Policy on the Security of Informational Assets

Transcription

1 Policy on the Security of Informational Assets Policy on the Security of Informational Assets 1

2 1. Context Canam Group Inc. recognizes that it depends on a certain number of strategic information resources in order to pursue its activities and its mission. It also recognizes that information in all its forms is essential to accomplishing its current operations and, consequently, that all information must be used appropriately and protected adequately in accordance with existing legislation, such as Bill C-198, and best security practices. 2. Objectives The Policy on the Security of Informational Assets expresses Canam Group Inc.'s position with respect to the security measures it deems critical to the protection of its informational assets. This policy aims to define the rules governing the protection of these informational assets, to ensure the pursuit of the company's activities in accordance with its legal and administrative obligations and to ensure the security of the numerical data and the personal or sensitive information it gathers, owns, maintains, uses or exchanges electronically. This policy also identifies and defines the responsibilities of those in charge of its implementation and those who use the informational assets of Canam Group Inc. 3. Definition Informational assets: The informational assets of Canam Group Inc. include the documents produced or received within the scope of the company's operations, regardless of the transmission means used (paper, electronic, verbal or other), computer hardware, computer applications and documents required for their smooth operation, software and software packages, data processing and electronically processed data. 4. Scope 4.1 Assets targeted This policy applies both to information and informational assets: owned or maintained by Canam Group Inc.; owned by Canam Group Inc. and used or maintained by a service provider or third party; owned by a service provider or third party and used by either of them for the benefit of Canam Group Inc. Policy on the Security of Informational Assets 2

3 4.2 People targeted This policy is aimed at: all employees of Canam Group Inc., regardless of their status (regular, occasional, trainee, contractual or management); any person required to use these informational assets in the course of performing work or rendering services on behalf of a partner or supplier on the premises of Canam Group Inc. or other premises. Each employee must read this policy and confirm by electronic means that he/she has received a copy of the policy, has read it, understands it and undertakes to comply with it. For further information on this policy, please contact the Informational Asset Security Officer at Canam Group Inc. 5. Use of information systems 5.1 Property Any computer hardware, software or services purchased, leased or developed by the company remains the property of the company. Any program developed or any information used or produced in any form whatsoever by means of the company's information systems becomes the exclusive property of the company. 5.2 Security Access to the company's computerized services requires a User ID and one or more passwords. The employee is forbidden to allow anyone whatsoever to gain access to these services by using his/her personal ID. The employee assumes full responsibility for any action related to his/her account. Employees authorized to access Canam Group Inc. s systems via the Internet are given an "authentication key" (CryptoCard), which is used to generate onetime passwords. This key is the property of the company and should under no circumstances be loaned. Policy on the Security of Informational Assets 3

4 5.3 Information network Access-control mechanisms, such as firewalls, prevent and detect unauthorized access to the network Security measures designed to protect both the network and access to the Internet ensure the continuity of operations Security measures designed to protect data circulating on the network and on the Internet (e.g., encryption) are put in place to prevent any unauthorized person from intercepting sensitive data. 5.4 Internet use The Internet must be used strictly for business purposes and only during regular working hours. Employees are granted the privilege of using the Internet for personal purposes during breaks and meal periods, but should be aware that such use is restricted as to content. Acceptable content excludes any pornographic, discriminatory or offensive site or information. Accordingly, the company has a control system in place to limit access to certain categories of sites and to allow a detailed follow-up of Internet use. Downloading material from the Internet is strictly forbidden, unless it is clearly within the scope of the employee's duties. 5.5 Workstation The above content restrictions also apply to all files kept on a workstation as well as all "screensavers" and "backgrounds" used. 6. Electronic mail ( ) 6.1 Property Any sent or received via a company computer is the property of the company and may be subject to scrutiny. service is provided as a means of improving employee communications and productivity and must be used for business purposes only. From a practical point of view, the company permits use for personal purposes, but such use remains subject to scrutiny by the company and must be consistent with the company's policy, its current ethical and moral standards and the legislation applicable to the region in which the company operates. Audits will only be conducted by personnel authorized by the company and when circumstances warrant it. Employees recognize that they have no assurance of confidentiality in their communications by . Policy on the Security of Informational Assets 4

