Information security procedures and other controls
The University guidelines on use and security of information systems are:
- Statement on Security of Waterloo Computing and Network Resources
- Guidelines on the Use of Waterloo Computing and Network Resources
- Statement on Electronic Business
- Managing Student Information for Faculties, Departments and Schools
- Password Standards
- Technical security standards for e-commerce applications
- Standards for secure hosting
- Security standards for desktops and laptops
- Security standards for networked peripheral devices (print/scan/fax)
- Data encryption
The Guidelines for secure data exchange should be followed by all employees when choosing secure methods for sharing electronic information.
The Information & Privacy website includes guidance on basic security measures required for all information, including hard-copy information:
- Information confidentiality classification scheme
University Records Management in 5 Steps, Step 3, Organize Your Records provides additional examples of public, confidential, restricted, and highly restricted information, supporting the definitions found in Policy 46.
The University records retention schedules (WatClass) document the information confidentiality classification for records in each records class.
The Guidelines for secure data exchange describe the technologies that can be used to share information in each of the confidentiality classifications.
Information security risk management methodology
The information security risk management methodology includes:
- The Information Risk Assessment process (formerly known as the Privacy and Security Impact Assessment (PSIA)); and,
- The draft guidelines and standards for additional aspects of information security risk management, available via the Information Security Services SharePoint site.
Information security incident reporting procedures
As defined in Policy 46, an information security breach involves one or more of:
- A circumvention of information security controls;
- The unauthorized use of information;
- The unintended exposure of information.
Information custodians who become aware of an information security breach should follow the Information Security Breach Response Procedure.
Any information user who becomes aware of an information security breach should inform an information custodian - typically a manager - in the unit responsible for the information. If you are unsure, contact the University Records Manager, Privacy Officer, or IST's Information Security Services (firstname.lastname@example.org, or ext. 41125) for assistance.