SCHEDULE A - ACCEPTABLE USE OF IT ASSETS
PURPOSE: This schedule defines the standard that governs the acceptable use of all IT assets.
SCHEDULE B - NETWORK MONITORING
PURPOSE: This schedule defines the standard that governs the monitoring, logging, and retention of network traffic that traverses University networks.
SCHEDULE C - SOFTWARE LICENSING AND USAGE
PURPOSE: This schedule defines the standard that governs the use of software at the University in order to prevent infringing activities.
SCHEDULE D - PASSWORD PROTECTION
PURPOSE: This schedule defines the standard that governs the use of passwords in connection with the use of University IT assets, including the creation of strong passwords, the use of password protection technology, and the frequency of password changes required to ensure the integrity of all user, privileged and administrative accounts.
PURPOSE: This schedule defines the standard that governs the use of access control technology to ensure information remains accurate, documented and managed on an ongoing basis to ensure its value to the University.
SCHEDULE F - COMMUNICATIONS AND NETWORKING
PURPOSE: This schedule defines the standard that governs the use of communications and networking technology to ensure the confidentiality, integrity, availability and authenticity of information shared between the University’s computer systems and with outside networks and computers.
PURPOSE: This schedule defines the standard that governs the use of remote access technology to connect to the University of Ottawa network from a remote host in a manner that minimizes potential exposure to unauthorized use of University IT assets.
SCHEDULE H - CHANGE MANAGEMENT AND CONTROL
PURPOSE: This schedule defines the standard that governs changes to the University’s technology environment in order to ensure the confidentiality, integrity, and availability of IT assets.
PURPOSE: This schedule defines the standard that governs the use of virus prevention techniques aimed at minimizing the risk of virus infections and virus attacks on University IT assets.
SCHEDULE J - IT ASSET DISPOSAL
PURPOSE: This schedule defines the standard that governs the roles and responsibilities of members of the University community who have been given a University IT asset to ensure its secure disposal.
SCHEDULE K - ACCEPTABLE ENCRYPTION
PURPOSE: This schedule defines the standard that governs the use of encryption technology to preserve the confidentiality and integrity of information.
SCHEDULE L - PRIVILEGED ACCOUNT USAGE ON END-USER DEVICES
PURPOSE: The purpose of this schedule is to ensure appropriate and consistent delegation of privileged access to end-user devices.
SCHEDULE M - PRIVILEGED ACCESS TO IT SYSTEMS AND SERVICES
PURPOSE: The purpose of this schedule is to define privileged access account use and management at the University.
PURPOSE: The purpose of this schedule is to establish the minimum requirements for maintaining a “clean desk” – where sensitive/critical information about employees, students, intellectual property, customers, and vendors is secured in locked areas and out of sight.
SCHEDULE O - GENERATING AND MAINTAINING SYSTEM LOGS
PURPOSE: The purpose of this schedule is to identify specific requirements that information systems must meet in order to generate appropriate audit logs and integrate with the University’s system information and events management (SIEM) system.
SCHEDULE P - INFORMATION SECURITY RISK ASSESSMENT
PURPOSE: The purpose of this schedule is to outline the requirements for managing cybersecurity risks to the University of Ottawa that result from threats to the confidentiality, integrity, and availability of University IT assets.
PURPOSE: The purpose of this schedule is to ensure that all University-managed devices that store, process, or transmit University data are proactively managed and patched with the appropriate security updates.
PURPOSE: The purpose of this schedule is to provide direction to owners of University of Ottawa printers and related devices to protect such devices against compromise. This schedule describes the baseline standards required for print-related devices connected to the University network.
SCHEDULE S - SECURITY AWARENESS AND TRAINING
PURPOSE: The purpose of this schedule is to ensure that all employees within the University community receive clear guidance on expectations and requirements to participate in mandatory security awareness training.
PURPOSE: The purpose of this schedule is to establish the base configuration of server equipment that is owned or operated by the University of Ottawa. Effective implementation of this schedule will minimize unauthorized access to University of Ottawa proprietary information and technologies.
SCHEDULE U - SOFTWARE INSTALLATION
PURPOSE: The purpose of this schedule is to outline the requirements for the installation of software on devices owned and managed by the University of Ottawa.
SCHEDULE V - MULTI-FACTOR AUTHENTICATION
PURPOSE: Traditional “one factor” authentication methods (where the credentials consist of only a username and password) suffer from several weaknesses.
• Credentials can be divulged to others, deliberately or accidentally.
• A credential can be “stolen” without the knowledge of the owner, e.g. via phishing, keystroke-logging, or simply watching over a user’s shoulder.
• Multiple people can know and use the credentials at the same time.
• Credentials can be “guessed” via brute-force methods, or other means.
The purpose of this schedule is to outline requirements for multi-factor authentication (MFA) in order to overcome these weaknesses by requiring the user to provide a second factor that cannot be shared or duplicated.
SCHEDULE W - VULNERABILITY SCANNING
PURPOSE: The purpose of this schedule is to establish minimum requirements for performing vulnerability scans on server infrastructure.
SCHEDULE X - WEB APPLICATION SECURITY ASSESSMENT
PURPOSE: The purpose of this schedule is to define web application security assessments within the University of Ottawa. Web application assessments are performed to identify potential or actual weaknesses occurring as a result of misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of the University of Ottawa’s available services, both internally and externally, and comply with the relevant policies or schedules in place.
SCHEDULE Y - WIRELESS COMMUNICATION
PURPOSE: The purpose of this schedule is to outline wireless network security requirements at the University of Ottawa. These requirements are mandatory and all wireless connectivity and deployments must comply with them.
SCHEDULE Z - WORKSTATION SECURITY
PURPOSE: The purpose of this schedule is to provide guidance for securing workstations in order to ensure the security of information stored on the workstation and information to which the workstation may have access.