BCIT :: Information Security Policy 3502 · Policy Information Security Policy No.: 3502 Category: Information Technology Services Approving Body: Board of Governors Executive Division:

PolicyPolicy

Information Security

PolicyNo.: 3502Category: InformationTechnologyServicesApprovingBody: BoardofGovernorsExecutiveDivision: LearningandTechnology

ServicesDepartmentResponsible: InformationTechnologyServicesCurrentApprovedDate: 2016Oct04

DirectoryofRecordsClassification0650−10 1of24

PolicyStatement

BCITiscommittedtotakingappropriatemeasurestopreservetheconfidentiality,integrity,andavailabilityofinformationandinformationtechnology(IT).ThispolicyappliestoallBCITinformationandcomputing,communications,andnetworkingresourcesconnectedtoInstitutefacilitiesandtheusersoftheseresources.

PurposeofPolicy

BCIT’sinformation,network,andotherITservicesaresharedresourcesthatarecriticaltoteaching,learning,research,Instituteoperations,andservicedelivery.Thepurposeofthispolicyisto:• Protecttheconfidentiality,integrity,andavailabilityofBCITinformationandassociated

informationtechnology• Providemanagementdirectionandsupportforinformationsecurityinaccordancewith

businessrequirementsandrelevantlawsandregulations• Definetherolesofindividualsandorganizationalentitiesinvolvedininformationsecurity

andestablishtheresponsibilitiesoftheseroles• EnsurethereliableoperationofBCIT’sinformationtechnologysothatallmembersofthe

BCITcommunityhaveaccesstotheinformationassetstheyrequire.

TableofContents

PolicyStatement 1PurposeofPolicy 1ApplicationofthisPolicy 1RelatedDocumentsandLegislation 2Definitions 2GuidingPrinciples 5DutiesandResponsibilities 6ProceduresAssociatedWithThisPolicy 24FormsAssociatedWithThisPolicy 24SpecialSituations Error!Bookmarknotdefined.AmendmentHistory 24ScheduledReviewDate 24

ApplicationofthisPolicy

ThispolicyappliestoeveryonewhousesBCITinformationtechnologyassets,includingthosewhousetheirownpersonalequipmenttoconnecttoBCITinformationassets.

InformationSecurity3502


PolicyPolicyRelatedDocumentsandLegislation

BCITPolicies:1504,StandardsofConductandConflictofInterest3501,AcceptableUseofInformationTechnology5102,StandardsofNon-academicConduct6601,IntellectualProperty6700,FreedomofInformationandProtectionofPrivacy(FOIPOP)6701,RecordsManagement7506,CopyrightCompliance7525,ProtectionofEquipment,PropertyandInformation7530,EmergencyResponseLegislationapplicabletothispolicyincludes:• BCCollegeandInstituteAct• BCFreedomOfInformationandProtectionofPrivacy(FOIPOP)Act• BCPersonalInformationProtection(PIP)Act• TheCriminalCodeofCanada• CanadaCopyrightAct.

Definitions

Account:establishesarelationshipbetweenauserandasetofinformationassets.Byloggingintoanaccount,theuserisauthorizedtoperformaspecifiedsetofactionsagainstacorrespondingsetofinformationassetsforthetimetheuserremainsauthenticatedtotheaccount(forthatloginsession).Asset:anythingthathasvaluetotheInstitute.AssetCustodian:theBCITemployeeresponsibleforlocatingaphysicalinformationasset(i.e.equipment)uponrequest.Allinformationassetsmusthaveanassignedcustodian.Authorization:thegrantingofpermissioninaccordancewithapprovedpoliciesandprocedurestoperformaspecifiedactiononanITasset.AuthorizedUser:auserwhoisauthorizedtoperformthespecifiedactiononanasset.Partoftheauthorizationprocessmayrequirethatthepersonexhibitthenecessaryqualificationstoperformtheaction.BCITInternalUse:asdefinedinsection2.2InformationClassification.BusinessContinuity:theInstitute’sabilitytomaintainorrestoreitsbusinessandacademicserviceswhensomecircumstancethreatensordisruptsnormaloperations.Itencompassesdisasterrecoveryandincludesactivitiessuchasassessingriskandbusinessimpact,prioritizingbusinessprocesses,andrestoringoperationstoa“newnormal”afteranevent.SeePolicy7530,EmergencyResponseformoreinformation.ConfidentialInformation:asdefinedinsection2.2InformationClassification.Control:ameansofmanagingrisk,includingpolicies,procedures,guidelines,practices,ororganizationalstructures,whichcanbeofadministrative,technical,management,orlegalnature.Note:Controlisalsousedasasynonymforsafeguardorcountermeasure.



PolicyPolicyData:itemsrepresentingfactsthatconsistoftext,numbersorimagesandstoredinelectronicinformationsystems.Dataaretherawmaterialsthatareprocessedorinterpretedtocreateinformation.Institutedataisalldatarelatedto,receivedby,orcreatedbyBCIT.DenialofService:actionsthatintentionallypreventanyInformationProcessingFacilityfromfunctioninginaccordancewithitsintendedpurposeDisasterRecovery:referstotheactivitiesthatrestoretheInstitutetoanacceptableconditionaftersufferingadisaster.SeePolicy7530,EmergencyResponseformoreinformation.Encryption:theprocessofobscuringinformationtomakeitunreadablewithoutspecialknowledge(i.e.,“scrambling”theinformation).Thatspecialknowledgeisoftena“key”thatisusedtodecrypttheinformationsoitcanberead.Conceptually,thekeyissimilartoapasswordthatprovidesaccesstotheencryptedinformation.Equipment:informationtechnologyequipment.ExternalParty:anorganizationoranindividualwhoisnotanemployeeorstudentwhorequiresaccesstoBCIT’sinformationassets,excludingpublicassets.Firewall:asystemdesignedtopreventunauthorizedaccesstoorfromaprivatenetworkorbetweennetworkzones.InactiveAccount:anaccountthathasremainedunusedfortheperiodoftimespecifiedinGuideline3502,InformationSecurity.Information:includesallformsofdata,documents,records,communications,conversations,messages,recordings,andphotographs.Itincludeseverythingfromdigitaldataandemailtofaxesandtelephoneconversations.InformationAsset:anassetthatiscomprisedofinformationorofequipmentorsystemsfortheprocessingofinformation.InformationOwner:theBCITemployeewhoclassifiesthespecifiedinformation.InformationProcessingFacilities:anyinformationprocessingsystem,serviceorinfrastructure,orthephysicallocationshousingthem.InformationSecurity:thepreservationofconfidentiality,integrity,andavailabilityofinformation.Confidentialityensuresthatinformationisaccessibleonlytothoseauthorized.Integrityinvolvessafeguardingtheaccuracyandcompletenessofinformationandprocessingmethods.Itmayalsoincludeauthenticity,auditability,accountability,non-repudiation,andreliabilityofinformation.AvailabilityensuresthatauthorizedusershaveaccesstoITassetswhenrequired.InformationSecurityFramework:acomprehensiveapproachtopreserveinformationsecurityincluding:

