Information Technology Initiatives
Introduction
The University of Regina has a legal obligation and an ethical responsibility to protect the information and processes related to our administrative and academic portfolios. This policy describes the governance structure, committees and processes that are established and required to ensure that software, hardware, and technology-related initiatives are adequately protected, and that the risks involved are understood and accepted by the required stakeholders within the University.
The University Information Technology Steering Committee’s (UITSC) mandate is to ensure the technology resources of the university are aligned with and focused on the strategic objectives of the University. The UITSC fulfills its mandate using policies and procedures that are open and transparent to the University’s faculty, staff and management.
To effectively administer its governance responsibilities, the UITSC has established four sub-committees:
- The General Administrative Systems Planning Committee (GASP) is responsible for overseeing the Operational Initiatives for in-production, university-wide technologies used to carry out the administrative responsibilities of the University. GASP is also responsible for making recommendations and proposals to UITSC on new Strategic Initiatives that would enhance the value of the University’s administrative information technology infrastructure.
- The University Web Governance Committee (UWGC) is responsible for overseeing the institutional website policies, standards, guidelines and procedures. The UWGC also oversees website development projects and their implementation.
- The Technology Risk Management Committee (TRMC) is responsible for oversight of the technology risk assessment process, including impacts to technology, privacy, financial and records management processes at the University.
- The Governance Committee on Academic Technology (GCAT) is responsible for identifying the academic technology needs of faculty and students at the institutional level and for facilitating the systematic integration of these needs into institutional decision-making.
This Policy outlines the information technology committee governance structure, which is intended to efficiently identify, document, approve, prioritize and monitor the Strategic and Operational Initiatives of the University, and to do so without impacting faculty and administrative departmental Tactical Initiatives.
Policy
To provide for the University the due diligence required to ensure that software, hardware, and technology-related initiatives are adequately protected, and that the risks involved are understood and accepted by the required stakeholders at the University of Regina, a Technology Risk Assessment (TRA) must be completed for any Tactical, Operational, or Strategic initiative that includes utilization of technology for creation, use, storage, or sharing of University records when:
- A new system, application, or service is introduced.
- An existing system is planned to be utilized for a new use case or purpose, is using a new third-party vendor, is substantially updated in terms of technology, or is using a risk category of data not previously utilized by the system.
- An existing system uses data classified as High Risk and a security or privacy assessment has not already been completed.
Employees should not commence utilization of an in-scope production system, application, or service without Technology Risk Assessment approval.
Strategic and Operational Initiatives of the University will be documented, planned, approved, prioritized, and monitored for timely completion and attainment of the initiative’s stated objectives.
Information Services will identify, and report on, all known Strategic Initiatives to UITSC.
Roles and Responsibilities
University Information Technology Steering Committee (UITSC):
- shall approve and implement the procedures that allow for the prioritization and monitoring of all information technology Strategic Initiatives of the University.
- shall, for those projects managed by Information Services, determine the appropriate level of formal project management required.
- shall review recommendations of TRMC and provide authorization for initiatives to proceed.
Governance Committee on Academic Technology (GCAT):
- shall oversee the scope, duties and responsibilities outlined in the current GCAT Terms of Reference.
- shall provide Strategic Initiatives to the UITSC for consideration.
General Administrative Systems Planning Committee (GASP):
- shall oversee the scope, duties and responsibilities outlined in the current GASP Terms of Reference.
- shall provide Strategic Initiatives to the UITSC for consideration.
University Web Governance Committee (UWGC):
- shall oversee the scope, duties and responsibilities outlined in the current UWGC Terms of Reference.
- shall provide Strategic Initiatives to the UITSC for consideration.
Associate Vice President Information Services:
- shall ensure that only UITSC prioritized Strategic and Operational Initiatives receive Information Technology Resources for implementation of the initiative.
Information Services:
- shall implement, communicate and adhere to the procedures that allow the UITSC and its sub-committees to meet their University mandate with respect to the prioritization and monitoring of Strategic and Operational Initiatives.
- shall, where possible, assist faculties and departments in addressing their Tactical Initiative needs.
