Information Security - 5.47
POLICY STATEMENT
District of Maple Ridge
Title: Information Security
Policy No: 5.47
Authority: ________________________________
Approval: CMT
Effective Date: Oct 22, 2002
Policy Statement:
Computer information systems and networks are an integral part of business at the District of Maple Ridge. The District has made a substantial investment in human and financial resources to create and support these and other communication technologies. It is the intent of the Municipality to ensure that all District computer and information resources are safe for their intended use, and will adopt procedures and statements to ensure secure usage by all District employees.
Purpose:
Definitions:
PROCEDURES
To Information Security Policy 5.47
Title: Information Security Procedures
Procedures to Policy No: 5.47
Authority: ________________________________
Approval: CMT
Effective Policy Date: Oct 22, 2002
Amended Procedures: Feb 14, 2008; Nov 27, 2008
1.0 Policy Statement (adopted):
Computer information systems and networks are an integral part of business at the District of Maple Ridge. The District has made a substantial investment in human and financial resources to create and support these and other communication technologies. It is the intent of the Municipality to ensure that all District computer and information resources are safe for their intended use, and will adopt procedures and statements to ensure secure usage by all District employees.
Attachment ‘A’
Information Security Procedures:
1.0 Introduction
The Information Security policy and supporting procedure and statements have been adopted in order to:
- Protect the technologies and the investment.
- Safeguard the information contained within these systems.
- Reduce business and legal risk.
- Protect the reputation of the District.
- Protect the rights of users (i.e. - Council member, employee, contractor, associate, or authorized third party).
District technologies affected by this policy and procedure include:
- Computer desktop technology including workstations, software, printers and modems;
- Network services including servers, email, internet, intranet, and remote access;
- Software, and data, including application programs, automated methodologies and operating systems;
- Voice communication including voice mail, wire and wireless communications;
- Reproduction technologies including photocopiers, fax machines, and scanners; and
- Video conferencing.
2.0 Contents
The topics covered in this procedure document include:
- Administration and Responsibilities
- Use of District Technologies
- Prohibited Use of District Technologies
- Software and Hardware
- Internet
- Email
- Access Control
- Asset and Data Control
- Computer Viruses
- Remote Access
3.0 Administration and Responsibilities
3.1 Responsibilities – Information security is a shared responsibility. The involvement and participation of all District staff and users is needed to ensure security controls adequately protect the organization and stakeholders.
This section identifies general responsibilities of all users of District technologies; specific sections below identify additional responsibilities.
3.1.1 Security Policy Sponsor – The Corporate Management Team (CMT) assumes the ultimate responsibility for the District's security posture at the executive management level. Support from this level will give the policy and procedure legitimacy.
3.1.2 Security Manager – The Chief Information Officer assumes the responsibility of the IT Security Manager. Working in tandem with the Operational Security Managers, the IT Security Manager oversees and provides guidance for the overall development, implementation, and coordination of the security policy and procedures.
3.1.3 Operational Security Manager – For each Division, individuals are designated to manage security from an operational level. It is at the Division and Department level that risks can best be understood, and the implementation of security procedures be achieved. Working with the IT Security Manager, or his designate, the Operational Security Managers oversee and provide guidance and leadership for the overall development, implementation, monitoring, compliance and coordination of security for their specific areas of responsibility.
On an operational basis, individual Department managers are responsible for the development, implementation and review of security controls for their respective areas. As necessary, some operational security responsibilities may be escalated to the Operational Security Managers.
The Operational Security Managers will need to ensure that all appropriate personnel are aware of and comply with this policy and procedure document, and will need to monitor the use of District technologies for compliance with this policy and procedure and investigate any reported or suspected infringements.
3.1.4 Human Resources – The Personnel Department has the responsibility of providing general security training and awareness for all new hires and, as needed, all users. All users will need to sign an acknowledgement attached to this policy and procedure document, when they start with the District and also upon leaving the District. Department managers have the responsibility of providing to their staff the specific security training components appropriate for their area.
3.1.5 Users – Users of District technologies will review, understand and comply with this policy and procedure prior to using the technologies, and will be required to sign the attached acknowledgement. Users will ensure that they are competent in the use of District technologies they require to perform their employment responsibilities, or will take the appropriate, approved training to achieve competency:
- in the operation of the hardware technology;
- in the use of licensed software products;
- in the use of proprietary automated methodologies; and
- to ensure that they are applying District technologies appropriate to the business requirement.
If this policy and procedure does not deal with specific circumstances at hand, then users should advise the IT or Operational Security Manager.
3.2 Compliance and Exceptions – All users must comply with both the letter and spirit of all security policies and procedures, and adopted technology standards.
The Security Policy Sponsor (CMT) assumes the ownership of the overall security policy and procedures and will direct that it be maintained, reviewed, disseminated, and complied with. The CMT as the security sponsor must grant approval to all proposed changes or additions to the Security Policy. The Operational Security Managers will monitor the use of District technologies for compliance with this policy and procedures and investigate any reported or suspected infringements.
3.3 Violations – Failure to observe this policy, procedures and associated guidelines may result in disciplinary action by the District depending upon the type, severity, and number of violations, and whether it causes any liability or loss to the District. Action, in keeping with District personnel policies, for non-compliance may result in:
- suspension of service;
