Date effective: 1988-06-06
Authorized by: Secretary of the University
OWNERSHIP, CUSTODY AND USE OF ADMINISTRATIVE EDP INFORMATION ASSETS
1. To define responsibilities of owners, custodians and users for the security of administrative Electronic Data Processing (EDP) information assets of the University.
2. Administrative EDP information assets shall have an identified Owner and Custodian and authorized Users.
3. Ownership, as here defined, is the exercise of management responsibility over an EDP information asset on behalf of the University, with corresponding accountability. It does not imply any personal title of the Owner to the asset under law.
4. The degree of security implemented must be commensurate with the value to the University, including intangible value, of the EDP information asset.
5. Except as otherwise provided, the University is the legal owner of administrative and academic University EDP information assets. The Owners and Custodians defined below act in the role of agents of the University.
6. Electronic Data Processing Information Assets are computer systems software, application systems software, programs, associated data, and copies thereof on paper or other media.
7. There are three types of EDP information assets, as follows.
- a) Academic EDP Information Assets: EDP information assets created, used or maintained on a computer or on electronic data storage media for students or academic personnel, for the purpose of teaching or research.
- b) Administrative EDP Information Assets: EDP information assets created, used or maintained on a computer or on electronic data storage media for the purpose of administration or management. Note that marks and other personal EDP information (see item 8i, below) about the student that are maintained by professors, teaching assistants etc. are administrative EDP information assets.
- c) Private EDP Information Assets: EDP information assets created, used or maintained on a computer or on electronic data storage media for professional or private purposes rather than for University purposes, and that are not the responsibility of the University. Note that a student's work done or stored on a University computer is a private EDP information asset, belonging to the student and not the University, even if it is to be evaluated as part of the course requirements and even if the use of the computer in its preparation was authorized by the University.
8. Some other definitions are as follows.
- a) Owner (or Guardian): The Owner is the individual who has management responsibility for an EDP information asset; see item 3. Guardian is an acceptable alternate name. The Owner is normally the Department manager/chairperson or delegated representative of the Service or Faculty that created the information asset, or is its primary user. By default, the creator is Owner until ownership is assigned elsewhere.
- b) Surrogate Owner: One authorized to act as agent for the real Owner(s), such as the data administrator of a large database.
- c) Custodian: One who has authorized possession of an EDP information asset and is entrusted by the Owner to provide proper protection and care of assets in an ongoing, operational environment; frequently the supplier of computing services.
- d) User: A person (or group) authorized by the Owner of an EDP information asset to use it for approved University purposes.
- e) EDP Information Asset Classification System: A formal system of listing, categorizing and labelling EDP information assets to indicate the protective controls required, as detailed in Procedure 21-2.
- f) Sensitive EDP Information Assets: EDP information assets that are sensitive to disclosure and whose distribution is, therefore, restricted; see Procedure 21-2.
- g) Critical EDP Information Assets: Critical data and applications that must be assigned priority in recovery following a disaster, see Procedure 21-2.
- h) Disaster: An event (fire, flood, evacuation, electrical damage, etc.) that causes prolonged unavailability of EDP services.
- i) Personal EDP Information: Information about identifiable individuals that requires protection under University-approved access to information or privacy regulations, and that exists as a University EDP information asset.
9. A User may also be Owner or Custodian of an EDP information asset, or both. Owners may also be Custodians.
Some examples are:
- a) A Computing Centre owns its system software.
- b) The User of a personal computer or workstation may also be its Owner and Custodian.
- c) A new Custodian or Owner is created where an electronic copy of an EDP information asset is received for use separately from the original. A User of a personal computer (PC), or terminal connected to a computer, may receive it as electronic mail or as a file via a network. It may be a screen image, or be a down-loaded data file, program or extract of a database. The copy may be provided on a diskette, disc or tape. The recipient is then Custodian of the copy, under terms set by the Owner. The original Owner may give the copy outright so the recipient becomes its Owner, the sensitivity being maintained as before. If the information is manipulated, combined with other data, or new information derived from it, then a new EDP information asset and Owner are created.
10. The Owner has the administrative responsibilities for EDP information assets to:
- a) identify administrative EDP information assets and acknowledge ownership;
- b) classify the EDP information assets according to sensitivity to disclosure, criticality in case of disaster and retention requirements;
- c) advise the Custodian of the full EDP information asset classification and notify Users of relevant attributes;
- d) authorize access;
- e) assign custody under mutually agreed terms;
- f) specify appropriate business controls;
- g) approve application controls for software development, or purchased applications software packages;
- h) perform or participate in risk assessment and, subject to approval, risk acceptance;
- i) develop contingency plans;
- j) monitor compliance and undertake periodic reviews;
- k) investigate security violations and notify the EDP Security Administrator;
- l) ensure compliance with contractual agreements with regard to EDP assets not owned by the University, including proprietary agreements, copyright of software and manuals, and the provisions of federal government Bill C-60 Amendments of the Copyright Act.
11. The Custodian has the responsibility to carry out the Owner's rules. These rules may be jointly developed with the Owner if the Custodian is the supplier of services.
12. A Custodian who is a supplier of services should provide facilities which include:
- a) security systems that satisfy the protection requirements of Owners of EDP information assets;
- b) an effective resource access control system, if sensitive EDP information is processed or stored;
- c) back-up and recovery of administrative data (by individual transaction and globally for files and data bases) as required by the Owner and approved by the EDP Security Administrator.
13. The Custodian is responsible to the Owner for:
- a) processing, storing and safeguarding EDP information assets;
- b) identifying those authorized to access data resources;
- c) reporting regularly on unauthorized access attempts or access(es) not pre-authorized by the Owner.
14. The Custodian shall:
- a) maintain an EDP information assets inventory;
- b) ensure proper control management procedures;
- c) monitor resource access controls;
- d) restrict physical access to facilities to authorized employees, supervised visitors and approved students;
- e) prepare and maintain a comprehensive disaster recovery plan for EDP information assets.
15. Responsibilities of Users include:
- a) use of EDP information assets only for the purpose intended by the Owner;
- b) non-disclosure of sensitive EDP information assets to anyone without the permission of the Owner;
- c) compliance with the Code of Conduct for Computer Users (see Procedure 21-3);
- d) compliance with controls established by the Owner and Custodian.
16. No exception may be made to this procedure without the written consent of the Secretary of the University.
Published June 6, 1988
(Office of the Secretary)