
Mango IT Security Policy

Comprehensive Information Security Policies
for Government + Professional Services Compliance

VERSION 3.0 | EFFECTIVE DATE: JULY 1, 2025 | REVIEW DATE: ANNUAL

 

1. POLICY OVERVIEW + SCOPE

1.1 Purpose

This Security Policy Framework establishes comprehensive information security standards for Mango IT and all client environments. These policies ensure compliance with the British Columbia Freedom of Information and Protection of Privacy Act (FOIPPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and government contracting security requirements.

1.2 Scope

This policy applies to:

  • All Mango IT personnel and subcontractors

  • All client systems under Mango IT management

  • All information systems, networks, and devices within scope of services

  • All data processing activities involving Protected Information

1.3 Information Security Policy Requirements

Mango IT maintains an information security policy that is:

  • Based on recognized industry standards (NIST Cybersecurity Framework, ISO 27001)

  • Reviewed and updated at least every three years

  • Aligned with BC Government security standards and federal privacy requirements

 

2. INFORMATION CLASSIFICATION + HANDLING

2.1 Information Classification

All information is classified according to BC Government standards:

  • Public: No restrictions on disclosure

  • Protected A: Basic personal information (names, addresses)

  • Protected B: Sensitive personal information (medical records, legal files)

  • Protected C: Highly sensitive information requiring maximum protection

2.2 Data Protection Standards

  • All Protected Information is encrypted using AES-256 encryption minimum

  • Transport Layer Security (TLS) 1.2 minimum for all communications

  • No Protected Information stored on unencrypted portable media without prior written authorization

  • Logical isolation of Protected Information maintained at all times

 

3. ACCESS CONTROLS + AUTHENTICATION

3.1 User Identity Management

  • All user identifiers are unique and personal for each system access

  • Multi-factor authentication required for all administrative access

  • Role-based access controls implemented through Microsoft 365/Google Workspace

  • Least privilege principles enforced for all user accounts

3.2 Authentication Requirements

Standard Authentication:

  • Minimum 12-character passwords with complexity requirements

  • Passwords changed every 12 months minimum

  • Account lockout after 5 failed attempts

  • Session timeouts implemented for all systems

Enhanced Authentication (Protected B/C Information):

  • Two-factor authentication required for all access

  • Enhanced logging of all access attempts

  • Request-based access with approval workflows

  • No standing access privileges

3.3 Access Management Procedures

  • Formal user registration process including access level verification

  • Regular access reviews conducted quarterly

  • Account inventory maintained and reviewed monthly

  • Automated account deactivation after 90 days of inactivity

 

4. PHYSICAL + ENVIRONMENTAL SECURITY

4.1 Physical Access Controls

  • Mango IT facilities secured with locked access and alarm systems

  • Client facilities accessed only by authorized personnel

  • Physical access logs maintained and reviewed monthly

  • Visitor access controlled and logged

4.2 Environmental Protection

  • Client systems protected from fire, environmental hazards, and power interruptions

  • Climate-controlled environments for server infrastructure where possible

  • Physical separation of production and development environments

  • Secure disposal procedures for all hardware containing Protected Information

 

5. SYSTEMS + NETWORK SECURITY

5.1 System Hardening

All managed systems implement:

  • Industry-standard security configurations

  • Automatic security updates through Datto RMM

  • Endpoint protection via Datto EDR on all devices

  • Application-layer firewalls configured per security best practices

5.2 Network Security Controls

Perimeter Security:

  • Stateful packet inspection firewalls at all network perimeters

  • Intrusion detection and prevention systems deployed

  • Network segmentation isolating critical systems

  • Secure remote access through encrypted VPN connections only

Network Monitoring:

  • Continuous network monitoring through Datto EDR

  • Automated alerting for security events

  • Network access controls preventing unauthorized connections

5.3 Database and Application Security

  • Database access controls restrict administrative utilities

  • Formal approval process for database content disclosure requests

  • Data integrity checking through automated consistency verification

  • Application security testing prior to production deployment

 

6. VULNERABILITY MANAGEMENT + PATCHING

6.1 Proactive Vulnerability Management

  • Automated vulnerability scanning through Datto RMM monthly

  • Current threat intelligence monitoring implemented

  • Security patches deployed within required timeframes:

    • Critical vulnerabilities: 30 days maximum

    • High vulnerabilities: 90 days maximum

    • Medium/Low vulnerabilities: 180 days maximum

6.2 Patch Management

  • Automated patch deployment through Datto RMM

  • Testing procedures for critical system patches

  • Emergency patch procedures for zero-day vulnerabilities

  • Patch status reporting provided to clients quarterly

6.3 Antivirus and Malware Protection

All managed devices include:

  • Real-time antivirus protection via Datto EDR

  • Daily signature updates

  • Weekly full system scans for latent infections

  • Automatic quarantine and remediation procedures

 

