7610-2 Information Security Policy

In case of discrepancies, the official PDF version of this policy takes precedence.

PREAMBLE

The Act respecting the governance and management of information resources of public bodies and government enterprises (L.R.Q., c. G-1.03), known in French as Loi sur la gouvernance et la gestion des ressources informationnelles des organismes publics (LGGRI), imposes obligations on academic institutions in their capacity as public bodies. In order to meet its regulatory and legislative obligations, Vanier College must adopt, implement, maintain and enforce an information security policy that establishes the implementation of formal information security processes to ensure risk management, access management and incident management.

Where discrepancies exist between this policy and the aforementioned Act, the Act takes precedence. Any new directive issued based on the LGGRI is considered force of law and is also considered applicable even if not explicitly quoted herein.

In addition to the information security management frameworks, the College must comply with applicable laws, regulations and standards.

1. PURPOSE

1.01 This policy is a key element to ensure the realization of the mission and the institutional objectives of the College, to maintain its reputation and to comply with the applicable legal, regulatory and contractual requirements.

1.02 The main objective of this policy is to communicate the College's determination and commitment to managing information security risks effectively and efficiently. The approach adopted is aimed at identifying the stakeholders and defining their roles, and designing and implementing measures to effectively safeguard the security of information assets.

1.03 The policy also promotes user awareness of the risks associated with information handling and emphasizes the importance of maintaining the availability, integrity, and confidentiality of information throughout its lifecycle, regardless of the medium or means of communication.

2. SCOPE

2.01 This policy is intended for all users, that is, anyone who has access to the data and/or information assets of the College regardless of employment status, including contract workers and exchange personnel as well as any/all partners, suppliers or other stakeholders.

2.02 This policy applies to all information that the College holds, uses, or safeguards in the course of fulfilling its mission, throughout its entire lifecycle and regardless of its form, medium, or location. It encompasses data owned by the College, data held or used by partners, suppliers, or other stakeholders on behalf of the College, as well as third-party information retained by the College to support its functions.

2.03 Any activity involving the use, disclosure, or preservation, in any form, of data or information assets owned by or used by the College is covered by the policy, whether on premises, off site, or for users working remotely.

This policy applies from the earliest phase of design or creation of the data or information asset and during the development, realization or modification of the asset or any associated business processes.

2.04 The policy covers all aspects of digital data security including information technology, ensuring consistent protection across all environments and formats.

3. DEFINITIONS

  • “Board”: the Vanier College Board of Governors, appointed in accordance with By-law 1 The General Administration of the College.
  • “College”: Vanier College of General and Vocational Education, which may be abbreviated to Vanier College, or CEGEP Vanier College as deemed necessary or expedient, and includes each of its campuses.
  • Availability: In the context of informational assets, it is the assurance that information is accessible in a timely and appropriate manner to an authorized individual.
  • Confidentiality: A property of data or information such that it is accessible only to designated or authorized persons or entities.
  • Confidential information: For the purposes of the Act respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, CQLR c A-2.1, confidential information is considered to be personal information and any information the disclosure of which would have harmful implications for any of the following: intergovernmental relations, negotiations between public bodies, the economy, third parties with respect to their industrial, financial, commercial, scientific or technical information, the administration of justice and public safety, administrative or political decisions and verification.
  • Directive: In the context of this policy, this refers to an official instruction or order issued by the provincial government of Quebec.
  • Information assets: All active, semi-active and inactive information and documents created or received by College personnel in the pursuit of their duties regardless of their nature (administrative, financial, legal or otherwise), media (hard copy, digital, audiovisual, web or otherwise) and the format in which they are produced.
  • Information lifecycle: Stages through which every document or record goes, from its creation, storage, transfer, consultation, processing and transmission, to its retention or destruction, in accordance with the Vanier College retention schedule.
  • Integrity: The assurance that information assets remain accurate, complete, and unaltered except by authorized individuals or processes, and are stored on media that ensure stability and durability throughout their lifecycle.
  • Information security management framework: A collection of objectives and practices based on industry information technology governance standards or stipulated by directives under the LGGRI.
  • Off-site: In reference to off-site assets, these assets are stationary units (e.g. servers, switches) that are not housed on a Vanier campus.
  • Users: Any person using College IT resources.

4. LEGAL FRAMEWORK

5. CONTENT

5.1 Governance and Accountability

Roles and Responsibilities

In this policy and its application, the following mandates are assigned to different stakeholders:

5.1.01 Board of Directors

  1. Adopts the policy as well as any amendment thereto.

5.1.02 Auditors (external and mandated by MEES/MCN)

  1. Ensures the adequacy of the information security framework in effect, in relation to the risks incurred;
  2. Ensures that measures are in place to reduce information security risks to a level deemed acceptable for the organization.

5.1.03 Director General

  1. Is informed of the College’s actions in the area of information security, particularly with respect to the annual information security reports.

5.1.04 Coordonnateur Organisationnel des Mesures de Sécurité de l’Information (COMSI)

  1. Responsible for coordinating the implementation of operational security measures within their organization. They work closely with the CSIO.
  2. Supervises the information security risk management process and the application of the policy.

5.1.05 Chef de la Sécurité de l’Information Organisationnelle (CSIO)

  1. Responsible for the overall governance of information security within their organization.

5.2 Guidelines

5.2.1 Physical security of buildings and premises

The College will ensure the physical security of College premises where data and information assets are stored. The College will establish and maintain an access list of authorized personnel that is verified and updated periodically or during a significant organizational change.

