Proposed Electronic Information Security Policy Framework - Posted for Comment
The University's Associate Vice-Principal IT and Chief Information Officer, Bo Wandschneider, invites comment from the Queen's community on a proposed policy framework to address the security of University IT and information resources, and the privacy of sensitive information in the University's care. Once approved, these administrative policies will be included in the University-wide Policy Library.
These policies were developed over the past several years with considerable input from the Queen's Security Community of Practice, and the Senate Information Technology Committee. Drafts have been reviewed with the Enterprise Information Technology Advisory Committee (EITAC), research ethics boards, and numerous stakeholders across the campus. During this consultation process there was consistent support for the need for policies in this important area.
Why are these policies important? An array of security mechanisms has been implemented to both detect and prevent attempts to gain access to, take control of, or attack systems connected to the Queen's network. Statistics from these mechanisms illustrate how relentless such attempts can be:
- Over a two-month timespan in 2013, one of these mechanisms detected and blocked over 10 million attempts to infiltrate Windows computers on the Queen's network. There might be a similar number of attempts that were not detected, as hackers discover new attack avenues.
- In one day in January 2014, there were 35 unsuccessful attempts to take remote control of a single Windows computer, and this is typical for many such computers at Queen's. Yet, Remote Desktop is a feature often used in many areas of campus, even though it has inherent security implications. Computers running an Apple operating system are increasingly being targeted as their numbers increase, so the risk is not just for Windows systems.
ITServices continues to strengthen the security of the Queen's infrastructure, create more secure zones, and implement multiple security defences where warranted. The scope and complexity of the Queen's IT infrastructure make it very challenging to improve its security, but it is a priority area of investment and staffing. Even so, this doesn't fully address the risks. We must still rely heavily on every member of the Queen's community to be aware of security risks and adopt recommended practices to address them.
To help people understand the policies, why they are important, and where or to whom they apply, ITServices continues to develop a collection of how-to documentation, guidelines and standards. In many cases, all that will be necessary are some adjustments to daily routines or work processes.
It must be acknowledged that the University cannot reasonably expect immediate compliance with these policies once they are approved. It will take some time, some changes in daily routines, and some more informed choices before we can achieve the desired compliance. ITServices and our IT colleagues in the faculties and departments will continue developing standards, programs and support materials to help people learn how to fulfill their responsibilities under these policies.
Members of the Queen's community are asked to send comments by email no later than February xx, 2013.