Approved Administration Committee 2288.3
As part of its educational mission, the University of Ottawa acquires, develops, and maintains various IT assets. These assets are intended for University-related purposes, including, but not limited to, direct and indirect support of the University’s academic, research and service missions; University administrative functions; student and campus life activities; and the free exchange of ideas within the University community and the wider local, national, and world communities.
The University collects, stores, and transmits electronic information of a sensitive nature to facilitate and enable its academic, research and other University-related functions. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the University or members of the University community, and could also subject the University to fines or other government sanctions. Additionally, if University information were tampered with or made unavailable, it could impair the University's ability to conduct its operations.
The University recognizes the importance of information security and protecting its IT assets. The University is therefore committed to preserving the confidentiality and integrity of its IT assets and to using reasonable, appropriate, practical and effective security measures to protect against unauthorized use, modification, disclosure, and destruction of its IT assets.
The University of Ottawa is equally committed to preserving an environment that encourages academic and research freedom through the responsible use of IT resources.
The University of Ottawa Information Technology Resources Acceptable Use Policy promotes the efficient, ethical, and lawful use of IT resources. Protecting and preserving the University’s IT resources is a cooperative effort that requires each member of the University community to act responsibly and guard against abuses.
The purpose of this Policy is to ensure the confidentiality and integrity of University of Ottawa information technology assets as more particularly defined below (IT assets) and it serves as the overarching policy that governs the interpretation and application of all other information security policies and related procedures.
The University’s Chief Information Officer (CIO) oversees the central IT resources and services that enable both academic and administrative functions, and that support faculty, staff, and students. IT services include infrastructure, applications, enterprise architecture, information security and end user support services that scale across the University.
In the context of this policy, the University’s CIO is primarily responsible for:
• Providing custodianship for IT assets;
• Oversight of IT security;
• Establishing, maintaining, publishing and ensuring awareness of the IT resources Acceptable Use Policy and related procedures; and,
• Educating the University community about information security responsibilities.
The CIO develops procedures and guidelines in consultation with relevant services such as legal, privacy and risk management offices, to assist the University community in implementing and enforcing this Policy. This Policy is the governing foundation for future policies, procedures and guidelines related to IT security.
The CIO may delegate individual responsibilities and authorities specified in this Policy or associated information security policies, procedures and guidelines.
Amendments to this Policy shall be made with the approval of the Administrative Committee.
The Policy must be read in conjunction with:
• Policy 117 – Information Classification and Handling Policy
• Policy 118 – Electronic Mail (Email) Policy
• Policy 37 – University-Owned Personal Computers (PCs)
• Policy 45 – University-Wireless Communications
• Policy 23 – University of Ottawa Archives
• IT Security Procedures.
4. APPLICATION, SCOPE AND INTERPRETATION
This Policy and the related procedures established pursuant to it cover all IT assets and apply to:
a) all University employees, students, contractors, visitors, volunteers, members of its Board of Governors; and,
b) external organizations and their respective employees, contractors, and representatives who use or are granted access to the University’s IT assets or its IT resources.
The CIO is responsible for the interpretation of this policy.
5. For the purposes of this Policy and when used with a procedure established pursuant to this Policy:
a) “employee” includes all (regular and contract positions) unionized and non-unionized academic, administrative and support personnel (including those whose salary is paid through sources other than the University’s operating funds, such as grants, research grants and external contracts);
b) “student” means an individual registered at the University at the undergraduate, graduate or postdoctoral level, including medical residents, fellows and special students, whether enrolled full-time or part-time;
c) “IT asset” or “IT assets” is meant to encompass all and collectively refer to University IT resources and the electronic information stored on, within or passing through a University IT resource;
d) “IT resource” or “IT resources” includes (and is not limited to) the following that are owned by and/or operated or managed by the University, or that are licensed to the University or operated by an external organization on behalf of the University: software, systems, networks, computers, or any other computing resource or hardware, servers (physical or virtual), data storage or network devices, email servers, print and fax servers, telephone systems, magnetic media or network and any other communication devices;
e) “University community” is meant to encompass all University employees, individuals holding University of Ottawa academic appointments, students, contractors, visitors, and volunteers, as well as the members of federated institutions of the University of Ottawa (e.g. Saint Paul University);
f) “Chain letter”: a typical chain letter consists of a message that attempts to convince the recipient to make a number of copies of the letter and then pass them on to as many recipients as possible.
