The scope of this security policy includes all information assets owned, operated, or maintained by BISCAST, whether the information is stored on electronic media, printed as hardcopy, or transmitted over public or private networks. At their discretion, the College Information Technology Office and Multimedia Hub reserve the right to modify this policy at any time. Information security requires the participation and support of every member of the BISCAST community who has access to information assets. It is the responsibility of every member of the BISCAST community to help ensure that all information assets are kept secure and available.
This policy applies to all members of the BISCAST community, which includes, but is not limited to, employees, students, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as “users”) who have access to, support, administer, manage, or maintain BISCAST information assets.
The Vice President for Administration and Finance shall review this policy whenever updates or changes are presented by the ICT Office and Multimedia Hub. All revisions will be presented to the President of the College for approval.
BISCAST’s information assets are essential to its success. Therefore, access to all information assets will be granted in a controlled manner, on a need-to-know basis and subject to the approval of the designated information asset owner. Users will be explicitly granted access to information assets; there is no implicit right of access. Controls must be developed, implemented, monitored, and maintained to create user accountability and to prevent any compromise of the confidentiality, integrity, and availability of information assets.
Acceptable Use Agreement
Users must comply with the College’s Acceptable Use Policy and may be asked to sign a written Acceptable Use Agreement before being granted access to BISCAST information assets.
Upon employment or admission to the College, a BISCAST user account is created for every user. Typically this account includes access to BISCAST email, eDisk, and InsideBISCAST. Access to other BISCAST information assets is granted according to the requirements outlined below.
Requirements for Access
Users must obtain permission from the Data Steward of the Records Office and demonstrate a justifiable need to access data. Each authorization must be documented, and authorization forms must be retained as a record. Information asset owners will grant access on a need-to-know basis, as required by job function. Access requestors must not approve their own access. Applicable legislation and regulatory restrictions must be considered when granting access to information assets.
Before receiving access to information assets, members of the Professional Staff must undergo background checks performed by Human Resources (HR). Background checks may include criminal record checks and verification of employment history. At the discretion of Human Resources, certain BISCAST positions may require more or less extensive background checks. Credentials of members of the Faculty are reviewed under the normal hiring procedures set out by the Office of the Provost and the Academic Departments.
Role Based Access
User access should be established based on job description, duties, or function. Assigning access through roles rather than to individuals provides consistent and efficient administration of access rights. Data Stewards must understand the security controls and privileges of the systems they are responsible for in order to recommend and apply appropriate controls.
User Role Changes
Users who change roles or transfer to other areas of the College should immediately be given the access required for the new role. Access that is no longer required for the new role should be removed or disabled immediately, so that privileges from previous roles do not accumulate on the account.
When access is granted, users are responsible for all system activity performed under their unique account. Users are responsible for protecting their account by creating and maintaining passwords that comply with the Password Policy. In addition, users are responsible for keeping their unique ID and password confidential and must not share them with any other party.
Review of Access Privileges
Data Stewards should re-evaluate the privileges granted to BISCAST users at least annually to confirm that the access is still commensurate with the user’s job responsibilities. User accounts found to be invalid should be disabled.
Non-employee user accounts and access privileges, including those of visitors, volunteers, third parties, contractors, consultants, clients, and temporaries, should be re-evaluated every six months. User accounts found to be invalid should be disabled.
Temporary Access Control Privileges
If privileged access must be granted to a user temporarily, the grant must carry a pre-set expiration time, and the privilege should be removed when that time is reached rather than left in place until someone remembers to revoke it. The appropriate information asset owner must approve all temporary access in writing.
User accounts of terminated or resigned users should be disabled on all information systems and other IT-related systems by the ICT Office and Multimedia Hub immediately upon notification from Human Resources (HR).
Unauthorized Testing of Information Assets
BISCAST users with full-time responsibility for information security, and Internal Audit, are chartered by BISCAST Management to perform information security tests to ensure the College is adequately protecting its information assets. All other users must not test, or attempt to compromise, internal controls unless specifically approved in advance and in writing by the ICT Manager.
Users must not exploit vulnerabilities or deficiencies in information systems security. Users must not attempt to access assets beyond those they have been authorized to use, or to modify their own or other users’ level of access, unless specifically approved in advance and in writing by the ICT Office. Vulnerabilities discovered by users must be promptly reported to the ICT Office or Multimedia Hub.
Modification and Testing of Production Data
System privileges that allow modification of BISCAST production information must be highly restricted. Privileges should be set so that users cannot modify production data in an unrestricted manner, and so that every change is recorded in an appropriately detailed, automated audit trail that clearly shows the date and time, the change made, and the account that made it. Users may only modify production data in predefined ways that preserve or enhance its integrity, and only through a controlled process approved by the Data Steward of the Records Office responsible for the affected data.
Policy Maintained by: