Policy 2.5.1: Corporate Information Technology (IT) Security and Employee Use of IT Assets

Effective: February 2, 2006

STATEMENT OF POLICY

CBC/Radio Canada owns and has control over the use of all of its IT Assets 1, i.e. its electronic networks including, but not limited to, related systems, workstations, equipment, software, data messages and all information entered, processed, stored, retrieved or sent using CBC/Radio-Canada IT Networks. CBC/Radio-Canada has the right to protect its IT Assets. Employees have an obligation to protect and use these IT Assets responsibly, in conformity with applicable federal and provincial laws, for the purpose of their work, and to not endanger these IT Assets.

The use and security of all CBC/Radio-Canada’s IT Assets are governed by this Policy. Of paramount concern and importance is CBC/Radio-Canada’s ability to secure and protect its IT Assets from malfunction, reduced performance and improper use, and to maintain Data integrity and confidentiality.

Any use of or connection to CBC/Radio-Canada IT Assets including, but not limited to, the use of the Internet or E-Mail via these IT Assets, will constitute consent to the terms and conditions of this Policy. Employees do not have any personal privacy rights when using CBC/Radio-Canada IT Assets.

APPLICATION

This policy applies to all CBC/Radio-Canada employees, including permanent, temporary, casual or contract employees, and all CBC/Radio-Canada IT Assets.

It is recognized that the rules governing the use of IT Assets for a media and journalistic entity such as CBC/Radio-Canada must have some flexibility. Consequently, it is understood that for journalistic, programming or other valid business purposes, exemptions to portions of this Policy may be justified for particular employees. Any exemption must be consistent with CBC/Radio-Canada’s high standards of journalistic and program practices and policies. Requests for exemptions must be originated by senior management. Any questions and/or requests for an exemption from this Policy must be submitted to the Senior Director, Strategy and Planning, CBC Technology or his/her delegate(s), for approval from the Vice-President, Chief Technology Officer (CTO) or his/her delegate(s).

DESCRIPTION

Access to CBC/Radio-Canada IT Assets from within and outside CBC/Radio-Canada premises, when provided to employees, is a privilege that imposes certain responsibilities and obligations on all employees and is granted on the understanding that all use is in compliance with this Policy. CBC/Radio-Canada reserves its right to limit, extend or terminate any use of and access to its IT Assets. In order to manage this function, the CBC Technology Department(s) designated by the Vice-President, Chief Technical Officer (CTO) must be informed of any additions, deletions or modifications to access rights to CBC/Radio-Canada IT Assets, including, but not limited to, Workstations, Networks, IT Applications, and the use of the Internet and E-Mail accounts. The required information provided should include the identity of the user, the type and level of access as well as the duration of access.

Employees are provided with access to CBC/Radio-Canada IT Assets for business use and for the purpose of performing job-related activities. Although some limited personal use will be tolerated, it is subject to this Policy and must not interfere with or detract from employees' assigned tasks.

CBC/Radio-Canada may monitor its IT assets for the purpose of troubleshooting, capacity planning and the enforcement and consistent application of this Policy. CBC/Radio-Canada may also, during the course of investigating misuse of its IT Assets, access and view information related to an employee’s use of these IT Assets, including, but not limited to, the use of E-Mail and the Internet. This applies to both CBC business related and personal use of CBC/Radio-Canada IT Assets. Accordingly, although the CBC does not expect to unreasonably interfere with individual privacy, employees should not expect to have personal privacy rights in or associated with the use of CBC/Radio-Canada IT Assets.

Failure to comply with this CBC/Radio-Canada Policy may lead to discipline up to and including discharge.

All employees are required to:

  • Read, understand and follow this Policy when using or accessing CBC/Radio-Canada’s IT Assets within CBC/Radio-Canada premises or outside of them, whether they are using CBC/Radio-Canada- provided Workstations or using non- CBC/Radio-Canada Workstations such as a home or other Workstations, or from an outside Network;
  • Maintain and protect the secrecy of information related to their assigned (or selected) password-protected accounts, user identity and other security access control methods that may be put in place by the CBC Technology Department(s) to protect CBC/Radio-Canada IT Assets;
  • Inform their immediate supervisor if they become aware of any compromise or suspected compromise of IT security, or non-compliance to this Policy;
  • Access only files and data to which they have authorized access, which are necessary to the execution of their functions, or which are publicly available;
  • Include a company disclaimer as part of each message when posting to Usenet newsgroups, Internet mailing lists, etc.;
  • Cooperate with IT security investigations;
  • Attend IT security awareness sessions and formal security training as appropriate;
  • Use and protect CBC/Radio-Canada’s IT Assets in accordance with this Policy as well as other related standards, practices, procedures and guidelines put in place by the CBC Technology Department(s); and
  • Be responsible for all activities and consequences associated with the IT Assets CBC/Radio-Canada has provided them to carry out their work, including, but not limited to, accessing CBC/Radio-Canada IT Assets via their assigned (or selected) password-protected accounts, as well as any other security access control methods that may be put in place by the CBC Technology Department(s) to protect CBC/Radio-Canada IT Assets, such as other authentication methods.

All use of CBC/Radio-Canada IT Assets must be lawful and in accordance with this Policy. Any inappropriate or unauthorized use of these IT Assets is prohibited. Such improper use includes, but is not limited to, the following:

  • Downloading, viewing and distributing offensive material including, but not limited to, accessing pornographic or illegal sites unless authorized and required for journalistic or programming purposes;
  • Accessing, sending, soliciting, storing or willfully receiving sexually-oriented messages or material unless authorized and required for journalistic or program purposes;
  • Accessing, sending, soliciting, storing or willfully receiving discriminatory or harassing messages or material that disparages others on the basis of race, national origin, colour, gender, sexual orientation, age, disability, and/or religious beliefs, unless authorized and required for journalistic or programming purposes;
  • Conducting illegal activities or gambling/soliciting for personal gain or profit;
  • Sending, forwarding or replying to unauthorized mass E-Mails, chain letters, petitions, unrelated to CBC/Radio-Canada business activities;
  • Distributing or forwarding unsolicited commercial E-Mail or conducting any non-CBC/Radio-Canada-related commercial activity;
  • Transmitting or releasing sensitive, confidential, proprietary or privileged information without proper authorization in the context of their assigned functions;
  • Reproducing or distributing copyrighted works, including, but not limited to, images, music, video, text, or software, in contravention of Intellectual Property Rights;
  • Providing discrediting information concerning CBC/Radio-Canada;
  • Representing personal opinions as those of CBC/Radio-Canada;
  • Doing non-business-related activities that will cause congestion or , disruption of CBC/Radio-Canada IT Assets including, but not limited to: online games, online gambling, unnecessary List Serve subscriptions and E-Mail attachments, and chat rooms, such as Internet Relay Chat (IRC), Instant Messenger and similar computer conferencing chat rooms on the Internet, when not related to CBC/Radio-Canada business or without permission from the CBC Technology Department;
  • Signing up for "instant messaging" or contact services when not related to CBC/Radio-Canada business and without permission from the CBC Technology Department;
  • Compromising the confidentiality of CBC/Radio-Canada Data;
  • Intentionally interfering with the normal operation of CBC/Radio-Canada's IT Assets and the services they provide;
  • Removing, bypassing or in any other way making ineffective any IT security feature or device designed to protect the CBC/Radio-Canada from IT security threats;
  • Damaging the integrity of CBC/Radio-Canada’s IT Assets including, but not limited to, intentional spreading of viruses, and gaining or attempting to gain unauthorized access to any Workstations, Networks, IT Applications, or Data;
  • Misrepresenting, obscuring, suppressing, or replacing a user’s identity on the Internet or E-Mail including the use of false or misleading subject headers and presentation of information in the distribution of E-Mail, and any form of identity theft;
  • Using CBC/Radio-Canada IT Assets as a conduit for unauthorized access attempts on other IT systems, not necessarily owned by CBC/Radio-Canada;
  • Connecting Workstations to CBC/Radio-Canada’s Networks without permission from the CBC Technology Department(s) designated by the Vice-President CTO, to manage this function;
  • Proceeding with IT Application development or IT Application acquisition plans and activities without the prior approval of the Vice-President CTO, or his/her delegate(s);
  • Downloading or installing any IT Applications and/or Software on CBC/Radio-Canada’s IT Assets or changing any existing Applications without obtaining a prior approval from the Vice-President CTO, or his/her delegate(s);
  • Interfering with, removing or bypassing any security features or devices designed to protect CBC/Radio-Canada from IT security attacks such as viruses, hackers, etc.;
  • Using CBC/Radio-Canada IT Assets in such a way that the nature or volume of use compromises the ability of these IT Assets to serve other employees;
  • Developing or maintaining a personal Web page and/or personal file transfer or share server on a CBC/Radio-Canada Workstation without permission from the CBC Technology Department(s) designated by the Vice-President CTO, to manage this function;
  • Making improper and unauthorized use of CBC/Radio-Canada’s IT Assets or access rights or making these available to unauthorized persons without permission from the CBC Technology Department(s) designated by the Vice-President CTO to manage this function;
  • Any other use that violates or is not in compliance with any other CBC/Radio-Canada Policies including the Journalistic Standards and Practices;
  • Other inappropriate uses as identified by the Vice-President CTO;

