Policy Policy Information Security Policy No.: 3502 Category: Information Technology Services Approving Body: Board of Governors Executive Division: Learning and Technology Services Department Responsible: Information Technology Services Current Approved Date: 2016 Oct 04 Directory of Records Classification 0650−10 1 of 24 Policy Statement BCIT is committed to taking appropriate measures to preserve the confidentiality, integrity, and availability of information and information technology (IT). This policy applies to all BCIT information and computing, communications, and networking resources connected to Institute facilities and the users of these resources. Purpose of Policy BCIT’s information, network, and other IT services are shared resources that are critical to teaching, learning, research, Institute operations, and service delivery. The purpose of this policy is to: • Protect the confidentiality, integrity, and availability of BCIT information and associated information technology • Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations • Define the roles of individuals and organizational entities involved in information security and establish the responsibilities of these roles • Ensure the reliable operation of BCIT’s information technology so that all members of the BCIT community have access to the information assets they require. Table of Contents Policy Statement 1 Purpose of Policy 1 Application of this Policy 1 Related Documents and Legislation 2 Definitions 2 Guiding Principles 5 Duties and Responsibilities 6 Procedures Associated With This Policy 24 Forms Associated With This Policy 24 Special Situations Error! Bookmark not defined. Amendment History 24 Scheduled Review Date 24 Application of this Policy This policy applies to everyone who uses BCIT information technology assets, including those who use their own personal equipment to connect to BCIT information assets.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
PolicyPolicy
Information Security
PolicyNo.: 3502Category: InformationTechnologyServicesApprovingBody: BoardofGovernorsExecutiveDivision: LearningandTechnology
ServicesDepartmentResponsible: InformationTechnologyServicesCurrentApprovedDate: 2016Oct04
DirectoryofRecordsClassification0650−10 1of24
PolicyStatement
BCITiscommittedtotakingappropriatemeasurestopreservetheconfidentiality,integrity,andavailabilityofinformationandinformationtechnology(IT).ThispolicyappliestoallBCITinformationandcomputing,communications,andnetworkingresourcesconnectedtoInstitutefacilitiesandtheusersoftheseresources.
PurposeofPolicy
BCIT’sinformation,network,andotherITservicesaresharedresourcesthatarecriticaltoteaching,learning,research,Instituteoperations,andservicedelivery.Thepurposeofthispolicyisto:• Protecttheconfidentiality,integrity,andavailabilityofBCITinformationandassociated
informationtechnology• Providemanagementdirectionandsupportforinformationsecurityinaccordancewith
businessrequirementsandrelevantlawsandregulations• Definetherolesofindividualsandorganizationalentitiesinvolvedininformationsecurity
andestablishtheresponsibilitiesoftheseroles• EnsurethereliableoperationofBCIT’sinformationtechnologysothatallmembersofthe
BCITcommunityhaveaccesstotheinformationassetstheyrequire.
TableofContents
PolicyStatement 1PurposeofPolicy 1ApplicationofthisPolicy 1RelatedDocumentsandLegislation 2Definitions 2GuidingPrinciples 5DutiesandResponsibilities 6ProceduresAssociatedWithThisPolicy 24FormsAssociatedWithThisPolicy 24SpecialSituations Error!Bookmarknotdefined.AmendmentHistory 24ScheduledReviewDate 24
ApplicationofthisPolicy
ThispolicyappliestoeveryonewhousesBCITinformationtechnologyassets,includingthosewhousetheirownpersonalequipmenttoconnecttoBCITinformationassets.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 2of24
PolicyPolicyRelatedDocumentsandLegislation
BCITPolicies:1504,StandardsofConductandConflictofInterest3501,AcceptableUseofInformationTechnology5102,StandardsofNon-academicConduct6601,IntellectualProperty6700,FreedomofInformationandProtectionofPrivacy(FOIPOP)6701,RecordsManagement7506,CopyrightCompliance7525,ProtectionofEquipment,PropertyandInformation7530,EmergencyResponseLegislationapplicabletothispolicyincludes:• BCCollegeandInstituteAct• BCFreedomOfInformationandProtectionofPrivacy(FOIPOP)Act• BCPersonalInformationProtection(PIP)Act• TheCriminalCodeofCanada• CanadaCopyrightAct.
Definitions
Account:establishesarelationshipbetweenauserandasetofinformationassets.Byloggingintoanaccount,theuserisauthorizedtoperformaspecifiedsetofactionsagainstacorrespondingsetofinformationassetsforthetimetheuserremainsauthenticatedtotheaccount(forthatloginsession).Asset:anythingthathasvaluetotheInstitute.AssetCustodian:theBCITemployeeresponsibleforlocatingaphysicalinformationasset(i.e.equipment)uponrequest.Allinformationassetsmusthaveanassignedcustodian.Authorization:thegrantingofpermissioninaccordancewithapprovedpoliciesandprocedurestoperformaspecifiedactiononanITasset.AuthorizedUser:auserwhoisauthorizedtoperformthespecifiedactiononanasset.Partoftheauthorizationprocessmayrequirethatthepersonexhibitthenecessaryqualificationstoperformtheaction.BCITInternalUse:asdefinedinsection2.2InformationClassification.BusinessContinuity:theInstitute’sabilitytomaintainorrestoreitsbusinessandacademicserviceswhensomecircumstancethreatensordisruptsnormaloperations.Itencompassesdisasterrecoveryandincludesactivitiessuchasassessingriskandbusinessimpact,prioritizingbusinessprocesses,andrestoringoperationstoa“newnormal”afteranevent.SeePolicy7530,EmergencyResponseformoreinformation.ConfidentialInformation:asdefinedinsection2.2InformationClassification.Control:ameansofmanagingrisk,includingpolicies,procedures,guidelines,practices,ororganizationalstructures,whichcanbeofadministrative,technical,management,orlegalnature.Note:Controlisalsousedasasynonymforsafeguardorcountermeasure.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 3of24
