Chinook’s Edge School Division No. 73 - Administrative Procedures

AP 1 – 29 Information Security Management System

Classification: General Administration

Effective Date: 2014 Jan

Sponsor/Contact: Associate Superintendent System Services

Last Reviewed: 2013

Exhibits: none

PURPOSE

To ensure information confidentiality and information integrity are based on recommendations contained in ISO27001 and the Government of Alberta School Technology Framework.

SCOPE

This procedure outlines information security management practices that will be employed by the Superintendent or designate and will affect all parties using the Division’s information systems including, but not limited to, students, parents, employees, contractors, partner organizations, volunteers, and the Board of Education.

DEFINITIONS

Information – is any information owned by or under control of Chinook’s Edge School Division. This includes information that is stored, in use or at rest on the Division’s information systems, as well as information in transit across the Division’s digital networks. Further, it includes the entire lifecycle of information from the information’s creation or acquisition to its disposal.

Information Security Management – is the process of protecting information from unauthorized access or manipulation and designed to protect information, staff, students and the Division’s reputation.

ISO27001 Standard – is a code of practice for information security management.

PROCEDURES

1. The Superintendent or designate shall develop and implement appropriate and practicable technology procedures which:
   a. Protect the organization’s information assets from all threats both internal and external.
   b. Provide direction and support for information security.
   c. Define and designate responsibilities to all users of the Division’s information systems.
   d. Foster stakeholder confidence by acting in accordance with security standards.
   e. Establish regular review of measurable security objectives at relevant functions and levels of the organization.
   f. Comply with business and legal regulatory requirements and contractual security obligations.
   g. Provide systems for protection against unauthorized access.
   h. Ensure confidentiality of data.
   i. Create mechanisms to identify and review the risk and impact of breaches in protected information versus the needs of staff and student learning.
   j. Outline the steps for reporting breaches of security.

2. The Superintendent or designate shall develop and maintain strategies based on specific risk assessments to maintain critical learning and business functions in the event of any significant disruption to critical services, systems or facilities.


3. The Superintendent or designate shall ensure that all employees are made aware of the need for security to a level commensurate with their role. The Superintendent or designate shall ensure that applicable information security management procedures and guidelines will be accessible to all users and that users are made aware of changes.

4. The Superintendent or designate may access usage history and monitor use of information systems including, but not limited to, email and internet, if he or she deems those actions are necessary to carry out his or her duties outlined in this Procedure.

5. The Superintendent or designate shall assess risks to the Division’s information systems and manage these risks in accordance with the Government of Alberta School Technology Framework.

6. The Superintendent or designate shall monitor all Chinook’s Edge School Division employees to ensure they adhere to all legislation pertaining to information storage and processing including, but not limited to, Alberta Freedom of Information and Privacy Act (FOIP), Personal Information Protection Act (PIPA) and Alberta Human Rights Act.

7. The Superintendent or designate shall communicate all pertinent technology procedures to all parties using the Division’s information systems.

8. The Superintendent or designate shall consult with all technology committees, technology advisory groups, and the Technology Services staff prior to implementing or changing Technology procedures.

REFERENCES

Alberta School Technology Framework replace with Learning and Technology Policy Framework (2004) - http://education.alberta.ca/admin/technology/standards.aspx

Alberta Freedom of Information and Privacy Act

Personal Information Protection Act

Alberta Human Rights Act

HISTORY

Approved: 2014 Jan 7