BCIT Information Security Standards – User
- The BCIT Cybersecurity Officer has issued these standards under the authority of Policy 3501, Acceptable Use of Information and Policy 3502, Information Security.
- These Standards apply to BCIT users (Including Staff, Faculty, Students, Contractors, Alumni, Retirees)
- Please reach out to Cyber Security Office if you have any questions regarding Information Security Standards.
Note: ISS stands for Information Security Standard.
Initial Version Release Date: 2023-02-09
Approved By: BCIT CSO under Policy 3502
Purpose
This document defines minimum standards and recommendations for the creation and use of passwords and passphrases for all BCIT staff, faculty, students, alumni, retirees, and contractors.
Minimum Password/Passphrase Requirements
Passwords/Passphrases must have a minimum of 15 characters and include at least:
- ONE UPPER CASE LETTER;
- one lower case letter;
- 1 number;
- Optional: For additional security, you may include special characters, the only accepted special characters are: $ ! # _ + = : . ~ ^ ( ) { } [ ].
In addition to the complexity standards above, passwords in any PCI Card Data Environment:
- must be a minimum of 12 characters;
- must be changed every 90 days;
- must be different from the last four passwords used;
- must be set to a unique value for new users and changed on first use.
Due to the increased power of password cracking technologies, BCIT recommends using passphrases with a minimum of 16 characters where systems allow. Consider using a phrase of disconnected words that you can picture in your head.
To create a complex password when a passphrase is not an option, consider using the first letter of each word in a phrase. For example, “I used to bake 15 chocolate layer cakes in a day!” becomes “Iutb15clciad!”.
Your password/passphrase should be easy for you to remember but hard for others to guess or crack.
Passphrase/Password Management
Ways to keep your password/passphrase safe:
- create a strong passphrase/password;
- never share or write your passphrase/password down;
- do not use BCIT passwords for systems outside of BCIT;
- change your password immediately if it is compromised;
- use a password vault such as 1password or KeePass to securely store and retain your passphrases/passwords.
Touchscreen Devices
On devices such as smartphones and tablets with touch-screen interfaces it might not be practical to use a long and strong password/passphrase. Instead, a numeric password/PIN (minimum 5 characters) may be used.
Biometric Interfaces
Biometric access controls such as fingerprint readers and facial recognition are acceptable alternatives to passphrases/passwords/PINs.
Remember:
BCIT IT Services will never ask for your password by email.
Users must immediately report all compromised account incidents to: BCIT IT Services @ BCIT IT Service Desk (ITS) Information Technology Services
Tel: 604-412-7444 (Option 1), 1-800-351-5533 (Option 2), Email: ITShelp@bcit.ca
Initial Version Release Date: 2023-06-09
Approved By: BCIT CSO under Policy 3502
Definitions
| Public | Information deemed to be public by legislation or policy. Information in the public domain. Examples include annual reports, public announcements, the telephone directory, and specific categories of employee and student information including, employee business contact information and student’s record of graduation.
Sensitivity: Low |
| Internal Use | Information not approved for general circulation outside BCIT. Loss would inconvenience the organization or management; disclosure is unlikely to result in financial loss or serious damage to credibility. Examples include internal memos sent to faculty/staff, minutes of meetings, internal project reports, unit budgets, accounting information.
Sensitivity: Low/Medium |
| Confidential
Protected |
Information that is available only to authorized persons. Loss could seriously impede the organization’s operations; disclosure could have a significant financial impact or cause damage to the organization’s reputation. Examples include information protected by legal privilege, all Personal Information (PI) governed by the BC FIPPA, specific categories of employee and student information such as legal suits, medical/health information, appeals, grievances, bank routing information, credit card information, as well as clinical patient data and Requests for Proposals during a purchasing process.
Sensitivity: High |
| Governing Laws and Regulations | FIPPA: 30, 30.1 | PCI DSS: 3.1, 3.2c, 3.3, 4.1, 4.1a, 4.2, 4.2b | ||
| Class | Access Restrictions |
Transmission | Storage | Disposal |
| Public | No restrictions on access. | No special handling required. | No special safeguards. | Can be recycled. |
| Internal Use | Access is limited to employees and other authorized users and must be revoke immediately on termination. | No special handling required but encryption is strongly recommended on public networks. | Stored within a controlled access system (e.g. password protected file or file system or locked file cabinet). | Shredded, erased. |
| Confidential
Protected |
Access is limited to authorized users with a demonstrated need to know and must be revoked immediately on termination or on leaving a custodial unit. Access must be from within Canada unless temporarily traveling or an exception is granted by the CIO.
Remote Access: authorized persons require; automatic disconnect of session after 15 minutes of idle time and may not copy, move, or store credit card or banking data to remote devices. |
Encryption required.
Hard copies must use secure methods for external transportation and be clearly marked as confidential. Note: Use of 3rd party services must comply with theCloud Security Standard TBD. Note: PCI Cardholder data may not be sent or accepted by email fax or other end user messaging technologies. |
Stored within a controlled access system within locations defined by the CIO (e.g., password protected file, file system or locked file cabinet or storage container). For any portable medium such as USB drives, notebooks, tablets, and SmartPhones – Encryption is required.