g) “Spam”: any commercial electronic message sent without the express consent of the recipient(s). Spam is also used as the vehicle for the delivery of other online threats such as spyware, phishing and malware.
6. POLICY STATEMENT
a) All IT resources are for University-related purposes including but not limited to direct and indirect support of the University’s academic, research and administrative activities;
b) The University does not permit or support the use of University IT assets that:
i. interfere with or are a nuisance or menace to the University, its employees, students or others, or to its operations;
ii. pose a significant/material/unacceptable health, safety or security risk; or,
iii. are contrary to applicable laws.
c) Prior to entrusting (e.g., for storing, copying, printing, formatting, processing, etc.) outside entities with access to the University's restricted, confidential or any other internal information (reference: Information Classification and Handling Policy), a third-party security risk assessment must be performed by the Security Architect;
d) All software developed by employees or contractors for the University is the University’s property and protected by applicable copyright laws from unauthorized use and duplication, unless otherwise agreed to in writing;
e) Every user must understand the sensitivity of their information and treat it accordingly. Even if technical security mechanisms fail or are absent, every user must still act as a reasonable person to maintain the security of information commensurate with its sensitivity;
f) The University does not routinely monitor, inspect, copy or disclose the electronic information stored on, within or passing through a University IT asset unless such action is, to the extent that it is strictly necessary, to ensure the proper functioning of the operations of the University or a University IT asset, to prevent or correct improper use of an IT asset, to ensure compliance with this Policy or an information security procedure, or unless such action is permitted or required by applicable laws;
g) The University will maintain reasonable processes to deal with viruses, to reject emails from unwanted spam sources and to scan incoming and outgoing network traffic to detect and protect against other malicious content; the University cannot guarantee the success of such processes, and the user must accept the risk inherent in the use of the technology;
h) Members of the University community are to adhere to this Policy and procedures established pursuant to it;
i) The University will take appropriate preventative and corrective action where a violation (or threat of violation) of this Policy or any related procedure occurs and will, where warranted, hold individuals responsible in accordance with applicable collective agreement provisions, terms of employment or other University policies, regulations or applicable laws.
j) In making acceptable use of IT resources the user must:
i. Not use IT resources for unauthorized purposes.
ii. Protect your user identity, password and system from unauthorized use. All users are responsible for all activities on their user accounts or that originate from their devices.
iii. Access, use or disclose restricted, confidential or internal information (reference: Policy 117 on Information Classification and Handling) only to the extent it is authorized and necessary to fulfill assigned job duties.
iv. Use only legal versions of copyrighted software in compliance with vendor license requirements.
v. Be considerate in your use of shared resources. Refrain from monopolizing systems, overloading networks with excessive data, degrading services, or wasting computer time, connect time, disk space, printer paper, manuals, or other resources.
vi. Report incidents such as stolen computing equipment (including but not limited to laptops, tablets and desktops), stolen passwords or virus infections that are not automatically cleaned by resident anti-virus software. Any such activity must be reported immediately to the IT Service Desk.
k) Unacceptable uses of IT resources include but are not limited to the following:
i. Using the resources for any purpose which violates local, provincial or federal laws.
ii. Using the University's systems or networks for personal gain; for example, by selling access to user identities or to University systems or networks, or by performing work for profit with University IT resources in a manner not authorized by the University.
iii. Unauthorized copying of information stored on the University's IT assets.
iv. Using excessive computing resources, data storage or network bandwidth in activities such as propagating chain letters, broadcasting inappropriate messages to lists or individuals, transferring unusually large or numerous files or messages, or printing excessive amounts of paper.
