
RDM Wise Practices Guidelines

Digital Security

Researchers have a responsibility to ensure that research data is secured. Consult Safeguarding your Research by the Government of Canada for more information.

For medium- to high-risk data, details of data storage (including location, third-party terms of use, access, and security) should be specified in the Informed Consent materials available from the Research Ethics Board (SREB).

Key Considerations

All accounts on your devices (e.g., computer, phone) should be protected by a password, according to Sheridan’s Password Management Procedure. To avoid loss of access if team members leave Sheridan, passwords should be used at the device and/or account level, not to control access to individual research data files or folders. For example, grant access to files and folders through SharePoint permissions, rather than unique passwords.

Medium- to high-risk data must be collected and stored on password-protected devices. Storage on static devices in a secure location, such as a desktop computer in a locked office or an appropriately protected server, is recommended for medium-risk data and required for high-risk data.

Ensure your password:

  • Is at least 8 characters long.
  • Has an element of complexity, e.g., a combination of uppercase and lowercase letters, numbers and special characters, or is a passphrase, i.e., a memorized phrase consisting of a sequence of mixed words that is unique to the account holder and does not relate to you. Try to combine them into something memorable, like L1br@ryt1pS.
  • Is unique across different systems or websites/services.
  • Does not contain a word or a series of words that can be found in a dictionary.
  • Is not a proper name or any variation of one, or a simple keyboard pattern (e.g., qwerty), a series of numbers, etc.
  • Is not your Sheridan ID number, userID or any personal information such as family name, birthday, etc.
  • Is not a reused old password, or a password that can be easily guessed.
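As an added example (not from Sheridan's guidelines or any of its tools), the following Python checker applies the rules above to a candidate password and reports each violation. The word list, keyboard patterns, the three-of-four character-class rule and the four-word passphrase threshold are assumptions, since the page does not specify them.

```python
import hashlib
import re

# Constructed, illustrative word list and keyboard patterns; Sheridan's own lists are not on the page.
DICTIONARY_WORDS = {"password", "welcome", "research", "library", "summer"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "qazwsx")
MIN_LENGTH = 8            # "at least 8 characters long"
MIN_PASSPHRASE_WORDS = 4  # assumed threshold for "a sequence of mixed words"


def is_complex(pw: str) -> bool:
    """Complexity rule: at least three of the four character classes (assumed threshold)."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, pw)) >= 3


def is_passphrase(pw: str) -> bool:
    """Passphrase alternative: several words separated by spaces or hyphens."""
    words = [w for w in re.split(r"[\s-]+", pw) if w]
    return len(words) >= MIN_PASSPHRASE_WORDS


def password_fingerprint(pw: str) -> str:
    """Digest kept for the reuse check. A real system stores salted, slow password hashes;
    plain SHA-256 is used here only to keep the example short."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, personal_info=(), old_hashes=frozenset()) -> list:
    """Return the list of guideline violations; an empty list means the password complies.

    personal_info: strings such as the Sheridan ID, userID, family name or birthday.
    old_hashes: fingerprints of previous passwords, as produced by password_fingerprint().
    """
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (is_complex(pw) or is_passphrase(pw)):
        problems.append("lacks complexity and is not a multi-word passphrase")
    # A passphrase is made of words by design, so the dictionary rule applies to single-token passwords.
    if not is_passphrase(pw) and any(w in lowered for w in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if pw.isdigit() or any(p in lowered for p in KEYBOARD_PATTERNS):
        problems.append("is a keyboard pattern or a plain series of numbers")
    if any(len(info) >= 3 and info.lower() in lowered for info in personal_info):
        problems.append("contains personal information or an ID")
    if password_fingerprint(pw) in old_hashes:
        problems.append("reuses a previous password")
    return problems
```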

Ensure that your password is also:

  • Secret: Never share your passwords with anybody via email or text.
  • Up to date: Change your passwords in response to platform breaches.
  • Secure: Use a strong password on the device (e.g., laptop, phone) you use to access your data.

Passwords must never be shared with anyone, written down or stored in an insecure manner. Consider using a password manager to help you create, store, and remember your passwords. Passwords should be updated in the following cases:

  • The first time the account is accessed
  • Suspected compromise or concern about the security of the account
  • When requested to do so by IT Services

To enhance the security of sensitive accounts, all individuals are required to implement multi-factor authentication (MFA, also known as two-factor authentication or 2FA) where available. MFA requires that more than one credential, or ‘factor’, be provided for identity verification at login, such as a password plus a security code sent to your phone number or generated by an authenticator app (e.g., Microsoft Authenticator).

  • Use platforms provided by IT Services, which are already protected by MFA. If other services are needed, contact IT Services for advice on how to enable MFA.
  • Sheridan’s standard tool is Microsoft Authenticator. Many other web services (Gmail, Dropbox, etc.) provide MFA as well.
  • The frequency of updates may need to be considered based on how frequently the data is accessed.

Encryption is the process of making information unreadable to protect it from unauthorized access. After information has been encrypted, a secret key or password is needed to decrypt it and make it readable again.

Encryption at rest and in transit is recommended for all medium-risk data, wherever feasible, and is required at rest and in transit for all high-risk data.

To encrypt individual files:

  • Microsoft Office or other applications can be used to encrypt documents on a file-by-file basis.

To encrypt your whole drive:

  • Full disk encryption is available on Windows, Mac, iOS, and Android. This protects every file on your device so you don’t need to worry about missing a file. You can also encrypt entire external drives.
  • Researchers should follow the Encryption Standards provided by Sheridan, which include details on requirements and the recommended toolsets to be used in each case.

Data at rest:

  • Laptop and desktop computers: full disk encryption is required.
  • Smartphones, tablets and PDAs: device-level encryption is required.
  • Mobile storage devices/media: device/media-level encryption is required.
  • Cloud services (e.g. Azure, AWS): confidential or restricted information must be encrypted.

Data in transit (unsecured or wireless networks, websites, cloud services): encryption is required for high-risk data.

Procedures for safeguarding and managing encryption keys must be established to maintain security, avoid compromise, and ensure availability of information. Use strong passwords or passphrases and keep encryption keys secure (key strength: a minimum 128-bit key is required; a 512-bit key is recommended). Industry best practice suggests using Azure Key Vault to standardize the management of keys, secrets, and certificates.

Contact IT Services for additional information and guidance.