Policy 8 – Information Security

Established: December 11, 2009

Class: G

1. Introduction and scope

The University of Waterloo relies heavily on information and information systems for the delivery of services and management of resources and must therefore ensure that its information assets are well protected. Failure to adequately protect the university’s information assets through the implementation of appropriate security controls puts the university at risk.

This policy applies to university records and all other information that is in the custody or control of the University of Waterloo. This policy serves the following purposes:

  1. Provides a security classification scheme for university information that can be referenced in other policies, guidelines, standards, and procedures relating to information.
  2. Outlines the responsibilities that members of the university community have with respect to information security.

Use of information means any access to, collection, storage, transmission, processing, or destruction of information.

Custody of information means the keeping, care, watch, preservation, or security of information for a legitimate business purpose.

Control of information means the power or authority to make a decision about the use or disclosure of information in university records, as defined in Policy 12 (Records Management).

An Information Security Breach involves one or more of: a circumvention of information security controls; the unauthorized use of information; the unintended exposure of information.

2. Information security classification

Information in the custody or control of the university is either Confidential or Public. Information is Confidential where there is an expectation that such information will not be disclosed to anyone except those persons requiring the information for a legitimate purpose. Restricted information is the subset of Confidential information where the protection of such information is required by law or regulation, or the university is required to provide notice to an individual or some authority if information is inappropriately accessed. Highly Restricted information is the subset of Restricted information that presents a higher risk to the university if compromised. The university collects Highly Restricted information only when absolutely necessary to conduct its business. 

Information is Public when no other security classification has been applied. Public information is viewable without the requirement for any access controls.

Highly Restricted information is comprised of:

  • Social Insurance Numbers
  • Bank Account Numbers
  • Credit Card Numbers
  • Driver’s License Numbers
  • Health Insurance Identification Numbers
  • Information that is itself controlled technology as regulated by the Controlled Goods Regulations, or technical data as defined by the Technical Data Control Regulations, under the authority of the Defence Production Act
  • Information related to Public Works and Government Services Canada contracts or other contracts governed by regulations of the Canadian and International Security Directorate

Restricted information includes the following not explicitly classified as Highly Restricted:

Confidential information includes, but is not limited to:

  • Information supplied in confidence
  • Commercially sensitive information including related financial transactions

Confidential information (including Highly Restricted and Restricted information) may be found in forms such as:

  • Examinations
  • Correspondence in the form of electronic mail, electronic real-time communications, and hard copy communications
  • Employment applications
  • Records of closed meetings
  • Records subject to solicitor-client privilege
  • Research proposals
  • Institutional plans, policies, and projects while in development
  • Employment files of regular faculty members as provided in Policy 75 (Official Employment Files of Regular Faculty Members)
  • Employment files of regular staff members as provided in Appendix C of Policy 18 (Staff Employment)

Public information includes, but is not limited to:

  • University policies
  • Job postings and job descriptions
  • Campus directories
  • University calendars
  • The university’s public website


3. Roles and responsibilities

Responsibility for this policy lies with the Chief Information Officer, who is responsible for the security of university information systems, and the Secretary of the University, who is responsible for overseeing the administration of FIPPA within the university. 

Information Security Officer 

The Information Security Officer is a senior-level employee of the university, designated by the Chief Information Officer, responsible for:

  • Developing, maintaining, and disseminating standards and procedures relating to information security.
  • Coordinating and assisting with the response to breaches involving the unauthorized use of information.

Privacy Officer

The Privacy Officer, designated by the Secretary of the University, is responsible for:

  • Developing, maintaining, and disseminating standards and procedures relating to protection of information.
  • Maintaining an index of personal information banks for the university.
  • Providing guidance in the response to breaches involving the unintended exposure of information.

Information Steward 

An Information Steward is normally:

  • A senior-level employee of the university who has been delegated responsibility, on behalf of the university, for the creation, maintenance, protection, and use of a collection of information.
  • An owner of other information which is in the custody of the university.

An Information Steward is responsible for the following:

  1. Applying a security classification to information using the classification scheme defined in this policy.
  2. Determining the risk tolerance to threats that affect information security.
  3. Assigning operational responsibility for information to one or more Information Custodians.
  4. Establishing and maintaining rules and procedures for the appropriate use and protection of information.
  5. Ensuring that the use and protection of information is consistent with all applicable policies and regulations, including relevant legislation.

