5.06 Computer Use - Government of PEI

SECTION 5
TERMS AND CONDITIONS OF EMPLOYMENT
5.06 IT SECURITY AND COMPUTER USE
AUTHORITY:
TREASURY BOARD MINUTE # 714/90
MANAGEMENT BOARD MINUTE # 278/95
TREASURY BOARD MINUTE # 74/98
ADMINISTRATION:
GOVERNMENT DEPARTMENTS / AGENCIES
Sub-Section 5.06
IT Security and Computer Use
Date: 01 October 2002
Page: 1 of 18
1. PURPOSE
1.01
The purpose of this policy is to provide information on government’s
security policies and practices.
2. APPLICATION
2.01
This policy applies to all employees, anyone under contract to the
government or anyone having access to the computer network(s).
3. POLICY
3.01
Computer Resources (including those transported and/or used outside the
office) contain client and personal information whose confidentiality,
integrity and availability must be preserved and protected at all times.
3.02
All employees who have been granted access to these resources must
read and understand the IT Security Handbook and Acceptable Use Policy
for Computer Systems (Attachment 4.01).
3.03
All employees must also sign the Acceptable Use Policy for Computer
Systems at the time they receive access to these resources. This signed
document is then given to the Human Resource Manager for their
Department (or designate) and kept on file.
4. ATTACHMENT
4.01
Attachment - Information Technology Security Handbook and Acceptable
Use Policy for Computer Systems.
Information Technology Security Handbook
and Acceptable Use Policy for Computer Systems
January 2001
Attachment 4.01
Maintaining Trust and Confidence
Islanders entrust the Government of Prince Edward Island with their sensitive and
private information and rely on us as employees to adequately safeguard this
information from unauthorized use. As employees, we must accept that security is
an important responsibility as we conduct the day-to-day business of government. The
measures contained in this handbook specify what protections should be taken to fulfil
this trust.
This handbook summarizes the main provisions of the government’s information
security policies and practices. It contains the highlights only and should not be
referenced as a substitute for detailed information contained in the formal policies,
standards and applicable legislation. These reference documents are available on the
government Intranet site at http://iis.peigov/. (Where the policy does not cover a specific
situation, common sense should prevail.)
Minimum IT security standards have been formulated by the IT Security
Coordinators Council with input and feedback from Senior Management and
approval of Treasury Board.
You should keep this document readily available during your employment with
government. It has been developed for your convenience and you are encouraged to
refer to it often. Responsible protection of private and confidential information is
essential to maintaining the trust and confidence of Islanders we serve.
Bill Drost, Chief Information Officer
Government of Prince Edward Island
Introduction
The security requirements in this handbook apply to all employees, anyone under
contract to the government or anyone having access to the government-wide
computer network(s). Although this handbook deals primarily with electronic
records, similar safeguards should be in place for recorded information in other
formats, including printouts of electronic information.
Some of the information applies specifically to managers and supervisors and is
highlighted accordingly. If you have any questions regarding security
procedures, endorsed procedures or you need clarification or interpretation of
the contents of this handbook, please contact your manager/supervisor or your
departmental Information Technology Security Coordinator.
Note to Managers/Supervisors
As a manager/supervisor, you need to be aware of the contents of
this handbook in order to ensure your staff are aware of and are
following these procedures. You are responsible for the security
within your assigned area.
Information You Need to Safeguard
All government information and assets require good, basic care. There are,
however, certain types of information and assets which are more sensitive or
valuable and these require enhanced safeguarding. We must categorize
information and services that have a confidentiality, integrity or an availability
requirement and protect them accordingly.
Confidentiality
Confidentiality is the expectation of privacy of information. There are three
levels of confidentiality: none, normal and high. The no (none)
confidentiality requirement is for information that is considered public
knowledge, and as such, would not cause any embarrassment to government
or any individual should the information be released.
The normal confidentiality requirement is for information that could cause
embarrassment to government or any individual should the information be
released.
The high confidentiality requirement is for information that could likely
cause significant financial or social hardship or embarrassment to
government or to an individual should the information be released.
Integrity
Integrity is the correctness of the information once it is entered into the
computer system; that is to say, the data or information has not been altered,
except by an authorized individual. Integrity also has three levels: none,
normal and high. No integrity requirement would mean that there would be
no impact if the data were incorrect.
Normal integrity requirement would mean that the information should be
correct and accurate, but the impact of it being incorrect would have minor
consequences.
High integrity requirement would mean that the information must be correct
and accurate, or there could be significant financial or other serious
implications.
Availability
Availability is the maximum acceptable downtime for computer systems that
the organization or government can accept while still maintaining its
objectives and deliverables. More than seven days availability means that
the computerized information or services could be unavailable for at least a
week, with no serious impact to the organizational or governmental
deliverables.
Between one and seven days availability means that the computerized
information or services must be available within this time frame.
Less than one day availability means that the computer information or
service is critical to the programs being delivered by the organization and
government.
Information Classifications
All sensitive government information and systems
must be protected or guarded from unauthorized
access, disclosure, removal, modification and/or
interruption. After information has been
categorized, it must be classified depending on its
sensitivity.
Three classifications determine the level of
sensitivity of information and assets within the
government.
Open or Public Information and Assets
With open or public information and assets, the disclosure or loss would
not be an invasion of privacy, or cause hardship or monetary loss to our
citizens or ourselves, e.g. general policies and procedures and legislation.
Protected Information
With protected information or assets, the disclosure or loss would be
expected to be an invasion of privacy, or cause hardship or monetary loss, or
could be detrimental to relations between governments, i.e. information that
needs to be accurate and correct, such as payroll or accounting data;
information or systems that are essential to the government such as health
information or computer systems. In general, information about individuals
which is not widely available should be protected whether or not such
information would be embarrassing to that person.
Particularly Sensitive Information
With particularly sensitive information, the disclosure would be expected
to be a major invasion of privacy; cause serious harm to either citizens,
corporations or employees; or could be detrimental to relations between
governments, e.g. highly sensitive data such as client health records,
investigative reports of law violations, and pre-release budget information.
This information requires special handling and security procedures to
adequately protect it.
In the absence of legislation, it is difficult to define information which falls
within the protected or particularly sensitive categories. However, the
following classes of information should be adequately protected:
• information which, if disclosed, could be harmful to business
interests; an unreasonable invasion of personal privacy; harmful to
law enforcement; harmful to economic and other interests of a public
body; or harmful to intergovernmental relations; and
• pre-decisional advice and recommendations involving staff and
members of Executive Council or confidences of a public body.
