BCIT :: Information Security Policy 3502 · Policy Information Security Policy No.: 3502 Category:...
Transcript of BCIT :: Information Security Policy 3502 · Policy Information Security Policy No.: 3502 Category:...
PolicyPolicy
Information Security
PolicyNo.: 3502Category: InformationTechnologyServicesApprovingBody: BoardofGovernorsExecutiveDivision: LearningandTechnology
ServicesDepartmentResponsible: InformationTechnologyServicesCurrentApprovedDate: 2016Oct04
DirectoryofRecordsClassification0650−10 1of24
PolicyStatement
BCITiscommittedtotakingappropriatemeasurestopreservetheconfidentiality,integrity,andavailabilityofinformationandinformationtechnology(IT).ThispolicyappliestoallBCITinformationandcomputing,communications,andnetworkingresourcesconnectedtoInstitutefacilitiesandtheusersoftheseresources.
PurposeofPolicy
BCIT’sinformation,network,andotherITservicesaresharedresourcesthatarecriticaltoteaching,learning,research,Instituteoperations,andservicedelivery.Thepurposeofthispolicyisto:• Protecttheconfidentiality,integrity,andavailabilityofBCITinformationandassociated
informationtechnology• Providemanagementdirectionandsupportforinformationsecurityinaccordancewith
businessrequirementsandrelevantlawsandregulations• Definetherolesofindividualsandorganizationalentitiesinvolvedininformationsecurity
andestablishtheresponsibilitiesoftheseroles• EnsurethereliableoperationofBCIT’sinformationtechnologysothatallmembersofthe
BCITcommunityhaveaccesstotheinformationassetstheyrequire.
TableofContents
PolicyStatement 1PurposeofPolicy 1ApplicationofthisPolicy 1RelatedDocumentsandLegislation 2Definitions 2GuidingPrinciples 5DutiesandResponsibilities 6ProceduresAssociatedWithThisPolicy 24FormsAssociatedWithThisPolicy 24SpecialSituations Error!Bookmarknotdefined.AmendmentHistory 24ScheduledReviewDate 24
ApplicationofthisPolicy
ThispolicyappliestoeveryonewhousesBCITinformationtechnologyassets,includingthosewhousetheirownpersonalequipmenttoconnecttoBCITinformationassets.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 2of24
PolicyPolicyRelatedDocumentsandLegislation
BCITPolicies:1504,StandardsofConductandConflictofInterest3501,AcceptableUseofInformationTechnology5102,StandardsofNon-academicConduct6601,IntellectualProperty6700,FreedomofInformationandProtectionofPrivacy(FOIPOP)6701,RecordsManagement7506,CopyrightCompliance7525,ProtectionofEquipment,PropertyandInformation7530,EmergencyResponseLegislationapplicabletothispolicyincludes:• BCCollegeandInstituteAct• BCFreedomOfInformationandProtectionofPrivacy(FOIPOP)Act• BCPersonalInformationProtection(PIP)Act• TheCriminalCodeofCanada• CanadaCopyrightAct.
Definitions
Account:establishesarelationshipbetweenauserandasetofinformationassets.Byloggingintoanaccount,theuserisauthorizedtoperformaspecifiedsetofactionsagainstacorrespondingsetofinformationassetsforthetimetheuserremainsauthenticatedtotheaccount(forthatloginsession).Asset:anythingthathasvaluetotheInstitute.AssetCustodian:theBCITemployeeresponsibleforlocatingaphysicalinformationasset(i.e.equipment)uponrequest.Allinformationassetsmusthaveanassignedcustodian.Authorization:thegrantingofpermissioninaccordancewithapprovedpoliciesandprocedurestoperformaspecifiedactiononanITasset.AuthorizedUser:auserwhoisauthorizedtoperformthespecifiedactiononanasset.Partoftheauthorizationprocessmayrequirethatthepersonexhibitthenecessaryqualificationstoperformtheaction.BCITInternalUse:asdefinedinsection2.2InformationClassification.BusinessContinuity:theInstitute’sabilitytomaintainorrestoreitsbusinessandacademicserviceswhensomecircumstancethreatensordisruptsnormaloperations.Itencompassesdisasterrecoveryandincludesactivitiessuchasassessingriskandbusinessimpact,prioritizingbusinessprocesses,andrestoringoperationstoa“newnormal”afteranevent.SeePolicy7530,EmergencyResponseformoreinformation.ConfidentialInformation:asdefinedinsection2.2InformationClassification.Control:ameansofmanagingrisk,includingpolicies,procedures,guidelines,practices,ororganizationalstructures,whichcanbeofadministrative,technical,management,orlegalnature.Note:Controlisalsousedasasynonymforsafeguardorcountermeasure.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 3of24
PolicyPolicyData:itemsrepresentingfactsthatconsistoftext,numbersorimagesandstoredinelectronicinformationsystems.Dataaretherawmaterialsthatareprocessedorinterpretedtocreateinformation.Institutedataisalldatarelatedto,receivedby,orcreatedbyBCIT.DenialofService:actionsthatintentionallypreventanyInformationProcessingFacilityfromfunctioninginaccordancewithitsintendedpurposeDisasterRecovery:referstotheactivitiesthatrestoretheInstitutetoanacceptableconditionaftersufferingadisaster.SeePolicy7530,EmergencyResponseformoreinformation.Encryption:theprocessofobscuringinformationtomakeitunreadablewithoutspecialknowledge(i.e.,“scrambling”theinformation).Thatspecialknowledgeisoftena“key”thatisusedtodecrypttheinformationsoitcanberead.Conceptually,thekeyissimilartoapasswordthatprovidesaccesstotheencryptedinformation.Equipment:informationtechnologyequipment.ExternalParty:anorganizationoranindividualwhoisnotanemployeeorstudentwhorequiresaccesstoBCIT’sinformationassets,excludingpublicassets.Firewall:asystemdesignedtopreventunauthorizedaccesstoorfromaprivatenetworkorbetweennetworkzones.InactiveAccount:anaccountthathasremainedunusedfortheperiodoftimespecifiedinGuideline3502,InformationSecurity.Information:includesallformsofdata,documents,records,communications,conversations,messages,recordings,andphotographs.Itincludeseverythingfromdigitaldataandemailtofaxesandtelephoneconversations.InformationAsset:anassetthatiscomprisedofinformationorofequipmentorsystemsfortheprocessingofinformation.InformationOwner:theBCITemployeewhoclassifiesthespecifiedinformation.InformationProcessingFacilities:anyinformationprocessingsystem,serviceorinfrastructure,orthephysicallocationshousingthem.InformationSecurity:thepreservationofconfidentiality,integrity,andavailabilityofinformation.Confidentialityensuresthatinformationisaccessibleonlytothoseauthorized.Integrityinvolvessafeguardingtheaccuracyandcompletenessofinformationandprocessingmethods.Itmayalsoincludeauthenticity,auditability,accountability,non-repudiation,andreliabilityofinformation.AvailabilityensuresthatauthorizedusershaveaccesstoITassetswhenrequired.InformationSecurityFramework:acomprehensiveapproachtopreserveinformationsecurityincluding:
