
Information Security Policy

Classification number: LCG 1144
Framework category: Legal, Compliance and Governance
Approving authority: Board of Governors
Policy owner: Vice-President, Administration
Approval date: November 28, 2019
Review date: November 2022
Last updated: Editorial Amendment, May 30, 2022

Purpose

This Policy is the cornerstone of the university’s information security program. It establishes the principle that information is an asset and the property of the University of Ontario Institute of Technology. All information technology users are required to protect this asset.

Definitions

“Information Assets” means any information that is printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on visual media, or spoken in conversation.
“University Member” means any individual who is:
  • Employed by the University;
  • Registered as a student, in accordance with the academic regulations of the University;
  • Holding an appointment with the University, including paid, unpaid and/or honorific appointments; and/or
  • Otherwise subject to University policies by virtue of the requirements of a specific policy (e.g. Booking and Use of University Space) and/or the terms of an agreement or contract.
“Information Owners” means individuals who have administrative control over the information and have been officially designated as accountable for a specific information asset dataset.
“Information Custodians” means a person who has technical control over an information asset dataset, usually IT Services.
“Cardholder Data Environment (CDE)” means the segmented area of the network which encompasses applications, hardware, and network services in the transmission, processing, or storing of cardholder data.

Scope and authority

This Policy applies to:

  1. All University Members who are able to create and share information using University computing resources, and to any person or organization that handles University information and data regardless of their affiliation with or function within the University.
  2. All information within the custody and control of the University, including the Cardholder Data Environment (CDE). Any activity aimed at the manipulation, transportation or use of information is subject to this policy throughout its life cycle.
The Vice-President, Administration, or successor thereof, is the Policy Owner and is responsible for overseeing the implementation, administration and interpretation of this Policy.

Policy

The University is committed to the security of information, both within the University and in communications with third parties.

In securing information, it is essential that the following characteristics of information are preserved and maintained:
  1. Confidentiality: ensuring that information is accessible only to those authorized to have access;
  2. Integrity: safeguarding the accuracy and completeness of information and processing methods;
  3. Availability: ensuring that authorized users will have access to information and associated assets when required.
Information security training will be available to all employees at the start of employment, and at least yearly thereafter.
Information Owners are responsible for properly classifying information in terms of their confidentiality, integrity and availability.
Information Owners and Information Custodians shall work together to ensure adequate access measures are in place to protect information and IT resources from loss or unauthorized access.
Information Owners and Information Custodians shall work together to ensure the integrity of information is maintained by protecting against unauthorized modification.
Information Owners and Information Custodians shall work together to protect confidential information from unauthorized disclosure.
All University Members may only have access to the confidential information that is required to perform their roles. They shall protect the confidentiality of the information to which they have access.
An IT operational information security incident response procedure must be in place, reviewed and tested.
Roles and Responsibilities
  1. Departmental System Managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments.
  2. IT Services shall:
    1. Maintain detection and prevention controls to protect against malicious software and unauthorised access to networks and systems.
    2. Be responsible for creating, updating, and auditing information security plans, policies and procedures on an annual basis.
    3. In cooperation with departmental system managers, administrators and users, be responsible for providing information security training.
  3. All University Members handling University related information or using University information systems shall:
    1. Be required to observe this Policy and these Regulations and are responsible for the consequences of their actions regarding computing security practices.
    2. Be in part responsible for protecting University information from unauthorized access, modification, destruction or disclosure.
    3. Report immediately to IT Services any observed or suspected security incidents where a breach of this policy has occurred.
  4. System administrators are responsible for administering user account authentication and account management.
  5. The Executive Director, IT Services, is responsible for monitoring and enforcing this policy.
Accessibility for Ontarians with Disabilities Act considerations
  1. Accessibility for Ontarians with Disabilities Act (AODA) standards have been considered in the development of this policy.
Consequence of Non-compliance:
  1. Non-compliance could affect the University’s ability to conduct business, respond to requests for information, be transparent and accountable, and ensure the confidentiality and privacy of personal information. This would be a risk to the University both financially and to its reputation in the community.
  2. Failure to comply with this policy could result in loss of access to the University’s information technology services and equipment, disciplinary action up to and including suspension or termination of an employee, and/or legal action that could result in criminal or civil proceedings.

Monitoring and review

This Policy will be reviewed as necessary and at least every three years. The Vice-President, Administration, or successor thereof, is responsible for monitoring and reviewing this Policy.

Relevant legislation

This section intentionally left blank.

Related policies, procedures & documents

Acceptable use of Technology Policy
PCI Sustainability Policy
PCI Sustainability procedure