� Organizationalstructureswithclearlydefinedrolesandresponsibilities� Riskassessmentandimpactanalysis� Guidingprinciples� Policies,guidelines,andprocedures� Controlsandcountermeasures� Informationsecurityawarenessincludingeducationandtraining� Ongoingmonitoringofinformationsecurity



PolicyPolicy� Resourcessuchasfinancialandhumanresourcesrequiredtoimplementthesecurity

framework� Periodicreviewsandassessmentoftheframeworkincluding,whereappropriate,

reviewsbyindependentthirdparties.InformationSecurityIncident:anidentifiedoccurrenceofasystem,service,ornetworkstateindicatingapossibleorpendingbreachofinformationsecurityorbreachofacceptableuseorfailureofsafeguardsorapreviouslyunknownsituationthatmaybesecurityrelevant.TechnicalInfrastructureServices(TIS)Manager:overseestheInstitute'sInformationSecurityprogram.Thisincludesprovidingleadershipandguidanceininformationsecurityandinformationriskmanagement,developinginformationsecuritypoliciesandguidelines,andoverseeingtheinformationsecurityincidentresponseteam.ITAdministrator:thepersonresponsibleforconfiguringaccesstoandmonitoringaccess,usage,andperformanceofaninformationasset,includingsystemadministrator,networkadministrator,applicationadministrator,anddatabaseadministrator(DBA).LeastPrivilege:theprinciplethatrequireseachusertobegrantedthemostrestrictivesetofprivilegesneededfortheperformanceofauthorizedtasks.LoginSession:aperiodbetweenauserlogginginandloggingoutofanaccount.MaliciousCode:includesallprograms(includingmacrosandscripts)thataredeliberatelycodedtocauseanunexpectedorharmfulevent.Media:includesremovablemediaandfixedstoragedevices.MobileDevice:anyelectronicdevicethatisportableandcontainsorhastheabilitytocontaininformationorprovidestheabilitytoaccessortransmitPersonalorConfidentialinformation.Examplesincludelaptop,tabletPC,PDA,RIMBlackBerry,andPalmTreo.NetworkEquipment:anyhardwareorsoftware,excludingworkstationsandserversunlessconfiguredtoprovidenetworkservices,thattransmitsorfacilitatesthetransmissionofinformation,includingswitches,hubs,routers,bridges,firewalls,modems,wirelessaccesspoints,DHCP,WINS,andDNSservers.NetworkZone:Differentnetworks,andoftendifferentsegmentsofagivennetwork,havediversesecuritycharacteristicsandrequirements.Forsecurity,eachnetworkmustbedividedintooneormorelogicalnetworkzones.Eachnetworkzoneisalogicallyconnectedpartofthenetwork,whosesecurityismanagedinacoherentfashion.Definedzonesinclude:• AdministrativeZone–forkeybusinessusersandsystems• AcademicZone–forfacultyandstudentsforthepurposesofteaching• ResidenceZone–forstudentsinresidence• DMZ–forsystemsconnectedtotheInternetorotheroutsidenetwork.Password:thesequenceofcharactersandnumbersusedtoauthenticateauser’sidentity,whichisknownonlytothatuser.PersonalInformation:asdefinedinsection2.2InformationClassification.



PolicyPolicyPublicAssets:designatedBCITinformationassetsthatareavailabletomembersofthepublicwithauthorizationrequired.Examplesincludekiosksandthepublicwebsite.PublicInformation:asdefinedinsection2.2InformationClassification.Record:SeePolicy6701,RecordsManagementfordefinitionofarecord.RemovableMedia:Informationstoragedevicesthatarenotfixedinsideacomputer.Examplesincludeexternalharddrives,CD-ROMs,DVDsandUSBflashdrives.Server:acomputerwhosefunctionistoprovideservices(e.g.,accesstofiles,printing,andsharedapplicationsincludingwebsites;databasemanagement;communications;andaccesstoPersonalorConfidentialinformation)onwhichendusersdependonanongoingbasis.ComputersthatareusedtoprovidenetworkservicessuchasDHCP,DNS,andLDAPareconsideredtobenetworkequipmentandarenotserversforthepurposeofthispolicy.StudentServer:acomputersetupbyfacultyorstudentsaspartofacoursetoteachservertechnologyandprinciples.System:acollectionofcomponentsincludinghardwareandsoftwaredesignedtostore,process,ortransmitinformationinsupportofabusinessoutcome.SystemOwner:theBCITemployeeresponsibleforagivensystem.Threat:apotentialcauseofanunwantedincident,whichmayresultinharmtoasystemororganization.User:apersonwhoperformsanyactiononaninformationasset.Vulnerability:aweaknessofanassetorgroupofassetsthatcanbeexploitedbyoneormorethreats.

GuidingPrinciples

1. Bynature,apost-secondaryeducationinstituteneedstoshareinformationforthepurposeofdeliveringeducation.Securitymeasuresmustbeimplementedinamannerthatenablesappropriateinformationexchange.

2. Securityresponsibilitiesandaccountabilitymustbeclearlydefinedandacknowledged.3. Usersarepersonallyaccountablefortheprotectionofinformationassetsundertheir

controlandmusttakeappropriatemeasurestoprotecttheconfidentiality,integrity,andavailabilityoftheassets.

4. Usersshouldhavesufficienttrainingtoallowthemtoproperlyprotectinformationassets.5. Securitycontrolsmustbecost-effectiveandinproportiontotherisksandthevalueofthe

assetsthatneedtobeprotected.6. Securityismulti-disciplinaryandrequiresacomprehensiveandintegratedapproach

coveringeveryaspectofBCIT’soperations.7. Allpartiesshouldactinatimely,coordinatedmannertopreventandrespondtosecurity

incidents.



PolicyPolicy8. Securitymustbeperiodicallyassessedtoensurethatadequatemeasuresareinplaceto

protecttheassetsofBCIT.

9. Permissionsareassignedsothattheleastamountofprivilegerequiredtofulfillthebusinessfunctionisgiven(leastprivilege).

10. Nosinglemechanismmayprotectanassetfromunknownthreats.Wherewarranted,

multiplelayersofcontrolsshouldbeemployedtoreducetheriskoffailureofanysinglemeasure(defenceindepth).

11. Compromiseofoneassetshouldnotleadtothefurthercompromiseofotherassets

(compartmentalization).12. Manyinformationsystemshavenotbeendesignedwithsecurityinmind.Whereadequate

securitycannotbeachievedthroughtechnicalmeans,alternatecontrolsmustbeimplemented.

DutiesandResponsibilities

1. OrganizationofInformationSecurity1.1 InternalOrganization

1.1.1 ManagementCommitmenttoInformationSecurityTheBoardofGovernorsandBCITExecutiveactivelysupportinformationsecuritywithintheorganization.

