Please enable javascript to view this page in its intended format.

Queen's University
 

Queen's University Information Systems Security Policy

Approved by Senate September 25, 2003


Table of Contents

  1. Purpose
  2. Definitions
  3. Scope
  4. Elements
  5. 4.1. Record Access and Use Policy
    4.2. Information System Security Standards
    4.3. System Security Controls and Policies
    4.4. Campus Network
    4.5. Computer User Code of Ethics

  6. Responsibilities
  7. 5.1. Information Technology Services
    5.2. Steward
    5.3. Custodians
    5.4. System Administrators
    5.5. Department Heads
    5.6. Campus Security
    5.7. Internal Audit
    5.8. Vice Principal (Operations and Finance)

  8. Violations
  9. 6.1. Reporting
    6.2. External organizations

  10. Review and Update Process
  11. Questions
  12. Revision History

1. Purpose

Information and information systems are assets of high value to the University. as they are essential to many academic and administrative activities. They must he protected, with the same care as valuable physical assets, from threats such as disclosure, damage or loss, whether accidental or deliberate. The purpose at this policy is to set out the responsibilities of members of the University community to safeguard information assets, ensuring that:

  1. The University meets its commitments to Protect information, such as those defined in the Freedom of Information and Protection of Privacy Guidelines;
  2. The University can continue operations dependent on electronic access to information;
  3. Members and partners of the University community can protect their intellectual property, research data, notes. and personal communications;
  4. and The University maintains its reputation as a soundly managed institution.

 

2. Definitions

For the purposes of this policy and associated standards:

  • data” means a representation of facts, concepts or instructions in a formalized manner suitable for communication, interpretation or processing by human beings or by automatic means;
  • information” is the meaning assigned to data by means of conventions applied to that data;
  •  “information systems” means computers, communication facilities, computer and communication networks and data and information that may be stored, processed, retrieved or transmitted by them. including programs, specifications and procedures for their operation, use and maintenance;
  • "confidentiality” means the characteristic of data and information being disclosed only to authorized persons, entities and processes at authorized times and in the authorized manner;
  • "integrity" means the characteristic of data and information being accurate and complete and the preservation of accuracy and completeness;
  • "availability" means the characteristic of data, information and information systems being accessible and usable on a timely basis in the required manner:
  •  “security" means the protection of confidentiality. integrity and availability;
  •  "university record" and "personal information” are defined in the Freedom of Information and Protection of Privacy Guidelines

 

3. Scope

Information Systems Security Policy applies to all employees, including faculty, support staff, contractors, consultants, and other workers at Queen’s University, and those employees of external organizations who access University information and records. The policy applies to all information systems owned by and/or operated by the University, or that are operated by agents of the University.

This policy covers only information handled via computers arid/or networks. Although the policy and standards may mention other manifestations such as voice and paper, they do not directly address the security of information in these forms.

 

4. Elements

Security of information depends on the security of the systems used to collect, process, store, and communicate it, and the actions of individuals making use of those systems. No one component of a system provides security. Security policy is only effective in the context of a coordinated and comprehensive set of controls, mechanisms, procedures, and behaviors.

Information Systems Security is implemented through the following elements: Policy, Controls, Monitoring, and Recovery. Security policy expresses management’s expectations for security as specific requirements, goals and objectives. Security controls are protective actions, devices, policies, procedures, techniques, or other measures that reduce risk of policy violations, and that identify unwanted events after they have occurred. Monitoring procedures are followed to review data and information produced by security controls, for the purpose of detecting violations of security policy. Recovery procedures are followed to restore security following detection of failures.

 

4.1 Record Access and Use Policy

For every type of university record, the university officer with primary responsibility tor the record, the Steward, shall declare a record access and use policy (AUP) consistent with the Freedom of Information and Protection of Privacy Guidelines (FOIPP) and applicable legislation. (For an example of an AUP, see the Student and Applicant Record Policy.) Stewards should further declare the availability goals for these records. Individuals with primary responsibility for other collections of data and information may declare an access and use policy for the collection. An access and use policy must be declared for research data containing personal information, consistent with the FOIPP.

In the event of a conflict between Information Systems Security Policy and the FOIPP Guidelines, the latter prevails. Individuals have a right of recourse to the Freedom of Information and Protection of Privacy Officer if they feel that the FOIPP Guidelines are not applied appropriately.

 

4.2 Information System Security Standards

In order to construct a security policy that will neither be overlooked, nor ignored, it is necessary to make certain the security policy reflects realistic business goals and business values. Degree of protection must be balanced against cost, convenience, risk probability, and consequences of failure.

Information Technology Services shall declare economically efficient standards for information system security controls, which will provide effective risk mitigation, ensuring that all operations are consistent with the intent of the AUPs on information systems throughout the university. Standards shall he based on current assessments of threats in the operating environment, and shall include applicability statements.

 

4.3 System Security Controls and Policies

Security controls shalt be implemented on information systems, consistent with, and meeting or exceeding, applicable standards based on the information processed, stored or communicated on the system.

System-level access, use, and security policies may he declared as necessary to go beyond the Computer User Code of ethics.

 

4.4 Campus Network

The campus data network is a shared facility with very decentralized decision making. It is recognized that easy access to and from the Internet is important to the academic mission of the university, and that is desirable to extend this access into administrative areas where this can be done with reasonable safety. Within multi-user computing systems and communications networks, actions by one user can compromise security of other users. Members of the university are granted decision-making freedom for equipment connected to the network. This freedom is balanced by a responsibility to avoid placing others and the institution at undue risk. The Network Security Policy sets out minimum requirements in this regard. Information System Security Standards may set more stringent requirements for segments of the network involved in access to specific information systems.

 

4.5 Computer User Code of Ethics

The Queen’s University Computer User Code of Ethics sets out elementary expectations for use of any personal computer, computing or communications facilities owned wholly or partly by Queens University.

 

5. Responsibilities

Every employee, contractor, or other worker must understand the university’s policies and procedures about information security, and must perform his or her work according to such policies and procedures. Any person, group, or custodian accessing University information must recognize the responsibility to preserve the security and confidentiality of this information. Such information shall be used only for conducting University business or as appropriately authorized. Security controls may not be bypassed.

 

5.1 Information Technology Services

The Director of information Technology Services shall be responsible for establishing, maintaining, implementing, administering, and interpreting organization-wide information systems security standards, guidelines, and procedures. The Director of Information Technology Services is therefore also responsible for activities related to this policy. While responsibility for information systems security on a day-to-day basis is every employee’s duty, specific guidance, direction, and authority for information systems security is centralized for all of the University in the Information Technology Services Department. Accordingly, this Department will designate an Information Systems Security Manager to advise on policy and practices, perform information systems risk assessments, prepare information systems security action plans, evaluate information security products, and perform other activities necessary to assure a secure information systems environment.

The Director of Information Technology Services is further responsible for:

  • Conducting investigations into any alleged computer or network security compromises, incidents, or problems;
  • Providing security guidance to Stewards and independent system owners;
  • Investigating technical aspects of violations of security policy and standards, and reporting to the appropriate university officers;
  • Conducting the information Systems Security Policy review and update cycle specified below;
  • Promoting security awareness to the University computing community.

 

5.2 Steward

A Steward is a department head, or delegate, within the university who bears responsibility for the collection, processing, and maintenance of university records. Every Steward shall ensure that:

  • Each database, master file, and other shared collection of information, is designated with its privacy requirements, its availability requirements for ongoing operations, which users will be permitted to access it, its authorized uses, and the assignment of Custodian responsibilities (see below);
  • Security controls are routinely audited to verify their effectiveness and to detect inconsistencies with policy.

The Steward may delegate detailed duties in an individual to:

  • Maintain detailed knowledge of the data within their trust;
  • Interpret pertinent laws and University policies to classify data and define its level of sensitivity;
  • Define required levels of security, including those for data transmission;
  • Develop guidelines for requesting access;
  •  Review and authorize access requests;
  • Establish measures to ensure data integrity for access and update to data:
  • Provide data descriptions to inform data users about available sharable data, how to access the data, and what the data means;
  • Promote accurate interpretation of administrative data and publicize the rules and conditions that could affect the accurate presentation of that data;
  • Review usage information;
  • Assist with disaster recovery planning;
  • Define criteria for archiving data to satisfy retention requirements.

