Information Security Policy

In all its forms and throughout, information gathered by Astute will be protected through information management policies and actions that meet applicable federal, provincial/state, regulatory, or contractual requirements and that support Astute’s mission, vision, and values.

The purpose of this policy is to identify and disseminate Astute’s framework and principles that guide actions and operations in generating, protecting, and sharing client data.

This policy governs the management of devices, resources, and user access to Astute-owned equipment and data. The data policy defines and classifies four sensitivity levels: public, internal, restricted, and critical data. All sensitivity levels other than “public” may be described collectively as “non-public” data. Each staff member, associate, contractor, or affiliate of Astute with access to data is subject to and has responsibilities under this policy.

  • Astute is committed to ensuring that the security and confidentiality of any client information/data are always maintained and that this information/data is only accessed appropriately.
  • Users are individually responsible for any breaches that occur as a direct result of non-compliance.
  • Access to non-public information/data may only be granted to authorized users on a need-to-know basis. The Data Steward of any non-public information/data, as defined below, must approve and verify Authorized User access.
  • Users who access data for which they are not authorized and commit breaches of confidentiality may be subject to disciplinary action up to and including discharge, termination of contract/relationship, and liability to civil and criminal penalties.
  • Authorized Users shall be provided training on the expectations, knowledge, and skills related to information security.
  • Authorized Users must maintain the confidentiality of all non-public information/data, even if technical security mechanisms fail or are absent. A lack of security measures to protect information privacy does not imply that such information is public.
  • Authorized Users are responsible for enforcing security controls whenever they place information/data onto non-university-managed devices or services. Data Trustees of information/data assets are responsible for appointing Data Custodians.
  • All users’ access to Astute-owned or managed digital and/or physical assets will comply with applicable standards, controls, and regulations.