The URL can be used to link to this page

Home My Public Portal About2019-12-12_Information Access and Protection Policy_P-90LL696WmA L616kiWA 1106umation icy Effective Date: December 12, 2019 Information Access & Protection Policy P-90 (continued) MUNICIPALITY OF THE DISTRICT OF CHESTER POLICY P-90 INFORMATION ACCESS AND PROTECTION POLICY 1. PURPOSE 1.1. The Municipality of the District of Chester is responsible for protecting information as an asset. Recognizing that there are risks associated with users acce N to conduct municipal business, the Information Access ssing and handling and Protection Is and Policy commits the Municipality to develop and implement Clll necessary protoco guidelines for maintaining the availability, quality, confidentiality, and privacy of information under its custody and control. As a result, this policy: 1.1.1. Provides the framework for the Municipality to: • Identify and protect its data, records, and information technology assets, • Detect physical and cyber threats; and respond and recover from information security and privacy breach incidents immediately whenever they occur; • Specify the technology and information asset types that must be protected and information security risks that must be mitigated; and • Outline the Municipality's roles and responsibilities for information governance. 2. DEFINITIONS 2.1. "Access Control" is the process by which users are granted access and usage privileges to Municipal information systems and resources. This includes the authorization, authentication, and audit of the access granted. 2.2. "Business Continuity" is the ability to keep critical operations within the Municipality functioning during and after a disaster through a variety of coordinated business and emergency measure responses, including disaster recovery. 2.3. "CAO" means the Chief Administrative Officer, or her/his designate. 2.4. "Council" means the elected officials that make up the Council of the Municipality of the District of Chester. Notice of Intention to Adopt —Committee of the Whole — 2019/11/21 (2019-526} First Notice —Council —November 28, 2019 (2019-544) Second Notice — Council — December 12, 2019 (2019-576} Effective — December 12, 2019 Page2of6 Information Access & Protection Policy P -W (continued) 2.5. "Disaster Recovery" protects the Municipality's information assets from the negative consequences of cyberattacks, natural disasters, or device failures. This includes strategies to restore information systems and data needed for business continuity. 2.6. "Endpoint Protection" refers to applications, services, and systems used for securing individual workstations, tablets, cellphones, and copiers that connect to the Municipal network. This includes installing and managing specialized software such as antivirus, antispyware, firewall, and host intrusion protection systems. 2.7. "Information Technology Assets" are co network infrastructure comprised of: mponents of the Municipality's systems and 2.7.1. Computer Hardware: servers, personal computers, peripheral devices, and tablets. 2.7.2. System Software: operating systems, database management systems, backup and restore software. 2.7.3. Application Software: custom written software applications, and commercial off the shelf software packages used by departments within the Municipality. 2.7.4. Communications Hardware and Software: routers, switches, firewalls, private lines, desk phones, mobile devices, CCTV systems, and associated network management software and tools. 2.7.5. Physical Storage: offsite file storage lockers, onsite file rooms, and office file cabinets. 2.8. "Municipality" means the Municipality of the District of Chester. 3. POLICY STATEMENTS 3.1. All users of the Municipality's system are obligated to protect information techn and data assets from unauthorized access, loss, damage, and destruction. ology 3.2. This policy ensures that the appropriate risk mitigation protocols and guidelines are developed, implemented, and maintained for: Notice of Intention to Adopt —Committee of the Whole — 2019/11/21 (2019-526} First Notice —Council —November 28, 2019 (2019-544} Second Notice — Council — December 12, 2019 (2019-576) Effective — December 12, 2019 Page 3 of 6 Information Access & Protection Policy P-90 (continued) 3.2.1. Access control: Users present unique and untransferable credentials to access Municipal systems or information. 3.2.2. Data collection, use, and retention: Data is collected, used, and retained only when: • required for operations. • there is a duty to document; or • mandated by enactment. 3.2.3. Data protection and loss prevention: Sensitive data is identified, monitored, and logged to prevent intrusion, leaks, or theft. 3.2.4. Disaster recovery and business continuity: Essential systems and data can be recovered to resume and continue operations following a natural, accidental, or malicious disruption in service. 3.2.5. Endpoint protection and security: Network devices are identified, monitored, and secured. 3.2.6. Information and privacy breach: Information securit incidents are reported, investigated, and remediated. y and privacy breach 3.2.7. User awareness and education: Users are aware of and practice secure work habits and are routinely trained to recognize and respond to cyberauacks. 3.2.8. Vulnerability discovery and remediation: Cyber risks are proactively assessed Dy identifying, classifying, and mitigating IT system threats and vulnerabilities. 4. GUIDING PRINCIPLES AND VALUES 4.1. The Municipality of the District of Chester is the custodian of extensive information holdings and relies on its information assets to provide effective service delivery, meet fiscal obligations, and ensure legal compliance. The Municipality is required to protect the confidentiality, integrity, and availability of the information assets in its c I be fully accountable to the public by ensuring authorized access to informa while preventing unauthorized collection, use, or disclosure. are and Notice of Intention to Adopt —Committee of the Whole — 2019/11/21 (2019-526) First Notice —Council —November 28, 2019 (2019-544) Second Notice — Council — December 12, 2019 (2019-576) Effective — December 12, 2019 Page 4 of 6 Information Access & Protection Policy P-90 (continued) 4.2. Non-compliance with this policy could have a significant effect on the efficient operation of the Municipality and may result in financial loss, loss of reputation, and an inability to provide necessary services to our residents. 4.3. All internal protocols and guidelines will be authorized and approved by the CAO or designate as required. RELATED DOCUMENTATION The following is related legislation, regulations, by-laws, resolutions, policies, and other documentation that support this policy. Municipal Government Act, Part XX Provincial Consulted Accountable Legislation 2019 Personal Information International Disclosure Protection Act Provincial Legislation Records Management Policy P-78 Municipal Information 2019 Policy Routine Access Policy P-70 Munici al Policy Surveillance Policy P-50 Strategic Initiatives Municipal Policy Coordinator; CAO REVIEW REQUIREMENTS The Responsible Officer will lead a review of this policy at the direction of the CAO or Council. Any recommendations for amendments or repeal must also be authorized by Council. Amendments must be captured in the Version Log below. Note any former policies replaced by a new or amended policy under `Amendment Description', when applicable. Version Number Amendment Descri tion Consulted Accountable Approval Date 2019 Policy created in Records Director of December 12, 2019 Management & Information 2019 Quality Control Services Coordinator; Strategic Initiatives Coordinator; CAO Notice of Intention to Adopt —Committee of the Whole — 2019/11/21 (2019-526) First Notice —Council —November 28, 2019 (2019-544) Second Notice — Council — December 12, 2019 (2019-576) Effective — December 12, 2019 Page 5 of 6 Information Access &Protection Policy P-90 (continued) A: To protect information as an asset and to develop and implement all necessary protocols K iiReason for Adoption and guidelines for maintaining the availability, quality, confidentiality, and privacy of information under its custody and control Notice of Intention to Adopt Committee of the Whole November 21, 2019 (2019-526) Date of First Notice at Council Council November 28, 2019 (2019-544) Date of Second Notice at Council Council December 12, 2019 (2019-576) Effective Date December 12, 2019 I certify that this Policy was approved by Council as indicated above. De", aj,4 17 Pamela M. M ra, Municipal Clerk Date Ago - Notice of Intention to Adopt —Committee of the Whole — 2019/11/21 (2019-526} First Notice —Council —November 28, 2019 (2019-544} Second Notice — Council — December 12, 2019 (2019-576) Effective — December 12, 2019 Page 6 of 6