Policy 108
Approved Administrative Committee 1002.8
ELECTRONIC DATA PROCESSING SECURITY
OBJECTIVE
1. The purpose of this policy is as follows:
- a) to establish responsibilities for the protection of the University of Ottawa's Electronic Data Processing assets;
- b) to establish acceptable security requirements for EDP assets protection against misuse and loss;
- c) to establish the basis for audits and self-assessments;
- d) to preserve the University of Ottawa's management options and legal remedies in the event of EDP asset loss or failure.
SCOPE
2. This policy applies to:
- a) all academic departments or administrative units of the University which provide EDP services or are custodians, owners or users of administrative or academic EDP systems;
- b) all EDP assets throughout the University.
DEFINITIONS
3. Electronic Data Processing (EDP) security is the protection of EDP assets from accidental and deliberate threats to confidentiality, integrity or availability.
4. EDP assets include the following:
- a) computers and associated peripherals and facilities;
- b) computer rooms, terminal rooms and off-site storage areas;
- c) telecommunications networks and facilities;
- d) EDP information assets (also called EDP information) comprise computer systems software, applications systems software, programs, associated data, and copies thereof on paper or other media;
- e) documentation of such procedures, systems, application systems designs, change management, contingency and disaster recovery plans as are required to assure the continued conduct of university business.
POLICY
5. It is the responsibility of all employees to safeguard the security and integrity of the University's EDP assets.
6. EDP assets belong to the University but management responsibility is delegated to an Owner (sometimes called a Guardian).
7. An EDP Information Assets Classification System is used to identify them and specify the particular security needs of administrative and, as appropriate, academic EDP information.
8. Directors of Services, Managers of Administrative Units, Deans, Department Heads are responsible for:
- a) protecting all EDP assets assigned to their area of management control;
- b) ensuring that personnel under their supervision are aware of EDP asset protection requirements;
- c) implementing security practices and procedures in accordance with the established policy and EDP Security Manual;
- d) contingency planning;
- e) ensuring that for sensitive business information processing, generally recognized control principles are applied to prevent the loss of integrity, auditability and control;
- f) restricting information to those who really need it in performing their assigned functions for all sensitive EDP information assets including all personal, confidential, or proprietary information.
9. The degree of security that should be implemented depends on the nature of the EDP asset and the consequence of loss of security. The cost of protection must be commensurate with the value to the University of the EDP asset, including the estimated intangible value.
10. All University of Ottawa personnel are responsible for compliance with the EDP Security Program and for reporting any variances from the established policies to the appropriate management representative.
11. Any unapproved deviation from the established EDP security policy, procedures or guidelines can result in disciplinary action including termination.
EDP SECURITY ADMINISTRATION AND PROGRAM
12. The Electronic Data Processing Security Administrator reporting to the Vice-rector, Administration and Services is responsible for:
- a) developing and administering EDP security policies;
- b) co-ordinating the University EDP security program;
- c) promoting EDP security awareness;
- d) monitoring security practice and ensuring compliance with the EDP security program.
VARIETY OF COMPUTING ENVIRONMENTS
13. The security measures that are appropriate depend on the nature of the EDP asset, its value, type of use and its environment. Computer systems may be categorized as low, medium or high risk systems. This assignment depends on many factors. A multi-user system connected to an open communications network without proper access control and other procedures is potentially a high risk system, but with proper procedures becomes a medium risk system. Additional security features and procedures may be justified to reduce the risk still further to an acceptable level.
14. A typical low risk system would be a microcomputer or an office, laboratory or departmental computer system with the following minimum attributes:
- a) effective isolation from other systems or networks;
- b) a homogeneous, mutually acceptable group of users (or a single user);
- c) effective control of physical access and/or individual password-controlled system access;
- d) restriction of privileged system commands to approved users;
- e) a physical environment meeting approved standards;
- f) a system manager who fosters security awareness among users;
- g) effective procedures for data, applications and system documentation and for back-up and contingencies; and
- h) additional measures to assure the confidentiality of personal, proprietary or other sensitive information.
RISK ACCEPTANCE
15. EDP security standards are minimum requirements that must be followed unless demonstrated to be inappropriate or unfeasible.
Non-compliance with EDP security standards implies acceptance of significant risks to the EDP assets. In some cases these may be fully justified. Such risk acceptance decisions should be explicitly made and documented, and approved by the immediate superior. They should then be sent to the EDP Security Administrator who will either give final approval or will refer the matter to the Administrative Committee for its decision.
RELATED PROCEDURES FOR EDP SECURITY
16. The EDP security program will be implemented through this and related policies and by the issuing of a set of procedures comprising guidelines, procedures and standards covering many aspects of computer security in detail. These will be incorporated into an EDP Security Manual prepared by the EDP Security Administrator.
GLOSSARY
17. A glossary is provided in APPENDIX A.
EXCEPTION
18. No exception to this policy may be made without the written consent of the Vice-rector, Administration and Services.
Published June 6, 1988
(Office of the Secretary)
APPENDIX A: GLOSSARY
Risk Acceptance: A conscious management decision to accept a particular level of significant risk as operationally necessary or as reasonable in view of the cost of providing a higher level of protection.
Disaster: An event (fire, flood, forced evacuation, electrical damage, etc.) that causes prolonged unavailability of EDP services or facilities.
