Sources Community Resources Society Policy and Procedure Manual

SECTION 11
POLICY AND PROCEDURE MANUAL
INFORMATION TECHNOLOGY
Sources Community Resources Society Policy and Procedure Manual. Created: 2015. Revised: 2019; 2023. Section 11: Information Technology. Page 11-2.

TABLE OF CONTENTS

11. INFORMATION TECHNOLOGY ... 3
11.1 Purpose (2019) ... 3
11.2 Policy (2019) ... 3
11.3 Roles and Responsibilities (2019) ... 3
11.3.1 Program Managers ... 3
11.3.2 Information Technology Officer ... 3
11.3.3 IT Administrators ... 4
11.4 Acceptable Use Policy ... 4
11.4.1 Waiver of privacy ... 4
11.4.2 Personal Use ... 4
11.4.3 Unauthorized activities ... 4
11.4.4 Use of Sources Cell Phones ... 5
11.5 Data security (Revised 2019) ... 6
11.5.1 Data Ownership ... 6
11.5.2 Data Confidentiality Levels ... 6
11.5.3 Passwords ... 7
11.5.4 Securing Computers that are Not in Use ... 8
11.5.5 Security While Off-Site ... 8
11.5.6 Electronic Transmission of Confidential Information (Rev. 2015) ... 9
11.5.7 Printing or downloading data (2019) ... 10
11.5.8 Equipment and Data Disposal ... 10
11.5.9 System Backups ... 11
11.5.10 Confidentiality/Security Breaches ... 11
11.6 Disaster Recovery ... 11
11.7 Subscription Software Management (New 2023) ... 12
11.8 Electronic Device Return from Departing Employees (New 2023) ... 13
11.9 Use of Personal Electronic Devices (New 2023) ... 13
11.10 Online Communications (2021) ... 14
11. Information Technology

11.1 Purpose (2019)

1. To provide Sources staff with the appropriate terms, conditions, and restrictions on the use of information technology at Sources.
2. To protect the integrity, security, and confidentiality of data and/or information stored on Sources computing systems.
3. To define authorities, responsibilities, and accountabilities for information resources and information systems security.

Inappropriate use can expose Sources to various risks such as virus or malware attacks, compromise of network systems, client data leaks, and legal issues.

11.2 Policy (2019)

Sources shall commit appropriate resources, equipment, and personnel to the protection of privacy and compliance with the Freedom of Information and Protection of Privacy Act and other relevant legislation. All members of Sources, affiliates, and third parties will comply with this IT security procedure and, where appropriate, compliance will be monitored.

11.3 Roles and Responsibilities (2019)

11.3.1 Program Managers

Program Managers are responsible for:
• The effective management of information and technology throughout their departments,
• IT onboarding and training of new employees (peer training),
• The sound implementation of investment decisions in the management of information and technology.

11.3.2 Information Technology (I.T.) Manager

The I.T. Manager oversees all aspects of I.T. across Sources and, as applicable, the subcontracting of the organization’s information and technology management.
11.3.3 IT Administrators

Any staff administering a Sources database or server must ensure the protection of information and must not abuse their elevated privileges.

11.4 Acceptable Use Policy

11.4.1 Waiver of privacy

All electronic communication systems and information transmitted by, received from, or stored in electronic systems are the property of Sources. There is no expectation of privacy in connection with the use of any of Sources’ equipment or with the transmission, receipt, or storage of information. Equipment may be monitored at any time at the Society’s discretion. Such monitoring may include viewing emails entering, leaving, or stored in electronic systems, listening to voicemail, and reviewing text messages in the ordinary course of business, with due regard for client confidentiality.

11.4.2 Personal Use

Sources’ computer systems are for Society-related business. Reasonable personal use, outside of scheduled work hours, is permissible provided it does not consume resources, interfere with worker productivity, or interfere with any Society business.

