HomeMy Public PortalAbout2019-12-12_Information Access and Protection Policy_P-90LL696WmA L616kiWA
1106umation
icy
Effective Date: December 12, 2019
Information Access & Protection Policy P-90 (continued)
MUNICIPALITY OF THE DISTRICT OF CHESTER
POLICY P-90
INFORMATION ACCESS AND PROTECTION POLICY
1. PURPOSE
1.1. The Municipality of the District of Chester is responsible for
protecting information as an
asset. Recognizing that there are risks associated with users acce
N to conduct municipal business, the Information Access
ssing and handling
and Protection
Is and
Policy commits the Municipality to develop and implement Clll necessary protoco
guidelines for maintaining the availability, quality, confidentiality, and privacy of
information under its custody and control. As a result, this policy:
1.1.1. Provides the framework for the Municipality to:
• Identify and protect its data, records, and information technology assets,
• Detect physical and cyber threats; and respond and recover from information
security and privacy breach incidents immediately whenever they occur;
• Specify the technology and information asset types that must be protected
and information security risks that must be mitigated; and
• Outline the Municipality's roles and responsibilities for information
governance.
2. DEFINITIONS
2.1. "Access Control" is the process by which users are granted access and usage
privileges to Municipal information systems and resources. This includes the
authorization, authentication, and audit of the access granted.
2.2. "Business Continuity" is the ability to keep critical operations within the Municipality
functioning during and after a disaster through a variety of coordinated business and
emergency measure responses, including disaster recovery.
2.3. "CAO" means the Chief Administrative Officer, or her/his designate.
2.4. "Council" means the elected officials that make up the Council of the Municipality of the
District of Chester.
Notice of Intention to Adopt —Committee of the Whole — 2019/11/21 (2019-526}
First Notice —Council —November 28, 2019 (2019-544)
Second Notice — Council — December 12, 2019 (2019-576}
Effective — December 12, 2019
Page2of6
Information Access & Protection Policy P -W (continued)
2.5. "Disaster Recovery" protects the Municipality's information assets from the negative
consequences of cyberattacks, natural disasters, or device failures. This includes
strategies to restore information systems and data needed for business continuity.
2.6. "Endpoint Protection" refers to applications, services, and systems used for securing
individual workstations, tablets, cellphones, and copiers that connect to the Municipal
network. This includes installing and managing specialized software such as antivirus,
antispyware, firewall, and host intrusion protection systems.
2.7. "Information Technology Assets" are co
network infrastructure comprised of:
mponents of the Municipality's systems and
2.7.1. Computer Hardware: servers, personal computers, peripheral devices,
and tablets.
2.7.2. System Software: operating systems, database management systems, backup
and restore software.
2.7.3. Application Software: custom written software applications, and commercial off
the shelf software packages used by departments within the Municipality.
2.7.4. Communications Hardware and Software: routers, switches, firewalls, private
lines, desk phones, mobile devices, CCTV systems, and associated network
management software and tools.
2.7.5. Physical Storage: offsite file storage lockers, onsite file rooms, and office file
cabinets.
2.8. "Municipality" means the Municipality of the District of Chester.
3. POLICY STATEMENTS
3.1. All users of the Municipality's system are obligated to protect information techn
and data assets from unauthorized access, loss, damage, and destruction.
ology
3.2. This policy ensures that the appropriate risk mitigation protocols and guidelines are
developed, implemented, and maintained for:
Notice of Intention to Adopt —Committee of the Whole — 2019/11/21 (2019-526}
First Notice —Council —November 28, 2019 (2019-544}
Second Notice — Council — December 12, 2019 (2019-576)
Effective — December 12, 2019
Page 3 of 6
Information Access & Protection Policy P-90 (continued)
3.2.1. Access control: Users present unique and untransferable credentials to access
Municipal systems or information.
3.2.2. Data collection, use, and retention: Data is collected, used, and retained only
when:
• required for operations.
• there is a duty to document; or
• mandated by enactment.
