Information Security Policy Redevelopment
The University of Alberta is updating its Information Technology Security Policy, bringing it in alignment with Technology with Purpose and the broader university strategic plan, Shape, to foster a resilient, secure and adaptive environment that enables world class teaching, learning, research and administrative functions. Our goal is to ensure a cybersecurity framework that meets the demands of a rapidly changing digital landscape, while empowering the university community to achieve its strategic objectives. This policy will establish foundational principles for safeguarding the university’s information assets, from data and systems to research and academic resources.
The rapid evolution of IT security threats – ranging from sophisticated cyber-attacks to data privacy challenges – necessitates a comprehensive update of the university’s Information Technology Security Policy to safeguard sensitive information and ensure operational continuity. This policy update will also align the University of Alberta with best practices in cybersecurity, providing a robust foundation that reflects the evolving landscape of and upholds our commitment to research integrity and institutional security.
Draft Policy Principles
The Information Technology Security Policy will be guided by key principles, which will be finalized in the first round of consultations:
| Information Asset Protection | Information and IT infrastructure are valuable and vital assets to the university and therefore must be safeguarded accordingly. |
|---|---|
| Risk-Based Security | The university uses a risk-based approach and follows best practices in information security, to select appropriate security controls to minimize risk to an acceptable level, and to design security and privacy into our IT services and IT infrastructure. |
| Keep It Secure: Check Before You Trust | With mobility and remote teaching, learning, researching and working from anywhere, anytime, on any device, the concept of the “trusted university network” is antiquated and the university must adapt its information security accordingly. |
| Shared Responsibility | Safeguarding the university’s information and IT assets is a shared responsibility by all members of the university community. |
| Leveraging Core Investments | The university leverages investments in core IT services and infrastructure, gaining both security and financial benefits to support its mission effectively. |
Policy Development Process
The redevelopment of the policy will take place over the next several months with a number of community engagement activities. Some of the key dates will include:
1
December 2024–January 2025
Community Consultation
Initial discussions with groups across the university community will gather input on the draft policy statements, principles and responsibilities. Community feedback will play a central role in shaping the policy to ensure it reflects the unique needs of our diverse university.
2
January–March 2025
Governance Review
The policy draft will undergo a phased review by university governance bodies.
3
March 2025
Policy Draft and “What We Heard” Report
Following consultation and governance review, a draft Information Technology Security Policy will be released, along with a “What We Heard” report summarizing key insights and feedback from the community.
4
March 2025–April 2025
Policy Revisions
Based on feedback from the university community and governance bodies, further revisions will be made to refine the policy statement, principles and the initial draft, addressing any concerns and aligning with university standards.
5
May–June 2025
Continuing Community Consultation
An additional community consultation will be held to gather feedback on the updated policy draft. This consultation will offer an opportunity for the university community to comment on the draft in its near-final form. Opportunities for ongoing feedback will also be available online and via a dedicated email.
6
June–July 2025
Governance Review
The revised policy draft will be re-introduced to governance bodies for additional review and feedback.
7
August 2025
Policy Revisions
A final round of revisions will incorporate feedback from the second governance review and community consultation, ensuring the policy is well-aligned with institutional goals and community needs.
8
Fall 2025
Approval
The finalized Information Technology Security Policy will be submitted for formal approval by university governance.
Questions + Feedback
Any thoughts or feedback you may have regarding the Information Technology Security Policy revision can be shared at either of the roundtables or by sending an email to itpolicy@ualberta.ca.
Frequently Asked Questions (FAQs)
Why is this change happening?
As information security threats grow more complex, a comprehensive update of the university’s Information Technology Security Policy is essential to protect sensitive information and ensure smooth operations. This revision reflects the need to stay ahead of potential risks and align with evolving security standards.
Additionally, many funding agencies, such as the Canadian Institutes of Health Research (CIHR) and the Natural Sciences and Engineering Research Council of Canada (NSERC), require stringent information security practices to support research. This policy update helps the University of Alberta meet these requirements, safeguarding research integrity and enabling continued support for our academic mission.
How does this align with Shape and Technology with Purpose?
The policy supports Shape's strategic goals and Technology with Purpose by aligning IT investments with academic, research and operational priorities, fostering an environment where innovation can thrive safely.
What resources and support will be available to help ensure compliance with the Information Technology Security Policy?
To help the university community comply with the Information Technology Security Policy, we plan to offer guidance and resources tailored to various roles and responsibilities. As the policy is implemented, information on best practices for data security, safe use of university-approved technology platforms and secure access protocols will be made available.
We are also exploring options for training and practical tools to support everyone in understanding and meeting their responsibilities under the policy. These resources will be designed to provide clarity and assistance as the university strengthens its commitment to protecting information and IT assets.
How can I help and play a part in the policy redevelopment?
Your input and feedback will be greatly appreciated through some of the consultation sessions or directly to our policy redevelopment working group.