Information Security Roles and Responsibilities Procedure

Reference No.: xx
Revision No.: 2
Relevant ISO Control No.: 8.1.1
Issue Date: July 17th 2012
Revision Date: Jan 16th 2013
Approved by: Ted Harvey, Director, Technology Services

Version History
Version No. | Version Date | Author | Summary of Changes
1.1 | July 17th 2012 | Ted Harvey | Minor spelling changes

Approvals
Name | Title | Date of Approval | Version No.
Ray Hoppins | Associate Superintendent, System Services | |

Distribution
Name | Title | Date of Issue | Version No.
Personal Communication Devices | | |

Document Control
Document Title: Information Sensitivity Procedure
Document Location: http://xxx.chinooksedge.ab.ca/

Information Security Roles and Responsibilities Procedure Page 1
Table of Contents
1.0 Overview ... 3
2.0 Purpose ... 3
3.0 Scope ... 4
4.0 Risks ... 4
5.0 Procedure Detail ... 4
5.1 Information Security Review Committee ... 4
5.2 Director of Technology Services ... 4
5.3 Data Owners ... 5
5.4 Data Custodian ... 6
5.5 Data Users ... 8
6.0 Enforcement ... 9
6.1 Compliance ... 9
7.0 Procedure Governance ... 9
8.0 Definitions ... 10
9.0 References ... 10
1.0 Overview

The Information Sensitivity Policy is intended to help employees determine the roles and responsibilities of various Chinook's Edge employees for information security.

2.0 Purpose

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).

All employees should familiarize themselves with the various roles and responsibilities for information security in the organization. It should be noted that even though the security roles and responsibilities are defined below, all users with access to information should use common sense steps to protect Chinook's Edge Confidential information (e.g., Chinook's Edge Confidential information should not be left unattended in classrooms).

Please Note: The impact of these guidelines on daily activity should be minimal. Questions about the proper classification of a specific piece of information should be addressed to your Principal. Questions about these guidelines should be addressed to Technology Services.
3.0 Scope

These Roles and Responsibilities apply to all staff and third-party Agents of the School Division. Chinook's Edge personnel are encouraged to use common sense judgment in securing Chinook's Edge Confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their department manager or principal.

4.0 Risks

XXXXXXXXXX

5.0 Procedure Detail

5.1 Information Security Review Committee

The Technology Advisory Group is a voluntary committee whose role includes providing feedback, oversight and direction regarding information systems security and privacy assurance jurisdiction. In collaboration with the Director Technology Services, the group's specific oversight responsibilities include the following:

- Oversee the development, implementation, and maintenance of a mandatory division-wide strategic information systems security plan.
- Oversee the development, implementation, and enforcement of division-wide information systems security policy and related recommended guidelines, operating procedures, and technical standards.
- Oversee the process of handling requested policy exceptions.
- Advise COLT on related risk issues and recommend appropriate actions in support of the division's larger risk management programs.
- Ensure related compliance requirements are addressed, e.g., FOIP, School Technology Framework, PASI, etc.
- Ensure appropriate risk mitigation and control processes for security incidents as required.

5.2 Director of Technology Services

The Director of Technology Services oversees the development and implementation of the division's Information Security Policy. Specific responsibilities include:
- Document and disseminate information security policies, procedures, and guidelines.
- Update and review policies based upon feedback and incidents.
- Coordinate the development and implementation of a Division-wide information security training and awareness program.
- Coordinate a response to actual or suspected breaches in the confidentiality, integrity or availability of information assets.

5.3 Data Owners

A Data Owner is an individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, school, or administrative unit of the division. The role of the Data Owner is to provide direct authority and control over the management and use of specific information. These individuals might be department heads, directors, superintendents, principals, or designated staff. Responsibilities of a Data Owner include the following:

5.3.1 Ensure compliance with Chinook's Edge policies and all regulatory requirements

Data Owners need to understand whether or not any Chinook's Edge policies govern their information assets. Data Owners are responsible for having an understanding of organizational, legal and contractual obligations surrounding information assets within their functional areas. For example, the Freedom of Information and Privacy Act (FOIP) dictates requirements related to the handling of student information. Technology Services and the FOIP officer can assist Data Owners in gaining a better understanding of legal obligations.

5.3.2 Assign an appropriate classification to information assets

All information assets are to be classified based upon their level of sensitivity, value and criticality to the Division. Chinook's Edge has adopted three primary classifications: Confidential, Internal/Private, and Public. Please see the Information Sensitivity Procedure for further reference.
5.3.3 Determine appropriate criteria for obtaining access to sensitive information assets

A Data Owner is accountable for who has access to information assets within their functional areas. This does not imply that a Data Owner is responsible for day-to-day provisioning of access. Provisioning access is the responsibility of a Data Custodian. A Data Owner may decide to review and authorize each access request individually or may define a set of rules that determine who is eligible for access based on business function, support role, etc. Access must be granted based on the principles of least privilege as well as separation of duties. For example, a simple rule may be that all students are permitted access to their own marks, or that all staff members are permitted access to their own health benefits information. These rules should be documented in a manner that allows little or no room for interpretation by a Data Custodian.

5.3.4 Approve standards and procedures related to management of information assets

While it is the responsibility of the Data Custodian to develop and implement operational procedures, it is the Data Owner's responsibility to review and approve these standards and procedures. A Data Owner should consider the classification of the data and the associated risk tolerance when reviewing and approving these standards and procedures. For example, high risk and/or highly sensitive data may warrant more comprehensive documentation and, similarly, a more formal review and approval process.

