Policy 116 - Schedules - IT Asset Use and Security Standards


Table of Contents
SCHEDULE A – ACCEPTABLE USE OF IT ASSETS
SCHEDULE B - NETWORK MONITORING
SCHEDULE C - SOFTWARE LICENSING AND USAGE
SCHEDULE D - PASSWORD PROTECTION
SCHEDULE E - ACCESS CONTROL
SCHEDULE F - COMMUNICATIONS AND NETWORKING
SCHEDULE G - REMOTE ACCESS
SCHEDULE H - CHANGE MANAGEMENT AND CONTROL
SCHEDULE I - VIRUS PROTECTION
SCHEDULE J - IT ASSET DISPOSAL
SCHEDULE K - ACCEPTABLE ENCRYPTION
 

SCHEDULE A – ACCEPTABLE USE OF IT ASSETS

1. PURPOSE

1.1 This schedule defines the standard that governs the acceptable use of all IT assets.

2. APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116, Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116.

2.2 For the purposes of this standard:

a) “acceptable use”, as more particularly defined in section 3 below, broadly means use of a University IT asset for University purposes only, while respecting the rights of other users of IT assets and maintaining the integrity of IT assets and respecting all pertinent licence and contractual agreements;
b) “chain letter” includes a message, in any format, that attempts to convince the recipient to make a number of copies of the message to be passed on to as many further recipients as possible;
c) “spam” means any commercial electronic message sent without the express consent of the recipient(s), and includes a message used as the vehicle for delivery of online threats such as spyware, phishing and malware.

3. STANDARD

3.1 In making acceptable use of IT assets, the user shall:

a) Protect their user identity, password and system from unauthorized use. All users are responsible for all activities on their user accounts or that originate from their devices.
b) Secure University IT assets when they are left unattended. While in transit, devices must be kept in the user’s possession or secured (for example, if left in a car, hidden in the trunk with the vehicle locked).
c) Understand the sensitivity of information in the user’s custody and treat such information accordingly. Even if technical security mechanisms fail or are absent, every user must act as a reasonable person to maintain the security of information commensurate to its sensitivity.
d) Access, use or disclose restricted, confidential or internal information (as classified pursuant to Policy 117: Information Classification and Handling) only to the extent authorized and necessary to fulfill assigned duties or responsibilities. 
e) Be considerate in using shared resources. Refrain from monopolizing systems, overloading networks with excessive data, degrading services, or wasting computer time, connect time, disk space, printer paper, manuals, or other resources. As the use of IT resources changes and technology capabilities evolve over time, consult with Information Technology or the user’s own IT department to define appropriate and efficient uses of IT resources.
f) Ensure that personal use of IT assets does not compromise or violate network, computer or data security and/or ethical policies or principles established or espoused by the University. 
g) Report immediately, to the IT Service Desk, incidents such as stolen computing equipment (including but not limited to laptops, tablets and desktops), stolen passwords, or virus infections that are not automatically cleaned by resident anti-virus software.

3.2 The following uses of IT assets are acceptable:

a) Use for University-related purposes, including but not limited to direct and indirect support of the University’s academic, research and administrative activities.
b) Personal use, providing that such use is not for financial gain, does not incur any additional costs to the University, does not interfere with the conduct of University business and does not otherwise constitute unacceptable use as set out in this standard.
c) Use of University email facilities and official University email accounts in a manner considered acceptable under Policy 118, Electronic Mail.

