a cover sheet stating fax is “Confidential” and to be read only by the named recipient. When printed, label copies as “Confidential” and store in a secure location.

N/A.

Should not be stored on a laptop, mobile device, or individual workstation. If necessary, encryption of stored data is required. Confidential information should only be stored on departmental or central IT servers, and it must not be stored on personally owned devices.

This can be accommodated by disabling offline files on the client laptop.

Access via mobile devices is strongly discouraged.

Access through UD VPN is not blocked.

Must not be disclosed to external parties without explicit management authorization.

Determined by the SA.

Unauthorized disclosure or loss of confidential information must be reported to UD Information Security (secadmin@udel.edu) or the IT Support Center (consult@udel.edu) to activate the incident response process.

Determined by the SA.

If logging in to the host server directly (vs. Web access), access is restricted to secure UD network connections or via UD VPN SSL (encrypted tunnel) if accessed from outside the University network.

Access is protected by a firewall to UD wired connections, the VPN, and UDel secure wireless connections only.

Audit logs of read and update access.

Determined by the SA.

Confidentiality agreement (optional).

Determined by the SA.

Requirements for Official Use Only

Must not be posted on any public website.

N/A.

Viewing and modification restricted to authorized individuals as needed (least privilege required) for business-related roles.

Determined by the SA.

Authentication and authorization required for access.

Determined by the SA.

Daily backups.

Done by DA.

Access must be immediately removed from any person that no longer requires it as part of their job function.

Determined by the SA.

Audit logs of change.

Determined by the SA.

Follow OS-specific best practices for system management and security.

Done by DA.

Report the loss of OUO data to a director-level position who will consult with UD Information Security to determine the requirements, if any, for further reporting.

Determined by the SA.

Must be stored only in a locked drawer, room or an area where access is controlled, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by any persons without a need-to-know.

Yes.

Must be destroyed when no longer needed subject to the University’s Records Management Policy.    

Note: SA is responsible for ensuring data on share is compliant with the Records Management Policy.

Hard copies must be destroyed by shredding or another process that destroys the data beyond either recognition or reconstruction.

Determined by the SA.

Electronic storage media shall be sanitized appropriately prior to disposal.

Done by DA.

Requirements for Public Information

No restriction on viewing.

Determined by the SA.

Modification requires data steward or designee authorization.

Determined by the SA.

Electronic devices used to store public information should meet minimum security best practices.

Password protection (data add, delete, update).

Logon to the share is required.

Automatic operating system and application updates.

Updates are not automatic, but are done regularly to ensure availability. Done by DA.

Anti-virus software updated regularly.

Done by DA.

Screen lock/automatic log out.

N/A.

Separate administrative/user accounts.

Yes.

Regular backups.

Done by DA.

Software firewall.

Done by DA.

Criticality

Availability

Data is stored in an active/active setup between Chapel Street and DR. Data is synced continuously. IT-NSS has monitoring in place to ensure data is synced and that the servers are operating normally.

Integrity 

Shadow copies are taken every 4 hours (these are differential snapshots). Backups are taken nightly and retained for 90 days.

Ownership rights 

End departments retain ownership (and responsibility) for the data.

Support 

Support is provided via IT Support Center and IT-NSS.

Information sharing 

Sharing is determined by SA.