Adoption Date: June 29, 2016
Amendments dates: November 18, 2020, September 4, 2024
Approved by: Administration Committee
Responsible Service: Information Technology
PURPOSE
The purpose of this Policy is to ensure the security and integrity of University IT assets. This Policy also promotes the efficient, ethical, and lawful use of University IT assets. It serves as the overarching policy that governs the interpretation and application of all other information technology use and security policies and any related IT standards or procedures.
- DEFINITIONS
For the purposes of this Policy and any IT standard or University procedure established pursuant to this Policy:
“employee” means any (regular or contract position) unionized or non-unionized academic, administrative or support personnel (including those whose salary is paid through sources other than the University’s operating funds, such as grants, research grants and external contracts) or any other individual identified as an employee by University of Ottawa Human Resources.
“IT asset” encompasses all and collectively refers to University IT resources and electronic information stored on, within, connected or passing through a University IT resource.
“IT resource” includes (but is not limited to) the following that are owned by and/or operated or managed by the University, or that are licensed to the University or operated by an external organization on behalf of the University: software, systems, networks, computers, any other computing resource or hardware , servers (physical or virtual), data storage devices, telephone systems, magnetic or network media, and any other communication devices.
“IT service” includes (but is not limited to) infrastructure, applications, enterprise architecture, information security and end user support services across the University.“IT standard” refers to the operating IT standards that are documented and published in the Office of the Chief Information Officer’s IT schedules.
“IT schedule” refers to a schedule issued by the Office of the Chief Information Office pursuant to this Policy that sets out IT standards approved by the Chief Information Officer governing IT assets.
“members of the University community” refers to any person or entity that utilizes University IT assets in any manner, whether directly or indirectly. This includes but is not limited to:
- employees and students;
- clinicians and physicians with an academic appointment; adjunct professors, visiting academics and emeritus professors; postdoctoral or clinical fellows; research trainees;
- supplier and/or vendor or other entities engaged by the University to provide services or goods;
- members of the Board of Governors, of the Senate and any of their respective committees, as well as members of any advisory committee formed to help the University achieve its goals;
- staff of a union or a student group while acting in a capacity defined by their relationship to the University;
- volunteers; and
- Universities federated with the University of Ottawa such as Saint Paul University;
“student” means any individual registered at the University at the undergraduate, graduate, or postdoctoral level, including any medical resident, fellow or special student, whether enrolled full-time or part-time.
“supplier and/or vendor” means any individual or organization that provides, or may provide, goods or services to the University.
"volunteer" means any individual with permitted access to or use of IT assets willingly providing goods or services to the University without compensation.
- INTERPRETATION
- This Policy, any procedure and any IT standard established pursuant to it shall be read in conjunction with other University policies, including without limiting:
- Policy 117 - Information Classification and Handling
- Policy 90 - Access to Information and Protection of Privacy.
- The Chief Information Officer (CIO) shall be responsible for the interpretation of this Policy and any IT standard or procedure established pursuant to it. Consult the IT standards set out in the IT schedules.
- This Policy, any procedure and any IT standard established pursuant to it shall be read in conjunction with other University policies, including without limiting:
- APPLICATION
- The provisions of this Policy, of any procedure and of any IT standards established pursuant to it, extend to all University IT assets, and apply to all members of the University community.
- PRINCIPLES
- As part of its educational mission, the University acquires, develops, and maintains various IT assets. IT assets are intended for University-related purposes, including, but not limited to, direct and indirect support of the University’s academic, research and service missions; University administrative functions; student and campus life activities; and the free exchange of ideas within the University community and the wider local, national, and world communities.
- The University recognizes the importance of information security and protecting its IT assets. The University is therefore committed to preserving the security and integrity of its IT assets and using reasonable, appropriate, practical, and effective security measures to protect against unauthorized use, modification, disclosure, and destruction of its IT assets.
- The University is equally committed to preserving an environment that encourages academic and research freedom through the responsible use of IT assets.
- RESPONSIBILITIES
The University’s Chief Information Officer (CIO) oversees the University’s IT resources and services that enable academic, research and administrative functions, and that support faculty, staff, and students.
Without limiting the generality of the foregoing, the CIO shall be responsible for:
- developing, implementing and ensuring awareness of IT policies and related procedures;
- recommending, to the Vice-President, Finance and Administration, IT asset use;
- developing, approving, maintaining, and ensuring awareness of IT standards ;
- providing custodianship of IT assets;
- providing oversight of IT asset use and security throughout the University;
- educating the University community about IT asset use and security responsibilities;
- informing the Administration Committee annually of significant exceptions granted and of non-compliance matters;
- exercise internal control measures over IT assets, as reasonably necessary, to preserve the security and integrity of IT assets, regardless of the IT assets’ source of funding (University operating or research funds) and of the faculty, service, or unit operating, managing, or using such IT assets.
- All members of the University Community are responsible for complying with this Policy, its related procedures and IT standards established pursuant to this Policy. Consult the IT standards set out in the IT schedules.
- All members of the University Community shall promptly inform the CIO of any failure to comply with the requirements of this Policy, or procedures established pursuant to it or any IT standard.
- REVIEW AND IMPLEMENTATION
- This Policy and the IT standards and procedures established pursuant to it shall be reviewed by the CIO on a regular basis, as the CIO deems appropriate, based on changes in technology or regulatory requirements.
- APPROVAL AND AMENDMENTS
- The Office of the Chief Information Officer is responsible for recommending changes to this Policy to the Vice-President, Finance and Administration.
- Amendments to this Policy require the approval of the Administration Committee.
- The Vice-President, Finance and Administration of the University may establish, amend, or abrogate procedures for purposes of the effective implementation of this Policy, provided that such procedures are consistent with the provisions of this Policy.
- Notwithstanding Section 8.2 the Secretary-General may amend this Policy without the need to submit such amendment to the Administrative Committee for approval if such amendment is required to:
- update or correct the name or title of a position, unit, law, bylaw, policy, procedure, or authority; or
- correct punctuation, grammar, typographical errors, revisions to format and other technical revisions, where appropriate, if the correction does not change the meaning of a provision, or make such other corrections if it is clear both that an error has been made and what the correction should be; or
- correct the form of expression of a provision in French or in English to be more compatible with its form of expression in the other language; or
- make consequential amendments to conform with or arising from another University bylaw, resolution, policy or procedure.