3.3 The following uses of IT resources are prohibited:

a) Using unauthorized user names, passwords, computer addresses or identities, or modifying assigned network settings to gain access to computer resources or data, or otherwise attempting to evade, disable or crack the security provisions of University or external systems. 
b) Accessing data that is not publicly available, does not belong to the user and which the user does not have explicit permission to access, or accessing IT assets in a manner designed to circumvent public or restricted access limitations (e.g., replicating a database by automated queries). 
c) Inspecting, altering, deleting, publishing or otherwise tampering with files or file structures that one is not authorized to access. 
d) Disclosing or distributing, without authorization, information that is the property of the University.
e) Using any process that causes a user to be deprived of services or resources that they would normally expect to have available. This includes, but is not limited to, creating spam (excessive email distribution without permission), propagating chain letters, broadcasting offensive or otherwise inappropriate messages, mounting denial of service attacks, and intentionally using, introducing, distributing or creating viruses, worms or other malicious software.
f) Using IT assets in a manner that disables other IT assets, makes disproportionate use of IT assets that causes other users to be denied reasonable access to them or materially increases their costs. This includes, but is not limited to, downloading large non-work-related files, downloading or distributing illegal material using BitTorrent or any other peer-to-peer file sharing protocol, or launching denial of service or distributed denial of service attacks.
g) Degrading systems by using unwarranted data space, consuming time and bandwidth through the use of resource‐intensive programs, establishing unattended network connections, or printing lengthy documents unnecessarily. 
h) Using IT assets for purposes other than as permitted under section 3.2 above.
i) Giving, selling or otherwise providing IT assets to individuals or groups that do not have explicit permission to access, acquire or use them. 
j) Sharing computer accounts without obtaining prior permission from Information Technology or another relevant administrative authority within the University.
k) Installing, reproducing and/or distributing copyrighted materials such as proprietary software, publications or files without permission. Copying or removing University software provided under licensing agreements with various vendors. Storing or using, on University IT assets, third-party copyrighted information or software that users do not have specific approval to store or use.
l) Importing or distributing material that may be objectionable or offensive to others or the possession or distribution of which is regulated by laws, regulations, or policies, including without limitation racist material, hate literature, sexist slurs or sexually explicit material.  
m) Sending harassing or defamatory material, as defined in relevant laws, regulations, or policies, by any means, including text messages, social media, email, voice mail or newsgroup postings. 
n) Altering, concealing or destroying University IT assets, or causing any other person to do so, with the intention of frustrating rights or obligations under access to information or other applicable laws.
o) Using IT assets in a manner that poses a significant, material, or unacceptable risk to health, safety or security.
p) Using IT assets in a manner that violates any local, provincial or federal law or regulation or any University policy, procedure, regulation, standard, guideline or directive.


SCHEDULE B - NETWORK MONITORING 

1. PURPOSE

1.1 This schedule defines the standard that governs the monitoring, logging, and retention of network traffic that traverses University networks. 

2. APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116 – Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116.

2.2 For greater certainty, this standard specifically applies to all computing systems and network infrastructure resources owned or managed by the University.

3. STANDARD

3.1 Designated IT employees may use monitoring technologies such as anti-virus software, network firewalls, web security gateways, email security firewalls, vulnerability management systems, identity and access management systems, and database and application monitoring systems to log network, user and system activities for the purposes of protecting University IT assets. Information resulting from these monitoring technologies may be centrally collected, correlated and analyzed via a security information and event management (SIEM) tool. 

3.2 Access to and monitoring of specific network traffic within a specified scope may only occur if there is a demonstrated, legitimate need to:

a) detect known patterns of IT security attacks or compromises; 
b) detect improper release of confidential or restricted data; or
c) troubleshoot or analyze network-based problems.

3.3 Once the legitimate need is established, only IT employees authorized by the relevant IT manager of the relevant faculty, administrative or other organizational unit shall be permitted to access and monitor specific traffic on specific networks for which they are responsible, provided that:

a) the IT employees have an understanding of the operation of network monitoring devices; 
b) the IT employees have signed a confidentiality agreement; and
c) the Security Architect is notified of the authorization given to IT employees.

3.4 All network-monitoring points shall be architected, approved and configured by Information Technology. 

3.5 Network monitoring points and associated devices shall not be extended physically or virtually (such as through a VPN) or changed without written approval from the Security Architect. Information Technology shall maintain written records of all monitoring points, architectures and approvals.

3.6 Designated IT employees and the Security Architect may store incident-related data as required. Unrelated monitored data shall not be stored by anyone.

3.7 Monitoring data stores and logs shall not be accessible from the public Internet. All authorized IT employees shall show due care in protecting, handling and storing all monitored data and logs. Off-campus access to monitoring data stores and logs must be authorized and updated by an appropriate Information Technology authority.

3.8 The Security Architect or a designated IT employee shall have the authority to discontinue service to any network or network device that:

a) is in violation of this standard or any other standard or procedure established pursuant to Policy 116;
b) has demonstrated an operational hindrance or threat to the University or its IT assets; or
c) is a threat to the Internet community in general.

SCHEDULE C - SOFTWARE LICENSING AND USAGE 


1. PURPOSE

1.1 This schedule defines the standard that governs the use of software at the University in order to prevent infringing activities.

2. APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116 – Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116.

2.2 This standard addresses only computer software and supporting documentation, and no other material such as literary, instructional, dramatic, musical, or artistic works created by members of the University community.

2.3 This standard shall not apply when members of the University community participate in non-University activities or in organizations that operate independently of the University (e.g., outside employment, volunteer or other activity in an area unrelated to University activities, or activity conducted while on an unpaid leave of absence from the University). 

2.4 This standard shall not apply to personally owned technology devices that are not connected to or do not use University IT assets.

2.5 For the purposes of this standard:

a) “illegal software” means software, including without limitation freeware, shareware, open source, proprietary, demo or trial versions of software, that is copied or used contrary to the terms of any applicable software licence.
b) “software licence” means the right to use software, granted by a licensor to a licensee under the conditions of a licence agreement.

3. STANDARD

3.1 No member of the University community shall be involved in any activity, while connected to or using a University network or other IT asset that violates federal, provincial or local laws with respect to intellectual property, software licence agreements or University policies pertaining to computer software. This applies to any computer software owned by or licensed to the University. 

3.2 All software installed on University IT resources shall be purchased, leased or licensed (e.g., through an enterprise licence, server-based licence, individual workstation licence or negotiated contract).

3.3 Unauthorized duplication of leased or licensed software and documentation is strictly prohibited.

3.4 University-owned software shall be protected from actions that could jeopardize the confidentiality, integrity or availability of organizational information or automated systems.

3.5 Software purchased, leased, licensed or developed by the University shall only be installed on University-owned hardware unless otherwise authorized within the terms of any applicable licensing or other agreement.

3.6 Fully executed contracts, licences, or other agreements related to the acquisition of software shall be retained by the administrative officer of the relevant organizational unit and, when required by University policy, Procurement. 

3.7 The reproduction of copyrighted software is prohibited unless and to the extent authorized by the terms of any applicable licensing or other agreement. 

3.8 University-licensed software shall not be copied to or stored on non-University equipment unless and to the extent authorized by the terms of any applicable licensing or other agreement.

3.9 Demo software obtained on a trial basis shall be removed after evaluation unless properly licensed or purchased.

3.10 Software and information stored on University IT resources shall be removed or destroyed prior to sending such IT resources for maintenance, salvage or redeployment in another organizational unit. The method used for destruction shall ensure that restricted, confidential or internal information (as defined in Policy 117 – Information Classification and Handling) is destroyed beyond recognition and cannot be reconstructed.

3.11 Members of the University community shall return all University-licensed software upon termination of employment or contractual or other relationship with the University.

3.12 University-licensed software, documentation or information shall not be sold or transferred to another (non-University) entity without prior written approval from the copyright owner or relevant administrative authority (e.g., dean, principal investigator, vice-president, associate vice-president or equivalent), as well as Procurement.

3.13 Contracts negotiated with software vendors for critical applications and customized software shall be reviewed and approved in accordance with the University’s procurement policies (Policy 36 and Policy 98).

SCHEDULE D - PASSWORD PROTECTION


1 PURPOSE

1.1 This schedule defines the standard that governs the use of passwords in connection with the use of University IT assets, including the creation of strong passwords, the use of password protection technology, and the frequency of password changes required to ensure the integrity of all user, privileged and administrative accounts.

2 APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116 – Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116. For greater certainty, this standard applies to all IT asset users and administrators.

3 STANDARD

3.1 Passwords shall contain at least 10 alphanumeric characters.

3.2 Passwords shall contain at least three of the four following character classes:

3.2.1 Lowercase characters 
3.2.2 Uppercase characters
3.2.3 Numbers
3.2.4 Punctuation and “special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/);

3.3 Default account passwords shall be changed in accordance with this standard.

3.3.1 Users shall change their initial password to a new one during their first logon.

3.3.2 For systems accessed by users (e.g., web-based applications), the frequency of password/PIN changes should be based on the risk, sensitivity and nature of the application and information accessed.

3.3.3 All system-level passwords (e.g., root, Windows Administrator, application administrator accounts) must be changed on at least a quarterly basis.

3.4 Passwords shall not be shared. All passwords shall be treated as restricted information (as defined in Policy 117 – Information Classification and Handling).

3.5 Passwords should not be written down unless strictly necessary. In cases where it is necessary to write a password down, it shall be stored in a secure location and properly destroyed when no longer needed.

