This policy framework groups policies and supporting materials relating to the security and integrity of the University's information and technology resources, and information that is in our care. All members of the Queen's community have a responsibility to preserve the integrity and reliability of the University's IT infrastructure, and the confidentiality of valuable or sensitive information. These policies should be read with the following Guiding Principles in mind:
| Term | Definition |
|---|---|
| Queen's University Data Classification Standard | A key element of this Framework which categorizes various types of information or data according to the level of protection or safeguarding they require. |
| Sensitive Information | An electronic set of information or data, such as a database, file or document, that is classified as personal, confidential, or operationally-sensitive, as defined under the Queen's University Data Classification Standard. Whether it is stored on or off campus does not matter. |
| IT Resource | A computer, device, or network on which there is a significant operational dependency for the University, a Department or Research Group, and/or which stores, transmits, or provides access to Sensitive Information. This includes computers functioning as servers, and storage devices such as USB keys and portable hard drives, but may also be personal computers, printers, facsimile and other devices which have internal storage capability that could contain Sensitive Information. |
| Unit Head | The Department Head or Director of a Queen's department, or the Principal Investigator or Lead Researcher for a research unit or project. |
| System Administrator | The individual who has primary responsibility for installing, configuring and maintaining an IT Resource. In the absence of a designated system administrator, the primary owner or user of an IT Resource is regarded as its System Administrator. |
| Security Controls | Safeguards or measures which eliminate, counteract or minimize security risks. |
The intent and scope of these policies make it necessary for there to be some technical terminology. A glossary of Electronic Information Security Definitions is provided to aid understanding.
The purpose of the Queen's Information Security Policy Framework is to establish or foster:
The Framework consists of three primary Policies:
| Policy | Purpose and/or Scope |
|---|---|
| Electronic Information Security Policy | Preserving and protecting the University's electronically maintained information assets, and the privacy of electronically maintained personal and confidential information. |
| Acceptable Use of Information Technology Resources Policy | Establishing what the University's information technology resources may or may not be used for, and ensuring there is equitable access to them. |
| Network and Systems Security Policy | Preserving the security, integrity, reliability and availability of the University's information technology infrastructure. |
The Policies establish what each person's responsibilities are. Procedures, Standards and Guidelines are intended to establish how each person upholds those responsibilities under the Policies.
These policies apply to:
The Chief Information Officer (CIO) or his or her designates have the authority to investigate suspected or alleged non-compliance with these policies on behalf of the University. They will assess the significance of any alleged non-compliance, and determine a course of action through consultation with appropriate University officers. Serious non-compliance will be referred to the appropriate disciplinary body or process.
Where there are reasonable and probable grounds to believe that a failure to take action to address a non-compliance situation could result in significant harm to a person or University property, the CIO or his or her designate has the authority to enact emergency measures, the sole purpose of which is to contain a serious situation or mitigate a serious risk. Examples of such situations include, but are not limited to:
Immediate measures can include the immediate restriction or complete suspension of an individual's or group's access to computing and network facilities and services, and/or the disconnection of a system or device which threatens the security or integrity of Queen's IT resources or of personal or confidential information. Such measures will remain in effect until it has been determined that the non-compliance has been appropriately dealt with and any risks have been mitigated or eliminated.
Contact Officer: Information Systems Security Manager, ITServices
Related Policies, Procedures and Guidelines: Electronic Information Security Policy, Acceptable Use of Information Technology Resources Policy, Network and Systems Security Policy