Note to Managers/Supervisors
As a manager/supervisor, you are responsible for ensuring that
information authored in your area of operations is properly
categorized; that all employees are aware of the correct
classification in your area; and that all employees are aware of
the correct classification of information used in your area but
authored elsewhere.
Access to Information
You are entitled to have access to all information and assets needed to perform
your assigned work. Access to information and assets is not permitted to satisfy
your personal interests. You must always be alert and not reveal information to
your co-workers or others unless they specifically require it for their own
assigned tasks. Beware of any attempt by non-authorized personnel to gain
access to sensitive information, and report to your manager/supervisor all such
attempts.
Mailing of Information and Assets
Open or public information and assets can be sent internally and externally in
any manner appropriate, i.e. no special security procedures are necessary.
Protected information and assets (except cash and negotiables) may be mailed
within government by using a reusable (economy) envelope, or externally by
using a properly addressed, single gum-sealed envelope.
Particularly sensitive information is not normally mailed outside of
government. However, it may be mailed within the government by using a single
gum-sealed envelope properly addressed and labelled “To be opened by
addressee only”. A return address is required. Externally, particularly sensitive
information may only be sent by courier or registered mail with proof-of-mailing.
A record of delivery is required.
Electronic Mail
The government approved e-mail system transmits all its internal messages and
attachments in an encrypted form, i.e. if you are sending a message or document to
someone else within the government, the message or document will be protected within
the system. Therefore, it is permissible to send any category of information via the e-mail
system within government.
Messages going to someone outside of the provincial government will be
decrypted and sent without protection when they leave the control of the
government approved e-mail system. Therefore, messages and documents being
sent to outsiders should not contain sensitive information unless alternate forms
of encryption can be applied.
Here are some general rules to follow regarding the use of e-mail:
• The Internet should not be used for any level of sensitive information,
unless it is encrypted as noted above. Exercise caution.
• Keep attachment size to less than the current government standard. Use
FTP to exchange files greater than the government standard size.
(Contact your system administrator for information on FTP.)
• Don’t carbon copy mail unnecessarily.
• External e-mail accounts provided free by Internet search sites and
engines, e.g. Hotmail, Infoseek mail, Yahoo mail, Hotbot mail, must not
be used to exchange government information.
• E-mail is to be used in direct support of authorized projects and
activities.
• Never abuse the e-mail system by changing the sender’s name.
• Never abuse the system by sending offensive e-mail.
• Never abuse the e-mail system by sending mail to everyone in the Post
Office unless authorized to do so by your deputy.
Storing Information and Assets
Open or public information and assets are to be stored in an appropriate
manner.
Protected information must be secured in a locked cabinet or storage container
when not being accessed or used or when you will be away from your desk for an
extended period of time. Information and assets must be protected from individuals
who do not share your need to access in order to perform their assigned tasks.
Particularly sensitive information, when not being used, is to be stored in a
locked filing cabinet.
Disposing of Information and Assets
All information created by or supplied to government must be regarded as
government records. As such, you are bound by the provisions of the Archives
Act regarding disposal of information. No recorded information should be
disposed of except in accordance with the procedures outlined in the Archives
Act.
Information, including open or public information and assets, must be destroyed
in the manner outlined in the Recorded Information Management Policy which
can be located at the provincial government Intranet site at http://iis.peigov/. For
information you should contact your department’s Records Management Liaison
Officer.
Due to the potential embarrassment it might create if it were improperly disposed
of, protected and particularly sensitive information is to be destroyed.
Computer storage media, e.g. floppy disks, CDs, and video and audio tapes are
to be disposed of as outlined in the “Procedures for the Disposal of Government
Information on Computer Media”.
Note to Managers/Supervisors
As a manager/supervisor, you must ensure that your staff know
about the proper procedures for disposal of recorded information
and assets.
Computer Use and Access
Information technology systems include all types of computer systems, such as
the mainframe, servers, workstations, personal computers, laptop/notebook
systems, handhelds and PDAs (Personal Digital Assistants).
The use of these systems and the software and information they contain is
granted on a need-to-know basis only. All systems with access to sensitive
information and assets will require you to identify yourself by a user ID, and to
confirm your identity with a password. You are responsible and accountable for
all activities performed under your user ID and accesses made to computer
systems may be recorded and monitored.
Therefore, you should follow these security guidelines:
Passwords
All users are to be uniquely identified by user ID and verified by password
before being granted access to any sensitive information stored or processed
on departmental computer systems.
Passwords are to be selected by the user, must contain at least one special
character, and should be difficult to guess. Family names, dates, telephone numbers, or
words found in dictionaries should not be used as passwords.
Passwords must be a minimum of five characters in length.
Passwords should be memorized (not written down) and not shared.
Network accounts are to be locked after five login attempts and may only be
re-activated by an authorized person.
Passwords are to be changed at least every 90 days. Passwords should be changed
immediately if compromise is suspected.
Computer Use
When leaving your computer you should log out, lock your workstation or
use a password protected screen saver to prevent others from accessing
information under your user ID. Screen savers with passwords are required
to deactivate the display of a session after five minutes of inactivity unless
exceptions are approved in writing by the Information Technology Security
Coordinator for that department or area. It is good practice to sign off if you
plan to be away from your workstation for more than two hours.
You should position your computer screen in such a way as to minimize the
possibility of others reading the information shown there.
Data Files
Removable media such as tapes, disks and CDs containing software and
government information are to be stored in a locked cabinet or drawer when
not being used.
Do not store sensitive information on your hard drive or removable media
unless it is encrypted by approved software.
Remote access to or from computer systems storing or processing sensitive
government information will only be permitted if it is in accordance with
endorsed guidelines.
If you must store information on your workstation, you are responsible for
making backup copies at regular intervals, and storing them in a secure
place, off-site if necessary. You should be using LAN systems to store
essential information, as they are backed up daily.
Note to Managers/Supervisors
As a manager/supervisor, you should ensure that your staff know
the proper procedures for creating and using passwords, storing
sensitive information and remotely accessing systems. You must
ensure that staff know how to virus scan, store essential
information on LAN systems and backup information on their
workstation.
Software
Removal of or alterations to computer hardware or components and
changing computer system configurations are not permitted unless approved
by the IT Security Coordinator or designate.
