Cybersecurity Policy for the use of Digital Assets by Students

Final Approval Body: Senior Leadership Team
Senior Administrative Position with Responsibility for Policy: Vice-Principal, Finance and Administration
Date Initially Approved: November 4, 2025
Date of Last Revision, if applicable: N/A
 

Definitions

A complete glossary of technology and cybersecurity related terms and acronyms will be maintained in the Digital Information Security Glossary of Terms and will be made available to all community members and guests.

  • Digital Assets: Discrete or aggregated data, digital services, digital identities, digital technologies, and endpoints within the information technology environment, both on and off University premises, that are provided by the University or purchased using university funds. [Queen’s specific]
  • Endpoints: Client access devices, including, without limitation, laptops, desktops, and mobile devices. Endpoints may be personally owned, or provided by the University (i.e., purchased using University funds). [Queen’s specific]

Purpose

The Cybersecurity Policy for Students aims to empower students to make the most of the digital resources provided by the University. By fostering responsible and ethical use, this policy ensures that students can fully leverage these assets to enhance their learning, collaboration, and innovation. Additionally, it helps to mitigate the risk of cybersecurity incidents, safeguarding both the students and the University's digital environment.

This policy contributes to a safe and supportive digital environment where students can explore new ideas, participate in collaborative learning, and express diverse perspectives without fear of external interference or unfair consequences. By using digital assets responsibly and ethically, students help create the conditions necessary for effective learning; for the affirmation of Indigenous rights to self-determination and cultural continuity; and, for ensuring that diverse voices within the community are respected and heard.

Scope

The Cybersecurity Policy for Students is designed to support students in accessing and utilizing digital assets operated by, or on behalf of, the University by clearly defining their responsibilities related to ensuring a cybersecure digital environment. This policy applies to all students and persons enrolled in or undertaking a course of study under a continuing education, executive education or other program or arrangement which does not bear credit toward a certificate, diploma or degree as approved by Queen's Senate, including:

  • Undergraduate students;
  • Graduate students;
  • Non-credit students;
  • Continuing Education students; and,
  • Post-Graduate Medical Education students.
     

Acceptable Use of University Digital Assets

Students are encouraged to use digital assets operated by, or on behalf of, the University to enhance their learning, collaboration, and innovation. Usage must:

  • be responsible, ethical, and legal,
  • be consistent with the mission, values, and strategic goals of the University,
  • comply with applicable University Policies and other governance instruments,
  • be considerate of the rights of other community members and guests,
  • not cause harm to the University.
     

Responsibilities

Incident Response
Students play a crucial role in maintaining the security of our digital environment. By promptly reporting observed, known, or suspected cybersecurity incidents or breaches, students help protect the community and ensure a safe digital space for everyone. Students are encouraged to report cybersecurity incidents; refer to the Contact IT Services | IT Services (queensu.ca) or the Report a Security Incident | IT Services (queensu.ca) web pages.

Students are encouraged to report known or suspected malicious email messages (i.e., phishing emails) in accordance with the Incident Response guidelines above.

Cybersecurity Awareness and Training
Students are empowered with annual cybersecurity literacy training to enhance their knowledge and skills in protecting digital assets. Completing this training is required and ensures students are well-prepared to navigate the digital landscape securely.

  • Students who complete their annual cybersecurity literacy training within the allotted time gain uninterrupted access to digital assets operated by, or on behalf of, the University.

Students are encouraged to further their expertise by completing role-based cybersecurity training that they have been assigned.

Access Control
Students are entrusted with access to digital assets operated by, or on behalf of, the University. Students may only access and use digital assets to which they have been granted permission, including digital authentication identifier(s) (e.g., “NetID”) issued to them by the University.

Subject to appropriate university safeguards, students can enhance their digital experience by granting permission to third-party apps to access their account information. Students are responsible for and must ensure that the permissions do not unnecessarily expose information or increase risk to themselves or the University. Authorization by an institutional risk owner may be required for some permission requests, and access may be denied or revoked depending on the risk level of the app and vendor.

Identification and Authentication
Students are responsible for safeguarding their digital authentication identifier(s) issued by the University. Students are required to select a password or passphrase as their identification and authentication knowledge factor that complies with minimum password complexity requirements. By following , and selecting strong passwords or passphrases, students contribute to the security of their accounts and the University's digital environment.

Students are responsible for protecting their passwords or passphrases and must not share or disclose them to anyone. Changing passwords or passphrases when activated or when there is reasonable suspicion of compromise is required and ensures ongoing security of their account.

