Final Approval Body: Senior Leadership Team
Senior Administrative Position with Responsibility for Policy: Vice-Principal, Finance and Administration
Date Initially Approved: February, 2024
Definitions
A complete glossary of technology and cybersecurity related terms and acronyms will be maintained in the Digital Information Security Glossary of Terms and will be made available to all Community Members and Guests.
Purpose
The purpose of the Queen’s University Digital Information Security Policy (the “Information Security Policy”) is to establish accountability for the treatment of Management of Information and Information Security Risk (“information security risk”), and risk management activities that support university cybersecurity objectives.
Scope
The Information Security Policy is applicable to Risk Owners, Risk Assessors, and Digital Service Managers in all administrative departments, faculties, and research units as they assess and treat risks related to the lifecycle of institutional functions that are provided, or intended to be provided, using digital assets operated by, or on behalf of, the University. Digital assets include:
- Digitized services, functions, workflows, processes, and procedures, operated by, or on behalf of the University (“digital services”),
- Data and information in the custody and/or control of the University (“data”),
- Digital identities, the associated credentials and accounts, and the contents thereof that have been created and issued by the University for the purpose of using digital services (“digital identities”),
- Digital technologies, including infrastructure, hardware, software, and licenses, operated by, or on behalf of the University (“digital technologies”),
- Client access devices, including laptops, desktops, and mobile devices, that are provided by or purchased using University funds (“endpoints”).
Roles and Responsibilities
Board of Trustees
The Board of Trustees provides oversight of the Cybersecurity Program and the performance of cybersecurity objectives defined by the QCSF through the Finance, Assets, and Strategic Infrastructure Committee.
Senior Leadership Team
The Senior Leadership Team (“SLT”) includes the Principal and Vice-Principals and are the approval authority for Information Security and Cybersecurity related policies.
Associate Vice-Principal (Information Technology Services) and Chief Information Officer
The Associate Vice-Principal (Information Technology Services) and Chief Information Officer (“CIO”) is accountable to the Board of Trustees and SLT for the management of the Cybersecurity Program, and activities relating to achieving the Strategic Cybersecurity Goals and Objectives.
Risk Owners
Risk Owners are Senior Leaders, Associate Vice-Principals, Vice-Provosts, Deans, Principal Investigators, Faculty members, or other leaders within faculties and departments that are accountable to the University for information security risk within their area of responsibility.
- Service Risk Owners are accountable for information security risk related to digital services that operate within, or on behalf of their area of responsibility.
- Technology Risk Owners are accountable for information security risk related to the digital technologies upon which digital services operate within, or on behalf of their area of responsibility.
- Data Risk Owners are accountable for information security risk related to data for which stewardship falls within their area of responsibility.
- Identity Risk Owner are accountable for information security risk related to the use of digital identities and their associated credentials to access digital assets.
Risk Assessor
Risk Assessors are leaders within departments, teams, and research units with decision making authority over operations within their area of responsibility and are accountable to Risk Owners for assessing and treating information security risk related to services operating within, on behalf of their area of responsibility. This may include, without limitation:
- Operation of services within, or on behalf of their area of responsibility,
- Data that are created, processed, stored, or otherwise handled by the services operating within, on behalf of their area of responsibility,
- Community members, guests, and other stakeholders that rely on the institutional services operating within, on behalf of their area of responsibility.
Digital Service Managers
Digital Service Managers are leaders within information technology delivery departments and teams that are accountable to Risk Owners for assessing and treating information security risk related to digital assets operating within, on behalf of their area of responsibility. This may include, without limitation:
- Acquisition, development, implementation, configuration, maintenance, and operation of digital assets operating within, or on behalf of their area of responsibility,
- Data that are created, processed, stored, or otherwise handled by the digital assets operating within, or on behalf of their area of responsibility,
- The use of digital identities and associated credentials to access digital assets operating within, or on behalf of their area of responsibility.
Digital Custodians
Digital Custodians are authorized community members with responsibility for operating and protecting digital assets within, on behalf of their area of responsibility. This may include, without limitation:
- Protecting data in their custody and/or control,
- Administering, configuring, or managing access to digital services,
- Developing, implementing, maintaining, and operating digital technologies upon which services operate,
- The safeguards that protect the confidentiality, integrity, and availability of digital assets.
External partners or third-party service providers may be digital custodians where elements of digital technologies are managed externally.
Management of Information and Information Security Risk
The University shall appropriately treat the risk of unauthorized disclosure, modification, or destruction of data and information in its care and control, and reduced availability of digital assets provided by, or on behalf of the University, caused by improperly configured, improperly managed, or the absence of appropriate safeguards resulting in financial, legal, regulatory, or reputational consequences that impact the ability of the University to deliver on teaching and learning, research, administrative, and community engagement objectives.
Risk Assessment
Information security risk shall be assessed, and periodically reassessed, for digital assets acquired, developed, implemented, configured, maintained, or operated by, or on behalf of, the University in accordance with risk assessment process and procedures.
- Risk Assessors are accountable to Risk Owners for assessing information security risk for digital assets acquired, developed, implemented, configured, maintained, or operated by, or on behalf of, their area of responsibility in accordance with risk assessment process and procedures.
The University shall develop a standard risk assessment process and procedures for assessing information security risk.
