IM30 – Information Security [DRAFT]

Records relating to information systems, technology, and infrastructure security.

This records class contains Personal Information Banks.

Related Records | Responsible Unit | Information Steward | Information Confidentiality Classification | Retention | Disposition | Authority | Retention Rationale | Personal Information BanksVersion Information

Content & Scope

Information security services and processes include: information risk and security assessments; network monitoring and vulnerability management; log aggregation and analysis to identify information security incidents; identity and access management; system forensic examinations; and, investigations of information security breaches. User identities, authorizations and authentication are managed using the enterprise identity and access management system.

The records include: security services planning and review documentation; reports; log files; security information and event management system data; user identity profiles, passwords, and system authorizations; information security breach reports and investigation records; and other correspondence related to information security services and processes.

Related Records

For information security standards and procedures applicable to all University community members, see AD40 – Policies, Procedures, & Guidelines.

Responsible Unit

  • IST, Information Security Services.
  • Faculty and other computing support units.

Information Steward

Vice-President, Administration & Finance.

Information Confidentiality Classification

Restricted.

Retention

  • Information security risk assessments and associated records: 2 years after the system has been decommissioned/discontinued.
  • Information security breach investigations and action taken: 7 years after the last action on the case.
  • All other records: 2 years after last action or administrative use.

Disposition

Secure destruction.

Note

Responsible Units should document the disposal/destruction of official records using the University records destruction form or equivalent documentation, to verify that we are following our records retention rules.

Authority

  • Policy 46 – Information Management.
  • Guidelines on use of Waterloo computing and network resources.
  • Statement on the security of Waterloo computing network and resources.
  • Information Security Breach Response Procedure.

Retention Rationale

The retention period is based on operational use.

Personal Information Banks

Identity and access management records include: name, user ID, password, student or employee ID number, email address, phone number, and user roles.

Under Review Date

16 December 2022.