
Information Security Policy

Ref. No.: 64.01
Executive sponsor: Vice President, College Services and Strategy
Policy steward: Chief Information Officer
Approval authority: Executive Council
First approved: Feb. 19, 2019
Last reviewed: Sept. 20, 2022
Effective date: Feb. 19, 2019
Next review: Sept. 2027
  1. Purpose
    1. The purpose of this policy is to:
      1. Define authorities, responsibilities, and accountabilities for Information Resources and Information Systems security in compliance with ISO/IEC 27001:2013.
      2. Help ensure the College achieves its commitment to the protection of privacy and compliance with the Freedom of Information and Protection of Privacy Act, the Personal Information International Disclosure Protection Act and other relevant legislation.
    2. The NSCC Information Security Management Program (ISMP) supports the following objectives:
      1. To develop and implement an ISMP that is easy to understand and manage.
      2. Demonstrate management commitment to, and support for, information security.
      3. Establish directives and principles for action in regard to information security.
      4. Ensure alignment with legal and legislative / regulatory requirements.
      5. Ensure alignment of the ISMP with the College’s enterprise risk management program.
    3. Reasonable security arrangements for Information Resources and Information Systems are necessary.
  2. Scope
    1. This policy applies to:
      1. All NSCC Community members.
      2. All Information Resources and Information Systems in the custody or under the control of NSCC, regardless of physical location.
      3. All functions and activities performed by an employee of NSCC using College Information Resources and/or Information Systems.
    2. This policy must be implemented when receiving or sharing Information Resources with other Units, legal entities, or persons, including but not limited to educational, governmental, charitable and private sector organizations.
  3. Definitions
Term: Definition

