Improve User Handling of Organizational Records
Targeted Behaviour
Working copies of Records are being abandoned in unsecured locations.
Directive
Files temporarily retrieved from records management systems for editing or reference, must be returned correctly to the records management system after edits have been made and all reference copies must be deleted as soon as work is complete.
Records may not be indefinitely stored in Home Drives, SharePoint Sites, Office365 file shares, or on NAS storage. Records may only be stored in designated records management systems.
Policy Requirements
| Scan once per week for files containing ‘customer numbers’, ‘employee numbers’, ‘supplier numbers’, social security numbers, credit card numbers, and/or other specific PII/PCI data, that have not been accessed/modified within the past seven days. |
| Notify Data Stewards/Records Managers when suspected records have been identified. |
| Require that Data Stewards/Records Managers review file lists and perform appropriate actions. |
Avoid Unnecessary Retention of Sensitive Job Applicant Data
Targeted Behaviour
Personal letters and CVs collected during recruitment processes are being retained within Managers’ Home Drives. The sensitive personal data within these files is not appropriately secured.
Directive
Personal letters and CVs collected during recruitment processes must be destroyed immediately after the position is filled. If the manager wishes to retain these documents for future reference then a dedicated location can be provided.
Policy Requirements
| Home Drives (including O365 file storage) are scanned on a monthly basis. |
| Files containing relevant strings/patterns (social security number, “CV”, etc.) are identified. |
| The owners of identified files are notified, asked to remove the offending files and reminded of the organizational directive. |
Remove Practices of Storing Password Details in Files
Targeted Behaviour
Users are storing personal passwords as well as application and service account login information in file shares.
Directive
Users must store all login credentials (including user names and passwords for personal accounts) in a dedicated system (KeePass). No ID or password information may be stored in files, encrypted or otherwise.
Policy Requirements
| File shares and O365 file storage are scanned once per month. |
| Files containing text strings associated with passwords and user IDs are identified. |
| The owners of identified files are notified, asked to check the file contents and reminded of the organizational directive. |
Ensure Destruction of Sensitive Annual Review Data
Targeted Behaviour
Sensitive personal data, including salary information, is distributed to managers on an annual basis to support annual review processes. These files are not being appropriately deleted after the conclusion of review processes.
Directive
Employee information that is provided in support of annual review processes must be deleted following completion of these processes. Historical information can be provided upon request and should therefore not be retained independently by managers.
Policy Requirements
| Home Drives (including O365 file storage) and Common Shares are scanned on a monthly basis. |
| Files containing relevant strings/patterns (“Annual Review”, “Salary” and employee numbers) are identified. |
| The owners of identified files are notified, asked to remove the offending files and reminded of the organizational directive. |
