INFORMATION MANAGEMENT AND SECURITY POLICY

Transcription

1 INFORMATION MANAGEMENT AND SECURITY POLICY Technology Department 2016

2 Table of Contents 1. INTRODUCTION Preamble Objectives Scope LEGAL FRAMEWORK GUIDING PRINCIPLES Management and protection of information assets Reporting incidents Intellectual or legal property rights Protection of confidential information Continuity of the Organization's activities Training and awareness building Right of oversight ACCOUNTABILITY FOR THE POLICY Person responsible for administration, finance and human resources Person responsible for information security Person responsible for information technology FINAL PROVISIONS Measures in the event of non-compliance with the Policy Review and revision Effective date... 9 Information management and security policy 2

3 1. INTRODUCTION 1.1 Preamble Groupe Ultima Inc. ("Ultima") acknowledges that information is essential to its day-to-day operations, and correspondingly, that information must be evaluated, appropriately used and suitably protected. Ultima also acknowledges that it holds or has access to personal and sensitive information that can have legal, administrative or economic value. Consequently, Ultima is implementing this Information Management and Security Policy, which states the Organization's position on the security mechanisms considered essential to the protection of information resources (i.e., assets). Reliable and effective management and security rely on the ongoing involvement and support of all the employees and the individuals contractually linked to Ultima, who use Company information as part of their job. These employees and contractors are responsible for managing the information under their control and custody, and for complying with the standards and policies herein. 1.2 Objectives Given that Ultima receives, uses and transmits a significant amount of information as a result of the nature of its services, the implementation of an overall Information Management and Security Policy is considered necessary. The objective of this Policy is to establish a formal framework overseeing the use of computer equipment and information throughout Ultima's technological (computer and telecommunications) network, from work stations to servers. More specifically, the main objective of this Policy is to guarantee that the information under Ultima's control is managed and secured effectively and efficiently in order to avoid compromising its credibility and compliance. This Policy is also aimed at ensuring compliance with laws, regulations and other obligations as regards the use of information and information technology. The following are the Organization's more specific objectives with regard to information security: To ensure availability, integrity and confidentiality in the use of information assets and computer networks; To ensure respect for individual privacy, including the confidentiality of all identifying information relating to the Organization's clients and employees; To gather together the guidelines and the roles and responsibilities of security stakeholders. Information management and security policy 3

4 This Policy includes a series of guidelines, procedures, standards and practices, clarifying the terms and obligations arising out of the Policy, in order to implement an information management and security mechanism. 1.3 Scope This Policy applies to the following: Information assets Those belonging to and exploited by the Organization; Those belonging to the Organization but exploited or held by a service provider; Those belonging to third parties. Employees of the Organization: All employees of the Organization, be they regular or casual, and regardless of status, as well as any duly authorized person using the Organization's information assets. Consultants using and having access to Company property or having the Organization's property in their custody have the same obligations as the Organization's employees. Activities: All activities involving the handling or use of any kind of the Organization's information assets, whether they take place on the Organization's premises, in another location or remotely. 2. LEGAL FRAMEWORK The Organization is subject to and must ensure its compliance with the following laws. The following list is non-exhaustive: Canadian Charter of Rights and Freedoms (1982, c. 11) Charter of Human Rights and Freedoms (CQLR c. C-12) Civil Code of Québec (CQLR, 1991, c. 64) Criminal Code of Canada Canadian Copyright Act (RSC, 1985, c. C-42) An Act to Establish a Legal Framework for Information Technology (CQLR c. C-1.1) An Act Respecting the Distribution of Financial Products and Services (CQLR c. D-9.2) Trade-marks Act (RSC 1985, c. T-13) Personal Information Protection and Electronic Documents Act (SC 2000, c. 5) An Act Respecting the Protection of Personal Information in the Private Sector (CQLR c P-39.1) Information management and security policy 4

5 Archives Act (CQLR c. A-21.1) An Act Respecting Insurance (CQLR c. A-32) Insurance Companies Act (SC 1991, c. 47). 3. GUIDING PRINCIPLES 3.1 Management and protection of information assets The Organization's information assets are essential to its day-to-day operations and must be subject to appropriate use and protection. This overall Information Management and Security Policy is based on the following guiding principles: Management of information assets a. The information contained in the information assets is presumed confidential; b. Information assets are managed in such a way as to facilitate legal access to them, foster the trust of clients and partners, and optimize the use of information in accordance with the obligations imposed by laws and regulations; c. The gathering, use and communication of personal information must be restricted to the minimum amount necessary for the provision of services, in accordance with personal information protection laws and other laws in effect. Furthermore, the information created, acquired or stored to meet the Organization's needs must be relevant, reliable and complete; d. The gathering, use and communication of information, regardless of the type of information or the type of media on which it is stored, must be done in such a way as to protect its authenticity, integrity and clarity, for as long as necessary; e. Accountability structures must be implemented. Protection levels are assigned according to the sensitivity of the information assets and their exposure to the risk of accidents, errors and malicious use; f. Managers, and especially those designated to be owners/holders of information assets, have primary responsibility for the management of these assets, the use of those assets by employees and the application of necessary supervisory measures; g. The use of information assets is a privilege, not a right. This privilege can be withdrawn at any time. Any user not complying with the overall Information Management and Security Policy, including its guidelines, may have this privilege revoked. Information management and security policy 5

