INFORMATION SECURITY POLICY

Policy Type: Management
Policy Sponsor: VP, Administrative Services
Administrative Responsibility: Information Technology Services
Approver: Board of Governors
Initially Approved: October 24, 2016
Last Revised: October 24, 2016
Review Scheduled: April 2021

Policy Summary: Information and the associated support structures for Information are integral to the operations of the University and must be protected. Protecting Information, whether written or electronically stored, processed or transmitted, from a wide range of risks is a shared responsibility of Users and is crucial for ensuring operational continuity.

A. OVERVIEW

The intent of this Policy is to set expectations for implementing reasonable safeguards to mitigate Information loss such as unauthorized or inappropriate access, collection, destruction, use, modification or disclosure of Information. Unauthorized or inappropriate disclosure of Information includes unlawful disclosure of information, specifically payment card and personal information. The University recognizes the need for safe and secure management of Information generated, collected, accessed, modified, synthesized or maintained to conduct University Operations.

B. PURPOSE

The purpose of this Policy is to:
1. Prevent unlawful disclosure of information and comply with Payment Card Industry (PCI) requirements;
2. Prevent unlawful disclosure of information and comply with Freedom of Information and Protection of Privacy (FOIP) Act requirements; and
3. Outline and communicate expectations for Information Security and Security Controls at the University.

C. SCOPE

This Policy applies to all Employees and Users.

Information Security Policy – October 24, 2016

Page 1 of 6

D. POLICY STATEMENT

1. GENERAL

1.1 Information Security is necessary to maintain uncompromised, reliable Information that is accessible where and when it is needed for maintaining University operations.

1.2 Information Security is characterized by the protection of Information by reasonable security safeguards against such risks as loss, unauthorized or inappropriate access, destruction, use, modification, or disclosure of Information.

1.3 Information Security involves more than developing a Security Control such as antimalware software. This Policy provides a means to identify and co-ordinate the University’s approach for maintaining Information Security and Security Controls.

1.4 The University will assign heads of Functional Units to work with ITS to maintain Critical Technologies using Security Controls.

2. RESPONSIBILITIES

2.1 Users are responsible for:
a. Reading, complying and acting in accordance with this Policy and any associated Procedures;
b. Ensuring that any sharing of Information is only to the intended recipient and the recipient is made aware that the Information is not to be distributed;
c. Ensuring that any non-University systems used to store Information meet Security Controls;
d. Ensuring that any exchange of Information is compliant with relevant law; and
e. Completing Information Security Awareness Training in compliance with PCI requirements.

2.2 Management Employees are responsible for:
a. Ensuring that their Employees, and any other relevant Users, are aware of and act in accordance with this Policy and any associated Procedures;
b. Ensuring that their Employees, and any other relevant Users, are assigned access only to Information that is necessary to perform the requirements of their Role; and
c. Ensuring that Information Security Awareness Training has been completed upon hire and annually by relevant Users in compliance with PCI requirements.

2.3 ITS is responsible for:
a. Identifying, evaluating, documenting and managing Information Security risks which are identified in the scope of ITS operations or by the University’s risk management process;
b. Recording, assessing and monitoring attempted and/or actual Information Security breaches with the intent to prevent recurrence;


c. Ensuring that critical or sensitive Information is stored in facilities with secured areas, physically protected from access, damage, interference and/or theft;
d. Identifying Security Controls in consultation with applicable Functional Units prior to the development or enhancement of applications and other systems that may affect University operations or result in a Technical Landscape change;
e. Responding to actual or predicted changes to the University’s operational environment that may affect or result in a Technical Landscape change;
f. Providing guidance and operational support for, and maintaining and managing change to, the University’s Technical Landscape to ensure consistency and accuracy in a timely and cost-effective manner; and
g. Maintaining and administering Information Security Awareness Training in compliance with PCI requirements on an annual basis.

3. INFORMATION SECURITY REQUIREMENTS

3.1 Information Security requirements will be identified by ITS in consultation with applicable Functional Units, prior to the development or enhancement of applications and other systems that may affect the Technical Landscape.

3.2 The Functional Unit will consult with ITS to assess whether any new technology, upgrade or maintenance has the potential to affect Information Security or the Technical Landscape and to apply ITS approved Security Controls.

3.3 The Functional Unit will consult with ITS in order to assess the impact of any system malfunction or abnormality to ensure that it has not affected Information Security or the Technical Landscape.