1.1.2 AllocationofInformationSecurityResponsibilitiesBoardofGovernorsTheBCITBoardofGovernorsisaccountablefortheestablishmentofanInformationSecurityFrameworkfortheInstitute.BCITExecutiveTheBCITExecutiveisresponsibleforrecommendinganappropriateInformationSecurityFrameworktotheBoardofGovernorsandforprovidingongoingexecutiveoversightoftheframework,includingperiodic,independentreviews.TechnicalInfrastructureServices(TIS)ManagerTheTISManagerisresponsiblefor:� RecommendinganappropriateInformationSecurityFrameworkto

theBCITExecutive� Providingday-to-daymonitoringoftheframework� InformingtheBCITExecutiveofsecurityrisksandmanagementplans� Establishingappropriatecontactswithsecurityforums,professional

associations,andothergroupswithspecialistinterestsininformationsecurity.

BCITManagementMembersofBCITManagementareresponsibleforensuringthatemployeesandothersundertheirsupervisionareawareoftheirinformationsecurityresponsibilities.



PolicyPolicy


InstructorsandTeachingFacultyInstructorsandTeachingFacultyareresponsibleforensuringthatstudentsundertheirsupervisionareawareoftheirinformationsecurityresponsibilities.InformationOwnersInformationOwnersareresponsibleforclassifyinginformationinaccordancewithpoliciesandguidelines.Allinformationmusthaveanassignedinformationowner.SystemOwnersSystemownersareaccountableforensuringthatsystemsareassessedforsecurityrequirementsincludingthoseflowingfromlegislativeandcontractualobligations.Systemownersarealsoaccountableforensuringthatsystemsaredesigned,configured,implemented,operated,maintained,upgraded,anddecommissionedconsistentwiththeestablishedsecurityneeds.Allsystemsmusthaveanassignedsystemowner.SystemownersmustensureanITadministratorisassignedtoeachassetcomprisingthesystem.AssetCustodiansAssetcustodians,uponrequest,mustbeabletodeterminethelocationofinformationassetsundertheircustodianshipandmustensurethatassetstransferredfromtheircustodianshipareclearlyassignedtothenextcustodian.Allphysicalassetssuchasinformationtechnologyequipmentmusthaveanassignedcustodian.ITAdministratorsITAdministratorsareresponsibleforconfiguringthesecurityfeaturesoftheassetsundertheiradministrationinaccordancewithpolicy,guidelines,andotherrequirements.AllassetswithconfigurablesecuritycharacteristicsmusthaveanassignedITAdministrator.InformationTechnologyServicesAsthecentralproviderofInformationTechnology,theITSDepartmentisresponsiblefor:� Networkmanagementandoperationincludingtheestablishmentof

networkzonesandcompartmentalization� Delegationofadministrationofanetworkzoneonlywhen

appropriatecontrolsareinplaceinthedelegatedorganization� Maintainingacatalogueofcoreservicesincludingclearlyarticulated

servicelevelexpectations� ContinuityofcoreenterpriseclassITinfrastructureaspartofthe

Institute’soverallbusinesscontinuityframework.

SafetyandSecurityDepartmentTheSafetyandSecurityDepartmentisresponsiblefor:� ThephysicalsecurityofBCITfacilitiesincludingaccesscontrolto

buildingsandrooms� Overallemergencyresponse,disasterplanning,andbusiness



PolicyPolicy


continuityplanning� Contactwithauthorities.

MarketingandCommunicationsDepartmentTheMarketingandCommunicationsDepartmentisresponsiblefor:� ProtectionofBCIT’sbrandfrominformationsecuritythreats� Communicationswiththemediaintheeventofaninformation

securityincident� PoliciesandproceduresforuseofBCITdomainnames.

HumanResourcesTheHumanResourcesDepartmentisresponsiblefor:

• Documentinginformationsecurityrequirementsinjobdescriptions

• Screeningofemployees• Coordinatingtheterminationofemployees,ensuringall

departmentsareappropriatelynotified.RecordsManagementOfficeTheRecordsManagementOfficeisresponsibleforensuringthattheDirectoryofRecordsaccuratelyreflectstheclassificationofrecords.Information,AccessandPrivacyInformation,AccessandPrivacyisresponsibleforexchangeagreementsthatinvolvetheexchangeofPersonalinformation.FinancialServicesDepartmentTheFinancialServicesDepartmentisresponsibleforensuringcontrolsareinplacetoprotectthesecurityoffinancialinformationand,inparticular,toensuretheintegrityoffinancialinformation.RiskManagerTheRiskManagerisresponsibleforidentifyingandassessingoverallriskforBCIT.UsersAllusersareresponsiblefor:� Takingappropriatemeasurestopreventloss,damage,abuse,or

unauthorizedaccesstoinformationassetsundertheircontrol� Promptlyreportingallactsthatmayconstituterealorsuspected

breachesofsecurityincluding,butnotlimitedto,unauthorizedaccess,theft,systemornetworkintrusions,willfuldamage,andfraud

� Lookingafteranyphysicaldevice(tools,computers,vehicles,etc.)andaccessarticles(keys,IDcards,systemIDs,passwords,etc.)assignedtothemforthepurposesofperformingtheirjobduties,takingcourses,conductingresearch,orotherwiseparticipatingwithintheInstitute

� Respectingtheclassificationofinformationasestablishedbytheinformationowner

� Complyingwithallthesecurityrequirementsdefinedinthis



PolicyPolicy


document� ComplyingwithotherrelatedpoliciesincludingPolicy3501,

AcceptableUseofInformationTechnology.

1.2 ExternalParties1.2.1 IdentificationofRisksRelatedtoExternalPartiesorStudents

TheriskstotheInstitute’sinformationassetsrelatingtoexternalpartiesorstudentsmustbeidentifiedandappropriatecontrolsimplementedbeforegrantingaccess.

1.2.2 AddressingSecurityinExternalPartyAgreementsAccesstoBCITinformationassets,exceptpublicassets,mustnotbegrantedtoexternalpartieswithoutacontractualagreementthatbindsthemtoBCITpolicies.

2. AssetManagement2.1 ResponsibilityforAssets

Eachpieceofequipmentmusthaveanassignedassetcustodian.Uponrequestassetcustodiansmustbeabletolocatetheequipmentassignedtothem.Ifcustodiansaretopassthecustodyoftheequipmenttoanotherperson,theyareresponsibleforensuringtherecordofcustodianshipisupdated.Ifacustodianbecomesunavailableunexpectedly,thisresponsibilityfallstotheoperationsmanageroftheirdepartmentorschool.2.1.1 InventoryofAssets

Aninventoryofassetsmustbemaintained.

2.1.2 AcceptableUseofAssetsSeePolicy3501,AcceptableUseofInformationTechnology.

2.2 InformationClassification2.2.1 InformationOwnership

Allinformationmusthaveadesignatedinformationowner.Forcompleteinformationaboutestablishinginformationownership,seeGuideline3502,InformationSecurity.

