CoMIS Security Policy
Alberta Solicitor General and Stakeholders
April 09/2009
Suggestions for revision or other comments concerning this document should be directed to:
CoMIS Manager
Alberta Solicitor General and Public Security Dept., Corporate Services Division, IT Branch
9th Floor North, J. E. Brownlee Building
10365 – 97 Street
Edmonton, Alberta Canada T5J 3W7
Phone: (780) 427-1190; Fax: (780) 415-2887
COMIS SECURITY POLICY
TABLE OF CONTENTS
1.
SECURITY POLICY..................................................................................................... 1
A.
B.
C.
D.
2.
Purpose .............................................................................................................................................................. 1
Objective ............................................................................................................................................................ 1
Scope .................................................................................................................................................................. 1
Acknowledgement ........................................................................................................................................... 1
SECURITY ORGANIZATION....................................................................................... 1
A.
B.
C.
3.
Department of Solicitor General .................................................................................................................. 1
CoMIS Administration .................................................................................................................................... 2
CoMIS Users ..................................................................................................................................................... 2
INFORMATION SECURITY ......................................................................................... 3
A.
B.
C.
Introduction....................................................................................................................................................... 3
Classification .................................................................................................................................................... 3
Disclosure of Information .............................................................................................................................. 4
4.
PERSONNEL SECURITY ............................................................................................ 5
5.
BREACHES OF SECURITY ........................................................................................ 6
6.
THIRD PARTY ACCESS AND ACCOUNTABILITY .................................................... 7
7.
PENALTY/CONSEQUENCE ....................................................................................... 8
Last printed 3/9/2016 1:51:00 AM
Page i
COMIS SECURITY POLICY
1. Security Policy
A. Purpose
This document provides Solicitor General Correctional Management Information System
(CoMIS) administrators and users with a framework for implementing security procedures as
part of their daily operational responsibilities.
The policy is meant to define reasonable information and information technology security
measures that foster confidence in electronic service delivery and to meet legal and practical
business obligations.
B. Objective
To ensure the appropriate safeguarding of CoMIS information, assets and operations from
loss or harm caused by deliberate or unintentional actions.
C. Scope
This policy and its guidelines apply to all CoMIS users, to all contracted services and to all
organizations that exchange information with CoMIS or have access to any component of
the system (which includes, but is not limited to, CoMIS hardware, software and related
networks). Failure to abide by this policy will be considered a breach of security.
D. Acknowledgement
This document borrows directly from British Columbia’s General Management Operating
Policy, Alberta’s Health Sector Security Policy, the Government of Alberta Information
Technology Security Policy, and the Alberta Justice Online Information System (JOIN).
2. Security Organization
This section identifies stakeholders who accept the risk and liability for security, and who have
authority for policy enforcement and granting exceptions from the policy.
A. Department of Solicitor General
Alberta Solicitor General is accountable and responsible for securing information in its
custody or under its control.
Last printed 3/9/2016 1:51:00 AM
Page 1
COMIS SECURITY POLICY
B. CoMIS Administration
CoMIS Maintenance Team - Is responsible for the following: implementing, maintaining
and enforcing the CoMIS security program; ensuring all users agree to comply with the
terms and conditions established by this policy before CoMIS access is provided;
ensuring all personnel are aware of what constitutes a security incident and the
procedures for reporting an incident; modifying and revoking access privileges to the
system and its information when employees are transferred by appointment, assignment,
secondment, or permanently leave the work environment.
Office Managers and IT Personnel – Are responsible for the following: ensuring the
safety of CoMIS personnel and continued security of protected information and assets
during and after an evacuation; ensuring restricted access zones, or secured areas, are
controlled, authorized and monitored; locating and protecting system components from
the threat of floods, earthquakes, electromagnetic interference and emanations, criminal
activity and accidents; ensuring non-requisite information and system components are
safeguarded while awaiting destruction, then appropriately destroyed.
CoMIS Management and Operations – Are responsible for the following: developing and
annually reviewing the CoMIS security program; ensuring that all breaches of security
incidents are immediately investigated, documented and reported to the CoMIS
maintenance team ensuring security logs are retained and regularly reviewed for unusual
or suspicious activity; documenting and implementing procedures and rules regarding
system changes and the issuance, change, cancellation and audit of personal identifiers;
delivering a business resumption and/or recovery plan; and maintaining a list of all
personnel authorized to access CoMIS and information resources, including their levels
of access.
C. CoMIS Users
All stakeholders using the CoMIS system or information produced by the system are
required to adhere to this policy.
Partners, employees or contractors directly or indirectly using CoMIS are responsible for
safeguarding the equipment and the information in their custody or under their control in
accordance with this policy.
The above statements apply to employees of organizations that support the hardware,
software or networks associated with CoMIS or that require access to CoMIS
information in order to perform their business (e.g., municipal, provincial and federal
correctional or enforcement agencies, other government departments). They are referred
to as Third Parties within this document.
Last printed 3/9/2016 1:51:00 AM
Page 2
COMIS SECURITY POLICY
3. Information Security
Security works in protective layers. These layers include network, operating systems, application
and information security. This section of the policy provides guidelines for ensuring CoMIS
information or data is appropriately protected.
A. Introduction
Information security:
i. ensures the integrity of all records;
ii. protects sensitive information from unauthorized access or disclosure; and
iii. protects valuable information from damage or loss.
Information is an asset that must be protected to a level consistent with its value and sensitivity.
Information security ensures the confidentiality, integrity and availability of information in all
physical formats.
B. Classification
Information classification means clearly identifying the security category at the time a document,
file or records series is created or acquired (or later analyzed) to alert those who handle it that it
requires protection at the applicable level.
CoMIS information may be classified as:
i. Protected: Ban on Publication information that cannot be released as this information
would be damaging to the integrity or effective operations of Alberta Solicitor General or
stakeholders if improperly used or disclosed.
ii. Sensitive: documents, files or records containing personal or “internal use only”
information that should not be released to the general public or to unauthorized personnel.
Most information in or relating to CoMIS is sensitive. Access to this information will be
provided on a “need to know” basis (see following section).
Last printed 3/9/2016 1:51:00 AM
Page 3
COMIS SECURITY POLICY
C. Disclosure of Information
i. “Need to Know” Principle
Sensitive CoMIS information must be disclosed on a need-to-know basis, i.e., access is
restricted to authorized individuals whose duties require such access. Individuals are not
entitled to access merely because of status, rank or office.
The need-to-know principle may be implemented in various ways. These include
physically segregating and controlling access to certain records, listing individuals who
may access certain records, or installing access controls on automated information
systems. CoMIS employs all three methods.
ii. Public Access
A decision to grant or deny access to information to members of the public is not based on
security categories. Access to information is based on the provisions of the Freedom of
Information and Protection of Privacy Act or other legislation.
iii. Information Received from Other Organizations
To the extent possible under the Freedom of Information and Protection of Privacy Act,
Alberta Solicitor General must protect information received from other organizations or
partners in accordance with their security policies or with agreements or understandings
between the parties concerned.
iv. Dissemination of Information
Information dissemination is a combination of activities; including creating, editing,
producing, marketing, and distributing CoMIS information. This information includes but
is not limited to management information reports and statistics, user guides, personal
information, design specifications, business resumption plans, audit records, financial
figures, minutes of committee meetings and research results which may be available in a
variety of formats including paper, electronic and audio-visual and which:
a) are intended to be made available internally or to the public
b) are produced using funds provided by the Alberta Government; and
c) meet the requirements of Part I, Division 2 of the Freedom of Information and
Protection of Privacy Act. Part 1; Division 2 covers exceptions to disclosure.
Last printed 3/9/2016 1:51:00 AM
Page 4
COMIS SECURITY POLICY
4. Personnel Security
In order to reduce the risk of human error, theft, fraud or misuse of CoMIS, security
responsibilities must be addressed at the recruitment stage to ensure the employee or contractor
understands the security policy throughout their employment.
i. When an individual is assigned a personal user identification code (referred to as a userID) he/she is solely responsible for all actions taken under that user-ID.
ii. CoMIS Operations staff will review all user-IDs every six months and remove user-IDs
that have not been in use.
iii. Users leaving or who have lost access privileges will have their user-ID immediately
removed upon termination or at the request of their supervisor or manager.
iv. Organizations’ access may be terminated based on earlier agreed upon timelines.
v. Access is denied (user-ID revoked) after three unsuccessful sign-on attempts. CoMIS
Operations, or GoA Help Desk must verify access privileges and re-set the user-ID.








Specifically:
All employees and Third Parties are responsible for ensuring reasonable and appropriate usage
of CoMIS information and the system in accordance with the Freedom of Information and
Protection of Privacy, and the employees and third parties are expected to use discretion and
good judgment when accessing CoMIS
All Government of Alberta employees are responsible for ensuring reasonable and appropriate
usage of CoMIS information and the system with the Code of Conduct and Ethics for the
Government of Alberta and the Official Oath.
Employees and contractors must sign an agreement to comply with the CoMIS Security Policy,
having read and understood it.
Sharing of user-IDs and/or passwords or permitting its use by any other unauthorized person is
not permitted.
The deletion, examination, copying or modification of data for which other users are responsible
is not permitted without prior consent of the Manager, IT Branch, Corporate Services Division.