3.6 Passwords shall not be stored without encryption.

3.7 Passwords shall not be stored in an easily reversible form.

3.8 Passwords shall be encrypted during transmission (over any network) and when stored.

3.9 A user’s identity shall always be verified before resetting a password.

3.10 A password shall not be provided to a third party on request; requesters shall be referred to this standard or to the Security Architect.


SCHEDULE E - ACCESS CONTROL

1. PURPOSE

1.1 This schedule defines the standard that governs the use of access control technology to ensure information remains accurate, documented and managed on an ongoing basis to ensure its value to the University.

2. APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116 – Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116.

2.2 For the purposes of this standard:

a) “production information” means any information that is stored or used by workers to perform their work;
b) “information owner” and “information custodian” have the same meanings as in Policy 117 – Information Classification and Handling;
c) “principle of least privilege” and “least privilege principle” refer to the practice of limiting access to the minimal level that allows normal functioning (e.g., applying the principle of least privilege to employees would mean giving employees the lowest level of user rights necessary to the fulfilment of their employment duties).

3. STANDARD

3.1 Information classifications and controlling access

a) Access to production information and files shall be authorized by the information owner in accordance with its level of classification pursuant to Policy 117 – Information Classification and Handling. 

b) Production information shall retain the same level of security even if it is copied or moved from one computing platform to another (e.g., downloaded from a server to a computer).

c) If a University IT resource contains information with varying sensitivity classifications, access is governed by the classification of the most sensitive information.

d) All restricted information, within the meaning of Policy 117 – Information Classification and Handling, shall be encrypted when transmitted through any network.

e) All confidential information, within the meaning of Policy 117 – Information Classification and Handling, shall where possible be encrypted when transmitted through any network.

f) All restricted information, within the meaning of Policy 117 – Information Classification and Handling, shall be encrypted when stored in a database.

g) Restricted, confidential or internal information, within the meaning of Policy 117 – Information Classification and Handling, shall not be copied or stored on non-University equipment, including the user’s personal equipment.

h) Restricted and confidential information, within the meaning of Policy 117 – Information Classification and Handling, shall be managed so that its confidentiality is maintained regardless of the media on which it is stored. This includes, but is not limited to, information in the following formats:

  • print
  • electronic mail
  • facsimile
  • voice recording
  • image processing
  • online reports
  • portable file storage media

i) Printers shall not be left unattended if restricted, confidential or internal information, within the meaning of Policy 117 – Information Classification and Handling, is being printed. Secure printing options shall be used whenever possible.

j) Printed materials that include restricted, confidential or internal information, within the meaning of Policy 117 – Information Classification and Handling, shall only be distributed or made available to authorized individuals or individuals with a legitimate need to know.

k) When encryption techniques are used to protect information, the information owner shall work with the information custodian to manage and safeguard the encryption keys.

3.2 Logging onto systems

a) User accounts shall be locked after five failed logon attempts whenever possible.

b) Logon warning banners may be displayed at all access points to University computers and systems where technically feasible.

c) Users shall not receive specific feedback about the source of the problem (other than a failed authentication code message) if any part of their logon sequence is incorrect.

d) When feasible, sessions shall automatically terminate or require that an authentication code be re-entered into the system after a specific period of inactivity. The timeout period shall be based on the system and sensitivity of the information, and generally should not exceed 30 minutes.

e) Access control security systems shall be used to provide an audit trail of all successful and unsuccessful access attempts and violation messages.

3.3 User identification, authentication and authorization

a) Each user shall be assigned a unique ID and shall use a password to ensure confidentiality and accountability.

b) Access control software shall maintain a history of previous authentication codes and prevent reuse of at least the 10 prior authentication codes whenever technically feasible.

c) Passwords shall be reset by the IT Service Desk only when requesters are able to validate that they are who they represent themselves to be.

d) User IDs and passwords shall not be hardcoded or embedded into software, login scripts, macros, or batch files.

e) Access rights shall be granted in accordance with least privilege and need-to-know principles.

f) Role-based access control shall be used to secure access to all IT assets.

g) The allocation of privilege rights (e.g., local administrator, domain administrator, super user, root access) shall be restricted and controlled and not provided by default.

h) Third parties shall be provided with accounts that offer access solely to the systems or data they are contracted to handle in accordance with least privilege and need-to-know principles.

i) Access to restricted, confidential, or internal information, within the meaning of Policy 117 – Information Classification and Handling, shall be limited to authorized persons whose work or study responsibilities require such access as determined by law, contractual agreement or University policies, procedures or regulations. Responsibility for implementing access restrictions lies with information owners.