5 6.2 Postings The company provides each of its business locations with an electronic bulletin board, accessible via the intranet, to allow employees to post messages of general interest, such as offers to sell or purchase, and other material unrelated to the company s business. 6.3 Confidentiality s should not be viewed as totally confidential given that they are transmitted electronically. Employees should be aware of this when transmitting information of a confidential or proprietary nature. The company will take the necessary measures to protect electronically transmitted messages by preventing their unauthorized interception or modification; however, it is impossible to assure employees of the absolute reliability or confidentiality of electronic messaging. 6.4 Prohibited uses The company's electronic messaging services must not be used in an improper or abusive manner. Accordingly, it is forbidden to: distribute copyrighted material without being duly authorized to do so; send rude, inappropriate or offensive messages, such as racial, sexual or religious slurs; send and/or accept software or software components including attachments that may contain offensive jokes, explicit pictures or files with the suffix.mov,.avi,.exe or.com (types of attachments which are often used to transmit "viruses" to workstations); accept and forward "chain letters" by ; use for solicitation purposes on behalf of external firms or in connection with personal events, charitable organizations, membership in an organization, political or religious causes or for any other purpose unrelated to the company's business. 7. Software management Software represents a major investment for the company. Software refers not only to products purchased from third parties, but also to those developed in-house as well as to related documentation. All software must be safeguarded in such a way as to protect them against unlawful duplication or fraudulent use. Policy on the Security of Informational Assets 5

6 7.1 Licences The company and its employees will comply with the terms and conditions of software license agreements and copyright provisions associated with registered software, software that has been developed in-house and shareware, whether in the public domain or belonging to third parties. The company has adequate control mechanisms in place to ensure that: the company is complying with the license agreements that come with all approved software installed on computers owned or leased by the company; all software and related documentation are protected against unlawful duplication and fraudulent use; software is copied solely for disaster recovery purposes and/or in accordance with the terms and conditions of applicable license agreements. 7.2 Installation All software must be installed by EDP Operations (Electronic Data Processing) personnel to ensure that all workstations have the same configuration. Any unauthorized software will be removed. 7.3 Audits Software suppliers have the right to conduct audits at the company's facilities to ensure that it is complying with the terms and conditions of their license agreements. To ensure such compliance, the company reserves the right to inspect any and all hard drives on a regular basis to make sure that it does indeed hold the license required for every copy of software installed on a hard drive. 8. Continuity of data processing activities The company has written, tested and updated disaster emergency measures in place to ensure the recovery of its critical information systems (within a reasonable timeframe) in the event of a major disaster (e.g., fire, hacking, extended power outage, flooding or maliciousness). 9. Security awareness and training Every manager must raise his/her staff's awareness of the need to protect informational assets, the consequences of a security breach, and the roles and responsibilities of all employees in his/her department or administrative unit with respect to the protection of these assets. Policy on the Security of Informational Assets 6

7 Managers must also make sure that the members of their staff are trained to use informational assets properly and to take all the necessary security precautions to safeguard them in order to minimize the risks of a security breach. 10. Physical security in the workplace Measures to control access to the workplace and the informational assets found there are in place, implemented and kept up-to-date. All computer hardware owned or leased by Canam Group Inc. is identified and classified, and an inventory of all hardware is kept up-to-date. 11. Reporting of incidents Every user has an obligation to immediately report to the person assigned to the security of informational assets any act that may represent an actual or alleged security breach (e.g., theft, intrusion into a network or system, deliberate damage, abusive or fraudulent use). 12. Partners and suppliers Contracts and agreements signed with any Canam Group Inc. partner or supplier must include recognized provisions guaranteeing their compliance with the company s information security requirements. 13. Right of inspection Canam Group Inc. has a right of inspection with respect to the utilization of informational assets by users. This right of inspection will be exercised in accordance with the Canadian Charter of Rights and Freedoms (R.S.C., 1985, c. 42) and the Quebec Charter of Rights and Freedoms (R.S.Q., c. 12). 14. Roles and responsibilities 14.1 President and Chief Operating Officer The President and Chief Operating Officer is the person ultimately responsible for the security of informational assets at Canam Group Inc. In this capacity, he approves the Policy on the Security of Informational Assets and defines related values and policy directions, and ensures that the policy, values and policy directions are communicated to company personnel. He oversees the implementation of the Policy on the Security of Informational Assets and the normative framework derived from it. Policy on the Security of Informational Assets 7