NSCC Community: An NSCC Community member under this policy includes, but is not limited to, the following:
  1. Employee: any person who is employed by NSCC or provides services to NSCC under an employment contract.
  2. Student: anyone applying to or registered in NSCC programs or otherwise participating in NSCC courses, programs, events, and activities.
  3. Volunteer: any person performing work for NSCC in an unpaid capacity.
  4. Contractor: any individual or company (and its employees) who provides services to NSCC under a service contract (i.e., a non-employee/employer relationship).
  5. NSCC Community Member: any person working in collaboration with NSCC for a business or academic purpose, or an external community member, including all graduates and alumni of NSCC.
  6. NSCC Board of Governors: the governing body of the College.
Administrative Authority: Any individual with administrative responsibility for Units (e.g., Senior Leadership Forum (SLF) members).
Information Resources: Assets and infrastructure owned by, explicitly controlled by, or in the custody of the College, including but not limited to data, records, electronic services, network services, software, computers, and Information Systems.
Information Security Office: A unit within Digital Innovation & Technology that comprises College employees responsible for coordinating and managing the security of College Information Resources.
Information System: The people, processes, organization, technologies, equipment and facilities that collect, process, store, display, transmit, and disseminate information.
ISMP: The NSCC Information Security Management Program.
Least Privilege: Giving a User account only those privileges which are essential to perform its intended function.
Records: Documents created or received and retained in the day-to-day operations of business. This includes, but is not limited to, documents, maps, drawings, photographs, videos, letters, vouchers, papers and any other thing on which information is recorded or stored by graphic, electronic, mechanical or other means, but does not include a computer program or any other mechanism that produces records.
Security Incident: Any adverse event whereby some aspect of information security could be threatened, including but not limited to: loss of data or records confidentiality, disruption of data or system integrity, or disruption or denial of availability.
Unit: A group of Users, linked by a common interest or purpose, including but not limited to faculties, departments, divisions, schools and centres.
User: Any individual or Unit that uses or accesses College Information Resources.
  4. Policy
    1. College Commitment
      We are committed to:
      1. Ensuring the confidentiality, integrity, and availability of information (CIA).
      2. Creating a secure yet open computing environment in which the College Community can teach, learn, conduct research and perform administrative functions.
    2. Guiding Principles for the College’s ISMP
      1. Proactive: The College will take pre-emptive action to prevent Security Incidents before they happen.
      2. Monitor: The College will electronically monitor the network and connected Information Systems for potential security exposures and balance the monitoring with privacy requirements.
      3. Standards: The College will establish and continuously evaluate and improve information security procedures, standards and guidelines.
      4. Risk: Risk exposure will be balanced with the cost of risk mitigation when assessing security choices.
      5. Institutional Consistency: The Information Security Office will implement consistent institution-wide standards for electronic Information Resources.
      6. Audit: Internal Audit will provide independent guidance on the ethics and effectiveness of the security management process.
      7. Authentication: Security enforcement applies to authentication processes and authorized role access.
      8. Universality: Each College system User is responsible for understanding and applying (where applicable) the security policies and procedures.
      9. Best practices: The College will implement industry-accepted security best practices where appropriate.
      10. Defense-in-depth: The College will implement multiple levels of information security defense.
      11. Education: Awareness of system Users about security principles and the application of these principles are critical to the success of the security policy.
      12. Respond: The College will respond with corrective action to Security Incidents where appropriate.
      13. Least Privilege: The College will follow the concept of Least Privilege in the design and implementation of Information Systems.
    3. Roles and Responsibilities
      Each member of the College Community will make reasonable security arrangements and protect Information Resources for which the member is responsible.
      1. Management Commitment
        All levels of management will actively support and promote an information security culture and the security of Information Resources. This includes:
        1. Supporting periodic third-party and internal information security reviews to determine the effectiveness of information security policies, processes and procedures, and updating them as needed.
        2. Actively participating in the coordination of organization-wide information security efforts.
      2. Chief Information Officer
        1. Accountable for the confidentiality, integrity, and availability (CIA) of all Information Resources and Information Systems.
        2. Provides strategic direction for the Information Security Management Program (ISMP).
        3. Creates awareness across the College Community about members’ responsibilities within this policy.
        4. Identifies and defines the Information Resources for the College.
        5. Ensures that reasonable security arrangements are implemented across the College and establishes acceptable levels of security risk for the Information Resources.
      3. Manager, Digital Innovation & Technology (Security Portfolio)
        1. Ensures the processes and resources for monitoring, compliance, protection, detection and correction are in place and regularly reviewed.
        2. Reviews and approves or denies:
          1. Any changes to network access rules or protocols.
          2. Any external network access privileges.
        3. Will establish pre-determined protocols to approve or reject remote access requests.
        4. Manages College ISMP, including the creation and continuous improvement of policies and procedures.
        5. Collaborates with Director, Internal Audit and/or third party on audits of College ISMP.
        6. Provides management oversight to information security incident response and liaises with law enforcement as appropriate.
        7. As needed, proposes processes and methodologies for coordinating and tracking information security requirements.
      4. Senior Security Analyst
        1. Implements and monitors technical security controls.
        2. Monitors networks for access control violations or unauthorized changes.
        3. Leads information security incident response.
        4. Audits user access privileges.
        5. Will confirm that any external connection point is secure and meets all network security requirements.
      5. College Leaders, Managers & Supervisors (CLF)
        1. Will confirm that any employee, Contractor or Volunteer who is no longer associated with NSCC no longer has access to any Information Resources and/or Information Systems.
        2. Will immediately identify any significant threats or current and possible vulnerabilities and will take the appropriate action to correct the problem(s).
        3. Will confirm that information security controls are in place, are working and are executed to comply with the information security policy or policies related to the controls.
        4. Will promote security awareness.
      6. Employees
        1. Will actively participate in all security training and exercises deemed mandatory by College Executive Team.
        2. Will report any suspicious cyber-security-related activity (e.g., suspicious emails) to the Digital Innovation & Technology Department.
    4. Exceptions
      Exceptions to the requirements of this policy in extenuating circumstances can be granted only by the Vice President, College Services and Strategy, or the Chief Information Officer, and must be obtained in advance.
    5. Compliance
      1. The Information Security Office will investigate suspected violations of this policy; recommend or implement corrective action; suspend, disable, terminate, or remove access to or from Information Resources; or take other action in accordance with collective agreements, and College policies and procedures.
      2. Where suspected violations of this policy involve personal information, the Director, Internal Audit, in consultation with relevant College stakeholders where appropriate, will initiate an investigation and may recommend appropriate action.
  5. Policy Supports

64.02 Information Security Classification Procedure
64.03 Password Management Procedure
64.04 Access Control Procedure
64.05 Physical and Environmental Security Procedure
64.06 Physical Access to IT Infrastructure Procedure
64.07 Secure Disposal or Reuse of Equipment Procedure
