Policy 2.5.1 - Guidelines and Standards

GUIDELINES AND STANDARDS


Guideline for New Media Related to Policy 2.5.1: Corporate Information Technology Security and Employee Use of IT Assets


BACKGROUND

CBC/Radio-Canada departments or groups that are responsible for CBC/Radio-Canada websites, such as CBC.CA, RADIO-CANADA.CA, RADIO 3 sites, ZED.CBC.CA, and Bande-a-Part sites (all of which are referred to as New Media) have a need to experiment with leading-edge Internet and Web technologies. They test new technologies and applications in a sandbox environment, which is totally disconnected from CBC/Radio-Canada corporate networks and from any production and test environments. An exemption from IT Security Policy 2.5.1 is provided to these departments and groups, provided that these untested and unauthorized applications are used and tested strictly in the totally isolated sandbox environment, such that no data or software is transferred by any means to the corporate network and production environment.

PURPOSE

The purpose of this exemption certificate is to provide the flexibility necessary for the New Media departments and groups to carry out their mandate.

SCOPE

The scope of this exemption includes all hardware, software (including software version upgrades and downloads), practices and procedures under evaluation or development by the New Media departments or groups for use within CBC/Radio-Canada. During the course of normal day-to-day activities, it may be necessary for the members of the New Media departments and groups to disregard some restrictions within IT Security Policy 2.5.1.

Each of the following listed activities permitted under this exemption is restricted to use within the controlled sandbox environment of the New Media departments and groups labs/networks:

  • Download/install any software package on computers within the New Media departments and groups labs/networks for evaluation purposes.
  • Develop Web-related software tools to provide necessary functions for the day-to-day operation of the CBC/Radio-Canada authorized websites.
  • Install any type of network server/service within the New Media labs/networks.
  • Use hacking, cracking and “sniffer” tools for security and performance evaluation on network devices located within the New Media labs/networks.

The CBC Technology department(s) may at any time request proof that the above guideline is being followed properly and in a comprehensive manner.

February 2, 2006


Guideline for Real Estate Division Related to Policy 2.5.1: Corporate Information Technology Security and Employee Use of IT Assets


BACKGROUND

The Real Estate Division has many stand-alone PCs or CPUs that are not connected to the corporate network. While corporate security policies apply to all IT infrastructure, there is a need to provide an exemption for totally isolated devices, such as CPUs used to control elevators. Therefore, an exemption from IT Security Policy 2.5.1 is provided to the Real Estate Division for totally isolated stand-alone computing devices, provided that no data or software is transferred by any means to the corporate network and production environment, or from the Internet.


PURPOSE

Enable the Real Estate Division to deploy or maintain any device or system that is not connected to the Internet or to a computer network within CBC/Radio-Canada.


SCOPE

The scope of this exemption includes all devices that are not attached to the Internet or to any wired or wireless corporate IT network within CBC/Radio-Canada.

  • Any device which has the ability to upload or download data from any type of media must be protected from viruses, Trojans and worms using IT-approved security software.
  • The Real Estate Division shall have final approval on building management systems (elevators, HVAC, lighting, etc.) as they pertain to the facility/property management specialty. Real Estate must always ensure that IT authorizes the implementation of all building applications connected to the IT network or to the Internet, with regard to system safety issues. Real Estate shall also proactively advise IT every time a building management application connected to the corporate network or to the Internet is upgraded.

The CBC/Radio-Canada Technology Department(s) may at any time request proof that the above guideline is being followed properly and in a comprehensive manner.

February 2, 2006


Guideline for Managers Related to Policy 2.5.1: Corporate Information Technology Security and Employee Use of IT Assets


BACKGROUND

Information technology security is a process that involves people, in addition to technologies, management and administrative processes and procedures. Although security involves a technology component managed by CBC/Radio-Canada Technology, every CBC/Radio-Canada employee is responsible for using IT assets in a secure and responsible manner. All CBC/Radio-Canada managers are part of the process by identifying requirements, providing information to CBC/Radio-Canada Technology, collaborating in audits/security investigations and contributing to security procedures when required. By participating in the security process, users and managers ensure that the technology components of security provide added value to the business, as opposed to obstructing it.

The present guidelines contain a number of principles and best practices derived from established industry best practices concerning security. Managers must be familiar with the present guidelines and apply them. Specific details and procedures particular to specific technologies are found in the IT security standards and procedures.

PRINCIPLES

Principle 1: IT Security supports the mission of the CBC/Radio-Canada.

The purpose of IT security is to protect CBC/Radio-Canada’s valuable resources such as data, hardware, and software. In a digital world, these resources include content assets. Through the selection and application of appropriate safeguards, IT security helps CBC/Radio-Canada’s mission by protecting the Corporation’s physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets. Well-chosen security measures and procedures do not exist for their own sake; they are put in place to protect important assets and support the overall CBC/Radio-Canada organizational mission.

Principle 2: IT Security is everyone’s business

IT Security is not just the set of tools used to protect IT assets; an effective IT security program combines people, processes and technologies. Each regional manager, program delivery manager, CBC/Radio-Canada Technology staff member, general end-user, human resources staff member and other employee contributes to CBC/Radio-Canada IT Security; we are all working together in a concerted manner to achieve and maintain the same high level of IT security across the Corporation. Although program and service delivery managers may delegate responsibility for IT security to technical experts, they remain accountable for ensuring the IT security of the programs and services under their authority.

Principle 3: IT Security should be cost effective.

The costs and benefits of IT security measures should be carefully examined to ensure that the cost of controls does not exceed expected benefits. Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm.

Principle 4: IT Security should be reassessed periodically.

Many types of changes affect IT security: technological developments, connection to external networks, a change in the value or use of information, bypassing of security practices, or the emergence of a new security threat. Changes in a system or its environment can create new vulnerabilities. These issues make it necessary to periodically reassess the security of IT systems, networks and applications.

Principle 5: CBC Managers should implement separation of duties.

“Separation of duties” refers to dividing roles and responsibilities so that a single individual cannot subvert a critical process. In other words, no individual should have exclusive control over any type of valuable information asset. The purpose is to ensure that no one can subvert a process and compromise the security of critical assets without someone else being able to notice and prevent or remedy the damage.

Principle 6: Access rights should be granted on a least privilege basis.

“Least privilege” refers to not granting more access rights than those required to perform one's function. The purpose of least privilege is to limit the damage that can result from accident, error or unauthorized use. The responsible manager must identify what access is required by the employee to fulfill his/her duties and ensure that the access granted does not exceed the requirements.

Principle 7: Access rights should be granted on a need-to-know basis.

“Need-to-know” refers to granting access to information of a private or confidential nature only to those who need to use it to perform their function. The purpose of need-to-know is to protect the confidentiality of data and the privacy of individuals. The responsible manager must identify what access to private or confidential information is required by the employee to fulfill his/her duties and ensure that the access rights granted do not exceed the requirements.

MANAGER'S RESPONSIBILITIES

When IT assets are implemented in the manager's business area, the responsibilities of the manager regarding the security policy and the compliance of the personnel reporting to the manager are:

  • To enforce the Corporate IT security policy, guidelines, standards and procedures;
  • To approve every individual’s network access with appropriate security levels and to periodically review these levels of access, as necessary;
  • To review access violation security reports for IT resources they own, and work with CBC/Radio-Canada Technology to resolve problem situations;
  • To ensure that their staff are fully aware of security policies and guidelines, and not to provide objectives that conflict with policy;
  • To ensure that issue-specific IT security standards and procedures applicable to their lines of business are maintained and followed by their staff;
  • To submit proposals for exemptions from security policies, standards and procedures to the Strategy and Planning Department for approval by the Chief Technology Officer (CTO);
  • To take appropriate disciplinary action for any violation of the CBC/Radio-Canada Corporate IT Security Policy 2.5.1.

February 2, 2006
