policies:information_resources_use_and_security_policy

Differences

This shows you the differences between two versions of the page.

policies:information_resources_use_and_security_policy [2016/07/14 20:44] peterpolicies:information_resources_use_and_security_policy [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 29: Line 29:
   * all Institutions and organizational units within the System;   * all Institutions and organizational units within the System;
  
-  * all Information Resources owned, leased, operated, or under the custodial care of any System Institution, organization, or facility;+  * all Information Resources owned, leased, operated, or under the custodial care of any System Institution, organization, or business;
  
-  * all Information Resources owned, leased, operated, or under the custodial care of third-parties operated on behalf of a System Institution, organization, or facility; and+  * all Information Resources owned, leased, operated, or under the custodial care of third-parties operated on behalf of a System Institution, organization, or business; and
  
-  * all individuals accessing, using, holding, or managing University Information Resources on behalf of The System. +  * all individuals accessing, using, holding, or managing Information Resources on behalf of The System. 
  
  
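Review bot: replacing "facility" with "business" in the second and third bullets removes facilities from the stated scope rather than adding businesses to it. If physical sites are still meant to be covered, write "organization, facility, or business" in both bullets.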
Line 73: Line 73:
 **Controlled Data** - one of three data classifications defined within the System Data Classification Standard. The “Controlled” classification applies to information/data that is not generally created for or made available for public consumption, but that is subject to release to the public through request via legal Information Acts or similar laws.  **Controlled Data** - one of three data classifications defined within the System Data Classification Standard. The “Controlled” classification applies to information/data that is not generally created for or made available for public consumption, but that is subject to release to the public through request via legal Information Acts or similar laws. 
  
-**Data** - elemental units, regardless of form or media, that are combined to create information used to support research, teaching, patient care, and other University business processes. Data may include but are not limited to: written, electronic video, and audio records, photographs, negatives, etc.+**Data** - elemental units, regardless of form or media, that are combined to create information used to support research, teaching, patient care, and other System business processes. Data may include but are not limited to: written, electronic video, and audio records, photographs, negatives, etc.
  
 **Data Centre** - a facility used to house computer systems and associated components, such as telecommunications and storage systems. **Data Centre** - a facility used to house computer systems and associated components, such as telecommunications and storage systems.
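Review bot: in the Data definition, "written, electronic video, and audio records" reads as a list in which "electronic video" is one item. If electronic records in general are meant, it needs a comma: "written, electronic, video, and audio records". The revision already touches this line, so the fix fits here.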
Line 116: Line 116:
 **Information Resources Custodian (Custodian)** - an individual, department, Institution, or third-party service provider responsible for supporting and implementing Information Resources Owner defined controls to Information Resources.  Custodians include Information Security Administrators, institutional information technology/systems departments, vendors, and any third-party acting as an agent of or otherwise on behalf of an Institution. **Information Resources Custodian (Custodian)** - an individual, department, Institution, or third-party service provider responsible for supporting and implementing Information Resources Owner defined controls to Information Resources.  Custodians include Information Security Administrators, institutional information technology/systems departments, vendors, and any third-party acting as an agent of or otherwise on behalf of an Institution.
  
-**Information Resources Manager (IR**M) - the executive responsible for Information Resources across the whole of the institution.+**Information Resources Manager (IRM)** - the executive responsible for Information Resources across the whole of the institution.
  
 **Information Resources Owner (Owner)** - the manager or agent responsible for the business function that is supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program that uses the resources.  The Owner is responsible for establishing the controls that provide the security and authorizing access to the Information Resource.  The Owner of a collection of information is the person responsible for the business results of that system or the business use of the information.  Where appropriate, ownership may be shared.  Note: In the context of this Information Security Policy and Standards, Owner is a role that has security responsibilities assigned to it by System policy.   It does not imply legal ownership of an Information Resource.   All Information Resources are legally owned by the System. **Information Resources Owner (Owner)** - the manager or agent responsible for the business function that is supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program that uses the resources.  The Owner is responsible for establishing the controls that provide the security and authorizing access to the Information Resource.  The Owner of a collection of information is the person responsible for the business results of that system or the business use of the information.  Where appropriate, ownership may be shared.  Note: In the context of this Information Security Policy and Standards, Owner is a role that has security responsibilities assigned to it by System policy.   It does not imply legal ownership of an Information Resource.   All Information Resources are legally owned by the System.
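Review bot: the IRM definition ends with lowercase "institution", while the Custodian definition in the context line above uses "Institution" as a defined term. Capitalise it so the scope of the IRM role is tied to the defined term.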
Line 122: Line 122:
 **Information Security Administrator** - a departmental employee, designated by management, who assists with information security tasks as described in **Information Resources Security Responsibilities and Accountability**. **Information Security Administrator** - a departmental employee, designated by management, who assists with information security tasks as described in **Information Resources Security Responsibilities and Accountability**.
  
-**Information Security Program** - the Policies, Standards, Procedures, Guidelines, elements, structure, strategies, objectives, plans, metrics, reports, resources, and services adopted for the purpose of securing University Information Resources.+**Information Security Program** - the Policies, Standards, Procedures, Guidelines, elements, structure, strategies, objectives, plans, metrics, reports, resources, and services adopted for the purpose of securing System Information Resources.
  
-**Information Syst**em - an interconnected set of Information Resources under the same direct management control that shares common functionality.  An Information System normally includes hardware, software, Network Infrastructure, information, data, applications, communications, and people.+**Information System** - an interconnected set of Information Resources under the same direct management control that shares common functionality.  An Information System normally includes hardware, software, Network Infrastructure, information, data, applications, communications, and people.
  
 **Information Technology (IT)** - the hardware, software, services, supplies, personnel, facilities, maintenance, and training used for the processing of Data and telecommunications. **Information Technology (IT)** - the hardware, software, services, supplies, personnel, facilities, maintenance, and training used for the processing of Data and telecommunications.
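Review bot: the Information Security Program definition turns "University Information Resources" into "System Information Resources", but the same phrase in the Line 29 hunk was reduced to plain "Information Resources". Use one form in both places so readers do not infer two different sets of resources.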
Line 188: Line 188:
 **Remote Access** - access to Information Resources that originates from a Remote Location. **Remote Access** - access to Information Resources that originates from a Remote Location.
  
-**Remote Location** - a location outside the physical boundary of the Institution (inclusive of University leased/rented properties and locations within the compliance environment).  +**Remote Location** - a location outside the physical boundary of the Institution (inclusive of leased/rented properties and locations within the compliance environment).  
  
 **Residual Risk** - the risk (Low, Moderate, or High) that remains after security controls have been applied. **Residual Risk** - the risk (Low, Moderate, or High) that remains after security controls have been applied.
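Review bot: dropping "University" from "leased/rented properties" in the Remote Location definition leaves it unstated whose leased or rented properties are meant; "Institution leased/rented properties" would keep the qualifier. The parenthetical is also ambiguous about whether those properties count as inside the boundary or as part of the Remote Location, which decides what is treated as Remote Access.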
Line 196: Line 196:
 **Researcher** - Lead Researchers, faculty, staff, graduate students, postdoctoral fellows, residents, and visiting/affiliated scientists who are engaged in or responsible for Research activities. **Researcher** - Lead Researchers, faculty, staff, graduate students, postdoctoral fellows, residents, and visiting/affiliated scientists who are engaged in or responsible for Research activities.
  
-**Risk** – a function of the likelihood that a threat will exploit a vulnerability and the resulting impact to University missions, functions, image, reputation, assets, or constituencies if such an exploit were to occur.+**Risk** – a function of the likelihood that a threat will exploit a vulnerability and the resulting impact to System missions, functions, image, reputation, assets, or constituencies if such an exploit were to occur.
  
 **Scheduled Change** - a change to an Information Resource made under normal working conditions following formally defined change control processes as defined in Change Management. **Scheduled Change** - a change to an Information Resource made under normal working conditions following formally defined change control processes as defined in Change Management.
Line 224: Line 224:
 **System Administration** - the central administrative offices that provide oversight and coordination of the activities of the System and its Institutions. **System Administration** - the central administrative offices that provide oversight and coordination of the activities of the System and its Institutions.
  
-System Data (Data) - All Data or Information held on behalf of the System and its Institutions created as a result of and/or in support of the System business, or residing on System Information Resources, including paper records.+**System Data (Data)** - All Data or Information held on behalf of the System and its Institutions created as a result of and/or in support of the System business, or residing on System Information Resources, including paper records.
  
 **System Shared Data Centre** - any data centre governed by the Shared Data Centre group on behalf of the System. **System Shared Data Centre** - any data centre governed by the Shared Data Centre group on behalf of the System.
  
-**Systemwide Information Security Program** – the System policies, standards, procedures, elements, structure, strategies, objectives, plans, metrics, reports, resources, and services that establish requirements and provide for oversight and supplemental support for Institutional Information Security Programs.+**System-wide Information Security Program** – the System policies, standards, procedures, elements, structure, strategies, objectives, plans, metrics, reports, resources, and services that establish requirements and provide for oversight and supplemental support for Institutional Information Security Programs.
  
 **User** - an individual, automated application, or process that is authorized by the Owner to access the resource, in accordance with loca and country law, policy, and the Owner's procedures and rules.  Has the responsibility to (1) use the resource only for the purpose specified by the Owner, (2) comply with controls established by the Owner, and (3) prevent the unauthorized disclosure of Confidential Data.  The user is any person who has been authorized by the Owner of the information to read, enter, or update that information.  The User is the single most effective control for providing adequate security. **User** - an individual, automated application, or process that is authorized by the Owner to access the resource, in accordance with loca and country law, policy, and the Owner's procedures and rules.  Has the responsibility to (1) use the resource only for the purpose specified by the Owner, (2) comply with controls established by the Owner, and (3) prevent the unauthorized disclosure of Confidential Data.  The user is any person who has been authorized by the Owner of the information to read, enter, or update that information.  The User is the single most effective control for providing adequate security.
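Review bot: "System Data (Data)" gives this term the short form "Data", which is already a separately defined term in the Line 73 hunk, so a bare "Data" elsewhere in the policy is ambiguous between the two definitions. Drop the parenthetical or merge the two definitions. The User definition in the trailing context also has "loca" for "local".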
policies/information_resources_use_and_security_policy.1468529059.txt.gz · Last modified: 2020/07/15 09:30 (external edit)