PolicyPolicyData:itemsrepresentingfactsthatconsistoftext,numbersorimagesandstoredinelectronicinformationsystems.Dataaretherawmaterialsthatareprocessedorinterpretedtocreateinformation.Institutedataisalldatarelatedto,receivedby,orcreatedbyBCIT.DenialofService:actionsthatintentionallypreventanyInformationProcessingFacilityfromfunctioninginaccordancewithitsintendedpurposeDisasterRecovery:referstotheactivitiesthatrestoretheInstitutetoanacceptableconditionaftersufferingadisaster.SeePolicy7530,EmergencyResponseformoreinformation.Encryption:theprocessofobscuringinformationtomakeitunreadablewithoutspecialknowledge(i.e.,“scrambling”theinformation).Thatspecialknowledgeisoftena“key”thatisusedtodecrypttheinformationsoitcanberead.Conceptually,thekeyissimilartoapasswordthatprovidesaccesstotheencryptedinformation.Equipment:informationtechnologyequipment.ExternalParty:anorganizationoranindividualwhoisnotanemployeeorstudentwhorequiresaccesstoBCIT’sinformationassets,excludingpublicassets.Firewall:asystemdesignedtopreventunauthorizedaccesstoorfromaprivatenetworkorbetweennetworkzones.InactiveAccount:anaccountthathasremainedunusedfortheperiodoftimespecifiedinGuideline3502,InformationSecurity.Information:includesallformsofdata,documents,records,communications,conversations,messages,recordings,andphotographs.Itincludeseverythingfromdigitaldataandemailtofaxesandtelephoneconversations.InformationAsset:anassetthatiscomprisedofinformationorofequipmentorsystemsfortheprocessingofinformation.InformationOwner:theBCITemployeewhoclassifiesthespecifiedinformation.InformationProcessingFacilities:anyinformationprocessingsystem,serviceorinfrastructure,orthephysicallocationshousingthem.InformationSecurity:thepreservationofconfidentiality,integrity,andavailabilityofinformation.Confidentialityensuresthatinformationisaccessibleonlytothoseauthorized.Integrityinvolvessafeguardingtheaccuracyandcompletenessofinformationandprocessingmethods.Itmayalsoincludeauthenticity,auditability,accountability,non-repudiation,andreliabilityofinformation.AvailabilityensuresthatauthorizedusershaveaccesstoITassetswhenrequired.InformationSecurityFramework:acomprehensiveapproachtopreserveinformationsecurityincluding:
� Organizationalstructureswithclearlydefinedrolesandresponsibilities� Riskassessmentandimpactanalysis� Guidingprinciples� Policies,guidelines,andprocedures� Controlsandcountermeasures� Informationsecurityawarenessincludingeducationandtraining� Ongoingmonitoringofinformationsecurity
InformationSecurity3502
DirectoryofRecordsClassification0650−10 4of24
PolicyPolicy� Resourcessuchasfinancialandhumanresourcesrequiredtoimplementthesecurity
framework� Periodicreviewsandassessmentoftheframeworkincluding,whereappropriate,
reviewsbyindependentthirdparties.InformationSecurityIncident:anidentifiedoccurrenceofasystem,service,ornetworkstateindicatingapossibleorpendingbreachofinformationsecurityorbreachofacceptableuseorfailureofsafeguardsorapreviouslyunknownsituationthatmaybesecurityrelevant.TechnicalInfrastructureServices(TIS)Manager:overseestheInstitute'sInformationSecurityprogram.Thisincludesprovidingleadershipandguidanceininformationsecurityandinformationriskmanagement,developinginformationsecuritypoliciesandguidelines,andoverseeingtheinformationsecurityincidentresponseteam.ITAdministrator:thepersonresponsibleforconfiguringaccesstoandmonitoringaccess,usage,andperformanceofaninformationasset,includingsystemadministrator,networkadministrator,applicationadministrator,anddatabaseadministrator(DBA).LeastPrivilege:theprinciplethatrequireseachusertobegrantedthemostrestrictivesetofprivilegesneededfortheperformanceofauthorizedtasks.LoginSession:aperiodbetweenauserlogginginandloggingoutofanaccount.MaliciousCode:includesallprograms(includingmacrosandscripts)thataredeliberatelycodedtocauseanunexpectedorharmfulevent.Media:includesremovablemediaandfixedstoragedevices.MobileDevice:anyelectronicdevicethatisportableandcontainsorhastheabilitytocontaininformationorprovidestheabilitytoaccessortransmitPersonalorConfidentialinformation.Examplesincludelaptop,tabletPC,PDA,RIMBlackBerry,andPalmTreo.NetworkEquipment:anyhardwareorsoftware,excludingworkstationsandserversunlessconfiguredtoprovidenetworkservices,thattransmitsorfacilitatesthetransmissionofinformation,includingswitches,hubs,routers,bridges,firewalls,modems,wirelessaccesspoints,DHCP,WINS,andDNSservers.NetworkZone:Differentnetworks,andoftendifferentsegmentsofagivennetwork,havediversesecuritycharacteristicsandrequirements.Forsecurity,eachnetworkmustbedividedintooneormorelogicalnetworkzones.Eachnetworkzoneisalogicallyconnectedpartofthenetwork,whosesecurityismanagedinacoherentfashion.Definedzonesinclude:• AdministrativeZone–forkeybusinessusersandsystems• AcademicZone–forfacultyandstudentsforthepurposesofteaching• ResidenceZone–forstudentsinresidence• DMZ–forsystemsconnectedtotheInternetorotheroutsidenetwork.Password:thesequenceofcharactersandnumbersusedtoauthenticateauser’sidentity,whichisknownonlytothatuser.PersonalInformation:asdefinedinsection2.2InformationClassification.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 5of24
PolicyPolicyPublicAssets:designatedBCITinformationassetsthatareavailabletomembersofthepublicwithauthorizationrequired.Examplesincludekiosksandthepublicwebsite.PublicInformation:asdefinedinsection2.2InformationClassification.Record:SeePolicy6701,RecordsManagementfordefinitionofarecord.RemovableMedia:Informationstoragedevicesthatarenotfixedinsideacomputer.Examplesincludeexternalharddrives,CD-ROMs,DVDsandUSBflashdrives.Server:acomputerwhosefunctionistoprovideservices(e.g.,accesstofiles,printing,andsharedapplicationsincludingwebsites;databasemanagement;communications;andaccesstoPersonalorConfidentialinformation)onwhichendusersdependonanongoingbasis.ComputersthatareusedtoprovidenetworkservicessuchasDHCP,DNS,andLDAPareconsideredtobenetworkequipmentandarenotserversforthepurposeofthispolicy.StudentServer:acomputersetupbyfacultyorstudentsaspartofacoursetoteachservertechnologyandprinciples.System:acollectionofcomponentsincludinghardwareandsoftwaredesignedtostore,process,ortransmitinformationinsupportofabusinessoutcome.SystemOwner:theBCITemployeeresponsibleforagivensystem.Threat:apotentialcauseofanunwantedincident,whichmayresultinharmtoasystemororganization.User:apersonwhoperformsanyactiononaninformationasset.Vulnerability:aweaknessofanassetorgroupofassetsthatcanbeexploitedbyoneormorethreats.
GuidingPrinciples
1. Bynature,apost-secondaryeducationinstituteneedstoshareinformationforthepurposeofdeliveringeducation.Securitymeasuresmustbeimplementedinamannerthatenablesappropriateinformationexchange.
2. Securityresponsibilitiesandaccountabilitymustbeclearlydefinedandacknowledged.3. Usersarepersonallyaccountablefortheprotectionofinformationassetsundertheir
controlandmusttakeappropriatemeasurestoprotecttheconfidentiality,integrity,andavailabilityoftheassets.
4. Usersshouldhavesufficienttrainingtoallowthemtoproperlyprotectinformationassets.5. Securitycontrolsmustbecost-effectiveandinproportiontotherisksandthevalueofthe
assetsthatneedtobeprotected.6. Securityismulti-disciplinaryandrequiresacomprehensiveandintegratedapproach
coveringeveryaspectofBCIT’soperations.7. Allpartiesshouldactinatimely,coordinatedmannertopreventandrespondtosecurity
incidents.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 6of24
PolicyPolicy8. Securitymustbeperiodicallyassessedtoensurethatadequatemeasuresareinplaceto
protecttheassetsofBCIT.
