Policy 116 - Schedules - IT Asset Use and Security Standards

 

SCHEDULE A – ACCEPTABLE USE OF IT ASSETS

PURPOSE: This schedule defines the standard that governs the acceptable use of all IT assets.

 

SCHEDULE B - NETWORK MONITORING

PURPOSE: This schedule defines the standard that governs the monitoring, logging, and retention of network traffic that traverses University networks.

 

SCHEDULE C - SOFTWARE LICENSING AND USAGE

PURPOSE: This schedule defines the standard that governs the use of software at the University in order to prevent infringing activities.

 

SCHEDULE D - PASSWORD PROTECTION

PURPOSE: This schedule defines the standard that governs the use of passwords in connection with the use of University IT assets, including the creation of strong passwords, the use of password protection technology, and the frequency of password changes required to ensure the integrity of all user, privileged and administrative accounts.

 

SCHEDULE E - ACCESS CONTROL

PURPOSE: This schedule defines the standard that governs the use of access control technology to ensure information remains accurate, documented and managed on an ongoing basis to ensure its value to the University.

 

SCHEDULE F - COMMUNICATIONS AND NETWORKING

PURPOSE: This schedule defines the standard that governs the use of communications and networking technology to ensure the confidentiality, integrity, availability and authenticity of information shared between the University’s computer systems and with outside networks and computers.

 

SCHEDULE G - REMOTE ACCESS

PURPOSE: This schedule defines the standard that governs the use of remote access technology to connect to the University of Ottawa network from a remote host in a manner that minimizes potential exposure to unauthorized use of University IT assets.

 

SCHEDULE H - CHANGE MANAGEMENT AND CONTROL

PURPOSE: This schedule defines the standard that governs changes to the University’s technology environment in order to ensure the confidentiality, integrity, and availability of IT assets.

 

SCHEDULE I - VIRUS PROTECTION

PURPOSE: This schedule defines the standard that governs the use of virus prevention techniques aimed at minimizing the risk of virus infections and virus attacks on University IT assets.

 

SCHEDULE J - IT ASSET DISPOSAL

PURPOSE: This schedule defines the standard that governs the roles and responsibilities of members of the University community who have been given a University IT asset to ensure its secure disposal.

 

SCHEDULE K - ACCEPTABLE ENCRYPTION

PURPOSE: This schedule defines the standard that governs the use of encryption technology to preserve the confidentiality and integrity of information.

 

SCHEDULE L - PRIVILEGED ACCOUNT USAGE ON END-USER DEVICES

PURPOSE: The purpose of this schedule is to ensure appropriate and consistent delegation of privileged access to end-user devices.

 

SCHEDULE M - PRIVILEGED ACCESS TO IT SYSTEMS AND SERVICES

PURPOSE: The purpose of this schedule is to define privileged access account use and management at the University.

 

SCHEDULE N - CLEAN DESK

PURPOSE: The purpose of this schedule is to establish the minimum requirements for maintaining a “clean desk” – where sensitive/critical information about employees, students, intellectual property, customers, and vendors is secured in locked areas and out of sight.

 

SCHEDULE O - GENERATING AND MAINTAINING SYSTEM LOGS

PURPOSE: The purpose of this schedule is to identify specific requirements that information systems must meet in order to generate appropriate audit logs and integrate with the University’s system information and events management (SIEM) system.

 

SCHEDULE P - INFORMATION SECURITY RISK ASSESSMENT

PURPOSE: The purpose of this schedule is to outline the requirements for managing cybersecurity risks to the University of Ottawa that result from threats to the confidentiality, integrity, and availability of University IT assets.

 

SCHEDULE Q - PATCH MANAGEMENT

PURPOSE: The purpose of this schedule is to ensure that all University-managed devices that store, process, or transmit University data are proactively managed and patched with the appropriate security updates.

 

SCHEDULE R - PRINTER SECURITY

PURPOSE: The purpose of this schedule is to provide direction to owners of University of Ottawa printers and related devices to protect such devices against compromise. This schedule describes the baseline standards required for print-related devices connected to the University network.

 

SCHEDULE S - SECURITY AWARENESS AND TRAINING

PURPOSE: The purpose of this schedule is to ensure that all employees within the University community receive clear guidance on expectations and requirements to participate in mandatory security awareness training.

 

SCHEDULE T - SERVER SECURITY

PURPOSE: The purpose of this schedule is to establish the base configuration of server equipment that is owned or operated by the University of Ottawa. Effective implementation of this schedule will minimize unauthorized access to University of Ottawa proprietary information and technologies.

 

SCHEDULE U - SOFTWARE INSTALLATION

PURPOSE: The purpose of this schedule is to outline the requirements for the installation of software on devices owned and managed by the University of Ottawa.

 

SCHEDULE V - MULTI-FACTOR AUTHENTICATION

PURPOSE: Traditional “one factor” authentication methods (where the credentials consist of only a username and password) suffer from several weaknesses.
• Credentials can be divulged to others, deliberately or accidentally.
• A credential can be “stolen” without the knowledge of the owner, e.g. via phishing, keystroke-logging, or simply watching over a user’s shoulder.
• Multiple people can know and use the credentials at the same time.
• Credentials can be “guessed” via brute-force methods, or other means.

The purpose of this schedule is to outline requirements for multi-factor authentication (MFA) in order to overcome these weaknesses by requiring the user to provide a second factor that cannot be shared or duplicated.

 

SCHEDULE W - VULNERABILITY SCANNING

PURPOSE: The purpose of this schedule is to establish minimum requirements for performing vulnerability scans on server infrastructure.

 

SCHEDULE X - WEB APPLICATION SECURITY ASSESSMENT

PURPOSE: The purpose of this schedule is to define web application security assessments within the University of Ottawa. Web application assessments are performed to identify potential or actual weaknesses occurring as a result of misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of the University of Ottawa’s available services, both internally and externally, and comply with the relevant policies or schedules in place.

 

SCHEDULE Y - WIRELESS COMMUNICATION

PURPOSE: The purpose of this schedule is to outline wireless network security requirements at the University of Ottawa. These requirements are mandatory and all wireless connectivity and deployments must comply with them.

 

SCHEDULE Z - WORKSTATION SECURITY

PURPOSE: The purpose of this schedule is to provide guidance for securing workstations in order to ensure the security of information stored on the workstation and information to which the workstation may have access.