Software used on government computer systems must comply with all
copyrights and vendor agreements on use and distribution. Computer
software installed on computer systems must be approved by the IT Security
Coordinator or designate as non-approved software cannot be supported if
problems occur, and can have a negative effect on the performance and
security of all computer systems.
Virus Protection
Computer viruses can infect and destroy valuable information. Your daily
work may be lost or corrupted if your workstation is infected, and
everyone’s daily work may be affected if the LAN system becomes infected.
Therefore, you should scan all data, programs and disks from any outside
sources, as well as new or rented equipment, before use. Endorsed computer
virus protection software must be active on all computer systems.
Note to Managers/Supervisors
As a manager/supervisor, you must ensure that computer
hardware alterations and configurations are handled by IT staff;
that sufficient copies of required software licences are available at
the work site; that copyright agreements are respected; that
unauthorized software is not installed on departmental systems
and that staff know how to virus scan.
Modems
Modems must not be connected to your computer system unless approved
by your IT Security Coordinator. Exceptions may be granted for dial-out
access only under the following conditions:
• the dial-out access is required to conduct government business;
• the service required cannot be provided in any other way;
• the modem must have auto-answer disabled;
• external modems must be powered off when not in use; and
• internal modems must be disconnected from the phone line when not in
use.
Refer to Endorsed Procedures for Remote Access.
Note to Managers/Supervisors
As a manager/supervisor, you must ensure that no modems are
connected to networked computers unless approved by IT Security
Coordinator or designate.
Facsimile Machines
Facsimile machines should not be used to transmit particularly sensitive or protected
information. For open or public information, care must be exercised that the number
dialled is the correct number as the transmission will proceed, even if it is not the
intended destination.
Protecting Information and Assets Outside the Office
Open or public information requires no special handling procedures or authorizations
when taken outside the office.
Protected information and assets may be taken outside the office provided you have
proper authorization. You must take care to ensure that such information or assets are
not exposed to viewing by unauthorized individuals and that sensitive conversations are
not overheard by others. Such information and assets should be contained in an
appropriate briefcase or container with an identification tag indicating the return address
or telephone number. If you use an automobile, the briefcase or container should be
placed in the trunk or at least out of sight if you leave the locked automobile unattended.
If protected information is in electronic format, e.g. on a laptop computer, it
must be encrypted and all users must adhere to Portable Computer Endorsed
Procedures. Protected information and assets may be left in rental
accommodation or kept at an employee’s residence provided they are returned to
the locked briefcase or container and placed out of sight.
Particularly sensitive information should not normally be taken outside
government offices. If such information must be removed from the office,
approval must be obtained from a manager or supervisor. The information must
be locked in a cabinet or significant sized container when not being worked
upon.
If a computer (laptop, notebook or desktop) is moved offsite, then Portable
Computer Endorsed Procedures must be followed.
Note to Managers/Supervisors
As a manager/supervisor, you should ensure your employees are
aware of security precautions when taking sensitive information or
assets outside the workplace.
Security Incidents
A security incident is any occurrence which did or could compromise the
security of government information, systems or employees. It includes the
unauthorized access or attempts to access sensitive government information or
assets, theft of assets, or contraventions of the security policies and rules. All
such incidents should be reported to your supervisor/manager, and to the IT
Security Coordinator or designate for your area if it involves computer systems.
Good business practices dictate that the department apply sanctions when a
security violation occurs as a result of negligence or misconduct by an employee.
Such circumstances could therefore lead to administrative, disciplinary or
statutory actions. For more information, contact your supervisor/manager.
Note to Managers/Supervisors
As a Manager/Supervisor, you should investigate every reported
security incident, and implement corrective action as needed. You
are also responsible to report incidents to your IT Security
Coordinator or designate if they involve computer systems.
Business Resumption Planning
Business Resumption Planning is a program designed to prepare managers to
resume the provision of essential services, programs and operations after they
have been disrupted for any reason. A contingency plan to restore computer
services should be included in the business resumption plan.
Note to Managers/Supervisors
As a manager/supervisor, you should ensure that business
resumption plans for areas under your authority which are involved
in essential services, programs and activities, are developed,
implemented and kept up-to-date for use in the event of a disruption.
IT Security Coordinators’ Council
Security and Privacy Officer
Provincial Treasury: Garth Matthews
Committee Members
Agriculture and Forestry: Catherine Millar
Auditor General’s Office: Vaughn Smith
Community and Cultural Affairs: Murray Brownell
Development and Technology: Charlotte Gorrill
Education: Linda Trenton
Fisheries, Aquaculture and Environment: Gordon Jenkins
Health and Social Services: Faye Campbell
Office of the Attorney General: Murray Brownell
PEI Business Development: Mark MacBeth
Provincial Treasury: Keith Larter
Provincial Treasury (Taxation): Sherry McCourt
Public Service Commission: Janet McGarry
Tourism: Trevor Waugh
Transportation and Public Works: Dawn Lund
Transportation and Public Works: Rose Gallant
Information on policies or endorsed procedures may be obtained from your
supervisor, departmental IT Security Coordinator or from the Information
Security section on the PEI Government Intranet site at: http://iis.peigov/
References
Organization and Responsibilities (Treasury Board Policy and Procedures 16:01)
Planning and Management of Information Technology (Treasury Board Policy and Procedures 16:02)
Minimum IT Security Standards (Treasury Board Policy and Procedures 16:02 - III)
Acceptable Use Policy for Computer Systems
Endorsed Procedures for Disposal or Transfer
Endorsed Procedures for Remote Access
Endorsed Procedures for Virus Protection
Endorsed Procedures for Encryption
Firewall Rule Change Procedure
Portable Computer Endorsed Procedures
Information Technology Security Handbook
Definitions:
Electronic Data means data that is stored and readable in electronic form without
regard to the hardware or software used to produce the data, excluding computer
software.
Computer Software is defined as written programs, procedures or rules and
associated documentation pertaining to the operation of a computer system, which
includes packaged software, downloadable executables, screen savers, macros,
freeware, and shareware.
Computer Hardware is defined as Workstations, Personal Computers, Network
Computers, Laptops, Notebooks, Servers, Handhelds and any other peripherals.
Computer Systems is a combination of Computer Software and Computer Hardware.
Computer Resources are defined as the Computer Systems and all electronic data.
The following is the Government of Prince Edward Island’s Acceptable Use
Policy for Computer Systems. All computer users are required to sign this
document to acknowledge that they have read and understand this policy. Once
signed it is to be given to your Human Resource Manager or designate.