2.2.2 ClassifyingInformationAllInstituteinformationmustbeclassifiedaccordingtoitsrequirementsforconfidentiality,integrity,andavailability.TheinformationownerisresponsibleforclassifyingtheinformationaccordingtoGuideline3502,InformationSecurity.Classificationmustbereviewedonaregularbasis.

2.2.3 ConfidentialityClassificationsThefollowingconfidentialityclassificationsdeterminehowInstituteinformationmustbeshared,handledandstored:� Public–informationthatisavailabletothegeneralpublicandis

routinelydisclosed



PolicyPolicy


� BCITInternalUse–informationthatisavailabletoauthorizedusersandisnotroutinelydisclosed.Bydefault,dataisBCITInternalUseuntilitisassessedandotherwiseclassified

� Confidential–informationthatcontainssensitiveInstituteinformationandthatisavailabletoauthorizedusers.AformalFOIPOPrequestisrequiredfornon-routinedisclosure

� Personal–informationthatcontainssensitivepersonalinformationandisavailabletoauthorizedusersonly.AformalFOIPOPrequestisrequiredfornon-routinedisclosure.

2.2.4 BusinessContinuityClassifications

Inadditiontotheconfidentialityclassifications,Policy7530,EmergencyResponsegovernstheclassificationofinformationforbusinesscontinuitypurposes.Eachinformationownermustclassifyinformationforthepurposesofbusinesscontinuity.

2.2.5 LabellingInformationBothhardcopyandelectronicinformationmustbeclearlylabelledwithitsconfidentialityclassificationsothatauthorizedusersareawareoftheclassification.Forcompletedetailsonhowtolabelinformation,seeGuideline3502,InformationSecurity.

2.3 InformationHandlingAuthorizedusersmustcarryoutalltasksrelatedtothecreation,storage,maintenance,cataloguing,use,dissemination,anddisposalofInstituteinformationresponsibly,inatimelymanner,andwiththeutmostcare.Usersmustnotknowinglyfalsifyinformationorreproduceinformationthatshouldnotbereproduced.2.3.1 SharingInstituteInformation

Personal,Confidential,andBCITInternalUseinformationmayonlybesharedwithotherauthorizedusers,onaneedtoknowbasis.

2.3.2 StoringInformationInformationclassifiedasPersonalorConfidentialmustbeencryptedandstoredwithaccesslimitedtoauthorizedusers.SecurestorageofInstituteinformationisajointresponsibilityofsystemowners,ITadministrators,databasedesigners,applicationdesigners,andtheinformationowner.

2.3.3 PrintingofPersonalorConfidentialInformationInformationclassifiedasPersonalorConfidentialmustneverbesenttoasharedprinterwithoutanauthorizeduserimmediatelypresenttoretrieveitandhencesafeguarditsconfidentialityduringandafterprinting.

2.3.4 CollectionandUseofPersonalInformationThecollection,use,storage,andtransmissionofPersonalinformationusingBCITinformationtechnologyresourcesmustbeincompliancewiththeB.C.



PolicyPolicy


FreedomofInformationandProtectionofPrivacyActandwithPolicy6700,FreedomofInformationandProtectionofPrivacy.

2.3.5 DeletingInformationCreatedorOwnedbyOthersInformationistobeprotectedagainstunauthorizedoraccidentalchanges,andmayonlybedeletedinaccordancewithproceduresestablishedbytheinformationownerandinaccordancewithrecordsmanagementprocedures.

3. HumanResourcesSecurity3.1 PriortoEmployment

3.1.1 RolesandResponsibilitiesSecurityrolesandresponsibilitiesofemployeesmustbedefinedanddocumentedinjobdescriptions.

3.1.2 ScreeningBackgroundverificationchecksonallcandidatesforemployment,andexternalpartiesmustbecarriedoutinaccordancewithrelevantlaws,regulationsandethics,andproportionaltothebusinessrequirements,theclassificationoftheinformationtobeaccessed,andtheperceivedrisks.

3.1.3 TermsandConditionsofEmploymentAllemployeesmustacknowledgetheiragreementtoabidebyPolicy3501andPolicy3502priortoreceivingaccesstoanyaccount.

3.2 DuringEmployment3.2.1 InformationSecurityAwareness,Education,andTraining

Allemployeesandexternalparties,whereapplicable,mustreceiveappropriateawarenesstrainingandregularupdatesinpoliciesandprocedures.Newemployeesmustreceivesecuritytrainingaspartoftheirinitialorientation.

3.2.2 ChangeofRoleChangeofresponsibilitiesmustbemanagedasaterminationoftherespectiveresponsibilitiesandtheassignmentofnewresponsibilitiesasdescribedinsection3.1PriortoEmployment.

3.3 TerminationofEmployment3.3.1 TerminationResponsibilities

Anemployee’scontinuingobligationstoinformationsecuritymustbecommunicatedinwritingatterminationofemployment.

3.3.2 ReturnofAssetsAllemployeesandexternalpartiesmustreturnalloftheInstitute’sassetsintheirpossessionuponterminationofemployment,contract,oragreement.Theassetcustodianisresponsibletoensurethecorrespondingassetinventoriesareupdated.



PolicyPolicy


3.3.3 RemovalofAccessRightsOnleavingemployment,allemployee-basedaccessmustbedisabledattheendoftheemployee’slastday,orsooner,basedonsecurityrequirements.

4. PhysicalandEnvironmentalSecurity4.1 SecureAreas

4.1.1 PhysicalSecurityPerimeterSecurityperimeterswithwell-definedaccesspoints(barrierssuchaswall,cardcontrolledentry)mustbeusedtoprotectareasthatcontainPersonal,Confidential,orBCITInternalUseinformationandinformationprocessingfacilities.Protectionprovidedmustbecommensuratewithidentifiedrisks.Mobiledevicesandremovablemediaareexcludedprovidedtheinformationisencryptedaspersection5.7.2EncryptionofInformationonRemovableMedia.

4.1.2 PhysicalEntryControlsAreasrequiringhigherlevelsofsecuritymustbeprotectedwithappropriateentrycontrolstoensurethatonlyauthorizedusersareallowedaccess.

4.2 EquipmentSecurity4.2.1 EquipmentSitingandProtection

Thesiteschosentolocateequipmentorstoreinformationmustbesuitablyprotectedfromphysicalintrusion,temperaturefluctuations,theft,fire,flood,andotherhazards.

4.2.2 PhysicalSecurityofEquipmentAssetcustodiansareaccountable(eitherdirectlyorbydelegationofresponsibility)toensurethephysicalsecurityofassignedequipmentregardlessofwhethertheequipmentislocatedonoroffBCITcampuses.