� Organizationalstructureswithclearlydefinedrolesandresponsibilities� Riskassessmentandimpactanalysis� Guidingprinciples� Policies,guidelines,andprocedures� Controlsandcountermeasures� Informationsecurityawarenessincludingeducationandtraining� Ongoingmonitoringofinformationsecurity
InformationSecurity3502
DirectoryofRecordsClassification0650−10 4of24
PolicyPolicy� Resourcessuchasfinancialandhumanresourcesrequiredtoimplementthesecurity
framework� Periodicreviewsandassessmentoftheframeworkincluding,whereappropriate,
reviewsbyindependentthirdparties.InformationSecurityIncident:anidentifiedoccurrenceofasystem,service,ornetworkstateindicatingapossibleorpendingbreachofinformationsecurityorbreachofacceptableuseorfailureofsafeguardsorapreviouslyunknownsituationthatmaybesecurityrelevant.TechnicalInfrastructureServices(TIS)Manager:overseestheInstitute'sInformationSecurityprogram.Thisincludesprovidingleadershipandguidanceininformationsecurityandinformationriskmanagement,developinginformationsecuritypoliciesandguidelines,andoverseeingtheinformationsecurityincidentresponseteam.ITAdministrator:thepersonresponsibleforconfiguringaccesstoandmonitoringaccess,usage,andperformanceofaninformationasset,includingsystemadministrator,networkadministrator,applicationadministrator,anddatabaseadministrator(DBA).LeastPrivilege:theprinciplethatrequireseachusertobegrantedthemostrestrictivesetofprivilegesneededfortheperformanceofauthorizedtasks.LoginSession:aperiodbetweenauserlogginginandloggingoutofanaccount.MaliciousCode:includesallprograms(includingmacrosandscripts)thataredeliberatelycodedtocauseanunexpectedorharmfulevent.Media:includesremovablemediaandfixedstoragedevices.MobileDevice:anyelectronicdevicethatisportableandcontainsorhastheabilitytocontaininformationorprovidestheabilitytoaccessortransmitPersonalorConfidentialinformation.Examplesincludelaptop,tabletPC,PDA,RIMBlackBerry,andPalmTreo.NetworkEquipment:anyhardwareorsoftware,excludingworkstationsandserversunlessconfiguredtoprovidenetworkservices,thattransmitsorfacilitatesthetransmissionofinformation,includingswitches,hubs,routers,bridges,firewalls,modems,wirelessaccesspoints,DHCP,WINS,andDNSservers.NetworkZone:Differentnetworks,andoftendifferentsegmentsofagivennetwork,havediversesecuritycharacteristicsandrequirements.Forsecurity,eachnetworkmustbedividedintooneormorelogicalnetworkzones.Eachnetworkzoneisalogicallyconnectedpartofthenetwork,whosesecurityismanagedinacoherentfashion.Definedzonesinclude:• AdministrativeZone–forkeybusinessusersandsystems• AcademicZone–forfacultyandstudentsforthepurposesofteaching• ResidenceZone–forstudentsinresidence• DMZ–forsystemsconnectedtotheInternetorotheroutsidenetwork.Password:thesequenceofcharactersandnumbersusedtoauthenticateauser’sidentity,whichisknownonlytothatuser.PersonalInformation:asdefinedinsection2.2InformationClassification.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 5of24
PolicyPolicyPublicAssets:designatedBCITinformationassetsthatareavailabletomembersofthepublicwithauthorizationrequired.Examplesincludekiosksandthepublicwebsite.PublicInformation:asdefinedinsection2.2InformationClassification.Record:SeePolicy6701,RecordsManagementfordefinitionofarecord.RemovableMedia:Informationstoragedevicesthatarenotfixedinsideacomputer.Examplesincludeexternalharddrives,CD-ROMs,DVDsandUSBflashdrives.Server:acomputerwhosefunctionistoprovideservices(e.g.,accesstofiles,printing,andsharedapplicationsincludingwebsites;databasemanagement;communications;andaccesstoPersonalorConfidentialinformation)onwhichendusersdependonanongoingbasis.ComputersthatareusedtoprovidenetworkservicessuchasDHCP,DNS,andLDAPareconsideredtobenetworkequipmentandarenotserversforthepurposeofthispolicy.StudentServer:acomputersetupbyfacultyorstudentsaspartofacoursetoteachservertechnologyandprinciples.System:acollectionofcomponentsincludinghardwareandsoftwaredesignedtostore,process,ortransmitinformationinsupportofabusinessoutcome.SystemOwner:theBCITemployeeresponsibleforagivensystem.Threat:apotentialcauseofanunwantedincident,whichmayresultinharmtoasystemororganization.User:apersonwhoperformsanyactiononaninformationasset.Vulnerability:aweaknessofanassetorgroupofassetsthatcanbeexploitedbyoneormorethreats.
GuidingPrinciples
1. Bynature,apost-secondaryeducationinstituteneedstoshareinformationforthepurposeofdeliveringeducation.Securitymeasuresmustbeimplementedinamannerthatenablesappropriateinformationexchange.
2. Securityresponsibilitiesandaccountabilitymustbeclearlydefinedandacknowledged.3. Usersarepersonallyaccountablefortheprotectionofinformationassetsundertheir
controlandmusttakeappropriatemeasurestoprotecttheconfidentiality,integrity,andavailabilityoftheassets.
4. Usersshouldhavesufficienttrainingtoallowthemtoproperlyprotectinformationassets.5. Securitycontrolsmustbecost-effectiveandinproportiontotherisksandthevalueofthe
assetsthatneedtobeprotected.6. Securityismulti-disciplinaryandrequiresacomprehensiveandintegratedapproach
coveringeveryaspectofBCIT’soperations.7. Allpartiesshouldactinatimely,coordinatedmannertopreventandrespondtosecurity
incidents.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 6of24
PolicyPolicy8. Securitymustbeperiodicallyassessedtoensurethatadequatemeasuresareinplaceto
protecttheassetsofBCIT.
9. Permissionsareassignedsothattheleastamountofprivilegerequiredtofulfillthebusinessfunctionisgiven(leastprivilege).
10. Nosinglemechanismmayprotectanassetfromunknownthreats.Wherewarranted,
multiplelayersofcontrolsshouldbeemployedtoreducetheriskoffailureofanysinglemeasure(defenceindepth).
11. Compromiseofoneassetshouldnotleadtothefurthercompromiseofotherassets
(compartmentalization).12. Manyinformationsystemshavenotbeendesignedwithsecurityinmind.Whereadequate
securitycannotbeachievedthroughtechnicalmeans,alternatecontrolsmustbeimplemented.
DutiesandResponsibilities
1. OrganizationofInformationSecurity1.1 InternalOrganization
1.1.1 ManagementCommitmenttoInformationSecurityTheBoardofGovernorsandBCITExecutiveactivelysupportinformationsecuritywithintheorganization.