5.2.2 Protection of information

Information security must be ensured throughout the information's life cycle. The means used to ensure it must be proportional to the value of the information and the risks to which it is exposed, and such that private personal information as defined in Law 25 has appropriate safeguards around its use and collection. Thus, any information that the College holds, processes or transmits must be subject to security measures designed to ensure the availability, integrity, and confidentiality of the information. To achieve this, all individuals are given authorization to access only the information assets deemed necessary to their role, equipment and services are regularly maintained, contingency plans and alternatives exist for essential services, and all persons under the scope of this policy are made aware of threats and risks to information security.

5.2.3 Service Continuity

The College maintains reliable processes, systems, and technologies that support service continuity. The College also establishes and regularly updates contingency plans, provides alternative solutions for essential services, and ensures that high-availability systems are in place to support uninterrupted access to critical information.

5.2.4 Integrity and Security of Information Assets

The College is committed, as per LGGRI, to ensuring the integrity of its information by preventing unauthorized alteration or destruction and by maintaining it on stable, durable media. The College applies technological and procedural safeguards that verify, throughout the information’s lifecycle, that it remains complete and unaltered.

5.2.5 Confidentiality and Authentication Safeguards

The College, in accordance with the Records Classification and Management Policy managed by Corporate Affairs, collects and retains only the information necessary to fulfill its mission, in accordance with applicable legislation. Access to this information is strictly controlled through authentication mechanisms and access profiles as required by LGGRI, ensuring that only authorized individuals, devices, or systems can view or handle it.

Each administrative unit is accountable for managing the security of the information assets under its control, including those delegated to third parties.

5.3 Particular Provisions

5.3.1 Security and Security Awareness

The Vanier College community is regularly made aware of information regarding security risks and how to protect themselves per the LGGRI including the requirement on information security training.

5.3.2 Disposal of old computer systems and equipment

The rules for the safe destruction of any microcomputer equipment declared as “surplus movable property” and any removable computer media intended for disposal or entrusted to a supplier must be applied in a timely manner and in accordance with the Directive concernant le traitement et la destruction de tout renseignement, registre, donnée, logiciel, système d’exploitation ou autre bien protégé par un droit d’auteur, emmagasiné sur un équipement micro-informatique ou sur un support informatique amovible of the Treasury Board of Quebec.

The same applies to any microcomputer or removable media equipment entrusted to a supplier for repair, maintenance, destruction or retrieval of the information stored therein.

Disposal of information, documents, equipment, or materials—whether obsolete, surplus, or transferred for maintenance or destruction—is carried out in accordance with approved procedures and retention schedules to prevent unauthorized access or disclosure.

5.3.3 Document management and destruction

Vanier College’s IST department shall support the Director of Communications and Corporate Affairs in the application of Vanier’s “Records Classification and Management Policy” by providing the tools and technical support required.

5.3.4 Right of inspection

The College shall exercise, in conformity with the legislation and the regulations in force, the right of inspection on any use of its informational assets.

5.3.5 Compliance with Intellectual Property and Software Use Regulations

All users must comply with the requirements for the use of products, documents and information, in respect of which there may be an intellectual property right. Thus, the use of proprietary software and free software must comply with the Copyright Act, RSC 1985, c C-42.

Information Systems and Technology Services will ensure that its software licenses are properly managed. Only software provided by the College must be used.

The use of any other software is subject to a specific authorization from the College’s COMSI.

5.3.6 Payment Card Industry Data Security Standard (PCI DSS)

Vanier College must comply with the Payment Card Industry Data Security Standards (PCI DSS) to protect all cardholder data. PCI DSS requirements, established by major credit card companies, govern how payment card data is processed, transmitted, stored, and disposed of. The College’s PCI DSS Departmental Responsibilities & Procedures outline these obligations and ensure proper internal controls.

The College does not process payment cards on its own systems; instead, it outsources all payment card transactions to approved, PCI-compliant external vendors to reduce risk and compliance scope. When payment card transactions occur in on-campus merchant operations, these standards fully apply to all campus users, external merchants, systems, and networks that handle payment card data, including account numbers, cardholder names, expiration dates, service codes, and any sensitive authentication data. All merchant activities involving PCI DSS must be reviewed and approved annually by the Director of Financial Services.

5.4 Administrative Measures and Sanctions

5.4.1 Reporting

The College shall have an incident reporting procedure.

Every user has an obligation to protect the information assets made available to him or her by the College. To this end, the user shall report, without delay, to their manager or to the IST HelpDesk any act likely to represent a real or presumed infringement of the security of the information. Qualified incidents will be referred to Corporate Affairs to be logged in the register of confidentiality incidents as per Article 63.11 of the Act respecting Access to Documents Held by Public Bodies and the Protection of Personal Information.

The COMSI must also be notified when a security incident occurs, in order to determine the measures to be taken to resolve the problem, as may be required.

5.4.2 Sanctions

When a user contravenes this policy or its attendant directives, they may incur disciplinary, administrative or legal action, depending on the severity of their action. Such measures may include suspension of privileges, reprimand, suspension, dismissal or otherwise, in accordance with the provisions of collective agreements, other agreements or contracts.

The College may transmit to any judicial authority the information gathered and which leads it to believe that an infringement of any law or regulation in force has been committed.

5.5 Final Provisions

5.5.1 Policy application and monitoring

The COMSI and CSIO are responsible for the application and monitoring of this policy.

5.5.2 Entry into force

This policy comes into effect on the date of its adoption by the Board of Governors. As of that date, it replaces all previously adopted versions of this Policy.

6. REVIEW PERIOD

This Policy shall be reviewed at least once every 5 years, or sooner if required in accordance with ongoing changes to legislative and regulatory obligations, taking into account new governmental orientations as well as the evolution of information security best practices.