Information Security Guideline
UBC Systems are exempt from encryption requirements if they are fully compliant with the criteria below, and they have been documented in a completed and submitted Encryption Exemption Attestation Form:
Direct Attached Storage (DAS) – External
External Direct Attached Storage (DAS) is an external array of drives that is not considered portable, and cannot easily be carried or moved by an average individual.
- The DAS requires a Server or host system to operate.
- The DAS is not network accessible without a host system.
- The DAS is locally mounted on a host, e.g. connected via Thunderbolt 3.
- The DAS is physically secured via security cable, locking cabinet or other similar physical security measure.
- The information on the DAS is Low Risk Information only and will never change to be of a higher risk level.
Direct Attached Storage (DAS) – Internal
Internal Direct Attached Storage (DAS) is DAS that is internal and housed in a Server.
- The Server housing the DAS is physically secured via security cable, locking cabinet or other similar physical security measure.
- The information on the Server is Low Risk Information only and will never change to be of a higher risk level.
Kiosk
Kiosks are interactive terminals for short-term use that provide access to specific information and applications without a user login.
- Software or process controls that wipe session data (including anything cached locally) are in place. The recommended frequency is daily, but at a minimum at least once per week.
- Logs are sent elsewhere (e.g. a separate log storage service) prior to session data being wiped.
- The terminal is not visible or accessible from the Internet.
- USB ports are disabled.
- CD/disk drives are disabled.
- Endpoint Detection and Response (EDR) software approved by the CISO has been installed.
- The information on the Kiosk is Low Risk Information only and will never change to be of a higher risk level.
Public Workstation
Public Workstations are permanent, shared Workstations for short-term use that require a user login.
- Individual user login is required to access the Workstation (CWL recommended). No generic logins permitted.
- Software or process controls that wipe session data (including anything cached locally) are in place. The recommended frequency is after every session, but at a minimum daily.
- Logs are sent elsewhere (e.g. a separate log storage service) prior to session data being wiped.
- Authenticated sessions must timeout as follows, after which Users must reauthenticate to continue an existing session or establish a new session:
- after a maximum session length of 12 hours; and
- where reasonable, after 30 minutes of User inactivity.
- The Workstation is not visible or accessible from the Internet.
- CD/disk drives are disabled.
- Endpoint Detection and Response (EDR) software approved by the CISO has been installed.
Instructional Lab Workstation
Instructional lab workstations are located in an instructional lab space for students that require a user login. These do not include Workstations dedicated to a specific course or used for research.
- Individual user login is required to access the Workstation (CWL recommended). No generic logins permitted.
- Software or process controls that wipe session data (including anything cached locally) are in place. The recommended frequency is after every session, but at a minimum daily.
- Logs are sent elsewhere (e.g. a separate log storage service) prior to session data being wiped.
- Authenticated sessions must timeout as follows, after which Users must reauthenticate to continue an existing session or establish a new session:
- after a maximum session length of 12 hours; and
- where reasonable, after 30 minutes of User inactivity.
- Endpoint Detection and Response (EDR) software approved by the CISO has been installed.
- (Recommended) The Workstation is not visible or accessible from the Internet.
Instrument Controller – No data stored
Instrument controllers – No data stored are Workstations used for controlling instrumentation where no data is stored on the Workstation.
- The Workstation is not visible or accessible from the Internet.
- USB ports are disabled, except when used for serial license keys.
- Endpoint Detection and Response (EDR) software approved by the CISO is installed where technically possible, as per the Securing Computing and Mobile Storage Devices/Media standard.
- (Recommended) Screensaver Locks/Idle Timeout has been set as per the Securing Computing and Mobile Storage Devices/Media standard.
Instrument Controller – Data stored
Instrument controllers – Data stored are Workstations used for controlling instrumentation where data captured from the instrument (e.g. microscope, IoT Device, MRI machine, genetic sequencer) is stored on the Workstation.
- Individual user login is required to access the Workstation (CWL recommended). No generic logins permitted.
- Authenticated sessions must timeout as follows, after which Users must reauthenticate to continue an existing session or establish a new session:
- after a maximum session length of 12 hours; and
- where reasonable, after 30 minutes of User inactivity.
- The Workstation is not visible or accessible from the Internet.
- USB ports are disabled, except when used for serial license keys.
- Endpoint Detection and Response (EDR) software approved by the CISO is installed where technically possible, as per the Securing Computing and Mobile Storage Devices/Media standard.
Lectern/Podium Workstation
Lectern/podium workstations are multi-purpose Workstations located in a classroom for instructor use.
- Individual user login is required to access the Workstation (CWL recommended). No generic logins permitted.
- Authenticated sessions must timeout as follows, after which Users must reauthenticate to continue an existing session or establish a new session:
- after a maximum session length of 12 hours; and
- where reasonable, after 30 minutes of User inactivity.
- The Workstation is not visible or accessible from the Internet.
- Endpoint Detection and Response (EDR) software approved by the CISO has been installed.
Related Documents and Resources
- Encryption Requirements standard
- Encryption Exemption Attestation Form (with CWL credentials)
- Systems for Encryption Exemption
Criteria Last Revised: 2023-09