9. Permissionsareassignedsothattheleastamountofprivilegerequiredtofulfillthebusinessfunctionisgiven(leastprivilege).
10. Nosinglemechanismmayprotectanassetfromunknownthreats.Wherewarranted,
multiplelayersofcontrolsshouldbeemployedtoreducetheriskoffailureofanysinglemeasure(defenceindepth).
11. Compromiseofoneassetshouldnotleadtothefurthercompromiseofotherassets
(compartmentalization).12. Manyinformationsystemshavenotbeendesignedwithsecurityinmind.Whereadequate
securitycannotbeachievedthroughtechnicalmeans,alternatecontrolsmustbeimplemented.
DutiesandResponsibilities
1. OrganizationofInformationSecurity1.1 InternalOrganization
1.1.1 ManagementCommitmenttoInformationSecurityTheBoardofGovernorsandBCITExecutiveactivelysupportinformationsecuritywithintheorganization.
1.1.2 AllocationofInformationSecurityResponsibilitiesBoardofGovernorsTheBCITBoardofGovernorsisaccountablefortheestablishmentofanInformationSecurityFrameworkfortheInstitute.BCITExecutiveTheBCITExecutiveisresponsibleforrecommendinganappropriateInformationSecurityFrameworktotheBoardofGovernorsandforprovidingongoingexecutiveoversightoftheframework,includingperiodic,independentreviews.TechnicalInfrastructureServices(TIS)ManagerTheTISManagerisresponsiblefor:� RecommendinganappropriateInformationSecurityFrameworkto
theBCITExecutive� Providingday-to-daymonitoringoftheframework� InformingtheBCITExecutiveofsecurityrisksandmanagementplans� Establishingappropriatecontactswithsecurityforums,professional
associations,andothergroupswithspecialistinterestsininformationsecurity.
BCITManagementMembersofBCITManagementareresponsibleforensuringthatemployeesandothersundertheirsupervisionareawareoftheirinformationsecurityresponsibilities.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 7of24
PolicyPolicy
DutiesandResponsibilities
InstructorsandTeachingFacultyInstructorsandTeachingFacultyareresponsibleforensuringthatstudentsundertheirsupervisionareawareoftheirinformationsecurityresponsibilities.InformationOwnersInformationOwnersareresponsibleforclassifyinginformationinaccordancewithpoliciesandguidelines.Allinformationmusthaveanassignedinformationowner.SystemOwnersSystemownersareaccountableforensuringthatsystemsareassessedforsecurityrequirementsincludingthoseflowingfromlegislativeandcontractualobligations.Systemownersarealsoaccountableforensuringthatsystemsaredesigned,configured,implemented,operated,maintained,upgraded,anddecommissionedconsistentwiththeestablishedsecurityneeds.Allsystemsmusthaveanassignedsystemowner.SystemownersmustensureanITadministratorisassignedtoeachassetcomprisingthesystem.AssetCustodiansAssetcustodians,uponrequest,mustbeabletodeterminethelocationofinformationassetsundertheircustodianshipandmustensurethatassetstransferredfromtheircustodianshipareclearlyassignedtothenextcustodian.Allphysicalassetssuchasinformationtechnologyequipmentmusthaveanassignedcustodian.ITAdministratorsITAdministratorsareresponsibleforconfiguringthesecurityfeaturesoftheassetsundertheiradministrationinaccordancewithpolicy,guidelines,andotherrequirements.AllassetswithconfigurablesecuritycharacteristicsmusthaveanassignedITAdministrator.InformationTechnologyServicesAsthecentralproviderofInformationTechnology,theITSDepartmentisresponsiblefor:� Networkmanagementandoperationincludingtheestablishmentof
networkzonesandcompartmentalization� Delegationofadministrationofanetworkzoneonlywhen
appropriatecontrolsareinplaceinthedelegatedorganization� Maintainingacatalogueofcoreservicesincludingclearlyarticulated
servicelevelexpectations� ContinuityofcoreenterpriseclassITinfrastructureaspartofthe
Institute’soverallbusinesscontinuityframework.
SafetyandSecurityDepartmentTheSafetyandSecurityDepartmentisresponsiblefor:� ThephysicalsecurityofBCITfacilitiesincludingaccesscontrolto
buildingsandrooms� Overallemergencyresponse,disasterplanning,andbusiness
InformationSecurity3502
DirectoryofRecordsClassification0650−10 8of24
PolicyPolicy
DutiesandResponsibilities
continuityplanning� Contactwithauthorities.
MarketingandCommunicationsDepartmentTheMarketingandCommunicationsDepartmentisresponsiblefor:� ProtectionofBCIT’sbrandfrominformationsecuritythreats� Communicationswiththemediaintheeventofaninformation
securityincident� PoliciesandproceduresforuseofBCITdomainnames.
HumanResourcesTheHumanResourcesDepartmentisresponsiblefor:
• Documentinginformationsecurityrequirementsinjobdescriptions
• Screeningofemployees• Coordinatingtheterminationofemployees,ensuringall
departmentsareappropriatelynotified.RecordsManagementOfficeTheRecordsManagementOfficeisresponsibleforensuringthattheDirectoryofRecordsaccuratelyreflectstheclassificationofrecords.Information,AccessandPrivacyInformation,AccessandPrivacyisresponsibleforexchangeagreementsthatinvolvetheexchangeofPersonalinformation.FinancialServicesDepartmentTheFinancialServicesDepartmentisresponsibleforensuringcontrolsareinplacetoprotectthesecurityoffinancialinformationand,inparticular,toensuretheintegrityoffinancialinformation.RiskManagerTheRiskManagerisresponsibleforidentifyingandassessingoverallriskforBCIT.UsersAllusersareresponsiblefor:� Takingappropriatemeasurestopreventloss,damage,abuse,or
unauthorizedaccesstoinformationassetsundertheircontrol� Promptlyreportingallactsthatmayconstituterealorsuspected
breachesofsecurityincluding,butnotlimitedto,unauthorizedaccess,theft,systemornetworkintrusions,willfuldamage,andfraud
� Lookingafteranyphysicaldevice(tools,computers,vehicles,etc.)andaccessarticles(keys,IDcards,systemIDs,passwords,etc.)assignedtothemforthepurposesofperformingtheirjobduties,takingcourses,conductingresearch,orotherwiseparticipatingwithintheInstitute
� Respectingtheclassificationofinformationasestablishedbytheinformationowner
� Complyingwithallthesecurityrequirementsdefinedinthis
InformationSecurity3502
DirectoryofRecordsClassification0650−10 9of24
PolicyPolicy
DutiesandResponsibilities
document� ComplyingwithotherrelatedpoliciesincludingPolicy3501,
AcceptableUseofInformationTechnology.
1.2 ExternalParties1.2.1 IdentificationofRisksRelatedtoExternalPartiesorStudents
TheriskstotheInstitute’sinformationassetsrelatingtoexternalpartiesorstudentsmustbeidentifiedandappropriatecontrolsimplementedbeforegrantingaccess.
1.2.2 AddressingSecurityinExternalPartyAgreementsAccesstoBCITinformationassets,exceptpublicassets,mustnotbegrantedtoexternalpartieswithoutacontractualagreementthatbindsthemtoBCITpolicies.
