
This material has been prepared solely for use within the Organization (Provincial Health Services Authority and/or Vancouver Coastal Health Authority and/or Providence Health Care). The Organization accepts no responsibility for use of this material by any person or business not associated with the Organization. A printed copy of this document may not reflect the current, electronic version on the Organization's Intranet.

Policy Title: Information Security

Control Area/Category: Information Security (Information Management / Information Technology Services)

Reference: IMITS 130

Effective as of: February 27, 2013

Approved by: PHSA Senior Executive Team

Review Date: February 27, 2016

Revision no.

Page 1 of 22

Information Security

“Organization”, as referenced below, is defined as the Provincial Health Services Authority (PHSA) and / or Vancouver Coastal Health (VCH) and / or Providence Healthcare (PHC).

1. Policy Purpose

The purpose of the Information Security Policy (the “Policy”) is to ensure the confidentiality, integrity and availability of Confidential Information stored on all of the Organization’s respective information systems, including shared information systems (“Systems”). This is the primary policy for information security within the Organization and covers the range of control objectives described in the international standard: ISO/IEC 27002: Code of practice for information security management. Other Organizational policies provide additional details and specific security requirements for particular subject areas discussed in this Policy.

Specifically, this Policy:

Establishes a framework for operations to minimize risk and respond effectively to any security incidents that may occur;

Ensures that the Organization meets its legal obligations to protect Confidential Information;

Communicates roles and responsibilities in respect of maintaining information security;

Establishes a secure and stable environment for processing, storage/retention and destruction of information; and

Guides the consistent adherence to security measures across the Organization.

2. Policy Statement

2.1. Information Security Risk Management

Information security requirements must be identified by a methodical assessment of security risks. The results of the risk assessment will help to guide the Organization to determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks.


Expenditure on controls needs to be balanced against the business harm likely to result from security failures.

Risk assessment should be repeated periodically to address any changes that might influence the risk assessment results.

See the Security Threat and Risk Assessment policy.

2.2. Security Policy, Procedures and Standards

a. Information Security Policy Document

IMITS will set a clear direction and demonstrate support for and commitment to information security through this and other information security policies, procedures and standards.

This Policy must be reviewed at planned intervals, when industry standards change or in response to a security incident, in accordance with the Organization’s Information Security Policy Development & Sustainment Framework, and whenever material changes occur to ensure its continuing suitability, adequacy, and effectiveness.

2.3. Organization of Information Security

a. Internal Organization

The Organization will implement and manage an information security program to protect Systems and Confidential Information stored on Systems. The information security program is managed by the Chief Information Officer, IMITS. The security program will:

(i) ensure that information security goals are identified, meet organizational requirements and are integrated into relevant processes;

(ii) formulate, review, and approve this Policy and related policies and standards;

(iii) review the effectiveness of the implementation of this Policy and other related policies;

(iv) provide clear direction and visible management support for security initiatives;

(v) provide the resources needed for information security;

(vi) approve assignment of specific roles and responsibilities for information security across the organization;


(vii) initiate plans and programs to maintain information security awareness; and

(viii) ensure that the implementation of information security controls is coordinated and consistent across the Organization.

Information security activities will be coordinated by representatives from different parts of the Organization with relevant roles and job functions.

All information security responsibilities must be clearly defined. Individuals with allocated security responsibilities may delegate security tasks to others; however, the individual remains responsible for ensuring that any delegated tasks have been correctly performed.

b. Independent Review

IMITS’ approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) should be reviewed independently at planned intervals, or when significant changes to the security implementation occur. The independent review should be initiated by the respective Organization’s Senior Executive/Leadership Team (SET/SLT) or the respective Organization’s Board (the “Board”). Such a review should be carried out by individuals independent of the area under review, e.g. the Internal Audit group or a third-party organization specializing in such reviews. The results of the independent review must be recorded and reported to SET/SLT or the Board. If the independent review determines that the Organization’s approach to managing information security, or its implementation, is inadequate or non-compliant with this Policy, SET/SLT or the Board will take corrective actions as necessary.

c. External Parties

The security of the Organization’s Systems and Confidential Information must not be compromised by the introduction of External Parties, the products or services they provide or External Users. Access to the Organization’s Systems facilities by External Parties must be controlled. Where there is a business need for working with External Parties that may require access to the Organization’s Systems and Confidential Information, or in obtaining or providing a product or service from or to an External Party, an assessment must be carried out to determine security implications and control requirements as per the Security Threat and Risk Assessment (“STRA”) policy. Controls must be agreed to and defined in an agreement with the External Party.