3.2.3. Data protection and loss prevention: Sensitive data is identified, monitored,
and logged to prevent intrusion, leaks, or theft.
3.2.4. Disaster recovery and business continuity: Essential systems and data can
be recovered to resume and continue operations following a natural, accidental, or
malicious disruption in service.
3.2.5. Endpoint protection and security: Network devices are identified, monitored,
and secured.
3.2.6. Information and privacy breach: Information securit
incidents are reported, investigated, and remediated.
y and privacy breach
3.2.7. User awareness and education: Users are aware of and practice secure work
habits and are routinely trained to recognize and respond to cyberauacks.
3.2.8. Vulnerability discovery and remediation: Cyber risks are proactively assessed
Dy identifying, classifying, and mitigating IT system threats and vulnerabilities.
4. GUIDING PRINCIPLES AND VALUES
4.1. The Municipality of the District of Chester is the custodian of extensive information
holdings and relies on its information assets to provide effective service delivery, meet
fiscal obligations, and ensure legal compliance. The Municipality is required to protect
the confidentiality, integrity, and availability of the information assets in its c
I be fully accountable to the public by ensuring authorized access to informa
while preventing unauthorized collection, use, or disclosure.
are and
Notice of Intention to Adopt —Committee of the Whole — 2019/11/21 (2019-526)
First Notice —Council —November 28, 2019 (2019-544)
Second Notice — Council — December 12, 2019 (2019-576)
Effective — December 12, 2019
Page 4 of 6
Information Access & Protection Policy P-90 (continued)
4.2. Non-compliance with this policy could have a significant effect on the efficient operation
of the Municipality and may result in financial loss, loss of reputation, and an inability to
provide necessary services to our residents.
4.3. All internal protocols and guidelines will be authorized and approved by the CAO or
designate as required.
RELATED DOCUMENTATION
The following is related legislation, regulations, by-laws, resolutions, policies, and other
documentation that support this policy.
Municipal Government Act, Part XX
Provincial
Consulted
Accountable
Legislation
2019
Personal
Information
International Disclosure Protection Act
Provincial
Legislation
Records
Management
Policy P-78
Municipal
Information
2019
Policy
Routine
Access Policy
P-70
Munici
al
Policy
Surveillance
Policy P-50
Strategic Initiatives
Municipal
Policy
Coordinator; CAO
REVIEW REQUIREMENTS
The Responsible Officer will lead a review of this policy at the direction of the CAO or
Council. Any recommendations for amendments or repeal must also be authorized by
Council. Amendments must be captured in the Version Log below. Note any former
policies replaced by a new or amended policy under `Amendment Description', when
applicable.
Version
Number
Amendment
Descri tion
Consulted
Accountable
Approval Date
2019
Policy created in
Records
Director of
December 12,
2019
Management &
Information
2019
Quality Control
Services
Coordinator;
Strategic Initiatives
Coordinator; CAO
Notice of Intention to Adopt —Committee of the Whole — 2019/11/21 (2019-526)
First Notice —Council —November 28, 2019 (2019-544)
Second Notice — Council — December 12, 2019 (2019-576)
Effective — December 12, 2019
Page 5 of 6
Information Access &Protection Policy P-90 (continued)
A:
To protect information as an asset and to
develop and implement all necessary protocols
K iiReason for Adoption and guidelines for maintaining the availability,
quality, confidentiality, and privacy of
information under its custody and control
Notice of Intention to Adopt Committee of the Whole
November 21, 2019 (2019-526)
Date of First Notice at Council Council
November 28, 2019 (2019-544)
Date of Second Notice at Council Council
December 12, 2019 (2019-576)
Effective Date December 12, 2019
I certify that this Policy was approved by Council as indicated above.
De", aj,4 17
Pamela M. M ra, Municipal Clerk Date
Ago -
Notice of Intention to Adopt —Committee of the Whole — 2019/11/21 (2019-526}
First Notice —Council —November 28, 2019 (2019-544}
Second Notice — Council — December 12, 2019 (2019-576)
Effective — December 12, 2019
Page 6 of 6