4.2.3 MobileDevicesBCITownedmobiledevicesmustbeissuedonlytoauthorizedusers.Theyaretobeusedonlybyauthorizedusersandonlyforthepurposeforwhichtheyareissued.Theinformationstoredonthemobileequipmentistobesuitablyprotectedfromunauthorizedaccessatalltimes.Whenusingmobiledevices,encryptionstandardsmustbefollowed.Seealsosection2.3InformationHandling.

4.2.4 UseofEquipmentOn-CampusWiththeexceptionofpublicassets,onlyauthorizedusersarepermittedtouseBCITequipment.

4.2.5 SupportingUtilitiesEquipmentmustbeprotectedfrompowerfailuresandotherdisruptionscausedbyfailuresinsupportingutilities.



PolicyPolicy


4.2.6 CablingSecurityCablingcarryinginformationorsupportinginformationservicesmustbeprotectedfrominterceptionordamage.Powerandcoolinglinesmustbeprotectedfromdamage.

4.2.7 EquipmentMaintenanceEquipmentmustbecorrectlymaintainedtoensureitscontinuedavailabilityandintegrity.

4.2.8 SecurityofEquipmentOff-CampusOnlyauthorizedusersarepermittedtotakenon-mobileBCITtechnologyequipmentoffcampus.Whennon-mobileBCITequipmentisusedoffcampus,theauthorizeduserisresponsiblefornotifyingtheassetcustodianandensuringthesecurityoftheequipmentatalltimes.

4.2.9 SecureDisposalorRe-useofEquipmentEquipmentownedorleasedbytheInstitutemayonlybedisposedoforreconditionedforreusebypersonsauthorizedtodisposeoforreconditionequipmentwhohaveensuredthattherelevantsecurityriskshavebeenmitigatedandallinformationhasbeenrenderedunrecoverable.

5. CommunicationsandOperationsManagement5.1 OperationalProceduresandResponsibilities

5.1.1 DocumentedOperatingProceduresOperatingproceduresmustbedocumented,maintained,andmadeavailabletoalluserswhoneedthem.

5.1.2 ChangeManagementChangestoinformationprocessingfacilitiesandsystemsmustbecontrolledthroughappropriatechangecontrolmechanisms.

5.1.3 SegregationofDutiesDutiesandareasofresponsibilitymustbesegregatedtoreduceopportunitiesforunauthorizedorunintentionalmodificationormisuseoftheInstitute’sassets.

5.1.4 SeparationofDevelopment,Test,andOperationalFacilitiesDevelopment,test,andoperationalfacilitiesmustbeseparatedtoreducetherisksofunauthorizedaccessorchangetotheoperationalsystem.

5.2 ExternalPartyServiceDeliveryManagementBCITsecurityrequirementsmustbeincorporatedintocontractualrelationshipswithexternalparties.Compliancetosecurityrequirementsmustbemonitoredonanongoingbasis.

5.3 SystemPlanningandAcceptanceAcceptancecriteriafornewinformationsystems,upgrades,andnewversionsmustbeestablishedandsuitabletestsofthesystem(s)carriedoutduringdevelopment



PolicyPolicy


andpriortoacceptance.

5.4 ProtectionagainstMaliciousCodeRisksfrommaliciouscodetotheInstitute'ssystemsandinformationmustbeminimizedbyfosteringemployeeawareness,encouragingemployeevigilance,anddeployingappropriateprotectivesystemsanddevices.ITadministratorsmustinformrelevantpartiesofthreatsandcountermeasurestheycantaketoprotecttheInstitute’ssystemsandinformation.UsersmuststayinformedaboutthreatsandtakereasonableprecautionsinusingInstituteITresourcesinordertominimizeopportunitiesforattacks.ITadministratorsmustprepareandmaintaincontingencyplansforadenialofserviceattackandperiodicallytesttheirplanstoensureadequacy.5.4.1 DefendingagainstMaliciousAttack

Systemhardware,operatingsystemandapplicationsoftware,networks,andcommunicationsystemsmustallbeadequatelyconfiguredandsafeguardedagainstbothphysicalattackandunauthorizednetworkintrusion.

5.4.2 DownloadingFilesandInformationfromtheInternetUsersareresponsibleforallinformationandfilestheydownloadfromtheInternet(orotherexternalnetworksorfromonenetworkzonetoanother)andmustsafeguardagainstbothmaliciouscodeandinappropriatematerial.SeealsoGuideline3502,InformationSecurity.

5.4.3 ReceivingElectronicMail(Email)Usersmusttreatincomingemailwiththeutmostcareduetoitsinherentinformationsecurityrisks.Theopeningoffilesorotherattachmentsthatarefromanunknownsourceisnotpermittedunlesstheuserfirstscanstheattachmentsforpossiblevirusesorothermaliciouscode.SeeGuideline3501,AcceptableUseofInformationTechnology.

5.5 BackupSystemownersareresponsibleforestablishingtheextent,frequency,andretentionofsystembackupswhichmustreflectthebusinessrequirementsoftheInstitute,thesecurityrequirementsoftheinformationinvolved,andthecriticalityoftheinformationtothecontinuedoperationoftheInstitute.SeealsoGuideline3502,InformationSecurity.ITadministratorsareresponsibleforconfiguringinformationassetstomeetbackuprequirements.5.5.1 BackupsmustbeSecuredandTested

Backupsmustbesecuredinaccordancewiththeclassificationoftheinformationtheycontain.Backupsmustbeperiodicallytestedtoensurethedataisrecoverable,andrecordsmustbekeptofthetests.



PolicyPolicy


5.5.2 BackupsmustnotbeUsedinLieuofOtherControlsBCITbackupfacilitiesarenotintendedtoreplacerecordsmanagementcontrolsorprovideaudittrails.

5.5.3 RecoveringandRestoringInformationSafeguardsmustbeinplacetoprotecttheintegrityofdatafileswhenrecoveringandrestoringdatafiles,especiallywhererestoredfilesmayreplacemorerecentfiles.

5.6 NetworkSecurityManagementNetworksmustbeadequatelymanagedandcontrolledinordertobeprotectedfromthreatsandtomaintainsecurityforthesystemsandapplicationsusingthenetworks,includinginformationintransit.AllequipmentconnectedtothenetworkissubjecttoallBCITpolicies.Personalequipmentthatwillbeconnectedtothenetworkmayalsobesubjecttoinspectionpriortoconnectioninordertoverifythatsecurityrequirementsaremet.5.6.1 NetworkControls

Specialcontrolsmustbeestablishedto:� Safeguardtheconfidentialityandintegrityofdatapassingover

publicnetworksoroverwirelessnetworks� Protectnetworkequipment,theconnectedsystems,and

applications� Maintaintheavailabilityofthenetworkservicesandcomputers

connected� Applyappropriateloggingandmonitoringtoenablerecordingof

securityrelevantactions.

5.6.2 UserAuthenticationforExternalConnectionsRemoteaccesscontrolproceduresmustprovideadequatesafeguardsthroughrobustidentification,authentication,andencryptiontechniques.RemoteaccesstoBCITnetworksisonlythroughthetechnologyapprovedbytheTISManager.

