Information Security

Purpose

To establish and outline the practices and processes that govern and keep secure all electronic accounts provisioned and maintained by the organization.

Policy statement

Access to accounts

  1. User accounts shall be provisioned for use by one (1) individual only. Shared user accounts are not permitted for individual use.

  2. Individuals shall not access user accounts for which they are not authorized.

  3. Any requests for access to user accounts by any individual other than the account holder must be authorized by the Director Unified Communications (or designate) as well as the Chief Executive Officer or President.

  4. Any requests for access to user accounts by any user other than the account holder must be supported by a written rationale.

  5. In the interest of transparency, users shall be provided with a copy of the supporting documentation used prior to their account being accessed.

  6. In the event that one or both of the individuals named in 1.3 cannot be reached, the request for access may be granted by the Chief Executive Officer AND Chairperson of the Board of Directors (or designate).

  7. To provide access to another user account, administrators shall enable mailbox and/or calendar delegation on accounts. It is prohibited to access another user’s account using direct credentials.

Passwords

  1. Users shall not share passwords with other users to provide unauthorized access to accounts.

  2. In the interest of account security, account passwords must be reset every one hundred and eighty-five (185) days.

  3. If there is reason to believe that account security has been compromised, the organization may require a user to reset the password for their account.

  4. Any password resets or account unlocks shall be made by the account holder. In the event that the account holder is not requesting the password reset or account unlock, users shall receive authorization from the account holder before submitting a request. Any requests made on behalf of the account holder shall be authorized by the Director, Communications AND the account holder or Chief Executive Officer.

  5. Requestors of password resets shall verify their identity using a method of communication for which individual ownership can be validated (e.g., district school board email address).

  6. Password resets shall not be used to access other users’ accounts; proper delegation of access protocols shall be followed.

Responsibilities

All users with accounts provisioned by OSTA-AECO shall comply with this policy.