3.4 ITS may require the Functional Unit to provide access to Critical Technologies in order to assess the impact of any malfunction or abnormality to ensure that it has not affected Information Security or the Technical Landscape.

3.5 Any Information Security breaches will be thoroughly reviewed and evaluated on a case-by-case basis; a full report on the outcomes, causes and findings will be documented and corrective actions will be implemented, as required.

4. ACCESS TO INFORMATION

4.1 Access to Information will be limited by the User’s Role within or for the University.

4.2 The University will regularly monitor and control access to Information requirements to ensure they are current, relevant and that the appropriate level of access is administered.

5. SHARING INFORMATION

5.1 Information will not be used or disclosed except where it is needed to conduct University operations, as provided by this Policy, other University Policies and Procedures, and relevant law.


6. STORAGE OF INFORMATION

6.1 Information will be stored in facilities with secured areas, physically protected from access, damage, interference and/or theft. These areas will be protected by an ITS defined security perimeter, specific to each Functional Unit, with enforced security measures.

6.2 Information will not be stored on non-University secured systems unless the system meets the same Security Controls.

7. INFORMATION RETENTION

7.1 Information that has only immediate or short-term operational value to the University should be considered transitory and routinely disposed of in a secure manner after the completion of that particular operational activity or transaction.

7.2 Records that are deemed to have long-term operational value, such as those containing Information of contractual, financial, legal, research or archival value to the University, should be retained according to other University Policies.

8. INFORMATION SECURITY AWARENESS TRAINING

8.1 The University will administer role-specific training on Information Security upon hire and annually in compliance with PCI requirements.

9. COMPLIANCE

9.1 Exchange of Information must comply with this Policy, other applicable Policies and Procedures, and relevant law.

9.2 Functional Units and Users who act in good faith and execute their responsibilities with a reasonable standard of care will not be subject to disciplinary action in the event of an Information Security breach.

E. DEFINITIONS

(1) Availability: ensuring that authorized Users have access to the necessary Information and associated assets when required

(2) CIO: the University’s Chief Information Officer

(3) Confidentiality: ensuring that Information is accessible only to those persons with authorized access

(4) Critical Technologies: University systems used for regular operations, as identified by ITS in consultation with Functional Units

(5) Employees: includes faculty, staff, exempt employees and Management Employees

(6) Functional Unit: any division, department, office, program, or other collective entity of the University

(7) Information: specific to this Policy, personal information and transactional data in all tangible forms (physical or electronic) that is collected, maintained, accessed, modified or synthesized to perform the operations of the University

(8) Information Security: the preservation of Confidentiality, Integrity, and Availability of Information

(9) Integrity: safeguarding the accuracy and completeness of Information and processing methods

(10) ITS: the University’s Information Technology Services Department

(11) PEC: the University’s President’s Executive Committee

(12) PDP: the University’s Policy Development Plan/Process

(13) Role: the behaviours and responsibilities associated with the work being carried out by an individual for the University

(14) Secured Areas: areas intended to physically protect information from access, damage, interference and/or theft. These areas are determined by and specific to the needs of the Functional Unit

(15) Security Controls: measures in place to safeguard both the Integrity of the security mechanisms established by ITS and the Technical Landscape, and that are also compliant with this Policy and relevant law. Security Controls include Users practicing reasonable standards of care to prevent malicious software, such as checking the authenticity of email attachments or software installations

(16) Technical Landscape: the set of hardware, software and facility elements, arranged in a specific configuration, which serves as a fabric to support the operations of the University

(17) User: all individuals dealing with Information. This includes, but is not limited to, Employees, students, contractors, agents, consultants, vendors, visitors, volunteers and third parties who maintain, receive, create, disseminate or use Information

F. RELATED POLICIES

• Acceptable Use of Computing and Communication Resources
• Cash and Payments Handling Policy
• Email Policy
• Information Management Policy
• Internet and Network Access
• Management of Microcomputer Software
• Purchase of Computer and Telecommunications Equipment
• Records and Information Management Program
• Enterprise Risk Management Policy


G. RELATED LEGISLATION

• Data Security Standard version 3.1 (April 2015); PCI Security Standards Council
• Freedom of Information and Protection of Privacy Act, RSA 2000, c F-25 (FOIP Act)

H. RELATED DOCUMENTS

I. REVISION HISTORY

Date (mm/dd/yyyy): 10/24/2016
Description of Change: NEW
Sections:
Person who Entered Revision (Position Title): Director, University Secretariat
Person who Authorized Revision (Position Title): VP, Administrative Services