Agreements with External Parties involving accessing, processing, communicating or managing the Organization’s Confidential Information or Systems must cover all relevant security requirements. Periodic reviews may be required to ensure compliance with agreements with External Parties.

Outsourcing arrangements must address the risks, security controls and procedures for Systems in the contract between the Organization and the External Parties.

Security requirements must be identified and addressed before giving External Parties or External Users access to the Organization’s Confidential Information or Systems.

2.4. Asset Management

a. Responsibility for Assets

Management responsibility must be identified for all major Systems and the Confidential Information they contain. The responsibility for the maintenance of appropriate controls must be assigned to designated individuals.

The Organization is responsible for approving all computer equipment installations, disconnections, modifications, repairs, servicing and relocations. Rules for the acceptable use of Systems and Confidential Information must be identified, documented, and implemented. Acceptable uses of Systems are set out in the Acceptable Use of Technology policy.

b. Information Classification

All major Systems and Confidential Information must be identified and classified according to the value, legal requirements, sensitivity and criticality to the Organization as per the Information Security Classification policy. An appropriate set of procedures for information labeling and handling should be developed and implemented in accordance with the classification scheme.

2.5. Human Resources Security

a. Prior to Employment or Commencement of Services

Security roles and responsibilities of Staff, External Parties and External Users should be defined and documented in accordance with this Policy.

All Users must agree in writing to maintain the confidentiality and adhere to the appropriate terms of use governing their use of the System(s) to which they have been provided access. They must also be provided with appropriate policies and guidelines that pertain to acceptable use of technology, protection of privacy and general standards of conduct.

External Parties must not be given access to a System or Confidential Information unless there is an agreement in place between the External Party and the Organization which includes appropriate privacy, confidentiality and security obligations governing their access to the System or Confidential Information.

Background verification checks on all candidates for employment, contractors, and External Users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed and the risks.

b. During Employment or Delivery of Services

The Organization’s management must ensure that Staff and Users comply with their security responsibilities as outlined in this Policy and related policies.

All Users must receive appropriate information security awareness, education or training and regular updates to the Organization’s security policies and procedures, as relevant for their job functions. External Parties and External Users must also receive security awareness, education or training as appropriate for their level of access to Systems or Confidential Information. Users should be trained on the appropriate security procedures and the correct use of Systems to minimize the potential security risks.

Any material violations to this or other organizational security policies must be addressed through a formal disciplinary process and / or termination of services.

c. Termination or Change of Employment or Services

All Staff and Users must return all of the Organization’s assets, equipment, and records in their possession upon termination of their employment or relationship with their respective Organization.

The access rights of all Staff and Users to Systems and Confidential Information must be removed upon termination of their employment, contract or agreement with the Organization or modified accordingly if their position or functional role within the Organization changes.


2.6. Physical and Environmental Security

a. Secure Areas

Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) must be used to protect areas that contain Systems and Confidential Information.

Secure areas must be protected by appropriate entry controls to ensure that only authorized personnel are allowed access to such areas.

Physical security for offices, rooms, and facilities must be designed and applied.

Physical access is granted on the basis of Least Privilege, and upon defined job descriptions or roles.

Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises must be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

b. Equipment Security

All Systems must be protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

Systems must be protected from power failures and other disruptions caused by failures in supporting utilities.

Power and telecommunications cabling carrying data or supporting information services must be protected from interception or damage.

Systems must be correctly maintained to ensure their continued availability and integrity.