- user accounts and passwords may be withdrawn without notice;
- other disciplinary actions as deemed appropriate by District personnel policies or for cases of civil or criminal actions.
4.0 Use of District Technologies
District technologies are provided to users for business purposes and shall be returned by the user upon termination of employment or involvement with the District. Other reasonable use is subject to Operational Security Managers’ approval provided the following conditions are met:
- the use is not contrary to any provisions of this or related District policies,
- reasonable personal use is restricted to personal time and does not interfere with the user's ability to fulfill his or her employment obligations to the District,
- the user agrees to accept any expenses resulting from such use, and
- the use is restricted to the user, and does not include use by his or her family or other third parties.
Use of District technologies should be in compliance with applicable laws, contractual arrangements, professional standards and related District policies. It is recognized that where the use of a District technology is subject to a license agreement, contract or provision of law, lack of adherence to these policies could result in individual user or District liability for monetary or other penalties.
[Organization chart: Security Policy Sponsor (CMT); IT Security Manager (CIO); Operational Security Manager (member of each Div/Depart); Physical Assets (IS staff member); Applications (IS staff member); Line of Business (department)]
5.0 Prohibited Use of District Technologies
Use of District technologies for any of the following purposes is strictly prohibited:
- to discriminate or harass,
- to distribute inappropriate, offensive or illicit information including sexually explicit written or graphic material,
- to promote hatred against any group,
- to distribute unauthorized advertising material whether it be with respect to District business or otherwise;
- to impersonate, distribute unsolicited non-District correspondence (chain letters, etc.), slander or otherwise defame, invade privacy, or other unacceptable, disruptive activities,
- to "hack" or otherwise attempt unauthorized access to or penetration of District, client or other third party computing and communication facilities.
6.0 Software and Hardware
6.1 Software – All software acquired for, or developed by, District employees or contract personnel is the property of the District. All such software must be used in compliance with applicable licenses, notices, contracts, and agreements.
6.1.1 Purchasing – All purchasing of software must respect the Corporate Purchasing Policy and shall be centralized with the IS Department to ensure that all applications conform to corporate software standards, are purchased at the best possible price, are tracked as corporate assets, and so that licences are centrally managed to ensure legality and replacement. All requests for corporate software must be submitted to the IS Department for review, to determine the standard software that best accommodates the desired request, and approval.
6.1.2 Licensing – Each user should make a reasonable attempt at understanding and following all applicable licenses, notices, contracts, and agreements for software used on their District computer. Unless otherwise provided in the applicable license, notice, contract, or agreement, any duplication of copyrighted software, except for backup and archival purposes, may be a violation of legal provisions. Upon a user leaving the District, all District data and software stored on District or personal machines will be deleted.
6.1.3 Software Standards – The District maintains a software standard that all users requesting use or purchase of technologies must comply with. These software standards are identified under separate cover and are supported by IS staff and user departments. Users needing software other than those programs listed, in another document, as District standard packages must request such software from the IS Department with the approval of their supervisor. Each request will be considered on a case-by-case basis in conjunction with the adopted software standards, business need, available funding and purchasing policies.
Technologies purchased by staff for home use through the District funding plan are owned by the District until purchase has been completed by the owner, but are the responsibility of the owner and they will be required to purchase the standard District software load.
6.1.4 Software Installation – The IS Department is responsible for installation and support to provide software and hardware in good operating condition to District users so they can best accomplish their work tasks. It is District policy to comply with all laws regarding intellectual property rights and licencing restrictions. Non-compliance can expose the District and the responsible user to civil and/or criminal penalties.
The IS Department responsibilities include:
- Office desktop computers;
- District laptop computers;
- District network resources;
- District databases;
- District telephone systems;
- Computer lab and public access computers;
- Home computers that are provided by the District.
Technologies purchased through the District funding plan are the responsibility of the owner, but will be required to purchase the standard District software load.
Software may exist in any one of the following scenarios:
- An IS Department created “image” or OEM installation on the hardware.
- An IS Department installation procedure that provides for the following:
  1. Installation options.
  2. Upgrade considerations (if applicable).
  3. Data conversion (if applicable).
- a shortcut to a network application (not truly an installation).
- an automated installation through an IS Department developed solution that may be used in a rapid-deployment scenario or silent-install situation.
- a terminal application, Citrix application, or other thin-client type of application accessible via the District network.
Software cannot be present on District computers in the following scenarios:
- an installation not consistent with accepted procedures and standards.
- software purchased for a user’s home computer.
- an unlicenced (e.g. – “pirated”) copy of any title.
The IS Department will maintain a software inventory for management purposes. The Department will also retain original copies of all software in a central location in the office. Disks/CDs are not to be distributed to users as this software is the property of the District.
IS staff shall be responsible for the administration of access controls to all District computer systems. All requests for adds, deletions, and changes must be submitted to the IS Manager upon receipt of a written request from the end user’s supervisor. Deletions may be processed by an oral request prior to reception of the written request. The IS Manager will maintain a list of administrative access codes and passwords and keep this list in a secure area.
