Brampton Real Estate Board

Information Security Policy

 

1.0 General

2.0 Definitions

3.0 Information Security Requirements

            3.1. Privacy & Confidentiality

            3.2. BREB Property

            3.3. Identification & Authentication

            3.4. Use of BREB Computers

            3.5. Access to BREB Information or Computers

            3.6. Software

            3.7. Internet Communications

            3.8. Physical Security

            3.9. System Risk Management

            3.10. Monitoring

4.0 Exceptions to Policy

5.0 Non-compliance With Policy

Annex A - Password Standards

 

1.0 General

 

The Brampton Real Estate Board ("BREB" or "the Board") has adopted this Information Security Policy to ensure that adequate protection measures are taken to assure the confidentiality and integrity of the information held by BREB and the security of the networks and computers used to store and access that information.

 

This Policy applies to Users with respect to their access to, and use of, BREB-held information as well as access to hardware, software or network facilities owned or controlled by BREB. With respect to employees, this Policy is also to be read in conjunction with and form a part of BREB's Employee Handbook and BREB’s Director’s Guide. All new employees and contractors shall receive a copy of this Policy upon employment or engagement.


In the event of questions about this Policy, please contact:

 

Lynn M. Martin, Executive Director
Brampton Real Estate Board
10 – 35 Van Kirk Drive
Brampton, Ontario
K2C OP7

E-mail: lynn@breb.org
Phone: (905) 791-9913
Fax: (905) 791-9430


2.0 Definitions

 

"Availability" means information being accessible as required.

 

"Confidential Information" means Personal Information; BREB business, tax or accounting information; employee information and disciplinary files, and archived information pertaining to former members or employees.

 

"Confidentiality" means the restriction of access to information only to those having a business reason to have such access, as authorized by the appropriate staff person within BREB or the client concerned.

 

"Disruption of network communication" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

 

"Integrity" means the information in question has not been modified in an unauthorized manner.

 

"Internet communications" means existing and future communication protocols and services including, but not limited to, the World Wide Web; electronic mail ("e-mail"); Instant Messaging; Internet Relay Chat; any intranet that BREB may establish in the future or participate in; any proprietary data transfer protocols utilized by BREB in communications with others; File Transfer Protocol; and Usenet news groups.

 

"Member" means a salesperson, broker, firm or other type of member of BREB.

 

"Personal Information" means any information, recorded in any form, about an identified individual, or an individual whose identity may be inferred or determined from the information.

 

"Security breaches" means accessing data of which the User is not an intended recipient or logging into a server or account that the User is not expressly authorized to access, unless these activities are within the scope of regular duties.

 

"User" means (1) an individual, whether an employee, officer, director, salesperson, broker or other type of member of BREB, who creates or accesses information on a BREB-owned or controlled Computer System; or (2) a computer program or application operating on behalf of an individual or organization (e.g. an electronic agent).


3.0 Information Security Requirements

 

3.1. Privacy & Confidentiality

 

Users with access to Personal Information shall respect the confidentiality of that information and adhere to the requirements of BREB's Privacy Policy and BREB’s Employee Privacy Policy.

 

Users with access to other types of Confidential Information shall respect the confidentiality of that information and not disclose such information unless specifically authorized to do so.

 

Each User that accesses information held by BREB, whether owned by the BREB or not, regardless of form (e.g. paper or electronic) or format, shall protect that information against accidental or deliberate disclosure or destruction. Any modification of such information shall be only as authorized and required for business reasons.

 

Confidential Information shall be:

 

• Physically protected through the use of locked cabinets or offices and/or technologically protected using Computer System access controls;

• Accessible for review by employees as authorized by BREB's Executive Director;

• Corrected or marked with appropriate notation in the event inaccuracies in the information are identified; and

• Retained for such retention periods as required by law or as identified by BREB management.