11.4.3 Unauthorized activities

The use of the Society’s resources, including electronic communications, should never create either the appearance or the reality of inappropriate use. Viewing pornography, hate propaganda, or illegal or illicit content is prohibited. Users must exercise good judgment when using internet and e-mail services.

a. No downloading or sending of non-business-related data
Downloading files from the internet is acceptable; however, downloading or sending files should be limited to tasks which relate directly to the business of Sources.
b. Downloading/installation of software
Downloading or installation of application software requires review and approval from the IT Manager, or from an Executive Director who has reviewed the request with the IT Manager. Such software may contain embedded viruses, may be untested, and may interfere with the function of standard company applications.

c. Participation in web-based surveys and newsgroups
When using the internet, the user implicitly involves the Society in their activities. Therefore, users should not participate in online surveys, lists, newsgroups, or interviews without prior authorization.

d. Transmittal of Society information
Confidential, proprietary, or exclusive information related to Society operations may not be transmitted (sent, forwarded, etc.) without prior approval from the Chief Operating Officer or Privacy Officer. This includes Society documents forwarded to personal e-mail accounts for later use.

e. Misuse of Sources IT devices
Mobile phones, computers, or any other technology or applications must not be used to:
- Make threats against a person or property,
- Spread false information about Sources, a Sources program, or administrative policies or issues,
- Spread or post hateful, obscene, or libelous content, and/or
- Access chat services.

Employees who violate any of the above policies may be subject to corrective action, up to and including termination of employment.

11.4.4 Use of Sources Cell Phones

Employees are responsible for any charges incurred from personal use of their Sources-issued phone. Charges for personal long-distance calls, calls exceeding allotted minutes, app downloads, games, etc. are the responsibility of the employee. Cell phone usage may be monitored (2008).
11.5 Data security (Revised 2019)

Web-based technologies and electronic communications include, but are not limited to, the organization’s own website, client databases (My Outcomes, Sharevision, Link2Feed, etc.), email, external websites, blogs, social media and networking sites, wikis, discussion forums, and photo and video sharing sites where the organization’s staff and volunteers may interact with each other or with service recipients. This policy applies to all IT-related equipment, processes, and data that belong to Sources, or are managed on its behalf, wherever accessed.

11.5.1 Data Ownership

All data collected, recorded, and produced by Sources is owned by Sources. Sources data may not be used for purposes other than those for which it was originally intended without approval by the CEO or designate.

11.5.2 Data Confidentiality Levels

The security procedures applied to a given set of information will depend on its characteristics. The following classification scheme indicates the level of protection that must be applied.

a. Sensitive
Sensitive information is accessed by a controlled group of users, with the owners’ consent, and with the highest security levels applied. This information is not to be passed on without consent and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Personal Information Protection Act (PIPA), and/or Freedom of Information and Protection of Privacy Act (FOIPPA), as appropriate to the nature of the Society’s contract with the individual. Examples of sensitive information include medical, criminal, or financial information of a personal or business-critical nature.

b. Confidential
Confidential information is personal information about an individual (e.g., name, home address, phone number, date of birth) and is to be kept secure and accessed only for Society business. It is passed on to third parties only with consent and only as required for the fulfillment of the Society’s contract with the individual. Confidential information is subject to privacy legislation (PIPEDA, PIPA, and/or FOIPPA).

c. General
General information does not contain any personal information and is not restricted by anything other than section 10.4 of this policy manual, which permits only the CEO (or designate) to comment publicly on the affairs of the Society.

11.5.3 Passwords

Passwords are the key to many systems and applications. A password helps to prove identity, ensure personal privacy, and protect the security of the data being accessed.

a. Strong Passwords (Rev. 2019)
A strong password is one that is difficult to guess. It will use a wide range of characters in an unpredictable order. A password must be at least seven characters long and must use a mixture of at least three of the following four character types:
- Upper case letters,
- Lower case letters,
- Numbers,
- Punctuation characters.