3.4 User identification administration

a) Access to all University IT assets shall be promptly cancelled upon termination or completion of employment, assignment, contract or relationship with the University.

b) Access to automated systems and data shall be re-evaluated when an employee or contractor changes departments or job responsibilities.

3.5 Physical access controls

a) Controls shall be established to restrict physical access to automated systems (e.g., mainframe computers, mid-range computers, Local Area Network (LAN) servers, and network and communications devices). Access shall be granted in accordance with least privilege and need-to-know principles.

b) Computers and related equipment shall reside in access-controlled rooms that limit access based on job function. Small systems, such as LAN servers, gateway servers, network bridges or routers shall be located in a data centre or in a separate access-controlled room.

c) All wiring cabinets or closets shall be physically secured. Network cables shall not be exposed or unprotected.

d) Physical access control records and access privileges shall be reviewed for appropriateness by the information custodian on a periodic basis, as determined by practicality and potential risk. Evidence that such a review has taken place shall be retained for at least 13 months, and should include reports with appropriate sign-off and follow-up mechanisms.

e) All backups shall be stored in an environmentally-protected and access-controlled site.

f) In addition to being encrypted, portable file storage media containing restricted or confidential information, within the meaning of Policy 117 – Information Classification and Handling, shall be stored in a secure location, such as a locked cabinet, when not in use.

g) In addition to being encrypted, portable devices such as laptops shall be physically secured in a locked cabinet or equivalent when not in use at work or off-site locations.

SCHEDULE F - COMMUNICATIONS AND NETWORKING


1. PURPOSE

1.1 This schedule defines the standard that governs the use of communications and networking technology to ensure the confidentiality, integrity, availability and authenticity of information shared between the University’s computer systems and with outside networks and computers.

2. APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116 – Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116.

2.2 For greater certainty, this standard applies to University IT assets as well as devices and/or computers owned by individuals who have been authorized to install or connect personal equipment on University premises or to the University network.

2.3 For the purposes of this standard:

“external connection” means a link established between a University computer system and a non-University computer system. Examples of external connections include:

  • a University business unit that has established a connection to a service provider’s or business partner’s computer from the University network;
  • a University user that has established a remote connection to a University computer system;
  • an employee or student who establishes an active Internet session from the University network;

“external party” means any party that does not fall within the definition of internal party, below;

“firewall” means a series of components or interfaces that form a secure gateway between the University's internal network and external networks in order to aid in protecting the integrity of the University’s network and the information that resides within it;

“internal party” means one of the following:

  • an employee of the University;
  • a contractor of the University using a University facility;
  • a student of the University using a University facility;
  • a member of a federated institution of the University of Ottawa (e.g., Saint Paul University); or
  • any part of a business entity that operates under University management.

“Internet service” means any service used or provided over the Internet.

“Private network connection” means a direct link established between the University and an external party through a dedicated leased, VPN or private value-added network provider (e.g., Telus, Rogers);

“Public network connection” means a connection established between University computer systems and other computers over the Internet.

3. STANDARD

3.1 Connectivity to or from the University’s network shall be approved and coordinated by Information Technology.

3.2 Connections to private and public networks

  • Network connections with external parties based on IP communications, ports or protocols shall be secured through the University’s standard firewall.
  • Connectivity architecture shall be designed so that external parties connecting to a University system are prevented from directly accessing any of the University’s Local Area Networks (LANs).
  • All remote access to or from the University shall be through data access paths approved or administered by Information Technology.
  • Modem connections to or from University computer systems (e.g., desktop devices, file servers, mainframe systems) shall not be permitted without prior review and approval by Information Technology.
  • Computers attached to the University’s network shall only be permitted to establish outbound connections to external parties through secure enterprise gateways (e.g., firewalls) established for such purposes. Outbound connections through any other means (e.g., modems) require prior review and approval by Information Technology.
  • External parties shall not be permitted to connect to the University’s internal network through corporate gateways (e.g., VPN) without prior review and approval by Information Technology.
  • Access to telecommunication services such as telephones, modems, faxes or VoIP devices shall be denied unless expressly permitted.
  • Intrusion detection and prevention systems shall be used to monitor the University's network and block known malicious traffic.
  • The design and deployment of network security devices shall require the approval of Information Technology.
  • Use of tools that identify network hosts and system vulnerabilities shall not be permitted without prior review and approval by Information Technology.
  • Use of network diagnostic tools that analyze traffic, capture data or decode packets (monitoring software, sniffers, etc.) shall not be permitted without prior review and approval by Information Technology, except where such use is within defined job responsibilities.
  • Internet and intranet security devices (e.g., routers, firewalls) shall be located in physically secured areas.
  • The University’s internal IP addresses shall not be disclosed to external parties through public or private network connections.
  • Integrity of firewalls and high-risk systems at the network perimeter shall be verified on a regular basis and whenever system configuration changes occur.