5.6.3 RemoteConfigurationandDiagnosticPortProtectionPhysicalandlogicalaccesstoconfigurationanddiagnosticportsmustbecontrolled.

5.6.4 SegregationinNetworks–NetworkZonesEachnetworkzonemust:� Haveclearguidelinesastotheintendeduseofthezoneandits

securitycharacteristics� Besufficientlysecureforintendeduses� Becompartmentalizedsoasnottobeameansforintrusioninto,or

interferencewith,BCITsystemsorothernetworks� Haveredundancy,backupandrecoverymeasures,andcontingency

plansinplacetoensurethatnetworkservicesareavailableonasufficientlytimelybasistosupporttheintendeduses



PolicyPolicy


� Havedocumentationcoveringitstopology,configuration,andgatewaystoexternalnetworksandnodes,aswellastheconnecteddevicesandindividualsresponsible.

Equipment,otherthanapprovednetworkequipment,mustnotbeattachedtotwonetworkzonessimultaneously.Thisistopreventuncontrolledflowoftrafficbetweenzonesandtopreservecompartmentalization.

5.6.5 NetworkConnectionControlNetworkequipmentmustnotbeconnectedtoBCITnetworkswithoutapprovalfromITServices.SystemsandequipmentconnectedtotheBCITnetworkmustbeconfiguredtominimizethepossibilityofbypassingaccesscontrols.ITadministratorsareresponsibleforimplementingsuchprecautions.SeeGuideline3502,InformationSecurityforconfigurationdetails.

5.6.6 IPAddressAssignmentIPaddressesonBCITnetworksmustnotbeassignedorusedwithoutpermissionfromITServices.(AutomatedassignmentofanIPaddressbyanITScontrolledDHCPserverconstitutespermission.)

5.6.7 DomainNameRegistrationandUseEmployeesandstudentsarenotpermittedtoregisterdomainnamesthatincludeBCIT,BritishColumbiaInstituteofTechnology,oranyvariationswithoutpriorauthorizationoftheMarketingandCommunicationsDepartment.ThirdpartyagreementlanguagemustincludeprotectionforBCITdomainnames.Seesection1.2.2AddressingSecurityinExternalPartyAgreements.Allwebsitesthataresub-domainsofaBCITdomainorassignedtoaBCITownedIPrangemustbeauthorizedbytheMarketingandCommunicationsDepartmentpriortodevelopment.

5.6.8 ServerPlacementinNetworksServersthatareconnectedtotheBCITnetworkmustbeplacedinalocationandnetworkzonethatislogicallyandphysicallysecurecommensuratewiththevalueoftheserviceprovidedandthesensitivityoftheinformationaccessiblethroughthesystem.Allaccesstothisequipmentmustbeloggedtofacilitateauditing.SeeGuideline3502,InformationSecurityforminimumloggingstandards.StudentserversmayonlybeattachedtotheAcademicZoneandmustnotbeattachedtotheAdministrativeZone.

5.6.9 ServersAccessiblefromExternalNetworksAllserversthatareaccessibletoanexternalnetwork(includingtheInternet)mustreceivepermissionfromtheTISManager.



PolicyPolicy


5.6.10 SecurityofNetworkServices

Securityfeatures,servicelevels,andmanagementrequirementsforeachnetworkzonemustbeidentifiedandincludedinanyservicelevelagreement,whethertheseservicesareprovidedin-houseoroutsourced.

5.7 HandlingofMediaandHardcopy5.7.1 MediaandHardcopyHandlingProcedures

Proceduresmustbedrawnupandfollowedforhandling,processing,storing,transporting,transmitting,anddisposalorreuseofmediaandhardcopy.Theseproceduresmustbeconsistentwithsecurityguidelines.Fordetails,seeGuideline3502,InformationSecurity.

5.7.2 EncryptionofInformationonRemovableMediaPersonalorConfidentialinformationmustbeencryptedwhenstoredonremovablemediainaccordancewithsection2.3InformationHandlingandProcedure3502,InformationSecurity.

5.7.3 DisposalorReuseofMediaAllmediamustbedisposedoforpreparedforreuseinsuchamannerthatitisimpossibletorecovertheinformation.

5.7.4 ShreddingofUnwantedHardcopyAllhardcopiescontainingPersonalorConfidentialinformationaretobesecurelyshreddedwhennolongerrequired.Wheretheinformationconstitutesarecord,seealsoProcedure6701-PR1,RecordsManagement.

5.7.5 UsingExternalDisposalFirmsAnyexternalpartyusedfordisposalofBCIT’smediaandhardcopymusthaveacontractualagreementaccordingtosection1.2.2AddressingSecurityinExternalPartyAgreements.

5.7.6 SecurityofSystemDocumentationSystemdocumentationmustbeprotectedagainstunauthorizedaccess.

5.8 ExchangeofInformation5.8.1 InformationExchangePoliciesandProcedures

Formalinformationexchangepolicies,procedures,andcontrolsmustbeinplacetoprotecttheexchangeofinformationthroughtheuseofalltypesofcommunication.

5.8.2 TransmittingInformationacrossNetworksAllPersonalorConfidentialinformationmustbeencryptedintransit,includingbyemail,electronicdatainterchange,orotherformsofinterconnectionofbusinesssystems.ControlsmustbeputinplacetoverifytheintegrityoftransmittedPersonalorConfidentialinformationandtheidentitiesofsenderandreceiver.SeeGuideline3502,InformationSecurity.



PolicyPolicy


5.8.3 PersonsGivingInformationovertheTelephoneTheidentityandauthorizationofcallersmustbeverifiedbeforePersonalorConfidentialinformationisprovidedoverthetelephone.

5.8.4 ExchangeAgreementsAgreementsmustbeestablishedfortheexchangeofPersonalorConfidentialinformationbetweentheInstituteandexternalpartiesotherthanforregulatoryorlegislativerequirements.

5.8.5 RemovableMediainTransitRemovablemediacontaininginformationmustbeprotectedagainstunauthorizedaccess,misuseorcorruptionduringtransportation.ThetransportationofremovablemediacontainingPersonalorConfidentialinformationmustbelogged.Theremovablemediamustbeaddressedtotheintendedrecipientandreceiptmustbeconfirmedandlogged.

5.9 ElectronicCommerceServicesControlsarenecessarytocovertheadditionalsecurityrequirementsassociatedwithusingorprovidingelectroniccommerceservices.Informationinvolvedinelectroniccommercemustbeprotectedfromfraudulentactivity,contractdispute,andunauthorizeddisclosureandmodification.ElectroniccommercesystemsmustmeetPaymentCardIndustry(PCI)standardswhereappropriate.5.9.1 ApprovalofElectronicCommerceSystems

EachelectroniccommercesystemrequiresapprovalfromtheChiefFinancialOfficer(CFO)priortoimplementation.