2. AssetManagement2.1 ResponsibilityforAssets
Eachpieceofequipmentmusthaveanassignedassetcustodian.Uponrequestassetcustodiansmustbeabletolocatetheequipmentassignedtothem.Ifcustodiansaretopassthecustodyoftheequipmenttoanotherperson,theyareresponsibleforensuringtherecordofcustodianshipisupdated.Ifacustodianbecomesunavailableunexpectedly,thisresponsibilityfallstotheoperationsmanageroftheirdepartmentorschool.2.1.1 InventoryofAssets
Aninventoryofassetsmustbemaintained.
2.1.2 AcceptableUseofAssetsSeePolicy3501,AcceptableUseofInformationTechnology.
2.2 InformationClassification2.2.1 InformationOwnership
Allinformationmusthaveadesignatedinformationowner.Forcompleteinformationaboutestablishinginformationownership,seeGuideline3502,InformationSecurity.
2.2.2 ClassifyingInformationAllInstituteinformationmustbeclassifiedaccordingtoitsrequirementsforconfidentiality,integrity,andavailability.TheinformationownerisresponsibleforclassifyingtheinformationaccordingtoGuideline3502,InformationSecurity.Classificationmustbereviewedonaregularbasis.
2.2.3 ConfidentialityClassificationsThefollowingconfidentialityclassificationsdeterminehowInstituteinformationmustbeshared,handledandstored:� Public–informationthatisavailabletothegeneralpublicandis
routinelydisclosed
InformationSecurity3502
DirectoryofRecordsClassification0650−10 10of24
PolicyPolicy
DutiesandResponsibilities
� BCITInternalUse–informationthatisavailabletoauthorizedusersandisnotroutinelydisclosed.Bydefault,dataisBCITInternalUseuntilitisassessedandotherwiseclassified
� Confidential–informationthatcontainssensitiveInstituteinformationandthatisavailabletoauthorizedusers.AformalFOIPOPrequestisrequiredfornon-routinedisclosure
� Personal–informationthatcontainssensitivepersonalinformationandisavailabletoauthorizedusersonly.AformalFOIPOPrequestisrequiredfornon-routinedisclosure.
2.2.4 BusinessContinuityClassifications
Inadditiontotheconfidentialityclassifications,Policy7530,EmergencyResponsegovernstheclassificationofinformationforbusinesscontinuitypurposes.Eachinformationownermustclassifyinformationforthepurposesofbusinesscontinuity.
2.2.5 LabellingInformationBothhardcopyandelectronicinformationmustbeclearlylabelledwithitsconfidentialityclassificationsothatauthorizedusersareawareoftheclassification.Forcompletedetailsonhowtolabelinformation,seeGuideline3502,InformationSecurity.
2.3 InformationHandlingAuthorizedusersmustcarryoutalltasksrelatedtothecreation,storage,maintenance,cataloguing,use,dissemination,anddisposalofInstituteinformationresponsibly,inatimelymanner,andwiththeutmostcare.Usersmustnotknowinglyfalsifyinformationorreproduceinformationthatshouldnotbereproduced.2.3.1 SharingInstituteInformation
Personal,Confidential,andBCITInternalUseinformationmayonlybesharedwithotherauthorizedusers,onaneedtoknowbasis.
2.3.2 StoringInformationInformationclassifiedasPersonalorConfidentialmustbeencryptedandstoredwithaccesslimitedtoauthorizedusers.SecurestorageofInstituteinformationisajointresponsibilityofsystemowners,ITadministrators,databasedesigners,applicationdesigners,andtheinformationowner.
2.3.3 PrintingofPersonalorConfidentialInformationInformationclassifiedasPersonalorConfidentialmustneverbesenttoasharedprinterwithoutanauthorizeduserimmediatelypresenttoretrieveitandhencesafeguarditsconfidentialityduringandafterprinting.
2.3.4 CollectionandUseofPersonalInformationThecollection,use,storage,andtransmissionofPersonalinformationusingBCITinformationtechnologyresourcesmustbeincompliancewiththeB.C.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 11of24
PolicyPolicy
DutiesandResponsibilities
FreedomofInformationandProtectionofPrivacyActandwithPolicy6700,FreedomofInformationandProtectionofPrivacy.
2.3.5 DeletingInformationCreatedorOwnedbyOthersInformationistobeprotectedagainstunauthorizedoraccidentalchanges,andmayonlybedeletedinaccordancewithproceduresestablishedbytheinformationownerandinaccordancewithrecordsmanagementprocedures.
3. HumanResourcesSecurity3.1 PriortoEmployment
3.1.1 RolesandResponsibilitiesSecurityrolesandresponsibilitiesofemployeesmustbedefinedanddocumentedinjobdescriptions.
3.1.2 ScreeningBackgroundverificationchecksonallcandidatesforemployment,andexternalpartiesmustbecarriedoutinaccordancewithrelevantlaws,regulationsandethics,andproportionaltothebusinessrequirements,theclassificationoftheinformationtobeaccessed,andtheperceivedrisks.
3.1.3 TermsandConditionsofEmploymentAllemployeesmustacknowledgetheiragreementtoabidebyPolicy3501andPolicy3502priortoreceivingaccesstoanyaccount.
3.2 DuringEmployment3.2.1 InformationSecurityAwareness,Education,andTraining
Allemployeesandexternalparties,whereapplicable,mustreceiveappropriateawarenesstrainingandregularupdatesinpoliciesandprocedures.Newemployeesmustreceivesecuritytrainingaspartoftheirinitialorientation.
3.2.2 ChangeofRoleChangeofresponsibilitiesmustbemanagedasaterminationoftherespectiveresponsibilitiesandtheassignmentofnewresponsibilitiesasdescribedinsection3.1PriortoEmployment.
3.3 TerminationofEmployment3.3.1 TerminationResponsibilities
Anemployee’scontinuingobligationstoinformationsecuritymustbecommunicatedinwritingatterminationofemployment.
3.3.2 ReturnofAssetsAllemployeesandexternalpartiesmustreturnalloftheInstitute’sassetsintheirpossessionuponterminationofemployment,contract,oragreement.Theassetcustodianisresponsibletoensurethecorrespondingassetinventoriesareupdated.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 12of24
PolicyPolicy
DutiesandResponsibilities
3.3.3 RemovalofAccessRightsOnleavingemployment,allemployee-basedaccessmustbedisabledattheendoftheemployee’slastday,orsooner,basedonsecurityrequirements.
4. PhysicalandEnvironmentalSecurity4.1 SecureAreas
4.1.1 PhysicalSecurityPerimeterSecurityperimeterswithwell-definedaccesspoints(barrierssuchaswall,cardcontrolledentry)mustbeusedtoprotectareasthatcontainPersonal,Confidential,orBCITInternalUseinformationandinformationprocessingfacilities.Protectionprovidedmustbecommensuratewithidentifiedrisks.Mobiledevicesandremovablemediaareexcludedprovidedtheinformationisencryptedaspersection5.7.2EncryptionofInformationonRemovableMedia.
4.1.2 PhysicalEntryControlsAreasrequiringhigherlevelsofsecuritymustbeprotectedwithappropriateentrycontrolstoensurethatonlyauthorizedusersareallowedaccess.