3.3 Remote access to University systems and the University network

a) Remote access to the University’s systems and network shall only be permitted through the designated enterprise remote access gateways.
b) Intentional interference with the normal operation of any University remote access gateway is prohibited.
c) Remote access to automated systems on the University’s internal network shall require strong password protection in accordance with the Password Protection standard established in Schedule D to Policy 116 – Use and Security of Information Technology Assets.
d) Use of the University remote access gateways shall only be permitted for accessing resources on the University’s internal network.

3.4 Encryption

a) All restricted information, within the meaning of Policy 117 – Information Classification and Handling, shall be encrypted when transmitted through any network.
b) All confidential information, within the meaning of Policy 117 – Information Classification and Handling, shall where possible be encrypted when transmitted through any network.

3.5 Internet services

a) All enterprise connections to the Internet shall be established through a secure gateway (e.g., a firewall).
b) Connections through any other source (e.g., DSL modem, personal wireless access points) shall not be permitted without prior review and approval by Information Technology.
c) All Internet services shall be denied unless explicitly permitted. Requests for services not explicitly permitted shall require approval by Information Technology.
d) Event logging shall be enabled at key components of the Internet infrastructure (e.g., the firewall, secure web gateway, email, and FTP servers).
e) Internet use shall conform to the Acceptable Use of IT Assets standard established in Schedule A to Policy 116 – Use and Security of Information Technology Assets.

3.6 Email

All inbound files, email links and attachments shall be scanned for viruses prior to being allowed into the University’s internal network. 

 

SCHEDULE G - REMOTE ACCESS


1 PURPOSE

1.1 This schedule defines the standard that governs the use of remote access technology to connect to the University of Ottawa network from a remote host in a manner that minimizes potential exposure to unauthorized use of University IT assets.

2 APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116 – Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116.

2.2 For greater certainty, this standard applies to all members of the University community (including members of federated institutions such as Saint Paul University) using University-, third-party- or personally-owned devices to connect to the University network. It also applies to remote access connections used to do work on behalf of the University or for University-related activities.

2.3 For the purposes of this standard, remote access includes all direct connections to University systems and networks from outside of the University network.

2.4 All activity during a remote access session is subject to University policies, standards and procedures.

2.5 All machines, while using the University's remote access technology, including University-owned and personal equipment, automatically become part of the University's network, and are subject to Policy 116.

3 STANDARD

3.1 Secure remote access shall be strictly controlled by Information Technology through an established remote access technology standard. Access through any other source requires prior review and approval by Information Technology.

3.2 Intentional interference with the normal operation of any University enterprise remote access gateway is prohibited.

3.3 All requests for remote access shall be accompanied by a documented business case and approval from the requester’s manager or supervisor. This applies, but is not limited to, requests by employees, service providers, consultants, contractors, partners and temporary employees. Each request shall be reviewed and approved on a case-by-case basis by Information Technology.

3.4 All members of the University community and authorized third parties with remote access privileges shall ensure that unauthorized users are not allowed access to the internal networks of the University and their associated content. At no time shall members of the University community provide their usernames or passwords to anyone.

3.5 Members of the University community with remote access privileges shall ensure that their University-owned personal computers or workstations remotely connected to the University network are not simultaneously connected to any other network, with the exception of personal networks that are under the complete control of the user.

3.6 Users are responsible for having an up-to-date operating system and anti-virus software for devices with which they connect to the University’s internal network via remote access or any other technology. This includes personally owned devices. Anti-virus software is only provided to University employees.

3.7 Vendor or other third-party connections shall comply with the requirements stated in any relevant third-party agreement or contract with the University.