1.1.2 AllocationofInformationSecurityResponsibilitiesBoardofGovernorsTheBCITBoardofGovernorsisaccountablefortheestablishmentofanInformationSecurityFrameworkfortheInstitute.BCITExecutiveTheBCITExecutiveisresponsibleforrecommendinganappropriateInformationSecurityFrameworktotheBoardofGovernorsandforprovidingongoingexecutiveoversightoftheframework,includingperiodic,independentreviews.TechnicalInfrastructureServices(TIS)ManagerTheTISManagerisresponsiblefor:� RecommendinganappropriateInformationSecurityFrameworkto
theBCITExecutive� Providingday-to-daymonitoringoftheframework� InformingtheBCITExecutiveofsecurityrisksandmanagementplans� Establishingappropriatecontactswithsecurityforums,professional
associations,andothergroupswithspecialistinterestsininformationsecurity.
BCITManagementMembersofBCITManagementareresponsibleforensuringthatemployeesandothersundertheirsupervisionareawareoftheirinformationsecurityresponsibilities.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 7of24
PolicyPolicy
DutiesandResponsibilities
InstructorsandTeachingFacultyInstructorsandTeachingFacultyareresponsibleforensuringthatstudentsundertheirsupervisionareawareoftheirinformationsecurityresponsibilities.InformationOwnersInformationOwnersareresponsibleforclassifyinginformationinaccordancewithpoliciesandguidelines.Allinformationmusthaveanassignedinformationowner.SystemOwnersSystemownersareaccountableforensuringthatsystemsareassessedforsecurityrequirementsincludingthoseflowingfromlegislativeandcontractualobligations.Systemownersarealsoaccountableforensuringthatsystemsaredesigned,configured,implemented,operated,maintained,upgraded,anddecommissionedconsistentwiththeestablishedsecurityneeds.Allsystemsmusthaveanassignedsystemowner.SystemownersmustensureanITadministratorisassignedtoeachassetcomprisingthesystem.AssetCustodiansAssetcustodians,uponrequest,mustbeabletodeterminethelocationofinformationassetsundertheircustodianshipandmustensurethatassetstransferredfromtheircustodianshipareclearlyassignedtothenextcustodian.Allphysicalassetssuchasinformationtechnologyequipmentmusthaveanassignedcustodian.ITAdministratorsITAdministratorsareresponsibleforconfiguringthesecurityfeaturesoftheassetsundertheiradministrationinaccordancewithpolicy,guidelines,andotherrequirements.AllassetswithconfigurablesecuritycharacteristicsmusthaveanassignedITAdministrator.InformationTechnologyServicesAsthecentralproviderofInformationTechnology,theITSDepartmentisresponsiblefor:� Networkmanagementandoperationincludingtheestablishmentof
networkzonesandcompartmentalization� Delegationofadministrationofanetworkzoneonlywhen
appropriatecontrolsareinplaceinthedelegatedorganization� Maintainingacatalogueofcoreservicesincludingclearlyarticulated
servicelevelexpectations� ContinuityofcoreenterpriseclassITinfrastructureaspartofthe
Institute’soverallbusinesscontinuityframework.
SafetyandSecurityDepartmentTheSafetyandSecurityDepartmentisresponsiblefor:� ThephysicalsecurityofBCITfacilitiesincludingaccesscontrolto
buildingsandrooms� Overallemergencyresponse,disasterplanning,andbusiness
InformationSecurity3502
DirectoryofRecordsClassification0650−10 8of24
PolicyPolicy
DutiesandResponsibilities
continuityplanning� Contactwithauthorities.
MarketingandCommunicationsDepartmentTheMarketingandCommunicationsDepartmentisresponsiblefor:� ProtectionofBCIT’sbrandfrominformationsecuritythreats� Communicationswiththemediaintheeventofaninformation
securityincident� PoliciesandproceduresforuseofBCITdomainnames.
HumanResourcesTheHumanResourcesDepartmentisresponsiblefor:
• Documentinginformationsecurityrequirementsinjobdescriptions
• Screeningofemployees• Coordinatingtheterminationofemployees,ensuringall
departmentsareappropriatelynotified.RecordsManagementOfficeTheRecordsManagementOfficeisresponsibleforensuringthattheDirectoryofRecordsaccuratelyreflectstheclassificationofrecords.Information,AccessandPrivacyInformation,AccessandPrivacyisresponsibleforexchangeagreementsthatinvolvetheexchangeofPersonalinformation.FinancialServicesDepartmentTheFinancialServicesDepartmentisresponsibleforensuringcontrolsareinplacetoprotectthesecurityoffinancialinformationand,inparticular,toensuretheintegrityoffinancialinformation.RiskManagerTheRiskManagerisresponsibleforidentifyingandassessingoverallriskforBCIT.UsersAllusersareresponsiblefor:� Takingappropriatemeasurestopreventloss,damage,abuse,or
unauthorizedaccesstoinformationassetsundertheircontrol� Promptlyreportingallactsthatmayconstituterealorsuspected
breachesofsecurityincluding,butnotlimitedto,unauthorizedaccess,theft,systemornetworkintrusions,willfuldamage,andfraud
� Lookingafteranyphysicaldevice(tools,computers,vehicles,etc.)andaccessarticles(keys,IDcards,systemIDs,passwords,etc.)assignedtothemforthepurposesofperformingtheirjobduties,takingcourses,conductingresearch,orotherwiseparticipatingwithintheInstitute
� Respectingtheclassificationofinformationasestablishedbytheinformationowner
� Complyingwithallthesecurityrequirementsdefinedinthis
InformationSecurity3502
DirectoryofRecordsClassification0650−10 9of24
PolicyPolicy
DutiesandResponsibilities
document� ComplyingwithotherrelatedpoliciesincludingPolicy3501,
AcceptableUseofInformationTechnology.
1.2 ExternalParties1.2.1 IdentificationofRisksRelatedtoExternalPartiesorStudents
TheriskstotheInstitute’sinformationassetsrelatingtoexternalpartiesorstudentsmustbeidentifiedandappropriatecontrolsimplementedbeforegrantingaccess.
1.2.2 AddressingSecurityinExternalPartyAgreementsAccesstoBCITinformationassets,exceptpublicassets,mustnotbegrantedtoexternalpartieswithoutacontractualagreementthatbindsthemtoBCITpolicies.
2. AssetManagement2.1 ResponsibilityforAssets
Eachpieceofequipmentmusthaveanassignedassetcustodian.Uponrequestassetcustodiansmustbeabletolocatetheequipmentassignedtothem.Ifcustodiansaretopassthecustodyoftheequipmenttoanotherperson,theyareresponsibleforensuringtherecordofcustodianshipisupdated.Ifacustodianbecomesunavailableunexpectedly,thisresponsibilityfallstotheoperationsmanageroftheirdepartmentorschool.2.1.1 InventoryofAssets
Aninventoryofassetsmustbemaintained.
2.1.2 AcceptableUseofAssetsSeePolicy3501,AcceptableUseofInformationTechnology.
2.2 InformationClassification2.2.1 InformationOwnership
Allinformationmusthaveadesignatedinformationowner.Forcompleteinformationaboutestablishinginformationownership,seeGuideline3502,InformationSecurity.
