Approved Administration Committee 2288.3, revised by Administration Committee on November 8, 2017, resolution 2335.2.
POLICY # 116 USE AND SECURITY OF INFORMATION TECHNOLOGY ASSETS
As part of its educational mission, the University of Ottawa acquires, develops, and maintains various information technology (IT) assets. These assets are intended for University-related purposes, including, but not limited to, direct and indirect support of the University’s academic, research and service missions; University administrative functions; student and campus life activities; and the free exchange of ideas within the University community and the wider local, national, and world communities.
The University recognizes the importance of information security and protecting its IT assets. The University is therefore committed to preserving the security and integrity of its IT assets and using reasonable, appropriate, practical and effective security measures to protect against unauthorized use, modification, disclosure, and destruction of its IT assets.
The University of Ottawa is equally committed to preserving an environment that encourages academic and research freedom through the responsible use of IT assets.
The purpose of this Policy is to ensure the security and integrity of University IT assets. This Policy also promotes the efficient, ethical, and lawful use of University IT assets. It serves as the overarching policy that governs the interpretation and application of all other information technology use and security policies enumerated in section 3.2 below and any related standards or procedures.
3.1 For the purposes of this Policy and any standard or procedure established pursuant to this Policy:
“employee” means any (regular or contract position) unionized or non-unionized academic, administrative or support personnel (including those whose salary is paid through sources other than the University’s operating funds, such as grants, research grants and external contracts);
“student” means any individual registered at the University at the undergraduate, graduate or postdoctoral level, including any medical resident, fellow or special student, whether enrolled full-time or part-time;
“IT asset” or “IT assets” encompasses all and collectively refers to University IT resources and electronic information stored on, within or passing through a University IT resource;
“IT resource” or “IT resources” includes (but is not limited to) the following that are owned by and/or operated or managed by the University, or that are licensed to the University or operated by an external organization on behalf of the University: software, systems, networks, computers, any other computing resource or hardware, servers (physical or virtual), data storage or network devices, email servers, print and fax servers, telephone systems, magnetic or network media, and any other communication device;
“IT service” or “IT services” includes (but is not limited to) infrastructure, applications, enterprise architecture, information security and end user support services that scale across the University;
“University community” encompasses all employees, holders of academic appointments, students, contractors, visitors, and volunteers, whether of or at the University or its federated institutions (e.g. Saint Paul University).
3.2 This Policy and any standard or procedure established pursuant to it shall be read in conjunction with:
- Policy 117 - Information Classification and Handling
- Policy 118 - Electronic Mail (Email)
- Policy 37 - University-Owned Personal Computers (PCs)
- Policy 45 - University-Wireless Communications
3.3 The CIO shall be responsible for interpretation of this Policy and any standard or procedure established pursuant to it.
4. SCOPE AND APPLICATION
The provisions of this Policy and of standards and procedures established pursuant to it extend to all University IT assets. The requirements of this Policy and of standards and procedures established pursuant to it apply to:
a) all University employees, students, contractors, visitors, volunteers, and members of its Board of Governors; and
b) external organizations and their respective employees, contractors, and representatives who use or are granted access to the University’s IT assets or its IT resources.
5.1 The University’s Chief Information Officer (CIO) oversees the University’s IT resources and services that enable both academic and administrative functions, and that support faculty, staff, and students. In this capacity, the CIO develops and implements policies, standards and procedures in consultation with relevant services to assist the University community in complying with this Policy.
Without limiting the generality of the foregoing, the CIO shall be responsible for:
- establishing procedures for the implementation of this Policy;
- recommending, to the Vice-President Resources, IT asset use and security standards and amendments thereto for implementation pursuant to this Policy;
- publishing, maintaining and ensuring awareness of this Policy and related policies, standards, and procedures;
- providing custodianship of IT assets;
- providing oversight of IT asset use and security throughout the University; and
- educating the University community about IT asset use and security responsibilities.
The CIO may delegate, but shall remain accountable for, his or her responsibilities as specified in this Policy or any standards or procedures established pursuant to it.
5.2 All persons to whom reference is made in section 4 of this Policy shall adhere to this Policy and comply with all standards and procedures established pursuant to it.
6. IT ASSET USE AND SECURITY STANDARDS
All persons to whom reference is made in section 4 of this Policy shall comply with the IT asset use and security standards established in the following schedules to this Policy:
a. Schedule A - IT Assets Acceptable Use: permitted and prohibited uses of University IT assets.
b. Schedule B - Network Monitoring: routine network traffic monitoring of University IT networks to detect and prevent cyber-attacks, known patterns of compromise of University IT assets, and improper release of confidential information, as well as troubleshooting and analysis of network-related problems.
c. Schedule C - Software Licensing and Usage: adherence to the terms of software license agreements entered into by the University.
d. Schedule D - Password Protection: rules and requirements for setting secure passwords and keeping them secure.
e. Schedule E - Access Control: rules and requirements for granting access and setting access controls to guard against loss, misuse, or theft of University IT assets.
f. Schedule F - Communications and Networking: conditions under which connectivity to and from the University’s networks is approved and managed.
g. Schedule G - Remote Access: the manner and methods by which the University’s network is accessed remotely.
h. Schedule H - Change Management and Control: processes to minimize the risk of technological change and its impact on production applications, systems and networks.
i. Schedule I - Virus Protection: rules and requirements for the installation, updating and maintenance of anti-virus software on University IT assets, and other means to guard against the threat of computer viruses on University IT assets.
j. Schedule J - IT Asset Disposal: provision of secure means of disposal of University IT assets.
k. Schedule K - Acceptable Encryption: permitted encryption standards, technologies and implementation requirements.
7.1 The CIO shall be promptly informed of any failure to comply with the requirements of this Policy or any standards or procedures established pursuant to it. The CIO shall inform the Administration Committee annually of significant non-compliance matters.
7.2 The University will take appropriate preventative and corrective action where violation (or threat of violation) of this Policy or any standard or procedure established pursuant to it occurs and will, where warranted, hold individuals responsible in accordance with applicable collective agreement provisions, terms of employment or other University policies, regulations or applicable laws.
8.1 No exception shall be made to this Policy or any standard or procedure established pursuant to it without the prior written permission of the CIO. Exceptions will not generally be made unless justified on compelling grounds among or akin to the following:
a) a user or organizational unit is non-compliant and it is impossible to remedy such non-compliance immediately;
b) compliance is not possible in the context of a system being phased out, requiring the user or organizational unit to manage the risk on an interim basis;
c) an alternative compliance method is available that offers equivalent or superior security;
d) access to objectionable or offensive material is required for academic or research purposes approved by the Research Ethics Board or the relevant dean, subject to sufficient and appropriate safeguards to contain the material to pre-defined IT assets.
8.2 Exceptions pursuant to section 8.1 shall be sought, considered and, where appropriate, granted in accordance with procedures established by the CIO pursuant to this Policy.
8.3 The CIO shall inform the Administration Committee annually of significant exceptions granted to this Policy or standards or procedures established pursuant to it.
9. REVIEW AND AMENDMENTS
9.1 This Policy and the standards and procedures established pursuant to it shall be reviewed by the CIO on a regular basis, as deemed appropriate based on changes in technology or regulatory requirements.
9.2 Except as provided in section 9.3, amendments to this Policy shall require the approval of the Administration Committee.
9.3 Amendments to the IT asset use and security standards established in the schedules to this Policy, and to the list and description of said schedules contained in section 6 of this Policy, shall require the approval of the Vice-President, Resources.
9.4 Amendments to procedures established pursuant to this Policy shall require the approval of the CIO.