4.2 EquipmentSecurity4.2.1 EquipmentSitingandProtection
Thesiteschosentolocateequipmentorstoreinformationmustbesuitablyprotectedfromphysicalintrusion,temperaturefluctuations,theft,fire,flood,andotherhazards.
4.2.2 PhysicalSecurityofEquipmentAssetcustodiansareaccountable(eitherdirectlyorbydelegationofresponsibility)toensurethephysicalsecurityofassignedequipmentregardlessofwhethertheequipmentislocatedonoroffBCITcampuses.
4.2.3 MobileDevicesBCITownedmobiledevicesmustbeissuedonlytoauthorizedusers.Theyaretobeusedonlybyauthorizedusersandonlyforthepurposeforwhichtheyareissued.Theinformationstoredonthemobileequipmentistobesuitablyprotectedfromunauthorizedaccessatalltimes.Whenusingmobiledevices,encryptionstandardsmustbefollowed.Seealsosection2.3InformationHandling.
4.2.4 UseofEquipmentOn-CampusWiththeexceptionofpublicassets,onlyauthorizedusersarepermittedtouseBCITequipment.
4.2.5 SupportingUtilitiesEquipmentmustbeprotectedfrompowerfailuresandotherdisruptionscausedbyfailuresinsupportingutilities.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 13of24
PolicyPolicy
DutiesandResponsibilities
4.2.6 CablingSecurityCablingcarryinginformationorsupportinginformationservicesmustbeprotectedfrominterceptionordamage.Powerandcoolinglinesmustbeprotectedfromdamage.
4.2.7 EquipmentMaintenanceEquipmentmustbecorrectlymaintainedtoensureitscontinuedavailabilityandintegrity.
4.2.8 SecurityofEquipmentOff-CampusOnlyauthorizedusersarepermittedtotakenon-mobileBCITtechnologyequipmentoffcampus.Whennon-mobileBCITequipmentisusedoffcampus,theauthorizeduserisresponsiblefornotifyingtheassetcustodianandensuringthesecurityoftheequipmentatalltimes.
4.2.9 SecureDisposalorRe-useofEquipmentEquipmentownedorleasedbytheInstitutemayonlybedisposedoforreconditionedforreusebypersonsauthorizedtodisposeoforreconditionequipmentwhohaveensuredthattherelevantsecurityriskshavebeenmitigatedandallinformationhasbeenrenderedunrecoverable.
5. CommunicationsandOperationsManagement5.1 OperationalProceduresandResponsibilities
5.1.1 DocumentedOperatingProceduresOperatingproceduresmustbedocumented,maintained,andmadeavailabletoalluserswhoneedthem.
5.1.2 ChangeManagementChangestoinformationprocessingfacilitiesandsystemsmustbecontrolledthroughappropriatechangecontrolmechanisms.
5.1.3 SegregationofDutiesDutiesandareasofresponsibilitymustbesegregatedtoreduceopportunitiesforunauthorizedorunintentionalmodificationormisuseoftheInstitute’sassets.
5.1.4 SeparationofDevelopment,Test,andOperationalFacilitiesDevelopment,test,andoperationalfacilitiesmustbeseparatedtoreducetherisksofunauthorizedaccessorchangetotheoperationalsystem.
5.2 ExternalPartyServiceDeliveryManagementBCITsecurityrequirementsmustbeincorporatedintocontractualrelationshipswithexternalparties.Compliancetosecurityrequirementsmustbemonitoredonanongoingbasis.
5.3 SystemPlanningandAcceptanceAcceptancecriteriafornewinformationsystems,upgrades,andnewversionsmustbeestablishedandsuitabletestsofthesystem(s)carriedoutduringdevelopment
InformationSecurity3502
DirectoryofRecordsClassification0650−10 14of24
PolicyPolicy
DutiesandResponsibilities
andpriortoacceptance.
5.4 ProtectionagainstMaliciousCodeRisksfrommaliciouscodetotheInstitute'ssystemsandinformationmustbeminimizedbyfosteringemployeeawareness,encouragingemployeevigilance,anddeployingappropriateprotectivesystemsanddevices.ITadministratorsmustinformrelevantpartiesofthreatsandcountermeasurestheycantaketoprotecttheInstitute’ssystemsandinformation.UsersmuststayinformedaboutthreatsandtakereasonableprecautionsinusingInstituteITresourcesinordertominimizeopportunitiesforattacks.ITadministratorsmustprepareandmaintaincontingencyplansforadenialofserviceattackandperiodicallytesttheirplanstoensureadequacy.5.4.1 DefendingagainstMaliciousAttack
Systemhardware,operatingsystemandapplicationsoftware,networks,andcommunicationsystemsmustallbeadequatelyconfiguredandsafeguardedagainstbothphysicalattackandunauthorizednetworkintrusion.
5.4.2 DownloadingFilesandInformationfromtheInternetUsersareresponsibleforallinformationandfilestheydownloadfromtheInternet(orotherexternalnetworksorfromonenetworkzonetoanother)andmustsafeguardagainstbothmaliciouscodeandinappropriatematerial.SeealsoGuideline3502,InformationSecurity.
5.4.3 ReceivingElectronicMail(Email)Usersmusttreatincomingemailwiththeutmostcareduetoitsinherentinformationsecurityrisks.Theopeningoffilesorotherattachmentsthatarefromanunknownsourceisnotpermittedunlesstheuserfirstscanstheattachmentsforpossiblevirusesorothermaliciouscode.SeeGuideline3501,AcceptableUseofInformationTechnology.
5.5 BackupSystemownersareresponsibleforestablishingtheextent,frequency,andretentionofsystembackupswhichmustreflectthebusinessrequirementsoftheInstitute,thesecurityrequirementsoftheinformationinvolved,andthecriticalityoftheinformationtothecontinuedoperationoftheInstitute.SeealsoGuideline3502,InformationSecurity.ITadministratorsareresponsibleforconfiguringinformationassetstomeetbackuprequirements.5.5.1 BackupsmustbeSecuredandTested
Backupsmustbesecuredinaccordancewiththeclassificationoftheinformationtheycontain.Backupsmustbeperiodicallytestedtoensurethedataisrecoverable,andrecordsmustbekeptofthetests.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 15of24
PolicyPolicy
DutiesandResponsibilities
5.5.2 BackupsmustnotbeUsedinLieuofOtherControlsBCITbackupfacilitiesarenotintendedtoreplacerecordsmanagementcontrolsorprovideaudittrails.
5.5.3 RecoveringandRestoringInformationSafeguardsmustbeinplacetoprotecttheintegrityofdatafileswhenrecoveringandrestoringdatafiles,especiallywhererestoredfilesmayreplacemorerecentfiles.
5.6 NetworkSecurityManagementNetworksmustbeadequatelymanagedandcontrolledinordertobeprotectedfromthreatsandtomaintainsecurityforthesystemsandapplicationsusingthenetworks,includinginformationintransit.AllequipmentconnectedtothenetworkissubjecttoallBCITpolicies.Personalequipmentthatwillbeconnectedtothenetworkmayalsobesubjecttoinspectionpriortoconnectioninordertoverifythatsecurityrequirementsaremet.5.6.1 NetworkControls
Specialcontrolsmustbeestablishedto:� Safeguardtheconfidentialityandintegrityofdatapassingover
publicnetworksoroverwirelessnetworks� Protectnetworkequipment,theconnectedsystems,and
applications� Maintaintheavailabilityofthenetworkservicesandcomputers
connected� Applyappropriateloggingandmonitoringtoenablerecordingof
securityrelevantactions.