Security must be applied to equipment taken off-site considering the different risks of working outside of the Organization’s premises.

All Systems containing storage media must be checked to ensure that any Confidential Information and licensed software has been removed or securely overwritten prior to disposal. Systems containing Confidential Information must be physically destroyed or the information must be destroyed, deleted or overwritten using techniques to make the original information non-retrievable.


2.7. Communications and Operations Management

a. Operational Procedures and Responsibilities

(i) Documented procedures must be created and maintained for the secure operation of all Systems.

(ii) Changes to Systems must be controlled. Operational Systems and application software should be subject to strict change management control. Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes to equipment, software or procedures. When changes are made, an audit log containing all relevant information should be retained.

(iii) Duties and areas of responsibility should be segregated where appropriate to reduce opportunities for unauthorized or unintentional modification or misuse of Systems.

(iv) Development, test, and operational Systems must be segregated to reduce the risks of unauthorized access or changes to the operational System.

b. External Party Service Delivery Management

Security controls, service definitions and delivery levels must be included in any External Party service delivery agreement. The Organization must verify the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed with the External Party.

The services, reports and records provided by the External Party should be regularly monitored and reviewed, and audits should be carried out regularly.

Changes to the provision of External Party services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business Systems and processes involved and re-assessment of risks.

c. System Planning and Acceptance

The use of Systems should be monitored, tuned, and projections made for future capacity requirements to ensure the required System performance.

Acceptance criteria for new Systems, upgrades, and new versions must be reviewed by the Organization’s Production Change Control process and suitable tests of the System(s) carried out during development and prior to acceptance.

d. Protection against Malicious and Mobile Code

Detection, prevention, and recovery controls to protect against malicious code and appropriate User awareness procedures must be implemented as described in the Controls for Malicious Code policy.

Mobile Code must be controlled within Systems. Systems deploying Mobile Code must ensure that the authorized Mobile Code operates according to a clearly defined security policy, and unauthorized Mobile Code is prevented from executing.

e. Back-Up

Back-up copies of essential information within Systems must be taken regularly and tested to ensure recovery. System and network security patches must be maintained.

Not all Systems or data are backed up (e.g. the local “C” drive); Users are responsible for ensuring that all Systems or data requiring a back-up are saved on appropriate network drives.

f. Network Security Management

The Organization’s network must be adequately managed and controlled to protect it from threats and to maintain security for the Systems and applications using the network, including Confidential Information in transit.

Devices connected to the Organization's network must not be modified, disconnected or relocated without appropriate approval by IMITS or HSSBC.

Wireless access points, peer to peer wireless connections and Wi-Fi devices (even if they are not connected to the network) must be installed as per the Wireless (Wi-Fi) Network policy.

Security features, service levels, and management requirements of all network services must be identified and included in any network services agreement, whether these services are provided by the Organization or outsourced to an External Party.

g. Media Handling

Procedures for handling, reusing and disposing of media containing Confidential Information must be established and communicated to Users.


Media must be disposed of securely and safely when no longer required, using formal procedures as described in the respective Organization’s IT Asset Security and/or Records Retention and Disposal and/or Waste Management policies.

Procedures for the handling and storage of Confidential Information must be established to protect the information from unauthorized disclosure or misuse.

Media must be protected against unauthorized access.

h. Exchange of Information

Formal exchange policies, procedures, and controls must be in place to protect the exchange of information through the use of all types of communication facilities.

Agreements must be executed for the exchange of Confidential Information and software between the Organization and External Parties.

Media containing Confidential Information must be protected against unauthorized access, misuse or corruption during transportation beyond the Organization’s physical boundaries.

Confidential Information involved in electronic messaging must be appropriately protected.

Policies and procedures must be developed and implemented to protect Confidential Information associated with the interconnection of Systems.

i. Electronic Commerce Services

Confidential Information involved in electronic commerce passing over public networks must be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

Confidential Information involved in on-line transactions must be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.

