Information is a critical institute asset. Information is comparable with other assets in that there is a cost in obtaining it and a value in using it. However, unlike many other assets, the value of reliable and accurate information appreciates over time as opposed to depreciating. Shared information is a powerful tool, and its loss or misuse can be costly, if not illegal. The intent of this Security policy is to protect the information assets of the organization.
In addition, the main objective of JBIHM in this policy is to establish and maintain adequate and effective security measures for users, to ensure that the confidentiality, integrity, and operational availability of information are not compromised.
Sensitive information must therefore be protected from unauthorized disclosure, modification, access, use, destruction or delay in service.
Each user has a duty and responsibility to comply with the information protection policies and procedures described in this document.
The purpose of this policy is to safeguard information belonging to JBIHM within a secure environment.
This policy informs JBIHM staff and other persons authorized to use JBIHM facilities of the principles governing the retention, use, and disposal of information.
This policy applies to all employees of JBIHM who use computer systems or work with documents or information that concerns customers, suppliers, or any other partner for whom the organization has collected information in the normal course of its business.
The goals and objectives of this policy are:
All users of JBIHM’s information systems must be formally authorized by the institute’s Admission & Administration department. Authorized users will be in possession of a unique user identity. Any password associated with a user identity must not be disclosed to any other person.
Authorized users shall take all necessary precautions to protect the JBIHM information in their personal possession. Confidential, personal, or private information must not be copied or transported without consideration of:
User accounts on the institute’s computer systems must only be used for the institute’s business and must not be used for personal activities during working hours.
During breaks or mealtimes, limited personal use is permitted, but use must be legal, honest, and decent while considering the rights and sensitivities of others.
Unauthorized use of the system may constitute a violation of the law or theft, and may be punishable by law. Therefore, unauthorized use of the institute’s computer system and facilities may constitute grounds for civil or criminal prosecution.
The fundamental element of this security policy is the control of access to critical information resources that require protection against unauthorized disclosure or modification.
Access control refers to the permissions assigned to persons or systems that are authorized to access specific resources. Access controls exist at different layers of the system, including the network. Access control is implemented by username and password. At the application and database level, other access control methods can be implemented to further restrict access.
Finally, application and database systems can limit the number of applications and databases available to users based on their job requirements.
All users must have a unique username and password to access the systems. The user’s password must remain confidential and under no circumstances should it be shared with management and supervisory staff and/or any other employees. Also, all users must comply with the following rules regarding password creation and maintenance:
Any information or documents that are not to be made public are designated as “Confidential Information”. This information is invaluable to the institute, and therefore all employees who, in the course of their duties, handle this type of information are expected to behave as follows:
Information stored on computer systems must be regularly backed up so that it can be restored if or when necessary.
All care and responsibility must be taken in the destruction of sensitive information. Electronic information relating to customers, administrative and commercial information must be disposed of in a secure manner.
Sensitive or confidential paper documents must be placed in the shredding bins or destroyed in the manner indicated to you by your department head.
Any security system relies on the users of the system to follow the procedures necessary for upholding security policies. Users are required to report any weaknesses in the institute’s computer security, any incidents of misuse or violation of this policy to their immediate supervisor.
Employees are therefore expected to:
The institute has the right and capability to monitor electronic information created and/or communicated by persons using institute computer systems and networks, including e-mail messages and usage of the Internet. It is not the institute’s policy or intent to continuously monitor all computer usage by employees or other users of the institute’s computer systems and network.
However, users of the systems should be aware that the institute may monitor usage, including, but not limited to, patterns of usage of the Internet (e.g. sites accessed, length of time online, time of day of access), and employees’ electronic files and messages to the extent necessary to ensure that the Internet and other electronic communications are being used in compliance with the law and with institute policy.
System administrators, network administrators, and security administrators will have access to the host systems, routers, hubs, and firewalls necessary to perform their tasks.
All system administrator passwords will be deleted immediately after an employee who has access to these passwords has been terminated or dismissed, or has otherwise left the institute’s employment.
Supervisors/Managers shall immediately and directly contact the institute IT Manager to report any change in employee status that requires terminating or modifying employee login access privileges.
I acknowledge that I have received a copy of the JBIHM Security policy. I have read and understood the policy. I understand that, if I violate the policy, I may be subject to disciplinary action, including termination. I further understand that I will contact my supervisor if I have any questions about any aspect of the policy.