Draft for Comment – January 2014
Associate Vice-Principal IT / Chief Information Officer
The following are definitions for key terms used in this policy:
An electronic set of information or data, such as a database, file or document, that is classified as personal, confidential, or operationally-sensitive, as defined under the Queen's University Data Classification Standard. Whether it is stored on or off campus does not matter.
A computer, device, or network on which there is a significant operational dependency for the University, a Department or Research Group, and/or which stores, transmits, or provides access to Sensitive Information. In general this refers to computers functioning as servers, and storage devices such as USB keys and portable hard drives, but also extends to personal computers, printers, facsimile and photocopiers which have internal storage capability that could contain Sensitive Information.
The Department Head or Director of a Queen's department, or the Principal Investigator or Lead Researcher for a research unit or project.
The individual who has primary responsibility for installing, configuring and maintaining an IT Resource. For the purposes of this policy, in the absence of a designated system administrator, the primary owner or user of an IT Resource is regarded as its System Administrator.
Safeguards or measures/countermeasures which prevent, counteract or minimize security risks.
Purpose/Reason for This Policy:
The purpose of the Network and Systems Security Policy is to ensure the security, integrity and reliability of the University's information technology resources, and the confidentiality of sensitive information, by establishing responsibility for ensuring that IT Resources are installed and maintained in accordance with appropriate security controls, standards and practices.
Scope of this Policy Framework:
This policy applies to all employees of Queen's University who manage IT resources where:
- There is a significant operational or strategic dependency on an IT resource, at the University, Faculty or Department level; or
- The IT resource plays a role in storing, accessing or transmitting personal, confidential or operationally-sensitive information.
This policy also applies by extension to external contractors or agents who are involved in deploying and managing IT resources for the University, a department, or a research group.
There is a wide range of IT Resources used across the University. The following policy statement establishes responsibility for ensuring the required security measures are implemented or used for IT Resources:
Members of the Queen's Community who are responsible for managing IT Resources on which the University or a Faculty, Department or a research group depend, OR which are used to collect, store or provide access to Sensitive Information, must ensure that those Resources are acquired, installed, configured, maintained and disposed of in a manner that is consistent with Queen's Electronic Information Security Policies, Guidelines and Standards, such that those Resources are not compromised, and sensitive information is appropriately protected. More specifically:
- IT Resources should be installed in locations with physical access controls which limit access to only those individuals who must have it.
- All servers connected to the Queen's network and providing services should be installed, configured and maintained in accordance with the Server Security Standards and the Electronic Information Security Guidelines.
- Those individuals involved in configuring and maintaining IT Resources must do so in accordance with the Authentication and Access Control Standard and the Electronic Information Security Guidelines.
- Those individuals who manage IT Resources which store, access, or transmit Sensitive Information must do so in accordance with the Queen's University Electronic Information Security Policy, the Sensitive Information Protection Standard, and the Electronic Information Security Guidelines.
- Any new system or software application, whether developed or acquired, that will be used to gather, store, or provide access to sensitive information must undergo a system security assessment prior to being used with real data. This includes both new software applications and when applying major releases/upgrades of those applications.
- All individuals who manage IT Resources are required to monitor the availability and security of those resources to detect any risks to their regular operation, and to detect any attempts to compromise or access the resource by unknown or unauthorized parties. Logging of access and activity should occur and logs should be reviewed regularly.
- All software on which there is a significant operational dependency, or which is used to gather, store, process, provide access to, or transmit Sensitive Information, must be acquired or developed in accordance with relevant policies and standards in the Queen's University Information Security Policy Framework.
- All suspected or confirmed security incidents must be reported in accordance with Procedures for Reporting IT or Information Security Incidents or Risks.
Contact Officer: Information Systems Security Manager – ITServices
Date for Next Review: TBD yyyy-mm-dd
Related Policies, Procedures and Guidelines:
Policies Superseded by This Policy: