Information Security Policy

Effective Date: December 6, 2021

Purpose

The Toronto Public Library (“the Library” or “TPL”) is committed to achieving a safe and secure IT environment, including a targeted level of protection from internal and external cyber security threats.

This policy outlines the roles and responsibilities for the security of information, including governance, training and awareness, technical security systems, and monitoring of the Library’s information security program, to ensure a safe and secure IT environment that minimizes the risk of cyberattacks. Policies and procedures will be aligned to federal, provincial, and municipal principles. This includes adherence to relevant legislation (such as the Municipal Freedom of Information and Protection of Privacy Act) and to industry best practices.

Accordingly, the Library will implement ongoing governance, policies, practices, and security controls that address the following objectives:

  • Ensure the protection of the Library’s data and information assets;
  • Establish controls for protecting the Library’s information and information systems against theft, abuse, and other forms of harm or loss;
  • Meet the confidentiality, privacy, integrity, and availability requirements of the Library’s employees, contractors, vendors, and other users;
  • Ensure business continuity, including the recovery of data and operational capabilities in the event of a security breach;
  • Motivate administrators and employees to maintain the responsibility for, ownership of, and knowledge about information security;
  • Ensure that external service providers are made aware of, and comply with, the Library’s information security needs and requirements and continuously assess whether they maintain an acceptable security posture;
  • Balance the need for the above with the investment and policy constraints required to achieve an appropriate level of protection while maintaining business agility; and
  • Ensure compliance with all applicable laws, regulations, and the Library’s policies, controls, standards and guidelines.

Scope

This Library Information Security Policy applies to:

  • All information, information technology assets, including data and facilities owned and managed by the Library (both on premise and offsite);
  • All permanent and temporary employees and agents of the Library;
  • All contractors and suppliers, including computer software, hardware and application vendors, dependent contractors, professional services, and IT services vendors;
  • Other users of the Library’s IT assets wherever they may be located; and
  • All technology, including free, procured, trial/ promotional, and open source.

The policy covers governance, policies, standards, practices, and controls for information security, including cybersecurity.

Underlying Principles

Information management and protection of the Library’s assets is critical to TPL’s achievement of its vision, mission, strategic priorities, and digital strategy. TPL’s security practices are in alignment with the value of intellectual freedom, and respecting an individual’s right to privacy and choice in accessing Library programs and services.

Information is a vital asset to the Library, which relies heavily on it for the delivery of services and the management of resources. As such, the Library recognizes the importance of protecting information in its custody from unauthorized access, modification, disclosure or destruction. It also recognizes the urgency of safeguarding the Library against cyber attackers who intend to steal, alter, and/or destroy data and/or assets.

Policy Statement

The Library will enable excellent and responsive Library services through the protection of staff, suppliers, and customers by maintaining the confidentiality, availability, integrity, and security of the Library’s information assets.

The Library adheres to industry standards and best practice and reasonably provides safeguards against accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to Library data.

Through an enterprise-wide IT Security, Risk and Governance Program, the Library will apply security frameworks, standards, protective and detective practices and controls to predict, identify and address threats to information security and enable the Library to operate securely and meet its digital service delivery commitments.

The Chief Information Officer (CIO) will provide corporate direction and oversight for developing and implementing the IT Security, Risk and Governance Program.

Compliance with this policy and its standards will be monitored. Anyone who observes non-compliance with this policy must immediately report it to their supervising manager, the Manager of Human Resources, and the Manager, IT Security and Enterprise Architecture. A breach of this policy may be a serious offence and will result in consideration of appropriate sanctions, up to and including termination of employment or contract, or legal action. Exceptions to the policy will be assessed jointly by the line of business Director and the CIO. Any permitted exception will be risk-assessed and reviewed on an annual basis.