Information Stewards should consider carefully whether there is a need to collect and store Restricted information.

Information Custodian 

An Information Custodian is an employee of the university, or an external entity operating under contract with the university, who has operational responsibility for a collection of information. An Information Custodian is responsible for one or more of the following:

  • Understanding the rules and procedures for the appropriate use and protection of information.
  • Understanding the flow of information in relevant operational processes, both manual and automated.
  • Implementing and maintaining physical and logical controls that enforce established rules and procedures.
  • Granting and revoking access to information, under the direction of the Information Steward.
  • Enabling the timely detection, reporting, and analysis of incidents where circumvention, or attempted circumvention, of controls takes place.

User 

A User is a member of the university who accesses information that is in the custody or control of the university. A User is responsible for the following:

  1. Restricting the use of information to only the purposes specified by the Information Steward.
  2. Complying with rules and procedures in force regarding the use of information.
  3. Complying with controls implemented by the Information Custodian.

Any User who duplicates and stores information, or any subset of information, including paper copies, assumes the responsibilities of Information Custodian for that information.

4. Requirements for the use and protection of information

The use of information classified as Highly Restricted is prohibited without approval from both the Chief Information Officer and the Secretary of the University. The Privacy Officer, Information Security Officer, and others may be consulted as circumstances dictate. Approved use of Highly Restricted information is recorded in Appendix A of this policy.

Security controls, both physical and logical, around the use of information must be in accordance with standards established by the Information Security Officer. The strength of security controls for information classified as Restricted will normally exceed that for information classified as Confidential.

5. Requirements in the event of an information security breach

Users must report Information Security Breaches to the Information Custodian who will inform the Information Steward as soon as possible. Information Custodians must follow the Information Security Breach Response Procedure as established by the Information Security Officer and Privacy Officer.


Appendix A

This appendix outlines the approved uses of information classified as Highly Restricted. Information Stewards who require the use of Highly Restricted information must submit a request in writing to either of the Chief Information Officer or the Secretary of the University. 

Social Insurance Numbers 

The table below outlines the approved uses of Social Insurance Numbers:

Approved Use                                      Information Steward
Employment records                                Associate Provost, Human Resources
Undergraduate student awards and financial aid    Registrar
Graduate student awards and financial aid         Associate Provost, Graduate Studies
Collection of overdue accounts                    Director, Finance
Taxable benefits                                  Director, Finance
WSIB claims                                       Director, Safety Office

Bank Account Numbers 

The use of university banking information is approved for members of the university subject to the rules and procedures established by Finance. The table below outlines the approved uses of non-university banking information:

Approved Use                                      Information Steward
Payroll                                           Associate Provost, Human Resources
Accounts payable                                  Director, Finance
Donations                                         Vice-President, External Relations

Credit Card Numbers 

The use of university-issued payment cards and corporate credit cards is approved for members of the university subject to the rules and procedures established by Finance.
The use of non-university-issued credit card information is approved subject to rules and procedures established by Finance. The electronic use of non-university-issued credit card information is subject to the requirements of the university Statement on Electronic Business.

Driver’s License Numbers 

The table below outlines the approved uses of Driver’s License Numbers:

Approved Use                                      Information Steward
Collision reporting                               Director, Police and Parking Services
Identification of persons on campus property      Director, Police and Parking Services
Identification of non-UW bar patrons              Director, University Business Operations
Insurance on UW vehicles                          Director, Finance

Health Insurance Numbers

The table below outlines the approved uses of Health Insurance Numbers:

Approved Use                                      Information Steward
Health care services                              Director, Health Services
Optometry services                                Director, School of Optometry
UW summer camps                                   Dean of Arts; Dean of Engineering
Sports clinic                                     Director, Athletics

Highly Restricted Information in Research

The use of Highly Restricted information in research, including information related to Public Works and Government Services Canada contracts or other contracts governed by regulations of the Canadian and International Security Directorate, or controlled technology and/or controlled technical data as regulated by the Defence Production Act, is approved for members of the university subject to the rules and procedures established by the Office of Research and/or the granting agency and, where appropriate, in consultation with the Information Security Officer.