CLERK-004 - Information Security Policy_2012
INFORMATION SECURITY POLICY FOR THE CITY OF SAINT JOHN
Title: Information Security Policy
Subject: Information Security Policy
Category: Policy
Policy No.: COS-CC-010
M&C Report No.: N/A
Effective Date: August 27th, 2012
Next Review Date: (3 years)
Area(s) this policy applies to: All City Service Areas
Office Responsible for review of this Policy:
The Office of the Common Clerk
Related Instruments: COS-CC-001, 002, 003, 007, 010, 014
Policy Sponsors: Common Clerk
Revision History: revised April 2, 2019
Document Pages: This document consists of 6 pages.
Common Clerk's Annotation for Official Record
I certify that the Information Security Policy was approved by Common Council on August 27th, 2012.
Common Clerk
Date: April 2nd, 2019
Contact: Common Clerk
Telephone: 658-2862
Email: commonclerk@saintjohn.ca
TABLE OF CONTENTS
1. PURPOSE
2. POLICY STATEMENT
3. SCOPE
4. POLICY CONTEXT
5. LEGISLATION AND STANDARDS
6. ROLES AND RESPONSIBILITIES
7. COMPLIANCE
8. MONITOR AND REVIEW
9. IMPLEMENTATION
10. AUTHORIZATION
11. GLOSSARY
12. INQUIRIES
1. PURPOSE
The purpose of the Information Security Policy (the "Policy") for the City of Saint John (the "City") is to
assist in protecting its information assets against internal, external, deliberate or accidental threats,
including natural disasters. Towards this end, the City will strive continuously to be in compliance with
identified standards, best practices and legislation, including the Right to Information and Protection of
Privacy Act (RTIPPA). This Policy will demonstrate that information security is a priority for the City.
2. POLICY STATEMENT
The Policy will ensure the protection of records and information against any unauthorized access. This
includes electronic and physical records and information. The confidentiality of information will be
assured and the integrity and availability of the information maintained.
In support of the aforementioned:
• Business continuity plans, including a business continuity plan for essential/vital records, will be
developed, tested, documented and maintained;
• Computer system backups will be made for security of information and emergency system
recovery purposes and not for the purpose of long-term storage of information, nor as a method
to satisfy the conditions of a records retention schedule;
• Procedures to support the Policy will be maintained for areas including but not limited to access,
authorization, authentication, updates, virus and malware controls;
• Information security education and awareness training for both electronic and physical records
and information shall be available for all employees; and,
• New employees must sign confidentiality/non-disclosure agreements.
All suspected electronic information security breaches will be promptly reported to the Chief
Information Officer (CIO). All breaches involving personal information (privacy breaches) or breaches
involving physical information security will be promptly reported to the Common Clerk. Incident logs will
be maintained by the Common Clerk and CIO in accordance with legislative requirements and best
practices.
3. SCOPE
This Policy applies to all City employees.
4. POLICY CONTEXT
The Chief Information Officer:
• responsible for overseeing Information Technology Systems, including: the maintenance,
installation, security and support of all information technology tools used to manage
information assets.
The Common Clerk:
• responsible for ensuring business and vital records and information are managed in accordance
with legislative requirements.
5. LEGISLATION AND STANDARDS
The City acknowledges the following laws that relate to records and information management:
• Charter of The City of Saint John, 1785 (U.K.) Geo. III as amended
• Archives Act, S.N.B. 1977, c.A-11.1 as amended
• Community Planning Act, S.N.B. 2017, c.19 as amended
• Electronic Transactions Act, S.N.B. 2011, c.145 as amended
• Evidence Act, R.S.N.B. 1973, c.E-11 as amended
• Local Governance Act, S.N.B. 2017, c. 18 as amended
• Official Languages Act, S.N.B. 2002, c.O-0.5 as amended
• Personal Information Protection and Electronic Documents Act, R.S.C. 2000, c.5 as amended
• Public Records Act, S.N.B. 2011, c.212 as amended
• Right to Information and Protection of Privacy Act, S.N.B. 2009, c.R-10.6 as amended.
