Records relating to information systems, technology, and infrastructure security.
This records class contains Personal Information Banks.
Content & Scope
Information security services and processes include: information risk and security assessments; network monitoring and vulnerability management; log aggregation and analysis to identify information security incidents; identity and access management; system forensic examinations; and investigations of information security breaches. User identities, authorizations and authentication are managed using the enterprise identity and access management system.
The records include: security services planning and review documentation; reports; log files; security information and event management system data; user identity profiles, passwords, and system authorizations; information security breach reports and investigation records; and other correspondence related to information security services and processes.
Related Records
For information security standards and procedures applicable to all University community members, see AD40 – Policies, Procedures, & Guidelines.
Responsible Unit
- IST, Information Security Services.
- Faculty and other computing support units.
Information Steward
Vice-President, Administration & Finance.
Information Confidentiality Classification
Restricted.
Retention
- Information security risk assessments and associated records: 2 years after the system has been decommissioned/discontinued.
- Information security breach investigations and action taken: 7 years after the last action on the case.
- All other records: 2 years after last action or administrative use.
Disposition
Secure destruction.
Note
Responsible Units should document the disposal/destruction of official records using the University records destruction form or equivalent documentation, to verify that we are following our records retention rules.
Authority
- Policy 46 – Information Management.
- Guidelines on use of Waterloo computing and network resources.
- Statement on the security of Waterloo computing network and resources.
- Information Security Breach Response Procedure.
Retention Rationale
The retention period is based on operational use.
Personal Information Banks
Identity and access management records include: name, user ID, password, student or employee ID number, email address, phone number, and user roles.
Under Review Date
16 December 2022.