2.2.2 ClassifyingInformationAllInstituteinformationmustbeclassifiedaccordingtoitsrequirementsforconfidentiality,integrity,andavailability.TheinformationownerisresponsibleforclassifyingtheinformationaccordingtoGuideline3502,InformationSecurity.Classificationmustbereviewedonaregularbasis.
2.2.3 ConfidentialityClassificationsThefollowingconfidentialityclassificationsdeterminehowInstituteinformationmustbeshared,handledandstored:� Public–informationthatisavailabletothegeneralpublicandis
routinelydisclosed
InformationSecurity3502
DirectoryofRecordsClassification0650−10 10of24
PolicyPolicy
DutiesandResponsibilities
� BCITInternalUse–informationthatisavailabletoauthorizedusersandisnotroutinelydisclosed.Bydefault,dataisBCITInternalUseuntilitisassessedandotherwiseclassified
� Confidential–informationthatcontainssensitiveInstituteinformationandthatisavailabletoauthorizedusers.AformalFOIPOPrequestisrequiredfornon-routinedisclosure
� Personal–informationthatcontainssensitivepersonalinformationandisavailabletoauthorizedusersonly.AformalFOIPOPrequestisrequiredfornon-routinedisclosure.
2.2.4 BusinessContinuityClassifications
Inadditiontotheconfidentialityclassifications,Policy7530,EmergencyResponsegovernstheclassificationofinformationforbusinesscontinuitypurposes.Eachinformationownermustclassifyinformationforthepurposesofbusinesscontinuity.
2.2.5 LabellingInformationBothhardcopyandelectronicinformationmustbeclearlylabelledwithitsconfidentialityclassificationsothatauthorizedusersareawareoftheclassification.Forcompletedetailsonhowtolabelinformation,seeGuideline3502,InformationSecurity.
2.3 InformationHandlingAuthorizedusersmustcarryoutalltasksrelatedtothecreation,storage,maintenance,cataloguing,use,dissemination,anddisposalofInstituteinformationresponsibly,inatimelymanner,andwiththeutmostcare.Usersmustnotknowinglyfalsifyinformationorreproduceinformationthatshouldnotbereproduced.2.3.1 SharingInstituteInformation
Personal,Confidential,andBCITInternalUseinformationmayonlybesharedwithotherauthorizedusers,onaneedtoknowbasis.
2.3.2 StoringInformationInformationclassifiedasPersonalorConfidentialmustbeencryptedandstoredwithaccesslimitedtoauthorizedusers.SecurestorageofInstituteinformationisajointresponsibilityofsystemowners,ITadministrators,databasedesigners,applicationdesigners,andtheinformationowner.
2.3.3 PrintingofPersonalorConfidentialInformationInformationclassifiedasPersonalorConfidentialmustneverbesenttoasharedprinterwithoutanauthorizeduserimmediatelypresenttoretrieveitandhencesafeguarditsconfidentialityduringandafterprinting.
2.3.4 CollectionandUseofPersonalInformationThecollection,use,storage,andtransmissionofPersonalinformationusingBCITinformationtechnologyresourcesmustbeincompliancewiththeB.C.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 11of24
PolicyPolicy
DutiesandResponsibilities
FreedomofInformationandProtectionofPrivacyActandwithPolicy6700,FreedomofInformationandProtectionofPrivacy.
2.3.5 DeletingInformationCreatedorOwnedbyOthersInformationistobeprotectedagainstunauthorizedoraccidentalchanges,andmayonlybedeletedinaccordancewithproceduresestablishedbytheinformationownerandinaccordancewithrecordsmanagementprocedures.
3. HumanResourcesSecurity3.1 PriortoEmployment
3.1.1 RolesandResponsibilitiesSecurityrolesandresponsibilitiesofemployeesmustbedefinedanddocumentedinjobdescriptions.
3.1.2 ScreeningBackgroundverificationchecksonallcandidatesforemployment,andexternalpartiesmustbecarriedoutinaccordancewithrelevantlaws,regulationsandethics,andproportionaltothebusinessrequirements,theclassificationoftheinformationtobeaccessed,andtheperceivedrisks.
3.1.3 TermsandConditionsofEmploymentAllemployeesmustacknowledgetheiragreementtoabidebyPolicy3501andPolicy3502priortoreceivingaccesstoanyaccount.
3.2 DuringEmployment3.2.1 InformationSecurityAwareness,Education,andTraining
Allemployeesandexternalparties,whereapplicable,mustreceiveappropriateawarenesstrainingandregularupdatesinpoliciesandprocedures.Newemployeesmustreceivesecuritytrainingaspartoftheirinitialorientation.
3.2.2 ChangeofRoleChangeofresponsibilitiesmustbemanagedasaterminationoftherespectiveresponsibilitiesandtheassignmentofnewresponsibilitiesasdescribedinsection3.1PriortoEmployment.
3.3 TerminationofEmployment3.3.1 TerminationResponsibilities
Anemployee’scontinuingobligationstoinformationsecuritymustbecommunicatedinwritingatterminationofemployment.
3.3.2 ReturnofAssetsAllemployeesandexternalpartiesmustreturnalloftheInstitute’sassetsintheirpossessionuponterminationofemployment,contract,oragreement.Theassetcustodianisresponsibletoensurethecorrespondingassetinventoriesareupdated.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 12of24
PolicyPolicy
DutiesandResponsibilities
3.3.3 RemovalofAccessRightsOnleavingemployment,allemployee-basedaccessmustbedisabledattheendoftheemployee’slastday,orsooner,basedonsecurityrequirements.
4. PhysicalandEnvironmentalSecurity4.1 SecureAreas
4.1.1 PhysicalSecurityPerimeterSecurityperimeterswithwell-definedaccesspoints(barrierssuchaswall,cardcontrolledentry)mustbeusedtoprotectareasthatcontainPersonal,Confidential,orBCITInternalUseinformationandinformationprocessingfacilities.Protectionprovidedmustbecommensuratewithidentifiedrisks.Mobiledevicesandremovablemediaareexcludedprovidedtheinformationisencryptedaspersection5.7.2EncryptionofInformationonRemovableMedia.
4.1.2 PhysicalEntryControlsAreasrequiringhigherlevelsofsecuritymustbeprotectedwithappropriateentrycontrolstoensurethatonlyauthorizedusersareallowedaccess.
4.2 EquipmentSecurity4.2.1 EquipmentSitingandProtection
Thesiteschosentolocateequipmentorstoreinformationmustbesuitablyprotectedfromphysicalintrusion,temperaturefluctuations,theft,fire,flood,andotherhazards.
4.2.2 PhysicalSecurityofEquipmentAssetcustodiansareaccountable(eitherdirectlyorbydelegationofresponsibility)toensurethephysicalsecurityofassignedequipmentregardlessofwhethertheequipmentislocatedonoroffBCITcampuses.