5.6.2 UserAuthenticationforExternalConnectionsRemoteaccesscontrolproceduresmustprovideadequatesafeguardsthroughrobustidentification,authentication,andencryptiontechniques.RemoteaccesstoBCITnetworksisonlythroughthetechnologyapprovedbytheTISManager.
5.6.3 RemoteConfigurationandDiagnosticPortProtectionPhysicalandlogicalaccesstoconfigurationanddiagnosticportsmustbecontrolled.
5.6.4 SegregationinNetworks–NetworkZonesEachnetworkzonemust:� Haveclearguidelinesastotheintendeduseofthezoneandits
securitycharacteristics� Besufficientlysecureforintendeduses� Becompartmentalizedsoasnottobeameansforintrusioninto,or
interferencewith,BCITsystemsorothernetworks� Haveredundancy,backupandrecoverymeasures,andcontingency
plansinplacetoensurethatnetworkservicesareavailableonasufficientlytimelybasistosupporttheintendeduses
InformationSecurity3502
DirectoryofRecordsClassification0650−10 16of24
PolicyPolicy
DutiesandResponsibilities
� Havedocumentationcoveringitstopology,configuration,andgatewaystoexternalnetworksandnodes,aswellastheconnecteddevicesandindividualsresponsible.
Equipment,otherthanapprovednetworkequipment,mustnotbeattachedtotwonetworkzonessimultaneously.Thisistopreventuncontrolledflowoftrafficbetweenzonesandtopreservecompartmentalization.
5.6.5 NetworkConnectionControlNetworkequipmentmustnotbeconnectedtoBCITnetworkswithoutapprovalfromITServices.SystemsandequipmentconnectedtotheBCITnetworkmustbeconfiguredtominimizethepossibilityofbypassingaccesscontrols.ITadministratorsareresponsibleforimplementingsuchprecautions.SeeGuideline3502,InformationSecurityforconfigurationdetails.
5.6.6 IPAddressAssignmentIPaddressesonBCITnetworksmustnotbeassignedorusedwithoutpermissionfromITServices.(AutomatedassignmentofanIPaddressbyanITScontrolledDHCPserverconstitutespermission.)
5.6.7 DomainNameRegistrationandUseEmployeesandstudentsarenotpermittedtoregisterdomainnamesthatincludeBCIT,BritishColumbiaInstituteofTechnology,oranyvariationswithoutpriorauthorizationoftheMarketingandCommunicationsDepartment.ThirdpartyagreementlanguagemustincludeprotectionforBCITdomainnames.Seesection1.2.2AddressingSecurityinExternalPartyAgreements.Allwebsitesthataresub-domainsofaBCITdomainorassignedtoaBCITownedIPrangemustbeauthorizedbytheMarketingandCommunicationsDepartmentpriortodevelopment.
5.6.8 ServerPlacementinNetworksServersthatareconnectedtotheBCITnetworkmustbeplacedinalocationandnetworkzonethatislogicallyandphysicallysecurecommensuratewiththevalueoftheserviceprovidedandthesensitivityoftheinformationaccessiblethroughthesystem.Allaccesstothisequipmentmustbeloggedtofacilitateauditing.SeeGuideline3502,InformationSecurityforminimumloggingstandards.StudentserversmayonlybeattachedtotheAcademicZoneandmustnotbeattachedtotheAdministrativeZone.
5.6.9 ServersAccessiblefromExternalNetworksAllserversthatareaccessibletoanexternalnetwork(includingtheInternet)mustreceivepermissionfromtheTISManager.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 17of24
PolicyPolicy
DutiesandResponsibilities
5.6.10 SecurityofNetworkServices
Securityfeatures,servicelevels,andmanagementrequirementsforeachnetworkzonemustbeidentifiedandincludedinanyservicelevelagreement,whethertheseservicesareprovidedin-houseoroutsourced.
5.7 HandlingofMediaandHardcopy5.7.1 MediaandHardcopyHandlingProcedures
Proceduresmustbedrawnupandfollowedforhandling,processing,storing,transporting,transmitting,anddisposalorreuseofmediaandhardcopy.Theseproceduresmustbeconsistentwithsecurityguidelines.Fordetails,seeGuideline3502,InformationSecurity.
5.7.2 EncryptionofInformationonRemovableMediaPersonalorConfidentialinformationmustbeencryptedwhenstoredonremovablemediainaccordancewithsection2.3InformationHandlingandProcedure3502,InformationSecurity.
5.7.3 DisposalorReuseofMediaAllmediamustbedisposedoforpreparedforreuseinsuchamannerthatitisimpossibletorecovertheinformation.
5.7.4 ShreddingofUnwantedHardcopyAllhardcopiescontainingPersonalorConfidentialinformationaretobesecurelyshreddedwhennolongerrequired.Wheretheinformationconstitutesarecord,seealsoProcedure6701-PR1,RecordsManagement.
5.7.5 UsingExternalDisposalFirmsAnyexternalpartyusedfordisposalofBCIT’smediaandhardcopymusthaveacontractualagreementaccordingtosection1.2.2AddressingSecurityinExternalPartyAgreements.
5.7.6 SecurityofSystemDocumentationSystemdocumentationmustbeprotectedagainstunauthorizedaccess.
5.8 ExchangeofInformation5.8.1 InformationExchangePoliciesandProcedures
Formalinformationexchangepolicies,procedures,andcontrolsmustbeinplacetoprotecttheexchangeofinformationthroughtheuseofalltypesofcommunication.
5.8.2 TransmittingInformationacrossNetworksAllPersonalorConfidentialinformationmustbeencryptedintransit,includingbyemail,electronicdatainterchange,orotherformsofinterconnectionofbusinesssystems.ControlsmustbeputinplacetoverifytheintegrityoftransmittedPersonalorConfidentialinformationandtheidentitiesofsenderandreceiver.SeeGuideline3502,InformationSecurity.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 18of24
PolicyPolicy
DutiesandResponsibilities
5.8.3 PersonsGivingInformationovertheTelephoneTheidentityandauthorizationofcallersmustbeverifiedbeforePersonalorConfidentialinformationisprovidedoverthetelephone.
5.8.4 ExchangeAgreementsAgreementsmustbeestablishedfortheexchangeofPersonalorConfidentialinformationbetweentheInstituteandexternalpartiesotherthanforregulatoryorlegislativerequirements.
5.8.5 RemovableMediainTransitRemovablemediacontaininginformationmustbeprotectedagainstunauthorizedaccess,misuseorcorruptionduringtransportation.ThetransportationofremovablemediacontainingPersonalorConfidentialinformationmustbelogged.Theremovablemediamustbeaddressedtotheintendedrecipientandreceiptmustbeconfirmedandlogged.