6.2 Hardware – All hardware acquired for, or developed by, users or contract personnel is the property of the District. All such hardware must be used in compliance with applicable licenses, notices, contracts, and agreements. The IS Department will maintain a hardware inventory for management purposes.
6.2.1 Purchasing – All purchasing of District computer hardware devices must respect the Corporate Purchasing Policy and shall be centralized with the IS Department to ensure that all equipment conforms to corporate hardware standards and is purchased at the best possible price, and is managed for asset tracking and replacement. All user requests for corporate computing hardware devices must be submitted to the IS Department along with approval of their supervisor. The IS Department will then determine the hardware standard that best accommodates the desired request.
6.2.2 Hardware Standards – The District maintains a hardware standard that all users requesting use or purchase of technologies must comply with.
These hardware standards are identified under separate cover and are supported by IS staff and user departments. Users requesting computer hardware beyond the corporate standard must request such hardware from the IS Department. Each request will be considered on a case-by-case basis in conjunction with the hardware standards, corporate needs and hardware purchasing practices.
6.3 Outside Equipment – No outside equipment or electronic parts (e.g. – wireless cards) may be plugged into the District’s network without the IS Department’s review and permission. Computers purchased through the District funding plan are the responsibility of the owner, but will be required to purchase the standard District software load to ensure compatibility with the District network.
7.0 Internet
Access to the Internet is provided to users to facilitate bona fide District business. Users are able to retrieve information, research topics, process transactions, and communicate with other organizations. Similarly, Email is an efficient means of communication whether through the Internet or through the District’s network. Use of the Internet has risks. To ensure that all users are responsible and productive Internet users and to protect the District’s interests, the following guidelines have been established for using this service.
7.1 Acceptable Use – Employees using the Internet are representing the company. Employees are responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner. Examples of acceptable use are:
- Using Web browsers to obtain business information from commercial web sites.
- Accessing databases as required for business purposes.
- Using Email for business contacts.
7.2 Unacceptable Use – Employees must not use the Internet for purposes that are illegal, unethical, harmful to the District, or non-productive. Examples of unacceptable use are:
- Sending or forwarding chain Email (i.e. - messages containing instructions to forward the message to others).
- Conducting personal business using District resources.
- Transmitting any content that is offensive, harassing, or fraudulent.
The organization maintains a web filtering service as an added measure of protection to prevent inappropriate access and to track how bandwidth is being used.
7.3 Downloads – File downloads from the Internet for personal or entertainment purposes are not permitted. File downloads of business related files are permitted. Installation of same may require assistance of the IS Department.
7.4 Copyrights – Employees using the Internet are not permitted to copy, transfer, rename, add, or delete information or programs belonging to others unless given express permission to do so by the owner. Failure to observe copyright or license agreements may result in disciplinary action by the District and/or legal action by the copyright owner.
7.5 Monitoring – All messages created, sent, or retrieved over the Internet are the property of the District and may be regarded as public information. The District reserves the right to access the contents of any messages sent over its facilities if the District believes, in its sole judgment, that it has a business need to do so. All communications, including text and images, can be disclosed to law enforcement or other third parties without prior consent of the sender or the receiver. Users are reminded not to put anything into an Email message that they wouldn’t want to see public.
8.0 Email
Email is an efficient means of communication whether through the Internet or through the District’s network. Email also has risks. To ensure that all users are responsible and productive Email users and to protect the District’s interests, the following guidelines have been established for using this service.
8.1 Authorized Usage – Electronic communications systems generally must be used only for business activities. Incidental personal use is permissible so long as:
a. It does not consume more than a trivial amount of resources;
b. It does not interfere with staff productivity;
c. It does not preempt any business activity.
Users must not use communications systems for private business activities or amusement/entertainment purposes unless expressly approved by the Security Sponsor. Users are reminded that the use of corporate resources, including electronic communications, should never create either the appearance or the reality of inappropriate use.
8.2 Default Privileges – User privileges on electronic communications systems must be assigned so that only those capabilities necessary to perform a job are granted. This approach is widely known as the concept of "need-to-know." For example, end users must not be able to reprogram electronic mail system software. With the exception of emergencies and regular system maintenance notices, broadcast facilities must be used only after the permission of a Department Director has been obtained.
8.3 No Default Protection – Users are reminded that District electronic communications systems are not encrypted by default. If sensitive information must be sent by electronic communications systems, encryption or similar technologies to protect the data must be employed.
See the Chief Information Officer (CIO) if this requirement is needed.
8.4 Respecting Privacy Rights – Except as otherwise specifically provided, users may not intercept or disclose, or assist in intercepting or disclosing, electronic communications. The District is committed to respecting the rights of its users, including their reasonable expectation of privacy. However, the District is also responsible for servicing and protecting its electronic communications networks. To accomplish this, it is occasionally necessary to intercept or disclose, or assist in intercepting or disclosing, electronic communications. All communications, including text and images, can be disclosed to law enforcement or other third parties without prior consent of the sender or the receiver. Users are reminded not to put anything into an Email message that they wouldn’t want to see public.
8.5 No Guaranteed Message Privacy – The District cannot guarantee that electronic communications will be private. Users should be aware that electronic communications could, depending on the technology, be forwarded, intercepted, printed, and stored by others. Furthermore, others can access electronic communications in accordance with this policy and procedure.
