Information Security Policy Flashcards
Purpose
This policy defines acceptable use of Toronto Police Service Information and Technology (TPS-IT)
resources to ensure the
confidentiality, integrity, and availability of information. The guiding principles are to prevent misuse or loss of any information asset and to maintain member accountability for the protection of information assets.
Scope
This policy applies to all Authorized Users having
access to any TPS-IT resources and all
information contained within those resources.
General
- TPS-IT resources are the sole property of the Toronto Police Service (TPS). The TPS grants
Authorized Users access to its TPS-IT resources to conduct official police business only.
General
- Any records created and/or maintained on any TPS-IT resource are property of the
Service and bound by Service Governance and the TPS Records Retention By-Law.
General
- Records may become accessible through criminal or civil court processes, by
subpoena or as requested under MFIPPA.
General
- Authorized Users are responsible for complying with
government law and Service Governance when using TPS-IT resources.
General
- Authorized Users who are granted access must adhere to the terms of use agreements for external databases, owned and operated by
partnering external agencies. Such systems include, but are not limited to, CPIC, MTO-ISS, OSOR, MCM, etc.
General
- Authorized Users must seek approval from the
Chief Information Officer (CIO) prior to the acquisition of all new technology.
General
- Authorized Users must first consult with the CIO’s Office prior to building any
unit specific databases or repositories of information such as SharePoint, Excel, or MS Access.
General
- Authorized Users must consult with the Information Security Unit prior to the
implementation of any technology changes that involve the new collection, use or disclosure of personal information.
General
- Any misuse of a TPS-IT resource or violation of this agreement SHALL be reported immediately to a
supervisor, Unit Commander, or the Information Security Officer (ISO) following the discovery of the misuse or violation.
General
- Any unauthorized release of personal or confidential information collected on behalf of the TPS for police business SHALL be reported immediately to a
supervisor, Unit Commander, the ISO, or the Access & Privacy Coordinator.
Security of Computerized Systems and Information
- Authorized Users are responsible for safeguarding and protecting police information, both electronic and hardcopy. System access is assigned based on the
job role or function performed to ensure sensitive information is available to only authorized users. Password sharing, or providing access to another person, either deliberately or through failure to secure access, is prohibited. Hardcopy material must be shredded or discarded inside TPS secure confidential blue bins, when no longer required.
Security of Computerized Systems and Information
- Authorized Users are responsible for all
activity while logged onto any TPS-IT resource. Devices must be secured with a password-protected screensaver and must be locked or logged off when left unattended.
Security of Computerized Systems and Information
- Authorized Users will ensure reasonable care is taken to protect
TPS-IT resources from theft, damage or illegal access; and against systems designed to disrupt, damage or place excessive load on the resource.
Security of Computerized Systems and Information
- Authorized Users who are issued a smartphone will ensure that
operating system or application-level updates are applied in a timely manner.
Security of Computerized Systems and Information
- Portable storage devices containing sensitive information should be
encrypted.
Security of Computerized Systems and Information
- Authorized Users’ offsite work location is to be considered an
extension of the primary TPS work location.
Security of Computerized Systems and Information
- Authorized Users should use TPS issued equipment when
conducting police business. Use of any electronic devices on the TPS network is subject to the rules set out in this policy. The TPS may, when necessary to an ongoing lawful investigation, ask to examine relevant information in a personal device and make copies of relevant information. Individuals who deny the TPS access may face consequences for failing to cooperate.
Policy Non-Compliance
- Attempt to exploit or circumvent the user-authentication or security functions of any computer, network or account.
- Provide account or password access to an unauthorized individual, including circumstances when a member has had their access deactivated, denied or terminated.
- Unauthorized copying, destruction, deletion, distortion, removal, concealment, modification or encryption of messages, files, or other police data.
- Use any program/script/command with the intent to interfere or tamper with any computer system, network or user’s session. Execute any form of network monitoring that will intercept data, scan ports, or attempt to circumvent the corporate firewall.
- Access, create, publish or communicate material that is unsolicited, abusive, harassing, intimidating, threatening, discriminatory or offensive, and could otherwise interfere with another individual’s rights under the Human Rights Code or the Occupational Health and Safety Act.
- Use any unauthorized internet-based web services, even when used in a non-obligatory ‘free trial basis’.
- Access internet sites featuring sexual content, drugs, peer-to-peer file sharing, hate, violence, weapons, gambling and other illegal or unethical subjects – unless it is authorized for lawful or assigned job duties.
- Use any TPS-IT resource for personal commercial or financial gain, or for political causes.
Systems Auditing and Monitoring
- The TPS reserves the right to access system information, without prior notice, and use all information and data stored on and communicated through TPS-IT resources for lawful purposes – to
facilitate work in a member’s absence, to conduct routine technical administration, to routinely audit system use, to investigate suspicions of improper system use and other misconduct and to comply with legal obligations. Members who engage in personal use of TPS-IT resources are deemed to accept that the TPS has this right of access and may raise no expectation of privacy that prevents the TPS from accessing and using information and data for its legitimate purposes.
Definitions
Authorized User:
are all individuals who have been granted access to the Toronto Police Service’s
IT resources. This includes, but is not limited to, permanent members, contractors, volunteers, temporary members, consultants, and personnel affiliated with third parties.
Workplace Technology Device (WTD):
is any computing end user device, typically with its own operating system, which can communicate to a network. This includes, but is not limited to, standard workstations, mobile devices, photocopiers/scanners, laptops/notebooks/tablets, monitors, fax machines, mobile workstations (MWS), external media storage devices (hard drives, USBs, etc.), printers, telephones and voice mail, handheld ticketing devices.
Information Technology (IT) Resource: is
any system, service, hardware, and network resources that are owned by, or supplied to Authorized Users by, the Toronto Police Service. This includes, but is not limited to, networks and network devices, communication and business applications, software, Workplace Technology Devices, internet access.