IT2 – Security of Information Technology Resources
Originator: Information Technology Governance Committee
Approver: President’s Council
Effective: April 8, 2008
“As an applied learning institution, Red River College Polytechnic is reliant on technology to support its mission of education and to support corporate systems and maintain communications.” To that end, it is the College vision “to be recognized as a leader through the innovative use of technologies.”1
The absolute security of electronic information resources is unrealistic. Red River College Polytechnic aims to reduce its risk of an electronic security breach while balancing factors such as information quality and access, possible impacts and the cost of preventative measures and controls designed to detect irregularities.
The College will not allow its “assets to be unprotected, inadequately maintained nor unnecessarily risked” and will within available resources “protect intellectual property and information from loss or significant damage.”2
Red River College Polytechnic is committed to providing a secure yet open technological environment that protects the integrity and confidentiality of information while maintaining its accessibility. To that end, the College will protect the integrity, security and privacy of data to meet legal and operational requirements.
Each member of the campus community is responsible for the security and protection of the electronic information resources over which they have control.
Data is College information which is processed, stored, maintained, or transmitted on computing systems and networks.
Data Owner is the entity or office that is authorized to collect and manage the Data as an official corporate record.
Users are students, staff and external clients with whom the College maintains a business relationship who are provided access to information technology resources and Data. They may also include the general public in public access locations.
Information Technology Solutions (IT Solutions) will take action to identify and set up technical and procedural mechanisms to provide a secure IT environment.
IT Solutions Information Protection and Compliance (IPC) has the authority to audit computing resources to ensure confidentiality, integrity and availability. IPC will advise the Data Owner of how to effect changes required to mitigate risk, vulnerability or threat that could compromise Data security.
Establishing Security Levels
Data Owners are responsible and liable for the protection of their Data. Security levels can be established based on the following criteria:
a. how confidential or sensitive the Data is
b. how important the Data is to the continuing operation of individual departments or the College as a whole in the event of a system failure
Data Owners will decide who requires appropriate access to specific applications and information, ensuring the minimum access possible to meet the needs of the User.
Data Owners are obligated to report security vulnerabilities and breaches to IPC for investigation.
Privacy and Confidentiality
Any application software used by the College must protect the privacy and confidentiality of the various types of electronic data it processes.
Users must ensure that Data is protected wherever and however it is accessed.
Technical staff assigned to ensure the proper functioning and security of electronic information resources are not permitted to search the contents of electronic communications, related transactional information or stored data except as related to the task they are performing.
It is acknowledged that employees may be exposed to private or confidential information in the course of their employment with the College. Private information is protected by legislation and illegitimate disclosure is illegal. Private or confidential information will be used only for the purpose of performing an employee’s job or assignment.
IT Governance Committee has the responsibility to ensure a common strategic direction in the use of enterprise-wide information technology. The Committee’s responsibility includes the development of corporate information technology security policy.
IT Solutions has the responsibility to ensure information technology resources are secure. IT Solutions will monitor that Users are complying with the authorization they have been given. They will ensure that equipment is issued with the most recently available and appropriate security measures. IT Solutions will define the physical requirements to secure IT resources and network assets. IT Solutions will provide these requirements to Security Services, who will ensure they are implemented.
IT Solutions Information Protection and Compliance (IPC) has the responsibility to take immediate action to mitigate any threats that have the potential to pose a serious risk to information systems resources. If a threat is deemed serious enough, the device(s) or individuals posing the threat will be blocked from network access. Finally, IPC is obligated to report incidents they deem to be significant to Data Owners.
Security Services has the responsibility to monitor systems which protect physical access to all College computer and network assets. Security Services will work with IT Solutions as a resource in the investigation of security breaches and apprehension of offenders.
Data Owners have the responsibility to manage access to electronic information resources under their control. They must ensure that individuals have the least amount of privilege required to fulfill their duties. Upon request, Data Owners must be able to identify to IPC the specific individuals who are allowed access to their Data. Data Owners also have the responsibility to designate an individual as a point of contact for corporate data security.
Approved In-House College Service Providers are College employees who design, manage and operate campus electronic information resources. Providers have the responsibility to become knowledgeable regarding relevant security requirements and guidelines. They have the responsibility to implement security measures.
College employees who enter into contracts with Off-Campus Service Providers must ensure that these Providers are able to comply with College security requirements.
Users have the responsibility to protect the resources under their control such as access passwords, computers and data. Users must not change the configuration of their workstation in any way that would compromise the integrity of the workstation or the security of the network.
Users will, on occasion, receive educational material, information or instructions from IT Solutions. Users are responsible for reading this information and acting on instructions meant to ensure the security of their workstations, laptops or other devices.
All Users must ensure that any devices under their care do not compromise the integrity of the College network.
Users are required to ensure the physical security of their computer by logging out when leaving their workstation for an extended period of time and at the end of the day (unless otherwise instructed by IT Solutions). On occasions when this is impractical or interferes with processes that are continuing, display screens should be locked and password protected.
Persons who violate this Policy may be subject to disciplinary action up to and including dismissal or expulsion as outlined in College Policy and Collective Agreements. Jeopardizing IT resource security may result in the immediate loss of account privileges and access to information technology resources. Additionally, depending on circumstances, they may face civil action and/or criminal prosecution. Disciplinary action may be appealed under appropriate Policy, the MGEU Collective Agreement or the Terms and Conditions of Excluded Staff.
Related Policies and Documents
IT Strategic Plan Executive Summary, Deloitte Inc. March 2006
2.12 Asset Management – Board of Governors Policy Manual
A10 – Intellectual Property and Copyright
G4 – Exit Process
IT1 – Acceptable Use of Computer Facilities
S1 – Student Code of Rights and Responsibilities
S2 – Student Discipline
S3 – Student Appeal – Non Academic Decisions
MGEU Collective Agreement
Terms and Conditions of Excluded Staff
1 IT Strategic Plan Executive Summary
2 Red River College Polytechnic Board of Governors Policy Manual