The integrity of Confidential Information being made available on a publicly available System must be protected to prevent unauthorized modification.


j. Monitoring & Logging

Audit logs recording exceptions and other security-relevant events must be produced and retained for an agreed period to assist in future investigations and access control monitoring.

Procedures for monitoring and auditing use of Systems must be established and the results of the monitoring activities reviewed regularly.

Logging facilities and log information must be protected against tampering and unauthorized access.

System administrator and system operator activities must be logged.

Faults must be logged, analyzed, and appropriate action taken.

The clocks of all relevant information processing Systems within an organization or security domain must be synchronized with an agreed accurate time source.

See the Monitoring & Logging policy.

k. Firewalls

Access to the Organization’s network and networked Systems must be controlled and managed by firewall devices. Firewall appliances and similar devices will be implemented to control the flow of network traffic at network boundaries between networks with differing security postures (e.g. at the boundary between the public Internet and the Organization’s internal network).

Endpoint protection must be installed on all authorized devices accessing the network where indicated by a STRA, or where required by the sensitivity classification assigned under the Information Security Classification policy.

2.8. Access Control

a. Business Requirements for Access Control

Access to Systems, networks and Confidential Information is controlled on the basis of business and security requirements as specified in the Role-Based User Management policy.

Access control rules must be based on the premise of “need to know” and the principle of “Least Privilege”.

b. User Access Management


There must be a formal User registration and de-registration procedure in place for granting and revoking access to all Systems and Confidential Information as described in the Access Management policy.

Allocation and use of privileges must be restricted and controlled.

The allocation of passwords must be controlled through a formal management process as described in the User Identification and Passwords policy.

All of the Organization's user accounts, computers and portable devices (e.g. laptops, personal digital assistants and cellular devices with data capabilities) that access the Organization's network and/or data must have appropriate protection controls enabled.

Management must review Users’ access rights at regular intervals using a formal process as described in the Access Management policy.

c. User Responsibilities

Users must follow good security practices in the selection and use of passwords in accordance with the Organization’s guidelines for passwords.

Users must ensure that unattended equipment has appropriate protection.

A clear desk policy for papers and removable storage media and a clear screen policy for Systems should be adopted.

Users must not use the “Remember Password” feature of any software application (e.g. Internet Explorer).

Users must use automatic password protected screen savers with timeout periods appropriate to the sensitivity of the data being accessed.

d. Network Access Control

Users must only be provided with access to the Systems and Confidential Information that they have been specifically authorized to use.

Appropriate authentication methods must be used to control access by remote Users. Controls for Remote Access including authentication mechanisms to the Organization’s network are defined in the Remote Access policy.

Automatic equipment identification must be used where appropriate as a means to authenticate connections from specific locations and equipment.

Physical and logical access to diagnostic and configuration ports must be controlled.

Groups of Systems, Confidential Information and Users must be segregated on the Organization’s network as required.

For shared networks, especially those extending across the respective Organization’s boundaries, the capability of Users to connect to the network must be restricted, in line with the access control requirements of Systems.

Routing controls must be implemented for the Organization’s network to ensure that computer connections and Confidential Information flows do not breach the access control requirements of Systems.

Wireless networks must be segregated from internal and private networks, and networking controls must be implemented to maintain that segregation. Wireless controls are defined in the Wireless (WiFi) Network policy.

Restrictions on connection times must be used to provide additional security for high-risk applications.

e. Operating System Access Control

Access to operating systems must be controlled by a secure log-on procedure.

All System passwords must follow the standards defined in the User Identification and Passwords policy. Passwords must be protected from unauthorized use or disclosure. Unsuccessful access attempts must be monitored and must trigger appropriate System protection mechanisms and response processes, such as User account lock-outs or deactivation.

The use of utility programs that might be capable of overriding System controls must be restricted and tightly controlled.

Inactive sessions must be shut down after a defined period of inactivity.

Restrictions on connection times must be used to provide additional security for high-risk applications.

f. Application and Information Access Control

Access to Confidential Information and application System functions by Users and support personnel must be restricted in accordance with this and other access control policies. Restrictions to access must be based on individual business application requirements.

