Draft for Comment – January 2014
Associate Vice-Principal IT / Chief Information Officer
The following are definitions for key terms used in this policy:
An electronic set of information or data, such as a database, file or document, that is classified as personal, confidential, or operationally-sensitive, as defined under the Queen's University Data Classification Standard. Whether it is stored on or off campus does not matter.
A computer, device, or network on which there is a significant operational dependency for the University, a Department or Research Group, and/or which stores, transmits, or provides access to sensitive information. This includes computers functioning as servers, and storage devices such as USB keys and portable hard drives, but may also be personal computers, printers, facsimile and other devices which have internal storage capability that could contain Sensitive Information.
The University officer or employee having primary responsibility for establishing policies and procedures relating to access, use, retention and destruction of Sensitive Information, and for ensuring that it is protected from unauthorized access or modification, and inappropriate use or disclosure, whether intentional or unintended.
A Unit Head or individual assigned responsibility by the Steward for collecting, storing or enabling access to the Sensitive Information, and for maintaining appropriate controls to guard against unauthorized access or modification, and inappropriate use or disclosure, whether intentional or unintended.
The Department Head or Director of a Queen's department, or the Principal Investigator or Lead Researcher for a research unit or project.
Any individual within the scope of this policy who is granted or has access to Sensitive Information.
Purpose/Reason for This Policy:
The purpose of the Queen's Electronic Information Security Policy is to establish responsibility for preserving:
- the confidentiality, integrity and availability of electronically maintained Queen's University information or data; and
- the privacy of electronically maintained personal information in the custody or control of the University or members of the Queen's Community, whether stored on premises or external to the University.
Scope of this Policy Framework:
This Policy applies to all members of Queen's University who, in the course of their employment or academic activities, will gather, manage, distribute or use Sensitive Information. This includes departments, research groups, faculty, staff, students, and volunteers, and extends to external vendors, suppliers, contractors or collaborators engaged in the gathering, management and use of Sensitive Information.
Members of the Queen's Community who have care and control of, or use, Sensitive Information are responsible for accessing and using only that information required for their academic or administrative role(s), for protecting the information from disclosure or unauthorized use by others, and for safeguarding the privacy of personal information about or belonging to others.
Responsibility for preserving the security and privacy of information rests with each member of the Queen's community involved in the collection, management, and use of information. While it may be possible to delegate responsibility to others, one cannot delegate their accountability for preserving the security and privacy of information. Responsibilities vary according to each person's role in relation to the Sensitive Information, and in some circumstances a person may have multiple roles. Any person who has care and control of Sensitive Information is a Custodian for that information while it is in their care and control. Where Sensitive Information is stored on a personal computer or mobile device, the owner or holder of that IT Resource is a Custodian for that information. The following establishes the responsibilities of each of the primary roles associated with electronic information:
As an Information Steward, you are responsible for ensuring:
- that Sensitive Information for which you are primarily responsible is appropriately classified according to the Queen's University Data Classification Standard;
- that all Custodians and Users provide appropriate protection for Sensitive Information in their care;
- that all Custodians and Users involved in gathering, managing or using the Sensitive Information understand and accept their responsibilities under this Policy;
- that a review of who has access to the Sensitive Information is conducted regularly to ensure that only those still requiring access continue to have it;
- that a security assessment for the Sensitive Information be conducted on a regular basis;
- that in a situation when the security of Sensitive Information has or may have been compromised:
  - that immediate corrective measures are taken to eliminate the risk or exposure;
  - that the situation is reported in accordance with Procedures for Reporting IT or Information Security Incidents or Risks;
  - that all affected individuals are notified when it is determined that the privacy of their personal information has been compromised; and
  - that a security assessment be conducted immediately.
As an Information Custodian, you are responsible for ensuring:
- that access to the Sensitive Information is provided only to Users who require such access for legitimate University purposes, as established by the Steward, and that each user's access is approved by the associated Unit Head or designate;
- that a User's access to the Sensitive Information is limited to only those data subsets or elements that the User requires;
- that access to the Sensitive Information is revoked as soon as a User no longer requires access;
- that those responsible for installing and maintaining the hardware and software that is used to collect, house, manage or provide access to the Sensitive Information do so in accordance with the Queen's University Network and Systems Security Policy;
- that any new system or application that will house or provide access to the Sensitive Information undergo a system security assessment prior to being used;
- that subsequent system security assessments are conducted on a regular basis; and
- that the Steward is immediately notified if it is determined that the security of the Sensitive Information may have been compromised.
As a Unit Head, you are responsible for ensuring:
- that members of your unit are aware of and maintain compliance with these policies where applicable, fulfill their responsibilities as Steward, Custodian or User, and have signed confidentiality agreements where required by the Steward;
- that you have approved appropriate access only for those members of the Unit who require such access to fulfill their role in the Unit;
- that when an individual (staff, faculty, contractors, etc.) leaves the Unit, or her or his role changes, this is communicated to Information Custodians where appropriate and without delay;
- that all desktop, laptop or server computers which are used to collect, store or access the Sensitive Information are installed and maintained in accordance with the Queen's University Network and Systems Security Policy and with the Sensitive Information Protection Standard;
- that any new system or application which will be used to collect, manage or provide access to the Sensitive Information has undergone a system security assessment prior to being used;
- that any visitors, suppliers, contractors, or collaborators who will require or have access to the Sensitive Information are made aware of this Policy and that they are subject to it; and
- that a secure means of information erasure or destruction is used prior to disposing of or donating any IT Resource in the Unit which contains or which at one time did contain Sensitive Information.
As an Information User, you are responsible for ensuring:
- that you access only the Sensitive Information you are authorized to use, and only for the academic or administrative purpose for which that Sensitive Information is intended;
- that you not disclose any portion of the Sensitive Information to another person not authorized to receive it;
- that you not disclose your user account and password (or similar authentication credentials) which you use to access Sensitive Information;
- that you notify your Unit Head immediately if the security or privacy of some or all of the Sensitive Information you use, or that is in your care or control, may have been compromised;
- that you maintain the personal computer or device which you use to store or access the Sensitive Information in accordance with Queen's University's Information Security Guidelines and Standards; and
- that any Sensitive Information being transported on a portable computer or device, or sent to others electronically, be encrypted in accordance with the Sensitive Information Protection Standard and with the Electronic Information Security Guidelines.
Contact Officer: Information Systems Security Manager – ITServices
Date for Next Review: TBD yyyy-mm-dd
Related Policies, Procedures and Guidelines:
Policies Superseded by This Policy: