Subject/Title: Information Security
Reference Number: 1438
Effective Date: 2000/08/01
Approving Authority: Executive Management
Date Revised: 2006/11/01
Classification: Information Security and Privacy
Last Review: 2006/11/01
Next Review: 2008/11/01

Note: The Calgary Health Region is committed to ensuring the accuracy and consistency of the policies on its Regional Policy Website. As policies are reviewed and updated periodically, the information contained in this document is accurate only on the date that it is viewed/printed (2010/09/02). Before relying on the information after this date, please check the Regional Policy Website for any changes to the policy.

If you have any questions regarding this notice or the information presented in this policy, please contact Regional Policy Services using the Feedback link below.
Feedback


Reason For Policy
• To protect the confidentiality and Integrity of Information in the custody or control of the Calgary Health Region (the “Region”).
• To clarify roles and responsibilities for maintaining the Security of Information and for the management of Information Security Incidents.
• To comply with the Freedom of Information and Protection of Privacy Act (FOIPP), the Health Information Act (HIA), and mandated controls as defined by Alberta Health and Wellness.

Policy Statement
The Region shall develop, implement and maintain appropriate standards, processes, and procedures to ensure the Security and confidentiality of personal, health, and business Information in its care and custody, in compliance with applicable legislation and mandated controls as defined by Alberta Health and Wellness.

Applicability
This policy applies to all staff (including employees, independent contractors, medical, dental, podiatry, and midwifery staff, and other health professionals), students, volunteers, and other persons acting on behalf of the Region.

Process
1.   SECURITY OF CALGARY HEALTH REGION INFORMATION
The Region’s Information at all Region and non-Region (e.g., contracted) facilities shall be held and stored in an organized, safe and secure manner. Access to Information shall be granted only as necessary for a permissible purpose based on Security and business requirements. The Region may audit and assess policies, processes, standards, and Information Technology (IT) Resources employed in the use and storage of Information.
1.1. INFORMATION CLASSIFICATION
Information generated or maintained by the Region shall be classified at the time that it is first generated by its owner. The owner shall ensure that Information (including records, schedules, personal Information bank directories, or other relevant inventories of Region records) complies with Appendix “A”. In each administrative or clinical area, the appropriate Executive/Medical Director (or designate) is responsible for ensuring that Information in his/her custody or control is classified and secured in accordance with Appendix “A.” Such Information shall be available to authorized Users only.

1.2. INFORMATION ASSET INVENTORY
Information is identified, marked, secured, and classified based on its degree of sensitivity and risk of Compromise. Information shall be categorized, retained, and stored at the time it is created or received in accordance with the Region’s statutory and business requirements in order to protect against loss, destruction, and falsification. The Manager/Director (or designate) of each administrative or clinical area shall ensure an inventory of all Information is maintained in accordance with the Records Retention Guide. Inventories shall include location, ownership, classification, and a Security level in accordance with Appendix “A” and shall be reviewed and updated annually.

1.3. PRIVACY IMPACT ASSESSMENTS
Under the direction of the Information and Privacy (I&P) Office, a Privacy Impact Assessment (PIA) shall be completed for all new administrative practices or Information System projects that meet one or more of the following criteria:
• the collection, use, or Disclosure of Information in new Information repositories;
• the expanded collection, use, or Disclosure of Information within existing Information repositories;
• data matching among or between existing personal Information repositories and those outside the Region to create identifying Information; or
• the development of policies, procedures, or other changes that may significantly increase Security risks for Information in the care and custody of the Region.
Prior to the implementation of the new practice or project, a request shall be submitted to the I&P Office to determine whether a PIA is required. If required, the project shall not be implemented until the PIA is completed and submitted to the Office of the Information and Privacy Commissioner (OIPC). Staff shall cooperate with the I&P Office for the timely completion of PIAs. Any changes to a project that has received prior PIA acceptance from the OIPC shall be reported immediately to the I&P Office.

1.4. INFORMATION TRANSMISSION AND TRANSPORT
1.4.1. Electronic transmission (including fax and e-mail) of high- and extreme-sensitive Information (see Appendix “A”) shall occur only to provide timely access for authorized Users. The transmission shall be reasonably and directly connected to the purpose for which the Information was originally collected and conducted in accordance with the Transmission of Information by Facsimile or Electronic Mail policy (#1420) and Appendix “A”.
1.4.2. Physical transportation of all high- and extreme-sensitive Information shall be in secured packaging or lockable chart transport bags in accordance with Appendix “A.”