Government of Prince Edward Island
Acceptable Use Policy for Computer Systems
Policy:
Computer Resources (including those transported and/or used outside the office)
contain client and personal information whose confidentiality, integrity and
availability must be preserved and protected at all times. You have been granted
access to these resources with the understanding that you will observe the
following:
1. Computer Resources will be used only in direct support of authorized
projects and activities.
2. You are responsible and accountable for the use of your user ID,
passwords and access control items in your possession for the computer
systems. They are not to be shared with anyone without the approval of
your IT Security Coordinator or designate.
3. Removal of, or alterations to, computer hardware or components must be
approved by the IT Security Coordinator or designate.
4. Computer software installed on computer systems must be approved by the
IT Security Coordinator or designate.
5. Changing computer systems configuration is not permitted unless approved
by the IT Security Coordinator or designate.
6. Copyright provisions of computer software must be adhered to - no
unauthorized copying.
7. Electronic data received from external sources, including the Internet, must
be scanned for computer viruses before being executed or stored on
computer systems.
8. Computer systems are not to be used for any activity which will cause
embarrassment to you or the government and must not be used to access or
promote pornography, racism, hatred or any illegal activities.
9. Electronic data must be stored on the file server where possible. If
electronic data is not stored on the file server, it is your responsibility to
prepare and maintain backup copies.
10. Any breach of this policy is to be reported immediately to your supervisor
and the IT Security Coordinator or designate.
11. You will be held personally responsible for a violation of this policy,
which can lead to loss of access privilege, or disciplinary actions up to and
including dismissal.
12. Use of computer systems can and will be monitored periodically for
compliance with this policy.
I have read and understand the Information Technology Security Handbook
and The Acceptable Use Policy for Computer Systems.
Date: _______________ Name of User: ________________________
User’s Signature: _____________________________
Witness: ___________________________________
Guide to Information Security
Information Guide for Employees
Contents
Introduction
Information Security Policies and Procedures
Confidentiality, Integrity, Availability
Information Categorization System
Basic Security Principles
Safe Electronic and Physical Document Handling
Passwords
Internet, E-mail and Social Media
Social Engineering
Authorized and Acceptable Use of Software
Privacy and Access
Protecting Your Work Space
Mobile Computing and Working Away from the Office
Reporting Incidents or Problems
References
Websites of Interest
For further information contact:
[email protected]
T: 620-3600
F: 368-4716
[email protected]
or
T: 569-7509
F: 569-7632
Introduction
Treating information safely and securely, we all help build a stronger PEI based on public
trust and confidence.
We all play an important part securing the information and information technology systems
that we work with every day.
Information and information technology systems are important parts of our work
environment. We all handle documents, enter data into applications, create electronic
messages and post and use content on web sites. Recently, more and more of us are
using mobile computing and wireless technology as part of our daily work. We use
information and information technology systems to analyze and resolve problems, make
decisions, plan actions and deliver services to the residents of Prince Edward Island.
Islanders must be able to trust the government to protect the information we collect from
them and rely on the accuracy and quality of information that is provided by government to
make policy decisions and deliver services.
This guide provides a brief overview to all employees
and contractors of the Government’s responsibilities
regarding information security. The guide will help you
understand basic security principles and facts, your role
in protecting information and information technology
systems and how to get the security training that you
need.
It is our goal to have all personnel complete security
awareness training at least annually and upon
commencement with the Provincial Government.
For some employees, reviewing this guide will help you meet the requirements, while others
may require additional training.
As you follow the tips provided in this guide, you will be helping to secure the information
stored across government. By treating information safely and securely, we all help build a
stronger Island based on public trust and confidence. So, whether you have been with the
government for a short period of time or for decades, make information security one of your
top priorities.
Information Security Policies and Procedures
Sensitive information is information that is sensitive to unauthorized disclosure or loss of
confidentiality.
Protecting the personal information of Islanders is a priority for the Government of Prince Edward
Island. All Government of Prince Edward Island employees and contractors must be committed to
protecting client information from unauthorized collection, use and disclosure.
The government’s information security program is directed by
the Office of Information Protection. This office is responsible
for overseeing all aspects of security for the Government of
Prince Edward Island information technology systems. The
Office of Information Protection maintains a manual that helps
complement security directives and provide more detailed
direction on how to handle specific issues such as security
incidents, managing passwords and assessing security risks.
The Office of Information Protection’s main role is to assist
departments in making sound business decisions by providing reliable information about security
threats and risks.
Throughout this guide, you will find references to “sensitive information”. Sensitive information is
information that is sensitive to unauthorized disclosure or loss of confidentiality.
Unrestricted information is not sensitive and includes information that can be routinely shared with
the public including application forms, published news releases, fact sheets, public reports and
policy statements.
Protected information is considered sensitive if shared outside government, but is usually available
within government to employees who need to know the information to do their job. Protected
information can include draft versions of documents and some internal discussion papers intended
to provide options for decision makers.
Confidential information is sensitive even inside the government and is accessible only to
employees in specific functions or roles. This includes information such as personnel files or exam
results.
Restricted information is highly sensitive and only available to specific employees. This includes
investigation documentation, personal medical records, witness protection information and child
abuse records.
Confidentiality, Integrity, Availability
First and foremost, ensuring the security and privacy of sensitive taxpayer information is a must.
We are all accountable for protecting the confidentiality, integrity and availability of information.
Information is a valuable government asset and is essential for the delivery of services and the
development of policy decisions that are in the best interests of Islanders.
Protecting the confidentiality of information includes controlling the sharing of sensitive or proprietary
information with others. Such sharing must only take place if you have been authorized to do so,
and only if there is a need to know or a right to know. It also means taking steps to prevent any
unauthorized disclosure of information.
Leaving files with sensitive information in a public place or storing documents unprotected on a
mobile device such as an iPad is something that causes loss of confidentiality.
The integrity of information is about maintaining the reliability and accuracy of information so it can
be used to make informed business decisions. An unauthorized change of financial information
used for decision making is an example of something that causes loss of integrity.
Ensuring the continued availability of information means it is accessible to those who need the
information when it is required. A system outage is something that causes loss of availability, and
the more important the system is, the more severe the consequences.
When there has been an event that causes loss of confidentiality, integrity or availability, this is a
security incident that will be discussed later in this guide.