4.2.3 MobileDevicesBCITownedmobiledevicesmustbeissuedonlytoauthorizedusers.Theyaretobeusedonlybyauthorizedusersandonlyforthepurposeforwhichtheyareissued.Theinformationstoredonthemobileequipmentistobesuitablyprotectedfromunauthorizedaccessatalltimes.Whenusingmobiledevices,encryptionstandardsmustbefollowed.Seealsosection2.3InformationHandling.
4.2.4 UseofEquipmentOn-CampusWiththeexceptionofpublicassets,onlyauthorizedusersarepermittedtouseBCITequipment.
4.2.5 SupportingUtilitiesEquipmentmustbeprotectedfrompowerfailuresandotherdisruptionscausedbyfailuresinsupportingutilities.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 13of24
PolicyPolicy
DutiesandResponsibilities
4.2.6 CablingSecurityCablingcarryinginformationorsupportinginformationservicesmustbeprotectedfrominterceptionordamage.Powerandcoolinglinesmustbeprotectedfromdamage.
4.2.7 EquipmentMaintenanceEquipmentmustbecorrectlymaintainedtoensureitscontinuedavailabilityandintegrity.
4.2.8 SecurityofEquipmentOff-CampusOnlyauthorizedusersarepermittedtotakenon-mobileBCITtechnologyequipmentoffcampus.Whennon-mobileBCITequipmentisusedoffcampus,theauthorizeduserisresponsiblefornotifyingtheassetcustodianandensuringthesecurityoftheequipmentatalltimes.
4.2.9 SecureDisposalorRe-useofEquipmentEquipmentownedorleasedbytheInstitutemayonlybedisposedoforreconditionedforreusebypersonsauthorizedtodisposeoforreconditionequipmentwhohaveensuredthattherelevantsecurityriskshavebeenmitigatedandallinformationhasbeenrenderedunrecoverable.
5. CommunicationsandOperationsManagement5.1 OperationalProceduresandResponsibilities
5.1.1 DocumentedOperatingProceduresOperatingproceduresmustbedocumented,maintained,andmadeavailabletoalluserswhoneedthem.
5.1.2 ChangeManagementChangestoinformationprocessingfacilitiesandsystemsmustbecontrolledthroughappropriatechangecontrolmechanisms.
5.1.3 SegregationofDutiesDutiesandareasofresponsibilitymustbesegregatedtoreduceopportunitiesforunauthorizedorunintentionalmodificationormisuseoftheInstitute’sassets.
5.1.4 SeparationofDevelopment,Test,andOperationalFacilitiesDevelopment,test,andoperationalfacilitiesmustbeseparatedtoreducetherisksofunauthorizedaccessorchangetotheoperationalsystem.
5.2 ExternalPartyServiceDeliveryManagementBCITsecurityrequirementsmustbeincorporatedintocontractualrelationshipswithexternalparties.Compliancetosecurityrequirementsmustbemonitoredonanongoingbasis.
5.3 SystemPlanningandAcceptanceAcceptancecriteriafornewinformationsystems,upgrades,andnewversionsmustbeestablishedandsuitabletestsofthesystem(s)carriedoutduringdevelopment
InformationSecurity3502
DirectoryofRecordsClassification0650−10 14of24
PolicyPolicy
DutiesandResponsibilities
andpriortoacceptance.
5.4 ProtectionagainstMaliciousCodeRisksfrommaliciouscodetotheInstitute'ssystemsandinformationmustbeminimizedbyfosteringemployeeawareness,encouragingemployeevigilance,anddeployingappropriateprotectivesystemsanddevices.ITadministratorsmustinformrelevantpartiesofthreatsandcountermeasurestheycantaketoprotecttheInstitute’ssystemsandinformation.UsersmuststayinformedaboutthreatsandtakereasonableprecautionsinusingInstituteITresourcesinordertominimizeopportunitiesforattacks.ITadministratorsmustprepareandmaintaincontingencyplansforadenialofserviceattackandperiodicallytesttheirplanstoensureadequacy.5.4.1 DefendingagainstMaliciousAttack
Systemhardware,operatingsystemandapplicationsoftware,networks,andcommunicationsystemsmustallbeadequatelyconfiguredandsafeguardedagainstbothphysicalattackandunauthorizednetworkintrusion.
5.4.2 DownloadingFilesandInformationfromtheInternetUsersareresponsibleforallinformationandfilestheydownloadfromtheInternet(orotherexternalnetworksorfromonenetworkzonetoanother)andmustsafeguardagainstbothmaliciouscodeandinappropriatematerial.SeealsoGuideline3502,InformationSecurity.
5.4.3 ReceivingElectronicMail(Email)Usersmusttreatincomingemailwiththeutmostcareduetoitsinherentinformationsecurityrisks.Theopeningoffilesorotherattachmentsthatarefromanunknownsourceisnotpermittedunlesstheuserfirstscanstheattachmentsforpossiblevirusesorothermaliciouscode.SeeGuideline3501,AcceptableUseofInformationTechnology.
5.5 BackupSystemownersareresponsibleforestablishingtheextent,frequency,andretentionofsystembackupswhichmustreflectthebusinessrequirementsoftheInstitute,thesecurityrequirementsoftheinformationinvolved,andthecriticalityoftheinformationtothecontinuedoperationoftheInstitute.SeealsoGuideline3502,InformationSecurity.ITadministratorsareresponsibleforconfiguringinformationassetstomeetbackuprequirements.5.5.1 BackupsmustbeSecuredandTested
Backupsmustbesecuredinaccordancewiththeclassificationoftheinformationtheycontain.Backupsmustbeperiodicallytestedtoensurethedataisrecoverable,andrecordsmustbekeptofthetests.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 15of24
PolicyPolicy
DutiesandResponsibilities
5.5.2 BackupsmustnotbeUsedinLieuofOtherControlsBCITbackupfacilitiesarenotintendedtoreplacerecordsmanagementcontrolsorprovideaudittrails.
5.5.3 RecoveringandRestoringInformationSafeguardsmustbeinplacetoprotecttheintegrityofdatafileswhenrecoveringandrestoringdatafiles,especiallywhererestoredfilesmayreplacemorerecentfiles.
5.6 NetworkSecurityManagementNetworksmustbeadequatelymanagedandcontrolledinordertobeprotectedfromthreatsandtomaintainsecurityforthesystemsandapplicationsusingthenetworks,includinginformationintransit.AllequipmentconnectedtothenetworkissubjecttoallBCITpolicies.Personalequipmentthatwillbeconnectedtothenetworkmayalsobesubjecttoinspectionpriortoconnectioninordertoverifythatsecurityrequirementsaremet.5.6.1 NetworkControls
Specialcontrolsmustbeestablishedto:� Safeguardtheconfidentialityandintegrityofdatapassingover
publicnetworksoroverwirelessnetworks� Protectnetworkequipment,theconnectedsystems,and
applications� Maintaintheavailabilityofthenetworkservicesandcomputers
connected� Applyappropriateloggingandmonitoringtoenablerecordingof
securityrelevantactions.
5.6.2 UserAuthenticationforExternalConnectionsRemoteaccesscontrolproceduresmustprovideadequatesafeguardsthroughrobustidentification,authentication,andencryptiontechniques.RemoteaccesstoBCITnetworksisonlythroughthetechnologyapprovedbytheTISManager.
