Security Plan

Security Plan #

1. Policy Statement #

Creating a secure environment in which to operate is an important part of establishing the level of stability required of a Trusted Digital Repository. Scholars Portal recognizes that there are two main areas of vulnerability to consider: the vulnerability of the information systems and data, and the vulnerability of the physical space in which the servers housing the Scholars Portal systems and data reside. The Scholars Portal Operations Team uses industry best practices and a strict evaluation of necessary access in order to mitigate risk associated with unauthorized access to these resources.

2. Security Implementation #

2.1 Information systems security #

Except as necessary to provide external access to the Designated Community, SP servers are located on an internal network to which only SP staff machines and other servers have access. In addition, SP IT staff enforce strict control over user privileges within all SP systems. Any SP staff who needs to work with production SP systems in the course of their work only has access to do the tasks specific to their duties.

Once a storage volume is full, it is remounted on each server as a read-only volume. At that point, changes to any of the material, whether intentional or accidental, are only possible from the SAN console itself.

2.2. Physical Security #

All Scholars Portal services and data are housed on servers located in a secure computing facility at the University of Toronto and at partner institutions that serve as hosts for nodes of the Ontario Library Research Cloud. Access to these spaces is restricted only to authorized individuals, is subject to monitoring by staff during business hours, and is monitored by a series of motion detectors and alarm systems during non-business hours. These alarm systems are connected to library security and a contracted security firm, who can escalate calls to either campus or municipal police.

3. Security policies and procedures #

Data centres at the University of Toronto follow both the Policy on Information Technology and the Policy on Information Security and the Protection of Digital Assets.

All digital assets at the University of Toronto are required to follow the Information Security Standard, which provides a set of baseline controls and minimum standards for information security at the University. These standards are endorsed by the University’s Information Security Council and are aligned with the National Institute of Standards and Technology (NIST) 800-171 for the protection of data. These standards also include an Incident Security Response Plan.

The Information Security and Enterprise Architecture department at the University of Toronto, as per the policy for digital assets, has also developed a procedure for reporting an information security incident or event and a set of guidelines for the University of Toronto community to mitigate risks associated with information security. These guidelines include recommendations and requirements for the protection of data centres at the University of Toronto.

Review Cycle #