Information Protection Policy
- Owner: Chief Information Security Officer (CISO)
- Approver: Vice-President, Administration and Operations
- Approval Dates: November 1999, January 2002, May 2009, September 2010
To develop within the University community an appreciation for the value, and often vulnerable nature of the information asset and to reduce the risk of misuse, destruction or loss of information without restricting academic freedom or complicating access to information for which the University community has a legitimate and specific need.
Application and Scope
This policy extends to the whole of the University community. It directs that the information asset be used in a manner that maintains an appropriate level of confidentiality and that provides sufficient assurance of its integrity in compliance with existing laws and obligations. While the elimination of all risk is impossible, the goal of the policy is to minimize the possibility of information misuse, corruption, and loss through the adoption of reasonable procedures for the University community to follow. While this policy is especially pertinent to information stored electronically, it is also intended to guide users of all information, including that which is stored in other formats, such as paper, microfilm, and video, as well as the content of confidential meetings and conversations.
1. Public Information: The vast majority of information at the University is of a public nature, for example: telephone directories, calendars, schedules, library books in general circulation, most conversations and meetings, and information bulletins. Access to public information is limited by such restrictions as circulation policies, copyright restrictions, license and contractual agreements, University policies and procedures for use.
2. Restricted Information: As of June 10, 2006 the University became subject to the Freedom of Information and Privacy Protection Act (FIPPA) that governs the legal requirements concerning the use, disclosure, and retention of personal information, as well the obligation to provide access to University records with limited protection for certain kinds of restricted information (please refer to the Ryerson WEB page “privacy” tab for the “Information Protection and Access Policy for Restricted Information (IPAP-RI)). Information of a restricted or legally constrained nature, such as that protected by federal and provincial laws on rights and privacy, should only be accessed by those authorized members of the University community with a specific and legitimate need. Legitimate access does not include the freedom to search for information beyond that specifically required to perform a job-related task or authorized research.
1. Each member of the University community is accountable for appropriate use of the information asset as it pertains to his/her work assignment, the terms of this policy, and the procedures established for this purpose in the member’s work area.
2. Appropriate use is defined as wise and prudent use of information so that resources are not wasted, damaged, or corrupted. Inappropriate use includes erasing, taking or modifying information without proper authorization, defacing or removing pages from books, using information to embarrass, intimidate or harass, or attempting to subvert the flow of information, such as purposefully attempting to crash or slow down computer systems, modifying or removing posted information without authority, and other such actions.
3. Authorized research is defined as respecting the defined boundaries of permitted research areas.
1. Department: Each user department responsible for University information shall maximize the likelihood information is being used properly and appropriately by:
a. identifying the information it maintains;
b. determining whether it is of a restricted nature and/or highly risk sensitive;
c. developing, implementing, and maintaining reasonable and clear procedures that:
· establish access rules;
· identify change control requirements and responsibilities;
· identify confidentiality requirements;
· promote “good housekeeping” practices such as locking away confidential files when not in use, destroying confidential information when discarded, and not sharing passwords to computer accounts with anyone other than their supervisor and/or the department information security officer;
· establish appropriate password, data integrity, storage, backup, and recovery practices where local department computer applications exist;
d. having employees sign an acknowledgement that they are aware of this policy and the related departmental procedures, and that they are expected to act appropriately in maintaining the confidentiality and integrity of the information to which they have access.
2. Application Owner: Beyond “user department” responsibilities, some departments are also “owners” of computer applications. Examples of these applications include Financial Systems, Human Resources/Payroll Systems, Student Information Systems, Alumni Systems, and various academic systems.
The ownership of these systems includes the additional responsibilities of:
a. establishing application access rules for the broader University community;
b. developing, implementing, and maintaining reasonable and clear procedures for granting application access to the broader University community;
c. designating an application security officer within the “owner” department responsible for setting up and maintaining authorized user security access profiles on these systems;
d. maintaining the skill sets necessary to support these practices.
3. Technical: Beyond “user” and “ownership” responsibilities, some departments have the responsibilities for the traffic (network) processing (computer programs) and storage of data on behalf of the University community.
These departments have the added responsibilities of:
a. establishing the technical infrastructure access rules for the University community (access to networks and computers);
b. establishing change control rules for processing and storage technology (computer programs and data bases);
c. establishing storage, backup, and recovery rules for computer programs and databases;
d. developing, implementing, and maintaining reasonable and clear procedures for granting access to the technical infrastructure, storage, backup, data integrity, and recovery practices;
e. designating a data security officer within the “technical” department responsible for setting up and maintaining authorized user security access profiles for the technical infrastructure;
f. maintaining the skill sets necessary to support these practices.
4. Information Systems Security Officer (ISSO): The prime responsibility of the ISSO is protecting the integrity of the information asset across the University community. The ISSO will accomplish this by:
a. assisting all departments throughout the University to develop sound and consistent information system practices and procedures;
b. working with the application and data security officers to develop;
· the required security interfaces between application systems and the technical infrastructures;
· change control rules for application programs and database updates;
· data storage, backup, data integrity, and recovery requirements
c. researching the latest technological advances in information security software and practices, and recommending appropriate changes and improvements to the University information systems environment;
d. monitoring the University information systems environment, and apprising management and Internal Audit of suspected breaches of security, procedures and/or policy.
5. Audit: The Internal Audit department will include, in their departmental audit activities, compliance with this policy and the associated departmental procedures.
University Community: All University faculty and staff, students, contractors, and members of affiliated organizations of the University.
The Information Asset: Data, in all its forms, collected, maintained, accessed, modified, or synthesized by and for members of the University community. The various forms of data include, but are not limited to, computer files, paper files, books, microfilm and fiche, video, recorded conversations and oral presentations, and pictures or images.
Public Information: Information to which the University community has unrestricted access and for which there are no requirements of confidentiality.
Restricted Information: Information which is sensitive and confidential in nature, and requires access only by that part of the University with the specific need to do so. Restricted University information includes, for example, individual student schedules, grades, bills, financial aid applications, donor information, health records and most personnel files, whether the information is in paper, micrographics or conversational form and all information assets that fall under the FIPPA legislation.
This policy shall be under the jurisdiction of the Vice President, Administration and Finance. The application and interpretation of this policy is the point responsibility of the Information Systems Security Officer (ISSO).