HISTORY

This Policy replaces the existing Information Technology Policy 2.5.1: “Use of Electronic Networks by Employees”.

REFERENCES

  • Human Resources Policy 2.2.3 - Conflicts of Interest and Ethics
  • Human Resources Policy 2.2.10 - Discipline
  • Human Resources Policy 2.2.15 - Harassment
  • Corporate Secretariat Legal Policy 2.9.1 - Records and Information Management
  • Corporate Secretariat Legal Policy 2.9.2 - Personal Information and Privacy Protection
  • Finance and Administration Policy 2.3.2 - Assets
  • Finance and Administration Policy 2.3.6 - Procurement
  • Program Policy 1.1 - Program Policies
  • Program Policy 1.2 - Journalistic Standards and Practices

PERSON RESPONSIBLE FOR ITS APPLICATION

Vice-President and Chief Technology Officer (CTO)

DEPARTMENT RESPONSIBLE FOR UPDATING THIS WEBPAGE

Corporate Secretariat

APPENDIX A - DEFINITIONS

Any use of the words, IT, IT Assets, Workstations, Networks, Data and IT Applications, for the purpose of this policy have the following meaning:


  • IT refers to information technologies in general, as opposed to CBC Technology’s IT Department(s).
  • IT Assets includes IT related assets such as hardware and software, including computers, peripherals, systems, servers, Workstations, Networks, Data and IT Applications as defined below. These definitions apply also to those IT assets that are used in the content acquisition, creation, publishing, production, broadcast, distribution & delivery environments, that are or may be connected to CBC/Radio-Canada IT Network(s)
  • Workstations refers to any devices that can be network-connected, including but not limited to desktop computers, portable computers (laptops, notebooks), or any other portable/handheld devices (including mobile & cellular phones) which can be used as a computer or a network access device), whether they are located on or off CBC/Radio-Canada premises and whether or not they are the property of CBC/Radio-Canada.
  • Networks refers to Data networks and telecommunication networks (including voice), both wired and wireless; but does not include dedicated broadcast satellite and terrestrial networks that do not carry IT data & voice.
  • IT Applications is defined as software code designed to perform particular function(s). It includes IT application code, interfaces and its related database(s);.
  • Data refers to messages, databases, and any information entered, stored, processed, retrieved or sent using IT Assets.

1. See Appendix A for Definitions.

Search highlight tool