Sources policy ensures secure passwords by implementing a system that will not allow a weak password to be used and requires passwords to be reset every 90 days.

b. Password Security
Additional password security requirements are as follows:
- A good password is one that can be remembered easily and typed in quickly so that others within viewing range are unable to distinguish the password.
- Passwords must not be displayed on screens as they are entered. As an added precaution, the password display feature is inactive for all Sources devices.
- Passwords do not need to be tracked in case they are forgotten. They can be reset by the IT contractor.
- Passwords must not be disclosed to anyone.
- When allocated a new or temporary password, the user must immediately change it.

11.5.4 Securing Computers when Not in Use

When a computer is left unattended, it is essential to protect it from unauthorized viewing or access/use. For security purposes, all Sources computers are set to lock after a period of inactivity. When leaving a computer unattended in the presence of others, staff must use one of the following security measures:

a. Log Out
Logging out will prevent any access until an authorized user enters their username and password.

b. Lock the Keyboard
Locking the keyboard will prevent any access until the current user re-enters their username and password. To lock the keyboard, the user must press Ctrl/Alt/Delete and select the ‘lock’ option. To unlock the computer, the user must press Ctrl/Alt/Delete again and re-enter their username and password. The computer will resume from the point at which it was locked.

11.5.5 Security While Off-Site

Several checks must be performed when a laptop or phone is used. Data must be placed on the identified secure agency storage by accessing the agency server through remote access or, if an internet connection is not available off-site, immediately on return to the program. Once the data is saved on the server, it must be erased from the device memory.
a. Device Security
Device security is the responsibility of the user. Laptops and phones must be safely secured when not in use and must not be left unattended in a public place or vehicle.

b. Software Security
Users of agency-owned laptops must not install unapproved software. This applies to software downloaded from the internet, unlicensed or illegal software, or software obtained from any other source. Advice on installing additional software can be obtained from the IT Manager.

c. Virus Protection
All agency-owned laptops must have approved security software which includes anti-virus and anti-spyware components. The anti-virus software must be updated regularly, preferably daily, but at least once a week, by connecting the laptop directly to a network connection.

d. Password Security
All portable computing devices that contain agency information must be password protected.

e. Off-Site Access to Data (Rev. 2019)
Staff may only access data through a Sources-issued or approved electronic device. Sources’ data must not be stored on a personal device.

11.5.6 Electronic Transmission of Confidential Information (Rev. 2015)

Employees who deliver services using electronic media, including phone and computer, discuss the associated risks with service recipients.

a. Sources Email System
Employees must use only the Sources email systems for agency-related emails.
b. Incoming Messages
When using email, employees must not open messages, attachments, or any other solicitation which is unexpected or from unknown addresses, to avoid viruses or other malicious intent.

c. Outgoing Messages
Employees must carefully check email addresses before sending messages and must include a standard privacy message in their email signatures.

d. USB and Other Data Storage Devices
USB and other data storage devices are permitted for temporary storage of general Sources data only. Data classified as sensitive or confidential (see data confidentiality levels above) may not be stored on portable data storage devices unless authorized by the CEO.

11.5.7 Printing or downloading data (2019)

Employees should refrain from downloading or printing confidential or sensitive information. In the event of confidential or sensitive information being downloaded or printed, this information must be secured and destroyed as soon as it has been used. Employees are advised to keep their desks clear of any confidential or sensitive information. To maintain information security, employees must ensure printed information is not left unattended. Sources printers should not be in locations accessible by the public.

11.5.8 Equipment and Data Disposal

The agency disposes of electronic equipment in an environmentally responsible manner. Prior to disposal, a secure data erasure procedure is completed. This procedure applies to PCs, printers, hard drives, USB memory sticks, and any other devices that may potentially contain data. Such devices may contain sensitive or confidential information and must never be thrown away or given away.
Equipment must be given directly to the IT Manager for all data to be located and erased. If the equipment is to be reused within the agency, the data will be erased and the software prepared for the new user. All other hardware will be recycled by the IT Manager.

11.5.9 System Backups

System backups are important to ensure business continuity in the event of an IT equipment or software failure by providing a method of restoring systems to their pre-failure state. Backup of Sources’ server data is conducted by the IT Manager or contractor. Information stored on individual devices is not backed up; therefore all agency information is required to be on agency servers or verified/approved cloud storage.