8.6 Regular Message Monitoring – It is the policy of the District not to monitor the content of electronic communications. However, it may be necessary to monitor in specific instances to support operational, maintenance, auditing, security, and investigative activities. Users should structure their electronic communications in recognition of the fact that the District may need to examine the content of electronic communications.
8.7 Purging Electronic Messages – Messages no longer needed for business purposes must be periodically purged by users from their electronic message storage areas. After a certain period -- generally six months -- electronic messages should be backed up to a separate data storage media (e.g. - tape, disk, CD-ROM, etc.). If the District is involved in a litigation action, all electronic messages pertaining to that litigation will not be deleted until the Security Sponsor or his designated representative has communicated that it is legal to do so.
9.0 Access Control
9.1 Supervisor’s Responsibility – Managers and Supervisors should notify the Personnel Department and the IS Manager promptly whenever a user leaves the District or transfers to another department so that his/her access privileges can be modified or revoked. Arrangements for system access changes for disciplinary terminations must be made ahead of time. Access to District technologies will be reviewed and approved on a ‘need-to-know’ basis. A user’s request for access needs to be approved by the department Manager and forwarded to the IS Manager for review and implementation.
9.2 Human Resources Responsibility – The Human Resources Department will notify the IS Manager promptly of transfers and terminations. Disciplinary terminations must be discussed as early as possible. Human Resources will provide new staff members with the appropriate orientation to security procedures at the District.
9.3 Passwords – The confidentiality and integrity of data stored on District computer systems must be protected by access controls to ensure that only authorized employees have access. This access shall be restricted to only those capabilities that are appropriate to each user’s job duties. Passwords will be required to be synchronized to allow users access to all appropriate District software and services for their privileges. Passwords will be required to be complex (e.g. – a minimum of 6 characters, not normal words) and will need to be changed every 90 days. Users will not be able to use the same password for at least 5 password changes.
9.4 User Responsibilities – The directives below apply to all users:
1. Disks and other storage media should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be locked up.
2. Disks and other storage media should be kept away from environmental hazards such as heat, direct sunlight, and magnetic fields.
3. Critical computer equipment (e.g. - file servers) must be protected by an uninterruptible power supply (UPS). Other computer equipment should be protected by a surge suppressor.
4. Environmental hazards to hardware such as food, smoke, liquids, high or low humidity, and extreme heat or cold should be avoided.
5. IS staff are responsible for all computer equipment installations, modifications, and relocations. This does not apply to moves of portable computers.
6. Users with laptops shall take reasonable measures to ensure the security of the device and the data stored on it. Shared portable equipment, such as laptop computers, requires pre-booking using the Outlook system. Staff booking such devices are responsible for their security. No sensitive data should be stored on such shared devices.
7. Users should exercise care to safeguard the valuable electronic equipment assigned to them. Users who neglect this duty may be accountable for any loss or damage that may result.
8. USB or other mobile storage devices can contain large amounts of corporate data; users are expected to utilize encryption when transporting sensitive corporate data on such devices. IS Department personnel will provide appropriate encryption tools for the user.
9. Corporate data is not to be taken or sent off-site without prior consideration as to the criticality and sensitivity of the information contained within the file. Appropriate protections are to be utilized depending on the classification of the data. If in doubt, please consult with your Operational Security Manager or the IT Security Manager.
Upon leaving the District, all users are expected to return or delete all corporate data in their possession and will be required to sign a Declaration to that effect.
9.5 Physical Security – It is District policy and procedure to protect computer hardware, software, data, and documentation from misuse, theft, unauthorized access, and environmental hazards. Users are expected to ensure that resources under their control are adequately protected from theft or misuse.
9.6 Public Requests for Data – The District can release certain digital information for public use, typically for a fee as is current practice. Release of computer lists of database information that contains personal information such as names, addresses, and phone numbers will be reviewed for the protection of confidentiality. Computer lists will only be released upon receipt of a written request and undertaking from the recipient that it will be used solely for the purpose for which it was requested.
This policy and procedure does not relate to information which is otherwise public information through other legislative authority. The IT Security Manager will review all such requests in consultation with Operational Security Managers and the District Clerk for approval.
10.0 Asset and Data Control
10.1 Asset and Data Classification – The value and inherent risk of information or information-related assets shall be determined and classified. Controls to protect the confidentiality, integrity, and availability of the information or information-related asset are consistent with the assigned classification. A classification scheme is used to ensure the protective control implemented is proportionate to both the information asset’s value to the District and its potential for loss.
10.2 Responsibility for Classification – The owner of the information or information-related asset is responsible for assigning the appropriate classification levels and applying the appropriate labeling. As the value of the information may decline over time, periodic reviews are performed by the owner and, where appropriate, the owner reclassifies the information when its value or inherent risk has changed.
10.3 Risk Assessment and Data Classification Process – The following classifications have been established:
10.3.1 Sensitivity of Information – The degree to which the value of the information is determined by its secrecy.
- Public – Information that is designed to be in the public domain or is readily acquired commercially or publicly.
Internal – Information for general use by all District employees.