5.6.3 RemoteConfigurationandDiagnosticPortProtectionPhysicalandlogicalaccesstoconfigurationanddiagnosticportsmustbecontrolled.
5.6.4 SegregationinNetworks–NetworkZonesEachnetworkzonemust:� Haveclearguidelinesastotheintendeduseofthezoneandits
securitycharacteristics� Besufficientlysecureforintendeduses� Becompartmentalizedsoasnottobeameansforintrusioninto,or
interferencewith,BCITsystemsorothernetworks� Haveredundancy,backupandrecoverymeasures,andcontingency
plansinplacetoensurethatnetworkservicesareavailableonasufficientlytimelybasistosupporttheintendeduses
InformationSecurity3502
DirectoryofRecordsClassification0650−10 16of24
PolicyPolicy
DutiesandResponsibilities
� Havedocumentationcoveringitstopology,configuration,andgatewaystoexternalnetworksandnodes,aswellastheconnecteddevicesandindividualsresponsible.
Equipment,otherthanapprovednetworkequipment,mustnotbeattachedtotwonetworkzonessimultaneously.Thisistopreventuncontrolledflowoftrafficbetweenzonesandtopreservecompartmentalization.
5.6.5 NetworkConnectionControlNetworkequipmentmustnotbeconnectedtoBCITnetworkswithoutapprovalfromITServices.SystemsandequipmentconnectedtotheBCITnetworkmustbeconfiguredtominimizethepossibilityofbypassingaccesscontrols.ITadministratorsareresponsibleforimplementingsuchprecautions.SeeGuideline3502,InformationSecurityforconfigurationdetails.
5.6.6 IPAddressAssignmentIPaddressesonBCITnetworksmustnotbeassignedorusedwithoutpermissionfromITServices.(AutomatedassignmentofanIPaddressbyanITScontrolledDHCPserverconstitutespermission.)
5.6.7 DomainNameRegistrationandUseEmployeesandstudentsarenotpermittedtoregisterdomainnamesthatincludeBCIT,BritishColumbiaInstituteofTechnology,oranyvariationswithoutpriorauthorizationoftheMarketingandCommunicationsDepartment.ThirdpartyagreementlanguagemustincludeprotectionforBCITdomainnames.Seesection1.2.2AddressingSecurityinExternalPartyAgreements.Allwebsitesthataresub-domainsofaBCITdomainorassignedtoaBCITownedIPrangemustbeauthorizedbytheMarketingandCommunicationsDepartmentpriortodevelopment.
5.6.8 ServerPlacementinNetworksServersthatareconnectedtotheBCITnetworkmustbeplacedinalocationandnetworkzonethatislogicallyandphysicallysecurecommensuratewiththevalueoftheserviceprovidedandthesensitivityoftheinformationaccessiblethroughthesystem.Allaccesstothisequipmentmustbeloggedtofacilitateauditing.SeeGuideline3502,InformationSecurityforminimumloggingstandards.StudentserversmayonlybeattachedtotheAcademicZoneandmustnotbeattachedtotheAdministrativeZone.
5.6.9 ServersAccessiblefromExternalNetworksAllserversthatareaccessibletoanexternalnetwork(includingtheInternet)mustreceivepermissionfromtheTISManager.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 17of24
PolicyPolicy
DutiesandResponsibilities
5.6.10 SecurityofNetworkServices
Securityfeatures,servicelevels,andmanagementrequirementsforeachnetworkzonemustbeidentifiedandincludedinanyservicelevelagreement,whethertheseservicesareprovidedin-houseoroutsourced.
5.7 HandlingofMediaandHardcopy5.7.1 MediaandHardcopyHandlingProcedures
Proceduresmustbedrawnupandfollowedforhandling,processing,storing,transporting,transmitting,anddisposalorreuseofmediaandhardcopy.Theseproceduresmustbeconsistentwithsecurityguidelines.Fordetails,seeGuideline3502,InformationSecurity.
5.7.2 EncryptionofInformationonRemovableMediaPersonalorConfidentialinformationmustbeencryptedwhenstoredonremovablemediainaccordancewithsection2.3InformationHandlingandProcedure3502,InformationSecurity.
5.7.3 DisposalorReuseofMediaAllmediamustbedisposedoforpreparedforreuseinsuchamannerthatitisimpossibletorecovertheinformation.
5.7.4 ShreddingofUnwantedHardcopyAllhardcopiescontainingPersonalorConfidentialinformationaretobesecurelyshreddedwhennolongerrequired.Wheretheinformationconstitutesarecord,seealsoProcedure6701-PR1,RecordsManagement.
5.7.5 UsingExternalDisposalFirmsAnyexternalpartyusedfordisposalofBCIT’smediaandhardcopymusthaveacontractualagreementaccordingtosection1.2.2AddressingSecurityinExternalPartyAgreements.
5.7.6 SecurityofSystemDocumentationSystemdocumentationmustbeprotectedagainstunauthorizedaccess.
5.8 ExchangeofInformation5.8.1 InformationExchangePoliciesandProcedures
Formalinformationexchangepolicies,procedures,andcontrolsmustbeinplacetoprotecttheexchangeofinformationthroughtheuseofalltypesofcommunication.
5.8.2 TransmittingInformationacrossNetworksAllPersonalorConfidentialinformationmustbeencryptedintransit,includingbyemail,electronicdatainterchange,orotherformsofinterconnectionofbusinesssystems.ControlsmustbeputinplacetoverifytheintegrityoftransmittedPersonalorConfidentialinformationandtheidentitiesofsenderandreceiver.SeeGuideline3502,InformationSecurity.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 18of24
PolicyPolicy
DutiesandResponsibilities
5.8.3 PersonsGivingInformationovertheTelephoneTheidentityandauthorizationofcallersmustbeverifiedbeforePersonalorConfidentialinformationisprovidedoverthetelephone.
5.8.4 ExchangeAgreementsAgreementsmustbeestablishedfortheexchangeofPersonalorConfidentialinformationbetweentheInstituteandexternalpartiesotherthanforregulatoryorlegislativerequirements.
5.8.5 RemovableMediainTransitRemovablemediacontaininginformationmustbeprotectedagainstunauthorizedaccess,misuseorcorruptionduringtransportation.ThetransportationofremovablemediacontainingPersonalorConfidentialinformationmustbelogged.Theremovablemediamustbeaddressedtotheintendedrecipientandreceiptmustbeconfirmedandlogged.
5.9 ElectronicCommerceServicesControlsarenecessarytocovertheadditionalsecurityrequirementsassociatedwithusingorprovidingelectroniccommerceservices.Informationinvolvedinelectroniccommercemustbeprotectedfromfraudulentactivity,contractdispute,andunauthorizeddisclosureandmodification.ElectroniccommercesystemsmustmeetPaymentCardIndustry(PCI)standardswhereappropriate.5.9.1 ApprovalofElectronicCommerceSystems
EachelectroniccommercesystemrequiresapprovalfromtheChiefFinancialOfficer(CFO)priortoimplementation.
