AP 630: Network and Information Security

Communication & Technology

Background

The Division has, in its possession, confidential information (confidential data) that must be protected. To this end, the Superintendent establishes procedures to ensure the appropriate protection of the Division’s information systems.

The Division’s various technology systems utilize digital environments and Internet based (Cloud) services and applications as well as cloud storage and electronic file transfer services; as a result, personal information may be stored in electronic format. All personal information is sensitive; therefore, privacy shall be protected during the collection, storage, use, sharing and transmission of all personally identifiable information.

All staff have a statutory and ethical responsibility when using technology and cloud services. Staff shall adhere to the provisions in Alberta's Freedom of Information and Protection of Privacy Act, the Education Act and relevant Division Administrative Procedures.

Definitions

a) Cloud services: shall refer to any Internet or online service or digital information storage provided by organizations or vendors other than Parkland School Division.

b) Personal Information: as defined in the Freedom of Information and Protection of Privacy Act, shall mean recorded information about an identifiable individual, including:

a. Name, home or business address, or home or business telephone number;

b. Race, national or ethnic origin, colour or religious or political beliefs or associations;

c. Age, sex, marital status or family status;

d. An identifying number, symbol or other particular assigned to the individual;

e. Fingerprints, other biometric information, blood type, genetic information or inheritable characteristics, and photo likeness;

f. Information about the individual's health and health care history, including information about a learning, physical or mental disability;

g. Information about the individual's educational, financial, employment or criminal history, including criminal records where a pardon has been given;

h. Another’s opinion about the individual; and

i. The individual's personal views or opinions, except if they are about someone else.

c) Portable storage device: shall be deemed to refer to any mobile device that can store, process or transmit information digitally. These include, but are not limited to: laptops, tablets, smartphones, thumb/portable drives, CD/DVD.

Procedures

With respect to Network Security

1. All users of the Division’s computer systems and network resources have the responsibility to ensure its overall security and to behave in a manner consistent with this security administrative procedure.

1.1. Each user is responsible for understanding and complying with Administrative Procedure 610 – Responsible Use of Technology.

2. The Director of Technology Services shall be responsible for:

2.1. Establishing, maintaining, implementing, administering and interpreting network systems security standards, guidelines, and procedures;

2.2. Providing specific guidance, direction and authority for network system security;

2.3. Providing network backup services;

2.4. Establishing and maintaining a network disaster recovery plan; and

2.5. Ensuring that Division owned technology has up-to-date antivirus software.

3. Staff and/or students shall not:

3.1. Establish network services onto any existing Division networks (including, but not limited to: personal web servers, File Transfer Protocol (FTP) servers, news servers, electronic bulletin boards, Really Simple Syndication (RSS) feeds, local area networks, modem connections of any kind); or

3.2. Make any configuration changes or install any network devices that may have a negative impact on network performance/security.

4. Any Division owned technology that has been deemed surplus is to be decommissioned and properly disposed of by Technology Services.

5. Only personnel authorized by the Director, Technology Services or designate shall install applications on servers or workstations.

6. Each user shall have a unique network account with an encrypted password.

7. Wireless Networks shall be administered by Technology Services:

7.1. Wireless Networks shall have all wireless access points apply the latest security protocols;

7.2. Wireless Networks shall utilize the latest encryption protocols.

8. Personally owned technology shall not be permitted on the internal network; however:

8.1. A separate wireless Wi-Fi network shall be provided to support personally owned devices.

With respect to Information Security

9. All personal information collected by the Division shall be stored and protected against unauthorized access.

10. Portable storage devices shall not be used to store any personal information unless authorized to do so by the Superintendent or designate:

10.1. When permitted, the information shall be encrypted and password protected;

10.2. Personal information on portable devices shall only be temporary as permitted and removed upon completion of the task.

11. Use by staff of cloud-based applications or cloud-based storage shall not include data that contains personal information of staff or students unless:

11.1. The privacy agreement with the service provider contains specific clauses compelling them to adhere to the Freedom of Information and Protection of Privacy Act;

11.2. The service is hosted in a country whose legislation does not have the potential to override the Freedom of Information and Protection of Privacy Act;

11.3. Any data accessed or transferred must be encrypted and password protected;

11.4. The Superintendent or designate shall approve all vendor privacy agreements;

11.4.1. The agreement is to provide for the security of, as well as backup/disaster recovery of, data stored.

12. Division staff shall report any breaches of information security, whether actual or suspected, to their immediate supervisor for investigation.

12.1. Supervisors shall contact the Director of Technology Services for assistance with respect to an alleged security breach.

13. Privacy breaches shall be immediately reported to the Associate Superintendent, Corporate and Financial Services.


Approved:

signature

Date Approved: January 8, 2020

Reference:
Education Act: 33, 196, 197, 222
Freedom of Information and Protection of Privacy Act
Canadian Charter of Rights and Freedoms
Criminal Code (Canada)
Copyright Act

Reviewed or Revised:
Executive: January, 2021

References shall be updated as required and do not require additional approval.