ACCEPTABLE USE AND SECURITY OF DIGITAL INFORMATION AND ELECTRONIC SYSTEMS (GP 24)
Date: March 23, 1993
Revision Date: March 30, 2023
Number: GP 24
Mandated Review: March 30, 2028
Policy Authority: Vice President Finance and Administration
Associated Procedure(s): See section 14 of this Policy.
EXECUTIVE SUMMARY
Simon Fraser University (the “University”) is committed to protecting the Digital Information and Electronic Systems that are critical to teaching, research, business operations, and other University activities and that are vital to the communities we support. This policy establishes standards and guidelines to:
- secure the Regulated Digital Information that our Electronic Systems contain;
- maintain the integrity of those Electronic Systems, and
- safeguard the financial assets of the University.
Access to, and use of, Digital Information and Electronic Systems will be granted using Role-Based Access principles. This enables Users to access Digital Information and Electronic Systems only as required for their role at the University, and only at the level required to perform their role. Everyone who accesses or uses Digital Information and Electronic Systems must do so ethically, responsibly, lawfully, and in a manner consistent with the Procedures, Standards, Guidelines, Controls, and Processes associated with this and any other relevant University policy or procedure.
TABLE OF CONTENTS
1.0 PREAMBLE
2.0 PURPOSE
3.0 SCOPE AND JURISDICTION
4.0 DEFINITIONS
5.0 POLICY
6.0 ROLES AND RESPONSIBILITIES
7.0 REPORTING
8.0 RELATED LEGAL, POLICY AUTHORITIES AND AGREEMENTS
9.0 ACCESS TO INFORMATION AND PROTECTION OF PRIVACY
10.0 RETENTION AND DISPOSAL OF DIGITAL INFORMATION
11.0 POLICY REVIEW
12.0 POLICY AUTHORITY
13.0 INTERPRETATION
14.0 PROCEDURES AND OTHER ASSOCIATED DOCUMENTS
1.0 PREAMBLE
1.1 The University will strive to balance the need for security with the open pursuit of academic activities. Security concerns may place limits on the way in which work is done, but not on the research or inquiry that is pursued. When limitations are needed, the University will make reasonable efforts to consult with person(s) impacted to attempt to find appropriate and workable solutions.
1.2 Proper management of the security risks associated with access to and use of Digital Information and Electronic Systems is imperative to support the University’s academic, research, and administrative activities.
1.3 To ensure Digital Information and Electronic Systems remain secure, to a degree that is reasonable and technically feasible and in accordance with FIPPA, the University will grant access to Users by utilizing Role-Based Access principles and security controls.
1.4 Each User of Digital Information and Electronic Systems is responsible for abiding by the University’s Role-Based Access principles and security controls.
2.0 PURPOSE
2.1 This policy, together with its associated Procedures, Standards, Guidelines, Controls, and Processes referenced in section 14, establishes the University’s expectations for access to, and use of, Digital Information and Electronic Systems.
3.0 SCOPE AND JURISDICTION
3.1 This policy applies to all Digital Information and Electronic Systems.
3.2 This policy applies to all Service Providers and members of the University Community who are authorized to access and use Digital Information and Electronic Systems.
3.3 A breach of this policy may result in the University restricting or withdrawing a User’s access to Digital Information and Electronic Systems, including computing privileges and network access.
4.0 DEFINITIONS
4.1 See Appendix A for the definitions of words used in this policy and its associated Procedures, Standards, Guidelines, Controls, and Processes.
5.0 POLICY
5.1 Role-Based Access to Digital Information and Electronic Systems
5.1.1 The University will utilize Role-Based Access principles to grant Users access to Digital Information and Electronic Systems. Role-Based Access enables Users to access information and systems only as required for their role at the University, and only at the level required to perform their role.
5.2 Use of Digital Information and Electronic Systems
5.2.1 All Users must:
a. use Digital Information and Electronic Systems responsibly, lawfully, ethically, in accordance with the User’s Role-Based Access, and in adherence to license agreements.
5.3 Security of Digital Information and Electronic Systems
5.3.1 All Users of Digital Information and Electronic Systems must take appropriate steps to ensure security by:
a. applying the Digital Information Classification Standard to determine which class of Digital Information is appropriate: Internal Information, Public Access Information or Regulated Information; and
b. applying the digital information security and domain Standards applicable to each classification of Digital Information.
5.3.2 All Operational Leaders and Service Providers of Digital Information and Electronic Systems, and those who are responsible for maintaining and administering them, must protect the systems from cybersecurity or other threats by managing and remediating any vulnerabilities throughout the Electronic System's lifecycle.
5.3.3 Disclosure of Information - Administrative Continuity
In cases of the absence, retirement, or termination of an employee engaged in administrative duties, there may be occasions where Units need access to that individual’s emails or files to conduct University Business. In such cases the Unit head can obtain access by making a request to the University Archivist and Coordinator of Information and Privacy. Any information released under this provision may not be used for any employee disciplinary purpose and may only be used for purposes of administrative continuity or any purpose provided for under the Freedom of Information and Protection of Privacy Act (RSBC 1996, c. 165). All personal information so obtained shall be kept confidential.
5.3.4 Role Accounts
Role accounts (that is, accounts granted to a role or organizational position rather than to an individual, for business purposes) must have one responsible owner appointed by the Operational Leader, but may be shared amongst Users as determined by the appropriate Operational Leader. Role accounts cannot be used to store Personal Information, as they are subject to access by the University to conduct its operations. The Chief Information Security Officer has the authority to permit an Operational Leader to access and disseminate the information contained in a Role account. Role accounts cannot be used to share licensed software in a manner that may violate the license. Use of Role accounts may be prohibited in specific systems and processes if the use of Role accounts fails to meet regulatory or legislative requirements.
