Identify & Remedy Dangerous Working Practices

Improve User Handling of Organizational Records

Targeted Behaviour

Working copies of Records are being abandoned in unsecured locations.

Directive

Files temporarily retrieved from records management systems for editing or reference must be returned correctly to the records management system after edits have been made, and all reference copies must be deleted as soon as work is complete.

Records may not be indefinitely stored in Home Drives, SharePoint Sites, Office365 file shares, or on NAS storage. Records may only be stored in designated records management systems.

Policy Requirements

Scan once per week for files containing ‘customer numbers’, ‘employee numbers’, ‘supplier numbers’, social security numbers, credit card numbers, and/or other specific PII/PCI data that have not been accessed/modified within the past seven days.
Notify Data Stewards/Records Managers when suspected records have been identified.
Require that Data Stewards/Records Managers review file lists and perform appropriate actions.

Avoid Unnecessary Retention of Sensitive Job Applicant Data

Targeted Behaviour

Personal letters and CVs collected during recruitment processes are being retained within Managers’ Home Drives. The sensitive personal data within these files is not appropriately secured.

Directive

Personal letters and CVs collected during recruitment processes must be destroyed immediately after the position is filled. If the manager wishes to retain these documents for future reference, then a dedicated location can be provided.

Policy Requirements

Home Drives (including O365 file storage) are scanned on a monthly basis.
Files containing relevant strings/patterns (social security number, “CV”, etc.) are identified.
The owners of identified files are notified, asked to remove the offending files and reminded of the organizational directive.

Remove Practices of Storing Password Details in Files

Targeted Behaviour

Users are storing personal passwords as well as application and service account login information in file shares.

Directive

Users must store all login credentials (including user names and passwords for personal accounts) in a dedicated system (KeePass). No ID or password information may be stored in files, encrypted or otherwise.

Policy Requirements

File shares and O365 file storage are scanned once per month.
Files containing text strings associated with passwords and user IDs are identified.
The owners of identified files are notified, asked to check the file contents and reminded of the organizational directive.

Ensure Destruction of Sensitive Annual Review Data

Targeted Behaviour

Sensitive personal data, including salary information, is distributed to managers on an annual basis to support annual review processes. These files are not being appropriately deleted after the conclusion of review processes.

Directive

Employee information that is provided in support of annual review processes must be deleted following completion of these processes. Historical information can be provided upon request and should therefore not be retained independently by managers.

Policy Requirements

Home Drives (including O365 file storage) and Common Shares are scanned on a monthly basis.
Files containing relevant strings/patterns (“Annual Review”, “Salary” and employee numbers) are identified.
The owners of identified files are notified, asked to remove the offending files and reminded of the organizational directive.
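As an added example (not part of the original policy and not any organization's tooling), the scanning step shared by the four Policy Requirements sections above: walk a share, flag files whose content matches the named string patterns, and apply the first section's seven-day accessed/modified filter so live working copies are not reported. The regexes, the Luhn filter on card-like numbers and the sample files are assumptions constructed for this demonstration.

```python
import os, re, tempfile, time
from pathlib import Path
# Regexes standing in for the page's SSN, card, credential and review patterns (assumed here).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "credential": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]"),
    "review": re.compile(r"(?i)\b(annual review|salary)\b"),
}
STALE_AFTER = 7 * 24 * 3600  # "not accessed/modified within the past seven days"

def luhn_ok(digits):
    """Luhn checksum: rejects card-like digit runs that cannot be real card numbers."""
    doubled = (int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits)))
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def scan_file(path, now):
    """Pattern names found in a stale file; None if the file is fresh or clean."""
    st = os.stat(path)  # stat before reading so the read does not refresh atime
    if now - max(st.st_mtime, st.st_atime) < STALE_AFTER:
        return None  # recently used: a live working copy, not an abandoned record
    text = Path(path).read_text(errors="ignore")
    hits = {name for name, rx in PATTERNS.items()
            if any(name != "card" or luhn_ok(re.sub(r"\D", "", m.group()))
                   for m in rx.finditer(text))}
    return sorted(hits) or None

def scan_tree(root, now=None):
    """Map each flagged file (path relative to the share root) to its patterns."""
    now, findings = time.time() if now is None else now, {}
    for full in (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs):
        hits = scan_file(full, now)
        if hits:
            findings[os.path.relpath(full, root)] = hits
    return findings

def demo():
    """Constructed sample share: two stale offending files, one fresh working copy."""
    root, old = tempfile.mkdtemp(), time.time() - 10 * 24 * 3600
    samples = {"home/alice/cust_export.csv": ("ssn 123-45-6789 card 4111 1111 1111 1111", old),
               "home/bob/notes.txt": ("svc_account password: hunter2", old),
               "home/carol/draft.txt": ("ssn 987-65-4321, edit in progress", None)}
    for rel, (text, mtime) in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        if mtime:
            os.utime(p, (mtime, mtime))  # backdate both atime and mtime
    return scan_tree(root)
```

The findings dict is what would be handed to the Data Stewards or file owners for review; Carol's fresh draft is deliberately absent because the seven-day filter treats it as work in progress.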