5.9.2 PersonalPaymentInformationAllsystemsstoringorprocessingpersonalpaymentinformation,includingcreditcardnumbersandbankaccountnumbers,requireapprovalfromtheCFOpriortoimplementation.
5.10 Monitoring5.10.1 Logging
Logsrecordingsecurityrelevantuseractivities,exceptions,andinformationsecurityeventsmustbeproducedandkeptfortheperiodspecifiedintheguidelinesforaccesscontrolmonitoringandtoassistinfutureinvestigations.SeeGuideline3502,InformationSecurity.
5.10.2 MonitoringSystemUseLogs,includingsystemandapplicationlogs,mustbemonitoredandanomaliesinvestigated.LogsmustbereviewedregularlyforsecurityeventsbyITadministratorsanddiscrepanciesreportedtotheTISManager.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 19of24
PolicyPolicy
DutiesandResponsibilities
5.10.3 ProtectionofLogInformationLoggingfacilitiesandloginformationmustbeprotectedagainsttamperingandunauthorizedaccess.
5.10.4 AdministratorandOperatorLogsITadministratorandotherprivilegedaccountactivitiesmustbelogged.
5.10.5 ClockSynchronizationSystemclocksmustbesynchronizedregularlytoacommonsourcetosimplifythereviewandcorrelationofauditlogs.ThecommonsourceisasspecifiedbyITServices.
6. AccessControlAccountsmaybeprovisionedtoprovideaccesstoassetsincluding:networks,operatingsystems,applications,anddatabasemanagementsystems.Thissectiongovernsaccesstoalloftheseassetcategories.6.1 AccessControlPolicy
Systemownersmustestablish,document,andregularlyreviewanaccesscontrolpolicyforsystemsintheircontrolbasedonbusinessandsecurityrequirementsforaccess.
6.2 UserAccessManagementFormaluserregistrationandde-registrationproceduresmustbeusedtograntandrevokeaccesstoallinformationsystemsandservicesincludingnetworkservices,operatingsystems,applications,anddatabasemanagementsystems.Theallocationanduseofprivilegesmustberestrictedandcontrolled,andtheallocationofpasswordsandothersecuritycredentialsmustbecontrolledthroughaformalmanagementprocess.6.2.1 ReviewofAccountsandAccessRights
Systemownersmustreviewusers’accessrightsatregularintervalsusingaformalprocess.
6.2.2 InactiveAccountsInactiveaccountsmustbedisabledaftertheperiodofinactivityspecifiedinGuideline3502,InformationSecurity.
6.2.3 SessionTime-outInactivesessionsmustbeterminatedaftertheperiodofinactivitydefinedinGuideline3502,InformationSecurity.
6.2.4 AdditionalAccessProtectionsSystemsmayrequireadditionalaccessprotectionsbasedontimeofday,location,andadditionalauthenticationrequirements.SeeGuideline3502,InformationSecurity.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 20of24
PolicyPolicy
DutiesandResponsibilities
6.3 UserResponsibilitiesAllusersmustauthenticateusingtheirownaccountforagivensystem.Approvedloginproceduresmustbefollowed.6.3.1 DelegationofDuties
Wheredelegationofdutiesisrequiredtomeetabusinessneed,usersmustemployfeatureswithinthesystemwhereverpossible.Wherethesystemdoesnotprovidetheabilitytodelegate,thentheprocedurefordelegatinganaccountthroughcontrolledsharingdetailedinProcedure3502,InformationSecuritymustbefollowed.
6.3.2 ShortTermAccountsIndepartmentsthatemploytemporaryemployeesonafrequentbasis,theuseofshorttermaccountsmustfollowProcedure3502,InformationSecurity.
6.3.3 InadvertentAccesstoResourcesandInformationUsersmustnotexploitinsecureaccountsorresources,ortakeadvantageoflessknowledgeableusers.UsersmustnotreadPersonalorConfidentialinformationsimplybecauseitisaccessibletothemthroughaccidentalexposureorthroughthemaliceofotherswhohavebrokenintoasystemoraremisusingtheiraccessprivileges.Ifusersdiscoversuchanexposuretheymustreporttheexposureasasecurityincident.
6.3.4 PasswordUseTheselectionofpasswordsandtheiruse,protection,andmanagementmustfollowthecorrespondingproceduresinProcedure3502,InformationSecurity.Passwordsmustnotbesharedwithanyotherpersonatanytime.TheonlyexceptioniswhenauthorizedusersmustdelegateanaccountaccordingtoProcedure3502,InformationSecurity.BCITpasswordsmustnotbeusedforanynon-BCITaccountsorservices(suchaspersonalISPaccounts,freeonlineemailaccounts,instantmessagingaccounts,orotheronlineservices).ThispracticeensurescompartmentalizationandreducesthelikelihoodthatpasswordsobtainedfromothersystemsmaybeusedtocompromiseBCITsystems.
6.3.5 ControllingAccesstoUnattendedUserEquipmentWhenleavingacomputerormobiledeviceunattended,usersareresponsiblefor:� Preventingunauthorizedaccesstoinformationandrecordsbyeither
loggingofforusingdevicelockingsoftware� Preventingtheftofthecomputerordevicebyusingalockingdevice.
Allunattendedequipmentinpublicareasmustbephysicallysecuredandconfiguredinamannersuchthatthesecurityofitssystemscannotbeeasilythwarted.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 21of24
PolicyPolicy
DutiesandResponsibilities
6.3.6 ControllingAccesstoInformationinUnattendedAreasDesksmustbeclearedofPersonalorConfidentialinformationwhendesksareunattended.AreasthatmaycontainPersonalorConfidentialinformationmustnotbeleftunattendedwithoutsecuringtheinformation.
7. InformationSystemsAcquisition,Development&Maintenance7.1 SecurityRequirementsofInformationSystems
Statementsofbusinessrequirementsfornewinformationsystems,orenhancementstoexistinginformationsystemsmustspecifytherequirementsforsecuritycontrols.Securityrequirementsandcontrolsmustreflectthebusinessvalueofinformationassetsaffectedbythesystemandthepotentialbusinessdamagethatmightresultfromafailureorabsenceofsecurity.Systemrequirementsforinformationsecurityandprocessesforimplementingsecurityshouldbeintegratedintheearlystagesofinformationsystemprojects.Forrequirementsthatmustbeconsidered,seeGuideline3502,InformationSecurity.
7.2 CorrectProcessinginApplicationsSystemownersmustensurethatthesystemstheyareresponsibleforhandleinformationwithduecare.Thisincludesvalidationofinformationenteredintothesystem,validationcheckstodetectcorruptionofinformationthroughprocessingerrorsordeliberateacts,appropriatecontrolstoensureauthenticityandmessageintegrity,andvalidationofinformationoutputfromanapplicationtoensurethattheprocessingofstoredinformationiscorrect.
