Information Security Policy

STATEMENT of POLICY and PROCEDURE
Department Information Systems Policy No. (or n/a) 3.01
Name Information Security Policy Review Frequency 3 yr
Approved by Board Replaces  
Effective date August 1, 2025 Dated:  

1    OVERVIEW

The Information Security Policy is a set of rules and guidelines aimed at ensuring MakeWay Foundation's (“MakeWay”) organization data remains secure.

2    PURPOSE

The purpose of this policy is to ensure the proper access, collection, use, storage, transfer, and disposal of MakeWay data in compliance with applicable data protection laws, regulations, and other MakeWay policies.

3     SCOPE

This policy applies to all employees, contractors, partners, vendors, and anyone who handles data on behalf of MakeWay.

4    INFORMATION CLASSIFICATION

Information is classified in 4 levels within 2 categories:

Non-Sensitive Data

  • Public: Information intended for public dissemination, such as marketing materials, public website content, and press releases.
  • Internal: Information that is not sensitive but is meant for internal use only, like internal policies, and routine administrative documents.

Sensitive Data

  • Confidential: Sensitive information that should be restricted to specific individuals or teams, such email, donor records, participant records, and financial records.
  • Restricted: Highly sensitive information that requires the highest level of protection, including personal identifiable information (PII) and health records, personnel and performance records.
     

5    CLASSIFICATION PRACTICES

Classification practices emphasize the importance of restricting access to information to the right people, at the right times, and ensure that these restrictions are clearly communicated and enforced.

5.01    Access to information should be limited based on its classification level. Only individuals with the appropriate clearance or need-to-know basis should have access.

5.02    Only those individuals who are relevant to the information or task should be granted access.

5.03    Access should be limited to specific time periods when appropriate. This means that depending on classification of the information, individuals should only have access during times when they need it, and it should be revoked when it is no longer necessary.

5.04    Whenever possible, information should be clearly marked or identified according to its classification and access restrictions. This ensures that everyone should be aware of the sensitivity of the information and the access controls in place.

5.05    Departments such as Finance and People Engagement and Learning (PEL) should take particular care with Confidential and Restricted records.
 

6    ROLES AND RESPONSIBILITIES

6.01    It is the duty of the Information Systems (“IS”) Team to ensure there is a process and adequate controls in place and the organization has tools available to maintain those controls. The IS Team has the added duty of vetting technology systems to ensure they comply with data security practices in the organization.

6.02    It is the duty of the Privacy Officer to ensure there is clarity on the Classification Practices    

6.03    It is the duty of the People Engagement and Learning (PEL) Team to ensure there is adequate training on information classification and responsibilities.

6.04    It is the duty of the managers / directors of a department to ensure information is sorted in proper classification.

6.05    It is the duty of individual Staff to adhere to the Classification Practices.

6.06    It is everyone's duty to raise concerns about lapses in policies, potential risks, and breaches of the policy.

7    SENSITIVE DATA PRINCIPLES

7.01    Sensitive data shall be processed lawfully, fairly and in a transparent manner.

7.02    Sensitive data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. 

7.03    Sensitive data processed shall be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

7.04    Sensitive data shall be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure inaccurate personal data is erased or fixed.

7.05    Sensitive data should only be kept in an identifiable form for as long as it is needed to fulfil the purposes for which it was collected. Once the data is no longer needed for those purposes, it should be anonymized or destroyed to protect the privacy of the individuals.

7.06    Sensitive data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.

8    DATA HANDLING BEST PRACTICES

8.01    Ensure data is protected with standard level encryption, and limit the use of external media such as external drives, usb keys, etc.

8.02    Ensure sensitive data when shared is done so with time-based access, and limited (user defined) sharing permissions whenever possible.

8.03    When transmitting sensitive data over email, it is best to include a link to the file, which can be revoked or will auto-expire vs sending attachments.

8.04    Do not delete or destroy information unless instructed to do so.

8.05    All information transmitted, stored and processed in MakeWay Systems is assumed to be the property of MakeWay and may be scanned, reviewed, archived and backed up by MakeWay for regular business and security processes.

8.06    Minimize data sets and collect only information which is necessary.

9    ACCESS CONTROL

9.01    Administering access control must follow access best practices of “least privilege” that grants users the minimum necessary access based on their roles.

9.02    When changing roles, previous access may be revoked and new access provided based on the needs of the role.

9.03    Regular audits of access are to be done by systems administrators   to ensure compliance. Permissions may be adjusted as needed.

9.04    Logging and monitoring of systems to detect and respond to unauthorized access attempts will be conducted to maintain robust information security.

10    SECURITY

10.01    Staff should ensure data is secure by adhering to other relevant MakeWay policies:

  • Acceptable Use of Technology Policy (Policy No. 4.01)
  • Remote Access Policy (Policy No. 8.01)
  • Password Policy (Policy No. 6.01)
  • BYOD Policy (Policy No. 7.01)
  • Cyber Security Policy (Policy No. 2.01)

This ensures the handling of Confidential and Restricted information with due care, preventing data from harm or loss. 

10.02   The IS Team will ensure data is secure by ensuring that MakeWay policies, applicable laws and regulatory requirements (PIPEDA, PCI DSS, PHIPA, etc..) for information security are adhered to through monitoring and regular audits.

11    DISPOSAL

Sensitive documents and data, when no longer needed, should be destroyed using methods like shredding physical papers and securely wiping electronic devices according to applicable laws, regulatory requirements and the Records Retention Policy (SPP No. 010.02).

12.01      Acceptable Use of Technology Policy (Policy No. 4.01)

12.02      Remote Access Policy (Policy No. 8.01)

12.03      Password Policy (Policy No. 6.01)

12.04      BYOD Policy (Policy No. 7.01)

12.05      Cyber Security Policy (Policy No. 2.01)

12.06      Records Retention Policy (SPP No. 010.02)