 

5.3 Custodians

Any unit maintaining electronic administrative systems, applications, or data is responsible for implementing a level of security consistent with that defined by the Steward and applicable Standards. A Custodian is in physical or logical possession of either university records, or information that has been entrusted to the university, and is responsible to implement security controls. While Information Technology Services staff members clearly are Custodians, distributed multi-user system administrators are also Custodians. Whenever information is maintained only on a personal computer, the User of that computer is necessarily also the Custodian. Each type of record storage and processing system must have one or more designated Custodians. Custodians are responsible for:

  • Developing, maintaining, and documenting an internal security plan to include data integrity, authentication, recovery, and continuity of operations that support administrative data;
  • Ensuring that access to data and applications is secured as required by the Steward;
  • Providing adequate operational controls to ensure data protection;
  • Ensuring that access requests are authorized;
  • Communicating appropriate use, and consequences of misuse, to users, who access the systems or data;
  • Modifying access when employees terminate or transfer;
  • Protecting sensitive files and access control files from unauthorized activity;
  • Securing data transmissions within the levels defined by the Steward;
  • Ensuring LAN and workstation integrity through virus protection measures and policies;
  • Performing day-to-day security administration;
  • Maintaining access and audit records;
  • Creating, distributing, and following up on security violation reports.

 

5.4 System Administrators

Every independent computer and communications system administrator shall act to preserve security of shared facilities, and ensure that systems they administer are operated in accordance with all applicable Information Security Standards and Policies.

 

5.5 Department Heads

Department Heads, including Directors, are responsible for ensuring that security policy is implemented within the unit. These duties may be delegated; however, it is the responsibility of the head to:

  • Ensure that unit employees understand security policies, procedures, and responsibilities;
  • Provide and maintain safeguards for information systems within his/her authority, consistent with policies and standards;
  • Approve appropriate data access, allowing staff to complete business-related assignments;
  • Review, evaluate, and respond to all security violations reported against staff, and take appropriate action;
  • Communicate to appropriate campus and University departments when employee departures, arrivals, and changes affect computer access.

 

5.6 Campus Security

Campus Security is responsible for liaising with law enforcement in investigations into computer or network security incidents that potentially involve criminal activity.

 

5.7 Internal Audit

In accordance with the Internal Audit Policy Statement, the Department of Internal Audit has the authority to examine and appraise the adequacy and effectiveness of this policy to protect against current risks, and to determine compliance with this policy throughout the university.

 

5.8 Vice-Principal (Operations and Finance)

The Vice Principal (Operations and Finance) will be responsible for actions pursuant to this policy.

 

6. Violations

It is a violation of this policy to fail to comply with security practices established under its authority. First violations of information security policies or procedures, where the action is inadvertent or accidental, will result in a warning. Intentional violations are disciplinary matters for the responsible department head. Access may be suspended during investigation of an incident, on authority of the responsible department head or the Director of Information Technology Services.

 

6.1 Reporting

Violations of record access and use policies (AUPs) shall be reported expeditiously to the responsible Steward.

The Steward shall disclose any breach of the security of an information system, following discovery or notification of the breach in the security of the system, to any subject whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the information system.

All violations of Information Systems Security Policy and detected instances of non-adherence to Information Systems Security Standards, shall be recorded in a form approved by, and accessible to individuals authorized by, the Vice Principal (Operations and Finance). The VP is designated the Steward of these records, and shall determine the access and use policy. Any violation of Information Systems Security Policy involving an ITS staff member must he reported to the Associate Vice Principal Human Services, and the Director of Internal Audit.

 

6.2 External Organizations

Any relationship where external organizations access or store University information and records shall do so only under contracts which include adequate penalties for violations of this policy.

 

7. Review and Update Process

The Director of information Technology Services shall, in consultation with the Information Systems Security Manager, internal Audit, the Administrative Computing Steering Committee, and the Senate Information Technology Committee, review this Information Systems Security Policy no less frequently than every three years.

The Information Systems Security Manager shall review Information Systems Security Standards annually to ensure they result in effective and efficient protection against current risks. Revisions shall be submitted to the Senate Information Technology Committee and the Administrative Computing Steering Committee for approval.

A contingent review shall be conducted if a significant loss occurs due to a risk that has not been adequately addressed in either Policy or Standards.

 

8. Questions

Questions relating to this policy may be directed to the Information Systems Security Manager in Information Technology Services.

 

9. Revision History

2003 April: First version

Kingston, Ontario, Canada. K7L 3N6. 613.533.2000