We also have obligations to protect personal information under
the Freedom of Information and Protection of Privacy Act
(FOIPP) and other applicable PEI legislation or policies. As
public servants providing a wide range of services, we are
stewards of the personal information Islanders provide to us.
If part of your work includes managing or designing an
information technology system or application, you should
conduct a threat and risk assessment to identify what kinds of
safeguards are needed.
Protecting information at work isn’t much different from protecting valuables in your home. In some
situations, simple locks on doors and closed windows are enough. In others, access passes or
security alarms may be required. Assessing the risk helps you determine the necessary level of
protection.
Information Categorization System
The Government of Prince Edward Island has set out a categorization system which is outlined in
the Treasury Board Manual, section 16, Planning and Management of Information Technology.
iis.peigov/dept/tboard/manual/index
Throughout this guide, you will find references to “sensitive information”. Sensitive information is
information that is sensitive to unauthorized disclosure or loss of confidentiality.
Sensitive Government information and services have three components of security:
Confidentiality is the expectation of privacy of information.
There are three levels of confidentiality requirements for
information: none, normal, and high confidentiality.
Integrity is the correctness of the information once it is entered
into the computer system; that is to say, the data or
information has not been altered, except by an authorized
individual.
Integrity also has three levels or degrees: none, normal and
high.
Availability is the maximum acceptable downtime for computer systems that the organization or
Government can accept while still maintaining its objectives and deliverables. The availability of
computer systems therefore depends on the degree of manual processing that can be done to
deliver departmental or governmental objectives and deliverables. Convenience or effectiveness
should not be a factor. In determining the maximum downtime, the worst-case scenario must be
used. Once again, there are three levels of availability: more than 7 days, between 1 and 7 days,
and less than 1 day.
Basic Security Principles
Directors/Managers should regularly review what sensitive information they collect, use and disclose
and who has access.
There are some basic security principles that you should all be aware of:
Need-to-Know: People should have the minimum amount of sensitive information that they need
to know in order for them to perform their duties. If they aren’t required to know sensitive
information, they shouldn’t be given access to it. From an administrative perspective, managers
should regularly review the kinds of sensitive information that their employees have access to. The
“need-to-know” principle is not intended to limit information sharing across government or among
employees, but it is intended to ensure that the information being shared is being shared with
legitimate need or purpose (such as improving service delivery or creating a new policy).
Segregation of Duties: This means dividing job responsibilities for sensitive job functions between
several individuals in order to provide a check and balance. For example, someone investigating a
security or privacy incident should not be someone who was involved in the incident.
Authorization to Use and Disclose: Once you’ve been given
access to information, you are required to use that information
only during the course of your work for the purpose for which
it was collected and for which you need to know the
information. Using or disclosing that information for personal
gain, for unrelated purposes or outside your responsibility is
prohibited.
Safe Electronic and Physical Document Handling
If there are any questions about securing information, please contact the Office of Information
Protection.
When you are using or handling sensitive or personal information as part of your work, there are
some general guidelines you should follow to keep it secure.
• Ensure that sensitive information you are working on is not visible to others, whether it is on
your monitor or on your desk.
• Verify that you are using the correct e-mail address, fax number or printer name before sending
sensitive information.
• Lock your computer workstation when you need to leave your desk (Control-Alt-Delete).
• If you are not sure whether you are authorized to share certain information with someone, be
cautious and ask your supervisor.
Your department or program area may also have specific practices
that you will need to follow, so be aware of them.
The Government of Prince Edward Island retains official records of
information and has records retention and disposition schedules
for handling these records. Draft documents or copies of original
material are referred to as “transitory records” and can usually be
regularly disposed of when no longer needed for day-to-day work.
Get to know the procedures for properly handling and disposing
of transitory records in your program area. Your Senior Records
Management Liaison Officer can provide you with more
information about records management processes.
Removable storage devices such as CDs or USB drives should be locked away when you leave for
the day. The Service Centre or the Office of Information Protection can tell you what types of
devices are acceptable and the best procedure for disposing of information when you no longer
need it.
Passwords
To err is human….to really foul up you require a password.
Effective passwords protect your computer and other devices, such as mobile devices, from being
used or abused by others. To check your current computer security, ask yourself the following
questions:
Do I use passwords that someone could easily guess, like my pet’s name or my birthday?
Do I use common words found in the dictionary?
Do I routinely allow my computer to remember passwords so I don’t have to type them in every time?
Do I use the same password elsewhere?
If you answered yes to any of the above questions, the information on your computer could be at
risk. When selecting a password, your goal is to make it as difficult as possible for someone to
guess. This is a small yet critical step in protecting the confidentiality, integrity and availability
of information within the workplace.
Create a password that is at least eight characters long and is
a combination of mixed-case letters and digits, for example
AbGrl4498. Consider choosing a line or two from a song or
poem and use the first letter of each word. For example, “I’m
Bud the spud, from the bright red mud” becomes IBtSftbrm.
Then take a random number and insert it so it becomes
IBtS65ftbrm.
Examples of effective passwords include: We2raed? (Who
eats two red apples every day?) Gt%Real2dY! (Get real
today!). Intentionally misspelling a word is even better, such as:
Git@Rele2dY.
Examples of weak passwords include: Bbrown123 (user name and simple number) Scuba41
(hobby with user’s age).
It is also very important not to share your ID and password with others, even your supervisor. Your
User ID identifies you as the person accessing a desktop, network or website. Allowing others to
use your User ID (and password) puts you at risk. You are accountable for all activities that occur
under your User ID.
Internet, E-mail and Social Media
DO NOT post anything you wouldn’t want your Mother to hear at your trial.
The Government of Prince Edward Island has an Acceptable Use Agreement which provides a
directive on what is appropriate in nature and will not incur additional cost or increased risk to the
Government. Technology that is provided by the Government of Prince Edward Island should not
be used for any personal activity that may cause embarrassment to the user or the Government
and must not be used to access or promote inappropriate sites.
Remember, information you send or attach to your e-mail can be intercepted, misused, stolen or
altered if sent to an address outside Government. Only the information that is sent within the
government network is encrypted. This could lead to the accidental release of sensitive
information. E-mail exchanged between two Government of PEI e-mail accounts remains within
our corporate computing network and is protected from disclosure.
Here are some general guidelines to follow:
• Don’t carbon copy mail unnecessarily.
• External e-mail accounts provided free by Internet search sites and engines, e.g., Hotmail,
Gmail, Yahoo mail, must not be used to exchange Government information.
• E-mail messages, once received or sent, are Government records; as such, users should
not have an expectation of privacy.
