Information Security Policy - Toronto Police Service Flashcards

1
Q

What’s the Purpose?

A

This policy defines acceptable use of Toronto Police Service Information and Technology (TPS-IT) resources to ensure the confidentiality, integrity, and availability of information. The guiding principles are to prevent misuse or loss of any information asset and to maintain member accountability for the protection of information assets.

2
Q

Scope

A

This policy applies to all Authorized Users having access to any TPS-IT resources and all information contained within those resources.

3
Q

Definitions - Authorized User

A

are all individuals who have been granted access to the Toronto Police Service’s IT resources. This includes, but is not limited to,
• permanent members
• contractors
• volunteers
• temporary members
• consultants
• personnel affiliated with third parties

4
Q

Definitions - Workplace Technology Device (WTD)

A

is any computing end user device, typically with its own operating system, which can communicate to a network. This includes, but is not limited to,

• standard workstations
• mobile devices
• photocopiers/scanners
• laptops/notebooks/tablets
• monitors
• fax machines
• mobile workstations (MWS)
• external media storage devices (hard drives, USBs, etc.)
• printers
• telephones and voice mail
• handheld ticketing devices

5
Q

Definitions - Information and Technology (IT) Resource

A

is any system, service, hardware, or network resource that is owned by, or supplied to Authorized Users by, the Toronto Police Service. This includes, but is not limited to,

• networks and network devices
• communication and business applications
• software
• Workplace Technology Devices
• internet access

6
Q

Definitions - Confidential Information

A

is all police information, and is to be used for official business use only. This includes, but is not limited to,
• privileged information
• any other information collected, obtained or derived for or from TPS records that must be kept confidential under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), Police Services Act (PSA), Youth Criminal Justice Act (YCJA), or any other applicable legislation.
• third party information
• personal information

7
Q

Definitions - Personal Devices and Technology

A

any telecommunication equipment and technology that is not issued or authorized by the Service

8
Q
  1. General
A

1.1 TPS-IT resources are the sole property of the Toronto Police Service (TPS). The TPS grants Authorized Users access to its TPS-IT resources to conduct official police business only.

1.2 Any records created and/or maintained on any TPS-IT resource are property of the Service and bound by Service Governance and the TPS Records Retention By-Law.

1.3 Records may become accessible through criminal or civil court processes, by subpoena or as requested under MFIPPA.

1.4 Authorized Users are responsible for complying with government law and Service Governance when using TPS-IT resources.

1.5 Authorized Users who are granted access must adhere to the terms of use agreements for external databases owned and operated by partnering external agencies. Such systems include, but are not limited to, CPIC, MTO-ISS, OSOR, MCM, etc.

1.6 Authorized Users must seek approval from the Chief Information Officer (CIO) prior to the acquisition of all new technology. (Please refer to Routine Order 2020.06.10-529 regarding the approval process for request submissions).

1.7 Authorized Users must first consult with the CIO’s Office prior to building any unit specific databases or repositories of information such as SharePoint, Excel, or MS Access.

1.8 Authorized Users must consult with the Information Security Unit prior to the implementation of any technology changes that involve the new collection, use or disclosure of personal information.

1.9 Any misuse of a TPS-IT resource or violation of this agreement SHALL be reported immediately to a supervisor, Unit Commander, or the Information Security Officer (ISO) following the discovery of the misuse or violation, in accordance with the Standards of Conduct, Section 1.3 – Contravention of Service of Legislative Governance and/or Misconduct.

1.10 Any unauthorized release of personal or confidential information collected on behalf of the TPS for police business SHALL be reported immediately to a supervisor, Unit Commander, the ISO, or the Access & Privacy Coordinator (only where the unauthorized release involved personal information) following the discovery of the breach, in accordance with TPS Procedures, Section 17-02 – Information Breaches.

9
Q
  2. Security of Computerized Systems and Information
A

2.1 Authorized Users are responsible for safeguarding and protecting police information, both electronic and hardcopy. System access is assigned based on the job role or function performed to ensure sensitive information is available to only authorized users. Password sharing, or providing access to another person, either deliberately or through failure to secure access, is prohibited. Hardcopy material must be shredded or discarded inside TPS secure confidential blue bins when no longer required.

2.2 Authorized Users are responsible for all activity while logged onto any TPS-IT resource. Devices must be secured with a password-protected screensaver, and must be locked or logged off when left unattended.

2.3 Authorized Users will ensure reasonable care is taken to protect TPS-IT resources from theft, damage or illegal access; and against systems designed to disrupt, damage or place excessive load on the resource.

2.4 Authorized Users who are issued a smartphone will ensure that operating system or application level updates are applied in a timely manner.

2.5 Authorized Users will ensure that workplace technology devices and external media storage devices are secure when not in use, as this type of portable equipment is especially vulnerable to breaches. Portable storage devices containing sensitive information should be encrypted.

2.6 Authorized Users’ offsite work location is to be considered an extension of the primary TPS work location. All requirements set out in this policy also apply to members authorized to work remotely.

2.7 Authorized Users should use TPS issued equipment when conducting police business. Use of any electronic devices on the TPS network is subject to the rules set out in this policy. The TPS may, when necessary to an ongoing lawful investigation, ask to examine relevant information in a personal device and make copies of relevant information. Individuals who deny the TPS access may face consequences for failing to cooperate.