- shall publish and maintain the Terms of Reference for all UITSC Sub-Committees: General Administrative Systems Planning Committee (GASP); University Web Governance Committee (UWGC); Technology Risk Management Committee (TRMC); Governance Committee on Academic Technology (GCAT).
- shall publish and maintain a risk-based Information Classification Framework.
- shall publish and maintain Data Handling Standards that cover the treatment of electronic information throughout its entire lifecycle, in accordance with the classifications denoted above.
- shall ensure the Technology Risk Assessment process is documented and available.
Vice Presidents, Associate Vice Presidents, Deans and Directors:
- shall ensure that initiatives they are approving that appear to meet the definition of a Strategic or Operational Initiative are first reviewed with Information Services prior to proceeding. Should the project be assessed as either a Strategic or Operational Initiative, they shall then work with Information Services to ensure the initiative is documented and prioritized for completion by the appropriate governance committee.
- shall review and undertake Tactical Initiatives as appropriate to their needs.
Technology Risk Management Committee (TRMC):
- shall oversee the scope, duties and responsibilities outlined in the current TRMC Terms of Reference.
- shall assess initiatives against the published Information Classification Framework and/or Data Handling Standards.
- shall provide recommendations in a TRA report on risk mitigation or other policy, regulatory, or legal obligations.
- shall provide recommendations to UITSC regarding authorization of initiatives to proceed.
- shall record and store risk assessments.
- Review final TRA report; including recommendations and responses
- Provide leadership and oversight relating to the Classification of Information by Risk Framework
- Evaluate the residual risks and outstanding obligations, and document acceptance
- Ensure compliance with this policy for in-scope initiatives
- Submit a completed TRA intake form for in-scope initiatives
- Participate in the assessment process and provide responses to the TRA recommendations
- Understand the classification and risk to information in their custody
- Provide leadership and support to Data Stewards in their University unit to ensure that their unit’s records are safeguarded in accordance with this Policy
- Seek assistance where necessary from the Information Security Office within Information Services
Consequences for Noncompliance
IT Strategic Initiatives commenced on campus without following the Procedures established in Appendix A (241 KB) for approval could result in IS resources not being available to support the initiative and a financial risk to the University.
The loss, compromise, or exposure of University records has financial, legal and/or reputational consequences for the institution.
Any University employee who does not manage information or systems in accordance with this policy may be subject to disciplinary action.
Processes
Technology Risk Assessment
- Data Trustees, Data Stewards, or designates who propose an in-scope initiative shall complete and submit an intake request form for a Technology Risk Assessment (TRA) to the Technology Risk Management Committee (TRMC). The TRMC will complete a risk assessment and provide recommendations for risk mitigation. Data Trustees and Data Stewards will be provided an opportunity to respond to the TRMC recommendations (accept, accept with revisions, or reject), following which the TRMC will provide a recommendation for authorization to proceed or a recommendation to the University IT Steering Committee (UITSC) to withhold authorization.
- The TRMC is required to be engaged to perform a Technology Risk Assessment for initiatives at the University of Regina that have a technological and/or data element involved, whether those initiatives are Strategic, Operational, or Tactical. Research initiatives are not in the scope of this policy or of the Technology Risk Assessment process; research initiatives should be assessed for risk by the Research Ethics Board.
Requests for Exemptions
- Requests for exemption from some or all of the security control provisions provided for in this policy may be made to the Manager, Information Security, Information Services, and shall be authorized or denied by the Associate Vice-President (Information Services).
Related Information
- Appendix A - Procedures Established for Documenting, Assessing, and Prioritizing IT Related Project Requests (241 KB)
- Appendix B - Classification of Information by Risk (438 KB)
- GOV-060-005 Freedom of Information and Protection of Privacy
- OPS-080-015 Supported Hardware, Software and Related Products
- OPS-080-005 Use of Computer and Network Systems
- GOV-070-005 Records and Information Management
- GOV-070-007 Digital Preservation
- Information Classification Framework
- Data Handling Standards
- UITSC Terms of Reference
- GCAT Terms of Reference
- GASP Terms of Reference
- UWGC Terms of Reference
- TRMC Terms of Reference