Cyber Security Policy
| STATEMENT of POLICY and PROCEDURE | | | |
|---|---|---|---|
| Department | Information Systems | Policy No. (or n/a) | 2.01 |
| Name | Cyber Security Policy | Review Frequency | 3 yr |
| Approved by | Board | Replaces | |
| Effective date | August 1, 2025 | Dated: | |
1 OVERVIEW
This Cyber Security Policy is established to protect MakeWay Foundation’s (“MakeWay”) information systems, data, resources, and employees from cyber threats. In today’s world, it is critical to implement appropriate measures to safeguard our digital assets and ensure the confidentiality, integrity, and availability of our information.
2 PURPOSE
The purpose of this policy is to provide guidelines and procedures for securing MakeWay’s digital environment against cyber threats. It aims to educate staff, volunteers, and partners on best practices for cyber security and to outline the responsibilities and protocols necessary to protect our systems and data.
3 SCOPE
This policy applies to all employees, volunteers, contractors, and any third-party users who have access to MakeWay’s information systems and data. It covers MakeWay devices, BYOD devices, networks, and data in its many locations, used for organizational purposes.
4 RESPONSIBILITIES
4.01 All staff and volunteers must participate in regular cyber security training to understand their roles in protecting organizational data. This training will be provided to you by the Information Systems (“IS”) Team.
4.02 The IS Team will be responsible for overseeing cyber security measures, controls, policies, and compliance within the organization.
5 ACCESS CONTROL
5.01 Access to MakeWay’s systems and data is granted based on the principle of least privilege. User accounts are assigned based on role requirements. User accounts are administered and monitored by IS for primary operating systems and reviewed regularly.
5.02 All systems require strong passwords and multi-factor authentication (MFA) where possible. Passwords must be in accordance with the Password Policy (Policy No. 6.01).
5.03 Access to Restricted data (See the Information Security Policy, Policy No. 3.01 for definitions) and systems must be authorized by PEL and/or the Privacy Officer, depending on the nature of the data.
6 DATA PROTECTION & BACKUPS
6.01 Sensitive data must be encrypted both in transit and at rest. Use secure communication channels (e.g., HTTPS, VPNs) for data transfer.
6.02 Regular backups of critical data must be performed and stored securely.
6.03 Backup procedures must be tested periodically to ensure data can be restored. Extra care should be taken to ensure that backups of sensitive data are properly secured, for example through additional encryption.
6.04 Older backups should be purged at a regular interval in accordance with record-keeping procedures.
7 DEVICE SECURITY
7.01 Only devices approved by MakeWay may be used to access organizational data. Personal devices must comply with MakeWay’s security standards and the BYOD Policy (Policy No. 7.01).
7.02 All devices must have up-to-date software and security patches installed.
7.03 Devices must have antivirus and firewall software installed and regularly updated.
8 NETWORK SECURITY
8.01 Use firewalls and other security appliances to protect MakeWay’s network from unauthorized access and threats.
8.02 Secure MakeWay wireless networks with strong passwords, following best practice from the Password Policy (Policy No. 6.01), and with WPA3 encryption protocols.
8.03 Avoid using public Wi-Fi for accessing sensitive information. When you must, use a VPN to protect your connection.
8.04 Network activities must be monitored and logged to detect and respond to suspicious activities promptly.
8.05 The Remote Access Policy (Policy No. 8.01) must be followed when accessing resources remotely.
9 MONITORING
9.01 MakeWay is committed to respecting the privacy and confidentiality of its users to the extent permitted by law, and any monitoring activities will be conducted in accordance with applicable privacy laws and regulations. Any review of sensitive materials will be done with the utmost care, respect and with the consultation of the Privacy Officer.
9.02 Access sessions will be passively monitored and logged to detect security incidents and to facilitate auditing and compliance efforts. Logs will include information such as user login attempts, session durations, accessed resources, and any security-related events. Log data will be retained for a specified period in accordance with organizational policies and regulatory requirements.
9.03 Access to log files will be restricted to authorized personnel for security analysis and incident response purposes.
10 INCIDENT RESPONSE
10.01 All cyber security incidents or suspicious activities must be reported immediately to the IS Team via [email protected] or by using standard issue escalation procedures.
10.02 An incident response plan must be in place, outlining steps to contain, eradicate, and recover from security incidents. Regular drills should be conducted to ensure preparedness.
11 COMPLIANCE
11.01 The IS Team will conduct regular audits to assess compliance with this cyber security policy and identify areas for improvement. Audits should cover processes, technology platforms, devices and user behaviour.
11.02 Corrective steps for non-compliance may be recommended by IS based on an assessment of risk. These may include additional monitoring or screening of work activities, reduction of access to sensitive data, restricted access to broader systems or tools, blocking of BYOD access, additional mandatory training, and other measures as deemed necessary.
12 REFERENCES and RELATED STATEMENTS of POLICY and PROCEDURE
12.01 Password Policy (Policy No. 6.01)
12.02 BYOD Policy (Policy No. 7.01)
12.03 Remote Access Policy (Policy No. 8.01)