Students are required to enroll in multi-factor authentication, enhancing the security of their accounts.

Students are strongly encouraged to use a personal mobile device as their identification and authentication possession factor and configure one of the following as their primary multi-factor authentication methods:

  • University Supported Authenticator App Push Notification,
  • University Supported Authenticator App Software Token,
  • Other Authenticator App not supported by the University.

Students who do not use a mobile device, or whose mobile device does not support the above-listed methods, are strongly encouraged to use a hardware token as the identification and authentication possession factor.

To ensure optimal protection, students are strongly encouraged to use the most secure multi-factor authentication methods available. By choosing stronger authentication options, students help protect their personal information and contribute to a safer digital environment for the entire university community. To maintain a secure and resilient digital environment, the following methods that offer significantly lower levels of protection are strongly discouraged for use as primary or secondary multi-factor authentication methods:

  • Short Messaging Service (“SMS”, a.k.a. text message),
  • Telephone call to mobile device,
  • Telephone call to wired telephone (i.e., desk phone).

Students are responsible for protecting the device they use as their identification and authentication possession factor and are required to:

  • Keep the device in their possession,
  • Store the device in a safe place when it is not in use,
  • Ensure that the device is not usable when it is lost, stolen, or no longer under their control.

System and Information Integrity
Students contribute to the integrity and security of the University's digital environment by protecting and maintaining the personal endpoints they use to connect to wireless networks and to access other University digital assets. It is strongly encouraged that:

  • The endpoint operating system and other software are intended for use on the endpoint. Software versions are supported by the manufacturer or vendor, and recent updates and security patches are installed,
  • Protection software that detects and prevents malware and other unwanted software is installed and up to date,
  • The endpoint operating system firewall is active and configured.

Use of Generative Artificial Intelligence

Generative artificial intelligence is a transformative tool that may complement the learning experience. The use of generative artificial intelligence must be done in compliance with:

By adhering to these guidelines, students can maximize the benefits of AI while maintaining ethical standards and contributing to a positive academic environment.

Prohibited use of University Digital Assets

To ensure a safe and respectful digital environment, students are encouraged to use digital assets operated by, or on behalf of, the University responsibly. To protect the integrity and security of our online community, the following actions are not permitted:

  • Attempting to gain access to or use digital assets to which explicit permission has not been granted, including credentials not issued explicitly to the student by the University.
  • Sending unsolicited electronic messages, commercial or otherwise, that are outside of the scope of their role at the University. For more information about unsolicited commercial electronic messages and relevant legislation and regulations, please review the guidance on the Canadian Anti-Spam Legislation (CASL) at Queen’s University web page.
  • Using peer-to-peer file sharing technologies and networks (such as BitTorrent) to download or share content in violation of the .
  • Using digital assets in a manner that .
  • Using digital assets in a manner intended to deceive, including impersonating the University, any member of the university community, or any other person or entity; giving the impression of representing or being endorsed by the University or any other institution or organization if this is not the case; misrepresenting identity or affiliation in any way.
  • Using digital assets in a manner that disables, overburdens, impairs, or damages the university network or any other university digital asset; restricts, inhibits, or interferes with the use of university digital assets by any other community member or guest; deliberately propagates a virus, malware, or any other malicious code.
  • Using technologies on the university network that automate the enumeration of entities or monitor or collect network activity and data from the university network, including network, port, or security scanning; robots or spiders; network sniffing; keystroke logging.

Assurance

The University may directly access information stored on or within university provided and managed assets, including within personally assigned accounts. Access to this information will only be conducted in accordance with the Exceptional Access to Information Procedure, ensuring transparency and respect for privacy.

The University collects data by electronic means related to the activity of university assets and resources. This data, collected passively, may be used or correlated with other data sets to review activities of an identifiable individual, helping to maintain a secure and efficient digital environment.

Suspected violation of this Policy may result in the implementation of containment measures. Containment measures may include, without limitation:

  • Disabling access to university digital assets,
  • Disabling credentials,
  • Isolating or removing a client access endpoint from the network.

Violation of this Policy may be referred to an appropriate authority for investigation and may result in disciplinary action at the discretion of said authority.
 

Related Policies, Procedures, Guidelines: Responsible Use of Digital Resources Policy
Policies Superseded by this Policy: n/a
Responsible Officer: The Associate Vice-Principal (Information ֱ Services) and Chief Information Officer
Contact: Information Security Officer 
Date for Next Review: 2030