Information Security Policy

The Canadian Broadcast Standards Council (the “CBSC”) is a national voluntary self-regulatory organization created by Canada’s private broadcasters to deal with complaints made by viewers or listeners about programs they have seen or heard broadcast on a participating station. The CBSC administers five industry codes covering various issues relating to ethics, violence on television, equitable portrayal, journalistic ethics and cross-media ownership which set out the guidelines for television and radio programming.

The CBSC last updated its Privacy Policy in October of 2018. That policy explains how Personal Information will be handled by the CBSC, and the purposes for which it will be used, including, among other things, how the CBSC will retain Personal Information collected from website visitors and users of its complaints resolution process.

The CBSC’s Information Security Policy aims to protect the confidentiality, integrity, and availability of information in accordance with legal obligations and the reasonable requirements of the parties that control the information, the information stewards, custodians, and authorized users. It also aims to hold individual users accountable for unauthorized or inappropriate access to, use of, disclosure, disposal, modification of, or interference with personal information or services. Any CBSC employee, consultant, or employee of a vendor who violates this policy could be subject to sanctions up to and including dismissal or termination of contract.

Possible situations that could lead to corrective action or disciplinary measures include the following:

• Unauthorized disclosure of personnel information;
• Unauthorized disclosure of a sign-on code or password;
• Using or attempting to use another person’s sign-on code or password;
• Installing or using unlicensed software on CBSC computers;
• The intentional unauthorized destructions of CBSC information; and,
• Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.

Information and associated services must be secured in line with legal and business requirements and throughout their life cycles. The system of security controls protecting the services provided by the CBSC must be designed and operated such that:

• All business security requirements are met;
• There is diversity and redundancy in the security controls so that unexpected failure of a given control mechanism will not result in significant harm;
• The harm resulting from a security failure is limited and contained, with minimal potential to expand beyond predetermined bounds; and,
• The control framework provides evidence/assurance of its own effectiveness, and includes mechanisms for correction of deficiencies.

The system of security controls and individual control mechanisms must be assessed and tested prior to use and periodically thereafter. Involved technology, products or tools must be properly configured and operated to ensure that all security controls are effective.

Email data is stored and transmitted through Microsoft Canada secure datacenters, and protected by the Microsoft Office 365 security suite.
CBSC will store data, including personal information, only on secure servers or cloud-based solutions. All such data will be protected by appropriate security safeguards, in line with industry practice for similar installations, including boundary protection systems (firewalls), monitoring/intrusion detection systems, malware protection, data encryption, session encryption and content filtering. Such safeguards shall be reassessed periodically in light of current intrusion risks and available counter-measures.

CBSC’s telephone system equipment will be housed in a locked room, accessible only by CBSC personnel and external support providers who require access to perform their duties.

The CBSC’s datacenter is situtated off-site (other than terminal devices, PCs and peripherals) and will have conditioned power, UPS and backup diesel generators, as well as temperature/environmental controls appropriate to systems requirement.

CBSC employees accessing the CBSC’s database must comply with the following password standards:

• Passwords must never be shared with another person, unless the person is a designated manager of this information;
• Passwords should be changed regularly (between 5-6 months);
• Passwords must have a minimum length of six characters;
• Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them.
• When creating a password, it is important not to use words that can be found in dictionaries or words that are easily guessed due to their association with the user (i.e. children’s names, pets’ names, birthdays, etc..). The password must include a combination of alphanumeric characters (lower and upper case), numbers and symbols.

The network should enforce the following password standards:

1) Passwords routed over a network must be encrypted.
2) Passwords must be entered in a non-display field.
3) System software must enforce the changing of passwords and the minimum length.
4) System software must disable the user identification code when more than four consecutive invalid passwords are given within a 15 minute timeframe. Lockout time must be set at a minimum of 30 minutes.
5) System software must maintain a history of previous passwords and prevent their reuse.