Systems containing Confidential Information must have a dedicated (isolated) computing environment.

g. Mobile Computing and Teleworking

Appropriate security measures must be adopted to protect against the risks of using mobile computing and communication devices.

Users must not take portable storage devices or media off the Organization's premises without the approval of their immediate supervisor. Approval encompasses that the supervisor knows what equipment is leaving, what data is on it and for what purpose it will be used.

Operational plans and procedures must follow the standards defined in the Mobile Computing and Device Usage policy.

2.9. Information Security in System Acquisition, Development and Maintenance

a. Security Requirements of Systems

Statements of business requirements for new Systems, or enhancements to existing Systems must specify the requirements for security controls.

All security requirements must be identified at the requirements phase of a project and justified, agreed and documented as part of the overall business case for Systems.

Appropriate controls and audit trails or activity logs must be designed into Systems. Control requirements must be determined on the basis of a risk assessment.

b. Correct Processing in Applications

Data input to applications should be validated to ensure that this data is correct and appropriate.

Validation checks should be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

Requirements for ensuring authenticity and protecting message integrity in applications must be identified, and appropriate controls identified and implemented.

c. Cryptographic Controls

Encryption must be used in appropriate circumstances to protect Confidential Information from unauthorized disclosure. If storage or transmission of Confidential Information is required for business needs, it must be encrypted to render it unreadable, using the Organization’s Encryption/Cryptographic Standard.

The use of cryptographic controls must be determined by a STRA as described in the Security Threat and Risk Assessment policy.

As necessary, appropriate key management systems must be in place to support the use of cryptographic techniques across the Organization.

d. Security of System Files

Procedures must be in place to control the installation of software on operational Systems.

Test data must be selected carefully, and protected and controlled. Operational data or databases containing Confidential Information must not be used for testing purposes. Production data may be used for certain types of System testing provided that all personally identifiable data elements or sensitive content are removed or modified beyond recognition before use.

Access to System files and source code must be controlled and restricted to authorized Users only based on their roles and responsibilities following the principle of Least Privilege.

e. Security of Development and Support Processes

The implementation of changes should be controlled by the use of formal change control procedures.

When operating systems are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on the Organization’s operations or security.

Modifications to software packages should be limited to necessary changes, and all changes should be strictly controlled.

Information leakage should be prevented by:

(i) scanning of outbound media and communications for hidden information;

(ii) masking and modulating system and communications behavior to reduce the likelihood of an External Party being able to deduce information from such behavior;

(iii) making use of Systems and software that are considered to be of high integrity, e.g. using evaluated products;

(iv) regular monitoring of Staff usage and System activities, where permitted under existing legislation or regulation; and

(v) monitoring resource usage in Systems.

Outsourced software development must be supervised and monitored by the Organization where appropriate.

f. Technical Vulnerability Management

A STRA must be conducted prior to deploying a system in production, so that information about the technical vulnerabilities of that system is obtained, exposure to those vulnerabilities is evaluated, and appropriate measures are implemented to address the associated risk.

Systems must be patched regularly as described in the Management of Standard Software Patches policy.

Systems must be scanned for vulnerabilities before being deployed in production and whenever changes which may affect System security are made. Identified vulnerabilities must be prioritized and addressed for remediation considering each threat and its potential impact on the Organization. Vulnerability remediation may include correcting the vulnerable configuration, applying a software patch, or implementing alternative compensatory controls. Critical Systems (such as externally facing network devices and firewalls) must be scanned for vulnerabilities on a regular and ad hoc basis.

2.10. Information Security Incident Management

a. Reporting Information Security Events and Weaknesses

All Staff and Users of Systems are required to report any observed or suspected security breach. Information Security Events must be reported to the respective Organization’s Information Privacy Office, Enterprise Architecture and HSSBC as quickly as possible.

All Staff and Users of Systems are required to note and report any observed or suspected security weaknesses in Systems to Enterprise Architecture and HSSBC.

b. Management of Information Security Incidents and Improvements

Management responsibilities and procedures must be established to ensure a quick, effective, and orderly response to Information Security Incidents.