Confidential – Highly sensitive or critical information. Its knowledge is restricted among District users by the Information Owner.

10.3.2 Criticality of Information – Criticality is comprised of two components, Integrity and Availability:

Integrity - The degree to which the value of the information is determined by its reliability. Integrity classification is performed according to the following scale: Low; Moderate; High.

Availability - The degree to which the value of the information is determined by its accessibility when needed. Availability classification is performed according to the following scale: Low; Moderate; High.

10.4 Implementation of Controls – The IT Security Manager and Operational Security Managers share responsibility with the data owners for protecting the information and will implement controls appropriate to the documented Sensitivity and Criticality classification.

11.0 Computer Viruses

Computer viruses are programs designed to make unauthorized changes to programs and data. Viruses can cause destruction of corporate resources. Computer viruses are much easier to prevent than to cure. Defenses against computer viruses include protection against unauthorized access to computer systems, using only trusted sources for data and programs, and maintaining virus-scanning software. Users should not download programs from the Internet including games and screen savers. IT personnel will provide appropriate software installation and maintenance services. Remote access users will not be able to upload files to the District network resources unless the IS Department staff can verify the integrity of the workstation or source for such upload.
The IS Department will scan incoming files and attachments for viruses, and provide appropriate notice to users when viruses are encountered. Users should notify the IS staff of any viruses they encounter. Users should set Email filters on their workstation software to filter out junk or offensive/questionable Email.

