Approved by Senate September 25, 2003
Information and information systems are assets of high value to the University, as they are essential to many academic and administrative activities. They must be protected, with the same care as valuable physical assets, from threats such as disclosure, damage or loss, whether accidental or deliberate. The purpose of this policy is to set out the responsibilities of members of the University community to safeguard information assets, ensuring that:
For the purposes of this policy and associated standards:
This Information Systems Security Policy applies to all employees, including faculty, support staff, contractors, consultants, and other workers at Queen's University, and to those employees of external organizations who access University information and records. The policy applies to all information systems owned and/or operated by the University, or operated by agents of the University.
This policy covers only information handled via computers and/or networks. Although the policy and standards may mention other manifestations such as voice and paper, they do not directly address the security of information in these forms.
Security of information depends on the security of the systems used to collect, process, store, and communicate it, and the actions of individuals making use of those systems. No one component of a system provides security. Security policy is only effective in the context of a coordinated and comprehensive set of controls, mechanisms, procedures, and behaviors.
Information Systems Security is implemented through the following elements: Policy, Controls, Monitoring, and Recovery. Security policy expresses management's expectations for security as specific requirements, goals and objectives. Security controls are protective actions, devices, policies, procedures, techniques, or other measures that reduce risk of policy violations, and that identify unwanted events after they have occurred. Monitoring procedures are followed to review data and information produced by security controls, for the purpose of detecting violations of security policy. Recovery procedures are followed to restore security following detection of failures.
For every type of university record, the university officer with primary responsibility for the record, the Steward, shall declare a record access and use policy (AUP) consistent with the Freedom of Information and Protection of Privacy Guidelines (FOIPP) and applicable legislation. (For an example of an AUP, see the Student and Applicant Record Policy.) Stewards should further declare the availability goals for these records. Individuals with primary responsibility for other collections of data and information may declare an access and use policy for the collection. An access and use policy must be declared for research data containing personal information, consistent with the FOIPP.
In the event of a conflict between Information Systems Security Policy and the FOIPP Guidelines, the latter prevails. Individuals have a right of recourse to the Freedom of Information and Protection of Privacy Officer if they feel that the FOIPP Guidelines are not applied appropriately.
In order to construct a security policy that will be neither overlooked nor ignored, it is necessary to make certain that the security policy reflects realistic business goals and business values. The degree of protection must be balanced against cost, convenience, risk probability, and the consequences of failure.
Information Technology Services shall declare economically efficient standards for information system security controls, which will provide effective risk mitigation, ensuring that all operations are consistent with the intent of the AUPs on information systems throughout the university. Standards shall be based on current assessments of threats in the operating environment, and shall include applicability statements.
Security controls shall be implemented on information systems, consistent with, and meeting or exceeding, applicable standards based on the information processed, stored or communicated on the system.
System-level access, use, and security policies may be declared as necessary to go beyond the Computer User Code of Ethics.
The campus data network is a shared facility with very decentralized decision making. It is recognized that easy access to and from the Internet is important to the academic mission of the university, and that it is desirable to extend this access into administrative areas where this can be done with reasonable safety. Within multi-user computing systems and communications networks, actions by one user can compromise the security of other users. Members of the university are granted decision-making freedom for equipment connected to the network. This freedom is balanced by a responsibility to avoid placing others and the institution at undue risk. The Network Security Policy sets out minimum requirements in this regard. Information System Security Standards may set more stringent requirements for segments of the network involved in access to specific information systems.
The Queen's University Computer User Code of Ethics sets out elementary expectations for use of any personal computer, computing or communications facilities owned wholly or partly by Queen's University.
Every employee, contractor, or other worker must understand the university's policies and procedures about information security, and must perform his or her work according to such policies and procedures. Any person, group, or custodian accessing University information must recognize the responsibility to preserve the security and confidentiality of this information. Such information shall be used only for conducting University business or as appropriately authorized. Security controls may not be bypassed.
The Director of Information Technology Services shall be responsible for establishing, maintaining, implementing, administering, and interpreting organization-wide information systems security standards, guidelines, and procedures. The Director of Information Technology Services is therefore also responsible for activities related to this policy. While responsibility for information systems security on a day-to-day basis is every employee's duty, specific guidance, direction, and authority for information systems security is centralized for all of the University in the Information Technology Services Department. Accordingly, this Department will designate an Information Systems Security Manager to advise on policy and practices, perform information systems risk assessments, prepare information systems security action plans, evaluate information security products, and perform other activities necessary to assure a secure information systems environment.
The Director of Information Technology Services is further responsible for:
A Steward is a department head, or delegate, within the university who bears responsibility for the collection, processing, and maintenance of university records. Every Steward shall ensure that
The Steward may delegate detailed duties to an individual to:
Any unit maintaining electronic administrative systems, applications, or data is responsible for implementing a level of security consistent with that defined by the Steward and applicable Standards. A Custodian is in physical or logical possession of either university records, or information that has been entrusted to the university, and is responsible to implement security controls. While Information Technology Services staff members clearly are Custodians, distributed multi-user system administrators are also Custodians. Whenever information is maintained only on a personal computer, the User of that computer is necessarily also the Custodian. Each type of record storage and processing system must have one or more designated Custodians. Custodians are responsible for:
Every independent computer and communications system administrator shall act to preserve security of shared facilities, and ensure that systems they administer are operated in accordance with all applicable Information Security Standards and Policies.
Department Heads, including Directors, are responsible for ensuring that security policy is implemented within the unit. These duties may be delegated; however, it is the responsibility of the head to:
Campus Security is responsible for liaising with law enforcement in investigations into computer or network security incidents that potentially involve criminal activity.
In accordance with the Internal Audit Policy Statement, the Department of Internal Audit has the authority to examine and appraise the adequacy and effectiveness of this policy to protect against current risks, and to determine compliance with this policy throughout the university.
The Vice Principal (Operations and Finance) will be responsible for actions pursuant to this policy.
It is a violation of this policy to fail to comply with security practices established under its authority. First violations of information security policies or procedures, where the action is inadvertent or accidental, will result in a warning. Intentional violations are disciplinary matters for the responsible department head. Access may be suspended during investigation of an incident, on authority of the responsible department head or the Director of Information Technology Services.
Violations of record access and use policies (AUPs) shall be reported expeditiously to the responsible Steward.
The Steward shall disclose any breach of the security of an information system, following discovery or notification of the breach in the security of the system, to any subject whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the information system.
All violations of Information Systems Security Policy and detected instances of non-adherence to Information Systems Security Standards shall be recorded in a form approved by, and accessible to individuals authorized by, the Vice Principal (Operations and Finance). The VP is designated the Steward of these records, and shall determine their access and use policy. Any violation of Information Systems Security Policy involving an ITS staff member must be reported to the Associate Vice Principal Human Services and the Director of Internal Audit.
Any relationship where external organizations access or store University information and records shall do so only under contracts which include adequate penalties for violations of this policy.
The Director of Information Technology Services shall, in consultation with the Information Systems Security Manager, Internal Audit, the Administrative Computing Steering Committee, and the Senate Information Technology Committee, review this Information Systems Security Policy no less frequently than every three years.
The Information Systems Security Manager shall review Information Systems Security Standards annually to ensure they result in effective and efficient protection against current risks. Revisions shall be submitted to the Senate Information Technology Committee and the Administrative Computing Steering Committee for approval.
A contingent review shall be conducted if a significant loss occurs due to a risk that has not been adequately addressed in either Policy or Standards.
Questions relating to this policy may be directed to the Information Systems Security Manager in Information Technology Services.
2003 April: First version