We use cookies on this site to enhance your experience.
By selecting “Accept” and continuing to use this website, you consent to the use of cookies.
9.4 Information Security Policy Statement
This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.
Approving Authority: President
Original Approval Date: February 5, 2016
Date of Most Recent Review/Revision: April 15, 2024
Office of Accountability: Office of the Chief Information Officer
Administrative Responsibility: Information and Communication Technologies
1.00 Purpose
1.01 Information is a vital asset to the University as it relies heavily on it for the delivery of services and management of resources. It is crucial for the University to ensure the confidentiality, integrity, and availability of all data in its possession. As such, Laurier recognizes the importance of protecting the information in its custody from unauthorized access, modification, disclosure, or destruction. This policy outlines the roles and responsibilities for the security of information, however recorded, including governance, training and awareness, technical security systems, and monitoring of the Laurier information security program.
2.00 Definitions
2.01 Information: includes any part or all of any record, document, or data that is created, stored and used by the University, however recorded, whether in printed, film, or electronic form. University Information is information created in the course of University business.
2.02 Personal Information: Recorded information about an identifiable individual.
Classes of Information:
2.03 Open Information (Type 1): Information that is readily available to any Member of the University Community or to the general public, either by request or by virtue of being posted or published by the university through proper administrative procedures. This type of information has no restrictions on access or usage. It may include Personal Information collected for the express purpose of public release with the knowledge and consent of the individuals the information is about, or records created for public circulation.
2.04 Internal Information (Type 2): Information whose unauthorized release could reasonably be expected to cause minor, short-term harm to individuals or to the University and is intended for only limited dissemination. Internal Information must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, distribution, storage or other use. Protection of such information may be required by university policy and/or provincial or federal legislation. Access to Internal Information is restricted to those who have a legitimate purpose for accessing such information. It is important to note that internal information in the aggregate may migrate to Restricted Information, particularly with respect to Personal Information about an individual.
2.05 Restricted Information (Type 3): Information that, if compromised, could reasonably be expected to result in significant and/or lasting harm to an individual or the University such as identity theft or reputational risk. This type of information is strictly protected by provincial or federal statutes or regulations, University policy, or contractual agreement(s) and must be protected from unauthorized access, modification, distribution, storage, destruction, or use. Access to Restricted Information is limited to those who have a legitimate purpose for accessing such information.
2.06 Information User: the individual Member of the University Community who has been granted access to Information in order to perform assigned duties or in fulfillment of assigned roles or functions at the University. This access is granted solely for the conduct of University business.
2.07 Information Steward: The University employee who is the manager responsible for the direction of a functional unit that is responsible for creating and/or managing a group of records. This typically will be a Director for the unit, depending on the structure of the department.
2.08 Information Custodians: ICT or computer system administrators responsible for the operation and management of systems and servers which collect, manage, and provide access to Information. Information Custodians must be authorized by the appropriate Information Steward and ICT. Information Custodian responsibilities include:
• Maintaining physical and system security and safeguards appropriate to the classification level of the data in their custody ;
• Complying with applicable University computer security standards;
• Managing Information User access as authorized by appropriate Information Stewards;
• Following data handling and protection policies and procedures established by Information Stewards and ICT.
2.09 Information Security Team: A subset of Information Custodians, the Information Security Team consists of the Laurier ICT and administrative personnel responsible for the implementation and operation of the information security program at Laurier.
2.10 Identity Management: the set of business processes and supporting infrastructure for the creation, maintenance, and use of digital identities. This includes a user’s unique identifier and credentials that enable access to Laurier’s computing systems.
2.11 Member(s) of the University Community: Persons who currently live, work or study at any Laurier campus or location. Members include students (including student groups), employees, adjunct and visiting faculty, and volunteers at Laurier.
3.00 Jurisdiction/Scope
3.01 This policy applies to all Members of the University Community, and other authorized users of Information at the University. Third party contractors (for example, software and cloud-based solution providers), must comply with this policy as well as other applicable University policies.
3.02 This policy applies to all University Information.
4.00 Policy
4.01 All Internal and Restricted Information must be protected and used only for authorized purposes.
(See Policy 10.1, Privacy Protection and Information Access)
4.01.01 Throughout its lifecycle, all Internal and Restricted Information collected, stored, processed, and shared at the University must be protected in a manner that is reasonable and appropriate for the level of sensitivity, value, and risk that the Information has to the University or third-party supplier of the information. All applicable policies and guidelines on the protection of Internal and Restricted Information must be followed.
4.01.02 All Internal and Restricted Information must be:
• Secured from unauthorized use and access;
• Secured when not in use;
• Secured in transit;
• Securely destroyed in accordance with University policies, procedures, or guidelines.
4.01.03 Once identified, improper use or access of restricted or internal information must be addressed immediately (see Privacy Breach Protocol).
4.02 University equipment, software, and networks must be secured and used only for authorized purposes.
4.02.01 Any information and communication technology that is used to store, process, or transmit University Information must be secured in a manner that is reasonable for the level of sensitivity, value, and risk related to the Information and in accordance with legislation or university policies, procedures, or guidelines.
4.02.02 The Information Security Team ensures that control standards will be enabled on every University computing system;
4.02.03 The Information Security Team is responsible to:
• Communicate any potential threats received from credible external sources regarding any potential issues which may affect security to the Members of the University Community in a timely manner;
• Regularly review and audit all information security procedures and mechanisms related to electronic systems.
4.03 Authorized Information Users, including academic and administrative units, are responsible for the Information in their custody or control.
(See policies 10.1, 10.2, 9.1.)
4.03.01 Faculty and administrative units are responsible for adopting and implementing the security standards, procedures and guidelines developed by the Information Security Team for protection of University Information and resources;
4.03.02 All Information Users must notify their manager and the Privacy Office if Internal or Restricted Information is, or is suspected to have been, lost, stolen, or improperly disclosed;
4.03.03 Units and Information users must consult with ICT before purchasing, downloading, or using a software solution or hardware to ensure it meets ICT requirements. Users should be aware of other policies that may have an impact on software and hardware purchases and use such as Policy 9.5, 4.15 and 5.11;
4.03.04 Internal and Restricted Information is only to be accessed by authorized Information Users as required for the performance of their University duties and responsibilities;
4.03.05 Physical access to Internal and Restricted Information on devices such as laptops, smart phones, or in printed files should be restricted when not in use.
Relevant Legislation
- Freedom of Information and Protection of Privacy Act (FIPPA)
- Personal Health Information Protection Act (PHIPA)
Related Policies, Procedures and Documents
- Roles and Responsibilities of Information Users
- 4.2 Surplus Disposal
- 4.15 Capital Budgeting Policy
- 5.11 Procurement and Tendering Policy
- 5.15 Merchant Card Use Policy
- 5.18 Fraud Policy
- 9.1 Use of Information Technology
- 9.5 External Information Technology and Cloud Services
- 10.1 Information Availability and Privacy Protection
- 10.2 Student Records
- 10.3 Responsible Use of Video Surveillance
- 10.4 Records Management Policy
- Use Encryption and Password to Protect Files
- Cybersecurity Information and Resources