v. Sending or storing for retrieval patently harassing, objectionable or extremely offensive, intimidating, or abusive material. Such material includes but is not limited to racist material, hate literature, sexist slurs or sexually explicit material.
vi. Misrepresenting your identity or affiliation while using IT resources.
vii. Using someone else's identity and password for access to IT resources, logging others into the network to access IT resources, or using the network to make unauthorized entry to other computational, information, or communications devices.
ix. Sending, displaying or storing obscene or pornographic material or any other material that is subject to laws or regulations.
x. Attempting to evade or crack passwords of systems on the network.
xi. Attempting to circumvent or subvert system or network security measures.
xii. Reproducing, downloading and/or distributing material protected by trademark, trade secret, or other intellectual property without appropriate authorization.
xiii. Making or using illegal copies of copyrighted materials, software or movies, storing such copies on University systems, or transmitting them over University networks.
xiv. Copying, modifying or destroying files belonging to others or to the University without authorization, including altering data, introducing or propagating viruses, Trojans or worms, or simply damaging files.
xv. Purposefully interfering with or disrupting another user's work or the proper functioning of IT resources.
xvi. Intercepting or altering network packets.
xvii. Engaging in any other activity that interferes with the work of other students, faculty, or staff or the normal operation of the University IT resources.
Information security considerations such as regulatory, compliance, confidentiality, integrity and availability requirements are met when the University community conforms to University policies. However, the University understands that enforcement of security policies and procedures may not always be feasible. Therefore, while deviation from policies and procedures is highly discouraged, it may be considered provided that the alternative presents a reasonable, justifiable business and/or research case for an exception.
The CIO will inform the Administrative Committee annually on non-compliance and exception matters.
A. CONDITIONS FOR CONSIDERING AN EXCEPTION
i. User or organizational unit was unaware of their non-compliance and cannot meet compliance immediately;
ii. Compliance is not possible and the system is being phased out: the owner must manage the risk in the interim;
iii. An alternate method for meeting compliance is available that offers equivalent or better security.
B. EXCEPTION PROCESS
i. The user (requesting party), with the approval of their faculty dean or service director, must submit the following to the CIO or one of his/her delegates:
A general description of the exception request, including:
1) The business need for a security exception;
2) The scope and extent of risks posed by non-compliance;
3) Methods and resources to be used to either meet compliance or manage the risk (mitigating safeguards);
4) Residual risks;
5) Date by which compliance will be met or state of non-compliance ends.
ii. Access to objectionable or offensive material may be permitted for academic or research purposes as long as the research is approved by the Research Ethics Board or dean, and sufficient and appropriate safeguards to contain the research to pre-defined and intended University IT resources are in place. It is recommended that prior consultation with the instructor, dean or director of the impacted department be obtained to ensure that the University’s community and ethical standards are maintained. If required, consultation with Information Technology is also available to facilitate the above activities.
iii. The Security Architect will perform an initial analysis of the request. If the non-compliance is due to the requestor using an alternative and superior solution, or if the request is clearly reasonable and fits prior patterns of approval, the Security Architect may automatically grant the exception. This is likely to cover most requests.
iv. Otherwise, the request may be presented to the CIO or to the relevant senior administration of the organizational unit requesting the exception.
v. If the request is denied, it will be accompanied by an explanation and perhaps suggestions for alternative methods.
vi. The result will be returned to the requestor, who may appeal denials by resubmitting the request. Appeals may be taken to the CIO, who will make the final recommendation.
vii. A log of exception requests and rulings will be maintained and made available as needed.
viii. Once a particular type of exception has been ruled on, future exception requests of the same type may receive the same ruling, barring special circumstances.
For the exception process to be effective, it must operate in a consistent, neutral and timely fashion.
This Policy will be reviewed by the CIO on a regular basis, or as deemed appropriate based on changes in technology or regulatory requirements.
10. EFFECTIVE DATE
This Policy comes into effect on June 15, 2016.