 

3.2. BREB Property

 

All information and/or messages composed, sent or received using BREB’s computers are the property of BREB and may be reviewed, audited, accessed and disclosed for any purpose considered appropriate by The Executive Director. USERS SHOULD NOT HAVE ANY EXPECTATION OF PRIVACY WITH RESPECT TO SUCH MESSAGES. See also Section 3.10 Monitoring below.

 

Unless contractual or licensing arrangements govern, any data or software downloaded using Internet communications into BREB computers becomes the property of BREB and may be retained, removed or destroyed at the sole discretion of The Executive Director.

 

3.3. Identification & Authentication

 

Each User shall be assigned a unique identifier ("User ID") and will be required to authenticate themselves prior to gaining access to BREB computers or networks. Users shall not log on to BREB computers using another User's User ID. EACH USER SHALL BE RESPONSIBLE FOR ALL ACTIVITY CONDUCTED UNDER THEIR ASSIGNED USER ID.

 

Associated with each User ID will be a password used to authenticate the User prior to accessing any application, system, network or remote connection. A User shall adhere to the requirements of Annex A Password Standards. All default passwords and access codes on vendor-supplied hardware and software shall be changed prior to use by new Users and also in the event that an employee leaves the employ of BREB.

The Executive Director shall have a separate Executive Director User ID and password. Executive Director User IDs shall only be used for system administration purposes.

 

The Executive Director's User ID and password shall be changed (a) immediately upon the installation of any system and (b) immediately after use by service personnel. The Executive Director's password shall be documented and stored in a secure location.

 

Where non-specific User accounts are required, they shall be assigned to a specific User for accountability purposes. The purpose of the account shall be documented and the password associated with the account changed when a User who knows the password is no longer an employee or a contractor of BREB.

 

User IDs shall be deleted from a BREB computer upon the termination of a User's employment or, in the case of contractors, contract. User IDs that are inactive for thirty days shall be disabled and removed.

 

3.4. Use of BREB Computers

 

The BREB shall provide employees and managers, and may (but is not required to) provide other Users, with workstations for the purposes of their activities with the BREB. USERS SHALL BE RESPONSIBLE AND ACCOUNTABLE FOR THEIR ACTIONS while using BREB hardware, software or networks, or components thereof, including desktop or laptop computers or personal digital assistants (PDA's) owned, leased or controlled by BREB including, but not limited to, the MLS System.

 

Users shall use BREB computers primarily for business purposes. Limited and reasonable personal use of BREB computers is permitted provided such use:

 

a. Is not for non-BREB commercial purposes or personal gain;

b. Does not:

            1) Adversely affect the primary business use of the computer or BREB network;

            2) Conflict with a BREB business objective or policy;

            3) Consume a large amount of BREB computer resources; and

c. Complies with applicable law.

 

The Executive Director shall be solely responsible for any determination as to what constitutes limited and reasonable personal use.

 

Under no circumstances is a User authorized to engage in any activity that is illegal under the laws of Ontario and Canada while utilizing the BREB computers.

 

Users shall not harm or destroy, or attempt to harm or destroy, hardware, software or data on any BREB computer, other than their own data in the course of editing such material.

 

Users shall not load, install or activate, or attempt to load, install or activate, onto BREB computers any unauthorized hardware (including, but not limited to, modems, data scopes, line monitors, nodes, gateways or bridges of any kind) or any unauthorized software (including time-trial versions).

 

Users of BREB-owned or controlled portable devices (i.e., laptops, PDAs), if supplied with such equipment, shall not leave such equipment unattended when outside BREB offices. Information contained on such devices must be protected from unauthorized access using power-on passwords or pass-phrases and password- or pass-phrase-enabled time-out or lock-out features.

 

3.5. Access to BREB Information or Computers

 

User access to BREB information or to BREB computers shall be on an "as authorized" basis in order to accomplish BREB business objectives. Networks shall have routing controls to ensure connections and information flows do not have unauthorized access to BREB information. External users accessing the MLS System (e.g. sales agents or brokers) shall be distinguishable from BREB employees during their use of BREB computer resources. Access by external users shall be provided only for the use of the MLS System.

