Final Approval Body: Senior Leadership Team
Senior Administrative Position with Responsibility for Policy: Vice-Principal, Finance and Administration
Date Initially Approved: November 2025
Date of Last Revision, if applicable: N/A
Definitions
A complete glossary of technology- and cybersecurity-related terms and acronyms will be maintained in the Digital Information Security Glossary of Terms and will be made available to all community members and guests.
Purpose
The Cybersecurity Policy for Staff aims to empower staff members to make the most of the digital resources provided by the University. By fostering responsible and ethical use, this policy ensures that staff members can fully leverage these assets to enhance their productivity, collaboration, and innovation. Additionally, it helps to mitigate the risk of cybersecurity incidents, safeguarding both the staff member and the University's digital environment.
This policy contributes to a safe and supportive digital environment where staff can effectively manage resources, collaborate across teams, and support the community in expressing diverse perspectives without fear of external interference or unfair scrutiny. By using digital assets responsibly and ethically, staff members help maintain the conditions necessary for efficient and effective operations; for the affirmation of Indigenous rights to self-determination and cultural continuity; and, for ensuring that diverse voices across the community are respected and heard.
Scope
The Cybersecurity Policy for Staff is designed to support university employees in accessing and utilizing digital assets operated by, or on behalf of, the University by clearly defining their responsibilities related to ensuring a cybersecure digital environment. This policy applies to all employees except:
- employees for whom collective bargaining rights are represented by Queen’s University Faculty Association (“QUFA”); and,
- Clinical Faculty in the School of Medicine.
For clarity, "employee" under this Policy means only those employees of the University who are considered employees under the Employment Standards Act.
Acceptable use of University Digital Assets
Staff members are encouraged to use digital assets operated by, or on behalf of, the University to enhance their productivity, collaboration, and innovation. Usage must:
- be responsible, ethical, and legal,
- be consistent with the mission, values, and strategic goals of the University,
- comply with applicable University Policies and other governance instruments,
- be considerate of the rights of other community members and guests,
- not cause harm to the University.
Responsibilities
Incident Response
Staff members play a crucial role in maintaining the security of our digital environment. By promptly reporting observed, known, or suspected cybersecurity incidents or breaches, staff members help protect the community and ensure a safe digital space for everyone. Staff members are encouraged to report cybersecurity incidents; refer to the Contact IT Services | IT Services (queensu.ca) or the Report a Security Incident | IT Services (queensu.ca) web pages.
Staff members are encouraged to report known or suspected malicious email messages (i.e., phishing emails) in accordance with the Incident Response guidelines above.
Cybersecurity Awareness and Training
Staff members are empowered with annual cybersecurity literacy training to enhance their knowledge and skills in protecting digital assets. Completing this training is required and ensures staff members are well-prepared to navigate the digital landscape securely.
- Staff members who complete their annual cybersecurity literacy training within the allotted time gain uninterrupted access to digital assets operated by, or on behalf of, the University.
Staff members are strongly encouraged to further their expertise by completing role-based cybersecurity training that they have been assigned.
Access Control
Staff members are entrusted with access to digital assets operated by, or on behalf of, the University. Staff members may only access and use digital assets to which they have been granted permission, including digital authentication identifier(s) (e.g., "NetID") issued to them by the University.
Subject to appropriate university safeguards, staff members can enhance their digital experience by granting permission to third-party apps to access their account information. Staff members are responsible for and must ensure that the permissions do not unnecessarily expose information or increase risk to the University. Authorization by an institutional risk owner may be required for some permission requests, and access may be denied or revoked depending on the risk level of the app and vendor.
Data and Information Protection
Staff members are entrusted as custodians of data and information under their care and control. This responsibility includes:
- understanding the impact of data risk,
- recognizing the classification of data,
- adhering to data handling standards and guidelines,
- following , and
- applying the guidance within the Records Management and Privacy Office guidelines on Using and Managing Email.
Accounts provided by the University are valuable tools intended to support the institutional administration objectives of staff members. To ensure compliance with data governance standards, and to maintain the integrity and security of data, staff members must only use university-provided accounts to handle institutional information in their care and control.
- Staff members must not configure university-provided accounts to automatically forward email to personal or external accounts, nor use personal or external accounts to create, respond to, or store institutional information.
Identification and Authentication
Staff members are responsible for safeguarding their digital authentication identifier(s) issued by the University. Staff members are required to select a password or passphrase as their identification and authentication knowledge factor that complies with minimum password complexity requirements. By following , and selecting strong passwords or passphrases, staff members contribute to the security of their accounts and the University's digital environment.
Staff members are responsible for protecting their passwords or passphrases and must not share or disclose them to anyone. Changing passwords or passphrases when the account is first activated, or when there is reasonable suspicion of compromise, is required and ensures ongoing security of their account.
Staff members are required to enroll in multi-factor authentication, enhancing the security of their accounts.
Staff members who have been provided with a university-funded mobile device must use it as their identification and authentication possession factor and configure one of the following as their primary multi-factor authentication methods:
- University Supported Authenticator App Push Notification,
- University Supported Authenticator App Software Token.
