Information Technology Security

Responsibility: Associate Vice-President, Information and Communications Technology 
Authorization: Board of Governors
Approval Date: Dec 13, 2016

The University of Saskatchewan (U of S) is responsible for ensuring the availability, confidentiality, and integrity of all information to which it is entrusted. The university relies on a vast amount of information to operate on a daily basis. This information ranges from vital research data to personal data about students, faculty, staff, donors and alumni. Maintaining an information technology (IT) environment that protects this information is critical to the operation of the university.

The need to balance the openness of university culture with appropriate security controls complicates the overall IT environment. The university has made substantial investments in secure facilities (data centers), high-quality secure and reliable IT infrastructure, processes and tools, and in professional staff in order to address increasing IT security risks.

This policy provides the necessary framework to reduce and manage the university’s IT-based risk while providing flexibility to support the broad range of academic, research and administrative activities. It promotes the use of central IT infrastructure thereby leveraging the institutional investments made to secure the university’s IT environment.

This policy is guided by the principles and values outlined in the U of S mission, vision and values statement. It was also developed in the context of the following IT asset management principles:

• The university’s IT services and IT infrastructure are critical to the university’s academic, research and administrative activities.
• University data needs to be managed as an asset. In order to reduce the damaging impact of data loss on business continuity, academic activities and research programs, university data must be appropriately safeguarded.
• The requirement to safeguard IT services and IT infrastructure must be balanced with the need to support the pursuit of legitimate academic objectives.
• The university uses a risk-based approach, and follows best practices in IT security, to select appropriate security controls to minimize risk to an acceptable level, and to design security and privacy into our IT services and IT infrastructure.
• The university leverages investments in central IT services and infrastructure, gaining both security and financial benefits.
• The university’s enterprise architecture principles are foundational to the IT security policy and for making IT services and IT infrastructure decisions.
• Protecting the university’s IT services and IT infrastructure is a responsibility shared by all members of the university community.

• University owned – Assets purchased by university funds including research grants administered by the university or acquired by the university through some contractual agreement.
  
  
• University community – All students, employees, faculty, postdoctoral fellows, alumni, agents, contractors, authorized guests, persons or organizations acting for or on behalf of the university.
  
  
• Controls – Procedures, processes, practices, or standards put in place to minimize risk.
  
  
• Secure facilities – University of Saskatchewan data centres or secure hosted facilities, managed by Information and Communications Technology (ICT) or contracted, located at the main university campus, at other university locations or at vendor locations.
  
  
• IT services –Technology-based services managed or hosted by a university community member, the university or vendors/contractors.
  
  
• IT infrastructure – IT assets including, but not limited to, servers, databases, data, software, end-point devices, the university network, Internet connections, central authentication, the telephone system, and data centres, whether provided directly by ICT or contracted.
  
  
• Server – A computer or software/program that provides access/services to other computers/programs.
  
  
• End-point devices – Network-capable devices such as desktops, laptops, tablets, phones, printers, multimedia equipment, etc.
  
  
• Centrally managed – The management of university-owned devices by ICT to ensure they have security policies applied, use university credentials, are patched current, are in a secure configuration, and have known vulnerabilities mitigated.
  
  
• Hardening standards – Industry defined best practices for securing systems to reduce the likelihood of a security incident.
  
  
• Network segmentation - Splitting the network into logically isolated zones to limit the exposure of the entire network in the case of the compromise of a single system.
  
  
• IT outsourcing - The use of external service providers to deliver IT-enabled business process, application service and infrastructure solutions. Outsourcing can include, but is not limited to, utility services, software as a service and cloud-enabled outsourcing.

This policy is applicable to all university community members and all University of Saskatchewan academic and administrative units, ancillary units, and any affiliated organizations (collectively referred to as “units”) that make use of the university’s IT services and IT infrastructure.

It covers all university IT services and IT infrastructure regardless of where it is located or from where it is being accessed (on campus or off campus) or stored.

The policy has been developed in the context of, and is designed to complement,

• Existing university policies and regulations, particularly those governing use of university property and services; data management, data access and data use; privacy; risk management; responsible conduct of research; disciplinary procedures; copyright and intellectual property
• Collective agreements
• Guidelines for Academic Conduct

All units and members of the university community must access and use university IT services and IT infrastructure in ways that reduce and mitigate IT security risks.

a. The primary means of reducing and mitigating IT security risks at the university is for:

1. All IT services, where practicable, to be administered by ICT staff and hosted in secure facilities (e.g., university data centres or vendor-hosted facilities).
   
   
2. All university-owned IT end-point devices, where practicable, must use services offered by ICT to ensure compliance with the published U of S IT security procedures.

b. To the extent that the primary means of reducing and mitigating IT security risks is not practicable, the secondary means is for the unit or individual to work with ICT to implement alternative mitigation strategies to ensure that the overall risk to the university is being maintained at an acceptable level. The process by which this will be accomplished is identified in the IT Risk Management procedure. An example of a potential mitigation strategy would be to identify network segmentation strategies for student or research labs that cannot be compliant with the security procedures due to their academic or research objectives.

Information and Communications Technology:

Information and Communications Technology (ICT) is responsible for maintaining the security of the university’s IT infrastructure.

ICT must continue to implement security measures that mitigate IT security risks. This includes, but is not limited to, continually improving end-user IT security awareness; maintaining physical security of IT assets, implementing appropriate network segmentation; developing comprehensive device and hardening standards for the university; and ensuring that all university-owned devices are patched current, are in a secure configuration, and have known vulnerabilities mitigated.

Units:

Academic, administrative and ancillary units are responsible for ensuring they access and use university IT services and IT infrastructure in a manner that minimizes risk to the university. The best way to minimize risk to university data/information is to use the centrally-managed IT infrastructure (including data centres and end-point devices) for all university activities to the greatest extent practicable. When not practicable, they must follow the IT Risk Management procedure.

University Community Members:

Individual members are responsible for ensuring they access and use IT services and IT infrastructure in a manner that minimizes risk to the university. They must understand that IT security is a shared responsibility across the university community and they must abide by the IT security procedures and practices.

If there is reason to suspect that laws or university policies have been, or are being violated, or that continued access poses a threat to the university’s IT infrastructure, university community members or the reputation of the university, access to the university’s IT infrastructure may be restricted or withdrawn.

Following due process, the university may take action against anyone whose activities are in violation of the law or of this policy. The actions taken may include, but are not limited to:

• Revocation of access to the university’s IT services or IT infrastructure or parts of it.
• Disciplinary action for students under either Council Regulations on Academic Dishonesty or Senate Non-Academic Disciplinary regulations.
• Disciplinary action for employees.

• IT Security Incident Response Procedure
• End-point Security Management Procedure
• IT Risk Management Procedure (under review)
• IT Service Acquisition and Outsourcing Procedure (under review)

• Information Technology Use
• Data Management, Data Access and Data Use
• Enterprise Architecture Principles

This policy replaces Network Security, approved June 22, 2007.