5.9.2 PersonalPaymentInformationAllsystemsstoringorprocessingpersonalpaymentinformation,includingcreditcardnumbersandbankaccountnumbers,requireapprovalfromtheCFOpriortoimplementation.

5.10 Monitoring5.10.1 Logging

Logsrecordingsecurityrelevantuseractivities,exceptions,andinformationsecurityeventsmustbeproducedandkeptfortheperiodspecifiedintheguidelinesforaccesscontrolmonitoringandtoassistinfutureinvestigations.SeeGuideline3502,InformationSecurity.

5.10.2 MonitoringSystemUseLogs,includingsystemandapplicationlogs,mustbemonitoredandanomaliesinvestigated.LogsmustbereviewedregularlyforsecurityeventsbyITadministratorsanddiscrepanciesreportedtotheTISManager.



PolicyPolicy


5.10.3 ProtectionofLogInformationLoggingfacilitiesandloginformationmustbeprotectedagainsttamperingandunauthorizedaccess.

5.10.4 AdministratorandOperatorLogsITadministratorandotherprivilegedaccountactivitiesmustbelogged.

5.10.5 ClockSynchronizationSystemclocksmustbesynchronizedregularlytoacommonsourcetosimplifythereviewandcorrelationofauditlogs.ThecommonsourceisasspecifiedbyITServices.

6. AccessControlAccountsmaybeprovisionedtoprovideaccesstoassetsincluding:networks,operatingsystems,applications,anddatabasemanagementsystems.Thissectiongovernsaccesstoalloftheseassetcategories.6.1 AccessControlPolicy

Systemownersmustestablish,document,andregularlyreviewanaccesscontrolpolicyforsystemsintheircontrolbasedonbusinessandsecurityrequirementsforaccess.

6.2 UserAccessManagementFormaluserregistrationandde-registrationproceduresmustbeusedtograntandrevokeaccesstoallinformationsystemsandservicesincludingnetworkservices,operatingsystems,applications,anddatabasemanagementsystems.Theallocationanduseofprivilegesmustberestrictedandcontrolled,andtheallocationofpasswordsandothersecuritycredentialsmustbecontrolledthroughaformalmanagementprocess.6.2.1 ReviewofAccountsandAccessRights

Systemownersmustreviewusers’accessrightsatregularintervalsusingaformalprocess.

6.2.2 InactiveAccountsInactiveaccountsmustbedisabledaftertheperiodofinactivityspecifiedinGuideline3502,InformationSecurity.

6.2.3 SessionTime-outInactivesessionsmustbeterminatedaftertheperiodofinactivitydefinedinGuideline3502,InformationSecurity.

6.2.4 AdditionalAccessProtectionsSystemsmayrequireadditionalaccessprotectionsbasedontimeofday,location,andadditionalauthenticationrequirements.SeeGuideline3502,InformationSecurity.



PolicyPolicy


6.3 UserResponsibilitiesAllusersmustauthenticateusingtheirownaccountforagivensystem.Approvedloginproceduresmustbefollowed.6.3.1 DelegationofDuties

Wheredelegationofdutiesisrequiredtomeetabusinessneed,usersmustemployfeatureswithinthesystemwhereverpossible.Wherethesystemdoesnotprovidetheabilitytodelegate,thentheprocedurefordelegatinganaccountthroughcontrolledsharingdetailedinProcedure3502,InformationSecuritymustbefollowed.

6.3.2 ShortTermAccountsIndepartmentsthatemploytemporaryemployeesonafrequentbasis,theuseofshorttermaccountsmustfollowProcedure3502,InformationSecurity.

6.3.3 InadvertentAccesstoResourcesandInformationUsersmustnotexploitinsecureaccountsorresources,ortakeadvantageoflessknowledgeableusers.UsersmustnotreadPersonalorConfidentialinformationsimplybecauseitisaccessibletothemthroughaccidentalexposureorthroughthemaliceofotherswhohavebrokenintoasystemoraremisusingtheiraccessprivileges.Ifusersdiscoversuchanexposuretheymustreporttheexposureasasecurityincident.

6.3.4 PasswordUseTheselectionofpasswordsandtheiruse,protection,andmanagementmustfollowthecorrespondingproceduresinProcedure3502,InformationSecurity.Passwordsmustnotbesharedwithanyotherpersonatanytime.TheonlyexceptioniswhenauthorizedusersmustdelegateanaccountaccordingtoProcedure3502,InformationSecurity.BCITpasswordsmustnotbeusedforanynon-BCITaccountsorservices(suchaspersonalISPaccounts,freeonlineemailaccounts,instantmessagingaccounts,orotheronlineservices).ThispracticeensurescompartmentalizationandreducesthelikelihoodthatpasswordsobtainedfromothersystemsmaybeusedtocompromiseBCITsystems.

6.3.5 ControllingAccesstoUnattendedUserEquipmentWhenleavingacomputerormobiledeviceunattended,usersareresponsiblefor:� Preventingunauthorizedaccesstoinformationandrecordsbyeither

loggingofforusingdevicelockingsoftware� Preventingtheftofthecomputerordevicebyusingalockingdevice.

Allunattendedequipmentinpublicareasmustbephysicallysecuredandconfiguredinamannersuchthatthesecurityofitssystemscannotbeeasilythwarted.



PolicyPolicy


6.3.6 ControllingAccesstoInformationinUnattendedAreasDesksmustbeclearedofPersonalorConfidentialinformationwhendesksareunattended.AreasthatmaycontainPersonalorConfidentialinformationmustnotbeleftunattendedwithoutsecuringtheinformation.

7. InformationSystemsAcquisition,Development&Maintenance7.1 SecurityRequirementsofInformationSystems

Statementsofbusinessrequirementsfornewinformationsystems,orenhancementstoexistinginformationsystemsmustspecifytherequirementsforsecuritycontrols.Securityrequirementsandcontrolsmustreflectthebusinessvalueofinformationassetsaffectedbythesystemandthepotentialbusinessdamagethatmightresultfromafailureorabsenceofsecurity.Systemrequirementsforinformationsecurityandprocessesforimplementingsecurityshouldbeintegratedintheearlystagesofinformationsystemprojects.Forrequirementsthatmustbeconsidered,seeGuideline3502,InformationSecurity.

7.2 CorrectProcessinginApplicationsSystemownersmustensurethatthesystemstheyareresponsibleforhandleinformationwithduecare.Thisincludesvalidationofinformationenteredintothesystem,validationcheckstodetectcorruptionofinformationthroughprocessingerrorsordeliberateacts,appropriatecontrolstoensureauthenticityandmessageintegrity,andvalidationofinformationoutputfromanapplicationtoensurethattheprocessingofstoredinformationiscorrect.

