Workplace Technology Security Policy - Template Form Pro · EN-CA-law

Valid in Canada (English) · drafted to comply with local law


WORKPLACE TECHNOLOGY AND INFORMATION SECURITY POLICY

of

________

(the “Company”)


§ 1) INTRODUCTION AND EFFECTIVE DATE

a. This Workplace Technology and Information Security Policy (the “Policy”) is effective and/or last revised as of ________, and shall remain in force until amended, replaced or rescinded by the Company.

b. The purpose of this Policy is to safeguard the confidentiality, integrity and availability of the information systems and data of ________. The Company relies on its technology and systems to communicate with and serve its clients, which requires appropriate security protocols to prevent unauthorized access to confidential information and to mitigate the risk of data breaches.

c. The Company is committed to complying with all applicable federal and provincial privacy, data protection and security legislation, including with respect to the collection, use, disclosure, retention and safeguarding of personal information relating to its clients, employees and other individuals.

d. This Policy is governed by and shall be construed in accordance with the laws of the Province of ________ and the federal laws of Canada applicable therein.


§ 2) SCOPE

a. This Policy applies to all individuals who access or utilize the computing, network, communications or information resources of ________, including, without limitation, all employees (whether full-time, part-time, temporary or permanent), officers, directors, agents, consultants, independent contractors, prospective employees, secondees, volunteers and all persons affiliated with third parties (collectively, “employees” or “users”).

b. This Policy applies whether the user accesses Company resources on the Company’s premises, remotely, or through any device, and forms part of the terms and conditions of employment or engagement with the Company.


§ 3) OBJECTIVES AND COMPLIANCE

a. The primary objectives of this Policy are to ensure the cybersecurity of Company communications, to foster secure transactions among all stakeholders, to maximize organizational awareness of how to prevent and mitigate risks, to establish protocols to manage risk, and to ensure compliance with applicable legal and regulatory requirements.

b. Cybersecurity is a collective responsibility shared among all members of the organization. The prevention and mitigation of cyberattacks, vulnerabilities, information leakage, and system and network compromises require the participation of all users. The Company expects full participation and compliance from its users. Any breach of, or non-compliance with, this Policy may result in disciplinary action, up to and including termination of employment for cause.


§ 4) ACCEPTABLE USE OF TECHNOLOGY

a. “Acceptable use” refers to the Company’s criteria governing what users may do with Company hardware and software, including the use of the Internet via the Company’s networks and equipment, and access to the Company’s intranet, if any.

b. Employees shall, at all times, exercise sound judgment when using the Internet during working hours and when accessing it through the Company’s networking resources. Use of the Internet on Company hardware, whether working remotely or on-premises, shall be restricted primarily to business purposes.

c. Where access to the Internet is provided, such use shall be limited to work-related purposes and workplace productivity. Incidental personal use is permitted only during authorized breaks or as may be prescribed from time to time, provided such use does not contravene this Policy.

d. Inappropriate use of the Internet may result in disciplinary action. Prohibited use includes, without limitation, accessing explicit or unlawful content, gambling, hacking, illicit activities, cyberbullying, distributing malware or spyware, fraud and spamming. The Information Technology (“IT”) team may employ filtering and may block certain websites, working in tandem with Human Resources to make such determinations. Where an employee requires access to a blocked website for legitimate business purposes, an IT support request may be submitted.

e. The Company may monitor the Internet and technology use of its employees in accordance with applicable law and as further described in § 13 of this Policy.

f. Third-party software may be required for certain tasks. The acceptable use of such software shall be governed by the applicable licensing arrangement with the vendor or by a Software-as-a-Service agreement, including any subscription terms, whether payable monthly, annually or otherwise.

g. When accessing the Internet and using publicly available material, users shall not reproduce copyrighted material without the prior authorization of the rights holder, in compliance with the Copyright Act (R.S.C., 1985, c. C-42).

h. Private Internet browsing and personal communications should be conducted using personal devices and personal data, and not the Company’s networks.

i. Employees retain a diminished but reasonable expectation of privacy with respect to Company property and items stored on or within Company property. Company-owned hardware is subject to audit and investigation to ensure cybersecurity, workplace safety and process management. Employees are cautioned that any personal use of Company-issued hardware may be revealed during such audits and investigations.


§ 5) USER ACCESS, PASSWORDS AND CONTROL

a. Users with access to the hardware and information technology of the Company are required to review all accounts at least twice per year, or as otherwise directed by the Company.

b. All users who utilize Company devices and access the Company’s network must observe the following security measures:

  • avoid clicking on suspicious links sent by email, including spam;
  • avoid webpages lacking adequate security features;
  • refrain from accessing or executing malicious software;
  • refrain from downloading software without prior Company approval;
  • never share passwords under any circumstances, and, where there is any suspicion that a password has been compromised, immediately change the password and notify the IT department of the suspicious activity;
  • employ multi-factor authentication for all user accounts;
  • use secure encryption when transmitting confidential information by email; and
  • regularly update software and operating systems to patch and remediate security vulnerabilities.

c. Employees must ensure that hardware is password-protected and that each user account, including desktop and web-based applications, uses a unique password distinct from any other account.

d. Temporary passwords shall be issued to new users requiring access to new software or technology for their roles. Upon first successful login, users must immediately create a new password meeting the Company’s security criteria.

e. Passwords must be changed at least every six (6) months, or more frequently as the Company may require.


§ 6) MOBILE DEVICES AND REMOTE WORK

a. Use of mobile devices (including cell phones, tablets, laptops and desktops) to access workplace communications and Company data requires the prior endorsement of the Company. This subsection applies whether or not the user is telecommuting.

b. Employees using mobile devices for work shall ensure that all stored data is encrypted using Company-approved encryption software. Such devices shall be equipped with remote-wipe capability. Any lost or stolen device must be reported to management immediately.

c. Where applicable, a cloud-based virtual private network (“VPN”) shall be used to access Company information from any location, enabling the secure transmission of data between the Company and the end user.

d. Whether a device is owned by the Company or personally owned, any remote-connect system used to access the Company’s network requires the Company’s prior approval.

e. Granting family members or other members of the household access to Company software and hardware is strictly prohibited.

f. Remote employees shall use Company-approved VPN software. Any associated VPN fees shall be borne by the Company.

g. Employees using a VPN shall ensure that only the authorized employee has access to the Company’s network.

h. Subject to Company approval, personal devices used for work must be configured to the same standard as Company-owned hardware, including remote-wipe capability.


§ 7) NETWORK PROTECTION AND MANAGEMENT

a. The Company shall use segregated networks to maintain the security of information stored on its servers, and shall implement proportionate security measures as business partnerships and information sharing increase.

b. Clients or customers wishing to use Company WiFi while on the premises shall access a segregated network that is entirely separate from the Company’s primary servers holding business information.

c. Where applicable, network firewalls shall be installed and maintained. The Company shall monitor user access and network traffic, including any hybrid-cloud network, and shall monitor Company dataflow.

d. Where applicable, the Company shall employ anti-malware software and detection tools to prevent system attacks.

e. The Company may implement DNS filtering to prevent users from accessing malicious webpages or applications that could expose the Company’s systems to malware and vulnerabilities.

f. Devices connecting wirelessly to the Company network are subject to approval and oversight as set out in § 6.

g. All wireless access points on the Company’s premises must be secured.

h. The Company may, from time to time, deploy a honeypot or sinkhole to protect its network from potential cyberattacks and to divert malicious or unwanted traffic.


§ 8) INFORMATION SYSTEMS AND SUPPLY-CHAIN SECURITY

a. New information systems must be designed and implemented securely, incorporating measures such as user authentication; restriction of privileged access to limited authorized users; and the availability, confidentiality and integrity of information.

b. Where applicable, secure development and secure coding techniques must be employed.

c. Where the Company uses third-party software, it shall ensure that the third-party provider adheres to recognized security principles across all architecture layers, and that any agreement contains appropriate confidentiality, security and data-protection obligations.

d. Where the Company engages an external supplier or contractor (such as for IT infrastructure), it shall implement controls to ensure there are no network compromises or threats emanating from the supply chain, and shall monitor the work of such suppliers and contractors through appropriate supervision and contractual safeguards.


§ 9) PHYSICAL SECURITY OF PREMISES AND WORKSTATIONS

a. The premises, including any area in which Company hardware is located, shall be protected. Where applicable, server rooms shall be locked and secured daily prior to vacating the premises. Only authorized personnel may access server rooms. Access by unauthorized personnel may be granted only in the narrowest of circumstances and only for as long as is necessary (for example, to replace a failed hard drive). An entry-and-exit log must be maintained for all persons accessing such rooms, with appropriate controls to prevent tampering.

b. Rooms containing sensitive information should not be labelled in a manner that draws attention and shall be kept locked at all times except when in use by authorized personnel.

c. Where applicable, off-site backup facilities shall be secured and locked to prevent physical access to the data centre by unauthorized persons. No person other than authorized personnel shall be permitted access to a storage facility.

d. When stepping away from a workstation, whether working remotely or otherwise, employees shall ensure that their workspace does not reveal sensitive information and that confidential information is not visible on screen. Employees should activate screen lock or sleep mode when leaving a workstation, and shall, at all times, exercise sound judgment to ensure that colleagues, family members or other persons do not gain access to sensitive information.


§ 10) INCIDENT RESPONSE AND BREACH NOTIFICATION

a. Cyberattacks may be perpetrated by means of malware, IP spoofing, session hijacking, phishing, drive-by attacks, social engineering and other methods.

b. In the event of a system compromise, interception or security incident, the Company shall implement an appropriate course of action as soon as practicable to mitigate harm. Authorized personnel shall be informed immediately of any actual or anticipated threat, whether minor or significant, and shall respond in coordination with the IT department. The following personnel are designated to respond to incidents:

I. ________

II. ________

c. To neutralize a threat, the Company shall, where possible, verify all applications and change passwords, employ account-recovery options, contact financial institutions where necessary, scan hardware to detect compromises, isolate or remove affected data, and conduct security audits.

d. Authorized personnel shall promptly investigate to identify the source of the incident, devise an appropriate solution, and issue a Company-wide communication to raise employee awareness.

e. Once a solution is implemented and awareness established, the Company shall maintain a detailed record of the incident.

f. The Company’s systems shall be resilient to attacks and, where applicable, the Company shall employ redundancies so that, if one system fails, another takes over its function.


§ 11) STORAGE AND BACKUP OF INFORMATION

a. The Company shall regularly back up information using a Company-prescribed solution, with such backups being periodically tested and securely destroyed when obsolete and where legally permitted.

b. The Company may use a physical data centre or a cloud data centre to store and share data, subject to compliance with applicable data-residency and privacy requirements.

c. In the event of a power surge, power failure, media failure or force majeure, the Company shall maintain backup protocols to ensure the preservation of data.

d. The Company may use an alternative facility to hold separate copies of data so that, in the event of a disaster at the primary premises, information may be securely restored. Such measures may include redundant array of independent disks (RAID) technology via Network Attached Storage (NAS), Storage Area Network (SAN) technology, or object/cloud storage, configured according to the classification and sensitivity of the information and the scale of operations. The Company may use multiple off-site backup locations.

e. The Company may enable a hybrid-cloud network, consisting of on-premises and cloud-based technology, which the Company may select and alter from time to time.


§ 12) TRAINING AND AWARENESS

a. The Company recognizes that cybersecurity is a shared responsibility and that the effectiveness of this Policy depends on the awareness and vigilance of all users. Accordingly, the Company shall provide regular training to its employees on cybersecurity best practices.

b. Training shall include, without limitation, the identification of phishing attempts and other social-engineering attacks, safe Internet and email practices, password management, the handling of confidential information, and the proper response to suspected security incidents.

c. New employees shall receive cybersecurity training as part of their onboarding, prior to being granted access to the Company’s networks and systems.

d. The Company shall conduct periodic refresher training and may, from time to time, perform simulated cyberattacks, such as simulated phishing campaigns, to assess and reinforce employee awareness.

e. Employees are required to remain vigilant and to report any suspicious activity, vulnerability or potential security incident to the IT department without delay.

f. The Company shall maintain records of training completed and may require employees to attest to their understanding of the material covered.

g. The Company shall keep employees informed of any material changes to this Policy and of emerging threats relevant to the workplace.

h. Failure to complete required training or to comply with the practices set out in this Policy may result in disciplinary action, up to and including termination.

i. All users are expected to apply the knowledge gained through training in their day-to-day activities and to foster a culture of cybersecurity awareness throughout the organization.


§ 13) PRIVACY AND MONITORING

a. The Company collects, uses and discloses personal information only in accordance with applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act and any applicable provincial privacy statutes.

b. By accessing the Company’s systems, users acknowledge and consent that the Company may, to the extent permitted by law, monitor, access, intercept, audit and disclose data, communications and activity conducted on or transmitted through Company networks, hardware and accounts, for purposes including security, compliance, business operations and the investigation of suspected misconduct.

c. The Company shall conduct such monitoring in a manner that is reasonable and proportionate in the circumstances.


§ 14) APPLICABLE LAWS

The Company is committed to compliance with all applicable legislation, including, without limitation:

  • the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5);
  • applicable provincial privacy legislation in the Province of ________;
  • An Act to promote the efficiency and adaptability of the Canadian economy (Canada’s Anti-Spam Legislation / CASL) (S.C. 2010, c. 23);
  • the Criminal Code (R.S.C., 1985, c. C-46);
  • the Copyright Act (R.S.C., 1985, c. C-42);
  • the National Security Act, 2017 (S.C. 2019, c. 13);
  • the Communications Security Establishment Act (S.C. 2019, c. 13, s. 76);
  • the Security of Information Act (R.S.C., 1985, c. O-5);
  • applicable employment and labour standards legislation;
  • applicable intellectual property and privacy laws; and
  • applicable jurisprudence.


§ 15) AMENDMENT AND SEVERABILITY

a. The Company reserves the right, at its sole discretion, to amend, modify, supplement or rescind this Policy at any time, with such changes becoming effective upon communication to users.

b. If any provision of this Policy is found to be invalid or unenforceable, such provision shall be severed and the remaining provisions shall continue in full force and effect.

c. This Policy is not intended to alter the common-law or statutory rights and obligations of the Company and its employees, except as expressly stated, and shall be interpreted consistently with applicable employment law in the Province of ________.


§ 16) CONTACT

Should you have any questions or concerns arising from this Policy, or need to report an incident, please contact the Company using the following information:

________

________

T: ________

E: ________


§ 17) ACKNOWLEDGEMENT AND CONSENT

I have received, read and reviewed this Workplace Technology and Information Security Policy and I understand my obligations under it. I understand that failure to comply with this Policy may result in disciplinary action, up to and including termination of my employment for cause.

I understand and agree that ________ reserves the right to make changes, amendments and modifications to this Policy from time to time.

I further acknowledge and consent that ________ may, to the extent permitted by applicable law, monitor and conduct audits of its systems and Company-issued hardware to ensure compliance with this Policy.




_________________________
Employee Signature



_________________________
Employee Name (Print): ________



_________________________
Date: ________