11.5.10 Confidentiality/Security Breaches

All incidents which result in a loss of hardware, data, or any type of security breach must be reported immediately to the appropriate Executive Director. The Executive Director and Privacy Officer will investigate the incident and determine the threat to security. Reportable incidents include but are not limited to:
- Loss/theft of hardware,
- Loss/theft of software/data,
- Unauthorized access,
- Misuse of system/privileges, and
- Illegal software download.

11.6 Disaster Recovery

When an electronic system is used to store data and there is an interruption to Sources’ ability to access the system (due to power failure, technical failure, catastrophe, external threat, or other emergency), the following procedures will apply to minimize the disruption to services and operations:
a. The Program Manager (or substitute) will immediately notify the IT Manager of the problem and (if known) its cause. If the initial assessment by the Manager and/or the IT Manager identifies a complex problem, or a problem which will have a broad impact on access to data, the Executive Team will be notified.

b. While the issue is addressed, staff will, to the best of their ability, continue to deliver services to clients by accessing other forms of available data and completing required documentation using alternate means for subsequent data entry into the electronic system. Staff should not deliver services if the inability to access information presents a safety concern. In this case, the client(s) will be contacted, and service will be suspended until access to critical data is restored. Extended disruption of services to a client or group of clients must be reported to the relevant funding and/or governing body.

c. Where the IT Manager cannot resolve the data interruption within a reasonable time, Sources will request access to back-up data through the IT Manager. See Section 4.11.10 on Data Back-up. If the data interruption has also affected back-up data, Sources will follow the data retrieval procedures outlined in the relevant program(s) Emergency Response Plan.

11.7 Subscription Software Management (New 2023)

Acquisition of software through subscription or purchase requires review by, and approval of, the Program Manager, Executive Director, and the CFO. The approval process ensures that subscriptions and purchases align with the organization's goals and budget, and minimizes duplication.

11.7.1 Purchase Requests

Requests for subscriptions and purchases of software are submitted in writing and include:
• Purpose of the subscription or purchase,
• Anticipated cost and frequency of payment,
• Demonstration of the need for the subscription or purchase,
• A comparison to alternative options, if applicable.
11.7.2 Inventory

Sources maintains an up-to-date inventory of all subscriptions and management systems, including details of purpose, cost, and renewal dates. The inventory is available on request to identify preferred software, avoid duplication of accounts, review subscriptions or licenses, and ensure the software continues to meet service needs.

11.7.3 Contract Review

Subscription contracts and management system agreements are reviewed regularly by the IT and finance teams and include evaluation of continued need, cost effectiveness, and comparative pricing. Cancellation and/or replacement decisions are reached in collaboration with the primary user group.

11.8 Electronic Device Return from Departing Employees (2023)

To protect confidential information, employees in possession of Sources-owned electronic devices are required to return the devices on or before their last day of work following resignation, termination of employment, or on request from their manager. All original components and accessories must be returned with the device. Devices may include laptops, phones, and/or tablets.

11.8.1 Procedures for Return

1. Prior to return, devices must be cleared of personal accounts (unless directed not to, or if requested to return the device for an investigation), such as email, that would prevent the device from being reused.
2. Do not transfer or retain any confidential or proprietary information, including but not limited to client data, financial information, and other sensitive information. Employees must promptly notify their supervisor if they believe confidential or proprietary information has been accidentally disclosed or if they have any questions about the appropriate handling of such information.
3. All devices are returned to the IT Manager, or Program Manager, on or before the last day of employment. Devices should be returned in good working order, with all cables.
4. Departing employees who do not return Sources-owned electronic devices may be held liable for the loss and/or recovery of data, confidential information, and damage or loss of the device.
5. Review and sign-off of this policy is included in the onboarding process for employees assigned electronic devices. The HR and IT departments will monitor implementation.