• Sending e-mail to all users in the system can only be done under the signature of your
deputy minister and must be sent at the end of the business day.
Social media networking sites such as Facebook, YouTube,
Twitter, Flickr and blogs are being utilized more and more to
communicate with citizens and stakeholders. Employees, acting
as private citizens, must use a private e-mail when posting
material to social media sites and ensure that they respect the
confidentiality of the Government of Prince Edward Island and
do not do anything that could harm the reputation of the
Government.
One major thing to remember: when you post something to a
website, it is immediately public and there is no way to change
that.
Also, information you send or attach to your electronic
messages can be intercepted, misused, stolen or altered if sent
to an address outside government. This could lead to the
accidental release of sensitive information. Messages exchanged between Government of Prince
Edward Island e-mail accounts remain within our corporate computing network and are protected
from disclosure. You should also take into consideration that your electronic messages may get
forwarded to another person or location by the person who received your e-mail.
Social Engineering
Check the bottom of your browser for the lock icon when considering providing personal or
sensitive information.
You may have heard the term social engineering: a technique used to try to trick users into
divulging information they should not. This can happen on the phone, in an e-mail or in a
casual conversation with someone.
One form of social engineering is phishing, a term derived from the phrase password harvesting. A
phishing e-mail tries to trick you into disclosing a password or other sensitive information.
An example is an e-mail which tells you to update your online banking information. This e-mail will
include a link to a phishing website that looks very much like your bank’s website – but isn’t a
legitimate site – and asks you to enter your online banking password. By typing in your password,
a malicious party operating the phishing website now has access to your online banking. Banks
never use e-mail to contact their customers to update any information. Read the e-mail carefully,
as you can often identify it as malicious through spelling errors, web addresses that are very similar
to a legitimate website but with small changes or any items that seem out of place. The Province
of Prince Edward Island’s e-mail is filtered for spam and potentially threatening e-mails and a great
majority of the incoming e-mails are blocked. Some spam or phishing e-mails will get past the
filters. If you get an e-mail that appears to be spam or phishing, delete it.
Another way to avoid phishing attacks is to not click on any links
within the body of an e-mail. Your best bet is to type the web
address, like gov.pe.ca, into the address bar. Sometimes
phishing websites have names similar to the name of a legitimate
site to try and trick users. Check the bottom of the browser to
see if the lock icon is present when providing personal or
sensitive information. If you still have doubts, pick up the phone
and call the Service Centre or the Office of Information Protection
and ask whether this is something that you should be doing.
Think before you “click”. Before you click on a link, check
whether it is actually connected to the address it claims to be. Move your cursor over the link
without clicking and the address will be displayed. Familiarize yourself with the addresses of the
site(s) you often use.
Authorized and Acceptable Use of Software
Programs for sale: fast, reliable, cheap – choose two.
Malware is short for malicious software. It is software specifically designed to damage or disrupt a
computer system. A computer virus, for example, is malware that spreads rapidly through the
Internet and e-mail attachments. It often hits without warning and when you least suspect it.
Malware might be disguised as appealing software such as a game, a toolbar or a screen saver
and you might not notice any immediate effect.
Spyware is a form of malware that captures information about you or your computer use habits
and sends that information over the Internet to a third party. Some spyware captures your
passwords or credit card information. Some reads your personal files or anything that you type
into your computer. Other forms of spyware monitor the websites you visit. It then uses this
information to market products or service(s) to you. Spyware almost always collects this
information without your consent. It may try to get you to consent to the collection by hiding it
within an agreement.
What can you do about malware? Be careful; if you are not
certain what the attachment is or who it is from, do not open
it. Do not attempt to change the settings of the virus
protection software installed on your computer. It is
configured to regularly scan for viruses and other malicious
software. And last but not least, contact the Service Centre
immediately if you suspect your computer has a virus.
Never download and install untested programs. In fact, most
government employees do not have administrative rights on
their computers, and are unable to install programs directly
from the Internet. It is for your protection and ultimately, for the
protection of all Islanders.
Privacy and Access
Questions regarding FOIPP? Check out gov.pe.ca/foipp
Government employees also have an obligation to protect personal information under the Freedom
of Information and Protection of Privacy (FOIPP) Act. All departments, agencies, boards, crown
corporations and commissions are bound by FOIPP. The act provides rules regarding the provision
of access to records and for protecting the privacy of all Islanders. Administering PEI’s FOIPP
legislation is an important part of the Government’s commitment to openness and accountability –
balanced by our responsibility to guard the personal information entrusted to us.
Privacy
Personal privacy is protected by legislation that outlines the
rules that must be followed when collecting, using and
disclosing personal information. No personal information may
be collected by or for a public body unless the collection is
expressly authorized by or under an enactment of Prince
Edward Island or the information is collected for the purpose
of law enforcement, or the information relates directly to and
is necessary for an operating program or activity of the
Government. When collecting information directly from an
individual, we need to tell that person why we’re collecting it,
under what authority, who their information will be shared
with and a contact if they have any questions.
All information collected can only be used or disclosed for the purpose for which it was collected
unless authorized. We must ensure that personal information is kept secure and confidential.
Access to Personal Records
Everyone has the right to see their own personal information – with few exceptions. Everyone also
has the right to request corrections to factual information to ensure accuracy. Opinions can’t be
changed. An annotation can be attached to the file stating that someone disagreed with the
opinion but the original record can’t be altered. Although legislation sets out a single process for
anyone to access records, it does not replace existing practices or limit alternative procedures for
providing access to information. Rather, the Act complements existing practices by establishing a
procedure for providing access where none exists.
Access to Information
You are entitled to have access to all information and assets needed to perform your assigned
work. Access to information and assets is not permitted to satisfy your personal interests. You
must always be alert and not reveal information to your co-workers or others unless they
specifically require it for their own assigned tasks. Beware of any attempt by non-authorized
personnel to gain access to sensitive information, and report to your manager or supervisor all
such attempts.
Protecting Your Work Space
Ask for ID, legitimate visitors won’t mind.
Keeping your work space protected is another important part of information security.
Here are a few general practices:
• Keep your desk or work area clear of papers or other materials when you are out.
• Lock all sensitive information in your desk or a filing cabinet.
• Lock any portable computing and storage devices in your desk or filing cabinet.
• Ensure access to areas where sensitive information is processed or stored is controlled and
restricted to authorized personnel only.