5.9 ElectronicCommerceServicesControlsarenecessarytocovertheadditionalsecurityrequirementsassociatedwithusingorprovidingelectroniccommerceservices.Informationinvolvedinelectroniccommercemustbeprotectedfromfraudulentactivity,contractdispute,andunauthorizeddisclosureandmodification.ElectroniccommercesystemsmustmeetPaymentCardIndustry(PCI)standardswhereappropriate.5.9.1 ApprovalofElectronicCommerceSystems
EachelectroniccommercesystemrequiresapprovalfromtheChiefFinancialOfficer(CFO)priortoimplementation.
5.9.2 PersonalPaymentInformationAllsystemsstoringorprocessingpersonalpaymentinformation,includingcreditcardnumbersandbankaccountnumbers,requireapprovalfromtheCFOpriortoimplementation.
5.10 Monitoring5.10.1 Logging
Logsrecordingsecurityrelevantuseractivities,exceptions,andinformationsecurityeventsmustbeproducedandkeptfortheperiodspecifiedintheguidelinesforaccesscontrolmonitoringandtoassistinfutureinvestigations.SeeGuideline3502,InformationSecurity.
5.10.2 MonitoringSystemUseLogs,includingsystemandapplicationlogs,mustbemonitoredandanomaliesinvestigated.LogsmustbereviewedregularlyforsecurityeventsbyITadministratorsanddiscrepanciesreportedtotheTISManager.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 19of24
PolicyPolicy
DutiesandResponsibilities
5.10.3 ProtectionofLogInformationLoggingfacilitiesandloginformationmustbeprotectedagainsttamperingandunauthorizedaccess.
5.10.4 AdministratorandOperatorLogsITadministratorandotherprivilegedaccountactivitiesmustbelogged.
5.10.5 ClockSynchronizationSystemclocksmustbesynchronizedregularlytoacommonsourcetosimplifythereviewandcorrelationofauditlogs.ThecommonsourceisasspecifiedbyITServices.
6. AccessControlAccountsmaybeprovisionedtoprovideaccesstoassetsincluding:networks,operatingsystems,applications,anddatabasemanagementsystems.Thissectiongovernsaccesstoalloftheseassetcategories.6.1 AccessControlPolicy
Systemownersmustestablish,document,andregularlyreviewanaccesscontrolpolicyforsystemsintheircontrolbasedonbusinessandsecurityrequirementsforaccess.
6.2 UserAccessManagementFormaluserregistrationandde-registrationproceduresmustbeusedtograntandrevokeaccesstoallinformationsystemsandservicesincludingnetworkservices,operatingsystems,applications,anddatabasemanagementsystems.Theallocationanduseofprivilegesmustberestrictedandcontrolled,andtheallocationofpasswordsandothersecuritycredentialsmustbecontrolledthroughaformalmanagementprocess.6.2.1 ReviewofAccountsandAccessRights
Systemownersmustreviewusers’accessrightsatregularintervalsusingaformalprocess.
6.2.2 InactiveAccountsInactiveaccountsmustbedisabledaftertheperiodofinactivityspecifiedinGuideline3502,InformationSecurity.
6.2.3 SessionTime-outInactivesessionsmustbeterminatedaftertheperiodofinactivitydefinedinGuideline3502,InformationSecurity.
6.2.4 AdditionalAccessProtectionsSystemsmayrequireadditionalaccessprotectionsbasedontimeofday,location,andadditionalauthenticationrequirements.SeeGuideline3502,InformationSecurity.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 20of24
PolicyPolicy
DutiesandResponsibilities
6.3 UserResponsibilitiesAllusersmustauthenticateusingtheirownaccountforagivensystem.Approvedloginproceduresmustbefollowed.6.3.1 DelegationofDuties
Wheredelegationofdutiesisrequiredtomeetabusinessneed,usersmustemployfeatureswithinthesystemwhereverpossible.Wherethesystemdoesnotprovidetheabilitytodelegate,thentheprocedurefordelegatinganaccountthroughcontrolledsharingdetailedinProcedure3502,InformationSecuritymustbefollowed.
6.3.2 ShortTermAccountsIndepartmentsthatemploytemporaryemployeesonafrequentbasis,theuseofshorttermaccountsmustfollowProcedure3502,InformationSecurity.
6.3.3 InadvertentAccesstoResourcesandInformationUsersmustnotexploitinsecureaccountsorresources,ortakeadvantageoflessknowledgeableusers.UsersmustnotreadPersonalorConfidentialinformationsimplybecauseitisaccessibletothemthroughaccidentalexposureorthroughthemaliceofotherswhohavebrokenintoasystemoraremisusingtheiraccessprivileges.Ifusersdiscoversuchanexposuretheymustreporttheexposureasasecurityincident.
6.3.4 PasswordUseTheselectionofpasswordsandtheiruse,protection,andmanagementmustfollowthecorrespondingproceduresinProcedure3502,InformationSecurity.Passwordsmustnotbesharedwithanyotherpersonatanytime.TheonlyexceptioniswhenauthorizedusersmustdelegateanaccountaccordingtoProcedure3502,InformationSecurity.BCITpasswordsmustnotbeusedforanynon-BCITaccountsorservices(suchaspersonalISPaccounts,freeonlineemailaccounts,instantmessagingaccounts,orotheronlineservices).ThispracticeensurescompartmentalizationandreducesthelikelihoodthatpasswordsobtainedfromothersystemsmaybeusedtocompromiseBCITsystems.
6.3.5 ControllingAccesstoUnattendedUserEquipmentWhenleavingacomputerormobiledeviceunattended,usersareresponsiblefor:� Preventingunauthorizedaccesstoinformationandrecordsbyeither
loggingofforusingdevicelockingsoftware� Preventingtheftofthecomputerordevicebyusingalockingdevice.
Allunattendedequipmentinpublicareasmustbephysicallysecuredandconfiguredinamannersuchthatthesecurityofitssystemscannotbeeasilythwarted.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 21of24
PolicyPolicy
DutiesandResponsibilities
6.3.6 ControllingAccesstoInformationinUnattendedAreasDesksmustbeclearedofPersonalorConfidentialinformationwhendesksareunattended.AreasthatmaycontainPersonalorConfidentialinformationmustnotbeleftunattendedwithoutsecuringtheinformation.
7. InformationSystemsAcquisition,Development&Maintenance7.1 SecurityRequirementsofInformationSystems
Statementsofbusinessrequirementsfornewinformationsystems,orenhancementstoexistinginformationsystemsmustspecifytherequirementsforsecuritycontrols.Securityrequirementsandcontrolsmustreflectthebusinessvalueofinformationassetsaffectedbythesystemandthepotentialbusinessdamagethatmightresultfromafailureorabsenceofsecurity.Systemrequirementsforinformationsecurityandprocessesforimplementingsecurityshouldbeintegratedintheearlystagesofinformationsystemprojects.Forrequirementsthatmustbeconsidered,seeGuideline3502,InformationSecurity.
7.2 CorrectProcessinginApplicationsSystemownersmustensurethatthesystemstheyareresponsibleforhandleinformationwithduecare.Thisincludesvalidationofinformationenteredintothesystem,validationcheckstodetectcorruptionofinformationthroughprocessingerrorsordeliberateacts,appropriatecontrolstoensureauthenticityandmessageintegrity,andvalidationofinformationoutputfromanapplicationtoensurethattheprocessingofstoredinformationiscorrect.