11.9 Use of Personal Electronic Devices (2023)

Information collected in the course of work is owned by Sources and subject to privacy legislation. Sources-issued devices and software are equipped with stringent security features to guard against cyber attacks, data breaches, and other risks to sensitive information. Storage of confidential information must meet the requirements of the Freedom of Information and Protection of Privacy Act and the Personal Information Protection Act. Storing Sources-related data on personal devices puts Sources’ compliance with these Acts at risk.

11.9.1 Procedures

Personal electronic devices (laptops, phones, etc.) may not be used to download or store Sources-owned information, including all client-related work (i.e., client notes, files, contact information, etc.). Use of personal electronic devices for work and/or client-related activities requires pre-approval of the CEO. Exceptions will only include non-client-related purposes. Please note:
• Client-related information may only be accessed through password-protected web-based case management systems.
• Do not set passwords to auto-fill on personal devices.
• Client information must not be downloaded to personal devices.
• Always close any Sources-owned software after use.
The request and rationale for an exception is submitted in writing to the CEO through the relevant Executive Director. The exception cannot be implemented without prior approval of the CEO.

11.10 Online Communications (2021)

Sources utilizes various web-based applications to connect and communicate with our community. Platforms include websites, social media, and email marketing. Any account opened in Sources’ name, or in the name of any program, service, or event, etc. of Sources, must receive prior approval from Communications and/or the CEO. Content must comply with the Society’s privacy policies and procedures. Online communication platforms must be administered by staff with demonstrated knowledge and skills required to securely manage the platform system. Training may be provided by Communications staff or through recommended tutorials.

11.10.1 Websites

Sources maintains two websites: one for the Society and one for the Foundation. Additions and changes to the website are made through Communications. Programs may create affiliated websites with permission from the CEO and in collaboration with Communications. Content requires pre-approval, before posting, from the designated employee in charge of the website or Communications.

11.10.2 Social Media

Sources maintains accounts on Facebook, Instagram, X, LinkedIn, and YouTube. Accounts are managed and monitored by Communications. The creation of a program-specific social media account requires advance approval of the CEO and participation of Communications staff to oversee appropriate branding. Content submissions for social media posts can be sent to Communications for consideration. Hootsuite is used to plan and schedule posts. Canva is used to design posts.
11.10.3 Email Newsletters

Constant Contact is used to develop marketing materials and disseminate information to subscribers. A database of email subscribers is maintained within the platform. Communications sent out via email include the external newsletter, notification of events, RSVP management, and follow-up correspondence.

11.10.4 Other Platforms

Programs may utilize secondary platforms such as Eventbrite or Mailchimp, with permission from the CEO. A primary administrator must be identified and maintain responsibility for all login information and passwords, including changing passwords or cancelling access when necessary. Communications staff and the IT Manager must be notified and provided access to the platform for control purposes. Accounts will be closed if they become dormant or no longer serve their intended purpose.

11.10.5 Guidelines for Use

Content on web-based platforms must advance the objectives of Sources and/or its programs. The posting or dissemination of online communication must reflect the values of Sources and be inclusive of diverse audiences. Inappropriate content or use of online platforms will result in revocation of access privileges. Online communication must adhere to Sources policies on confidentiality and privacy to safeguard the dignity and safety of persons served, as well as employees, volunteers, or other associated parties. Media Consent and Release Forms must be understood and signed by individuals if any written, photographic, or otherwise identifying information is used as content. Appropriate citing of original sources of content (audio, video, images, design, text) is required. Questions regarding copyright or fair use can be directed to Communications staff.
11.10.6 Prohibited Use

Sources’ online communication platforms may not be used for:
• Unauthorized or inappropriate contact between staff and clients,
• Unauthorized or inappropriate use of Sources’ logos,
• Expressing personal views, opinions, or beliefs,
• Promotion or mention of non-Sources business, activities, or events,
• Inadvertent or deliberate disclosure of confidential or proprietary information,
• Inadvertent or deliberate disclosure of confidential information about service recipients, personnel, or other stakeholders,
• Spreading hate based on race, religion, nationality, or ethnic origin,
• Bullying or harassment,
• Promotion of controversial views, whether through posts or comment sections,
• Any purpose outside of supporting and promoting the services of Sources.