Quick guide to information security best practices
Information Security Fundamentals
Know the Information Security Basics
This document is meant as a guide for you to develop your own security best practices. It is based on a document
developed for health service agencies in Ontario and is aligned with the Personal Health Information Protection
Act (PHIPA), 2004.
What are the core principles of information security?
- Confidentiality – ensuring that client information is seen only by those authorized to see it.
- Integrity – ensuring that client information is accurate, complete, and accessible for viewing or modification by authorized personnel only.
- Availability – ensuring that client information is accessible to authorized individuals when and where required.
Act as an Information Security Steward
- Be aware that everyone needs to protect client information; this includes protecting access to all the systems and resources containing that information.
- Provide staff and volunteers with clear statements of responsibilities and ensure their awareness and appropriate training to make this policy effective. This can be in an orientation package and can be used as a practical hands-on training tool by a Manager or experienced co-worker.
- Provide a Quick Reference Guide for staff with practical security practices in key areas affecting the operations of the Agency or office.
- Provide direction when performing periodic reviews of practices.
Know the Responsibilities – Yours and your Organization’s
What are the organization’s responsibilities?
- Establish, update, and communicate policies and procedures.
- Provide awareness training to staff on the security and privacy policies and procedures.
What are your responsibilities?
- Understand security as it relates to your role and your obligations.
- Use good judgment to preserve and create safeguards in favour of security.
- Challenge unknown, unauthorized or unescorted individuals who attempt to access information or enter secure office areas.
- Challenge unsecure practices.
Protect Your Workplace Access
How should information be protected?
- Your workplace badge or key is your identity; challenge anyone without a badge and ensure that visitors in secure or sensitive areas are escorted at all times.
- Your security access card should not be left unattended.
- Never store your PIN in the same place as your security access card.
Consent & Archiving Information
Personal Information
Personal Information can be defined as information about a specific individual. It is also information that could be used to identify that individual.
- Scripts or talking points should be developed so that staff are consistent in letting service users know why you collect personal information.
- Staff members who collect personal information should feel comfortable and knowledgeable explaining the reasons why the agency collects personal information.
Consent and Release of Information
- Consent should be explained and obtained from service users to collect, use and/or disclose their personal information. This includes explaining to service users why they may be required to consent to the collection, use and/or disclosure of their personal information before they can receive service at your agency.
- Staff should also explain if separate consent will be required when the information is used or disclosed for a different or new reason and that individuals can withdraw consent at any time.
- As well, clients should know if there are any implications of withdrawing consent such as any impact on their access to services.
Limiting Use, Disclosure and Retention
- When the agency no longer requires a client’s personal information (e.g. client moves or stops being a client), the organization should ensure the information is either archived or destroyed. You should have guidelines and procedures for destroying personal information, including electronic files.
- A record should be kept of how a client’s personal information has been used or disclosed and, if you have used or disclosed a client’s information, the client should know they can request a copy.
- Your organization should have policies and procedures in place to receive and respond to complaints or questions about the handling of personal information. You should keep a record of the investigation of the complaint and any issues or concerns you note as a result of the investigation.
For More Information on Consent
Communications Department
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON, M4W 1A8
Email: info@ipc.on.ca
Telephone: Toronto Area: 416-326-3333
Long Distance: 1-800-387-0073 (within Ontario)
TDD/TTY: 416-325-7539; FAX: 416-325-9195
Website: www.ipc.on.ca
Security Of Your Work Environment
Clear Desk and Environment
- When away from the office, sensitive information (paper files and computer media such as USB storage, CDs, DVDs, and Laptops) should be locked away.
- All sensitive waste should be placed in secure shredding devices; CDs and DVDs can also be shredded.
- Incoming and outgoing mail points, unattended fax machines and any faxes left on them should be protected.
- Unless necessary, avoid removing sensitive documents and data from business premises; encrypt when necessary.
Security at Printers, Photocopiers and Fax Machines
- If you print something, retrieve it immediately. Do not leave originals in photocopiers or fax machines.
- Unattended printed material should be dealt with on a daily basis.
- If you fax something, confirm the number and verify on the fax display that you called the correct number.
- If you are expecting or sending something by fax, especially if it is sensitive, treat it like a meeting; set a specific time and go to the fax to wait for it (reliable security features are not common in most fax machines and do not meet standards for protecting sensitive information).
Secure Phone Etiquette
- Be aware of social engineering – a collection of techniques used to manipulate people into performing actions or divulging confidential information (search online for a full definition of “social engineering”).
- Know to whom you are disclosing information; it may be necessary to verify with a third party or call back using the listed number for that individual or organization.
- Be aware of your surroundings when speaking on cell phones, especially in public.
Clear Air
- Evaluate your surroundings when discussing sensitive personal information in earshot of other staff or clients.
- Be aware of others who may overhear phone conversations, especially when client information is being discussed.
- Ensure that confidential discussion between staff takes place in locations away from the general public.
- Ensure that confidential information is not left on voice mail systems.
Security in Meeting Areas
- Do not conduct meetings in public areas.
- Clean the whiteboard when the meeting is over.
- Clear the internet browser history and cache on any shared meeting-room computer.
- Remove all information from meeting rooms after the meeting.
- Check that the conference phone line is disconnected after your meeting.
Computing Security
Password Guidelines
- Passwords must NEVER be disclosed to anyone.
- Change your passwords frequently (at least once a month).
- A password must have the following characteristics:
  - Contain a minimum of six characters.
  - Include a mix of letters and digits, together with any other characters the particular access control system accepts.
  - Should not be obvious, easily guessable, or easily generated by a computer.
  - Should not use acronyms, birthdays, sequential numbers, names of family members or pets, etc.
  - Should not be written down.
What do I do if my password has been compromised?
- If you suspect the confidentiality of your password has been compromised, change it immediately.
Do PINs require six characters?
- No. PINs must have at least four characters.
Computer Usage Guidelines
- Ensure that your computer has a screen saver that activates after a predefined time and requires a password to reactivate.
- Wherever possible, access to any databases or files holding personal information should be password protected.
- Make sure laptops are secured with a cable or locked away when out of the office.
- Keep computer patches and virus definitions up to date and make sure scanning is done frequently. Install a firewall program.
- Scan your computer weekly to ensure that no spyware or unauthorized software is installed.
- Make weekly backups with encryption/compression of your data and keep the backups offsite or in protected storage.
Clear Screen
- ALWAYS lock your screen when you are away from your computer.
- Lock your screen to make it difficult for casual visitors in your office to read the content displayed on your computer monitor.
- Computer monitors containing client information must be cleared between clients.
- Organizations should consider enlisting specialized external agency expertise to safely clean and dispose of equipment. Some regions have not-for-profit organizations that can be used for secure disposal and donation for refurbishing and parts.
Mobile Computing Guidelines
- Never leave your laptop, smartphone or similar items in view in the car.
- Never leave your laptop, mobile phone or other items unattended when travelling or in any other public place.
- Use power-on passwords – a password that must be entered before the computing device will start – but do not rely on them.
Email Do’s and Don’ts
Do
- Use appropriate signatures and standard disclaimers in emails, faxes, and other documents.
- Be aware of phishing: a technique used to attempt to gather personal information from you.
- When preparing an email, fill in addressee sections of email last and think about when to use “To”, “CC” and “BCC”.
- Mark forwarded emails (“Fw:”) as junk or delete them, especially when they are not business related.
- Use encrypted storage devices to pass personal information amongst coworkers in the office.
Don’t
- Do not email personal information among coworkers in the office.
- Do not open obvious junk mail from unknown individuals or organizations you do not recognize as it may contain malware.
- Do not forward sensitive materials to your personal email address.
- Do not forward emails that contain viruses, or that you suspect may contain viruses, to others. Instead, notify everyone in a separate message not to open them, and completely delete the original.
Security Controls
Asset Classification
Follow the instructions given concerning classification of information; if unsure about the sensitivity, seek clarification:
- Public - Information that may be freely shared within an organization and with external parties. If proprietary or copyrighted, then conditions stipulated by the original accountable Executive must be complied with.
- Internal Use Only - Information of a general nature that can be shared within an organization, on a need-to-know basis. Subject to instructions from the accountable Executive or the information originator.
- Confidential - Access must be limited to trusted staff or other third parties for the performance of their duties, and be controlled on a need-to-know basis.
- Highly Sensitive - Disclosure must be controlled on a limited and pre-determined basis, and be restricted to highly trusted staff. Distribution must involve accountability for access, use, and continued assurance of confidentiality.
Why do I need to classify my information?
- Categories and classes are intended to guide the development of detailed security requirements and enhance the consistency of risk management.
Am I able to group assets with similar characteristics?
- Yes. Categorization of information resources according to type, and classification according to the potential for harm, are important aids in determining security requirements.
Business Continuity Planning
What is a business continuity plan (BCP)?
- This is a plan to identify, manage and protect critical operations and services to ensure that they continue to be available while minimizing loss of access to systems and services that may be caused by natural disasters, accidents, sabotage, utility disruptions, etc.
- The plan provides procedures for emergency responses, extended backup operations, and post-disaster recovery.
Executive commitment and support
- Executive commitment and support are the most critical elements when developing a BCP.
- A business case is created to gain executive support.
- Regulatory and legal requirements, potential vulnerabilities, and possible solutions should be outlined in the business case.
- Executives may be held liable if proper BCPs are not developed and used.
Security Breaches & Incidents
Security Breach
What is a security breach?
- The unauthorized disclosure, destruction, modification, or withholding of information.
How does it happen?
- Failure to comply with company policies and practices.
- Indifference to, or unawareness of, your responsibilities.
- Inadequate, or a lack of, safeguards.
What are possible consequences?
- Public exposure, resulting in loss of trust in the organization, financial losses, theft of computing resources, loss of employment or legal consequences.
Security Incidents
What constitutes an incident?
An information security incident is any adverse event or situation associated with information resources that results in:
- A failure to comply with the organization’s security requirements.
- Unauthorized access, use, or probing of information resources.
- An attempted, suspected, or actual security compromise.
- Waste, fraud, abuse, loss of, or damage to resources.
- The discovery of a vulnerability.
What do I do if I witness an incident?
Information security incidents with the potential for significant impact or consequences, or involving clients, must be reported to the appropriate individual.
What do I do if an asset I own experienced an incident?
All information resource owners must ensure that incidents relating to their resources are appropriately identified, responded to, escalated, and investigated.
What happens as a result of a security incident?
Both incidents and events should be used in the reassessment of risk, and the selection and establishment of security controls.
- Asset – anything that has value to the organization.
- Threat – a potential cause of an incident that may result in harm to a system or to the organization.
- Vulnerability – a weakness of an asset or group of assets that can be exploited by one or more threats.
Minimizing Security Incidents
- Clearly establish and enforce all policies and procedures.
- Routinely assess vulnerabilities in your environment.
- Routinely check all computer systems and network devices to ensure that they have all of the latest patches installed.
- Establish security training programs for both IT staff and end users.
- Develop, implement, and enforce a policy requiring strong passwords.
- Routinely monitor and analyze network traffic and system performance.
- Routinely check all logs and logging mechanisms.
- Verify your backup and restore procedures.
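Two items in this guide, the weekly compressed backups under Computer Usage Guidelines and "Verify your backup and restore procedures" above, are only useful if a restore actually reproduces the data. The following is an added example written for this guide, not code from the original document or from any agency's systems: it takes a compressed backup of a folder, records a SHA-256 manifest at backup time, restores the archive into a fresh directory and compares every file against the manifest. The client folder and its two files are constructed sample data. Encrypting the archive before it leaves the premises is assumed to be done afterwards by a separate tool and is not shown here.

```python
"""Weekly backup with an integrity manifest and a restore check.

Added example, not part of the original guide. Standard library only.
Encryption of the finished archive is assumed to be applied by an external
tool afterwards; this block covers compression and restore verification.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write a compressed tar of src; return the manifest taken at backup time.
    Store the manifest with the backup so a restore years later can be checked."""
    manifest = hash_tree(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def check_against_manifest(restored: Path, manifest: dict[str, str]) -> list[str]:
    """List paths that are missing, altered, or unexpected compared to the manifest."""
    actual = hash_tree(restored)
    problems = [p for p, digest in manifest.items() if actual.get(p) != digest]
    problems += [p for p in actual if p not in manifest]
    return sorted(problems)


def verify_restore(archive: Path, manifest: dict[str, str], restore_dir: Path) -> list[str]:
    """Extract the archive and compare it with the manifest; [] means an exact restore."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12+) refuses entries that would write
            # outside restore_dir; older interpreters raise TypeError and fall back.
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)
    return check_against_manifest(restore_dir, manifest)


def run_demo() -> tuple[int, list[str], list[str]]:
    """Constructed sample: one client folder with two files.
    Returns (files backed up, problems on a clean restore, problems after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "client_records"
        (src / "notes").mkdir(parents=True)
        (src / "intake.txt").write_text("constructed sample intake form\n")
        (src / "notes" / "visit1.txt").write_text("constructed sample visit note\n")

        archive = base / "weekly.tar.gz"
        manifest = make_backup(src, archive)

        restore_dir = base / "restore_test"
        clean = verify_restore(archive, manifest, restore_dir)

        # Simulate a restore that silently changed a file: the manifest check catches it.
        (restore_dir / "intake.txt").write_text("altered after restore\n")
        tampered = check_against_manifest(restore_dir, manifest)

        return len(manifest), clean, tampered


if __name__ == "__main__":
    count, clean, tampered = run_demo()
    print(f"backed up {count} files; clean restore problems: {clean}; after tampering: {tampered}")
```

Running the restore into a separate directory, rather than over the live data, is what makes the check safe to repeat weekly; the manifest is the record that lets you prove the backup matched the source at the time it was taken.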
See also: Safeguarding and managing personal information
If you run into any issues, please email ocase@ohtn.on.ca for further assistance.
Thanks.
OCASE Support Team
1-877-743-6486; Ext. 2235