Use and Security of Information Technology Assets

Approved by Administration Committee 2288.3, revised by Administration Committee on November 18, 2020, resolution 2437.2.

1. CONTEXT

As part of its educational mission, the University of Ottawa acquires, develops, and maintains various information technology (IT) assets. These assets are intended for University-related purposes, including, but not limited to, direct and indirect support of the University’s academic, research and service missions; University administrative functions; student and campus life activities; and the free exchange of ideas within the University community and the wider local, national, and world communities.

The University recognizes the importance of information security and protecting its IT assets. The University is therefore committed to preserving the security and integrity of its IT assets and using reasonable, appropriate, practical and effective security measures to protect against unauthorized use, modification, disclosure, and destruction of its IT assets.

The University of Ottawa is equally committed to preserving an environment that encourages academic and research freedom through the responsible use of IT assets.

2. PURPOSE

The purpose of this Policy is to ensure the security and integrity of University IT assets. This Policy also promotes the efficient, ethical, and lawful use of University IT assets. It serves as the overarching policy that governs the interpretation and application of all other information technology use and security policies enumerated in section 3.2 below and any related standards or procedures.

3. INTERPRETATION

3.1 For the purposes of this Policy and any standard or procedure established pursuant to this Policy:

“employee” means any (regular or contract position) unionized or non-unionized academic, administrative or support personnel (including those whose salary is paid through sources other than the University’s operating funds, such as grants, research grants and external contracts);

“student” means any individual registered at the University at the undergraduate, graduate or postdoctoral level, including any medical resident, fellow or special student, whether enrolled full-time or part-time;

“IT asset” or “IT assets” encompasses all and collectively refers to University IT resources and electronic information stored on, within or passing through a University IT resource;

“IT resource” or “IT resources” includes (but is not limited to) the following that are owned by and/or operated or managed by the University, or that are licensed to the University or operated by an external organization on behalf of the University: software, systems, networks, computers, any other computing resource or hardware, servers (physical or virtual), data storage or network devices, email servers, print and fax servers, telephone systems, magnetic or network media, and any other communication device;

“IT service” or “IT services” includes (but is not limited to) infrastructure, applications, enterprise architecture, information security and end user support services that scale across the University;

“University community” encompasses all employees, holders of academic appointments, students, contractors, visitors, and volunteers, whether of or at the University or its federated institutions (e.g. Saint Paul University).

3.2 This Policy and any standard or procedure established pursuant to it shall be read in conjunction with:

  • Policy 117 - Information Classification and Handling
  • Policy 118 - Electronic Mail (Email)
  • Policy 37 - University-Owned Personal Computers (PCs)
  • Policy 45 - University-Wireless Communications.

3.3 The CIO shall be responsible for interpretation of this Policy and any standard or procedure established pursuant to it.

4. SCOPE AND APPLICATION

The provisions of this Policy and of standards and procedures established pursuant to it extend to all University IT assets. The requirements of this Policy and of standards and procedures established pursuant to it apply to:

a) all University employees, students, contractors, visitors, volunteers, and members of its Board of Governors; and

b) external organizations and their respective employees, contractors, and representatives who use or are granted access to the University’s IT assets or its IT resources.

5. RESPONSIBILITIES

5.1 The University’s Chief Information Officer (CIO) oversees the University’s IT resources and services that enable both academic and administrative functions, and that support faculty, staff, and students. In this capacity, the CIO develops and implements policies, standards and procedures in consultation with relevant services to assist the University community in complying with this Policy.

Without limiting the generality of the foregoing, the CIO shall be responsible for:

  • establishing procedures for the implementation of this Policy;
  • recommending, to the Vice-President Resources, IT asset use and security standards and amendments thereto for implementation pursuant to this Policy;
  • publishing, maintaining and ensuring awareness of this Policy and related policies, standards, and procedures;
  • providing custodianship of IT assets;
  • providing oversight of IT asset use and security throughout the University; and
  • educating the University community about IT asset use and security responsibilities.

The CIO may delegate, but shall remain accountable for, his or her responsibilities as specified in this Policy or any standards or procedures established pursuant to it.

5.2 All persons to which reference is made in section 4 of this Policy shall adhere to this Policy and comply with all standards and procedures established pursuant to it.

6. PROCEDURES AND IT ASSET USE AND SECURITY STANDARDS

All persons to which reference is made in section 4 of this Policy shall comply with Procedures and IT asset use and security standards established pursuant to this Policy. Procedures and IT asset use and security standards are listed in https://uozone2.uottawa.ca/standard/schedule/all.

7. COMPLIANCE

7.1 The CIO shall be promptly informed of any failure to comply with the requirements of this Policy or any standards or procedures established pursuant to it. The CIO shall inform the Administration Committee annually of significant non-compliance matters.

7.2 The University will take appropriate preventative and corrective action where violation (or threat of violation) of this Policy or any standard or procedure established pursuant to it occurs and will, where warranted, hold individuals responsible in accordance with applicable collective agreement provisions, terms of employment or other University policies, regulations or applicable laws.

8. EXCEPTIONS

8.1 No exception shall be made to this Policy or any standard or procedure established pursuant to it without the prior written permission of the CIO. Exceptions will not generally be made unless justified on compelling grounds among or akin to the following:

a) a user or organizational unit is non-compliant and it is impossible to remedy such non-compliance immediately;

b) compliance is not possible in the context of a system being phased out, requiring the user or organizational unit to manage the risk on an interim basis;

c) an alternative compliance method is available that offers equivalent or superior security;

d) access to objectionable or offensive material is required for academic or research purposes approved by the Research Ethics Board or the relevant dean, subject to sufficient and appropriate safeguards to contain the material to pre-defined IT assets.

8.2 Exceptions pursuant to section 8.1 shall be sought, considered and, where appropriate, granted in accordance with the procedure to request a security policies and standards exception, established by the CIO pursuant to this Policy.

8.3 The CIO shall inform the Administration Committee annually of significant exceptions granted to this Policy or standards or procedures established pursuant to it.

9. REVIEW AND AMENDMENTS

9.1 This Policy and the standards and procedures established pursuant to it shall be reviewed by the CIO on a regular basis, as deemed appropriate based on changes in technology or regulatory requirements.

9.2 Amendments to this Policy shall require the approval of the Administration Committee upon recommendation of the Vice-President, Finance and Administration.

9.3 Amendments to the Procedures and IT asset use and security standards established pursuant to this Policy require the approval of the CIO.