7.3 SecurityinDevelopment,DeploymentandSupportProcessesOnlyauthorizedusersmayaccessoperationalsoftwarelibrariesorthesourcecodeofsystems.Segregationofduties,technicalaccesscontrols,androbustproceduresmustbeemployedwheneveramendmentstosoftwarearenecessary.7.3.1 TechnicalReviewofApplicationsafterExecutionEnvironment
ChangesWhentheexecutionenvironmentoftheapplicationischanged(e.g.,operatingsystem,hardware,middleware),businesscriticalapplicationsmustbereviewedandtestedtoensurethereisnoadverseimpactonInstituteoperationsorsecurity.
7.3.2 OutsourcedSoftwareDevelopmentOutsourcedsoftwaredevelopmentmustbeinaccordancewithsection1.2.2AddressingSecurityinExternalPartyAgreements.
7.3.3 ControlofOperationalSoftwareOnlyauthorizedusersmaydeploysoftwareonoperationalsystems.
7.3.4 UsingLiveInformationforTestingTheuseofliveinformationfortestingnewvendor-suppliedorcustomsystemsorsystemchangesmayonlybepermittedwherethesamecontrolsforthesecurityoftheinformationasusedontheproductionsystemareinplace.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 22of24
PolicyPolicy
DutiesandResponsibilities
7.4 TechnicalVulnerabilityManagementTheTISManagerandeachITadministratorareresponsibleformonitoringinformationaboutthetechnicalvulnerabilitiesoftheinformationsystems,promptlyevaluatingtheInstitute’sexposuretosuchvulnerabilities,andtakingtimely,appropriatemeasurestoaddresstheassociatedrisks.SeeGuideline3502,InformationSecurity.
8. InformationSecurityIncidentManagement8.1 ReportingInformationSecurityEventsandWeaknesses
8.1.1 ReportingInformationSecurityEventsAllsuspectedinformationsecurityincidentsmustbereportedpromptlytotheTISManager.
8.1.2 ReportingSecurityWeaknessesAllinformationsecurityweaknessesmustbereportedpromptlytotheTISManager.
8.2 ManagementofInformationSecurityIncidentsandImprovements8.2.1 ConductofInvestigations
InformationsecurityinvestigationsarecoordinatedbytheTISManager.TheTISManagerisauthorizedtoinvestigateinformationsecurityincidentsincluding:seizingInstitute-ownedequipment,monitoring,andtakingimagesandbackups.
8.2.2 ResponsibilitiesandProceduresBCITemployeesandstudentsmustprovidetimelyassistancewhenrequested.Externalparties’responsibilitiesforinformationsecurityincidentmanagementmustbeestablishedaccordingtosection1.2.2AddressingSecurityinExternalPartyAgreements.
8.2.3 InvestigationLimitationsInvestigationofanindividual’sactivitiesorfilesbytheTISManagerwillonlybedoneinresponsetoanincidentorwithreasonablesuspicionthattheindividualisengaginginactivitiesthatarenoncompliantwithBCITpolicies.
8.2.4 EnsuringtheIntegrityofInformationSecurityIncidentInvestigationsToensuretheintegrityofevidence,theTISManagermustbecontactedbeforeanyinvestigationalactivitiesareundertaken.
8.2.5 LearningfromInformationSecurityIncidentsPost-incidentreviewofmajorincidentsmustbeconducted.Periodically,incidentsmustbereviewedcollectivelytoidentifytrendsforimprovementofsecurityefforts.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 23of24
PolicyPolicy
DutiesandResponsibilities
9. BusinessContinuityManagementSeePolicy7530,EmergencyResponseforBCIT’sbusinesscontinuitymanagementapproach.9.1 InformationSecurityAspectsofBusinessContinuityManagement
9.1.1 IncludingInformationSecurityintheBusinessContinuityManagementProcessTheplanningandimplementationofbusinesscontinuitymustnotcompromiseinformationsecurity.
9.1.2 DisasterRecoveryPlanSystemownersmustensurethatdisasterrecoveryplansfortheirsystemsaredeveloped,tested,andimplemented.RecoverytimemustbenegotiatedjointlybythesystemownersandITServicesorotherserviceprovider.WherebusinessrequirementsexceedtheabilitytorecoverITassets,mitigatingcontrolsmustbeputinplace.SeePolicy7530,BCITEmergencyResponseformoredetails.
10. Compliance10.1 CompliancewithLegalRequirements
10.1.1 IntellectualPropertyRights(IPR)SeePolicy6601,IntellectualProperty.
10.1.2 UsingLicensedSoftwareAllsoftwaremustbeappropriatelylicensedandusersmustcomplywiththetermsandconditionsofallEndUserLicenseAgreements.
10.1.3 ProtectionofOrganizationalRecordsSeePolicy6701,RecordsManagement.
10.1.4 DataProtectionandPrivacyofPersonalInformationSeesection2.2InformationClassificationinthispolicy.
10.2 InformationSystemsAuditConsiderationsTheplanningandimplementationofinformationsystemsauditsmustnotcompromiseinformationsecurity.Accesstosystemauditingtoolsmustbeprotectedtopreventanymisuseorcompromise.
11. Non-ConformingSystemsThispolicyrepresentsatargetenvironment.Notallsystemsortechnologiesarecapableofconforminginalldetails.TheTISManagermustmaintainalistofnon-conformingsystemsandtechnologies.Thisisarisk-basedactivityfocusingonnon-conformingsystemswiththehighestriskprofile.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 24of24
PolicyPolicy
DutiesandResponsibilities
Systemownersofsystemsthatareunabletoconformtothispolicyanditsguidelinesmust:• Reportnon-conformancetotheTISManagerimmediately• Undertakeariskassessment• DevelopariskmanagementplanandsubmittotheTISManager.Thisexceptionlistwillincludeallsystemsandtechnologiesthatdonotconformtothispolicyandincludeareferencetotheriskassessmentandriskmanagementplanforeachsystemortechnologyonthelist.
12. ConsequencesofPolicyViolationBCITreservestherighttoterminateorrestricttheaccessprivilegesofauserwhoseactivitiesnegativelyaffectorposeathreattoafacility,anotheraccountholder,normaloperations,orthereputationoftheInstitute.Followingdueprocess,theInstitutemaytakeoneormoreofthefollowingactionsagainstanyuserwhoseactivitiesareinviolationofthispolicyorthelaw:� Averbalorwrittenwarning� RestrictionsonorremovalofaccesstoanyorallInstitutecomputingfacilitiesand
services� Legalactionthatcouldresultincriminalorcivilproceedings� Inthecaseofstudents,disciplinaryactionunderPolicy5102,StandardsofNon-
academicConduct.� Inthecaseofemployees,disciplinaryactionuptoandincludingtermination.EquipmentthatviolatesBCITpolicyornegativelyaffectsorposesathreattoafacility,normaloperations,orthereputationoftheInstitutemaybeimmediatelydisconnected,quarantined,orotherwisecontained.Institute-ownedequipmentmayalsobeseized.
ProceduresAssociatedWithThisPolicy
None.
FormsAssociatedWithThisPolicy
None.
AmendmentHistory
1. Created 2009Jan272. Revision1 2016Oct04
ScheduledReviewDate
2021Oct04