Information Security

Information Security

Information security procedures and other controls

The University guidelines on use and security of information systems are:

IST Information Security Services, Policies, standards, and guidelines web-page includes more guidance, including:

The Guidelines for secure data exchange should be followed by all employees when choosing secure methods for sharing electronic information.

The Information & Privacy website includes guidance on basic security measures required for all information, including hard-copy information:

Information confidentiality classification scheme

University Records Management in 5 Steps, Step 3, Organize Your Records provides additional examples of public, confidential, restricted, and highly restricted information, supporting the definitions found in Policy 46.

The University records retention schedules (WatClass) document the information confidentiality classification for records in each records class.

The Guidelines for secure data exchange describe the technologies that can be used to share information in each of the confidentiality classifications.

Information security risk management methodology

The information security risk management methodology includes:

Information security incident reporting procedures

As defined in Policy 46, an information security breach involves one or more of:

  • A circumvention of information security controls;
  • The unauthorized use of information;
  • The unintended exposure of information.

Information custodians who become aware on an information security breach should follow the Information Security Breach Response Procedure.

Any information user who becomes aware of an information security breach should inform an information custodian - typically a manager - in the unit responsible for the information. If you are unsure, contact the University Records Manager, Privacy Officer, or IST's Information Security Services (, or ext. 41125) for assistance.