8 He assigns specific, clearly defined responsibilities to the people responsible for the security of Canam Group Inc. s informational assets. He sets up an informational asset security committee and appoints an informational asset security officer to represent him on this issue within Canam Group Inc. and to carry out all of the above measures Informational Asset Security Committee The mandate of the Informational Asset Security Committee is primarily to "approve and recommend for approval by the President and Chief Operating Officer the priorities, policy directions, management framework, policies, guidelines and other strategic matters pertaining to the security of the company's informational assets", after ensuring that they are consistent with the relevant laws, policy directions, policies, guidelines and other recommendations made by senior management. Role and responsibilities of the Informational Asset Security Committee To fulfill its mandate, the Committee must: see annually to the development, implementation, approval and follow-up of a master plan and departmental action plans on the security of informational assets; authorize projects related to the security of informational assets, based on approved budgets; assign activities related to the security of informational assets to working groups or to certain members of personnel; inform the President and Chief Operating Officer when unforeseen circumstances related to the security of informational assets arise. Canam Group Inc. s Informational Asset Security Committee is composed of the following members: the Vice President of Information Technologies; the Systems Development Manager; the EDP Operations Manager; the Informational Asset Security Officer Informational Asset Security Officer As the appointed representative of the President and Chief Operating Officer on informational asset security matters, the Informational Asset Security Officer manages and coordinates the security of Canam Group Inc. s informational assets. Policy on the Security of Informational Assets 8

9 In this role, he: advises senior management on potential security risks and on disaster mitigation strategies; recommends to senior management strategic policy directions and intervention priorities pertaining to the security of informational assets; coordinates all security-related actions approved by the various process and informational asset owners; plans and coordinates all the activities necessary for ongoing IT services in the event of a disaster; develops, recommends for approval, implements, manages and evaluates the master plan on the security of informational assets; is responsible for developing and implementing security awareness and training programs, IT security policies, standards and procedures, as well as the authority record; serves as secretary for the Informational Asset Security Committee; coordinates and follows up on all activities resulting from the master plan and action plans on the security of informational assets Systems Development team The Systems Development team ensures that Canam Group Inc. s security requirements are implemented throughout the life cycle of numerical data. It puts in place and implements secure Systems Development practices to ensure that the security functions (availability, integrity, confidentiality, authentication and irrevocability) are applied in accordance with the requirements and access rights defined by the various process and informational asset owners. It provides these latter with the support and advice they need to protect their informational assets, limits the access to information of the IT staff under its authority to information they require to be able to perform their duties, and approves and implements procedures, practices and standards on the security of informational assets. Policy on the Security of Informational Assets 9

10 14.5 Managers With respect to the protection of informational assets, managers must primarily: inform their employees and raise their awareness of the provisions of this policy and the terms and conditions of its implementation; ensure that informational assets are used in accordance with the general principles and other requirements of this policy; be able to justify the use made of informational assets by their employees Users Informational asset users must: be fully aware of, understand and comply with the Policy on the Security of Informational Assets; use informational assets for the purposes for which they are intended and access them only with the User ID and password(s) assigned specifically to them; comply with established guidelines and procedures and with the provisions of this policy. 15. Final provisions 15.1 Sanctions When an informational asset user contravenes this policy or the in-house guidelines derived from this policy, the VP Human Resources will determine, based on the nature and seriousness of the case, whether to apply a disciplinary or administrative sanction, such as a reprimand, suspension, termination, or even the revocation of the right to use any informational assets whatsoever. The VP Human Resources is at liberty to transfer to a judicial authority any information he/she has in connection with a case of this nature which would indicate that an existing law or regulation has been breached Review This policy must be reviewed on a regular basis and no later than three years after it takes effect and whenever changes occur that may affect its content in order to ensure that it fully satisfies the security requirements of Canam Group Inc. Policy on the Security of Informational Assets 10

11 15.3 Implementation and follow-up of the policy The Informational Asset Security Officer is responsible for the implementation of this policy Effective date of the policy This policy takes effect on the date of its approval by the President and Chief Operating Officer Approval The Policy on the Security of Informational Assets is approved by the President and Chief Operating Officer. APPROVED BY: DATE: Policy on the Security of Informational Assets 11