Information Security Policy

Windsor, Ontario

This is the exact embedded text of the captured official document. Snapshot b475301ea94e · verified 2026-06-10 · original document · archived snapshot · unofficial consolidation, the official version is held by the municipal clerk.

Information Security Policy Page 1 of 2 THE CORPORATION OF THE CITY OF WINDSOR POLICY Service Area: Corporate Services Policy No.: CS.A5.07 Department: Information Technology Approval Date: May 28, 2007 Division: Approved By: CR 210/2007 Effective Date: May 28, 2007 Subject: Information Security Policy Procedure Ref.: Review Date: March 25, 2018 Pages: 2 Replaces: Prepared By: Steve Francia Date: 1. POLICY 1.1 Information, in any way it is produced, kept, transported, or used, is a valuable asset of the Corporation of the City of Windsor ("Corporation") and must be protected. 1.2 Information assets include all categories of electronic information, records, files, databases, software, and equipment. 1.3 The Chief Administrative Officer shall ensure rules governing information security are developed and enforced. 2. PURPOSE The purpose of this Policy is to: 2.1 Establish clear responsibility and authority for protecting information assets. 2.2 Ensure operational continuity. 2.3 Minimize damage to information assets and technology systems from security incidents. 2.4 Effectively manage the risk of security exposure within technology systems. 2.5 Alert users of their responsibility for protecting information assets. 2.6 Ensure that this Policy, along with the Corporation's Acceptable Use Policy, combine to create a comprehensive policy framework for protecting information assets and technology systems. 3. SCOPE This Policy applies to: 3.1 All of the employees of the Corporation, elected officials, contractors, consultants, and all other individuals affiliated with third parties who access, either from internal or external locations, any of the corporate-owned information assets, network facilities, and technology systems, or any outsourced data or applications run by third parties on behalf of the Corporation, collectively known as the user. 3.2 Technology systems for which the Corporation has administrative responsibility. It encompasses all electronic information created, processed or used in support of the Corporation's activities and services, regardless of the form or format. Controls over access to information are provided by a combination of adequate security Information Security Policy Page 2 of 2 applied to the physical infrastructure, computer and network systems, remote access capabilities, and applications. 4. RESPONSIBILITY The following is a description of the organizational structure charged with the responsibility for administering this Policy: 4.1 Chief Administrative Officer (CAO) The CAO shall ensure rules governing information security are developed and enforced. The CAO shall ensure that this Policy is reviewed at least once every 4 years. 4.2 Corporate Technology Advisory Group (TAG) The TAG is the executive level committee that oversees the Corporation's information security policies and plans, and recommends changes to the Information Security Policy to City Council. This committee has the authority to approve information security rules that support this Policy. The members of TAG include the Corporate Leadership Team, Executive Director of I.T., City Solicitor, and are chaired by the Chief Administrative Officer. 4.3 Information Owner The Information Owner is the management level individual of the service area, department or division that is responsible for creating or updating the information and whose business function the information asset supports. The Information Owner is ultimately responsible for approving a user's access rights to the information asset. The Information Owner is also responsible for contingency planning. 4.4 Information Technology Department The Information Technology department identifies information assets. They conduct assessments of the information assets with the Information Owner. They maintain a record of the assessments. They must train users in their responsibility for protecting information assets. 5. GOVERNING RULES AND REGULATIONS 5.1 Referenced or Governing Policies, Regulations, and Legislation 5.1.1 City of Windsor - Acceptable Use Policy 5.1.2 Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), R.S.O. 1990, c. M.56, and amendments thereto. 5.1.3 Personal Information Protection and Electronic Documents Act (PIPEDA), [2000, c. 5], and amendments thereto. 5.1.4 The Criminal Code, [R. S., 1985, c. C-46], and amendments thereto.