All employees, agents of the Library, contractors, and customers using the Library’s IT assets have a duty to take reasonable precautions to protect the Library’s information assets and to adhere to this policy and its standards, practices and controls. Specific directives regarding the following are outlined in this policy:

  • Personnel Security
  • Physical Security
  • Security Operations
  • Access and Authorizations to Information Assets
  • Computing Devices
  • Network Security
  • Cloud Security
  • Information Encryption
  • Information System Procurement
  • Risk Management
  • Incident Management

Personnel Security

This section identifies security responsibilities and management processes throughout the employment cycle.

Managers and supervisors must ensure:

  1. During employment, employees are informed about the information security policies and procedures, information Security roles and responsibilities, and take any relevant training;
  2. At the end of employment, employees are reminded of their ongoing confidentiality responsibilities following termination of employment in accordance with the Employee Code of Ethics;
  3. Potential or actual information security breaches are investigated and reported, and invoke incident management processes where necessary; and
  4. Contractor responsibilities for information security are identified in contractual agreements, which must adhere to the principles and intentions of this Policy.

Physical Security

This section identifies operational requirements for protecting facilities to enable IT Security.

The physical security practices will:

  1. Design, document and implement security controls for IT facilities based on an assessment of security risks to the facility;
  2. Review, and where appropriate test, physical security and environmental control requirements;
  3. Establish appropriate entry controls to restrict access to secure areas, and to prevent unauthorized physical access to information and devices;
  4. Incorporate physical security controls to protect against natural disasters, malicious attacks or accidents; and
  5. Ensure security controls are maintained when computer equipment, information or software is used outside the Library facilities.

Security Operations

This section establishes the requirements to control, monitor, and manage information security changes.

Information & Technology Services (ITS) will:

  1. Plan, document and implement change management processes to ensure changes to information systems and information processing facilities are applied correctly and do not compromise the security of information and information systems;
  2. Monitor and maintain information systems software throughout the software lifecycle;
  3. Define, document, assess, and test backup and recovery processes regularly;
  4. Implement processes for monitoring, reporting, logging, analyzing and correcting errors or failures in information systems reported by users and detection systems;
  5. Ensure operating procedures and responsibilities for managing information systems and information processing facilities are authorized, documented and reviewed on a regular basis;
  6. Establish controls to protect log files from unauthorized modification, access or disposal;
  7. Establish processes to identify, assess, and respond to vulnerabilities; and
  8. Enable synchronization of computer clocks to ensure integrity of information system logs and accurate reporting.

Access and Authorizations to Information Assets

This section identifies security roles, responsibilities and management processes relating to access and authorization controls for digital information, applications, data, and devices.

Access to digital information, applications, data and devices is granted to individuals based on business requirements and the principles of “least privilege” and “need-to-know.”

Information & Technology Services (ITS) will:

  1. Support the mechanisms that evaluate the strength of passwords and define the password change frequency for each type of application, service and device.

Managers and supervisors must:

  1. Ensure the assignment and revocation of access rights follow a formal process; and
  2. Regularly, and upon change of employment, review, and update where appropriate, employee access rights to ensure they are up-to-date.

Employees, agents of the Library, contractors, and users of the Library IT assets must:

  1. Know and adhere to access and password standards and security practices; and
  2. Protect their passwords, and neither write them down nor share them.

Computing Devices

This section defines requirements for secure management of computing devices.

Information & Technology Services (ITS) will:

  1. Maintain an inventory of computing devices, including portable storage devices, and mobile devices;
  2. Validate the measures taken to protect information systems and devices as part of an enterprise risk management strategy. This includes maintaining, documenting, verifying and valuing asset inventories on a regular basis;
  3. Document the return of computing devices in the possession of employees upon termination of their employment;
  4. Remove TPL’s information from devices that are no longer needed; and
  5. Securely dispose of devices in a manner appropriate for the sensitivity of the information the device contained.

Employees, agents of the Library, contractors, and users of the Library IT assets must:

  1. Lock and/or secure unattended mobile devices and laptops to prevent unauthorized use or theft; and
  2. Ensure that information and devices are protected regardless of the type of access or the physical location of the employee.

Network Security

This section identifies requirements for the protection of sensitive or confidential information on computer networks.

Information & Technology Services (ITS) will:

  1. Document network security controls prior to commencement of service delivery;
  2. Ensure security features are implemented prior to commencement of service delivery;
  3. Document, implement and manage changes to network security controls and security management practices to protect information systems from security threats;
  4. Ensure segregation of services, information systems, and users to support business requirements based on the principles of least privilege, management of risk and segregation of duties;
  5. Ensure implementation of network controls to prevent unauthorized access or bypassing of security controls;
  6. Ensure electronic messaging services are protected commensurate to the value and sensitivity of message content; and
  7. Ensure information transfers between the Library and external parties are protected using services approved for use.

Cloud Security

The Chief Information Officer provides corporate direction and leadership on the secure use of cloud services by:

  1. Establishing policy and providing strategic direction on the use of cloud services;
  2. Establishing roles and responsibilities; and
  3. Establishing information security requirements for cloud services.

Managers must:

  1. Seek approval from the CIO and the Manager of Procurement and Contracts prior to procuring cloud services;
  2. Consider existing cloud service offerings provided by ITS prior to procuring new cloud services; and
  3. Obtain CIO approval for any exceptions to ITS service offerings and ensure cloud services align with the TPL’s architectural principles.

Information Encryption

This section defines encryption methods for improving the protection of information and for reducing the likelihood of compromised sensitive information.

The Chief Information Officer will:

  1. Provide direction and leadership in the use of encryption and create an encryption standard that sets corporate direction for the management (generating, storing, archiving, distributing, retiring and destroying) of encryption keys throughout their lifecycle; and
  2. Ensure that the use of encryption controls is commensurate with the information’s value and security classification.

Employees and contractors must:

  1. Use only encryption mechanisms that are provided or approved by the CIO.

Information System Procurement

This section defines requirements to ensure security controls are included in business and contract requirements for building and acquiring information systems, including commercial off the shelf and custom-built software.

Procurement of information systems must:

  1. Develop, implement and manage the processes and procedures necessary to ensure that information security risks and privacy requirements are taken into account throughout the systems development lifecycle;
  2. Assess business requirements and associated risks related to external party access to information and ensure that they are identified, assessed, mitigated and managed;
  3. Ensure security controls, service definitions, and delivery levels are identified and included in agreements with external parties prior to using external information and technology services;
  4. Ensure security requirements are agreed upon and documented prior to granting external parties access to information, information systems or information processing facilities;
  5. Ensure that changes to the provision of services by suppliers take into account the criticality of the information and the assessment of risks;
  6. Establish processes to manage and review the information security controls of services delivered by external parties, on a regular basis; and
  7. Apply vulnerability scanning, security testing, and system acceptance processes commensurate to the value and risks of the information system.

Risk Management

This section defines the requirements to manage IT security risk, including cyber security.

The Chief Information Officer shall develop and maintain an information security risk management methodology. The methodology will:

  1. Align with TPL’s enterprise risk management policy, rating risks by probability and impact;
  2. Describe TPL’s position with respect to IT security risk;
  3. Scale the degree of protection to the risk rating, so that IT assets with very high security risk receive stronger security controls than IT assets with a lower risk rating; and
  4. Maintain a risk registry that will report on TPL’s IT security risk posture.

IT Incident Management

This section defines the requirements to report, respond, and recover from IT Security Incidents.

The Chief Information Officer shall develop and maintain an incident response and recovery methodology. The methodology will:

  1. Describe the process for reporting a suspected IT security breach;
  2. Describe the process for preparation, detection and analysis, containment, eradication and recovery;
  3. Ensure appropriate escalations and reporting of major incidents;
  4. Conduct post-incident assessment and address improvement recommendations; and
  5. Maintain an incident log that informs reporting on TPL’s IT security risk posture.

