Policy Title | Information Security Policy |
---|---|
Responsible Executive | Chief Technology Officer (CTO) |
Contact | Chief Technology Officer (CTO) |
Effective Date | First version: October 21, 2020 |
Last Update | September 18, 2021 |
The purpose of this policy is to provide a security framework that will ensure the protection of Fero’s as well as clients’ Information from unauthorized access, loss or damage while supporting the open, information-sharing needs of the business. The Information may be verbal, digital, and/or hardcopy, individually controlled or shared, stand-alone, or networked, used for administration, research, teaching, or other purposes. Standards and procedures related to this Information Security Policy will be developed and published separately.
Failure to comply with this policy may subject you to disciplinary action and to potential penalties.
The Information Security Policy applies to all Fero staff, as well as to any contractors, partners, vendors, or client representatives acting on behalf of Fero through service on groups such as task forces, project teams, and management committees (for example, the Project Management Office (PMO), or User Research Groups). This policy also applies to all other individuals and entities granted use of Fero and client Information, including, but not limited to, contractors, temporary employees, and volunteers.
Authorization – the function of establishing an individual’s privilege levels to access and/or handle information.
Availability – ensuring that information is ready and suitable for use.
Confidentiality – ensuring that information is kept in strict privacy.
Integrity – ensuring the accuracy, completeness, and consistency of information.
Unauthorized access – looking up, reviewing, copying, modifying, deleting, analyzing, or handling information without proper authorization and legitimate business need.
Information – information that Fero collects, possesses, or has access to, regardless of its source. This includes information contained in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation.
Fero appropriately secures its information from unauthorized access, loss or damage while supporting the open, information-sharing needs of our business and our clients.
All Fero and client Information is classified into one of four levels based on its sensitivity and the risks associated with disclosure. The classification level determines the security protections that must be used for the information.
When combining information, the classification level of the resulting information must be re-evaluated independently of the source information’s classification to manage risks.
The classification levels are:
The following Information is classified as Restricted:
This security policy requires that unauthorized access to any Restricted information must be reported to the clients or any appropriate external agency or agencies. All reporting of this nature to external parties must be done by or in consultation with the Fero and Clients’ senior management.
Sharing of Restricted information within Fero may be permissible if necessary to meet the Fero and clients’ legitimate business needs. Except as otherwise required by law (or for purposes of sharing between law enforcement entities), no Restricted information may be disclosed to parties outside Fero, including contractors, without the proposed recipient’s prior written agreement
The Information is classified as Confidential if it falls outside the Restricted classification but is not intended to be shared freely within or outside Fero due to its sensitive nature and/or contractual or legal obligations. Examples of Confidential Information include all non-Restricted information contained in personnel files, misconduct and law enforcement investigation records, internal financial data, or any other pertinent client information.
Sharing of Confidential information may be permissible if necessary to meet Fero’s legitimate business needs. Unless disclosure is required by law (or for purposes of sharing between law enforcement entities), when disclosing Confidential information to parties outside Fero, the proposed recipient must agree
Any Information is classified as Unrestricted Within Fero if it falls outside the Restricted and Confidential classifications but is not intended to be freely shared outside Fero. One example is the clients’ business processes.
The presumption is that such information will remain within Fero. However, this information may be shared outside of Fero if necessary to meet Fero’s legitimate business needs, and the proposed recipient agrees not to re-disclose the information without Fero’s consent.
The Information is classified as Publicly Available if it is intended to be made available to anyone inside and outside of Fero.
All Fero employees, consultants, and others granted use of Fero and client Information are expected to:
At a minimum, the Information Security Policy will be reviewed every 24 months.