5.4 Data Custodian

Data Custodians play a critical role in protecting division information systems and data. Data Custodians have administrative and/or operational responsibility over information assets and must follow all appropriate and related security guidelines to ensure the protection of sensitive data and intellectual property residing on systems for which they have accountability. Responsibilities of a Data Custodian include the following:

5.4.1 Understand how information assets are stored, processed, and transmitted

Understanding and documenting how information assets are being stored, processed and transmitted is the first step toward safeguarding that data.
Without this knowledge, it is difficult to implement or validate safeguards in an effective manner. One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed and how the data traverses the network. Data flow diagrams can also illustrate security controls as they are implemented. Regardless of approach, documentation should exist and be made available to the appropriate Data Owner.
5.4.2 Implement appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of information assets

Technology Services and Security has published guidance on implementing reasonable and appropriate security controls for the three classifications of data: Confidential, Private, and Public. Contractual obligations, regulatory requirements and parent requests also play an important role in implementing appropriate safeguards. Data Custodians should work with Data Owners to gain a better understanding of these requirements. Data Custodians should also document what security controls have been implemented and where gaps exist in current controls. This documentation should be made available to the appropriate Data Owner.

5.4.3 Document and disseminate administrative and operational procedures to ensure consistent storage, processing and transmission of information assets

Documenting administrative and operational procedures goes hand in hand with understanding how data is stored, processed and transmitted. Data Custodians should document as many repeatable processes as possible. This will help ensure that information assets are handled in a consistent manner and will also help ensure that safeguards are being effectively leveraged.

5.4.4 Provision and de-provision access as authorized by the Data Owner

Data Custodians are responsible for provisioning and de-provisioning access based on criteria established by the appropriate Data Owner. As specified above, standard procedures for provisioning and de-provisioning access should be documented and made available to the appropriate Data Owner.

5.4.5 Understand and report security risks and how they impact the confidentiality, integrity and availability of information assets

Data Custodians need to have a thorough understanding of security risks impacting their information assets. For example, storing or transmitting sensitive data in an unencrypted form is a security risk.
Protecting access to data using a weak password and/or not patching vulnerabilities in a system or application are both examples of security risks. Security risks need to be documented and reviewed with the appropriate Data Owner so that he or she can determine whether greater resources need to be devoted to mitigating these risks. Technology Services can assist Data Custodians with gaining a better understanding of their security risks.

5.5 Data Users

All users have a critical role in the effort to protect and maintain division information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider of the division who is authorized to access Chinook's Edge Information Systems and/or information assets. Responsibilities of Data Users include the following:

5.5.1 Adhere to policies, guidelines and procedures pertaining to the protection of information assets

Information Technology Services and Security publishes various policies, procedures, and guidelines related to the protection of information assets and systems; they can be found at www.chinooksedge??? Users are also required to follow all specific policies, guidelines, and procedures established by departments, schools, or administrative units with which they are associated and that have provided them with access privileges.

5.5.2 Report actual or suspected security and/or policy violations to an appropriate authority (director, principal, Technology Services, etc.)

During the course of day-to-day operations, users may come across a situation where they feel the security of information assets might be at risk. For example, a user comes across sensitive information on a website that he or she feels shouldn't be accessible. If this happens, it is the user's responsibility to report the situation.

5.5.3 Report actual or suspected breaches to Information Technology Services and Security

Reporting a security breach goes hand in hand with reporting violations. Please visit www.chinooksedge??????? for more information on what constitutes a security breach and on what steps to take if you suspect a security breach.
6.0 Enforcement

6.1 Compliance

If any employee is found to have breached this security Procedure, they may be subject to disciplinary action. Penalty for deliberate disclosure: up to and including termination, and possible civil and/or criminal prosecution to the full extent of the law. Any violation of the Procedure by a temporary worker, contractor or supplier may result in the termination of their contract or assignment and possible civil and/or criminal prosecution to the full extent of the law.

7.0 Procedure Governance

The following table identifies who within CESD is Accountable, Responsible, Informed or Consulted with regards to this Procedure. The following definitions apply:

Responsible: the person(s) responsible for developing and implementing the Procedure.
Accountable: the person who has ultimate accountability and authority for the Procedure.
Consulted: the person(s) or groups to be consulted prior to final Procedure implementation or amendment.
Informed: the person(s) or groups to be informed after Procedure implementation or amendment.

Responsible | Accountable | Consulted | Informed
Director Technology Services | Associate Superintendent, System Services | Technology Committee, Technology Advisory Group, FOIP Officer, Communications Officer, COLT | All CESD Employees, All Contractors, All temporary workers
8.0 Definitions

Certain terms are used throughout this policy; in order to avoid misinterpretation, several of the more commonly used terms are defined below.

Appropriate measures: In order to minimize risk, Chinook's Edge computer use by unauthorized personnel must be restricted so that, in the event of an attempt to access Chinook's Edge corporate information, the amount of information at risk is minimized.

Information System: Any electronic system that stores, processes, or transmits information.

Information Assets: Definable pieces of information in any form, recorded or stored on any media, that are recognized as valuable to the Division.

Principle of Least Privilege: Access privileges for any user should be limited to only what is necessary to complete their assigned duties or functions, and nothing more.

Principle of Separation of Duties: Whenever practical, no one person should be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse, or other harm.

9.0 References