5.4 Use of Non-University Systems for University Business
5.4.1 To optimize the security of Digital Information and Electronic Systems and to ensure administrative effectiveness and the best use of University resources, Units must use approved Electronic Systems.
5.4.2 When approved Electronic Systems are not available, Users or Units who wish to store, transmit, use, or dispose of Regulated Information or Internal Information using systems other than Electronic Systems must be pre-authorized by the Chief Information Security Officer (“CISO”) to do so. Once approved, adherence to the Procedures, Standards, Guidelines, Controls, and Processes associated with this policy is required.
5.5 CISO - Emergency Authority
5.5.1 If an emergency arises that threatens the security of Digital Information or Electronic Systems, the CISO has the authority and responsibility to implement emergency response measures to shut down the risk and to mitigate further damage. Those affected by such actions shall be notified as soon as practicable.
5.5.2 The CISO will immediately report any such emergency response measures to the Executive Team. The Executive Team will work with the CISO to evaluate the risk and review next steps.
6.0 ROLES AND RESPONSIBILITIES
6.1 Chief Information Security Officer
6.1.1 The CISO (or delegate) shall perform a coordinating role in the implementation, administration, and support of this policy by:
a. developing, issuing, and regularly reviewing the Procedures, Standards, Guidelines, Controls, and Processes;
b. providing guidance on compliance with the policy;
c. providing an ongoing security awareness training program;
d. assisting in the investigation of breaches and potential breaches of the policy; and
e. consulting with the Access and Privacy Program at the Archives and Records Management Department to determine the potential privacy impact associated with any information security incident or breach.
6.2 Operational Leaders
6.2.1 Operational Leaders of Academic or Administrative Units are responsible for maintaining the security of their local Digital Information and Electronic Systems. Their responsibilities include:
a. assigning access, renewing, retiring, or revoking User authorizations within their area of responsibility based upon the User’s role within the Unit (Role-Based Access), following the Principle of Least Privilege;
b. ensuring that Digital Information and Electronic Systems are secured, with particular care concerning User identification and validation measures;
c. ensuring that Digital Information, within their area of responsibility, is maintained, transmitted, stored, retained, and disposed of in a secure and consistent manner that adheres to all relevant University policies, including Procedures, Standards, Guidelines, Controls, and Processes, record retention schedules and disposal authorities, and the Freedom of Information and Protection of Privacy Act;
d. ensuring that breaches and potential breaches of this policy occurring within their Unit are reported to the CISO, then continuing to assist in the investigation, while preserving evidence where required;
e. ensuring that technical staff within their Unit are aware of and adhere to this policy and its associated Procedures, Standards, Guidelines, Controls, and Processes;
f. ensuring their technical staff support University security standards in the design, installation, maintenance, training, and use of Digital Information and Electronic Systems; and
g. working with the Chief Information Officer (“CIO”) and the CISO to make training, other information, and resources necessary to support this policy available to their Unit.
7.0 REPORTING
7.1 The CISO will report to the Audit, Risk, and Compliance Committee of the Board of Governors on matters related to the security and use of Digital Information and Electronic Systems.
8.0 RELATED LEGAL, POLICY AUTHORITIES AND AGREEMENTS
8.1 The legal and other University Policy authorities and agreements that may bear on the administration of this policy and may be consulted as needed include but are not limited to:
8.1.1 University Act, R.S.B.C. 1996, c. 468
8.1.2 Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165
8.1.3 Enterprise Risk Management (GP 42)
8.1.4 The University’s Information Policy Series, including Protection of Privacy (I 10.11)
9.0 ACCESS TO INFORMATION AND PROTECTION OF PRIVACY
9.1 The information and records made and received to administer this policy are subject to the access to information and protection of privacy provisions of British Columbia’s Freedom of Information and Protection of Privacy Act and the University’s Information Policy series.
10.0 RETENTION AND DISPOSAL OF DIGITAL INFORMATION
10.1 Information and records made and received to administer this policy are evidence of the University’s actions to guide access to, and the use and security of, Digital Information and Electronic Systems. Digital Information and records must be retained and disposed of in accordance with a records retention schedule approved by the University Archivist.
11.0 POLICY REVIEW
11.1 This policy must be reviewed every five years but may be reviewed as needed.
12.0 POLICY AUTHORITY
12.1 This policy is administered under the authority of the Vice-President Finance and Administration.
13.0 INTERPRETATION
13.1 This policy should be interpreted in a manner that is consistent with the University’s legal obligations, including its obligations under any relevant collective agreement or employment policy with non-unionized employees.
13.2 Questions of interpretation or application of this policy shall be referred to the Vice-President Finance and Administration for determination, and that decision shall be final.
14.0 PROCEDURES AND OTHER ASSOCIATED DOCUMENTS
14.1 Appendix A contains the definitions applicable to this policy and its associated Procedures, Standards, Guidelines, Controls, and Processes.
14.2 The Procedures, Standards, Guidelines, Controls, and Processes associated with this policy include but are not limited to:
14.2.1 Digital Information Classification Standard;
14.2.2 Acceptable Use of Electronic Systems Standard;
14.3 The associated Procedures, Standards, Guidelines, Controls, and Processes listed above will be published on the [Web Site TBD].
14.4 Appendix B: Procedure to Authorize File Access
14.5 Appendix C: Request for Access to Digital Information Contained in Electronic Systems Form