Users are responsible for following all policies and procedures relating to security and
confidentiality. In particular, accessing restricted or sensitive information that is not required in
the normal course of duty is not permitted.
Unauthorized decryption of any encrypted information or any attempts to do so, are not
permitted.
Any Alberta Government employee who intentionally causes loss of CoMIS data or damage to
the system may be subject to disciplinary action up to and including dismissal.
Last printed 3/9/2016 1:51:00 AM
Page 5
COMIS SECURITY POLICY











Upon termination of their agreement with Alberta Solicitor General, employees or other third
parties must return all information assets.
Supervision and approval is required for new or inexperienced staff by either their immediate
supervisor or a more experienced peer to ensure security is enforced and knowledge is
continually shared.
Departments must have documented procedures and rules regarding the issue, change,
cancellation and audit of access.
There are numerous security groupings based on users’ or organizational requirement. The
security has three levels for each group as follows:
File Type Access consists of exclusions (e.g. file type access for data entry) and inclusions (e.g.
inquiries to the data).
General Access is separated into two levels: User and System Administration. This allows data
entry functions to reside at a user level and the system tables to reside at a system administrator
level. Both levels include menus, reports, inquiry, add, changes and deletes.
Functional Access allows security to be determined for each screen. A user could potentially
have access to add and change, but not delete.
Organization types are typically the various organizations that access CoMIS (e.g. Crown,
Courts, Police, etc.).
CoMIS Operations staff can assign the privileges for a user, as well as protect privileges from
users outside of the organization. This allows them to maintain the ownership of the data and its
integrity.
Sentence Administrator ID’s are designated for Correctional Centre staff by the CoMIS
Operations staff. Those Sentence Administrators have a higher level of access to the system.
The CoMIS Operations staff is responsible for all maintenance on the ID’s as well as the users
outside of Correctional Centres and Community Offices.
5. Breaches of Security
Ministries or Third Parties must establish policies and procedures for dealing with actual or
potential security violations or breaches. The policies and procedures should cover the following
points:
i. Immediate reporting of actual or suspected security violations to a supervisor.
ii. Reporting breaches of security to a ministry security officer or appropriate Third Party
security official.
iii. Reporting breaches suspected of constituting criminal offences to the appropriate law
enforcement agency.
iv. Where applicable, informing the ministry originating or owning the information that a
breach of security has occurred.
Last printed 3/9/2016 1:51:00 AM
Page 6
COMIS SECURITY POLICY
6. Third Party Access and Accountability
Contractors, consultants (including researchers), service providers and business partners often
require access to CoMIS. Their requirements must not compromise the security of Alberta
Solicitor General’s system or data. All Third Party (i.e. people not in the employ of Alberta
Solicitor General) access must be known and approved and subject to the following security
measures:
i. An agreement or contract must be completed and signed for all Third Parties who require
access to CoMIS and its information assets, to ensure they are aware of and comply with
the CoMIS Security Policy.
ii. Third Parties, contractors, consultants, service providers or business partners under contract
as above, that require access to Alberta Solicitor General systems will not have any access
until the appropriate authorization is obtained from the Correctional Services Division.
iii. The Manager, Client Services and Office Automation, IT Branch, Corporate Services Division
must assess all Third Party access requirements. Risks will be identified to the Executive
Director, Young Offender Branch and Executive Director, Adult Centre Operations Branch.
iv. Approval will be based upon a risk assessment that identifies the requirements for specific
controls, type of access, the value of the information, controls employed by the Third Party
and the implications of this access to the security of the organization.
Last printed 3/9/2016 1:51:00 AM
Page 7
COMIS SECURITY POLICY
7. Penalty/Consequence
i. The violation of this policy can lead to legal implications for unauthorized access to
information systems or facilities.
ii. Access to CoMIS computing resources by unauthorized people or by unauthorized
methods is a serious breach of security that can lead to serious vulnerabilities to Alberta
Solicitor General.
iii. Violation of this policy can expose the organization to unauthorized access to hardware,
software, network, systems and information.
In all cases of abuse or violation of the CoMIS Security Policy, and depending on the severity of
the circumstances, any or all of the following actions may be taken by Alberta Solicitor General:
- termination of the access privilege,
- termination of contract,
- penalties,
- sanctions,
- other disciplinary actions.
I agree to abide by the terms of the CoMIS security policy and I am fully aware of the
consequences of breach of this trust.
Organization/Department:
__________________________________________
--------------------------------------------------Print Name
---------------------------------------------------Phone Number
--------------------------------------------------Acknowledgment of Policy, Sign Name
---------------------------------------------------Date
Last printed 3/9/2016 1:51:00 AM
Page 8