The respective Organization’s Senior Executive / Leadership Teams are accountable for decisions relating to significant Security Incidents affecting revenue, reputation or legal liability.

Security Incidents must be logged and tracked, and summary reports of the incidents must be presented to the respective Organization’s Information Privacy Office.

2.11. Disaster Recovery and Business Continuity Planning

a. Information Security Aspects of Business Continuity Management

A managed process should be developed and maintained that identifies the information security requirements needed for business continuity. Events that can cause interruptions to business processes should be identified, along with the probability and impact of such interruptions and their consequences for information security.

Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.

A single framework of business continuity plans should be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance.

Business continuity plans should be tested and updated regularly to ensure that they are up to date and effective.

2.12. Compliance

a. Compliance with Legal Requirements

All relevant statutory, regulatory, and contractual requirements and the Organization’s approach to meet these requirements must be explicitly defined, documented, and kept up to date.

Appropriate procedures must be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.

Important records must be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. Retention periods for the Organization’s Confidential Information are defined in the Records Retention & Disposal policy.

Data protection and privacy controls must be implemented as required by relevant legislation, regulations, and, if applicable, contractual clauses.

b. Compliance with Security Policies and Standards, and Technical Compliance

Staff are accountable for complying with this Policy and related policies. All deviations and non-compliance with these policies must be recorded, including the specific actions taken through an exceptions authorization process.

Managers are required to ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with this and related policies.

Systems must be regularly checked for compliance with security implementation standards.

Failure to comply with this Policy and other related IT policies may result in disciplinary action including, but not limited to, the termination of employment, loss of computing privileges, loss of privileges as a student placement or volunteer role, prosecution and liability for loss or damages.

The Organization will take reasonable measures to comply with this and related policies. Where technical controls or existing resources are incapable of enforcing all conditions outlined in this Policy, compensatory controls will be put in place to achieve the control objectives of this Policy.

c. Information Systems Audit Considerations

Audit requirements and activities involving checks on operational Systems must be carefully planned and agreed to minimize the risk of disruptions to business processes.

Access to System audit tools must be protected to prevent any possible misuse or compromise.

On-going planned and ad hoc compliance reviews of the Organization, its partners and service providers must be conducted. IMITS does not require the consent of the asset owner or facility manager to conduct them. All Systems are subject to inspection at any time.

A periodic information security risk assessment, and review of implemented security controls, will be performed to ensure that existing information security policies and controls adequately address changes to business requirements and priorities, and to consider new threats and vulnerabilities to the Organization.

3. Policy Scope

This Policy applies to all computer and network Systems owned or administered by the Organization, or operated by a third party for the Organization. This includes all of the Organization’s processing facilities, all platforms, all computers (regardless of size) and all application systems (whether developed in-house or purchased from third parties).

This Policy applies to all Staff and Users of Systems, including part-time, temporary staff, physicians, students, as well as all business and health-care delivery partners, consultants, contractors, and other service providers.

4. Policy Principles

4.1. Information security is a shared responsibility that requires the involvement and participation of all Staff and Users.

4.2. The Organization must provide Staff and Users with clear policy direction for the protection of its Systems and Confidential Information.

4.3. System security measures for the protection of the confidentiality, integrity and availability of information must be commensurate with the level of sensitivity of the information and the value and importance of the information to the Organization.

4.4. System security controls must comply with relevant legislative and regulatory requirements for the protection of individual privacy.

4.5. The Organization will follow the international standard ISO/IEC 27002: Code of practice for information security management (ISO 27002 Code of Practice) as the foundation of its information security practices.

5. Procedures

The Organization and HSSBC will develop procedures and technical standards to support this Policy as appropriate.

6. Exceptions

Exceptions to this policy are only permitted in extraordinary circumstances for approved business or clinical purposes and where the exception is supported by a security risk assessment.

Exceptions to this policy must be approved by the Chief Information Officer, IMITS, in consultation with the respective Organization’s Information Privacy Office, Enterprise Architecture and HSSBC.

