The objective of the University Information Security Policy is to define and describe the responsibilities and required practices for all members of the University community with respect to information security and the protection of University information.
The policy comprehensively applies to all individuals in the community and all forms of information resources. It describes, based on an individual’s role, the responsibilities of members of the University community to prevent unauthorized access to physical and electronic information, consistent with law, regulation, and University policies. The policy outlines the responsibilities of those who are responsible for implementing, enforcing and abiding by this policy. The Procedures for the Protection of University Information, incorporated by reference into the policy, describe the specific procedures required to comply with the policy.
Information security is a responsibility shared by the community. All members of the community are considered Data Users. In addition to the responsibilities of Data Users, members of each role are required to fulfill specific responsibilities, including incident reporting and handling. Stewards, Managers and Information Service Providers are responsible for establishing security policies and procedures. Users are expected to be aware of and to adhere to these and other University policies.
Every member of the University community is a Data User, and as such is responsible for appropriate protection of University information. Data Users are tasked with understanding and adhering to University policies, and with complying with best practices in information security as established by the University Information Security Office.
Stewards are accountable for the data under their stewardship. They classify data, authorize access, and promote information security within the relevant user community. Faculty are considered Stewards of their own research and course materials; students are considered the Stewards of their own work (where it does not form part of the academic record).
Heads of Academic and Administrative Units, Managers, and Supervisors:
Are responsible for assuring that all individuals who fall within the scope of their authority are appropriately educated in the information security requirements of their roles. They also encourage information security through User training and awareness.
University Information Security Office (UISO):
The UISO is responsible for overseeing University network security; establishing required minimum security standards for handling University information; overseeing technology policy; managing an information security training and awareness program; and handling information security incidents.
The policy will be periodically reviewed and updated as needed, but at least annually, unless changes in institutional policy or relevant law or regulation dictate otherwise.
April 24, 2013