The City acknowledges the following standards, guidelines and best practices that relate to information
security:
• ISO 27001:2005 Information technology — Security techniques — Information security
management systems — Requirements.
• ISO 27002:2005 Information technology — Security techniques — Code of practice for information
security management.
6. ROLES AND RESPONSIBILITIES
The City Manager:
• accountable for holding employees responsible for complying with City policy.
The Common Clerk:
• accountable for the Policy and delegates the day-to-day administration and implementation to
appropriate staff;
• responsible for advising the City on the appropriate privacy safeguards that need to be
implemented; providing training and awareness sessions; and monitoring and compliance with
respect to the handling of personal and confidential information.
The Chief Information Officer:
• responsible for securely maintaining the City's electronic information repositories, according to
the City's Information Security Policy and procedures, such that the integrity and authenticity of
the City's information is assured.
• responsible for monitoring and compliance; assessing security risks; investigating security
incidents; and providing training and awareness sessions for electronic systems.
Service Area Managers:
• responsible for ensuring employees comply with the Policy, procedures and applicable
legislation.
Program Area Commissioners:
• provide management support and leadership.
City employees:
• responsible for ensuring the security of all information within their realm of responsibility as
defined by City policies, procedures and applicable legislation.
7. COMPLIANCE
Non-compliance with the Policy, regardless of size or scope, may carry significant consequences for the
City. Violations may constitute theft, fraud, destruction or alteration of corporate information; privacy
breach; unauthorized disclosure of information assets; and/or loss of intellectual property. Violations of
the Policy may cause employee disciplinary action, up to and including dismissal.
8. MONITOR AND REVIEW
The Policy is subject to review as required. The review will be conducted by a committee established by
the Office of the Common Clerk. The committee may be comprised of a cross-functional internal
membership or an independent third party.
9. IMPLEMENTATION
The Policy will be implemented upon approval by Common Council.
10. AUTHORIZATION
This Policy was approved by Common Council on August 27th, 2012.
11. GLOSSARY
Disposition
The range of processes associated with implementing records retention, destruction or transfer
decisions which are documented in authorities or other instruments.
Employee
An employee is an individual or corporation hired by the City to perform work under either a contract
for services or a contract of service.
Information
Data presented in readily comprehensible form to which meaning has been attributed within the
context of its use. Unless the context otherwise requires, this means information contained in a record.
Information Security
The protection of information and information systems from a wide range of risks including
unauthorized access, use, disclosure, disruption, modification or destruction in order to provide
authenticity, integrity, confidentiality and availability.
Personal Information
Recorded information about an identifiable individual, including but not limited to, (a) the individual's
name, (b) the individual's home address or electronic mail address or home telephone or facsimile
number, (c) information about the individual's age, gender, sexual orientation, marital status or family
status, (d) information about the individual's ancestry, race, colour, nationality or national or ethnic
origin, (e) information about the individual's religion or creed or religious belief, association or activity,
(f) personal health information about the individual, (g) the individual's blood type, fingerprints or other
hereditary characteristics, (h) information about the individual's political belief, association or activity,
(i) information about the individual's education, employment or occupation or educational,
employment or occupational history, (j) information about the individual's source of income or
financial circumstances, activities or history, (k) information about the individual's criminal history,
including regulatory offences, (l) the individual's own personal views or opinions, except if they are
about another person, (m) the views or opinions expressed about the individual by another person, and
(n) an identifying number, symbol or other particular assigned to the individual.
Privacy Breach
An unauthorized access, collection, use, or disclosure of personal information.
Record
Recorded information, regardless of medium or characteristics, made or received by an organization
that is evidence of its operations, and has value requiring its retention for a specific period of time.
Records Retention and Disposition Schedule
A schedule that authorizes the City to dispose of (transfer or destroy) records it no longer requires. This
schedule identifies the period of time that personal information in the custody of the City is to be
retained.
12. INQUIRIES
For more information on this Policy, please contact the Common Clerk.