Information Security Roles and Responsibilities Procedure

Reference No.: xx
Revision No.: 2
Relevant ISO Control No.: 8.1.1
Issue Date: July 17th 2012
Revision Date: Jan 16th 2013
Approved by: Ted Harvey, Director, Technology Services

Version History
Version No.   Version Date     Author       Summary of Changes
1.1           July 17th 2012   Ted Harvey   Minor spelling changes

Approvals
Name          Title                                       Date of Approval   Version No.
Ray Hoppins   Associate Superintendent, System Services

Distribution
Name                             Title   Date of Issue   Version No.
Personal Communication Devices

Document Control
Document Title: Information Sensitivity Procedure
Document Location: http://xxx.chinooksedge.ab.ca/

Table of Contents
1.0 Overview
2.0 Purpose
3.0 Scope
4.0 Risks
5.0 Procedure Detail
5.1 Information Security Review Committee
5.2 Director of Technology Services
5.3 Data Owners
5.4 Data Custodian
5.5 Data Users
6.0 Enforcement
6.1 Compliance
7.0 Procedure Governance
8.0 Definitions
9.0 References

1.0 Overview
This Procedure is intended to help employees determine the roles and responsibilities of the various Chinook's Edge employees for information security.

2.0 Purpose
The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing). All employees should familiarize themselves with the various roles and responsibilities for information security in the organization.

It should be noted that even though the security roles and responsibilities are defined below, all users with access to information should take common-sense steps to protect Chinook's Edge Confidential information (e.g., Chinook's Edge Confidential information should not be left unattended in classrooms).

Please note: the impact of these guidelines on daily activity should be minimal. Questions about the proper classification of a specific piece of information should be addressed to your Principal. Questions about these guidelines should be addressed to Technology Services.

3.0 Scope
These roles and responsibilities apply to all staff and third-party agents of the School Division. Chinook's Edge personnel are encouraged to use common-sense judgment in securing Chinook's Edge Confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their department manager or principal.

4.0 Risks
XXXXXXXXXX

5.0 Procedure Detail

5.1 Information Security Review Committee
The Technology Advisory Group is a voluntary committee whose role includes providing feedback, oversight and direction regarding information systems security and privacy assurance within its jurisdiction. In collaboration with the Director of Technology Services, the group's specific oversight responsibilities include the following:
- Oversee the development, implementation, and maintenance of a mandatory division-wide strategic information systems security plan.
- Oversee the development, implementation, and enforcement of division-wide information systems security policy and related recommended guidelines, operating procedures, and technical standards.
- Oversee the process of handling requested policy exceptions.
- Advise COLT on related risk issues and recommend appropriate actions in support of the division's larger risk management programs.
- Ensure related compliance requirements are addressed, e.g., FOIP, School Technology Framework, PASI, etc.
- Ensure appropriate risk mitigation and control processes for security incidents as required.

5.2 Director of Technology Services
The Director of Technology Services oversees the development and implementation of the division's Information Security Policy. Specific responsibilities include:

- Document and disseminate information security policies, procedures, and guidelines.
- Update and review policies based upon feedback and incidents.
- Coordinate the development and implementation of a division-wide information security training and awareness program.
- Coordinate a response to actual or suspected breaches in the confidentiality, integrity or availability of information assets.

5.3 Data Owners
A Data Owner is an individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, school, or administrative unit of the division. The role of the Data Owner is to provide direct authority and control over the management and use of specific information. These individuals might be department heads, directors, superintendents, principals, or designated staff. Responsibilities of a Data Owner include the following:

5.3.1 Ensure compliance with Chinook's Edge policies and all regulatory requirements
Data Owners need to understand whether or not any Chinook's Edge policies govern their information assets. Data Owners are responsible for having an understanding of the organizational, legal and contractual obligations surrounding information assets within their functional areas. For example, the Freedom of Information and Privacy Act (FOIP) dictates requirements related to the handling of student information. Technology Services and the FOIP officer can assist Data Owners in gaining a better understanding of legal obligations.

5.3.2 Assign an appropriate classification to information assets
All information assets are to be classified based upon their level of sensitivity, value and criticality to the division. Chinook's Edge has adopted three primary classifications: Confidential, Internal/Private, and Public. Please see the Information Sensitivity Procedure for further reference.

5.3.3 Determine appropriate criteria for obtaining access to sensitive information assets
A Data Owner is accountable for who has access to information assets within their functional areas. This does not imply that a Data Owner is responsible for day-to-day provisioning of access; provisioning access is the responsibility of a Data Custodian. A Data Owner may decide to review and authorize each access request individually, or may define a set of rules that determine who is eligible for access based on business function, support role, etc. Access must be granted based on the principles of least privilege and separation of duties. For example, a simple rule may be that all students are permitted access to their own marks, or that all staff members are permitted access to their own health benefits information. These rules should be documented in a manner that allows little or no room for interpretation by a Data Custodian.

5.3.4 Approve standards and procedures related to management of information assets
While it is the responsibility of the Data Custodian to develop and implement operational procedures, it is the Data Owner's responsibility to review and approve these standards and procedures. A Data Owner should consider the classification of the data and the associated risk tolerance when reviewing and approving these standards and procedures. For example, high-risk and/or highly sensitive data may warrant more comprehensive documentation and, similarly, a more formal review and approval process.

5.4 Data Custodian
Data Custodians play a critical role in protecting division information systems and data. Data Custodians have administrative and/or operational responsibility over information assets and must follow all appropriate and related security guidelines to ensure the protection of sensitive data and intellectual property residing on systems for which they have accountability. Responsibilities of a Data Custodian include the following:

5.4.1 Understand how information assets are stored, processed, and transmitted
Understanding and documenting how information assets are being stored, processed and transmitted is the first step toward safeguarding that data. Without this knowledge, it is difficult to implement or validate safeguards in an effective manner. One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed and how the data traverses the network. Data flow diagrams can also illustrate security controls as they are implemented. Regardless of approach, documentation should exist and be made available to the appropriate Data Owner.
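One way to write the access rules of 5.3.3 so that a Data Custodian has no room for interpretation is to express them as code with a default-deny evaluator. The Python below is an added example and is not part of the Chinook's Edge procedure; the resource kinds (student_marks, benefits), the role names, the extra benefits_admin rule and the named principals are assumptions chosen for illustration. It also applies separation of duties to the approval step itself, which the text states as a principle but does not spell out: the person raising a request can never be the one who approves it, and only a designated Data Owner may approve.

```python
"""Access eligibility rules handed from a Data Owner to a Data Custodian.

Added example for section 5.3.3; it is not part of the Chinook's Edge
procedure. The resource kinds, roles and principals below are assumptions
chosen for illustration.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    kind: str        # e.g. "student_marks", "benefits" (assumed names)
    subject_id: str  # the person the record is about


@dataclass(frozen=True)
class AccessRequest:
    requester: Principal
    resource: Resource
    action: str      # "read" or "write"


def _is_self(p: Principal, r: Resource) -> bool:
    return p.user_id == r.subject_id


# Each rule is (resource kind, action, predicate). A rule grants access only
# when its predicate returns True; nothing else grants anything (default deny),
# which is what least privilege means once written down.
Rule = Tuple[str, str, Callable[[Principal, Resource], bool]]
RULES: List[Rule] = [
    # "all students are permitted access to their own marks"
    ("student_marks", "read", lambda p, r: "student" in p.roles and _is_self(p, r)),
    # "all staff members are permitted access to their own health benefits information"
    ("benefits", "read", lambda p, r: "staff" in p.roles and _is_self(p, r)),
    # assumed extra rule: a benefits administrator may read any benefits record
    ("benefits", "read", lambda p, r: "benefits_admin" in p.roles),
]


def is_eligible(p: Principal, r: Resource, action: str) -> bool:
    """Default deny: eligible only if at least one rule explicitly grants it."""
    return any(kind == r.kind and act == action and pred(p, r)
               for kind, act, pred in RULES)


def review_request(req: AccessRequest, approver: Principal) -> Tuple[bool, str]:
    """Custodian-side check of a request against the Owner's rules.

    Separation of duties: the requester may not approve their own request and
    only a designated Data Owner may approve. Least privilege: a request no
    rule covers is refused, not escalated.
    """
    if approver.user_id == req.requester.user_id:
        return False, "separation of duties: requester cannot approve own request"
    if "data_owner" not in approver.roles:
        return False, "approver is not a designated Data Owner"
    if not is_eligible(req.requester, req.resource, req.action):
        return False, "least privilege: no rule grants this access"
    return True, "approved"


# Constructed principals for the usage below (assumptions, not real accounts).
ALICE = Principal("alice", frozenset({"student"}))
CAROL = Principal("carol", frozenset({"staff"}))
DANA = Principal("dana", frozenset({"staff", "benefits_admin"}))
OWNER = Principal("principal_smith", frozenset({"staff", "data_owner"}))

if __name__ == "__main__":
    req = AccessRequest(ALICE, Resource("student_marks", "alice"), "read")
    print(review_request(req, OWNER))  # (True, 'approved')
    print(review_request(req, ALICE))  # refused: separation of duties
    print(is_eligible(ALICE, Resource("student_marks", "bob"), "read"))  # False
```

Because every grant is a predicate over attributes of the requester and the record, a Data Owner can add or tighten a rule without the Custodian having to reinterpret prose, and a request that matches nothing fails closed.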

5.4.2 Implement appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of information assets
Technology Services and Security has published guidance on implementing reasonable and appropriate security controls for the three classifications of data: Confidential, Private, and Public. Contractual obligations, regulatory requirements and parent requests also play an important role in implementing appropriate safeguards. Data Custodians should work with Data Owners to gain a better understanding of these requirements. Data Custodians should also document what security controls have been implemented and where gaps exist in current controls. This documentation should be made available to the appropriate Data Owner.

5.4.3 Document and disseminate administrative and operational procedures to ensure consistent storage, processing and transmission of information assets
Documenting administrative and operational procedures goes hand in hand with understanding how data is stored, processed and transmitted. Data Custodians should document as many repeatable processes as possible. This will help ensure that information assets are handled in a consistent manner and will also help ensure that safeguards are being effectively leveraged.

5.4.4 Provision and de-provision access as authorized by the Data Owner
Data Custodians are responsible for provisioning and de-provisioning access based on criteria established by the appropriate Data Owner. As specified above, standard procedures for provisioning and de-provisioning access should be documented and made available to the appropriate Data Owner.

5.4.5 Understand and report security risks and how they impact the confidentiality, integrity and availability of information assets
Data Custodians need to have a thorough understanding of the security risks impacting their information assets. For example, storing or transmitting sensitive data in an unencrypted form is a security risk. Protecting access to data with a weak password and/or not patching vulnerabilities in a system or application are both examples of security risks. Security risks need to be documented and reviewed with the appropriate Data Owner so that he or she can determine whether greater resources need to be devoted to mitigating these risks. Technology Services can assist Data Custodians with gaining a better understanding of their security risks.

5.5 Data Users
All users have a critical role in the effort to protect and maintain division information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider of the division who is authorized to access Chinook's Edge information systems and/or information assets. Responsibilities of Data Users include the following:

5.5.1 Adhere to policies, guidelines and procedures pertaining to the protection of information assets
Information Technology Services and Security publishes various policies, procedures, and guidelines related to the protection of information assets and systems; these can be found at www.chinooksedge??? Users are also required to follow all specific policies, guidelines, and procedures established by the departments, schools, or administrative units with which they are associated and that have provided them with access privileges.

5.5.2 Report actual or suspected security and/or policy violations to an appropriate authority (director, principal, Technology Services, etc.)
During the course of day-to-day operations, users may come across a situation where they feel the security of information assets might be at risk. For example, a user comes across sensitive information on a website that he or she feels should not be accessible. If this happens, it is the user's responsibility to report the situation.

5.5.3 Report actual or suspected breaches to Information Technology Services and Security
Reporting a security breach goes hand in hand with reporting violations. Please visit www.chinooksedge??????? for more information on what constitutes a security breach and on what steps to take if you suspect one.
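The data-flow documentation of 5.4.1, the control-gap documentation of 5.4.2 and the risk examples of 5.4.5 (sensitive data stored or transmitted unencrypted, unpatched systems) can be kept as one structured inventory that a Data Custodian checks mechanically, rather than as a diagram alone. The Python below is an added example and is not part of the procedure or of Technology Services' published guidance; the systems, flows, control names and the per-classification minimums are constructed for illustration. It flags three kinds of gap: a system lacking a required control, Confidential or Private data crossing an unencrypted transport, and data landing in a system approved only for a lower classification (or in no documented system at all).

```python
"""Data-flow inventory with a control gap check.

Added example for sections 5.4.1, 5.4.2 and 5.4.5; it is not part of the
Chinook's Edge procedure. The systems, flows, control names and the
per-classification minimums are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Assumed minimum controls a system must have to hold data of each class.
STORE_REQUIRED: Dict[str, FrozenSet[str]] = {
    "Confidential": frozenset({"encrypted_at_rest", "mfa", "patched"}),
    "Private": frozenset({"patched"}),
    "Public": frozenset({"patched"}),
}
# Classes that must never cross the network unencrypted (assumption).
TLS_REQUIRED = {"Confidential", "Private"}
RANK = {"Public": 0, "Private": 1, "Confidential": 2}


@dataclass(frozen=True)
class Store:
    name: str
    classification: str       # highest class the system is approved to hold
    controls: FrozenSet[str]  # controls actually in place


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    classification: str  # class of the data being moved
    transport: str       # "tls", "plaintext", "none" (removable media), ...


def gap_report(stores: List[Store], flows: List[Flow]) -> List[str]:
    """Return one line per gap between the documented controls and the minimums."""
    by_name = {s.name: s for s in stores}
    gaps: List[str] = []
    for s in stores:
        for c in sorted(STORE_REQUIRED[s.classification] - s.controls):
            gaps.append(f"{s.name}: missing control {c}")
    for f in flows:
        if f.classification in TLS_REQUIRED and f.transport != "tls":
            gaps.append(f"{f.src}->{f.dst}: {f.classification} data over {f.transport}")
        dst = by_name.get(f.dst)
        if dst is None:
            # 5.4.1: every system touching the data must be documented
            gaps.append(f"{f.dst}: destination not in inventory")
        elif RANK[f.classification] > RANK[dst.classification]:
            gaps.append(f"{f.src}->{f.dst}: {f.classification} data stored in "
                        f"{dst.classification} system {f.dst}")
    return gaps


# Constructed inventory (assumptions, not real Chinook's Edge systems).
STORES = [
    Store("sis", "Confidential", frozenset({"encrypted_at_rest", "mfa", "patched"})),
    Store("reports_share", "Private", frozenset({"patched"})),
    Store("web", "Public", frozenset()),
]
FLOWS = [
    Flow("sis", "reports_share", "Confidential", "tls"),
    Flow("reports_share", "web", "Private", "plaintext"),
    Flow("sis", "web", "Public", "plaintext"),
    Flow("sis", "usb_stick", "Confidential", "none"),
]

if __name__ == "__main__":
    for line in gap_report(STORES, FLOWS):
        print(line)
```

The output is the list a Custodian would review with the Data Owner under 5.4.5: each line names a concrete control or flow, so the Owner can decide where resources go rather than reason from a diagram.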

6.0 Enforcement

6.1 Compliance
If any employee is found to have breached this Procedure, they may be subject to disciplinary action. Penalty for deliberate disclosure: up to and including termination, and possible civil and/or criminal prosecution to the full extent of the law. Any violation of the Procedure by a temporary worker, contractor or supplier may result in the termination of their contract or assignment and possible civil and/or criminal prosecution to the full extent of the law.

7.0 Procedure Governance
The following table identifies who within CESD is Accountable, Responsible, Informed or Consulted with regard to this Procedure. The following definitions apply:
- Responsible: the person(s) responsible for developing and implementing the Procedure.
- Accountable: the person who has ultimate accountability and authority for the Procedure.
- Consulted: the person(s) or groups to be consulted prior to final Procedure implementation or amendment.
- Informed: the person(s) or groups to be informed after Procedure implementation or amendment.

Responsible: Director, Technology Services
Accountable: Associate Superintendent, System Services
Consulted: Technology Committee, Technology Advisory Group, FOIP Officer, Communications Officer, COLT
Informed: All CESD employees, all contractors, all temporary workers

8.0 Definitions
Certain terms are used throughout this Procedure; in order to avoid misinterpretation, several of the more commonly used terms are defined below.

Appropriate measures: In order to minimize risk, Chinook's Edge computer use by unauthorized personnel must be restricted so that, in the event of an attempt to access Chinook's Edge corporate information, the amount of information at risk is minimized.
Information System: Any electronic system that stores, processes, or transmits information.
Information Assets: Definable pieces of information in any form, recorded or stored on any media, that are recognized as valuable to the division.
Principle of Least Privilege: Access privileges for any user should be limited to only what is necessary to complete their assigned duties or functions, and nothing more.
Principle of Separation of Duties: Whenever practical, no one person should be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse, or other harm.

9.0 References