Any approved exceptions must be re-evaluated whenever a material change to the control environment occurs. The business sponsor is responsible for notifying Enterprise Architecture and HSSBC of any changes to the control or operating environment described in an approved exception.

7. Internal Tools, Forms and References

Link to Standards: http://teamsites.phsa.ca/sites/TASPI/Security/Processes/default.aspx

8. Related Policies

Acceptable Use of Technology Policy

Access Management Policy

Auditing Access to Electronic Health Records Policy

Controls for Malicious Code Policy

Information Privacy and Confidentiality Policy

Management of Standard Software Patches Policy

Record Retention and Disposal Policy

Remote Access Policy

Role-Based Access Control Policy

User Identification and Passwords Policy

Wireless (WiFi) Network Policy

9. Definitions

“Clients” means all people receiving services from the Organization and includes patients and residents or their authorized or legal representative.

“Confidential Information” includes information and data, in any form or medium, relating to the Organization, its business, operations, activities, planning, personnel, labour relations, suppliers and finances that is not generally available to the public, including Personal Information, and information that is identified as “confidential information” in accordance with the Organization’s policies.

“Control” means any method of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature. Control is also used as a synonym for safeguard or countermeasure.

“External Party” means any respective Organization’s business partner entity or other non-Organizational entity.

“External User” means a User of a System who is not a member of the Personnel of a Health Authority, PHC or Ministry of Health under the General Health Information Sharing Agreement.

“Firewall” means a System which controls network access between two or more networks or networked devices.

“IMITS” means the Organization’s Information Management/Information Technology Services department.

“Information security” means the preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

“Information Security Event” means an identified occurrence of a System, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

“Information Security Incident” means a single or a series of unwanted or unexpected Information Security Events that have a significant probability of compromising business operations and threatening information security.

“Least Privilege” means the security principle that ensures that a user should have only those privileges required for the task at hand and no more.

“Malicious code” means software designed to exploit, infiltrate or damage a System without the informed consent of the computer user. It is also referred to as “malware” and includes computer viruses, worms, Trojan horses, rootkits, spyware, dishonest adware and other unwanted software.

“Material change” means a change to existing practices that significantly increases the level of risk to the Organization.

“Media” means any device, such as network infrastructure, information resources and Systems, that stores the Organization’s personal and confidential information.

“Mobile Code” means software obtained from remote Systems, transferred across a network, and then downloaded and executed on a local System without explicit installation or execution by the User.

“Password” means a form of secret authentication data that is used in combination with a user-ID to control access to a System.

“Publicly available” means a domain that is available for public use.

“Remote Access” means accessing a System from outside of an Organization’s facility or site.

“SET” means the Senior Executive Team.

“Staff” means all officers, directors, employees, contractors, consultants, physicians, health care professionals, students, volunteers and other service providers engaged by the Organization or organizations with which the Organization has concluded a network services agreement, or any other authorized User.

“System” means any of the Organization’s respective information systems, including shared electronic information systems.

“Threat” means a potential cause of an unwanted incident, which may result in harm to a System or the Organization.

“User” means any Staff or individual who has been authorized for access to and use of a System.

“User-ID” means a code or string of characters used to uniquely identify a user on a System.

“Vulnerability” means a weakness of a System that can be exploited by one or more threats.

10. External References

Canadian Institute of Chartered Accountants

http://www.cica.ca/index.aspx

Information Security Branch, Office of the Chief Information Officer, Ministry of Citizens’ Services, Province of British Columbia

http://www.cio.gov.bc.ca/local/cio/informationsecurity/policy/summaries/7_sec_threat_risk.pdf

Payment Card Industry Security Standards Council, Payment Card Industry Data Security Standard (PCI-DSS) v2.0

https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0

ISO 27002 Standards: Code of Practice for Information Security Management

http://www.27000.org/iso-27002.htm

IT Infrastructure Library (ITIL)

http://www.itil-officialsite.com/home/home.aspx

COBIT: Framework for IT Governance and Control

http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx