Province of British Columbia Information Security Policy
Office of the Government Chief Information Officer
Government is the custodian of extensive information holdings and relies upon its information assets for fiscal, policy and program delivery initiatives. The management of public information requires government to protect confidentiality, integrity and availability of the information assets in its care.
The Information Security Policy is based on the ISO 27002:2005 standard for information security management. This standard provides a structured approach to identifying the broad spectrum of information security activities in the life-cycle of information systems.
The Information Security Policy provides the framework for government organizations to establish local policies and procedures necessary for the protection of government information and technology assets. Implementation of a structured Information Security Program will provide more consistent protection of government information and technology resources.
The policies incorporate a risk assessment approach to security using Security Threat and Risk Assessments to consider:
Business process and government service delivery implications;
Technological implications; and,
Communications strategies including changes to personnel information security awareness programs.
The risk assessment approach enables:
Compliance with legislative and policy objectives;
Cost-effective allocation of resources based on a risk assessment;
Governance of the Province’s information assets; and,
Secure provision of government e-services.
The Information Security Policy includes a Glossary of key terms. The first instance of a defined term in a policy is italicized. Terms from existing policies are adopted where appropriate.
The Information Security Policy is issued under the authority of the Government Chief Information Officer. Exemptions to this policy may be granted subject to the approval of the Government Chief Information Officer. A Briefing Note, outlining the exemption required and supporting documentation for the business need, must be submitted to the Government Chief Information Officer for consideration of the exemption.
The next Scheduled Review of the Information Security Policy is December 2013. Suggested modifications will be reviewed and policies updated as required.
This version includes metrics for policy statements to facilitate compliance. It also includes changes from, and references to, new and updated standards since the last revision, including the Payment Card Industry Data Security Standard 2.0. Revisions are made to improve clarity. Broken links and obsolete references are corrected and kept current. The itemized change log is available from the Information Security Branch, Office of the Government Chief Information Officer (CITZCIOSecurity@gov.bc.ca).