3.8 Faculties or individuals intending to implement non-standard solutions to provide for remote access to the University’s production network shall obtain prior approval from Information Technology.



SCHEDULE H - CHANGE MANAGEMENT AND CONTROL


1. PURPOSE

1.1 This schedule defines the standard that governs changes to the University’s technology environment in order to ensure the confidentiality, integrity, and availability of IT assets. 

2. APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116 – Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116.

2.2 For greater certainty, this standard applies to any device or application owned or operated by the University, as well as to individuals who have been authorized to install new systems or make changes to existing systems.

2.3 For the purposes of this standard, (1) “infrastructure” refers to the system software, hardware and network components used to support an application, (2) “change management” refers to a process that ensures that all changes to the IT infrastructure are assessed and authorized in a controlled manner, (3) “Change Advisory Board (CAB)” is a team that meets to assess Change Requests and recommend their authorization or rejection.

3. STANDARD

3.1 Change control processes shall be used to minimize the risk of change and its impact on production applications, systems and networks. Changes shall be authorized, tested and documented prior to implementation.

3.2 All application and infrastructure components running in the production environment shall be subject to a formal change control process for managing changes to the environment. The Change Advisory Board (CAB) shall review all changes during scheduled meetings to ensure application, infrastructure and security concerns are addressed.

3.3 The scope and production readiness of the change shall be documented and then approved by Information Technology, or, in the case of faculty- or service-managed applications and systems, by the IT asset owner (or delegate).

3.4 All maintenance (programs, files, spreadsheets, infrastructure components, etc.) shall be supported by a request or documentation.

3.5 Software, hardware and networks under development or modification shall be kept separate from production software, hardware and networks, respectively.

3.6 Access to update libraries or directories containing production programs (source code and executable modules) shall be restricted to individuals requiring such access to perform their responsibilities.

3.7 The test environment shall be kept separate from the production environment.

3.8 A file naming method shall be employed to clearly distinguish between files used for production and files used for testing and training.

3.9 Provisions shall be made to ensure that changes to production components can be backed out, and that the prior production version can be restored or recreated.

3.10 When implementing business application systems, security shall be considered by systems developers from the beginning of the systems design process through to implementation in the production environment.

 

SCHEDULE I - VIRUS PROTECTION


1. PURPOSE

This schedule defines the standard that governs the use of virus prevention techniques aimed at minimizing the risk of virus infections and virus attacks on University IT assets.

2. APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116, Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116.

2.2 For greater certainty, this standard applies to University IT resources as well as those owned by individuals who have been authorized to install or connect personal equipment on University premises or to the University network.

2.3 For greater certainty, this standard does not apply to platforms for which anti-virus software is not available.

3. STANDARD

3.1 Users are responsible for ensuring updated anti-virus software is installed on any IT resource they use (desktop, laptop, server, etc.) for processing restricted, confidential or internal information (within the meaning of Policy 117 – Information Classification and Handling) as well as production applications.

3.2 University IT resources shall be supplied, when available, with an appropriate anti-virus product with automatic updating.

3.3 Users who do not work from a University IT resource shall ensure that adequate anti-virus protection measures are implemented on their computer.

3.4 Anti-virus software signature files shall be kept current.

3.5 All portable file storage media, regardless of where it comes from, shall be scanned for viruses by the user before it is used.

3.6 Portable file storage media intended for mass distribution, whether duplicated internally or by a vendor, shall be verified by IT staff to be free from viruses prior to distribution.

3.7 Hardware shall be scanned for viruses after it is repaired and before it is used on the University network.

3.8 Any activity intended to create or distribute malicious programs on the University network (e.g., viruses, worms, Trojan horses) is strictly prohibited.

3.9 Information Technology reserves the right to disconnect any device from the University network if an infection is found or suspected. The machine shall remain disconnected from the University network until the infection is removed by the relevant organizational unit’s IT staff.

3.10 Anyone who suspects that a computer is infected with a virus shall immediately report the incident to the IT Service Desk.


SCHEDULE J - IT ASSET DISPOSAL


1. PURPOSE

1.1 This schedule defines the standard that governs the roles and responsibilities of members of the University community who have been given a University IT asset to ensure its secure disposal.

2. APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116 – Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116.

2.2 For the purposes of this standard:

a) “IT asset controller” is the person who has responsibility for the management of an IT asset;
b) “computer equipment” means personally owned or University-supplied personal computers, laptops, mobile devices, printers, servers or other devices that process or store University data.

3. STANDARD

3.1 Members of the University community shall follow the approved destruction methods to ensure that unauthorized exposure of University IT assets is prevented or minimized.

3.2 Computer equipment that stores restricted, confidential or internal information, within the meaning of Policy 117 – Information Classification and Handling, that is no longer needed or has reached the end of its lifecycle shall have all such information securely deleted before: 

a) re-distribution or re-use of the equipment within the University;
b) the equipment leaves the University’s custody; or
c) the decommissioning of its core services.

Such computer equipment shall be securely wiped or have any information it contains or stores removed by University IT staff or an authorized delegate, in accordance with University disposal procedures.

3.3 No computer equipment should be disposed of in dumps, landfills, etc.

3.4 The University maintains arrangements with companies regarding the disposal of computing equipment. IT asset controllers discarding computer equipment shall use one of these contracted organizations for purposes of disposal or trade-in of such equipment.

3.5 For all disposals, the IT asset controller shall ensure that data with personal details (including email and other addresses) are removed, in compliance with legal obligations.

3.6 To comply with licences and copyright law, when computer equipment leaves the ownership or custody of the University, the IT asset controller shall ensure that all software is removed. Exceptions may be made when transferable software licences, including the original disks, operating system and documentation, are supplied with the computer. The original operating system may be retained if the original certificates are available to be transferred with the machine. 

3.7 Assets funded from external sources that are subject to externally imposed rules and conditions relating to ownership may only be disposed of in accordance with those rules and conditions.



SCHEDULE K - ACCEPTABLE ENCRYPTION 

1. PURPOSE

1.1 This schedule defines the standard that governs the use of encryption technology to preserve the confidentiality and integrity of information.

2. APPLICATION, SCOPE AND INTERPRETATION

2.1 This standard is established pursuant to Policy 116 – Use and Security of Information Technology Assets, and its application, scope and interpretation are governed by Policy 116.

3. STANDARD

3.1 All restricted information within the meaning of Policy 117 – Information Classification and Handling shall be encrypted when transmitted through any network.

3.2 All confidential information within the meaning of Policy 117 – Information Classification and Handling shall, where possible, be encrypted when transmitted through any network.

3.3 All restricted information within the meaning of Policy 117 – Information Classification and Handling shall be encrypted when stored in a database.

3.4 Encryption algorithms and processes shall adhere to the following industry standards:

  • American National Standards Institute (ANSI) X9 
  • National Institute of Standards and Technology (NIST)
  • Federal Information Processing Standards (FIPS)

3.5 The use of proprietary encryption algorithms is not allowed unless reviewed by qualified experts independent of the vendor in question and approved by the Security Architect.

3.6 The information owner, as defined in Policy 117 – Information Classification and Handling, shall assume responsibility for protecting encryption keys.

3.7 Keys shall be used for a single designated purpose.

3.8 Encryption systems shall be designed so that no single person has full knowledge of an encryption key. Encryption keys shall be protected through the segregation of duties and dual control techniques.

3.9 Encryption keys shall remain confidential, and access to the keys shall be limited to those individuals who have a need-to-know.

3.10 Persons entrusted with a key component shall protect the component so that it cannot be observed by another individual.

3.11 Encryption key management processes shall be automated where possible to avoid errors and unauthorized or accidental disclosure of keys.

3.12 Encryption keys shall be generated using a random pattern to yield keys that are difficult to guess.

3.13 Asymmetrical encryption keys (public and private key pairs) shall be changed at least once every three years.

3.14 Hardcopy versions of encryption keys shall be kept confidential and stored in a secure manner under dual control.

3.15 All materials and supplies used in the generation, distribution or storage of encryption keys shall be kept confidential and stored in a secure manner. Components no longer needed shall also be destroyed in a secure manner, as witnessed and documented by an observer.

3.16 Encryption keys and related encryption keying materials (initialization vectors, time and date stamps, salt parameters, etc.) used in the encryption process shall not reside on storage media in an unencrypted format.

3.17 Encryption keys transmitted over communication lines shall be sent in an encrypted form.

3.18 IDs and access codes (passwords or PINs) shall be separated (distributed in separate transmittals) and concealed in tamper-proof envelopes if sent by mail or similar distribution method.
