Information Security

  • Code: CNA.BP
    Topic: Information Security
    Issue Date: 26/06/2013
    Effective Date: 25/06/2013
    Review Year: 2020

Purpose

To ensure that information and information systems are adequately protected against damage, loss, and unauthorized use, disclosure or modification. 

When information and information systems are protected, the District is better positioned to: protect the privacy of staff and students; manage risks; preserve resources; enable innovation and provide seamless and integrated educational programming. 

All records created in the service of Edmonton Public Schools, regardless of form or creator, are the property of Edmonton Public Schools. Records are an asset and support the District's work in providing a quality education to each student to reach their maximum potential.

Definitions

District information is data in any form (physical or digital, in transmission or stored) created or captured for the purpose of Edmonton Public Schools activities in line with the District's educational mandate and Mission, Vision and Priorities. 

Information security is the protection of information from losses of:

  • Confidentiality: Information must not be disclosed, purposefully or inadvertently, to anyone who does not have authority to receive it.
  • Integrity: Information needs to be accurate and complete.
  • Availability: Information must be available when required.

Policy

The Board is committed to a district-wide, systematic and coordinated approach to ensuring the confidentiality, integrity and availability of district information assets in order to support the District's work in providing a quality education to students in a safe and secure learning environment. The Board believes that the District's approach to information security should be consistent with international standards, should enable business and educational outcomes, and expects the following principles to guide this work: 

  1. Accountability - The responsibilities and accountability of the District, its staff and all users of district information systems should be explicit. 
  2. Awareness - The District, its staff and all users of district information should be aware of the need for the security of information systems and what they can do to enhance security. 
  3. Ethics - The information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.
  4. Multidisciplinary - Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints. 
  5. Proportionality - Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm.
  6. Integration - Measures, practices and procedures for the security of information systems should be coordinated and integrated with other measures, practices and procedures of the organization so as to create a coherent system of security.
  7. Timeliness - The District should act in a timely, coordinated manner to prevent and respond to breaches of security of information systems.
  8. Reassessment - The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time. 
  9. Transparency - The security of information systems should be compatible with the legitimate use and flow of data and information in an open and accountable public institution.

Expectations

  1. The Superintendent of Schools shall ensure implementation of this policy through appropriate administrative regulations, defined and communicated processes, practices, and assignment of roles and responsibilities.
  2. The Superintendent of Schools shall notify the Board of Trustees of any significant breaches of information security in a timely fashion.

Accountability

  1. A yearly report of information security actions and issues regarding confidentiality, integrity and availability shall be completed internally, and a report of the findings presented to the Board as part of the District's annual results review.
  2. An external audit of information security shall be completed every four years, and a report of the findings presented to the Board of Trustees.

References

CN.BP Managing District Information
CN.AR Creation, Use and Maintenance of District Information
CNA.AR Security of Personal and District Information
DK.BP District Technology
HO.AR Student Records
Freedom of Information and Protection of Privacy Act
ISO/IEC 27001:2005
Provincial Approach to Student Information (PASI) Usage Agreement
Alberta Education - Student Record Regulation
School Act