6 Protection of information assets h. Periodic assessments must be carried out on the risks and threats to, and the protective measures for, information assets, to remain assured that the deployed protection measures are in alignment with the risks and threats; i. Documents that are essential to the continuity of key services and operations must be protected; j. Information that is no longer required for operational purposes must be destroyed in a timely manner; k. Information security management must be included and applied throughout the life cycle of all information assets; l. No individual shall modify or destroy without authorization any data, software programs or packages, documentation, information systems, or computer or telecommunications equipment. 3.2 Reporting incidents All users are required to immediately report to the head of administration any irregularity, violation of this Policy, or act likely to represent an actual or alleged violation of security regulations such as theft, unauthorized network or system access, wilful damage, misuse, fraud or information disclosure. 3.3 Intellectual or legal property rights Users must comply with legal requirements regarding the use of products that could be subject to intellectual property rights and the use of proprietary software products. Making copies of software is authorized only for security purposes. 3.4 Protection of confidential information All electronic and non-electronic information considered confidential or sensitive must be protected against unauthorized and unlawful access and use. Information considered confidential, within the meaning of personal information protection laws, includes personal information, identifying information and any information whose disclosure could reduce the effectiveness of security measures designed to protect property or persons. 3.5 Continuity of the Organization's activities Information management and security policy 6

7 The Organization must have emergency measures in place, as outlined in its business and service continuity plan. These measures should be set down in writing, tested and updated regularly to ensure that the information assets deemed essential can be back in operation within a reasonable amount of time after a major disaster. 3.6 Training and awareness building All managers in the Organization must build the awareness of their staff on the issue of information asset security, on the consequences of a security breach and on the roles and obligations of all employees in the asset protection process. In order to minimize potential security risks, managers must also ensure that all staff is trained on security procedures and on the proper use of information assets. 3.7 Right of oversight The Organization has a right to oversee users' use of its information assets including the Internet, and telephony and systems. The circumstances under which this right of oversight may be exercised shall be defined and distributed to users in the guidelines resulting from the Policy. This right of oversight will be exercised in compliance with applicable laws including the Canadian Charter of Rights and Freedoms (1982) and Quebec's Charter of Human Rights and Freedoms (CQLR c. C-12). 4. ACCOUNTABILITY FOR THE POLICY Ultima's executive committee must approve this Policy, and ensure that it is implemented and that its application within corporate operations is monitored. It must also establish the Information Management and Security Committee to act as a coordination and consultation mechanism within the Organization. The Information Management and Security Committee nominates the person responsible for applying the overall Policy and the person responsible for information security. It also makes recommendations to the executive committee about overall directions and guidelines. 4.1 Person responsible for administration, finance and human resources Application of the overall Information Management and Security Policy comes under the jurisdiction of the Vice-President of Administration, Finance and Human Resources, who must ensure that all the Organization's managers and employees share the same values and overall directions in the area of security. To these ends, the Vice-President of Administration, Finance and Human Resources oversees the application of the Policy within the Organization, provides the financial and logistical support needed for the implementation and application of this Policy, submits to Information management and security policy 7

8 the board of directors a summary report on the application of the Policy, exercises his or her power of investigation and, when necessary, applies the sanctions set out in this Policy. 4.2 Person responsible for information security The execution of all measures related to information security comes under the jurisdiction of the Vice-President of Technology, who acts as the designated person responsible for coordinating information security for the Organization. To these ends, the Vice-President of Technology has the following responsibilities: To propose information security guidelines and communicate them to the Organization's employees, clients and partners; To develop information security policies and to monitor and periodically update them; To ensure compliance with the information security policy; To enquire about security requirements from information holders and managers, propose solutions and coordinate the implementation of these solutions; To provide security support and advice to the holders of information assets; To propose the standards, guidelines and procedures arising from the implementation of this Policy; To manage all aspects relating to the escalation of security incidents and to assess the security situation. 4.3 Person responsible for information technology The application of requirements relating to the security of information assets falls under the jurisdiction of the Vice-President of Technology. The person responsible for information technology implements the security requirements for the Organization's information assets, and has the following main responsibilities: To ensure the security of information assets; To ensure the availability, integrity and confidentiality of information assets, as per the requirements defined by the holders of those assets; To ensure that access by employees working in information technology is restricted to the information vital to the performance of their duties; To supervise the application of the guidelines, practices and standards. 5. FINAL PROVISIONS 5.1 Measures in the event of non-compliance with the Policy Information management and security policy 8

9 Any violation of or non-compliance with this overall Information Management and Security Policy may result in administrative and/or disciplinary measures, such as a notice, reprimand, suspension or even immediate dismissal, depending on the circumstances and in proportion to the behaviour in question. The responsibility for deciding on the appropriate measures in the event of a violation of or non-compliance with this Policy falls under the jurisdiction of those responsible for corporate functions, in conjunction with those responsible for the administration. The executive committee may also transmit to the competent authorities any information leading it to believe that a violation of any applicable law or regulation has occurred. 5.2 Review and revision This Policy shall be subject to periodic reviews by the Information Management and Security Committee, and may be modified as needed to bring it in line with the relevant legal and/or regulatory provisions or to reflect new practices or means of operation of the Company. Employees shall be advised promptly of any modifications. 5.3 Effective date This overall Information Management and Security Policy came into effect on January 15, Information management and security policy 9