
Policy

Information Security

Policy No.: 3502
Category: Information Technology Services
Approving Body: Board of Governors
Executive Division: Learning and Technology Services
Department Responsible: Information Technology Services
Current Approved Date: 2009 Jan 27

Policy Statement

BCIT is committed to taking appropriate measures to preserve the confidentiality, integrity, and availability of information and information technology (IT). This policy applies to all BCIT information and computing, communications, and networking resources connected to Institute facilities and the users of these resources.

Purpose of This Policy

BCIT's information, network, and other IT services are shared resources that are critical to teaching, learning, research, Institute operations, and service delivery. The purpose of this policy is to:

- Protect the confidentiality, integrity, and availability of BCIT information and associated information technology
- Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations
- Define the roles of individuals and organizational entities involved in information security and establish the responsibilities of these roles
- Ensure the reliable operation of BCIT's information technology so that all members of the BCIT community have access to the information assets they require.

Directory of Records Classification 065010

1 of 28


Table of Contents

Policy Statement 1
Purpose of This Policy 1
Application of This Policy 2
Related Documents and Legislation 2
Definitions 3
Guiding Principles 7
Duties and Responsibilities 8
1. Organization of Information Security 8
2. Asset Management 11
3. Human Resources Security 13
4. Physical and Environmental Security 14
5. Communications and Operations Management 16
6. Access Control 22
7. Information Systems Acquisition, Development & Maintenance 24
8. Information Security Incident Management 25
9. Business Continuity Management 26
10. Compliance 26
11. Non-Conforming Systems 27
12. Consequences of Policy Violation 27
Procedures and Guidelines Associated With This Policy 27
Forms Associated With This Policy 27
Special Situations 27
Amendment History 28
Scheduled Review Date 28

Application of This Policy

This policy applies to everyone who uses BCIT information technology assets, including those who use their own personal equipment to connect to BCIT information assets.

Related Documents and Legislation

BCIT Policies:
- 1504, Standards of Conduct and Conflict of Interest
- 3501, Acceptable Use of Information Technology
- 5102, Standards of Non-academic Conduct
- 6601, Intellectual Property
- 6700, Freedom of Information and Protection of Privacy (FOIPOP)
- 6701, Records Management
- 7506, Copyright Compliance
- 7525, Protection of Equipment, Property and Information
- 7530, Emergency Response

Legislation applicable to this policy includes:
- BC College and Institute Act
- BC Freedom of Information and Protection of Privacy (FOIPOP) Act
- BC Personal Information Protection (PIP) Act
- The Criminal Code of Canada
- Canada Copyright Act.


Definitions

Account: establishes a relationship between a user and a set of information assets. By logging in to an account, the user is authorized to perform a specified set of actions against a corresponding set of information assets for the time the user remains authenticated to the account (for that login session).

Asset: anything that has value to the Institute.

Asset Custodian: the BCIT employee responsible for locating a physical information asset (i.e. equipment) upon request. All information assets must have an assigned custodian.

Authorization: the granting of permission in accordance with approved policies and procedures to perform a specified action on an IT asset.

Authorized User: a user who is authorized to perform the specified action on an asset. Part of the authorization process may require that the person exhibit the necessary qualifications to perform the action.

BCIT Internal Use: as defined in section 2.2 Information Classification.

Business Continuity: the Institute's ability to maintain or restore its business and academic services when some circumstance threatens or disrupts normal operations. It encompasses disaster recovery and includes activities such as assessing risk and business impact, prioritizing business processes, and restoring operations to a new normal after an event. See Policy 7530, Emergency Response for more information.

Confidential Information: as defined in section 2.2 Information Classification.

Control: a means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature. Note: Control is also used as a synonym for safeguard or countermeasure.

Data: items representing facts that consist of text, numbers or images and are stored in electronic information systems. Data are the raw materials that are processed or interpreted to create information. Institute data is all data related to, received by, or created by BCIT.

Denial of Service: actions that intentionally prevent any Information Processing Facility from functioning in accordance with its intended purpose.

Disaster Recovery: refers to the activities that restore the Institute to an acceptable condition after suffering a disaster. See Policy 7530, Emergency Response for more information.

Encryption: the process of obscuring information to make it unreadable without special knowledge (i.e., scrambling the information). That special knowledge is often a key that is used to decrypt the information so it can be read. Conceptually, the key is similar to a password that provides access to the encrypted information.

Equipment: information technology equipment.

External Party: an organization or an individual who is not an employee or student who requires access to BCIT's information assets, excluding public assets.

Firewall: a system designed to prevent unauthorized access to or from a private network or between network zones.

Inactive Account: an account that has remained unused for the period of time specified in Guideline 3502, Information Security.

Information: includes all forms of data, documents, records, communications, conversations, messages, recordings, and photographs. It includes everything from digital data and email to faxes and telephone conversations.

Information Asset: an asset that is comprised of information or of equipment or systems for the processing of information.

Information Owner: the BCIT employee who classifies the specified information.

Information Processing Facilities: any information processing system, service or infrastructure, or the physical locations housing them.

Information Security: the preservation of confidentiality, integrity, and availability of information. Confidentiality ensures that information is accessible only to those authorized. Integrity involves safeguarding the accuracy and completeness of information and processing methods. It may also include authenticity, auditability, accountability, non-repudiation, and reliability of information. Availability ensures that authorized users have access to IT assets when required.

Information Security Framework: a comprehensive approach to preserve information security including:
- Organizational structures with clearly defined roles and responsibilities
- Risk assessment and impact analysis
- Guiding principles
- Policies, guidelines, and procedures
- Controls and countermeasures
- Information security awareness including education and training
- Ongoing monitoring of information security
- Resources such as financial and human resources required to implement the security framework
- Periodic reviews and assessment of the framework including, where appropriate, reviews by independent third parties.

Information Security Incident: an identified occurrence of a system, service, or network state indicating a possible or pending breach of information security or breach of acceptable use or failure of safeguards or a previously unknown situation that may be security relevant.

Information Security Officer (ISO): oversees the Institute's Information Security program. This includes providing leadership and guidance in information security and information risk management, developing information security policies and guidelines, and overseeing the information security incident response team.

IT Administrator: the person responsible for configuring access to and monitoring access, usage, and performance of an information asset, including system administrator, network administrator, application administrator, and database administrator (DBA).

Least Privilege: the principle that requires each user to be granted the most restrictive set of privileges needed for the performance of authorized tasks.

Login Session: a period between a user logging in and logging out of an account.

Malicious Code: includes all programs (including macros and scripts) that are deliberately coded to cause an unexpected or harmful event.

Media: includes removable media and fixed storage devices.

Mobile Device: any electronic device that is portable and contains or has the ability to contain information or provides the ability to access or transmit Personal or Confidential information. Examples include laptop, tablet PC, PDA, RIM BlackBerry, and Palm Treo.

Network Equipment: any hardware or software, excluding workstations and servers unless configured to provide network services, that transmits or facilitates the transmission of information, including switches, hubs, routers, bridges, firewalls, modems, wireless access points, DHCP, WINS, and DNS servers.

Network Zone: Different networks, and often different segments of a given network, have diverse security characteristics and requirements. For security, each network must be divided into one or more logical network zones. Each network zone is a logically connected part of the network, whose security is managed in a coherent fashion. Defined zones include:
- Administrative Zone for key business users and systems
- Academic Zone for faculty and students for the purposes of teaching
- Residence Zone for students in residence
- DMZ for systems connected to the Internet or other outside network.

Password: the sequence of characters and numbers used to authenticate a user's identity, which is known only to that user.

Personal Information: as defined in section 2.2 Information Classification.

Public Assets: designated BCIT information assets that are available to members of the public without authorization required. Examples include kiosks and the public website.

Public Information: as defined in section 2.2 Information Classification.

Record: See Policy 6701, Records Management for the definition of a record.

Removable Media: information storage devices that are not fixed inside a computer. Examples include external hard drives, CD-ROMs, DVDs, USB flash drives, tape, floppy disk, and zip disk.

Server: a computer whose function is to provide services (e.g., access to files, printing, and shared applications including websites; database management; communications; and access to Personal or Confidential information) on which end users depend on an ongoing basis. Computers that are used to provide network services such as DHCP, DNS, and LDAP are considered to be network equipment and are not servers for the purpose of this policy.

Student Server: a computer set up by faculty or students as part of a course to teach server technology and principles.

System: a collection of components including hardware and software designed to store, process, or transmit information in support of a business outcome.

System Owner: the BCIT employee responsible for a given system.

Threat: a potential cause of an unwanted incident, which may result in harm to a system or organization.

User: a person who performs any action on an information asset.

Vulnerability: a weakness of an asset or group of assets that can be exploited by one or more threats.


Guiding Principles

1. By nature, a post-secondary education institute needs to share information for the purpose of delivering education. Security measures must be implemented in a manner that enables appropriate information exchange.
2. Security responsibilities and accountability must be clearly defined and acknowledged.
3. Users are personally accountable for the protection of information assets under their control and must take appropriate measures to protect the confidentiality, integrity, and availability of the assets.
4. Users should have sufficient training to allow them to properly protect information assets.
5. Security controls must be cost-effective and in proportion to the risks and the value of the assets that need to be protected.
6. Security is multidisciplinary and requires a comprehensive and integrated approach covering every aspect of BCIT's operations.
7. All parties should act in a timely, coordinated manner to prevent and respond to security incidents.
8. Security must be periodically assessed to ensure that adequate measures are in place to protect the assets of BCIT.
9. Permissions are assigned so that the least amount of privilege required to fulfill the business function is given (least privilege).
10. No single mechanism may protect an asset from unknown threats. Where warranted, multiple layers of controls should be employed to reduce the risk of failure of any single measure (defence in depth).
11. Compromise of one asset should not lead to the further compromise of other assets (compartmentalization).
12. Many information systems have not been designed with security in mind. Where adequate security cannot be achieved through technical means, alternate controls must be implemented.


Duties and Responsibilities

1. Organization of Information Security

1.1 Internal Organization

1.1.1 Management Commitment to Information Security

The Board of Governors and BCIT Executive actively support information security within the organization.

1.1.2 Allocation of Information Security Responsibilities

Board of Governors
The BCIT Board of Governors is accountable for the establishment of an Information Security Framework for the Institute.

BCIT Executive
The BCIT Executive is responsible for recommending an appropriate Information Security Framework to the Board of Governors and for providing ongoing executive oversight of the framework, including periodic, independent reviews.

Information Security Officer
The Information Security Officer is responsible for:
- Recommending an appropriate Information Security Framework to the BCIT Executive
- Providing day-to-day monitoring of the framework
- Informing the BCIT Executive of security risks and management plans
- Establishing appropriate contacts with security forums, professional associations, and other groups with specialist interests in information security.

BCIT Management
Members of BCIT Management are responsible for ensuring that employees and others under their supervision are aware of their information security responsibilities.

Instructors and Teaching Faculty
Instructors and Teaching Faculty are responsible for ensuring that students under their supervision are aware of their information security responsibilities.

Information Owners
Information Owners are responsible for classifying information in accordance with policies and guidelines. (See Guideline 3502, Information Security and Procedure 3502, Information Security for details.) All information must have an assigned information owner.

System Owners
System owners are accountable for ensuring that systems are assessed for security requirements including those flowing from legislative and contractual obligations. System owners are also accountable for ensuring that systems are designed, configured, implemented, operated, maintained, upgraded, and decommissioned consistent with the established security needs.

All systems must have an assigned system owner. System owners must ensure an IT administrator is assigned to each asset comprising the system. (See Procedure 3502, Information Security for details.)

Asset Custodians
Asset custodians, upon request, must be able to determine the location of information assets under their custodianship and must ensure that assets transferred from their custodianship are clearly assigned to the next custodian. All physical assets such as information technology equipment must have an assigned custodian. (See Procedure 3502, Information Security for details.)

IT Administrators
IT Administrators are responsible for configuring the security features of the assets under their administration in accordance with policy, guidelines, and other requirements. All assets with configurable security characteristics must have an assigned IT Administrator. (See Procedure 3502, Information Security for details.)

Information Technology Services
As the central provider of Information Technology, the ITS Department is responsible for:
- Network management and operation including the establishment of network zones and compartmentalization
- Delegation of administration of a network zone only when appropriate controls are in place in the delegated organization
- Maintaining a catalogue of core services including clearly articulated service level expectations
- Continuity of core enterprise-class IT infrastructure as part of the Institute's overall business continuity framework.

Safety and Security Department
The Safety and Security Department is responsible for:
- The physical security of BCIT facilities including access control to buildings and rooms
- Overall emergency response, disaster planning, and business continuity planning
- Contact with authorities.

Marketing and Communications Department
The Marketing and Communications Department is responsible for:
- Protection of BCIT's brand from information security threats
- Communications with the media in the event of an information security incident
- Policies and procedures for use of BCIT domain names.

Human Resources
The Human Resources Department is responsible for:
- Documenting information security requirements in job descriptions
- Screening of employees
- Coordinating the termination of employees, ensuring all departments are appropriately notified.

Records Management Office
The Records Management Office is responsible for:
- Ensuring that the Directory of Records accurately reflects the classification of records
- Exchange agreements that involve the exchange of Personal information.

Financial Services Department
The Financial Services Department is responsible for ensuring controls are in place to protect the security of financial information and, in particular, to ensure the integrity of financial information.

Risk Manager
The Risk Manager is responsible for identifying and assessing overall risk for BCIT.

Users
All users are responsible for:
- Taking appropriate measures to prevent loss, damage, abuse, or unauthorized access to information assets under their control
- Promptly reporting all acts that may constitute real or suspected breaches of security including, but not limited to, unauthorized access, theft, system or network intrusions, willful damage, and fraud
- Looking after any physical device (tools, computers, vehicles, etc.) and access articles (keys, ID cards, system IDs, passwords, etc.) assigned to them for the purposes of performing their job duties, taking courses, conducting research, or otherwise participating within the Institute
- Respecting the classification of information as established by the information owner
- Complying with all the security requirements defined in this document
- Complying with other related policies including Policy 3501, Acceptable Use of Information Technology.

1.2 External Parties

1.2.1 Identification of Risks Related to External Parties or Students

The risks to the Institute's information assets relating to external parties or students must be identified and appropriate controls implemented before granting access.

1.2.2 Addressing Security in External Party Agreements

Access to BCIT information assets, except public assets, must not be granted to external parties without a contractual agreement that binds them to BCIT policies.

2. Asset Management

2.1 Responsibility for Assets

Each piece of equipment must have an assigned asset custodian. Upon request, asset custodians must be able to locate the equipment assigned to them. If custodians are to pass the custody of the equipment to another person, they are responsible for ensuring the record of custodianship is updated. If a custodian becomes unavailable unexpectedly, this responsibility falls to the operations manager of their department or school.

2.1.1 Inventory of Assets

An inventory of assets must be maintained.

2.1.2 Acceptable Use of Assets

See Policy 3501, Acceptable Use of Information Technology.

2.2 Information Classification

2.2.1 Information Ownership

All information must have a designated information owner. For complete information about establishing information ownership, see Guideline 3502, Information Security.

2.2.2 Classifying Information

All Institute information must be classified according to its requirements for confidentiality, integrity, and availability. The information owner is responsible for classifying the information according to Guideline 3502, Information Security. Classification must be reviewed on a regular basis.

2.2.3 Confidentiality Classifications

The following confidentiality classifications determine how Institute information must be shared, handled and stored:
- Public: information that is available to the general public and is routinely disclosed
- BCIT Internal Use: information that is available to authorized users and is not routinely disclosed. By default, data is BCIT Internal Use until it is assessed and otherwise classified
- Confidential: information that contains sensitive Institute information and that is available to authorized users. A formal FOIPOP request is required for non-routine disclosure
- Personal: information that contains sensitive personal information and is available to authorized users only. A formal FOIPOP request is required for non-routine disclosure.

2.2.4 Business Continuity Classifications

In addition to the confidentiality classifications, Policy 7530, Emergency Response governs the classification of information for business continuity purposes. Each information owner must classify information for the purposes of business continuity.

2.2.5 Labelling Information

Both hardcopy and electronic information must be clearly labelled with its confidentiality classification so that authorized users are aware of the classification. For complete details on how to label information, see Guideline 3502, Information Security.

2.3 Information Handling

Authorized users must carry out all tasks related to the creation, storage, maintenance, cataloguing, use, dissemination, and disposal of Institute information responsibly, in a timely manner, and with the utmost care. Users must not knowingly falsify information or reproduce information that should not be reproduced.

2.3.1 Sharing Institute Information

Personal, Confidential, and BCIT Internal Use information may only be shared with other authorized users, on a need-to-know basis.

2.3.2 Storing Information

Information classified as Personal or Confidential must be encrypted and stored with access limited to authorized users.

Secure storage of Institute information is a joint responsibility of system owners, IT administrators, database designers, application designers, and the information owner.

2.3.3 Printing of Personal or Confidential Information

Information classified as Personal or Confidential must never be sent to a shared printer without an authorized user immediately present to retrieve it and hence safeguard its confidentiality during and after printing.

2.3.4 Collection and Use of Personal Information

The collection, use, storage, and transmission of Personal information using BCIT information technology resources must be in compliance with the B.C. Freedom of Information and Protection of Privacy Act and with Policy 6700, Freedom of Information and Protection of Privacy.

2.3.5 Deleting Information Created or Owned by Others

Information is to be protected against unauthorized or accidental changes, and may only be deleted in accordance with procedures established by the information owner and in accordance with records management procedures.

3. Human Resources Security

3.1 Prior to Employment

3.1.1 Roles and Responsibilities

Security roles and responsibilities of employees must be defined and documented in job descriptions.

3.1.2 Screening

Background verification checks on all candidates for employment, and on external parties, must be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

3.1.3 Terms and Conditions of Employment

All employees must acknowledge their agreement to abide by Policy 3501 and Policy 3502 prior to receiving access to any account. See Procedure 3502, Information Security.

3.2 During Employment

3.2.1 Information Security Awareness, Education, and Training

All employees and external parties, where applicable, must receive appropriate awareness training and regular updates in policies and procedures. New employees must receive security training as part of their initial orientation.

3.2.2 Change of Role

Change of responsibilities must be managed as a termination of the respective responsibilities and the assignment of new responsibilities as described in section 3.1 Prior to Employment.

3.3 Termination of Employment

3.3.1 Termination Responsibilities

An employee's continuing obligations to information security must be communicated in writing at termination of employment.

3.3.2 Return of Assets

All employees and external parties must return all of the Institute's assets in their possession upon termination of employment, contract, or agreement. The asset custodian is responsible to ensure the corresponding asset inventories are updated.

3.3.3 Removal of Access Rights

On leaving employment, all employee-based access must be disabled at the end of the employee's last day, or sooner, based on security requirements.

4. Physical and Environmental Security

4.1 Secure Areas

4.1.1 Physical Security Perimeter

Security perimeters with well-defined access points (barriers such as walls, card-controlled entry) must be used to protect areas that contain Personal, Confidential, or BCIT Internal Use information and information processing facilities. Protection provided must be commensurate with identified risks. Mobile devices and removable media are excluded provided the information is encrypted as per section 5.7.2 Encryption of Information on Removable Media.

4.1.2 Physical Entry Controls

Areas requiring higher levels of security must be protected with appropriate entry controls to ensure that only authorized users are allowed access.

4.2 Equipment Security

4.2.1 Equipment Siting and Protection

The sites chosen to locate equipment or store information must be suitably protected from physical intrusion, temperature fluctuations, theft, fire, flood, and other hazards.

4.2.2 Physical Security of Equipment

Asset custodians are accountable (either directly or by delegation of responsibility) to ensure the physical security of assigned equipment regardless of whether the equipment is located on or off BCIT campuses.

4.2.3 Mobile Devices

BCIT-owned mobile devices must be issued only to authorized users. They are to be used only by authorized users and only for the purpose for which they are issued. The information stored on the mobile equipment is to be suitably protected from unauthorized access at all times. See Procedure 3502, Information Security.

When using mobile devices, encryption standards must be followed. See also section 2.3 Information Handling.

4.2.4 Use of Equipment On Campus

With the exception of public assets, only authorized users are permitted to use BCIT equipment.

4.2.5 Supporting Utilities

Equipment must be protected from power failures and other disruptions caused by failures in supporting utilities.

4.2.6 Cabling Security

Cabling carrying information or supporting information services must be protected from interception or damage. Power and cooling lines must be protected from damage.

4.2.7 Equipment Maintenance

Equipment must be correctly maintained to ensure its continued availability and integrity.

4.2.8 Security of Equipment Off Campus

Only authorized users are permitted to take non-mobile BCIT technology equipment off campus. When non-mobile BCIT equipment is used off campus, the authorized user is responsible for notifying the asset custodian and ensuring the security of the equipment at all times.

4.2.9 Secure Disposal or Reuse of Equipment

Equipment owned or leased by the Institute may only be disposed of or reconditioned for reuse by persons authorized to dispose of or recondition equipment who have ensured that the relevant security risks have been mitigated and all information has been rendered unrecoverable.

5. Communications and Operations Management

5.1 Operational Procedures and Responsibilities

5.1.1 Documented Operating Procedures

Operating procedures must be documented, maintained, and made available to all users who need them.

5.1.2 Change Management

Changes to information processing facilities and systems must be controlled through appropriate change control mechanisms.

5.1.3 Segregation of Duties

Duties and areas of responsibility must be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the Institute's assets.

5.1.4 Separation of Development, Test, and Operational Facilities

Development, test, and operational facilities must be separated to reduce the risks of unauthorized access or change to the operational system.

5.2 External Party Service Delivery Management

BCIT security requirements must be incorporated into contractual relationships with external parties. Compliance with security requirements must be monitored on an ongoing basis.

5.3 System Planning and Acceptance

Acceptance criteria for new information systems, upgrades, and new versions must be established and suitable tests of the system(s) carried out during development and prior to acceptance.

5.4 Protection against Malicious Code

Risks from malicious code to the Institute's systems and information must be minimized by fostering employee awareness, encouraging employee vigilance, and deploying appropriate protective systems and devices.

IT administrators must inform relevant parties of threats and countermeasures they can take to protect the Institute's systems and information. Users must stay informed about threats and take reasonable precautions in using Institute IT resources in order to minimize opportunities for attacks.

IT administrators must prepare and maintain contingency plans for a denial of service attack and periodically test their plans to ensure adequacy.

5.4.1 Defending against Malicious Attack

System hardware, operating system and application software, networks, and communication systems must all be adequately configured and safeguarded against both physical attack and unauthorized network intrusion.

5.4.2 Downloading Files and Information from the Internet

Usersareresponsibleforallinformationandfilestheydownloadfromthe Internet(orotherexternalnetworksorfromonenetworkzonetoanother) andmustsafeguardagainstbothmaliciouscodeandinappropriate material.SeealsoGuideline3502,InformationSecurity. ReceivingElectronicMail(Email)

DutiesandResponsibilities

5.4.3

5.5

Usersmusttreatincomingemailwiththeutmostcareduetoitsinherent informationsecurityrisks.Theopeningoffilesorotherattachmentsthat arefromanunknownsourceisnotpermittedunlesstheuserfirstscansthe attachmentsforpossiblevirusesorothermaliciouscode.SeeGuideline 3501,AcceptableUseofInformationTechnology. Backup Systemownersareresponsibleforestablishingtheextent,frequency,andretention ofsystembackupswhichmustreflectthebusinessrequirementsoftheInstitute, thesecurityrequirementsoftheinformationinvolved,andthecriticalityofthe informationtothecontinuedoperationoftheInstitute.SeealsoGuideline3502, InformationSecurity. ITadministratorsareresponsibleforconfiguringinformationassetstomeetbackup requirements. 5.5.1 BackupsmustbeSecuredandTested Backupsmustbesecuredinaccordancewiththeclassificationofthe informationtheycontain.Backupsmustbeperiodicallytestedtoensurethe dataisrecoverable,andrecordsmustbekeptofthetests. BackupsmustnotbeUsedinLieuofOtherControls BCITbackupfacilitiesarenotintendedtoreplacerecordsmanagement controlsorprovideaudittrails. RecoveringandRestoringInformation

5.5.2

5.5.3

5.6

Safeguardsmustbeinplacetoprotecttheintegrityofdatafileswhen recoveringandrestoringdatafiles,especiallywhererestoredfilesmay replacemorerecentfiles. NetworkSecurityManagement Networksmustbeadequatelymanagedandcontrolledinordertobeprotected fromthreatsandtomaintainsecurityforthesystemsandapplicationsusingthe networks,includinginformationintransit. AllequipmentconnectedtothenetworkissubjecttoallBCITpolicies.Personal equipmentthatwillbeconnectedtothenetworkmayalsobesubjecttoinspection priortoconnectioninordertoverifythatsecurityrequirementsaremet. 5.6.1 NetworkControls Specialcontrolsmustbeestablishedto: Safeguardtheconfidentialityandintegrityofdatapassingover publicnetworksoroverwirelessnetworks Protectnetworkequipment,theconnectedsystems,and

DirectoryofRecordsClassification065010

17of28

InformationSecurity3502

Policy
applications Maintaintheavailabilityofthenetworkservicesandcomputers connected Applyappropriateloggingandmonitoringtoenablerecordingof securityrelevantactions. 5.6.2 UserAuthenticationforExternalConnections Remoteaccesscontrolproceduresmustprovideadequatesafeguards throughrobustidentification,authentication,andencryptiontechniques. RemoteaccesstoBCITnetworksisonlythroughthetechnologyapproved bytheInformationSecurityOfficer.SeeProcedure3502,Information Security. RemoteConfigurationandDiagnosticPortProtection Physicalandlogicalaccesstoconfigurationanddiagnosticportsmustbe controlled. SegregationinNetworksNetworkZones Eachnetworkzonemust: Haveclearguidelinesastotheintendeduseofthezoneandits securitycharacteristics Besufficientlysecureforintendeduses Becompartmentalizedsoasnottobeameansforintrusioninto,or interferencewith,BCITsystemsorothernetworks Haveredundancy,backupandrecoverymeasures,andcontingency plansinplacetoensurethatnetworkservicesareavailableona sufficientlytimelybasistosupporttheintendeduses Havedocumentationcoveringitstopology,configuration,and gatewaystoexternalnetworksandnodes,aswellastheconnected devicesandindividualsresponsible. Equipment,otherthanapprovednetworkequipment,mustnotbeattached totwonetworkzonessimultaneously.Thisistopreventuncontrolledflow oftrafficbetweenzonesandtopreservecompartmentalization. NetworkConnectionControl NetworkequipmentmustnotbeconnectedtoBCITnetworkswithout approvalfromITServices.SeeProcedure3502,InformationSecurity. SystemsandequipmentconnectedtotheBCITnetworkmustbeconfigured tominimizethepossibilityofbypassingaccesscontrols.ITadministrators areresponsibleforimplementingsuchprecautions.SeeGuideline3502, InformationSecurityforconfigurationdetails. IPAddressAssignment IPaddressesonBCITnetworksmustnotbeassignedorusedwithout permissionfromITServices.(AutomatedassignmentofanIPaddressbyan ITScontrolledDHCPserverconstitutespermission.) 
5.6.7 Domain Name Registration and Use

Employees and students are not permitted to register domain names that include BCIT, British Columbia Institute of Technology, or any variations without prior authorization of the Marketing and Communications Department.

Third-party agreement language must include protection for BCIT domain names. See section 1.2.2, Addressing Security in External Party Agreements.

All websites that are subdomains of a BCIT domain or assigned to a BCIT-owned IP range must be authorized by the Marketing and Communications Department prior to development.

5.6.8 Server Placement in Networks

Servers that are connected to the BCIT network must be placed in a location and network zone that is logically and physically secure, commensurate with the value of the service provided and the sensitivity of the information accessible through the system. All access to this equipment must be logged to facilitate auditing. See Guideline 3502, Information Security, for minimum logging standards.

Student servers may only be attached to the Academic Zone and must not be attached to the Administrative Zone.

5.6.9 Servers Accessible from External Networks

All servers that are accessible to an external network (including the Internet) must receive permission from the ISO. See Procedure 3502, Information Security.

5.6.10 Security of Network Services

Security features, service levels, and management requirements for each network zone must be identified and included in any service level agreement, whether these services are provided in-house or outsourced.

5.7 Handling of Media and Hardcopy

5.7.1 Media and Hardcopy Handling Procedures

Procedures must be drawn up and followed for handling, processing, storing, transporting, transmitting, and disposal or reuse of media and hardcopy. These procedures must be consistent with security guidelines. For details, see Guideline 3502, Information Security.

5.7.2 Encryption of Information on Removable Media

Personal or Confidential information must be encrypted when stored on removable media, in accordance with section 2.3, Information Handling, and Procedure 3502, Information Security.

5.7.3 Disposal or Reuse of Media

All media must be disposed of or prepared for reuse in such a manner that it is impossible to recover the information. For details, see Procedure 3502, Information Security.

5.7.4 Shredding of Unwanted Hardcopy

All hardcopies containing Personal or Confidential information are to be securely shredded when no longer required. See Procedure 3502, Information Security. Where the information constitutes a record, see also Procedure 6701-PR1, Records Management.

5.7.5 Using External Disposal Firms

Any external party used for disposal of BCIT's media and hardcopy must have a contractual agreement according to section 1.2.2, Addressing Security in External Party Agreements.

5.7.6 Security of System Documentation

System documentation must be protected against unauthorized access.

5.8 Exchange of Information

5.8.1 Information Exchange Policies and Procedures

Formal information exchange policies, procedures, and controls must be in place to protect the exchange of information through the use of all types of communication.

5.8.2 Transmitting Information across Networks

All Personal or Confidential information must be encrypted in transit, including by email, electronic data interchange, or other forms of interconnection of business systems. Controls must be put in place to verify the integrity of transmitted Personal or Confidential information and the identities of sender and receiver. See Guideline 3502, Information Security.

5.8.3 Using Fax Machines or Modems

Personal or Confidential information may only be faxed or sent via public telephone lines where more secure methods of transmission are not feasible. Both the sender and the intended recipient must authorize the transmission beforehand; the sender must inform the recipient that the receiving machine should be attended, and receipt must be confirmed.

5.8.4 Persons Giving Information over the Telephone

The identity and authorization of callers must be verified before Personal or Confidential information is provided over the telephone. See Procedure 3502, Information Security.

5.8.5 Exchange Agreements

Agreements must be established for the exchange of Personal or Confidential information between the Institute and external parties, other than for regulatory or legislative requirements.

5.8.6 Removable Media in Transit

Removable media containing information must be protected against unauthorized access, misuse or corruption during transportation.

The transportation of removable media containing Personal or Confidential information must be logged. The removable media must be addressed to the intended recipient, and receipt must be confirmed and logged.

5.9 Electronic Commerce Services

Controls are necessary to cover the additional security requirements associated with using or providing electronic commerce services.

Information involved in electronic commerce must be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification. Electronic commerce systems must meet Payment Card Industry (PCI) standards where appropriate.

5.9.1 Approval of Electronic Commerce Systems

Each electronic commerce system requires approval from the Chief Financial Officer (CFO) prior to implementation.

5.9.2 Personal Payment Information

All systems storing or processing personal payment information, including credit card numbers and bank account numbers, require approval from the CFO prior to implementation.

5.10 Monitoring

5.10.1 Logging

Logs recording security-relevant user activities, exceptions, and information security events must be produced and kept for the period specified in the guidelines, for access control monitoring and to assist in future investigations. See Guideline 3502, Information Security.

5.10.2 Monitoring System Use

Logs, including system and application logs, must be monitored and anomalies investigated. Logs must be reviewed regularly for security events by IT administrators, and discrepancies reported to the Information Security Officer. See Procedure 3502, Information Security, for details.

5.10.3 Protection of Log Information

Logging facilities and log information must be protected against tampering and unauthorized access.

5.10.4 Administrator and Operator Logs

IT administrator and other privileged account activities must be logged.

5.10.5 Clock Synchronization

System clocks must be synchronized regularly to a common source to simplify the review and correlation of audit logs. The common source is as specified by IT Services. See Procedure 3502, Information Security.
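Sections 5.10.1 to 5.10.5 say what must be logged and reviewed, but not what a review looks like. The following added example (written for this page; it is not BCIT's own procedure) runs such a review over a handful of constructed authentication-log lines: it flags a burst of failed logins from one source (5.10.2), lists privileged-account activity for the administrator review (5.10.4), and converts mixed time zone offsets to UTC before ordering events, which is the correlation step that the common clock source in 5.10.5 is meant to make trustworthy. The log format, host and account names, the set of privileged accounts and the thresholds are all assumptions; the real retention period and thresholds would come from Guideline 3502.

```python
"""Review of constructed authentication-log lines for the events named in
section 5.10: repeated failures from one source (5.10.2), privileged
account activity (5.10.4) and a common time base for correlation (5.10.5).

Added example for this page, not BCIT tooling. The log format, the
privileged-account names and the thresholds are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed line format:
# <ISO 8601 timestamp with offset> <host> <event> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample lines (not from any real system). srv-b stamps its
# log in Pacific time; the other hosts stamp in UTC.
SAMPLE_LOG = """\
2009-01-27T08:00:01+00:00 srv-a auth_fail user=jdoe src=203.0.113.9
2009-01-27T08:00:03+00:00 srv-a auth_fail user=jdoe src=203.0.113.9
2009-01-27T08:00:04+00:00 srv-a auth_fail user=admin src=203.0.113.9
2009-01-27T08:00:06+00:00 srv-a auth_fail user=root src=203.0.113.9
2009-01-27T08:00:07+00:00 srv-a auth_fail user=guest src=203.0.113.9
2009-01-27T08:01:10+00:00 srv-a auth_ok user=alice src=198.51.100.7
2009-01-27T08:01:12+00:00 srv-a sudo user=alice src=198.51.100.7
2009-01-27T00:02:00-08:00 srv-b auth_ok user=bob src=198.51.100.8
2009-01-27T08:09:30+00:00 srv-c auth_ok user=root src=198.51.100.9
"""

PRIVILEGED_USERS = {"root", "admin"}   # assumption
PRIVILEGED_EVENTS = {"sudo"}           # assumption


@dataclass(frozen=True)
class Event:
    ts: datetime        # always UTC after parsing
    host: str
    event: str
    user: str
    src: str


def parse_log(text: str) -> List[Event]:
    """Parse well-formed lines, convert every timestamp to UTC and return
    them in time order. Malformed lines are dropped rather than guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        events.append(Event(ts, m["host"], m["event"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def privileged_activity(events: List[Event]) -> List[Event]:
    """5.10.4: every action by or against a privileged account is kept for
    review, whether it succeeded or not."""
    return [e for e in events
            if e.user in PRIVILEGED_USERS or e.event in PRIVILEGED_EVENTS]


def failure_bursts(events: List[Event], threshold: int = 5,
                   window: timedelta = timedelta(minutes=1)) -> Dict[str, List[str]]:
    """5.10.2 anomaly: at least `threshold` failed logins from one source
    inside a sliding `window`. Returns source -> sorted user names tried,
    so a spray across many accounts is visible at a glance."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.event == "auth_fail":
            by_src[e.src].append(e)
    flagged: Dict[str, List[str]] = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted({f.user for f in fails[start:end + 1]})
                break
    return flagged


def review(text: str = SAMPLE_LOG) -> dict:
    """The summary an IT administrator would escalate to the ISO."""
    events = parse_log(text)
    return {
        "events": len(events),
        "failure_bursts": failure_bursts(events),
        "privileged": [(e.host, e.event, e.user) for e in privileged_activity(events)],
        "span_utc": (events[0].ts.isoformat(), events[-1].ts.isoformat()) if events else None,
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

On the constructed lines, the five failures from 203.0.113.9 against four different accounts inside six seconds are flagged as one burst, the two failed attempts against `root` and `admin`, the `sudo` by alice and the successful `root` login on srv-c are listed for review, and the srv-b event stamped 00:02 Pacific sorts between the 08:01 and 08:09 UTC events, where it belongs. Without a shared time base that ordering cannot be trusted, which is the practical reason 5.10.5 exists.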

6. Access Control

Accounts may be provisioned to provide access to assets including: networks, operating systems, applications, and database management systems. This section governs access to all of these asset categories.

6.1 Access Control Policy

System owners must establish, document, and regularly review an access control policy for systems in their control, based on business and security requirements for access.

6.2 User Access Management

Formal user registration and deregistration procedures must be used to grant and revoke access to all information systems and services, including network services, operating systems, applications, and database management systems.

The allocation and use of privileges must be restricted and controlled, and the allocation of passwords and other security credentials must be controlled through a formal management process.

6.2.1 Review of Accounts and Access Rights

System owners must review users' access rights at regular intervals using a formal process.

6.2.2 Inactive Accounts

Inactive accounts must be disabled after the period of inactivity specified in Guideline 3502, Information Security.

6.2.3 Session Timeout

Inactive sessions must be terminated after the period of inactivity defined in Guideline 3502, Information Security.

6.2.4 Additional Access Protections

Systems may require additional access protections based on time of day, location, and additional authentication requirements. See Guideline 3502, Information Security.

6.3 User Responsibilities

All users must authenticate using their own account for a given system. Approved login procedures must be followed.

6.3.1 Delegation of Duties

Where delegation of duties is required to meet a business need, users must employ features within the system wherever possible (e.g., Lotus Notes delegation). Where the system does not provide the ability to delegate, the procedure for delegating an account through controlled sharing detailed in Procedure 3502, Information Security, must be followed.

6.3.2 Short-Term Accounts

In departments that employ temporary employees on a frequent basis, the use of short-term accounts must follow Procedure 3502, Information Security.

6.3.3 Inadvertent Access to Resources and Information

Users must not exploit insecure accounts or resources, or take advantage of less knowledgeable users. Users must not read Personal or Confidential information simply because it is accessible to them through accidental exposure or through the malice of others who have broken into a system or are misusing their access privileges. If users discover such an exposure they must report the exposure as a security incident.

6.3.4 Password Use

The selection of passwords and their use, protection, and management must follow the corresponding procedures in Procedure 3502, Information Security.

Passwords must not be shared with any other person at any time. The only exception is when authorized users must delegate an account according to Procedure 3502, Information Security.

BCIT passwords must not be used for any non-BCIT accounts or services (such as personal ISP accounts, free online email accounts, instant messaging accounts, or other online services). This practice ensures compartmentalization and reduces the likelihood that passwords obtained from other systems may be used to compromise BCIT systems.

6.3.5 Controlling Access to Unattended User Equipment

When leaving a computer or mobile device unattended, users are responsible for:
- Preventing unauthorized access to information and records by either logging off or using device locking software
- Using password-protected screen savers to lock workstations and protect the contents of the screen when unattended
- Preventing theft of the computer or device by using a locking device.

All unattended equipment in public areas must be physically secured and configured in a manner such that the security of its systems cannot be easily thwarted.

6.3.6 Controlling Access to Information in Unattended Areas

Desks must be cleared of Personal or Confidential information when desks are unattended. Areas that may contain Personal or Confidential information must not be left unattended without securing the information.

7. Information Systems Acquisition, Development & Maintenance

7.1 Security Requirements of Information Systems

Statements of business requirements for new information systems, or enhancements to existing information systems, must specify the requirements for security controls. Security requirements and controls must reflect the business value of information assets affected by the system and the potential business damage that might result from a failure or absence of security.

System requirements for information security and processes for implementing security should be integrated in the early stages of information system projects. For requirements that must be considered, see Guideline 3502, Information Security.

7.2 Correct Processing in Applications

System owners must ensure that the systems they are responsible for handle information with due care. This includes validation of information entered into the system, validation checks to detect corruption of information through processing errors or deliberate acts, appropriate controls to ensure authenticity and message integrity, and validation of information output from an application to ensure that the processing of stored information is correct.

7.3 Security in Development, Deployment and Support Processes

Only authorized users may access operational software libraries or the source code of systems. Segregation of duties, technical access controls, and robust procedures must be employed whenever amendments to software are necessary.

7.3.1 Technical Review of Applications after Execution Environment Changes

When the execution environment of the application is changed (e.g., operating system, hardware, middleware), business-critical applications must be reviewed and tested to ensure there is no adverse impact on Institute operations or security.

7.3.2 Outsourced Software Development

Outsourced software development must be in accordance with section 1.2.2, Addressing Security in External Party Agreements.

7.3.3 Control of Operational Software

Only authorized users may deploy software on operational systems.

7.3.4 Using Live Information for Testing

The use of live information for testing new vendor-supplied or custom systems, or system changes, may only be permitted where the same controls for the security of the information as used on the production system are in place.

7.4 Technical Vulnerability Management

The ISO and each IT administrator are responsible for monitoring information about the technical vulnerabilities of the information systems, promptly evaluating the Institute's exposure to such vulnerabilities, and taking timely, appropriate measures to address the associated risks. See Guideline 3502, Information Security.

8. Information Security Incident Management

8.1 Reporting Information Security Events and Weaknesses

8.1.1 Reporting Information Security Events

All suspected information security incidents must be reported promptly to the Information Security Officer. See Procedure 3502, Information Security, for instructions on how to report an information security incident.

8.1.2 Reporting Security Weaknesses

All information security weaknesses must be reported promptly to the Information Security Officer.

8.2 Management of Information Security Incidents and Improvements

8.2.1 Conduct of Investigations

Information security investigations are coordinated by the Information Security Officer. The ISO is authorized to investigate information security incidents, including: seizing Institute-owned equipment, monitoring, and taking images and backups.

8.2.2 Responsibilities and Procedures

BCIT employees and students must provide timely assistance when requested.

External parties' responsibilities for information security incident management must be established according to section 1.2.2, Addressing Security in External Party Agreements.

8.2.3 Investigation Limitations

Investigation of an individual's activities or files by the ISO will only be done in response to an incident or with reasonable suspicion that the individual is engaging in activities that are non-compliant with BCIT policies.

8.2.4 Ensuring the Integrity of Information Security Incident Investigations

To ensure the integrity of evidence, the ISO must be contacted before any investigational activities are undertaken.

8.2.5 Learning from Information Security Incidents

Post-incident review of major incidents must be conducted. Periodically, incidents must be reviewed collectively to identify trends for improvement of security efforts.

9. Business Continuity Management

See Policy 7530, Emergency Response, for BCIT's business continuity management approach.

9.1 Information Security Aspects of Business Continuity Management

9.1.1 Including Information Security in the Business Continuity Management Process

The planning and implementation of business continuity must not compromise information security.

9.1.2 Disaster Recovery Plan

System owners must ensure that disaster recovery plans for their systems are developed, tested, and implemented. Recovery time must be negotiated jointly by the system owners and IT Services or other service provider.

Where business requirements exceed the ability to recover IT assets, mitigating controls must be put in place. See Policy 7530, BCIT Emergency Response, for more details.

10. Compliance

10.1 Compliance with Legal Requirements

10.1.1 Intellectual Property Rights (IPR)

See Policy 6601, Intellectual Property.

10.1.2 Using Licensed Software

All software must be appropriately licensed, and users must comply with the terms and conditions of all End User License Agreements.

10.1.3 Protection of Organizational Records

See Policy 6701, Records Management.

10.1.4 Data Protection and Privacy of Personal Information

See section 2.2, Information Classification, in this policy.

10.2 Information Systems Audit Considerations

The planning and implementation of information systems audits must not compromise information security.

Access to system auditing tools must be protected to prevent any misuse or compromise.

11. Non-Conforming Systems

This policy represents a target environment. Not all systems or technologies are capable of conforming in all details. The Information Security Officer must maintain a list of non-conforming systems and technologies. This is a risk-based activity focusing on non-conforming systems with the highest risk profile.

System owners of systems that are unable to conform to this policy and its guidelines must:
- Report non-conformance to the ISO immediately
- Undertake a risk assessment
- Develop a risk management plan and submit it to the ISO.

This exception list will include all systems and technologies that do not conform to this policy, and include a reference to the risk assessment and risk management plan for each system or technology on the list. For the complete procedure, see Procedure 3502, Information Security.

12. Consequences of Policy Violation

BCIT reserves the right to terminate or restrict the access privileges of a user whose activities negatively affect or pose a threat to a facility, another account holder, normal operations, or the reputation of the Institute.

Following due process, the Institute may take one or more of the following actions against any user whose activities are in violation of this policy or the law:
- A verbal or written warning
- Restrictions on or removal of access to any or all Institute computing facilities and services
- Legal action that could result in criminal or civil proceedings
- In the case of students, disciplinary action under Policy 5102, Standards of Non-academic Conduct
- In the case of employees, disciplinary action up to and including termination.

Equipment that violates BCIT policy or negatively affects or poses a threat to a facility, normal operations, or the reputation of the Institute may be immediately disconnected, quarantined, or otherwise contained. Institute-owned equipment may also be seized.

Procedures and Guidelines Associated With This Policy

Procedure 3502, Information Security (to be written)
Guideline 3502, Information Security (to be written)

Forms Associated With This Policy

See Procedure 3502, Information Security (to be written)

Special Situations

None.

Amendment History

1. Created 2009 Jan 27

Scheduled Review Date

2014 Jan 01