 

Any computer or portable device with a modem operating in "inbound mode active" (permitting external callers to connect to the device using that modem) shall not be simultaneously connected to both a BREB network and any external network. (PC Anywhere)

 

3.6. Software

 

Only software approved for deployment by The Executive Director is permitted on any BREB computer or network. Downloading software programs (e.g. screen savers, audio software and messaging software) from the Internet is not permitted. All other file types downloaded from the Internet must be scanned with anti-virus software before being stored on BREB computers. If a User has a business requirement to download software from the Internet or to otherwise load non-BREB standard software, Section 4.0 Exceptions to Policy will govern.

 

Virus detection software shall be installed and regularly updated on BREB computers and networks. Users are required to report any known or suspected virus incidents to the Executive Director.

 

Opening e-mail attachments with ".exe" or ".com" extensions (including trial versions of software) is not permitted. Any application to be purchased, whether custom-developed or commercially available, shall have authentication and access controls, and shall maintain the integrity of BREB's data.

 

Users shall report any observed or suspected software malfunctions but shall not attempt to remove the software in question unless authorized to do so.

 

3.7. Internet Communications

 

BREB may provide all Users with Internet access for business and limited personal purposes. BREB may also provide e-mail addresses with "@breb.org" to employees. Accordingly, the use of BREB resources that identify a user with BREB must be done in a manner that reflects well on the organization. All access to the Internet shall be done via approved BREB gateways and in a manner consistent with this Policy. Employees must understand that Internet access is to be treated as a privilege that may be revoked at any time in the event of a failure to comply with this Policy. Withdrawal of access to the BREB network or the Internet may occur whether or not disciplinary action is taken.

 

Employees are responsible for exercising good judgment regarding the reasonableness of personal use of BREB's computers. In the absence of applicable BREB policies or if there is any uncertainty, Users should consult the Executive Director.

 

The following system and network activities are expressly prohibited:

 

1. Installing or distributing "pirated" or other software products that are not appropriately licensed for use by BREB;

2. Copying and/or distributing material not authorized by The Executive Director including, but not limited to, music, text or photographs from magazines, books or other copyrighted sources;

3. Providing information about, or lists of, BREB employees to parties outside BREB;

4. Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.);

5. Using a BREB computer to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws under the laws of Ontario and Canada;

6. Making fraudulent offers of products, items, or services;

7. Making statements about warranty, express or implied, unless it is a part of normal job duties;

8. Causing security breaches or disruptions of network communication;

9. Intercepting data not intended for the User's host computer, unless this activity is part of the employee's normal job/duty;

10. Circumventing User authentication or security of any computer or network account;

11. Interfering with or denying service to any user other than the User's host (for example, denial of service attacks);

12. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a User's use of a computer; and

13. Exporting or importing software, technical information, encryption software or technology, in violation of applicable Canadian import and export control laws.

 

The following communication activities are strictly prohibited:

 

1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material;

2. Harassing BREB employees or employees of members or third parties via email, telephone or paging, whether through language, frequency, or size of messages;

3. Forging email header information;

4. Soliciting email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies;

5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type; and

6. Posting the same or similar non-business-related messages to large numbers of newsgroups or web sites.

 

Users may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

 

3.8. Physical Security

 

Computers located within BREB are to be located in areas that have appropriate physical security controls, including but not limited to, keys or combination locks, access logs and alarms. Users whose employment or contract is terminated shall return all keys assigned to them. A log of office keys shall be maintained by the Executive Director, who shall also have responsibility for the issuance and retrieval of keys.

 

Storage media shall be protected from environmental threats such as temperature, humidity and magnetism. All media containing Confidential Information shall be sanitized or destroyed before release for disposal to ensure that data recovery from such media is not possible.

