Physical Records

• Confidential physical records must be stored in locked file cabinets located in secure, access-controlled areas.
• Access logs must be maintained to record who accesses the physical records and when.
• Storage areas must be protected against environmental hazards (e.g., fire, water damage).
• Confidential data must never be left unattended or in plain view.
• When no longer needed, physical records must be securely destroyed (e.g., cross-cut shredding or certified document destruction services).

Electronic Records

Confidential electronic data must be stored only on approved, centrally managed systems. The following controls must be implemented:

• Data must not be stored on personal devices or portable storage (e.g. USB drives).
• Approved storage locations include:
  
  • Western University's centralized servers. 
  • Western University's OneDrive (with institutional account and encryption enabled).
  • Other approved cloud services that meet institutional and regulatory security standards.
• Operating System Hardening: Systems must be configured according to security best practices.
• All stored data must be encrypted at rest using approved cryptographic methods (e.g. AES-256).
• Multi-Factor Authentication (MFA) is required for all systems storing confidential data.
• Access must be restricted to authorized personnel only, following the principle of least privilege.
• Systems must maintain detailed logs of access and administrative actions. Logs must be reviewed periodically.
•  Implement automated monitoring for unauthorized access attempts or anomalies.
• Confidential data must be backed up regularly. Backups must also be encrypted and stored securely.
• Data must be retained only as long as necessary for business or legal purposes.
• When no longer needed, data must be securely deleted using approved data sanitization methods.
• Access permissions and system configurations must be reviewed at least annually or upon role changes.
• If access is required from mobile devices, those devices must be securely managed and comply with university security policies.

Physical Records

• Sensitive physical records must be stored in locked file cabinets located in restricted-access areas.
• Access logs should be maintained where feasible.
• Storage areas must be protected from environmental risks (e.g., fire, water).
• When no longer needed, physical records must be securely destroyed (e.g., shredding).

Electronic Records

Sensitive data may be stored electronically under the following conditions.

• Data must not be stored on personal devices or portable storage (e.g. USB drives) unless that data has been encrypted using approved cryptographic methods (eg. AES-256).
• Approved storage locations:
  • Institutionally managed devices.
  • Western University’s OneDrive.
  • Devices acquired through grant funding that have Western's approved Endpoint Detection and Response (EDR) client deployed.
• All sensitive data is recommended to be encrypted at rest using approved cryptographic methods (eg. AES-256).
• Devices storing sensitive electronic records must use storng passwords.
• Multi-Factor Authentication (MFA) is recommended for all systems storing sensitive electronic records.
• Access must be limited to authorized users.
• Device usage should be logged and reviewed periodically.
• Data should be retained only as long as necessary.
• When no longer needed, data must be securely deleted using approved methods.
• Access permissions and device configurations should be reviewed annually.

Physical Records

No restriction on where data can be stored.

Electronic Records

No restriction on where data can be stored.