12.0 Remote Access

Remote access is a generic term used to describe the accessing of District computer network resources by individuals not located at the District’s primary offices. This may take the form of off-site offices, traveling users, or users working from home and connected to the District network. Participation in a remote access program may not be possible for every user. Remote access is meant to be an alternative method of meeting District needs. The District may refuse to extend remote access privileges to any user or terminate a remote access arrangement at any time.

12.1 Acceptable Use – Hardware devices, software programs, and network systems purchased and provided by the District for remote access are to be used only for creating, researching, and processing District-related materials. By using the District’s hardware, software and network systems, the user assumes personal responsibility for their appropriate use and agrees to comply with the provisions of this and other appropriate District policies. Home users using a District machine will need to ensure District standards are followed to ensure compatibility and security. Eligibility to remotely access the District’s computer network will be determined by the responsible Department Directors.

12.2 Equipment and Tools – The District may provide tools and equipment for remotely accessing the corporate computer network.
This may include computer hardware, software, phone lines, email, voicemail, connectivity to host applications, and other applicable equipment as deemed necessary. The use of equipment and software provided by the District for remotely accessing the District’s computer network is limited to authorized users and for purposes relating to District business. The District will provide for repairs to District equipment. When the user uses her/his own equipment, the user is responsible for maintenance and repair of equipment and will not be able to connect to the District network unless compatible with established standards and security settings.

12.3 Use of Personal Computers and Equipment – There are thousands of interactions between software needed by the remote user and the average mix of programs on a home computer. Troubleshooting software and hardware conflicts can take hours, and can result in a complete reinstall of operating systems and application software as the only remedy for problems. For that reason the IS Department will only provide support for equipment and software provided by the District. Home users will need to ensure their systems are compatible with District software and network security settings. The District will bear no responsibility if the installation or use of any necessary software causes system lockups, crashes, or complete or partial data loss. The user is solely responsible for backing up data on their home machine before beginning any District work.
Acknowledgment of Information Security Policy and Procedures

This form is used to acknowledge receipt of, and compliance with, the District of Maple Ridge Information Security Policy and associated procedures.

Acknowledgement Procedure

Complete the following steps:
1. Read the Information Security Policy and Procedure.
2. Sign and date in the space provided below.
3. Return this page only to the Personnel Department.

Signature

By signing below, I agree to the following terms:
i. I have received and read a copy of the “Information Security Policy and Procedure” and understand the same;
ii. I understand and agree that any computers, software, data and storage media provided to me by the District contains proprietary and confidential information about the District of Maple Ridge and its customers or its vendors, and that it is the property of the District at all times;
iii. I agree that I shall not copy, duplicate except for backup purposes, otherwise disclose, or allow anyone else to copy or duplicate any of this information or software;
iv. I agree that, if I leave the District of Maple Ridge for any reason, I shall immediately return to the District the original and copies of any and all software, computer materials, or computer equipment that I may have received from the District that is either in my possession or otherwise directly or indirectly under my control. Data and software on computer storage devices will be deleted.
v. I agree that if connecting from a remote site, I will ensure my computer maintains compatible settings consistent with District security policies, procedures, settings and standards.
vi.
I understand and agree I must make reasonable efforts to protect all District provided software and hardware devices, and data, from theft, physical damage and inappropriate use.

______________________________ User Signature
______________________________ User Name
______________________________ Date
______________________________ Department/Location/Company

Declaration of Return or Disposal of District Information and Equipment

This form is used to acknowledge return of, or deletion of, District of Maple Ridge provided hardware and software, and data or information, that is under the control of the user. This form is used also to declare that the user no longer has any such equipment, materials, or data in his/her possession in accordance with the Information Security Policy and associated procedures.

Declaration Procedure

Complete the following steps:
1. Read the declaration and acknowledgement below.
2. Sign and date in the space provided below.
3. Return to the Human Resources Department.
Declaration and Acknowledgement

I hereby declare and acknowledge that:
1. I have returned all District provided computer hardware and peripherals, and associated materials, in my possession or otherwise directly or indirectly under my control;
2. I have returned or deleted, or otherwise destroyed, all original and copies of District supplied software in my possession;
3. I have returned or deleted all District data and information in my possession.

______________________________ User Signature
______________________________ User Name
______________________________ Date
______________________________ Department/Location/Company