7.3 SecurityinDevelopment,DeploymentandSupportProcessesOnlyauthorizedusersmayaccessoperationalsoftwarelibrariesorthesourcecodeofsystems.Segregationofduties,technicalaccesscontrols,androbustproceduresmustbeemployedwheneveramendmentstosoftwarearenecessary.7.3.1 TechnicalReviewofApplicationsafterExecutionEnvironment
ChangesWhentheexecutionenvironmentoftheapplicationischanged(e.g.,operatingsystem,hardware,middleware),businesscriticalapplicationsmustbereviewedandtestedtoensurethereisnoadverseimpactonInstituteoperationsorsecurity.
7.3.2 OutsourcedSoftwareDevelopmentOutsourcedsoftwaredevelopmentmustbeinaccordancewithsection1.2.2AddressingSecurityinExternalPartyAgreements.
7.3.3 ControlofOperationalSoftwareOnlyauthorizedusersmaydeploysoftwareonoperationalsystems.
7.3.4 UsingLiveInformationforTestingTheuseofliveinformationfortestingnewvendor-suppliedorcustomsystemsorsystemchangesmayonlybepermittedwherethesamecontrolsforthesecurityoftheinformationasusedontheproductionsystemareinplace.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 22of24
PolicyPolicy
DutiesandResponsibilities
7.4 TechnicalVulnerabilityManagementTheTISManagerandeachITadministratorareresponsibleformonitoringinformationaboutthetechnicalvulnerabilitiesoftheinformationsystems,promptlyevaluatingtheInstitute’sexposuretosuchvulnerabilities,andtakingtimely,appropriatemeasurestoaddresstheassociatedrisks.SeeGuideline3502,InformationSecurity.
8. InformationSecurityIncidentManagement8.1 ReportingInformationSecurityEventsandWeaknesses
8.1.1 ReportingInformationSecurityEventsAllsuspectedinformationsecurityincidentsmustbereportedpromptlytotheTISManager.
8.1.2 ReportingSecurityWeaknessesAllinformationsecurityweaknessesmustbereportedpromptlytotheTISManager.
8.2 ManagementofInformationSecurityIncidentsandImprovements8.2.1 ConductofInvestigations
InformationsecurityinvestigationsarecoordinatedbytheTISManager.TheTISManagerisauthorizedtoinvestigateinformationsecurityincidentsincluding:seizingInstitute-ownedequipment,monitoring,andtakingimagesandbackups.
8.2.2 ResponsibilitiesandProceduresBCITemployeesandstudentsmustprovidetimelyassistancewhenrequested.Externalparties’responsibilitiesforinformationsecurityincidentmanagementmustbeestablishedaccordingtosection1.2.2AddressingSecurityinExternalPartyAgreements.
8.2.3 InvestigationLimitationsInvestigationofanindividual’sactivitiesorfilesbytheTISManagerwillonlybedoneinresponsetoanincidentorwithreasonablesuspicionthattheindividualisengaginginactivitiesthatarenoncompliantwithBCITpolicies.
8.2.4 EnsuringtheIntegrityofInformationSecurityIncidentInvestigationsToensuretheintegrityofevidence,theTISManagermustbecontactedbeforeanyinvestigationalactivitiesareundertaken.
8.2.5 LearningfromInformationSecurityIncidentsPost-incidentreviewofmajorincidentsmustbeconducted.Periodically,incidentsmustbereviewedcollectivelytoidentifytrendsforimprovementofsecurityefforts.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 23of24
PolicyPolicy
DutiesandResponsibilities
9. BusinessContinuityManagementSeePolicy7530,EmergencyResponseforBCIT’sbusinesscontinuitymanagementapproach.9.1 InformationSecurityAspectsofBusinessContinuityManagement
9.1.1 IncludingInformationSecurityintheBusinessContinuityManagementProcessTheplanningandimplementationofbusinesscontinuitymustnotcompromiseinformationsecurity.
9.1.2 DisasterRecoveryPlanSystemownersmustensurethatdisasterrecoveryplansfortheirsystemsaredeveloped,tested,andimplemented.RecoverytimemustbenegotiatedjointlybythesystemownersandITServicesorotherserviceprovider.WherebusinessrequirementsexceedtheabilitytorecoverITassets,mitigatingcontrolsmustbeputinplace.SeePolicy7530,BCITEmergencyResponseformoredetails.
10. Compliance10.1 CompliancewithLegalRequirements
10.1.1 IntellectualPropertyRights(IPR)SeePolicy6601,IntellectualProperty.
10.1.2 UsingLicensedSoftwareAllsoftwaremustbeappropriatelylicensedandusersmustcomplywiththetermsandconditionsofallEndUserLicenseAgreements.
10.1.3 ProtectionofOrganizationalRecordsSeePolicy6701,RecordsManagement.
10.1.4 DataProtectionandPrivacyofPersonalInformationSeesection2.2InformationClassificationinthispolicy.
10.2 InformationSystemsAuditConsiderationsTheplanningandimplementationofinformationsystemsauditsmustnotcompromiseinformationsecurity.Accesstosystemauditingtoolsmustbeprotectedtopreventanymisuseorcompromise.
11. Non-ConformingSystemsThispolicyrepresentsatargetenvironment.Notallsystemsortechnologiesarecapableofconforminginalldetails.TheTISManagermustmaintainalistofnon-conformingsystemsandtechnologies.Thisisarisk-basedactivityfocusingonnon-conformingsystemswiththehighestriskprofile.
InformationSecurity3502
DirectoryofRecordsClassification0650−10 24of24
PolicyPolicy
DutiesandResponsibilities
Systemownersofsystemsthatareunabletoconformtothispolicyanditsguidelinesmust:• Reportnon-conformancetotheTISManagerimmediately• Undertakeariskassessment• DevelopariskmanagementplanandsubmittotheTISManager.Thisexceptionlistwillincludeallsystemsandtechnologiesthatdonotconformtothispolicyandincludeareferencetotheriskassessmentandriskmanagementplanforeachsystemortechnologyonthelist.
12. ConsequencesofPolicyViolationBCITreservestherighttoterminateorrestricttheaccessprivilegesofauserwhoseactivitiesnegativelyaffectorposeathreattoafacility,anotheraccountholder,normaloperations,orthereputationoftheInstitute.Followingdueprocess,theInstitutemaytakeoneormoreofthefollowingactionsagainstanyuserwhoseactivitiesareinviolationofthispolicyorthelaw:� Averbalorwrittenwarning� RestrictionsonorremovalofaccesstoanyorallInstitutecomputingfacilitiesand
services� Legalactionthatcouldresultincriminalorcivilproceedings� Inthecaseofstudents,disciplinaryactionunderPolicy5102,StandardsofNon-
academicConduct.� Inthecaseofemployees,disciplinaryactionuptoandincludingtermination.EquipmentthatviolatesBCITpolicyornegativelyaffectsorposesathreattoafacility,normaloperations,orthereputationoftheInstitutemaybeimmediatelydisconnected,quarantined,orotherwisecontained.Institute-ownedequipmentmayalsobeseized.
ProceduresAssociatedWithThisPolicy
None.
FormsAssociatedWithThisPolicy
None.
AmendmentHistory
1. Created 2009Jan272. Revision1 2016Oct04
ScheduledReviewDate
2021Oct04
Related Documents