- The CIO is authorized to develop a standard risk assessment process and procedures for assessing information security risk on behalf of the University and is accountable to the SLT for the sustainment thereof.
The standard risk assessment process and procedures shall be subject to review by Internal Audit at regular intervals, to ensure the efficacy of the process.
Risk Treatment
The University shall develop Enterprise Standards that define minimum requirements for standard mitigating safeguards to be implemented, maintained, and monitored in the protection of digital assets operated by, or on behalf of, the University.
- The CIO is authorized to develop Standards on behalf of the University and is accountable to the SLT for the sustainment thereof.
Enterprise Standards shall be subject to review by Internal Audit at regular intervals, to ensure their efficacy.
Information security risk shall be treated appropriately within established risk tolerance.
- Risk Assessors are accountable to Risk Owners for the treatment of information security risk to within established risk tolerance for digital assets within, or on behalf of their area of responsibility throughout their lifecycle.
Safeguards shall be selected, implemented, operated, and maintained in compliance with Enterprise Standards for digital assets operated by, or on behalf of, the University throughout their lifecycle. Exceptions to standard safeguards may be permitted in conditions where standard risk treatments are not technically feasible, will render the operating environment non-functional, or are not achievable due to financial or resource constraints. Compensating safeguards may be recommended to treat risk appropriately within established risk tolerance.
- Digital Service Managers are accountable to Risk Owners for the selection, implementation, operation, maintenance, and monitoring of Standard and compensating safeguards for digital assets within, or on behalf of their area of responsibility throughout their lifecycle.
Residual information security risk related to digital assets operated by, or on behalf of, the University shall be within established risk tolerance, and shall be accepted before a digital asset is authorized to operate.
- Risk Owners are authorized to accept information security risk on behalf of the University for digital assets that operate within, or on behalf of their area of responsibility, and are accountable to SLT for assuring that residual risk is within established risk tolerance.
Monitoring, Maintenance, and Assurance
Digital assets operated by, or on behalf of, the University, and the safeguards implemented in the protection thereof, shall be maintained throughout their lifecycle to provide assurance of continuous appropriate treatment of information security risk treatment.
- Digital Service Managers are accountable to the Risk Owners for maintaining digital assets operating within, or on behalf of their area of responsibility throughout their lifecycle.
Digital assets operated by, or on behalf of, the University, and the safeguards implemented in the protection thereof, shall be monitored throughout their lifecycle to detect software, code, and/or configuration weaknesses (“vulnerabilities”).
- Digital Service Managers are accountable to the Risk Owners for monitoring of digital assets operating within, or on behalf of their area of responsibility throughout their lifecycle.
Vulnerabilities detected in digital assets operated by, or on behalf of, the University, or the safeguards implemented in the protection thereof, shall be remediated within a reasonable timeframe.
- Digital Service Managers are accountable to the Risk Owners for the remediation of vulnerabilities and weaknesses detected by assessments performed by the University.
The University shall develop standard monitoring and maintenance process(es) and procedures for assuring the continuous appropriate treatment of information security risk for digital assets operated by, or on behalf of, the University throughout their lifecycle and the safeguards implemented thereon.
- The CIO is authorized to develop standard monitoring and maintenance process(es) and procedures and is accountable to the SLT for the sustainment thereof.
Standard monitoring and maintenance process(es) and procedures shall be subject to review by Internal Audit at regular intervals, to ensure the efficacy of the process.
Assurance
The University shall monitor digital assets operated by, or on its behalf, throughout their lifecycle, and the safeguards implemented in the protection thereof, and for the purpose of assuring appropriate treatment of information security risk.
The University shall investigate situations wherein it is suspected that information security risk has not been treated appropriately (“cybersecurity incidents”).
- The CIO is authorized to investigate cybersecurity incidents and is accountable to the SLT for same.
The University shall respond to incidents by implementing containment measures to mitigate impact to the confidentiality, integrity, or availability of the digital asset(s) on which the incident(s) has or have been detected, and/or to prevent or mitigate impact to other digital assets and devices on the university network, or otherwise provided by the University.
Containment measures may include, without limitation:
- Prevent information exchange from university sources,
- Prevent integration with university systems,
- Prevent communications to and from digital asset(s),
- Disable or remove power from digital asset(s).
Containment measures shall remain in effect until vulnerabilities and weaknesses have been remediated, or compensating safeguards have been implemented, and there is assurance of appropriate treatment of information security risk.
Repeated or ongoing failure to appropriately treat information security risk within a reasonable timeframe may be referred to appropriate authority for disciplinary action.
Framework References
Framework: ľĹĐăÖ±˛Ą CSF
Section: 1.1, 1.2, 1.3, 1.4, 2.2, 2.4, 4.1, 5.4, 5.5, 6.1, 6.2, 6.3, 7.3
Related Policies, Procedures, Guidelines: Responsible Use of Digital Resources Policy, Records Management Policy, Access to Information and Protection of Privacy Policy
Policies Superseded by this Policy: Electronic Information Security Policy, Electronic Information Security Policy Framework
Responsible Officer: Associate Vice-Principal (Information Technology Services) and Chief Information Officer
Contact: Information Security Officer iso@queensu.ca
Date for next review: 2029