• Promptly retrieve any sensitive documents that are sent to centralized printers.
• Consider whether you really need to print a document. If you do not print a confidential document,
it is not going to get lost and you will not have a document to
securely dispose of when you are finished.
• Keep aware of the people who are around your work space. Are
they authorized to be in the area?
Mobile Computing and Working Away from the Office
As valuable as the equipment is, the information is the true valuable asset.
Portable devices such as laptops, personal digital assistants (PDAs), cell phones and Blackberries
are convenient and provide us with options to work outside the office. As our desire for a flexible
workplace grows, so does the potential of portable computing equipment being lost or stolen. As
valuable as the equipment is, the information stored on it may well be more valuable.
If you’ve received authorization to take sensitive information home or access it from another
location, ensure that the information is safe. Treat it like you would your wallet or credit card. Some
additional suggestions and tips for keeping your laptop or portable computing equipment secure
are:
• Use a locking cable or device to secure your laptop to your workspace.
• Store your laptop in a locked drawer or cabinet or in a locked office.
• Avoid leaving your portable computing device in a vehicle. If you do so, ensure that it is locked
in the trunk out of sight.
• Store personal or confidential information on your portable computing device only if you have
permission to do so and only for as long as you need it. Store only the minimum amount you
require.
• Always ensure that you use a password or other form of authentication to access information on
your portable computing device.
• If you discover your mobile computing device is missing, report it to your Supervisor and the
Service Centre immediately.
Remember, these are general suggestions and your specific circumstances may require different
protection. Discuss your situation with your supervisor and contact the Service Centre to determine
what will meet your specific needs.
You should follow similar steps to protect paper-based information. Don’t leave files in plain sight in
your car or review confidential files in a public place such as an airplane or coffee shop.
If you need to work on your laptop or portable computer
outside the office, contact the Service Centre; the support staff
can help outline what services are available and provide
direction on how to manage information safely.
Reporting Incidents or Problems
Report any incidents to the Service Centre and your Departmental Manager immediately.
Imagine someone breaking into your computer or account and using your Government e-mail
address. You have no control over the message being sent, yet every indication is that the e-mail
came from you. Eventually, you may be able to identify who sent the message, but this situation
can be avoided by taking effective information security precautions.
Other indicators of potential incidents might include files on your
computer that you’re not familiar with, changes to your hardware
or software configurations, services that are no longer accessible
or if your computer shuts down for no apparent reason. If
something seems amiss with your computer, notify your
supervisor or the Service Centre immediately.
Personal or sensitive information may also be lost if you forget
your briefcase while travelling, or your car, hotel room or home is
broken into, or your laptop, cell phone or Blackberry is lost or
stolen. Whether the sensitive information is paper-based or
electronic, it is still a security incident.
If you think personal or sensitive information has been accidentally disclosed, you must notify your
supervisor and the Service Centre immediately.
This will allow:
• your information security staff to review the facts and determine what needs to be corrected to
ensure it doesn’t happen again; and
• departments to take steps to minimize any harm to individuals that may result from the loss of
their personal information.
We learn from our mistakes. The objective of reporting and reviewing incidents is not to place
blame but to make improvements to better manage information security in the future.
If your computer or electronic device has been lost or stolen, you must report this incident to the
Service Centre and your supervisor immediately. There is a User Check list located at
insite.gov.pe.ca/group/itss-community/documents-and-forms.
References
Information about Freedom of Information and Protection of Privacy (FOIPP)
gov.pe.ca/jps/index.php3?number=1024336&lang=F
Office of the Information and Privacy Commissioner of Prince Edward Island
assembly.pe.ca/index.php3?number=1013943&lang=E
Websites of Interest
• Canadian Anti-Fraud Call Centre – antifraudcentre.ca
• Public Safety Canada - publicsafety.gc.ca/index-eng.aspx
• RCMP Scams - rcmp-grc.gc.ca/scams-fraudes/index-eng.htm
Useful Websites for Home Internet Users
• AVG Free AntiVirus Software: grisoft.com/
• Ad-Aware Free AntiSpyware Software: lavasoftusa.com/
Acceptable Use Agreement for Government-Provided
Computer Technology
Introduction:
This agreement is in place to protect employees, the employer and the information in the Government’s custody or
under the control of a public body. It applies to all employees, independent contractors, temporary workers and all
other individuals using Government owned electronic information resources.
The confidentiality, integrity and availability of computer technology used inside or outside the work place,
that contains client and personal information, must be preserved at all times. Access to this Government-provided technology is granted under the following conditions:
1. Government-provided computer technology is to be used to support authorized programs and services.
2. Users must use only system information technology they are authorized to use and use them only in the manner and to
the extent authorized. Ability to access information technology resources does not, by itself, imply authorization to do so.
3. Changing the Government-provided computer system configuration is not permitted unless approved by End User
Support.
4. Personal use of Government-provided computer technology is to be of an appropriate nature that will not incur additional
cost or increased risk to the Government. Such technology is not to be used for any personal activity that may cause
embarrassment to you or the Government and must not be used to access or promote inappropriate sites, including but
not limited to pornography, racism, hatred, gambling, obscenity or any illegal activities.
5. You are responsible and accountable for the use of your user ID, passwords and other access control items in your
possession for computer technology. They are not to be shared.
6. The bandwidth available to Government is limited. Therefore the use of streaming audio and video (e.g. Online radio,
YouTube, etc.) should be limited to a work related need.
7. Removal of, or alterations to, Government-provided computer hardware or components must be approved by End User
Support.
8. Prior to downloading or installing software on Government-provided hardware, confirmation of acceptability must be
obtained from your Departmental Information Technology Architect (ITA).
9. You must not violate the privacy of other users and their accounts, regardless of whether those accounts are securely
protected. Technical ability to access others’ accounts does not, by itself, imply authorization to do so.
10. You should not leave your computer unattended while logged on to the network. A password protected screen saver is
required to reactivate a session after 5 minutes of inactivity.
11. Work related electronic data must be stored on the Government-provided file server where possible. If work related
electronic data is not stored on the file server it is your responsibility to prepare and maintain backup copies in
accordance with Government Policies, the Archives and Records Act and the Freedom of Information and Protection of
Privacy Act.
12. Wilful or intentional violations of this agreement will be considered to be misconduct and violators of this agreement may
be denied access to the Government-provided computer technology and may be subject to other penalties and
disciplinary action in accordance with the Civil Service Act and Regulations. Violation of this Agreement may result in
discipline that may include but not be limited to termination of employment and/or other legal action.
