Jan. 5, 2017
This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.
Approving Authority: President
Original Approval Date: February 5, 2016
Date of Most Recent Review/Revision: N/A
Office of Accountability: Office of the Chief Information Officer
Administrative Responsibility: Information and Communication Technologies
1.00 Information is a vital asset to the University as it relies heavily on information and information systems for the delivery of services and management of resources. As such, Laurier recognizes the importance of protecting the information in its custody from unauthorized access, modification, disclosure, or destruction. This policy outlines the roles and responsibilities for the security of University Information, however recorded, including governance, training and awareness, technical security systems, and monitoring of the Laurier information security program.
2.01 Information: includes any part or all of any record, document, or data that is created, stored and used by the University, however recorded, whether in printed, film, or electronic form.
2.02 Classes of Information:
Open Information: information that is readily available to any member of the University community or to the general public, either by request or by virtue of its being posted or published by the university through proper administrative procedures. This type of information has no legal restriction on access or usage. It may include personal information collected for the express purpose of public release with the knowledge and consent of the individuals the information is about.
Internal Information: information that is intended to be accessed only by internal and Authorized Users for University purposes. Internal Information is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, distribution, storage, or other use.
Restricted Information: confidential and controlled information that may only be accessed by limited internal and Authorized Users for University purposes. This type of information is strictly protected by provincial or federal statutes or regulations, University policy, or contractual agreement(s), and must be protected from unauthorized access, modification, distribution, storage, destruction, or use.
2.03 Authorized User: includes faculty, staff, student, volunteer, or other individual (for example contractor), who has been granted permission by their supervisor or unit to use, input, change, or access University Information.
2.04 Identity Management: the set of business processes and supporting infrastructure for the creation, maintenance, and use of digital identities. This includes a user’s unique identifier and credentials that enable access to Laurier’s computing systems.
2.05 Information Security Team: the Laurier ICT and administrative personnel responsible for the implementation and operation of the information security program at Laurier.
3.00 This policy applies to all faculty, staff, volunteers, students, and other authorized users of information at the University. Third party contractors (for example, software and cloud-based solution providers), also must comply with this, as well as other, applicable University policies.
3.01 This policy applies to all University Information.
4.01 All Internal and Restricted Information must be protected and used only for authorized purposes.
I. Throughout its lifecycle, all Internal and Restricted Information collected, stored, processed, and shared at the University must be protected in a manner that is reasonable and appropriate for the level of sensitivity, value, and risk that the Information has to the University or third party supplier of the information. All applicable policies and guidelines on the protection of Internal and Restricted Information must be followed.
II. All Internal and Restricted Information must be:
4.02 University equipment, software, and networks must be secured and used only for authorized purposes.
I. Any information and communication technology that is used to store, process, or transmit University Information must be secured in a manner that is reasonable for the level of sensitivity, value, and risk related to the Information and in accordance with legislation or University policies, procedures, or guidelines.
II. The Information Security Team ensures that control standards will be enabled on every University computing system;
III. The Information Security Team is responsible to:
4.03 Authorized Users, including academic and administrative units, are responsible for Information in their custody or control.
I. Faculty and administrative units are responsible for adopting and implementing the security standards, procedures and guidelines developed by the Information Security Team for protection of University Information and resources;
II. All Authorized Users must notify their manager and the Privacy Office if Internal or Restricted Information is, or is suspected to have been, lost, stolen, or improperly disclosed;
III. Units and users must consult with ICT before purchasing, downloading, or using a software solution or hardware to ensure it meets ICT requirements;
IV. Internal and Restricted Information is only to be accessed by Authorized Users as required for the performance of their University duties and responsibilities;
V. Physical access to Internal and Restricted Information on devices such as laptops, smart phones, or in printed files should be restricted when not in use.
We see you are accessing our website on IE8. We recommend you view in Chrome, Safari, Firefox or IE9+ instead.×