Western unveils new IT security policy

Representing a major overhaul of Western’s security framework, the university effected a new Computing, Technology and Information Resources Policy earlier this week. The last substantive policy changes were implemented almost 10 years ago.

“The new information technology (IT) security policy is an important element of Western’s overall Cyber Security Strategy. Protecting the privacy and security of the university’s information and electronic resources is an organizational priority,” said Jeff Grieve, executive director of Information Technology Services (ITS).

“Information technology is undoubtedly an integral component of our personal and professional lives. The responsibility for information security at Western needs to be shared by every member of the campus community,” he added.

The new policy, MAPP 1.13 (approved by the Board of Governors in January), intends to provide faculty, staff and students with a single, streamlined and accessible source of information concerning the appropriate and secure use of information and technology resources at Western.

Positive information security behaviours go a long way in protecting valuable research, teaching and administrative resources, Grieve noted. A lengthy review process, which started in 2015, was necessary to streamline and consolidate a single IT security policy (overriding four separate, however interrelated policies), he explained. ITS also wanted to make the policy more accessible by simplifying language and to ensure the university is nimble in responding to emergent cyber security threats.

Among a number of guidelines and recommendations for the campus community, Western’s new IT security policy outlines a Code of Behaviour and standard expectations for the use of computing resources. Above all, ensure the university’s computing resources are used in an ethical and lawful manner, Grieve said. Don’t use computing resources for commercial personal use; don’t use unlicensed or unauthorized copies of computer software, and remember – the use of computing resources on campus is not private. The Code of Behaviour, available in full on the University Secretariat website, lists situations in which Western may disclose results of general or individual monitoring to appropriate university personnel or law enforcement agencies.

Some of the key takeaways of the new ITS security policy include:

  • Users should be aware the university does not guarantee security and should always engage in safe computing practices;The university shall disclose any breach of the security of an information system to any individual whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person;
  • Any computer or network security incident that potentially involves criminal activity shall be reported to Campus Community Police;
  • Everyone who connects a computer to university computing resources has the potential to affect the security of those resources;
  • Encryption of wireless communications is required for all staff and faculty at the university;
  • Users are responsible for ascertaining what authorizations are necessary and for obtaining them before proceeding;
  • Unit heads, including directors, are responsible for ensuring security policy is implemented within the unit; and
  • When engaging in electronic communications with persons in other jurisdictions, or on other systems or networks, be aware they may also be subject to the laws of those other jurisdictions and the rules and policies of those other systems and networks.

Information about the new IT Security Policy (MAPP 1.13) can be found at security.uwo.ca.