Staff members who have not been provided with a university-funded mobile device are strongly encouraged to use their personal mobile device as their identification and authentication possession factor and configure one of the following as their primary multi-factor authentication methods:
- University Supported Authenticator App Push Notification,
- University Supported Authenticator App Software Token,
- Other Authenticator App not supported by the University.
Staff members who do not use a mobile device, or whose mobile device does not support the above-listed methods, must use a hardware token as their identification and authentication possession factor.
To ensure optimal protection, staff members are strongly encouraged to use the most secure multi-factor authentication methods available. By choosing stronger authentication options, staff members help protect their personal information and contribute to a safer digital environment for the entire university community. To maintain a secure and resilient digital environment, the following methods that offer significantly lower levels of protection are strongly discouraged for use as primary or secondary multi-factor authentication methods:
- Short Messaging Service (“SMS”, a.k.a. text message),
- Telephone call to mobile device,
- Telephone call to wired telephone (i.e., desk phone).
Staff members are responsible for protecting the device that they use as their identification and authentication possession factor and are required to:
- Keep the device in their possession,
- Store the device in a safe place when it is not in use,
- Ensure that the device is not usable when it is lost, stolen, or no longer under their control.
System and Information Integrity
Staff members contribute to the integrity and security of the University's digital environment by protecting and maintaining the personal endpoints they use to connect to wireless networks and to access other University digital assets. It is strongly encouraged that:
- The endpoint operating system and other software are intended for use on that endpoint, are versions supported by the manufacturer or vendor, and have recent updates and security patches installed,
- Protection software that detects and prevents malware and other unwanted software is installed and up to date,
- The endpoint operating system firewall is active and configured.
Endpoint devices provided and/or funded by the University enable staff members to access digital assets. To protect these devices and assets, staff members are required to ensure that the endpoint is enrolled in the centrally managed Endpoint Protection service.
Personal endpoints are also valuable tools for accessing digital assets operated by, or on behalf of, the University. Staff members who use personal endpoints to access protected assets are required to ensure that these endpoints are enrolled in the centrally managed Endpoint Assessment service.
- To maintain the security and integrity of the University's digital assets, personal endpoints that are not enrolled in the centrally managed Endpoint Assessment service will be prevented from being used to access protected digital assets operated by, or on behalf of, the University.
Use of Generative Artificial Intelligence
Generative artificial intelligence is a transformative tool that may complement the working experience. The use of generative artificial intelligence must be done in compliance with:
- The acceptable use and prohibited use requirements of this policy,
- Responsibilities and requirements outlined in the Queen’s Strategic Artificial Intelligence Framework,
- Other relevant university policies.
By adhering to these guidelines, staff members can maximize the benefits of AI while maintaining ethical standards and contributing to a positive work environment.
Prohibited use of University Digital Assets
To ensure a safe and respectful digital environment, staff members are encouraged to use digital assets operated by, or on behalf of, the University responsibly. To protect the integrity and security of our online community, the following actions are not permitted:
- Attempting to gain access to or use digital assets to which explicit permission has not been granted, including credentials not issued explicitly to the staff member by the University.
- Sending unsolicited electronic messages, commercial or otherwise, that are outside of the scope of their role at the University. For more information about unsolicited commercial electronic messages and relevant legislation and regulations, please review the guidance on the Canadian Anti-Spam Legislation (CASL) at Queen’s University web page.
- Using peer-to-peer file sharing technologies and networks (such as BitTorrent) to download or share content in violation of the .
- Using digital assets in a manner that .
- Using digital assets in a manner intended to deceive, including impersonating the University, any member of the university community, or any other person or entity; giving the impression of representing or being endorsed by the University or any other institution or organization if this is not the case; misrepresenting identity or affiliation in any way.
- Using digital assets in a manner that disables, overburdens, impairs, or damages the university network or any other university digital asset; restricts, inhibits, or interferes with the use of university digital assets by any other community member or guest; deliberately propagates a virus, malware, or any other malicious code.
- Using technologies on the university network that automate the enumeration of entities or monitor or collect network activity and data from the university network, including network, port, or security scanning; robots or spiders; network sniffing; or keystroke logging.
Assurance
The University may directly access information stored on or within university provided and managed assets, including within personally assigned accounts and on university provided or funded endpoints. Access to this information will only be conducted in accordance with the Electronic Monitoring Transparency Policy and by following the Exceptional Access to Information Procedure.
The University collects data by electronic means related to the activity of university assets and resources. This data, collected passively, may be used or correlated with other data sets to review activities of an identifiable individual, as outlined in the Electronic Monitoring Transparency Policy, helping to maintain a secure and efficient digital environment.
Suspected violation of this Policy may result in the implementation of containment measures. Containment measures may include, without limitation:
- Disabling access to university digital assets,
- Disabling credentials,
- Isolating or removing a client access endpoint from the network.
Violation of this Policy may be referred to an appropriate authority for investigation and may result in disciplinary action at the discretion of said authority.
Related Policies, Procedures, Guidelines: Responsible Use of Digital Resources Policy
Policies Superseded by this Policy: n/a
Responsible Officer: The Associate Vice-Principal (Information Technology Services) and Chief Information Officer
Contact: Information Security Officer
Date for Next Review: 2030