Information is an asset that the Centre for Advanced Computing (CAC) at Queen’s University in Kingston has a duty and responsibility to protect. The confidentiality, integrity and availability of information are an essential part of functioning in a manner consistent with client needs and expectations.
As a data centre, the organization stores and provides tools to process information, which may include confidential information. As such, CAC shares a responsibility with its clients to help safeguard information and prevent its misuse.
The purpose and objective of this Security Policy is to set out a framework for the protection of information assets at CAC:
- to protect CAC information from all threats, whether internal or external, deliberate or accidental
- to enable secure information sharing
- to encourage consistent and professional use of information
- to help all parties understand their responsibilities in using and protecting information
- to ensure business continuity and minimize business damage
- to protect CAC from legal liability and the inappropriate use of information
This Security Policy is a high-level document, and adopts a number of controls to protect information. The controls are delivered by additional policies, standards, processes, and procedures which are supported by training and tools.
This document outlines a framework for the management of Information Security at CAC.
The Security Policy, standards, processes and procedures apply to all staff and employees and contractual third parties who have access to the information systems or assets.
The Security Policy applies to all forms of information stored on CAC systems.
3. Structure of this Policy
This policy is high-level and is supplemented by additional security policy documents which provide detailed policies and guidelines relating to specific security controls.
CAC will undertake risk assessments to identify, quantify, and prioritize risks. Controls will be selected and implemented to mitigate the risks identified.
CAC maintains a Risk Registry which identifies risks, existing controls and countermeasures.
The following controls are in place at CAC to help reduce risk:
- Policies and Procedures
- High Availability and Secure Infrastructure
- Roles and Responsibilities
- User and Staff Training
- Segregated Architectures
- Internal and External Audits
4. Security Policy
The security policy sets out an approach to managing information security.
The security policy is approved by management and is communicated to all staff and employees and contractual third parties.
The security requirements for CAC will be reviewed at least annually by management. Formal requests for changes will be raised for incorporation into the Security Policy, processes, and procedures.
5. Organization of Information Security
This Policy and additional procedures help ensure that Information will be protected from a loss of:
- Confidentiality: so that information is accessible only to authorized individuals
- Integrity: safeguarding the accuracy and completeness of information and processing methods
- Availability: that authorized users have access to relevant information when required
Queen’s University policy, regulatory, legislative and contractual requirements are incorporated into the Security Policy.
CAC will work towards implementing ISO 27002, the international standard for information security controls.
All incidents of information security, actual or suspected, must be reported and will be investigated.
Business continuity plans will be produced, maintained and tested.
Specialist external advice will be drawn upon where necessary so as to maintain the Security Policy to address new and emerging threats and standards.
Formal roles and responsibilities are defined and assigned as appropriate to protect the information security systems at CAC.
All staff and contractors are required to comply with the policies and procedures set out herein.
6. Asset Management
All assets (including but not limited to data, information, software, computer and communications equipment, service utilities and people) will be appropriately protected.
Owners will be assigned and they will be responsible for the maintenance and protection of their assets.
7. Human Resources Security
Appropriate policies will be communicated to all employees, contractors and third parties to ensure that they understand their responsibilities.
Security responsibilities will be included in job descriptions and in terms and conditions of employment.
Regular background verification checks are carried out on all CAC employees.
Information security education and training are made available to all staff and employees.
8. Physical and Environmental Security
Secure areas will be protected by well-defined perimeters with appropriate security barriers and entry controls. Staff are assigned physical access only as required.
Critical and sensitive information is housed in the secure area, and physically protected from unauthorized access, damage and interference from environmental threats.
The data centre will have 24/7 on-call and third-party monitoring of intrusion and environmental systems or other emergencies.
9. Communications and Operations Management
CAC will operate its information processing facilities securely.
Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities are established.
Appropriate operating procedures are put in place to ensure the protection of data in transit and at rest.
Segregation of duties and cross-training are implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
10. Access Control
Access to sensitive information is controlled. Following the principle of least privilege, access will be granted or arrangements made for employees, partners, or suppliers according to their role, only to the minimal level required to allow them to carry out their duties.
A registration and deregistration process is implemented for access to all information systems and services.
11. Information Systems Acquisition, Development, Maintenance
The information security requirements are defined during the development of business requirements for new information systems or changes to existing information systems.
Controls to mitigate any risks identified are implemented where appropriate.
12. Information Security Incident Management
Information security incidents and vulnerabilities associated with information systems are communicated in a timely manner. Appropriate corrective action will be taken.
Formal incident reporting and escalation is implemented.
All employees will be made aware of the procedures for reporting the different types of security incident or vulnerability that might have an impact on the security of CAC assets.
13. Business Continuity Management
CAC will put in place arrangements to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
A business continuity management process will be implemented to minimize the impact on CAC and recover from loss of information assets. Critical business processes will be identified.
Business impact analysis will be undertaken of the consequences of disasters, security failures, loss of service, and lack of service availability.
CAC will abide by any law, statutory, regulatory or contractual obligations affecting its information systems.
The design, operation, use and management of information systems will comply with any statutory, regulatory and contractual security requirements.
15. Additional Security Policy Documents
This policy is supplemented by additional security policy documents which provide detailed policies, procedures and guidelines. These documents are sensitive in nature and are designed to provide both global and individualized protections for information systems at CAC as well as contributed research projects housed within the CAC data centre. The supplemental policy documents are tailored for each project hosted at CAC and may include some or all of the following documents:
- Roles and Responsibilities
- Physical Security
- Access Control and account procedures
- Network Security
- Information Backups
- Disaster Recovery
- Security Reporting and Incident Response
- System Operation and Maintenance
Version 1.0 Jan 4th, 2018