10
Q
  3. Policy Compliance
A

3.1 TPS-IT resources and the information generated by, and contained within them, fall under the ownership of the Toronto Police Service. Therefore, while the TPS is aware of, and respects the privacy interests of those who use its IT resources, it is stressed that authorized users will be subject to a significantly diminished expectation of personal privacy when making use of TPS-IT resources.

11
Q
  4. Policy Non-Compliance
A

4.1 Attempt to exploit or circumvent the user-authentication or security functions of any computer, network or account.

4.2 Provide account or password access to an unauthorized individual, including circumstances when a member has had their access deactivated, denied or terminated.

4.3 Unauthorized copying, destruction, deletion, distortion, removal, concealment, modification or encryption of messages, files, or other police data.

4.4 Use any program/script/command with the intent to interfere or tamper with any computer system, network or user’s session. Execute any form of network monitoring that will intercept data, scan ports, or attempt to circumvent the corporate firewall.

4.5 Access, create, publish or communicate material that is unsolicited, abusive, harassing, intimidating, threatening, discriminatory or offensive, and could otherwise interfere with another individual’s rights under the Human Rights Code or the Occupational Health and Safety Act.

4.6 Use any unauthorized internet-based web services, even when used in a non-obligatory ‘free trial basis’.

4.7 Build, publish or maintain externally facing portals using any type of unapproved cloud-based web development services (i.e. Wix, WordPress, Zyro, etc.).

4.8 Access internet sites featuring sexual content, drugs, peer-to-peer file sharing, hate, violence, weapons, gambling and other illegal or unethical subjects, unless it is authorized for lawful or assigned job duties.

4.9 Install unauthorized/unlicensed software on any IT resource that may result in the installation of a virus, harmful component, or corrupted data, or that exposes TPS information to vulnerabilities.

4.10 Use any TPS-IT resource for personal commercial or financial gain, or for political causes.

12
Q
  5. Systems Auditing and Monitoring
A

5.1 The TPS reserves the right to access system information, without prior notice, and use all information and data stored on and communicated through TPS-IT resources for lawful purposes – to facilitate work in a member’s absence, to conduct routine technical administration, to routinely audit system use, to investigate suspicions of improper system use and other misconduct and to comply with legal obligations. Members who engage in personal use of TPS-IT resources are deemed to accept that the TPS has this right of access and may raise no expectation of privacy that prevents the TPS from accessing and using information and data for its legitimate purposes.

5.2 When a violation of this policy is suspected, the TPS may restrict, suspend or revoke access to any TPS-IT system or resource, at any time and without notice, pending completion of an investigation. If a violation of this policy has been substantiated, the TPS will exercise its rights to take appropriate disciplinary action against any offending member, up to and including termination of employment. Compliance with this policy will be enforced.

5.3 Violation of this policy may be considered discreditable conduct under the Police Services Act (PSA) and its related regulations, and may face discipline proportional to the degree and severity. The use of TPS-IT resources in any manner that violates statutory codes or Service Governance may also become subject to discipline.

5.4 Users are encouraged to seek guidance from an appropriate supervisor, Unit Commander, or the ISO if they require further clarification on the application of this policy, or if they have any concerns regarding compliance.

13
Q

NEW STANDARD OF CONDUCT 1.9.2 – RESPECT FOR GENDER DIVERSITY AND TRANS-INCLUSIVE POLICING

A

Our Service is committed to delivering effective police services which are sensitive to the needs of Toronto’s diverse communities. As part of this commitment, the Service has developed Standard of Conduct 1.9.2 “Respect for Gender Diversity and Trans-Inclusive Policing”.

14
Q

Compliance with Standards of Conduct 1.9.2 is crucial for enhancing public trust and confidence: STANDARD OF CONDUCT 1.9.2 “RESPECT FOR GENDER DIVERSITY AND TRANS-INCLUSIVE POLICING” STATES:

A

Members SHALL, in the performance of their duty, treat people of all gender identities and gender expressions, including trans and gender diverse individuals, with respect, courtesy, and consideration.

15
Q

Members SHALL comply with Standards of Conduct 1.9.2 in their interactions, including but not limited to:

A

• respect the rights of all individuals to be addressed by the name, pronoun, and gender that corresponds to their gender identity;
• respect the rights of all individuals to express their self-identified gender, including through access to facilities, clothing and/or other personal items to support their gender identity and expression;
• respect privacy and confidentiality relating to a person’s gender identity and expression;
• conduct themselves in a manner that is inclusive and respectful of trans and gender diverse individuals and communities.

Members SHALL NOT:
• knowingly, intentionally, or repeatedly misgender any individual;
• use derogatory, demeaning, discriminatory, abusive, or offensive language relating to gender identity or expression;
• engage in gender-biased policing, which includes stereotyping based on gender identity or expression, or treating an individual’s gender identity or expression as a basis for suspicion;
• disclose an individual’s trans or gender diverse identity without that individual’s consent, except where it is relevant and necessary for the performance of the member’s duty, or there is an immediate risk to health and safety.

Unit Commanders SHALL ensure all members under their command are made aware of and comply with the contents of this Order.
Per: Professional Standards Support - Governance