1.5. DOCUMENT TRACKING
Each Department shall maintain a tracking log to record the temporary or permanent removal or internal or external transfer of all sensitive, high-sensitive, and extreme-sensitive Region Information, including copies (see Appendix “A”). The tracking log shall indicate the:
• nature of the material and purpose of removal or transfer;
• name of the person removing or transferring document(s);
• date of removal or transfer;
• destination; and
• anticipated return date (if applicable).

1.6. DOCUMENT RETENTION AND DISPOSAL
All documents containing sensitive, high- or extreme-sensitive Information (see Appendix “A”) shall be stored and disposed of in a safe and secure manner by the information owner (or designate). Information retention and disposal shall be in accordance with Appendix “A” and the Records Retention Guide. Disposal of high- or extreme-sensitive Information shall be logged to maintain an audit trail.

1.7. ENCRYPTION
Cryptographic controls shall be developed (where appropriate) by Advanced Technology based on a Risk Assessment to ensure the confidentiality, authenticity, and Integrity of the Information. The IT Security Office shall ensure that the design and implementation of cryptographic controls comply with applicable legislation and Collective Agreements.

1.8. SYSTEM DOCUMENTATION
Information System documentation shall be stored in a secured physical location, and shall not be stored electronically on a public network.

1.9. ELECTRONIC COMMERCE
Controls shall be applied to protect electronic data interchange, e-mail, and online transactions across public networks from fraudulent activity threats, contract disputes, and Disclosure or modification of Information. Security considerations shall include:
• Authentication
• Authorization
• Contract and tendering processes
• Pricing Information
• Order transactions
• Settlement
• Ordering
• Liability
• Vetting

2.   STAFF RESPONSIBILITY FOR INFORMATION SECURITY
All Users shall ensure that their use of Information and Information Systems is in accordance with applicable legislation and Regional policies. A User’s performance during the course of employment, contract, agreement, or appointment may be monitored to reduce risks of human error, fraud, or Information misuse. All Information and IT Resources shall be returned to the Region upon termination of employment, contract, agreement, or appointment.

2.1. SCREENING AND VERIFICATION
Expectations for compliance with Information Security policies shall be part of the recruitment process, and be included in job descriptions and contracts as appropriate. Information Security requirements shall be incorporated into the conditions of employment, contract, agreement or appointment. Verification checks on all employment, appointment, and re-appointment applications shall be conducted prior to the commencement of employment or appointment. Verification checks shall include, but are not limited to:
• a minimum of two (2) character references;
• confirmation of academic and professional qualifications (if applicable);
• a criminal background check for all new staff; and
• a credit check (if applicable).

2.2. CONFIDENTIALITY AGREEMENTS
All staff shall sign a Confidentiality Agreement upon commencement of their employment, contract, agreement, or appointment with the Region, acknowledging their understanding and agreement to comply with the Information Security and Privacy policies and applicable legislation. Staff shall continue to maintain confidentiality after termination of employment, contract, agreement or appointment with the Region.

2.3. INFORMATION SECURITY EDUCATION AND AWARENESS TRAINING
Each Department’s Manager/Director (or designate) shall ensure staff are aware of and appropriately trained on the processes for safeguarding Information (including all Security updates). The IT Security Office shall manage the Region’s Information Security Education and Awareness Training program (e.g., at staff orientations, through video or web-based training, or upon request). This program includes, but is not limited to:

• HIA/FOIPP
• Mandated Alberta Health and Wellness requirements
• Applicable Regional policies
• Information classification
• Physical Security
• Information Security Incident Reporting
• Disciplinary measures for Information Security Incidents or violation of the Region’s Security policies and processes

2.4. USER RESPONSIBILITY FOR ACCESS TO INFORMATION SYSTEMS
Users are responsible for all activities conducted under their User-Id and are responsible for following the User password management procedures identified in the IT Security Standards and the IT Acceptable Use policy (#1410).

3.   INFORMATION SECURITY INCIDENTS
3.1. ASSESSMENT OF INFORMATION SECURITY INCIDENTS
Users shall be trained on how to report Information Security Incidents as part of the Information Security Education and Awareness Training Program. Users shall immediately assess an Information Security Incident for impact and risk, and report the Incident to the Manager/Director (or designate). Information Security Incidents involving IT Resources or physical access/Security shall be reported to the IT Security Office (see Appendix “B”). All other Information Security Incidents shall be reported to the I&P Office (see Appendix “C”).

3.2. INFORMATION SECURITY INCIDENT RESPONSE
3.2.1. The responsible Manager/Director (or designate) shall take all reasonable steps to stop the Information Security Incident immediately. The IT Security Office or the I&P Office shall directly assist in stopping the Incident or advise the Manager/Director (or designate) on an appropriate course of action. In situations where an Incident may result in violence or threatens the physical safety of any individual, the Manager/Director (or designate) shall contact:
• Protection Services or the individual or Department responsible for a facility’s Security (Facility Designate); or
• the police, as necessary.

3.2.2. Upon receiving a report of an Information Security Incident, the IT Security Office or the I&P Office shall assign a severity level to the Incident and provide a summary report to the responsible Manager/Director (or designate). Further action is based on processes as described in Appendices “B” and “C”. All disciplinary actions shall be in accordance with legal and Regional requirements, including union or contractual obligations, and are carried out through established human resources processes.
3.2.3. Upon resolution of an Information Security Incident, notification is sent to the individual or Department that reported the Incident. Depending on the severity of the Incident, management of applicable Departments may also be notified. The IT Security Office or the I&P Office shall create and retain a record of all relevant details of the Incident, and produce a final review and summary document. This document shall be used to identify areas for security enhancement.
3.2.4. In the event of an Information Security Incident, the IT Security Office or the I&P Office shall maintain appropriate contacts with law enforcement authorities, regulatory bodies, IT service providers, and telecommunications providers to ensure that appropriate action is taken and advice obtained.

4.   INFORMATION SECURITY INSPECTIONS AND INVESTIGATIONS
4.1. INSPECTIONS
The IT Security Office or the I&P Office shall make periodic or random inspections of sites, procedures, standards, and IT Resources employed in the use, transmission, processing, or storage of Region Information at both Region and non-Region sites. Inspections shall be performed to ensure compliance with Information Security and Privacy policies and the IT Security Standards.

4.2. INVESTIGATIONS
Information Security Incident investigations are carried out (when necessary) in response to specific events. The findings of investigations may form the basis for remedial action and for reporting to appropriate authorities.

4.3. EVIDENCE COLLECTION
The IT Security Office or the I&P Office shall ensure evidence is collected after any Information Security Incident involving potential legal action. Where appropriate, Legal Services shall be contacted for guidance prior to the collection of evidence. Collection, retention and presentation of evidence shall conform to legislated rules of evidence. To achieve admissibility of evidence, Information Systems shall comply with published standards or codes of practice for evidence production. To achieve quality and completeness, evidence shall be subject to a strong evidence trail. 

5.   INFORMATION SYSTEMS MANAGEMENT
Advanced Technology shall ensure that a separation of duties exists between the groups responsible for the development, operation, administration, and review of Region Information Systems. All Information System development and maintenance shall be performed in accordance with the IT Resource Security policy (#1487). The IT Security Office shall perform Risk Assessments on highly susceptible systems to ensure Information Security.

6.   PHYSICAL AND ENVIRONMENTAL SECURITY
6.1. The IT Security Office shall establish written responsibilities and procedures for the management and operations of all information processing and storage facilities.

6.2. Information Processing and storage facilities shall be located in secure areas, protected by a defined Security perimeter with appropriate barriers and entry controls to protect against unauthorized access, damage, and interference.

6.3. Facilities shall incorporate appropriate physical Security features to support Information Security and Privacy policies. The IT Security Office and Protection Services, or the Facility Designate where appropriate, shall be included in the design phase of any new facility and shall provide advice and recommendations for necessary Security features.

6.4. CLEAR DESK AND CLEAR SCREEN
6.4.1. All papers, diskettes, and other media containing high- or extreme-sensitive Information shall be stored securely after working hours, or while otherwise not in use. Sensitive, high-sensitive and extreme-sensitive Information shall be cleared from computer printers, photocopiers, scanners, and fax machines as soon as reasonably possible.
6.4.2. Desks or workstations shall be cleared of any sensitive, high-sensitive, or extreme-sensitive Information when such Information is not in use. Such Information shall be secured to prevent any unauthorized disclosure.
6.4.3. Computers shall be configured with screensavers that automatically lock out monitor screens after a defined period of inactivity and require password validation to be unlocked. Users shall manually lock out monitor screens when leaving a computer unattended.

6.5. IT EQUIPMENT MAINTENANCE
IT equipment shall be maintained by authorized personnel.

6.6. MOBILE COMPUTING DEVICES
Mobile Computing Device (MCD) Users shall save all Information on the Region’s protected network drives and avoid storing Information on the MCD hard drive or removable media devices.

Definitions
For the purposes of this policy:

ADVANCED TECHNOLOGY means the department of Advanced Technology.

COMPROMISE means actual or potential unauthorized Disclosure, use, destruction, removal, modification or interruption of Region Information or assets.

DEPARTMENT means any department, division, unit, program, portfolio, section or service within the Region’s organizational structure.

DISCLOSURE means the act and effect of granting individual(s) access to certain Information, either directly or indirectly.

FACILITY DESIGNATE means the individual or Department responsible for ensuring access controls are met at a Region facility. A Facility Designate shall be identified in facilities where Protection Services is not employed.

INFORMATION means knowledge, documents, text, or data of any kind and in any form or medium (e.g., paper, digital, audio-visual, et cetera) derived from recorded, written, verbal, observed, or other forms of communication which is used, created, received, or maintained by the Region or any individual or organization acting on the Region’s behalf.

INFORMATION SECURITY means the preservation of the Integrity of Information.

INFORMATION SECURITY INCIDENT means any incident where a violation or breach of Information Security, or a weakness or malfunction of IT infrastructure that could potentially cause a violation or breach, occurs. An Information Security breach is a Compromise of sensitive Information Security, whether deliberate or accidental, which could result in the Information being viewed, used or held by unauthorized persons. An Information Security violation is a particular incident or system-wide condition that violates this or other Information Security and Privacy policies, but does not necessarily result in an Information Security breach.

INFORMATION SYSTEMS means all the components that collect, manipulate, and disseminate data or Information including, but not limited to data, hardware, software, communications systems, and the people involved in running a system.

INTEGRITY means assuring the confidentiality, accuracy, authenticity, availability, and completeness of Information and processing methods.

IT RESOURCE means any Region owned asset used to generate, process, transmit, store, or access the Region’s Information, which includes but is not limited to IT infrastructure, systems, hardware, software, Information Systems, networks, shared drives, computer equipment and devices, Internet, e-mail, databases, applications, and Mobile Computing Devices.

MOBILE COMPUTING DEVICE (MCD) means portable electronic devices including but not limited to: Portable Digital Assistants (PDAs), notebook computers, laptops, Tablet PCs, Palm Pilots, Pocket PCs, text pagers, smart phones, and other similar devices.

RISK ASSESSMENT means an assessment of the threats to, impacts on, and vulnerability of Information and information processing and storage facilities.

SECURITY means the guarding or guaranteeing of the safety of the Region’s Information and IT Resources against any Compromise, misuse, theft, destruction, or other dangers, and the protection of privacy and confidentiality of Information.

USER means any individual who uses or discloses Information, or an individual who uses any Region owned IT Resource including but not limited to IT equipment, Information Systems, IT infrastructure, networks, shared drives, databases, systems, hardware, software, internet, e-mail, and applications.

Cross References to Calgary Health Region Policies
Information Technology Resource Security
Web Page Development and Maintenance


Additional References
Appendix "A" - Information Security Classification and Standards Chart
Appendix "B" - Information Security Incident Levels and Advanced Technology Response Summary
Appendix "C" - Information Security Incident Levels and I&P Response Summary
Appendix "D" - Information Security Organization
Freedom of Information and Protection of Privacy Act
Health Information Act
International Organization for Standardization (ISO) BS 7799-2: 2002