7.3 SecurityinDevelopment,DeploymentandSupportProcessesOnlyauthorizedusersmayaccessoperationalsoftwarelibrariesorthesourcecodeofsystems.Segregationofduties,technicalaccesscontrols,androbustproceduresmustbeemployedwheneveramendmentstosoftwarearenecessary.7.3.1 TechnicalReviewofApplicationsafterExecutionEnvironment

ChangesWhentheexecutionenvironmentoftheapplicationischanged(e.g.,operatingsystem,hardware,middleware),businesscriticalapplicationsmustbereviewedandtestedtoensurethereisnoadverseimpactonInstituteoperationsorsecurity.

7.3.2 OutsourcedSoftwareDevelopmentOutsourcedsoftwaredevelopmentmustbeinaccordancewithsection1.2.2AddressingSecurityinExternalPartyAgreements.

7.3.3 ControlofOperationalSoftwareOnlyauthorizedusersmaydeploysoftwareonoperationalsystems.

7.3.4 UsingLiveInformationforTestingTheuseofliveinformationfortestingnewvendor-suppliedorcustomsystemsorsystemchangesmayonlybepermittedwherethesamecontrolsforthesecurityoftheinformationasusedontheproductionsystemareinplace.



PolicyPolicy


7.4 TechnicalVulnerabilityManagementTheTISManagerandeachITadministratorareresponsibleformonitoringinformationaboutthetechnicalvulnerabilitiesoftheinformationsystems,promptlyevaluatingtheInstitute’sexposuretosuchvulnerabilities,andtakingtimely,appropriatemeasurestoaddresstheassociatedrisks.SeeGuideline3502,InformationSecurity.

8. InformationSecurityIncidentManagement8.1 ReportingInformationSecurityEventsandWeaknesses

8.1.1 ReportingInformationSecurityEventsAllsuspectedinformationsecurityincidentsmustbereportedpromptlytotheTISManager.

8.1.2 ReportingSecurityWeaknessesAllinformationsecurityweaknessesmustbereportedpromptlytotheTISManager.

8.2 ManagementofInformationSecurityIncidentsandImprovements8.2.1 ConductofInvestigations

InformationsecurityinvestigationsarecoordinatedbytheTISManager.TheTISManagerisauthorizedtoinvestigateinformationsecurityincidentsincluding:seizingInstitute-ownedequipment,monitoring,andtakingimagesandbackups.

8.2.2 ResponsibilitiesandProceduresBCITemployeesandstudentsmustprovidetimelyassistancewhenrequested.Externalparties’responsibilitiesforinformationsecurityincidentmanagementmustbeestablishedaccordingtosection1.2.2AddressingSecurityinExternalPartyAgreements.

8.2.3 InvestigationLimitationsInvestigationofanindividual’sactivitiesorfilesbytheTISManagerwillonlybedoneinresponsetoanincidentorwithreasonablesuspicionthattheindividualisengaginginactivitiesthatarenoncompliantwithBCITpolicies.

8.2.4 EnsuringtheIntegrityofInformationSecurityIncidentInvestigationsToensuretheintegrityofevidence,theTISManagermustbecontactedbeforeanyinvestigationalactivitiesareundertaken.

8.2.5 LearningfromInformationSecurityIncidentsPost-incidentreviewofmajorincidentsmustbeconducted.Periodically,incidentsmustbereviewedcollectivelytoidentifytrendsforimprovementofsecurityefforts.



PolicyPolicy


9. BusinessContinuityManagementSeePolicy7530,EmergencyResponseforBCIT’sbusinesscontinuitymanagementapproach.9.1 InformationSecurityAspectsofBusinessContinuityManagement

9.1.1 IncludingInformationSecurityintheBusinessContinuityManagementProcessTheplanningandimplementationofbusinesscontinuitymustnotcompromiseinformationsecurity.

9.1.2 DisasterRecoveryPlanSystemownersmustensurethatdisasterrecoveryplansfortheirsystemsaredeveloped,tested,andimplemented.RecoverytimemustbenegotiatedjointlybythesystemownersandITServicesorotherserviceprovider.WherebusinessrequirementsexceedtheabilitytorecoverITassets,mitigatingcontrolsmustbeputinplace.SeePolicy7530,BCITEmergencyResponseformoredetails.

10. Compliance10.1 CompliancewithLegalRequirements

10.1.1 IntellectualPropertyRights(IPR)SeePolicy6601,IntellectualProperty.

10.1.2 UsingLicensedSoftwareAllsoftwaremustbeappropriatelylicensedandusersmustcomplywiththetermsandconditionsofallEndUserLicenseAgreements.

10.1.3 ProtectionofOrganizationalRecordsSeePolicy6701,RecordsManagement.

10.1.4 DataProtectionandPrivacyofPersonalInformationSeesection2.2InformationClassificationinthispolicy.

10.2 InformationSystemsAuditConsiderationsTheplanningandimplementationofinformationsystemsauditsmustnotcompromiseinformationsecurity.Accesstosystemauditingtoolsmustbeprotectedtopreventanymisuseorcompromise.

11. Non-ConformingSystemsThispolicyrepresentsatargetenvironment.Notallsystemsortechnologiesarecapableofconforminginalldetails.TheTISManagermustmaintainalistofnon-conformingsystemsandtechnologies.Thisisarisk-basedactivityfocusingonnon-conformingsystemswiththehighestriskprofile.



PolicyPolicy


Systemownersofsystemsthatareunabletoconformtothispolicyanditsguidelinesmust:• Reportnon-conformancetotheTISManagerimmediately• Undertakeariskassessment• DevelopariskmanagementplanandsubmittotheTISManager.Thisexceptionlistwillincludeallsystemsandtechnologiesthatdonotconformtothispolicyandincludeareferencetotheriskassessmentandriskmanagementplanforeachsystemortechnologyonthelist.

12. ConsequencesofPolicyViolationBCITreservestherighttoterminateorrestricttheaccessprivilegesofauserwhoseactivitiesnegativelyaffectorposeathreattoafacility,anotheraccountholder,normaloperations,orthereputationoftheInstitute.Followingdueprocess,theInstitutemaytakeoneormoreofthefollowingactionsagainstanyuserwhoseactivitiesareinviolationofthispolicyorthelaw:� Averbalorwrittenwarning� RestrictionsonorremovalofaccesstoanyorallInstitutecomputingfacilitiesand

services� Legalactionthatcouldresultincriminalorcivilproceedings� Inthecaseofstudents,disciplinaryactionunderPolicy5102,StandardsofNon-

academicConduct.� Inthecaseofemployees,disciplinaryactionuptoandincludingtermination.EquipmentthatviolatesBCITpolicyornegativelyaffectsorposesathreattoafacility,normaloperations,orthereputationoftheInstitutemaybeimmediatelydisconnected,quarantined,orotherwisecontained.Institute-ownedequipmentmayalsobeseized.

ProceduresAssociatedWithThisPolicy

None.

FormsAssociatedWithThisPolicy

None.

AmendmentHistory

1. Created 2009Jan272. Revision1 2016Oct04

ScheduledReviewDate

2021Oct04