 

Equipment shall not be removed from the BREB offices or facilities without permission from the Executive Director.

 

3.9. System Risk Management

 

Any new computer system or modification to existing BREB computers or network shall be assessed for risk prior to deployment. Such a risk assessment shall examine any potential consequences of a loss of confidentiality, integrity or availability of BREB information or other assets, and the realistic likelihood of a loss occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented. This risk assessment may be completed by the Executive Director, or such person(s) as the Executive Director believes appropriate to conduct such an assessment.

 

3.10. Monitoring

 

The BREB reserves the right to monitor computers or networks to ensure compliance with this Policy. For security and network maintenance purposes, authorized individuals within BREB may monitor and access equipment, systems and network traffic at any time. Such access may include:

 

• User level and/or system level access to any computing or communications device;

• Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on BREB computers or property;

• Access to work areas (offices, desk areas, storage areas, etc.).

 

For BREB computers important to the activities of BREB, at a minimum, the following information shall be recorded either electronically or manually:

• Login and logout attempts;

• Unauthorized attempts to access system files;

• Attempts to create, remove, set passwords or change the system privileges of the Executive Directors;

• System alerts or failures; and

• System configuration changes and maintenance information.

 

All logs, whether electronic or manual, must contain the date and time of the event and the User ID which caused the event, and are to be reviewed, at a minimum, on a monthly basis.

 

Where a computer records information that is required to be logged and operates a clock, that computer's clock should be set, as required, to Standard Time or Daylight Saving Time in Ontario. Computer system clocks shall be checked every 60 days as to their accuracy.

Logs are to be protected against unauthorized changes or operational failures (e.g. logging media exhausted; failing to record events or overwriting itself).

Monitoring tools and systems audit processes are to be configured so as to only allow designated personnel to change such tools and processes.

Audit logs shall be archived monthly and retained according to BREB's Records Retention and Destruction Policy.

Security processes and controls are to be audited annually.

 

4.0 Exceptions to Policy

 

Exceptions to any policy requirement stated in Section 3 may be permitted if:

 

• An appropriate business reason is provided;

• The request is approved by the Executive Director; and

• The User making the request accepts all responsibility for any additional risk created by the exception.

 

5.0 Non-compliance With Policy

 

While records of communications can be created for monitoring and review purposes, BREB will not actively monitor the communications of Users. However, the BREB may do so upon suspicion or evidence of a breach of any law or the BREB policy and any past communication may be examined in the course of an investigation of a security breach or in the course of disciplinary action. See Section 3.2.

 

Any User who disregards, disobeys, disables or circumvents any element of this Policy or any security mechanism, or who attempts to do so, shall be subject to disciplinary action, up to and including termination of employment or, in the case of contractors, termination of contracts. Users should also note that, if circumstances warrant, an incident may be referred to the appropriate authorities for prosecution.


BREB reserves the right to restrict any User's access to BREB information or computers.

 

Agreements with external vendors or suppliers shall require compliance with this Policy in the event of use of BREB computers or networks by such vendors or suppliers, or employees or agents thereof.


Annex A - Password Standards

 

Passwords should never be written down or stored on-line.

 

Do not use the same password for BREB accounts as for other non-BREB accounts (e.g., a personal SP account).

 

Where possible, don't use the same password for different access needs within the BREB systems. For example, select a separate password to be used to access the MLS system.

 

All passwords are to be treated as sensitive, Board Confidential Information.

 

Do not hint at the format of a password in any conversation or communication (e.g., "my family name").

 

Do not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger).

 

Do not reveal a password:

            a) Over the phone to ANYONE;

            b) In an email message;

            c) In front of others;

            d) To family members or co-workers; or

            e) On questionnaires or forms.

 

All passwords are to be logged with the Executive Director. In the event of the need to change a password, employees will make that change with the Executive Director prior to making any changes on the computer system.