Information Security Policy - FAQs


Questions

Answers

Who does the Information Security Policy (ISP) apply to?

All government personnel. (Personnel includes employees and other individuals, e.g., contractors, consultants, volunteers and third-party organizations.)

Is the Information Security Policy based on a standard?
Yes. The ISP is a comprehensive security policy based on the international standard ISO/IEC 17799:2005. This standard is used by many agencies around the world.
Wikipedia - ISO/IEC 17799:2005
Is there other government policy about information security?
The Information Security Policy is a supplement to Chapter 12, Information Management and Information Technology Management, of the government Core Policy and Procedures Manual (CPPM). There are also references to information security in Chapter 15, Security.
Is the policy regularly reviewed and revised?

Yes. There is an annual review process (ISP 1.1.2b) that is completed by the Information Security Branch, Security Strategies Unit. Revisions are logged over the year then discussed and reviewed. There is a defined policy review process that enables stakeholder feedback.

Once the Office of the Chief Information Officer (GCIO) provides signoff on the revisions, the Information Security Policy is distributed and posted to the web.
http://www.cio.gov.bc.ca/services/security/ISP.asp

Will awareness and training programs be provided for the new policy?

The Information Security Branch has delivered a number of presentations regarding the policy and security awareness. Education and awareness of the policy is also the responsibility of each organization (ISP 2.1.1d) and Human Resources (ISP 4.2.2). Policy Summaries have been created to help personnel and management understand their roles and responsibilities in policy subject areas.

What is a 'Policy Summary' and where can I get them?
Policy summaries were created to highlight and provide guidance on specific subject areas of the Information Security Policy. Some of the subjects covered are Media Handling, Wireless Networking, Security Review and Audit, Working from Home and Access Control, etc. There are thirty-one summaries; the first eight are published, with the remainder in pre-publishing review. The summaries are available on the Information Security Policy web page.
Has anyone started using the Information Security Policy?

The policy has been distributed to all ministries and is in use. The policy has also been shared with select vendors entering into contract negotiations with the Province so that the new security requirements could be identified.

Is the policy effective immediately?

Yes. However, it is understood that ministry time and resources will be required to develop and implement the necessary local policies, procedures and processes to ensure business operations comply with policy requirements. It is also recognized that similar effort will be required to implement changes within the technical environment, application coding, operating systems, etc. to meet requirements.

The Information Security Branch, Office of the Chief Information Officer, has developed a Compliance Program to measure corporate compliance with the policy. This includes doing compliance reviews and using monitoring programs to ensure accountability for the security of government’s information and technology resources.

What is the timeline for implementing all of the Information Security Policy?

The Information Security Branch has developed and is improving upon a compliance program to measure and report compliance with the Information Security Policy. Ministries will be able to plan for the implementation of the policies in their budget planning cycle.

Who is responsible for implementing the new policy?

As with other corporate policies, each ministry will need to determine how to incorporate the Information Security Policy into their business operations.

The Office of the Chief Information Officer is responsible for the corporate implementation of the Information Security Policy.

Who do I contact if I have questions or want more information?
Your ministry will have a Ministry Information Security Officer (MISO). Contact your MISO first regarding any general questions you have regarding the protection of information.

Content interpretation, clarification or general security assistance:
Information Security Branch, Office of the Chief Information Officer
Lori Bulmer - Director, Security Strategies
Henry Lee - Manager, Security Strategies Unit, Policy and Research

 

Last Revised: February 11, 2009