Information Security Policy

The Canadian Broadcast Standards Council (the “CBSC”) is a national voluntary self-regulatory organization created by Canada’s private broadcasters to deal with complaints made by viewers or listeners about programs they have seen or heard broadcast on a participating station. The CBSC administers five industry codes covering various issues relating to ethics, violence on television, equitable portrayal, journalistic ethics and cross-media ownership which set out the guidelines for television and radio programming.

The CBSC last updated its Privacy Policy in October of 2018. That policy explains how Personal Information will be handled by the CBSC, and the purposes for which it will be used, including, among other things, how the CBSC will retain Personal Information collected from website visitors and users of its complaints resolution process.

The CBSC’s Information Security Policy aims to protect the confidentiality, integrity, and availability of information in accordance with legal obligations and the reasonable requirements of the parties that control the information, the information stewards, custodians, and authorized users. It also aims to hold individual users accountable for unauthorized or inappropriate access to, use of, disclosure, disposal, modification of, or interference with personal information or services. Any CBSC employee, consultant, or employee of a vendor who violates this policy could be subject to sanctions up to and including dismissal or termination of contract.

Possible situations that could lead to corrective action or disciplinary measures include the following:

Information and associated services must be secured in line with legal and business requirements and throughout their life cycles. The system of security controls protecting the services provided by the CBSC must be designed and operated such that:

The system of security controls and individual control mechanisms must be assessed and tested prior to use and periodically thereafter. Involved technology, products or tools must be properly configured and operated to ensure that all security controls are effective.

Email data is stored and transmitted through Microsoft Canada secure datacenters, and protected by the Microsoft Office 365 security suite.
CBSC will store data, including personal information, only on secure servers or cloud-based solutions. All such data will be protected by appropriate security safeguards, in line with industry practice for similar installations, including boundary protection systems (firewalls), monitoring/intrusion detection systems, malware protection, data encryption, session encryption and content filtering. Such safeguards shall be reassessed periodically in light of current intrusion risks and available counter-measures.

CBSC’s telephone system equipment will be housed in a locked room, accessible only by CBSC personnel and external support providers who require access to perform their duties.

The CBSC’s datacenter is situtated off-site (other than terminal devices, PCs and peripherals) and will have conditioned power, UPS and backup diesel generators, as well as temperature/environmental controls appropriate to systems requirement.

CBSC employees accessing the CBSC’s database must comply with the following password standards:

The network should enforce the following password standards:

1) Passwords routed over a network must be encrypted.
2) Passwords must be entered in a non-display field.
3) System software must enforce the changing of passwords and the minimum length.
4) System software must disable the user identification code when more than four consecutive invalid passwords are given within a 15 minute timeframe. Lockout time must be set at a minimum of 30 minutes.
5) System software must maintain a history of previous passwords and prevent their reuse.