Communications: The transmission of digital information or data over transmission media (wire, fibre optics, radio, etc.) between computers and terminals, workstations, or other devices that are attached either directly or by a local area or other network; also called telecommunications. (See also Controlled Communications and Open Communications).
Open Communications: Communications links to the system are open if the network itself provides no effective control against unauthorized users reaching and attempting to log on to a computer system.
Custodian: One who has authorized possession of an EDP information asset and is entrusted by the Owner to provide proper protection and care of the asset in an ongoing, operational environment; frequently the supplier of computing services.
Availability: This is violated by the failure, loss or destruction of an EDP asset.
Data: A general expression for a group of alphabetic characters, numbers or symbols which can be operated on by a computer program, but not the program itself.
Contingency Planning: Development of formal procedures to be followed to ensure employee safety and to minimize the extent of a disaster impacting the provision of EDP services.
Information Assets: (See EDP Information Assets).
Electronic Data Processing Information Assets: (See EDP Information Assets).
EDP Information Assets: Computer systems software, application systems software, programs, associated data, and copies thereof on paper or other media; also called EDP information (See also Academic EDP Information Assets, Administrative EDP Information Assets).
Sensitive EDP Information Assets: EDP information assets that are designated for internal University use only. They are subdivided into the categories Highly Confidential, Confidential and Restricted.
Administrative EDP Information Assets: EDP information assets created, used or maintained on a computer or on electronic data storage media for the purpose of administration or management.
Note that marks and other personal EDP information about the student that are maintained by professors, teaching assistants etc. are administrative EDP information assets.
Academic EDP Information Assets: EDP information assets created, used or maintained on a computer or on electronic data storage media for students or academic personnel, for the purpose of teaching or research.
Non-sensitive EDP Information Assets: EDP information assets that are classified as Unrestricted and may be distributed inside or outside the University.
EDP Assets: Computers, telecommunications networks, associated peripherals and facilities; EDP information assets; related documentation, procedures and contingency and disaster recovery plans.
Risk Assessment: The process of determining the different threats to an EDP asset, estimating their likelihood, evaluating their consequences and determining the costs of increased protection.
Contingency: An unexpected event affecting the availability of the computer system. Contingencies include emergencies, disasters, failures and evacuation.
Guardian: (See Owner).
Information: Processed data, or the result of the organization, analysis or summary of data into a meaningful form. (See also Electronic Data Processing Information Assets; EDP Information Asset Classification System; Confidential, Critical, Highly Confidential, Non-critical, Non-sensitive, Restricted, and Sensitive EDP Information Assets).
Confidential Information: Information whose unauthorized disclosure could cause damage to an individual or would be prejudicial to the interests of the University (e.g. personnel or medical records, financial information, proprietary information, personal information).
Integrity: A program or system has integrity when it performs to its specifications in a predictable way and, when malfunctioning, it fails in a limited and non-destructive manner with specific error messages. Unpredictable or unauthorized modification of information is a breach of integrity.
Software: Computer programs developed for use on hardware which permit the collection, organization, manipulation and retrieval of data.
Microcomputer: A fully-functioning compact computer system capable of operating on a desktop.
Computer: Any machine which can accept data in a prescribed form, process the data and supply the results in a specified format as information or as signals to control a further machine or process.
Control Principles: Generally recognized control principles include fail-safe defaults, separation of duties, individual accountability, resource access control and the limitation of privilege on a need-to-know, need-to-work basis.
Programming privileges: The ability to create or modify executable computer instructions.
Program: (See Computer Program).
Computer Program: Specially-encoded data used by a computer as a script defining a series of operations that perform a task when executed in logical sequence.
Owner (or Guardian): That individual who is guardian of, and has management responsibility for, an EDP information asset. The Owner is normally the Department manager/chairperson or delegated representative of the Service or Faculty that created the EDP information asset, or is its primary user. By default, the creator is Owner until ownership is assigned elsewhere; also called the Guardian.
Network: A connected set of computer facilities that can communicate with one another to exchange messages, information, programs or data.
Disaster Recovery: The process of restoring important EDP information assets and services following a disaster.
Risk: The potential loss or damage from materialized threats.
Information Security: (See Data Security).
Data Security: The protection of EDP information assets from unauthorized disclosure, modification, destruction or loss, whether accidentally or intentionally caused; see also EDP security.
EDP Security: The protection of EDP assets from accidental and deliberate threats to confidentiality, integrity and availability; see also Data Security.
System: A collection of units of equipment, methods and procedures, and perhaps persons, that is organized to accomplish a specified set of EDP functions.
Multi-user System: Users sharing the system are either not known to each other or are not all mutually acceptable.
Information Classification System: (See EDP Information Assets Classification System).
EDP Information Assets Classification System: A formal system of listing, categorizing and labelling EDP information assets to specify their EDP security and retention needs.
Computer System: A collection of instructions and hardware mechanisms which control the sharing of resources within a computer.
Single-user System: All users of the system share common access privileges to all system and data resources, and have a common need-to-know of all information on the system. Also microcomputers, workstations etc. with only one user.
Information Systems: (See Electronic Data Processing).
EDP: (See Electronic Data Processing).
Information Processing: (See Electronic Data Processing).
Electronic Data Processing (EDP): The methods and techniques associated with the processing of data by an electronic machine (e.g. a computer), or the act of such processing; also called Computing, Information Processing, Information Systems etc.
User: A person or group authorized by the Owner of an EDP information asset to use it for approved University purposes; often a synonym for End-user. (See Single-user, Multi-user).