PI storage must comply with the BC FOIPPA Act. All confidential information storage must comply with the Mobile Device Standard, and the Cloud Security Standard TBD. Note: PCI Cardholder data must not be electronically or physically retained after processing is completed. Physical storage of cardholder data may occur temporarily prior to processing |
Cross cut shredded, pulped, degaussed (removal of magnetic information), or Securely Erased to render any information unrecoverable.
Note: Credit Card Sensitive Authentication Data must be deleted upon completion of authentication and Personal Account Numbers must be securely deleted/destroyed as soon as business requirements have been met. |
Initial Version Release Date: 2023-07-11
Approved By: BCIT CSO under Policy 3502
Purpose
This standard establishes the cyber security controls for all mobile computing and storage devices, regardless of ownership, accessing information under the custody and control of the British Columbia Institute of Technology (BCIT). BCIT will enforce these standards where possible.
Mobile computing devices include but are not limited to the following:
- Laptop, notebook, netbook, tablets, and similar portable personal computers
- Smartphones and PDAs (Android, iPhone, and others)
Mobile Storage Devices include but are not limited to the following:
- Magnetic storage devices (diskettes, tapes, USB hard drives).
- Optical storage devices (CDs, DVDs, magneto-optical disks).
- Memory storage devices (SD cards, thumb drives, etc).
All mobile computing and storage devices that access, store, process or transmit BCIT Data, regardless of ownership, must comply with the following minimum required safeguards
| Safeguard | Handheld mobile device (i.e. smart phone, tablet, etc.) | Laptop/notebook computer/ USB flash drives, and any other mobile storage media. |
| Password
Passphrase PIN |
Minimum 4-character passcode using at least 2 unique characters. | Must use Password/Passphrase meeting BCIT’s Password/Passphrase Standard. |
| Consider using biometric access: facial recognition, fingerprint, etc. | Consider using biometric access: facial recognition, fingerprint, etc. | |
| Lock Out | Lockout after 10 incorrect attempts or increasing delay after incorrect attempts. | Lockout after 25 incorrect attempts within 2 hrs. |
| Encryption | Enabled by default with a password or PIN on iPhones and Android 10+ | Full disk encryption required.
See the BCIT Cyber Security Information Classification Standard for examples of confidential information types. |
| Remote wiping capability | The ITS team will assist with remote wiping based on the circumstances of reported loss or theft. Please note that in order to protect sensitive BCIT data, there is a possibility that remote wiping may also affect personal devices (BYOD) that have been configured to access BCIT services, under certain conditions.
While every effort will be made to limit the impact on personal devices, the primary objective of remote wiping is to ensure the security of BCIT data. Therefore, it is recommended that users take necessary precautions and regularly back up their personal data to avoid potential loss during the remote wiping process. |
Performed by ITS for BCIT equipment. |
| Application Controls | ITS team will assist with remote wiping based on the circumstances of reported loss or theft. Please note that in order to protect sensitive BCIT data, there is a possibility that remote wiping may also affect personal devices (BYOD) that have been configured to access BCIT services, under certain conditions.
Applications accessing BCIT services may potentially be wiped by ITS. (List TBD) For BCIT provided devices, these applications will be installed by default. |
While every effort will be made to limit the impact on personal devices, the primary objective of remote wiping is to ensure the security of BCIT data. Therefore, it is recommended that users take necessary precautions and regularly back up their personal data to avoid potential loss during the remote wiping process.
Applications accessing BCIT services may potentially be wiped by ITS. (List TBD) For BCIT provided devices, these applications will be installed by default. |
| Inactivity Time-out Protection | Automatic screen locking after a maximum 15 minutes of idle time | Automatic screen locking after a maximum 15 minutes of idle time |
| Malware Protection | Recommend that these devices include a recognized malware detection and response tool. | Must include a recognized malware detection and response tool. For BCIT owned equipment this will be installed by default. |
| Secure Connectivity | Any confidential information transmitted to or from the mobile device (e.g., wireless or the Internet) must be encrypted. Communication protocols such as SMS (Text Messaging) and SMTP (e-mail) are not considered secure and should not be used to transmit confidential information. | |
| Secure Disposal | Any residual settings, data, and applications on the mobile device must be removed or wiped prior to disposal or transfer to another user. | Any residual settings, data, and applications on the mobile device must be removed or wiped prior to disposal or transfer to another user. |
| Physical Protection | All BCIT employees using Smartphones which access or store any confidential BCIT information must ensure that these devices always remain in their possession.
When not in use, BCIT owned mobile computing devices must be stored in locked file drawers, locked rooms, closets, or cupboards. |
Consider using a lock cable for notebooks to secure these devices to furniture if possible.
USB drives and other media containing personal information, or any other confidential data should be stored in a locked drawer or filing cabinet. |
Lost or stolen devices must be reported to the Safety Security Emergency Management (SSEM) department or BCIT ITS Service Desk as soon as possible
Contact Information:
BCIT SSEM Tel: 604-434-5734, Email: safety@bcit.ca
BCIT IT Service Desk Tel: 604-412-7444 (Option 1), 1-800-351-5533 (Option 1), Email: techhelp@bcit.ca