Responsible Use of Digital Resources Policy | University Secretariat and Legal Counsel

Final Approval Body: Senior Leadership Team
Senior Administrative Position with Responsibility for Policy: Vice-Principal, Finance and Administration
Date Initially Approved: February 2024

Definitions

A complete glossary of technology and cybersecurity related terms and acronyms will be maintained in the Digital Information Security Glossary of Terms and will be made available to all Community Members and Guests.

Purpose

The purpose of the Responsible Use of Digital Resources Policy (the “Responsible Use Policy”) is to establish baseline responsibilities of Queen’s University community members and guests as they use and interact with digital assets operated by, or on behalf of, the University, or data and information in the custody and/or control of the University.

Scope

The Responsible Use Policy is applicable to all community members and guests as they access and use digital assets operated by, or on behalf of, the University. Digital assets include:

Digitized services, functions, workflows, processes, and procedures, operated by, or on behalf of the University (“digital services”),
Data and information in the custody and/or control of the University (“data”),
Digital identities, the associated credentials and accounts, and the contents thereof that have been created and issued by the University for the purpose of using digital services (“digital identities”),
Digital technologies, including infrastructure, hardware, software, and licenses, operated by, or on behalf of the University (“digital technologies”),
Client access devices, including laptops, desktops, and mobile devices, that are provided by or purchased using University funds (“endpoints”).

Roles

Board of Trustees

The Board of Trustees provides oversight of the Cybersecurity Program and the performance of cybersecurity objectives defined by the QCSF through the Finance, Assets, and Strategic Infrastructure Committee.

Senior Leadership Team

The Senior Leadership Team (“SLT”) includes the Principal and Vice-Principals and are the approval authority for Information Security and Cybersecurity related policies.

Chief Information Officer and Associate Vice-Principal (Information Technology Services)

The Chief Information Officer and Associate Vice-Principal (Information Technology Services) (“CIO”) is accountable to the Board of Trustees and SLT for the management of the Cybersecurity Program, and activities relating to achieving the Strategic Cybersecurity Goals and Objectives.

Queen's University Community

Members of the Queen’s University Community (“community members”) are people for whom the University explicitly creates and maintains a digital identity. This includes, without limitation:

Employees, including Faculty and staff in research, student success, and administrative roles.
Students, including undergraduate, graduate, continuing education, and independent learners.
Affiliates, including alumni, former employees, and members of affiliated organizations.
University Officers and volunteers, including members of the Board of Trustees and Senate.

Guests

Guests of the University are people who may have access to publicly available digital assets to which access has been granted by means of a trusted relationship with a partner or third-party, and for whom the University has not explicitly created a digital identity. This may include, and is not limited to:

Partners, including contractors, vendors, and third-party service providers.
Visitors using the wireless network.
Guests using temporary or courtesy accounts.

Community Member Expectations

Community members and guests shall have a reasonable expectation of privacy while using university digital assets. The University shall take measures to safeguard digital assets and protect the privacy of community members and guests in accordance with the Access to Information and Protection of Privacy Policy and the Freedom of Information and Protection of Privacy Act.

Community members and guests can expect a reasonable level of security while using university digital assets. The University shall take measures to reduce information security risk, and the impact of cybersecurity threats to digital assets and devices used by community members and guests on the university network.

Community members and guests can expect to be kept informed about common and emerging cybersecurity threats, actions that they can take to protect themselves, and their responsibilities related to Acceptable Use Policies and other policy and governance instruments.

Community Member Responsibilities

Community members and guests shall:

comply with applicable Acceptable Use Policies, and other relevant policy and governance instruments,
use university digital assets to which they have been provided access in a responsible, ethical, and legal manner,
use university digital assets to which they have been provided access in a manner that is consistent with the mission, values, and strategic goals of the University,
use university digital assets to which they have been provided access for their intended purposes.
use university digital assets in a manner which does not cause damage to the university or violate the rights of other community members and guests.

Community members and guests shall not:

engage in activity that may compromise the confidentiality, integrity, or availability of, or otherwise adversely affect the ability of others to use, university digital assets.
use university digital assets to engage in activity that may compromise the confidentiality, integrity, or availability, or otherwise adversely affect the ability of others to use resources external to the university.

Community members and guests are responsible for:

securing and maintaining personal devices that they use to access digital assets.
protecting the credentials that have been issued to them by the University. This includes protecting knowledge authentication factors, such as passwords, and maintaining custody and control of possession authentication factors, such as the smartphone or token they use for multi-factor authentication.
protecting data and information in their care and control. This includes understanding the impact of data risk, knowing the classification of data, following data handling standards and guidelines.
reporting observed, known, or suspected cybersecurity incidents or breaches, or situations wherein information security risk is not treated appropriately, or that contravene Policies, Standards, and other policy and governance instruments.

Acceptable Use Policies

The University shall develop Acceptable Use Policies to establish expectations of community members and guests for the appropriate and acceptable use of digital assets provided by, or on behalf of, the University.

The CIO is authorized to develop Acceptable Use Policies and is accountable to the SLT for the sustainment thereof.

Acceptable Use Policies may be differentiated depending upon the segment of the community for which they have been written.

Acceptable Use Policies shall be based on the responsibilities established by this Policy and shall include additional details about expectations relevant to the segment of the community for which the agreement has been written.

Community members and guests shall acknowledge Acceptable Use Policies before getting access to digital assets provided by, or on behalf of the University,
Community members shall periodically update their acknowledgements of Acceptable Use Policies thereafter.

The University shall investigate situations that are known or suspected to contravene the Responsible Use Policy and applicable Acceptable Use Policies. Community members and guests found to be in contravention of the Responsible Use Policy and applicable Acceptable Use Policies may have digital access rights restricted. Such situations may be referred to relevant disciplinary bodies.

Cybersecurity Training

The University shall provide cybersecurity training to Community Members which will include training about their responsibilities within the Policy, common cybersecurity threats, and actions that can be taken to protect against those threats. Training opportunities may include, without limitation:

Computer-based training,
Workshops,
Webinars,
Experiential training, and
Simulations.

The University shall provide role-based cybersecurity training to community members performing activities for which there is increased cybersecurity risk, or for which specialized cybersecurity knowledge is required.

The CIO is authorized to develop Cybersecurity Training strategy, materials, and assignments and is accountable to the SLT for the sustainment thereof.

Cybersecurity Awareness

The University shall communicate with community members and guests about their responsibilities within the Policies, Acceptable Use Policies, and other policy and governance instruments, cybersecurity trends, and actions that can be taken to protect against common and emerging cybersecurity threats.

The University shall use reasonable efforts to provide timely alerts and notifications to community members and guests about imminent cybersecurity threats of which it becomes aware.

The CIO is authorized to develop Cybersecurity Awareness strategy, materials, and communications plans and is accountable to the SLT for the sustainment thereof.

Framework References

Framework: Queen's CSF
Sections: 5.2, 7.1, 7.2

Related Policies, Procedures, Guidelines: Digital Information Security Policy, Cybersecurity Incident Detect and Respond Policy, Records Management Policy, Access to Information and Protection of Privacy Policy
Policies Superseded by this Policy: Electronic Information Security Policy, Electronic Information Security Policy Framework, Acceptable Use of Information Technology Resources Policy, Acceptable Use Policy for Guest Network Access
Responsible Officer: The Associate Vice-Principal (Information Technology Services) and Chief Information Officer
Contact: Information Security Officer iso@queensu.ca
Date for Next Review: 2029