Compliance Management

This section defines the requirements to support TPL’s compliance requirements.

The compliance management methodology will:

  1. Align IT security controls with the requirements of TPL’s compliance practices; and
  2. Address changes to the compliance requirements.

Accountability

The Director, Digital Strategy and Chief Information Officer is responsible for overseeing the implementation of, and adherence to, this Policy.

Chief Information Officer (CIO)

The CIO provides vision and leadership for developing and implementing the IT Security, Risk and Governance Program.

The accountabilities of the CIO include:

  • Set strategy for the information security program consistent with the corporate strategic plan, Digital Strategy and IT Strategy;
  • Provide governance over the information security program;
  • Deliver cyber risk management advice and cyber and digital security solutions;
  • Align with the Policy, Planning & Performance Management (PPPM) department to ensure that security controls support the Privacy policy;
  • Report to the Board on a regular basis regarding information security risk and major cyber security incidents;
  • Maintain relationships with local, provincial, and federal law enforcement and other related government agencies; and
  • Validate the integrity of the information security program through independent security audits.

Manager, IT Security and Enterprise Architecture

The Manager, IT Security and Enterprise Architecture develops, implements and administers the IT Security, Risk and Governance Program, and will:

  • Provide information security governance to ensure that controls are functioning;
  • Provide security awareness training for the enterprise;
  • Develop and maintain enterprise architecture standards, including information security standards;
  • Co-ordinate information security risk assessments and audits;
  • Lead implementation of the Cybersecurity plan, including incident response and recovery;
  • Lead the investigation of information security incidents;
  • Support completion of Privacy Impact Assessments for new projects or programs;
  • Design security controls for current and new systems;
  • Provide security assurance;
  • Remain current on information security trends; and
  • Continuously improve and maintain the Security program.

Appendices

Relevant Legislation

  • Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. M.56
  • Public Libraries Act, R.S.O. 1990, c. P.44

Relevant Library Policies

  • Acceptable Use of IT Resources Policy
  • Access to Information and Protection of Privacy
  • Employee Code of Ethics
  • Financial Control Policy
  • Human Rights and Harassment Policy
  • Purchasing Policy
  • Risk Management Policy
  • Signing Authority Policy

Definitions

Agent
A person authorized by a custodian to act for, or on behalf of, a custodian and not for the agent’s own purposes. For example, third party employees, contractors, and volunteers.
Assets
Information and information technology assets, including hardware, software, data, business processes and facilities, owned or managed by the Library, whether on premise or offsite. See also Digital Assets.
Audit
An independent examination of an information system and process to detect unauthorized activities.
Availability
The ability of a configuration item or IT service to perform its agreed function when required, ensuring that information, systems, and data are ready for use when needed.
Compromise
Unauthorized disclosure, destruction, removal, modification, interruption or use of assets.
Confidentiality
The protection of sensitive or private information from unauthorized disclosure.
Digital Assets
Digital Assets include hardware, software, data, and business processes.
DRP
Disaster Recovery Plan – a documented, structured approach that describes how an organization can quickly resume work after an unplanned incident. A DRP is an essential part of a business continuity plan.
Employee / agent
A Library employee, agent, contractor, volunteer, Board member, or anyone who is authorized to have access to the Library computer environment.
Integrity
The accuracy and completeness of assets, and the authenticity of transactions.
Physical security
Physical safeguards to prevent and delay unauthorized access to assets, detect attempted and actual unauthorized access, and activate appropriate responses.
Risk Assessment
A process that identifies and evaluates risks and their potential impact on an organization in quantitative and qualitative terms.
Security incident
The compromise of an asset, or any act or omission that could result in a compromise. It also includes a threat or an act of violence toward employees.

Enquiries

Director, Digital Strategy & CIO
Manager, IT Security & Enterprise Architecture
