Information Management and Technology Policy Manual

Electronic Information Security Policy

1. Statement of Policy

The Government of the Northwest Territories has a responsibility to protect the rights and entitlements of the residents of the NWT and our business partners.

The Government of the Northwest Territories recognizes that the increased use of information technologies to serve the public and to record its business requires that information assets collected or made available electronically be maintained in an environment that protects the confidentiality, availability, and integrity of the information over time and through technological change.

This Policy provides direction on how the Government of the Northwest Territories (GNWT) will adhere to information security directives, standards, and procedures. This policy also sets out baseline requirements and responsibilities for the secure use of information, information systems, and technologies, in order to fulfill our mandates, support program and service delivery, achieve strategic priorities, and meet accountability obligations prescribed by both legislation referred to in this policy and legislation specific to the departments, boards and authorities.

2. Principles

2.1 Responsibility and accountability for electronic information security must be explicit;

  • Awareness of risks and security initiatives must be disseminated;
  • Security must be addressed taking into consideration both technical and non-technical issues such as human error;

2.2 Security must be cost-effective;

  • Security must be coordinated and integrated;
  • Security must be reassessed periodically;
  • Security policies, directives, and procedures must provide for monitoring, review, and a timely response; and

2.3 The monitoring and reporting on security matters is performed solely for the function and protection of the system while respecting the rights and interests of others.

This policy applies to all electronic information assets and the underlying technologies used in the creation, maintenance, processing, storing, transmission or disposition of information within or by the GNWT, Boards, Authorities, and other arms-length organizations. These organizations are required to comply with this policy when using GNWT electronic information assets to deliver their services.

Other aspects of security, including non-electronic information, fall outside this scope.

3. Definitions

Availability: refers to the assurance that information will be ready for use as expected and when required. The Territorial Archivist is empowered to ensure that records required by the Archives may not be destroyed; however, the approval to destroy government records still resides with the Deputy Head of each department.
Baseline security requirements are mandatory provisions of the Government Electronic Information Security Policy and its associated operational standards, procedures and technical documentation.
“Corporate CIO” is the Government of the NWT Office of the Chief Information Officer.
Confidentiality: refers to the attribute that information must not be disclosed to unauthorized individuals, because of the resulting injury to GNWT or other interests, with reference to specific provisions of the Access to Information and Protection of Privacy Act.
Electronic Information Assets: refer to the information and information technology assets used to support the delivery of government programs and services, and are comprised of the following:
  • “Electronic information” refers to the data and information held by the Government of the NWT and its boards and agencies, used in the management planning and delivery of its programs and services on behalf of the residents of the Northwest Territories.
  • Information technology assets: are the user devices, computer hardware, software, and networks that are used to store, process or transmit electronic information.
Integrity: refers to information being complete and accurate with no unauthorized alterations. Information can be altered and retain its integrity provided the alterations are allowed by policy, are authorized, and are documented.
Threat Risk Analysis (TRA): performed to assess the risks and threats to electronic information assets. The TRA recommends how to minimize, avoid and accept risk.

4. Responsibilities

Informatics Policy Council (IPC)

The Financial Management Board established the Informatics Policy Council. This Policy is issued under the authority of the IPC.

  • The authority to make exceptions and approve revisions to this Policy rests with IPC.
  • Nothing in this Policy shall, in any way, be construed to limit the prerogative of the IPC to make decisions or take action respecting information or information technology security, outside the provisions of this Policy.

IPC members, at minimum, should include:

  • The Secretary of the Financial Management Board (Chair);
  • The Deputy Minister of Public Works and Services;
  • The Deputy Minister of Education, Culture and Employment; and
  • Two other Deputy Ministers or equivalents on a rotational basis.

The Corporate Chief Information Officer (CIO)

Is responsible for ensuring that GNWT continues to meet its legal and fiduciary obligations by:

  • Maintaining this policy by bringing forward any revisions to IPC;
  • Recommending new or updated security standards and guidelines in compliance with this policy to IPC; and
  • Annually reporting to IPC on the status of compliance and implementation of this policy.

The CIO will:

  • Communicate baseline security requirements to all stakeholders;
  • Produce corporate technology security standards;
  • Review all threat and risk assessments for consistency, compatibility and completeness;
  • Review information security classifications for consistency and compatibility; and
  • Authorize the implementation of corporate security measures.

The Technology Service Centre (TSC)

Is responsible for ensuring:

  • Operational controls are adequate and compliant with corporate standards and consistent with the best practices established in “Government of the Northwest Territories, Standard of Best Practice for Information Security Management”;
  • Ongoing monitoring of unauthorized or inappropriate network or system access to enable detection of security incidents;
  • The necessary tools exist to address the baseline security requirements for the configuration, administration, operation, and maintenance of the network, in addition to the OCIO; and
  • Compliance with this policy in addition to the CIO.

Employees of the GNWT and its Boards, Authorities and other arms-length organizations

Are responsible for:

  • Understanding the privacy and security implications of their position within the government and complying with the security requirements identified by the GNWT Code of Conduct, the Network and Acceptable Use Policy, and the Directive on Managing Email; and
  • Not engaging in activities (for example, using unsecure storage devices and downloading malware) that may compromise the security of electronic information assets of the GNWT.

Departments, Boards, Authorities, and other arms-length organizations

Are responsible for:

  • All elements of information security in their custody or control, including provisions for contracted services and acceptance of residual risks. This includes:
    • Conducting threat and risk assessment and data classification for all information assets;
    • Implementing appropriate security measures to protect the integrity, availability, and confidentiality of the information contained within the asset, consistent with those published in the GNWT’s Standard of Best Practice for Information Security Management; and
    • Formalizing their security measures in written document revisions.

Departments must maintain electronic information assets in their custody or under their control in a way that is consistent with this policy and complies with the Access to Information and Protection of Privacy Act, the Archives Act, the Financial Administration Act, and all other GNWT legislation and policies.

5. References

  • FAA
  • ATIPP
  • Archives Act
  • Code of Conduct
  • Management of Electronic Information Policy
  • Threat Risk Analysis
  • Incident Handling Directive (Internal)
  • Access Control Directive (Internal)
  • Directive on Managing Email
  • Electronic Security Information Standards