Governance Instruments

Governance Instruments


Digital Information Security Policies establish accountability and responsibility for university cybersecurity objectives, and the authority to act on behalf of the University in response cybersecurity incidents and breaches, and to observed, known, or suspected cases of non-compliance with the policies and standards.  

Enterprise Standards

Enterprise Standards establish a standards approach for selecting and implementing mitigating technical, physical, and administrative safeguards. Enterprise Standards are structured using the NIST SP 800-53 Security and Privacy control catalogue as a guide.

Note that to read more about each standard, you will be redirected to a Queen's SharePoint site where you will be asked to log in with your NetID and password.

Access control is a security mechanism that regulates who or what can view, use, or access a particular resource in a computing environment. It involves the processes of identification, authentication, authorization, and auditing to ensure that only authorized users, systems, or services have access to the resources they need. This helps minimize security risks and protect sensitive information from unauthorized access. 

Read more about Access Control Standards.

An Assessment, Authorization, and Monitoring (AAM) control standard is a framework that ensures digital information systems are constantly evaluated for risks. It is based on security considerations, continuously monitored for compliance and effectiveness of security controls. It typically includes:

  • Assessment of security controls to validate their effectiveness.
  • Authorization processes for system operation based on risk analysis.
  • Continuous Monitoring strategies to maintain security posture over time.

Read more about Assessment Authorization and Monitoring.

The Audit and Accountability Standard is a framework designed to ensure that Queen's information systems are monitored and reviewed for security-relevant events. An audit is a systematic examination and evaluation of Queens IT Services processes, procedures, or records to ensure compliance with established standards and regulations. Furthermore, accountability refers to the obligation of individuals or entities within Queens University to take responsibility for their actions and decisions while ensuring transparency, integrity, and trustworthiness in operations and governance.

Read more about Audit and Accountability Standards.

Configuration management is a comprehensive process that involves systematically managing changes to the configuration of systems, products, or infrastructure throughout their lifecycle. It encompasses the identification, control, documentation, and verification of configuration items to ensure their integrity, consistency, and traceability, facilitating efficient operations, maintenance, and evolution while minimizing risks and maximizing reliability.

Read more about Configuration Management.

Contingency planning is a standard framework for risk management that involves the development and implementation of strategies, policies, and procedures to prepare for and respond to potential emergencies, disasters, or unforeseen events. By anticipating and mitigating potential disruptions, Queens University can minimize their impact, ensure continuity of operations, and safeguard critical assets, resources, and stakeholders, thereby enhancing resilience, adaptability, and sustainability.

Read more about Contingency Planning.

Data Classification is the method to identify the sensitivity of data. The classification is determined by the inherent risks to a person or the institution from a breach or wrongful disclosure of the data.

A breach or wrongful disclosure of data can adversely affect people and impact our core mission. You are required under the Digital Information Security Policy to exercise due diligence when handling Institutional or personal information. The degree of due diligence and data handling practices are selected according to the classification of the data in your care; ConfidentialInternal or General data.

See the Data Classification Standard.

Identification and authentication are fundamental processes in information security that involve verifying the identity of users, systems, or entities accessing resources or services. Identification establishes the identity claimed by an individual or entity, while authentication validates that identity and verifies authorization to access specific resources or perform actions, ensuring confidentiality, integrity, and accountability in information handling and access control.

Read more about Identification and Authentication.

Media protection encompasses the implementation of physical and digital security measures to safeguard storage devices and media containing sensitive or confidential information. This includes protecting against unauthorized access, theft, loss, or damage to physical storage media such as hard drives, tapes, or disks, as well as ensuring encryption, access controls, and data sanitization for digital media to prevent data breaches, leakage, or compromise, thereby preserving the confidentiality, integrity, and availability of information assets.

Read more about Media Protection.

Physical and environmental standards focus on safeguarding physical assets, facilities, and infrastructure, and ensuring environmental conditions conducive to the proper functioning of systems and equipment. This involves measures such as access controls, surveillance, intrusion detection, and security personnel to protect against unauthorized access, theft, vandalism, or sabotage, as well as monitoring and controlling environmental factors such as temperature, humidity, power supply, and natural disasters to minimize risks and ensure operational resilience and continuity.

Read more about Physical and Environmental Standards.

Risk assessment is a standard designed to identify, analyze, and evaluate potential risks and vulnerabilities that may threaten Queens University’s assets, operations, or objectives. By assessing the likelihood and impact of risks, the university can prioritize and implement appropriate mitigation strategies, controls, or countermeasures to minimize threats, exploit opportunities, and optimize risk-reward trade-offs, thereby enhancing decision-making, resource allocation, and resilience in achieving organizational goals.

Read more about Risk Assessment.

Supply chain risk standard addresses potential threats or disruptions that can arise from dependencies on external suppliers, vendors, or partners, impacting the availability, quality, or security of goods, services, or information. This includes risks such as supply shortages, quality issues, geopolitical instability, regulatory compliance, cybersecurity breaches, or natural disasters, which can have cascading effects on operations, reputation, and financial performance, necessitating proactive risk management, resilience planning, and collaboration across the supply chain ecosystem to enhance agility, transparency, and sustainability.

Read more about Supply Chain Risk Standards.

System and services acquisition standard encompasses the processes and activities involved in acquiring, developing, implementing, and maintaining IT systems, software, or services to meet Queens University’s digital necessities and objectives. This includes requirements analysis, procurement, contracting, development, testing, integration, deployment, and lifecycle management, as well as considerations for cost, schedule, quality, risk, and stakeholder needs to ensure successful outcomes, customer satisfaction, and value realization while managing complexity, uncertainty, and change in technology environments.

Read more about System and Services Acquisition Standards.

Systems and communication standard focuses on protecting the confidentiality, integrity, and availability of information exchanged between systems, networks, or devices to prevent unauthorized access, interception, or tampering. This includes implementing encryption, access controls, authentication, authorization, intrusion detection, and secure protocols to ensure secure communication channels, data transmission, and network connectivity, thereby safeguarding sensitive information, preserving trust, and mitigating cybersecurity risks and threats in interconnected and distributed computing environments.

Read more about Systems and Communication Standards.

Systems and information integrity standard encompasses measures to ensure the accuracy, reliability, and consistency of data and the systems that process, store, or transmit it. This includes implementing controls, mechanisms, and practices to prevent unauthorized alterations, corruption, or manipulation of information, as well as detecting and responding to anomalies, errors, or security breaches to maintain data integrity, trustworthiness, and compliance with regulatory requirements, standards, or organizational policies, thereby enhancing the reliability, usability, and value of information assets in support of decision-making, operations, and accountability.

Read more about Systems and Information Integrity Standards.


Guidelines are technical and procedural documents that recommend actions to reduce management of information and information security risk and to comply with Policies and Enterprise Standards. 


Standard Operating Procedures provide a consistent approach to delivering on common requests.

Acceptable Use Agreements

Acceptable use agreements establish expectations of community members and guests for the appropriate and acceptable use of digital resources provided by, or on behalf of the University.