Responsibility: Associate Vice-Principal IT / Chief Information Officer
Date: May 27, 2014
The following are definitions for key terms used in this policy:
|Sensitive Information||An electronic set of information or data, such as a database, file or document, that is classified as personal, confidential, or operationally-sensitive, as defined under the Queen's University Data Classification Standard. Whether it is stored on or off campus does not matter.|
||A computer, device, or network on which there is a significant operational dependency for the University, a Department or Research Group, and/or which stores, transmits, or provides access to Sensitive Information. In general this refers to computers functioning as servers, and storage devices such as USB keys and portable hard drives, but also extends to personal computers, printers, facsimile and photocopiers which have internal storage capability that could contain Sensitive Information.|
|Unit Head||The Department Head or Director of a Queen's department, or the Principal Investigator or Lead Researcher for a research unit or project.|
||The individual who has primary responsibility for installing, configuring and maintaining an IT Resource. For the purposes of this policy, in the absence of a designated system administrator, the primary owner or user of an IT Resource is regarded as its System Administrator.|
||Safeguards or measures/countermeasures which prevent, counteract or minimize security risks.|
For other terminology, please see Electronic Information Security Definitions and the Queen's University Data Classification Standard.
The purpose of the Network and Systems Security Policy is to ensure the security, integrity and reliability of the University's information technology resources, and the confidentiality of sensitive information, by establishing responsibility for ensuring that IT Resources are installed and maintained in accordance with appropriate security controls, standards and practices.
This policy applies to all employees of Queen's University who manage IT resources where:
This policy also applies by extension to external contractors or agents who are involved in deploying and managing IT resources for the University, a department, or a research group.
There is a wide range of IT Resources used across the University. The following policy statement establishes responsibility for ensuring the required security measures are implemented or used for IT Resources:
Members of the Queen's Community who are responsible for managing IT Resources on which the University or a Faculty, Department or a research group depend, OR which are used to collect, store or provide access to Sensitive Information, must ensure that those Resources are acquired, installed, configured, maintained and disposed of in a manner that is consistent with Queen's Electronic Information Security Policies, Guidelines and Standards, such that those Resources are not compromised, and sensitive information is appropriately protected. More specifically:
Contact Officer: Information Systems Security Manager – ITServices
Related Policies, Procedures and Guidelines: Acceptable Use of Information Technology Resources Policy, Electronic Information Security Policy, Various related Standards, Procedures and Guidelines