Cybersecurity Incident Detect and Respond Policy

Final Approval Body: Senior Leadership Team
Senior Administrative Position with Responsibility for Policy: Vice-Principal, Finance and Administration
Date Initially Approved: February 2024

Definitions

A complete glossary of technology and cybersecurity related terms and acronyms will be maintained in the Digital Information Security Glossary of Terms and will be made available to all Community Members and Guests.

Purpose

The purpose of the Queen鈥檚 University Cybersecurity Incident Detect and Respond Policy (the 鈥淚ncident Response Policy鈥) is to establish accountability for cybersecurity incident detection and response activities that support objectives defined by the Queen鈥檚 Cybersecurity Framework (鈥淨CSF鈥).

Scope

The Incident Response Policy is applicable to Risk Owners, Risk Assessors, and Digital Service Managers in all administrative departments, faculties, and research units as they assess and treat risks related to the lifecycle of institutional functions that are provided, or intended to be provided, using digital assets operated by, or on behalf of, the University. Digital assets include:

  • Digitized services, functions, workflows, processes, and procedures, operated by, or on behalf of the University (鈥渄igital services鈥),
  • Data and information in the custody and/or control of the University (鈥渄ata鈥),
  • Digital identities, the associated credentials and accounts, and the contents thereof that have been created and issued by the University for the purpose of using digital services (鈥渄igital identities鈥),
  • Digital technologies, including infrastructure, hardware, software, and licenses, operated by, or on behalf of the University (鈥渄igital technologies鈥),
  • Client access devices, including laptops, desktops, and mobile devices, that are provided by or purchased using University funds (鈥渆ndpoints鈥).

Roles

Board of Trustees

The Board of Trustees provides oversight of the Cybersecurity Program and the performance of cybersecurity objectives defined by the QCSF through the Finance, Assets, and Strategic Infrastructure Committee.

Senior Leadership Team

The Senior Leadership Team (鈥淪LT鈥) includes the Principal and Vice-Principals and are the approval authority for Information Security and Cybersecurity related policies.

Associate Vice-Principal (Information Technology Services) and Chief Information Officer

The Associate Vice-Principal (Information Technology Services) and Chief Information Officer (鈥淐IO鈥) is accountable to the Board of Trustees and SLT for the management of the Cybersecurity Program, and activities relating to achieving the Strategic Cybersecurity Goals and Objectives.

Risk Owners

Risk Owners are Senior Leaders, Associate Vice-Principals, Vice-Provosts, Deans, Principal Investigators, Faculty members, or other leaders within faculties and departments that are accountable to the University for information security risk within their area of responsibility.

  • Service Risk Owners are accountable for information security risk related to digital services that operate within, or on behalf of their area of responsibility.
  • Technology Risk Owners are accountable for information security risk related to the digital technologies upon which digital services operate within, or on behalf of their area of responsibility.
  • Data Risk Owners are accountable for information security risk related to data for which stewardship falls within their area of responsibility.
  • Identity Risk Owner are accountable for information security risk related to the use of digital identities and their associated credentials to access digital assets.

Risk Assessor

Risk Assessors are leaders within departments, teams, and research units with decision making authority over operations within their area of responsibility and are accountable to Risk Owners for assessing and treating information security risk related to services operating within, on behalf of their area of responsibility. This may include, without limitation:

  • Operation of services within, or on behalf of their area of responsibility,
  • Data that are created, processed, stored, or otherwise handled by the services operating within, on behalf of their area of responsibility,
  • Community members, guests, and other stakeholders that rely on the institutional services operating within, on behalf of their area of responsibility.

Digital Service Managers

Digital Service Managers are leaders within information technology delivery departments and teams that are accountable to Risk Owners for assessing and treating information security risk related to digital assets operating within, on behalf of their area of responsibility. This may include, without limitation:

  • Acquisition, development, implementation, configuration, maintenance, and operation of digital assets operating within, or on behalf of their area of responsibility,
  • Data that are created, processed, stored, or otherwise handled by the digital assets operating within, or on behalf of their area of responsibility,
  • The use of digital identities and associated credentials to access digital assets operating within, or on behalf of their area of responsibility.

Digital Custodians

Digital Custodians are authorized community members with responsibility for operating and protecting digital assets within, on behalf of their area of responsibility. This may include, without limitation:

  • Protecting data in their custody and/or control,
  • Administering, configuring, or managing access to digital services,
  • Developing, implementing, maintaining, and operating digital technologies upon which services operate
  • The safeguards that protect the confidentiality, integrity, and availability of digital assets.

