Effective: January 22, 2018
Responsibility: Executive Vice-President, Media Technology and Infrastructure Services
This Policy applies to all employees, subcontractors and consultants working for CBC/Radio-Canada (thereafter “personnel”).
To outline practices which promote and implement information security and the responsible use of technology assets.
Information: Any knowledge element or data, either owned by or in the care of CBC/Radio-Canada, including information related to products and services, operations, third parties, employees, know-how, business processes, intellectual property and trade secrets, regardless of the medium on which it is stored, or through which it is communicated or processed.
Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, availability, authenticity and reliability of information, and ensuring that entities can be held accountable.
Technology Asset: Any element of a technological nature owned or in the custody of CBC/Radio-Canada, as well as any personal device connected to CBC/Radio-Canada technology. Technology assets include but are not limited to: software, hardware, networks, infrastructure, servers, databases, telephony, workstation computers, laptops, mobile devices, input-output devices, technical equipment, software and externally hosted or managed technology services, such as cloud-based solutions.
4. STATEMENT OF POLICY
CBC/Radio-Canada is committed to manage the risks related to information security by enforcing the roles and responsibilities pertaining to this policy (see appendix B).
4.1 Responsible use
CBC/Radio-Canada strictly prohibits any unlawful or inappropriate use of information and technology assets (see Appendix A). Inappropriate use of information and technology assets may be tolerated if required for journalistic purposes and therefore authorized in accordance with the CBC/Radio-Canada’s Journalistic Standards and Practices. In those cases, it is mandatory to follow the appropriate exemption procedure.
Personnel must use CBC/Radio-Canada information and technology assets responsibly and in accordance with applicable federal, provincial and municipal laws, and corporate policies.
Personnel must use CBC/Radio-Canada information and technology assets primarily for the purpose of performing job-related activities. Limited personal use is tolerated; however, it must be lawful, appropriate and must not interfere with or detract from assigned tasks. Although CBC/Radio-Canada does not intend to unreasonably interfere with an individual’s privacy, personnel should not expect to have personal privacy rights associated with the use of CBC/Radio-Canada technology assets.
4.2 Information Protection
Personnel must handle information and use CBC/Radio-Canada technology assets in a manner that maintains the security of information. Personnel must not reduce the effectiveness of any safeguard put in place by the CBC/Radio-Canada. Personnel must ensure that they do not irresponsibly grant access or disclose information to unauthorized users.
Personnel must promptly report any unlawful or inappropriate use (see Appendix A), suspected compromise, unmanaged security risk or the loss of information or technology assets to their manager, the local technology support team, the Shared Services Centre, or through the Disclosure of Wrongdoings (Whistleblower Policy).
4.3 Control of Use
CBC/Radio-Canada reserves the right to control the use of its technology assets as well as the information communicated, processed or stored on them.
CBC/Radio-Canada reserves the right to:
- Implement protective measures and limit, extend or terminate access to its technology assets, as required, in order to protect these assets from malfunction, reduced performance and improper use, and to safeguard information availability, integrity and confidentiality.
- Monitor its technology assets for the purpose of troubleshooting, capacity planning, cost control, compliance, security, and the enforcement and consistent application of this Policy.
- Access and view personal information during the course of an investigation of employee activities or behaviour.
- Appendix A – Unlawful or Inappropriate Use of Technology Assets
- Appendix B – Roles and Responsibilities
6. SUBSIDIARY POLICY INSTRUMENTS
Rules and Procedures
- Rules and Procedures on Mobile Device Management
- Rules and Procedures on Identity and Access Management
- Rules and Procedures on Security Incident Response
- Rules and Procedures on System Security Monitoring
- Exemption Procedure : Policy on Information Security and the Responsible Use of Technology Assets
- Cloud Checklist
- Code of Conduct
- Policy 2.9.1: Records and Information Management
- Policy 2.9.2: Personal Information and Privacy Protection
- Policy 2.9.4: Disclosure of Wrongdoings (Whistleblower Policy)
- Policy on the Business Continuity Program
- Journalistic Standards and Practices
This Policy replaces the existing Policy 2.5.1: Use of Technology Assets (2013).
All questions pertaining to the interpretation or application of this Policy should be referred to the Information Security Director.
All use of CBC/Radio-Canada technology assets must be lawful and appropriate. Improper use includes, but is not limited to the following:
- Accessing, downloading, viewing or distributing offensive material including, but not limited to pornographic or sexually-oriented content and discriminatory or harassing messages, unless authorized and required for journalistic or programming purposes.
- Sharing personal user identities, passwords and other security access controls instead of using authorized delegation mechanisms.
- Using privileged Group IDs, Shared IDs, Generic IDs or delegated access outside of its intended use. Such IDs are reserved for performing specialized administrative functions and must not be used as personal IDs for day-to-day access.
- Conducting illegal activities, including but not limited to gambling, or soliciting for personal gain or for profit.
- Sending, forwarding or replying to unauthorized mass emails, chain letters, and petitions unrelated to business activities.
- Reproducing or distributing work protected by the copyright law and intellectual property rights, including, but not limited to images, music, video, text, or software.
- Intentionally interfering or altering the normal operation or services of technology assets to remove corporate or vendor-imposed limitations such as password protection, anti-virus, encryption of information etc.
- Removing, bypassing or making ineffective any security feature or device designed to protect from security threats.
- Damaging the integrity of technology assets including, but not limited to intentional spreading of viruses and gaining or attempting to gain unauthorized access to any workstations, networks, mobile devices, applications, or data.
- Using technology assets as a conduit for unauthorized access attempts on other IT systems, whether they are property of CBC/Radio-Canada or third parties.
- Downloading or installing any application or software on a technology asset that provides remote access capability and might compromise the integrity of the information security system.
- Installing any license controlled software or application for which a license has not been purchased.
- Establishing personal accounts such as mobile accounts with application service provider stores using a CBC/Radio-Canada employee expenses card.
- Implementing technology services (networks, remote services, applications, etc.) within the CBC/Radio-Canada network without explicit authorization.
- Adopting or acquiring externally hosted or managed technology services such as cloud-based solutions and software-as-services without explicit authorization.
- Storing confidential information on removable disks such as USB keys, or portable hard drives without previously encrypting it.
>VICE-PRESIDENTS AND DELEGATES
Vice-Presidents and their delegates are responsible for:
- Ensuring that processes are in place within their component/department to manage information in accordance with the Policy on Records and Information Management (2.9.1) ;
- Supporting security programs put in place by the Information Security Director related to information security and responsible use of technology assets within their unit;
- Promptly reporting suspected information security compromises or related events within their unit to the Information Security Director;
- Maintaining the proper management of access privileges for personnel or systems within their component/department;
- Complying with the Policy with regard to delegated or outsourced services within their unit.
INFORMATION SECURITY DIRECTOR
The Information Security Director is responsible for:
- Implementing an awareness program covering information security and the responsible use of technology assets, including regular communications and seasonal mandatory education;
- Conducting annual assessments of risks related to information security and responsible use of technology assets;
- Supervising a security program in response to the risk assessment;
- Implementing and verifying business continuity programs for critical processes, and information systems and technologies, including financial reporting systems and broadcast networks;
- Maintaining ongoing intrusion protection, monitoring, detection and reactive measures to prevent and report on malicious activities related to technology assets, such as intrusion attempts.