I have read and understand “The Acceptable Use Agreement for Government-Provided Computer
Technology” and recognize that technical monitoring takes place to protect the system and ensure users are
complying with this policy. I agree to access and use the Government-provided computer technology only in
accordance with the terms and conditions set out in this Agreement.
Date: ___________________________
Name of User: __________________________
(Please Print)
Witness: _________________________
User Signature: _________________________
Definitions:
Acceptable Use Policy (AUP) is a written agreement all users of the Government-provided computer technology
adhere to for the common good. An AUP defines the intended uses of the network including unacceptable uses and
the consequences for non-compliance.
Computer Hardware refers to workstations, stand alone computers, network computers, laptops, notebooks,
servers, PDAs, Blackberries and any other peripherals.
Computer Software refers to written programs, procedures or rules and associated documentation pertaining to the
operation of a computer system, which includes packaged software, downloadable executables, screen savers,
macro, freeware and shareware.
Computer Technology, for the purpose of this agreement, is Computer Systems and all electronic data.
Electronic Data is data that is stored and readable in electronic form without regard to the hardware or software
used to produce the data, excluding computer software.
Office of Information is the designated authority responsible for maintaining and monitoring compliance with
Government Security Policies and Directives.
SecurID is a mechanism developed for performing two-factor authentication for a user to a network resource.
A Token is used to prove one's identity electronically. The token is used in addition to or in place of a password to
prove that the employee is who they claim to be. The token acts like an electronic key to access something.
Virtual Private Network (VPN) is a network that uses primarily public telecommunication infrastructure, such as
the Internet, to provide remote offices or traveling users access to a central organizational network.
Disciplinary Action:
Please take the time to peruse the following two links. They will be useful in explaining where the disciplinary
consequences of any violation arise from.
1. Treasury Board – Section 16.02 – Security Policies: http://iis.peigov/dept/tboard/manual/pdf/sec1602.pdf
2. Civil Service Act and Regulations:
Section 31 – 33 of the CSA Regulation: http://www.gov.pe.ca/law/regulations/pdf/C&08G.pdf
Acceptable Use Agreement for Government-Provided
Computer Technology for External Contracts
Introduction:
This agreement is in place to protect employees, the employer and the information in the Government's custody or
under the control of a public body. It applies to all employees, independent contractors, temporary workers and all
other individuals using Government owned electronic information resources.
The confidentiality, integrity and availability of computer technology used inside or outside the work place,
that contains client and personal information, must be preserved at all times. Access to this Government-provided
technology is granted under the following conditions:
1. Government-provided computer technology is to be used to support authorized programs and services.
2. Users must use only system information technology they are authorized to use and use them only in the manner and to
the extent authorized. Ability to access information technology resources does not, by itself, imply authorization to do so.
3. Changing the Government-provided computer system configuration is not permitted unless approved by End User
Support.
4. Personal use of Government-provided computer technology is to be of an appropriate nature that will not incur additional
cost or increased risk to the Government. Such technology is not to be used for any personal activity that may cause
embarrassment to you or the Government and must not be used to access or promote inappropriate sites, including but
not limited to pornography, racism, hatred, gambling, obscenity or any illegal activities.
5. You are responsible and accountable for the use of your user ID, passwords and other access control items in your
possession for computer technology. They are not to be shared.
6. The bandwidth available to Government is limited. Therefore the use of streaming audio and video (e.g. Online radio,
YouTube, etc.) should be limited to a work related need.
7. Removal of, or alterations to, Government-provided computer hardware or components must be approved by End User
Support.
8. Prior to downloading or installing software on Government-provided hardware, confirmation of acceptability must be
obtained from your Departmental Information Technology Architect (ITA).
9. You must not violate the privacy of other users and their accounts, regardless of whether those accounts are securely
protected. Technical ability to access others' accounts does not, by itself, imply authorization to do so.
10. You should not leave your computer unattended while logged on to the network. A password protected screen saver is
required to reactivate a session after 5 minutes of inactivity.
11. Work related electronic data must be stored on the Government-provided file server where possible. If work related
electronic data is not stored on the file server it is your responsibility to prepare and maintain backup copies in
accordance with Government Policies, the Archives and Records Act and the Freedom of Information and Protection of
Privacy Act.
12. Wilful or intentional violations of this agreement will be considered to be misconduct and violators of this agreement may
be denied access to the Government-provided computer technology and may be subject to other penalties and
disciplinary action. Violation of this Agreement may result in discipline that may include but not be limited to termination
of employment and/or other legal action.
I have read and understand “The Acceptable Use Agreement for Government-Provided Computer
Technology” and recognize that technical monitoring takes place to protect the system and ensure users are
complying with this policy. I agree to access and use the Government-provided computer technology only in
accordance with the terms and conditions set out in this Agreement.
Date: ___________________________
Name of User: __________________________
(Please Print)
Witness: _________________________
User Signature: _________________________
Definitions:
Acceptable Use Policy (AUP) is a written agreement all users of the Government-provided computer technology
adhere to for the common good. An AUP defines the intended uses of the network including unacceptable uses and
the consequences for non-compliance.
Computer Hardware refers to workstations, stand alone computers, network computers, laptops, notebooks,
servers, PDAs, Blackberries and any other peripherals.
Computer Software refers to written programs, procedures or rules and associated documentation pertaining to the
operation of a computer system, which includes packaged software, downloadable executables, screen savers,
macros, freeware and shareware.
Computer Technology, for the purpose of this agreement, is Computer Systems and all electronic data.
Electronic Data is data that is stored and readable in electronic form without regard to the hardware or software
used to produce the data, excluding computer software.
Office of Information is the designated authority responsible for maintaining and monitoring compliance with
Government Security Policies and Directives.
SecurID is a mechanism developed for performing two-factor authentication for a user to a network resource.
A Token is used to prove one's identity electronically. The token is used in addition to or in place of a password to
prove that the employee is who they claim to be. The token acts like an electronic key to access something.
Virtual Private Network (VPN) is a network that uses primarily public telecommunication infrastructure, such as
the Internet, to provide remote offices or traveling users access to a central organizational network.
Disciplinary Action:
Please take the time to peruse the following link. It will be useful in explaining where the disciplinary consequences
of any violation arise from.
Treasury Board – Section 16.02 – Security Policies: http://iis.peigov/dept/tboard/manual/pdf/sec1602.pdf