BCIT Information Security Standards.
- The BCIT Cybersecurity Officer has issued these standards under the authority of Policy 3501, Acceptable Use of Information and Policy 3502, Information Security.
- These Standards apply to all BCIT users (including staff, faculty, students, contractors, alumni and retirees).
- Standards that are under review are marked as “Under Review”.
- Please reach out to the Cyber Security Office if you have any questions regarding the Information Security Standards.
Note: ISS stands for Information Security Standard.
Initial Version Release Date: 2023-02-09
Approved By: BCIT CSO under Policy 3502
Purpose
This document defines minimum standards and recommendations for the creation and use of passwords and passphrases for all BCIT staff, faculty, students, alumni, retirees, and contractors.
Minimum Password/Passphrase Requirements
Passwords/Passphrases must have a minimum of 12 characters and include at least:
- ONE UPPER CASE LETTER;
- one lower case letter;
- 1 number;
- Optional: for additional security you may include special characters; the only accepted special characters are: $ ! # _ + = : . ~ ^ ( ) { } [ ].
In addition to the complexity standards above, passwords in any PCI Card Data Environment:
- must be a minimum of 12 characters;
- must be changed every 90 days;
- must be different from the last four passwords used;
- must be set to a unique value for new users and changed on first use.
Due to the increased power of password cracking technologies, BCIT recommends using passphrases with a minimum of 16 characters where systems allow. Consider using a phrase of disconnected words that you can picture in your head.
To create a complex password when a passphrase is not an option, consider using the first letter of each word in a phrase. For example, “I used to bake 15 chocolate layer cakes in a day!” becomes “Iutb15clciad!”.
Your password/passphrase should be easy for you to remember but hard for others to guess or crack.
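The following Python checker is an added example, not part of the BCIT standard itself: it encodes the minimum requirements above (12 characters, upper and lower case, a number, only the listed special characters), the 16-character passphrase recommendation, the PCI Card Data Environment rules (last four passwords, 90-day change, change on first use), and the "first letter of each word" construction from the example phrase. The function names, the reading that space is not an accepted character, and the treatment of "every 90 days" as due at day 90 are assumptions made for this example.

```python
from __future__ import annotations
import string
from datetime import date, timedelta

# The only special characters the standard accepts. Space is not in the list, so a
# multi-word passphrase is expected to be written without separators (our assumption).
ALLOWED_SPECIALS = set("$!#_+=:.~^(){}[]")
ALPHANUM = set(string.ascii_letters + string.digits)
MIN_PASSWORD_LEN = 12            # minimum for all passwords/passphrases
RECOMMENDED_PASSPHRASE_LEN = 16  # recommended where systems allow
PCI_MAX_AGE_DAYS = 90            # PCI Card Data Environment: change every 90 days
PCI_HISTORY_DEPTH = 4            # PCI: must differ from the last four passwords


def check_password(candidate: str) -> list[str]:
    """Return the list of minimum requirements the candidate fails (empty list = compliant)."""
    problems: list[str] = []
    if len(candidate) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if not any(c in string.ascii_uppercase for c in candidate):
        problems.append("no upper case letter")
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("no lower case letter")
    if not any(c in string.digits for c in candidate):
        problems.append("no number")
    # Anything that is neither a letter/digit nor an accepted special character is rejected.
    disallowed = sorted({c for c in candidate if c not in ALPHANUM and c not in ALLOWED_SPECIALS})
    if disallowed:
        problems.append("disallowed special character(s): " + " ".join(disallowed))
    return problems


def meets_recommendation(candidate: str) -> bool:
    """True when the candidate is compliant and also reaches the recommended 16-character length."""
    return not check_password(candidate) and len(candidate) >= RECOMMENDED_PASSPHRASE_LEN


def acronym_password(phrase: str) -> str:
    """Build a complex password from a memorable phrase by taking the first letter of each word.
    Whole numbers and trailing punctuation are kept, which is our reading of the standard's example:
    'I used to bake 15 chocolate layer cakes in a day!' -> 'Iutb15clciad!'."""
    out: list[str] = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)
        trailing = word[len(core):]
        if core.isdigit():
            out.append(core)       # keep a number whole
        elif core:
            out.append(core[0])    # first letter of an ordinary word
        out.append(trailing)       # keep punctuation such as a trailing '!'
    return "".join(out)


def pci_password_ok(candidate: str, previous: list[str]) -> list[str]:
    """PCI Card Data Environment rules layered on the base check: the candidate must also differ
    from the last four passwords. A real system would compare against stored hashes, not plaintext."""
    problems = check_password(candidate)
    if candidate in previous[-PCI_HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {PCI_HISTORY_DEPTH} passwords")
    return problems


def pci_change_due(last_changed_iso: str, today_iso: str, first_use_pending: bool = False) -> bool:
    """True when a PCI password must be changed now: a new user's initial value must be changed on
    first use, and any password is due once it is 90 days old (dates given as ISO strings)."""
    if first_use_pending:
        return True
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age >= timedelta(days=PCI_MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for sample in ["Iutb15clciad!", "short1A!", "Valid12Chars@here"]:
        print(sample, "->", check_password(sample) or "compliant")
    print(acronym_password("I used to bake 15 chocolate layer cakes in a day!"))
```

The acronym routine reproduces the standard's own example exactly; the checker reports every failed requirement at once rather than stopping at the first, which is the behaviour a self-service password change page should have so users can fix all problems in one attempt.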
Passphrase/Password Management
Ways to keep your password/passphrase safe:
- create a strong passphrase/password;
- never share or write your passphrase/password down;
- do not use BCIT passwords for systems outside of BCIT;
- change your password immediately if it is compromised;
- use a password vault such as 1Password or KeePass to securely store and retain your passphrases/passwords.
Touchscreen Devices
On devices such as smartphones and tablets with touch-screen interfaces it might not be practical to use a long and strong password/passphrase. Instead, a numeric password/PIN (minimum 5 characters) may be used.
Biometric Interfaces
Biometric access controls such as fingerprint readers and facial recognition are acceptable alternatives to passphrases/passwords/PINs.
Remember:
BCIT IT Services will never ask for your password by email.
Users must immediately report all compromised account incidents to the BCIT IT Service Desk (ITS), Information Technology Services:
Tel: 604-412-7444 (Option 1), 1-800-351-5533 (Option 2), Email: ITShelp@bcit.ca
1. Introduction
- Compromises in security can potentially occur at every level of computing from an individual’s desktop computer to the largest and best-protected systems on campus. Incidents can be accidental or deliberate attempts to break into systems; purpose or consequence can be from benign to malicious. Regardless, each incident requires a careful response, at a level commensurate with its potential to cause harm to an individual and BCIT, as a whole, as defined in the BCIT Cyber Security Incident Response Plan.
- This document defines standards for Users to report any suspicious incidents relating to the security of BCIT Electronic Information and Systems.
2. Incidents that must be Reported
- Users must report the following information security incidents (if there is uncertainty whether a violation has occurred, Users must err on the side of caution and report the incident anyway):
  - Violations of Policy No 3501, Acceptable Use of Information Technology; examples include but are not limited to:
    - use of BCIT computing facilities to commit illegal acts;
    - unsolicited or spam email originating from BCIT sources;
    - unauthorized access, use, alteration or destruction of BCIT Electronic Information or BCIT Systems, including but not limited to: software, computing equipment, Merchant Systems, network equipment and services;
    - theft of any BCIT Electronic Information, whether via electronic means or physical theft of any Device containing this information; and
    - loss or theft of any Multi Factor Authentication Device (MFA Device).
3. How to Report Incidents
- Users must immediately report all suspected information security incidents as follows:
  - Contact the BCIT IT Service Desk (ITS), Information Technology Services (during hours of operation): Tel: 604-412-7444 (Option 1), 1-800-351-5533 (Option 1), Email: techhelp@bcit.ca.
  - The Incident Response team will coordinate the incident as required in accordance with the BCIT Cyber Security Incident Response Plan.
- Where the incident involves physical security issues on a BCIT campus in addition to information security issues, contact Safety and Security at 604-451-6856, or 3612 from any campus phone, and ask to be connected to the ITS Manager on call. Email: safety@bcit.ca.
- It is essential to report incidents immediately, as time is of the essence when dealing with information security breaches and other potentially damaging incidents arising from Malicious Code.
4. Related Documents and Resources
- Policy No 3501, Acceptable Use of Information Technology
- Policy No 3502, Information Security
- BCIT Cyber Security Incident Response Plan
1. Introduction
- BCIT Electronic Information used by Users has varying degrees of sensitivity which have corresponding levels of risk and protection requirements; therefore, it is necessary to classify this information to ensure it has the appropriate level of protection.
- Information may be accessed and handled by many different Users and individuals throughout its life cycle; therefore it has to be protected throughout that life cycle.
- The purpose of this standard is to define the ITS information classification scheme, and to describe the protection requirements for each level of classification. The standard mandates how information is classified in ITS.
2. Information Security Classification
- Assigning classification to information enables us to set requirements for how to treat the information, whether it is at rest, in transit, or in storage. Additionally, it helps determine the appropriate way to destroy information once it is no longer required.
- Classifying information also helps those who come into contact with it understand what they need to do to protect it.
Classification levels (category and scope, description, examples and potential impact):

Public
- Description: applies to data and information that, if compromised, would not result in injury to individuals, or to BCIT or its partners.
- Examples: names and work contact information of BCIT staff and faculty members; information that is posted on our public website; research information of a nonpersonal, non-proprietary nature.
- Potential impact: minor embarrassment, minor operational disruptions.

Protected A
- Description: applies to data and information that, if compromised, could cause injury to an individual or harm to BCIT and its partners.
- Examples: names and work contact information of BCIT staff and faculty members; information that is posted on the BCIT public website; research information of a nonpersonal, non-proprietary nature.
- Potential impact: reputational and financial impact, loss of priority of publication, copyrighted materials.

Protected B
- Description: applies to data and information that, if compromised, could cause serious injury to an individual or severe harm to BCIT and its partners.
- Examples: Personal Information, which must be protected under the BC Freedom of Information and Protection of Privacy Act (FIPPA), including full face photographic images, student name, student or employee ID, student grades and home address; Payment Card Industry (PCI) information, which must be protected under the Payment Card Industry Data Security Standard (PCI-DSS), e.g. credit card numbers, names, expiry dates or PINs. Note: no credit card information is stored on BCIT Systems.
- Potential impact: moderate harm to one or more individuals, identity theft, impact to BCIT reputation or operations, financial loss such as regulatory fines.

Protected C
- Description: applies to data and information that, if compromised, could cause grave injury to an individual or severe harm to BCIT and its partners.
- Examples: Social Insurance Number (SIN); official government identity card (e.g. Passport ID, Driver’s Licence No.); bank account information (e.g. direct deposit details); biometric data; personally identifiable genetic data; Date of Birth (DoB).
- Potential impact: significant harm to one or more individuals, identity theft, severe impact to BCIT reputation or operations, financial loss such as regulatory fines or damages from litigation.
4. Information Labelling (refer to Records Management)
- All information must be classified, but not all information should be labelled. Labels, whether added manually by the end user or generated automatically by a digital system, can be an important additional control: they raise awareness of the relative sensitivity of a subset of information and help ensure that the right protection measures are in place.
5. Responsibilities
- Business\Academic departmental Heads (owners) are responsible for determining the information security classification based on the definitions and examples in the table above. Based on other relevant factors, information may be classified at a higher level than indicated above, but never at a lower level.
- In order to comply with our legal obligations, it is recommended that the Business\Academic departmental Heads keep an inventory of types of records that contain Protected B and/or Protected C Information. At a minimum, the inventory should contain the type of information, description and storage location. Refer to the sample inventory attached to this standard. This responsibility may be delegated to the Information Steward/Owner.
- BCIT Users are responsible for knowing the types of BCIT Electronic Information under their control, its information security classification and where it is stored.
6. Related Documents and Resources
- Policy No 3501, Acceptable Use of Information Technology
- Policy No 3502, Information Security
- BC Freedom of Information and Protection of Privacy Act (FIPPA)
- Information Security and Risk Classification