This Information Security Policy is a set of rules and guidelines that our institution implements to ensure the confidentiality, integrity, and availability of its information and systems. This policy helps protect against cyber threats such as hacking, malware and data breaches, and also helps our organization comply with relevant laws and regulations, including the Act respecting the governance and management of information resources of public bodies and government enterprises (LRQ, chapter G1.03) and the Directive on Information Security, which create obligations for college institutions in their capacity as public bodies.
The specific content of the information security policy will vary depending on the specific risks it faces. It is used to protect a wide range of sensitive information, including:
In addition to protecting this sensitive information, the college’s technology information security policy also covers topics such as acceptable use of college-provided technology, including guidelines for Internet, email, and social media use. It also covers physical security measures for technology equipment and data centers, as well as procedures for responding to security incidents and violations.
Stakeholders affected by the information security policy include:
Overall, the information security policy also includes other groups of individuals or entities, such as vendors, partners, and consultants who use information assets.
The security policy is mainly part of a context governed by:
We take reasonable steps to protect the security of the personal information of students, professors, and staff through the implementation of the Information Security Policy, including:
A. Access Control: limit access to sensitive information to only those who need it to perform their job duties. This is done through the use of user accounts and passwords, as well as stronger methods such as two-factor authentication.
B. Data Encryption: encrypt sensitive data, both in storage and in transit, to prevent unauthorized access or interception. This includes email encryption, as well as encryption of data stored on laptops and other mobile devices.
C. Network Security: protect the college network from external threats such as hackers and malware. This is accomplished through the use of firewalls, intrusion detection and prevention systems, and other security tools.
D. Physical Security: protect physical assets such as servers and data centers from unauthorized access or tampering. This includes locked doors, security cameras and badge access systems.
E. Training and Awareness: educate students, professors and staff on information security best practices and the importance of protecting sensitive data. This includes regular reminders about the importance of strong passwords and the dangers of phishing scams, as well as more formal training programs.
We collect information about you in several ways:
We use the information we collect about you for a few different purposes:
We do not share your personal information with third parties except under the following circumstances:
In this Information Security Policy, there will be some level of risk considered acceptable, such as:
It is important to note that the level of acceptable risk varies depending on the specific needs and goals of our organization. What may be considered an acceptable risk for our organization may not be for another.
The implementation of the information security policy includes different parties with the following responsibilities:
A breach of security or policy can damage the college’s reputation, which can have long-term consequences. This can result in loss of trust from students, professors, and other stakeholders, and even financial loss.
Sanctions are consequences that can be imposed on individuals or groups that violate the information security policy. They depend on the nature of the policy violation and the severity of the violation. The sanctions that will be applied for violations of the college’s information security policy are as follows:
The ISR, assisted by the Information Technology (IT) Department Head, is responsible for the dissemination and updating of the policy. The Information Security Policy will be reviewed no later than four years after its adoption.
This policy shall become effective on the date of its adoption by the Board of Directors on June 20, 2022.