External partners or third-party service providers may be digital custodians where elements of digital technologies are managed externally.

Cybersecurity Incident Detect and Respond

The University shall investigate incidents that actually or potentially increase information security risk of digital assets operated by, or on behalf of, the University, or that constitute a threat of violation of the Policies, Standards, and other governance instruments.

The University shall establish cybersecurity incident detection and response process and procedures.

  • The CIO is authorized to develop cybersecurity incident detection and response process and procedures on behalf of the University and is accountable to the SLT for the sustainment thereof.

The University shall practice cybersecurity incident detection and response process and procedures at regular intervals using simulations, tabletop exercises (鈥淭TX鈥), and other exercises to ensure that CIRP participants and stakeholders are prepared and understand their role in incidents.

  • The CIO is accountable to the SLT for the coordination of cybersecurity incident detection and response process and procedures practice, simulations, and TTX,
  • Risk Owners, Risk Assessors, Digital Service Managers, and Digital Custodians shall participate in cybersecurity incident detection and response process and procedures practice, simulations, and TTX related to the digital assets operating within, or on behalf of their area of responsibility.

Incident detection and response process and procedures shall be subject to review by Internal Audit at regular intervals, to ensure the efficacy of the process.

External Engagement

The University shall establish and maintain communications with higher education peer institutions and partners, and other selected groups and associations within the security and privacy communities for the following purposes, without limitation:

  • To share information about cybersecurity threats, vulnerabilities, and incidents affecting the University,
  • To maintain currency with recommended security and privacy practices, techniques, and technologies,
  • To facilitate ongoing security and privacy education and training.  

Information sharing protocols and/or agreements shall be established with higher education peer institutions and partners, and other selected groups and associations, to enable sharing of information about cybersecurity threats, vulnerabilities, and incidents impacting the University, and to enable the use of information shared by said communities to mitigate information security risk.  

  • The CIO is authorized to establish information sharing protocols and agreements and is accountable to the SLT for them.

Incident Detection

The University shall monitor digital assets operated by, or on its behalf, safeguards implemented in the protection thereof, and devices connected to the university network or accessing said digital assets for the purpose of detecting cybersecurity incidents.

The University shall monitor digital assets operated by, or on its behalf, throughout their lifecycle, and the safeguards implemented in the protection thereof, and for the purpose of detecting threats and vulnerabilities.  

Digital assets that are operated by, or on behalf of the University, shall be monitored to detect threats, vulnerabilities, and incidents (鈥渃ybersecurity incidents鈥). Cybersecurity incidents shall be reported in a timely manner in accordance with incident detection and response process and procedure(s).

  • Digital Service Managers are accountable to Digital Risk Owners for ensuring that digital assets operating within, or on behalf of their area of responsibility are monitored for cybersecurity incidents,
  • Digital Service Managers are accountable to Digital Risk Owners for ensuring that cybersecurity incidents detected on digital assets operating within, or on behalf of the University within their area of responsibility are reported in a timely manner and in accordance with incident detection and response process and procedure(s).

Incident Response

The University shall investigate cybersecurity incidents on digital assets operated by, or on its behalf.

  • The CIO is authorized to investigate cybersecurity incidents and is accountable to the SLT for same.

The University shall respond to incidents by implementing containment measures to mitigate impact to the confidentiality, integrity, or availability of the digital asset(s) on which the incident(s) has or have been detected, and/or to prevent or mitigate impact to other digital assets and devices on the university network, or otherwise provided by the University.  

Containment measures may include, without limitation:

  • Restrict, limit, or revoke network access for personally owned devices,
  • Disable credentials, or otherwise restrict, limit, or revoke access to university digital asset(s),
  • Prevent communications and information exchange to and from university digital asset(s),
  • Disable or remove power from a university digital asset(s).

Containment measures shall remain in effect until the digital asset has been recovered.

Framework References

Framework: Queen's CSF
Section: 2.1, 2.3, 3.1, 3.2, 3.3, 3.4, 3.5, 4.2, 4.3, 5.1, 5.2, 5.6

 

Related Policies, Procedures, Guidelines: Digital Information Security Policy, Responsible Use of Digital Resources Policy, Cybersecurity Incident Response Plan, Records Management Policy, Access to Information and Protection of Privacy Policy
Policies Superseded by this Policy: Electronic Information Security Policy, Electronic Information Security Policy Framework

Responsible Officer (senior administrator ultimately responsible): The Associate Vice-Principal (Information Technology Services) and Chief Information Officer
Contact: Information Security Officer iso@queensu.ca
Date for Next Review: 2029