7. BACKUP + DISASTER RECOVERY

7.1 Backup Requirements

Comprehensive backup strategy includes:

  • Annual backup policy review and testing

  • Automated backups through Datto Workstation/Server backup solutions

  • Cloud replication for geographic redundancy

  • Backup frequency based on data criticality and industry best practices

7.2 Business Continuity Planning

  • Documented business continuity and disaster recovery plans reviewed annually

  • Systems protected from loss, damage, and interruptions

  • Recovery time objectives defined per client requirements

  • Business impact analysis updated annually

7.3 Backup Security

  • All backup data encrypted using AES-256 encryption

  • Backup integrity testing performed monthly

  • Secure disposal procedures for retired backup media

  • Backup access controls equivalent to production systems

 

8. INCIDENT RESPONSE + SECURITY MONITORING

8.1 Security Event Monitoring

Comprehensive logging includes:

  • Security event logs enabled on all applicable systems

  • 90-day minimum retention for system event logs

  • Automated correlation and analysis through Datto EDR

  • Real-time alerting for critical security events

8.2 Incident Response Management

Security incident response includes:

  • 24/7 security monitoring through Datto SOC services

  • Incident response procedures documented and tested annually

  • Immediate reporting to clients for any incidents affecting Protected Information

  • Forensic investigation capabilities through qualified third parties

8.3 Investigation Support

  • Security investigation capabilities for incident analysis

  • Evidence collection and chain of custody procedures

  • Legal proceeding support when required

  • Threat assessment support through industry threat intelligence

 

9. COMPLIANCE + AUDIT

9.1 Regulatory Compliance

Mango IT ensures compliance with:

  • Freedom of Information and Protection of Privacy Act (FOIPPA)

  • Personal Information Protection and Electronic Documents Act (PIPEDA)

  • BC Government Information Security Classification standards

  • Industry-specific requirements (medical, legal professional standards)

9.2 Audit and Assessment

  • Annual security assessments conducted by qualified third parties

  • Vulnerability scan reports provided every six months

  • Patch status reports provided quarterly

  • Compliance verification available upon reasonable notice

9.3 Documentation and Records

  • Security controls documentation maintained and current

  • Policy compliance monitoring through automated tools

  • Annual policy review and update procedures

  • Evidence retention for compliance verification

 

10. ASSET MANAGEMENT + DISPOSAL

10.1 Asset Management

Comprehensive asset tracking includes:

  • Current asset inventory maintained through Datto RMM

  • Asset criticality assessment and security classification

  • Software licensing compliance monitoring

  • Hardware lifecycle management procedures

10.2 Secure Disposal

Secure disposal procedures ensure:

  • Complete data destruction using NIST 800-88 standards

  • Physical destruction of media containing Protected Information

  • Certificates of destruction provided for audit compliance

  • Environmental compliance for electronic waste disposal

 

11. PERSONNEL SECURITY

11.1 Staff Requirements

  • Background verification appropriate to access levels

  • Security awareness training annually for all personnel

  • Confidentiality agreements for all staff and contractors

  • Regular security training updates on emerging threats

11.2 Third-Party Management

  • Due diligence procedures for all subcontractors

  • Contractual security requirements for vendor services

  • Regular assessment of third-party security controls

  • Incident notification requirements in vendor agreements

 

12. CHANGE MANAGEMENT + CONFIGURATION

12.1 Change Control

  • Formal change control processes for all systems

  • Security impact assessment for significant changes

  • Testing requirements prior to production implementation

  • Rollback procedures for failed changes

12.2 Configuration Management

  • Baseline security configurations documented and maintained

  • Configuration drift monitoring through automated tools

  • Regular configuration audits and remediation

  • Secure configuration templates for new deployments

 

13. POLICY COMPLIANCE + ENFORCEMENT

13.1 Non-Compliance Reporting

  • Immediate notification to affected parties for any non-compliance

  • Corrective action plans developed within reasonable timeframes

  • Progress reporting on remediation activities

  • Escalation procedures for persistent non-compliance

13.2 Policy Updates and Communication

  • Annual policy review and update procedures

  • Change notification to all affected parties

  • Training updates for policy changes

  • Documentation version control and distribution

 

14. CONTACT INFORMATION + EMERGENCY PROCEDURES

14.1 Security Contacts

  • Primary Security Contact: [Name, Title]

  • 24/7 Emergency Response: [Phone Number]

  • Incident Reporting Email: [Email Address]

  • Client Notification Procedures: [Process Description]

14.2 Regulatory Reporting

  • Privacy breach notification procedures per PIPEDA/FOIPPA requirements

  • Government agency notification timelines and procedures

  • Legal counsel engagement criteria and contact information

  • Public disclosure requirements and procedures

This policy framework meets or exceeds requirements for BC Government contracting, FOIPPA compliance, PIPEDA requirements, and professional services industry standards. Last revised 2025.

Contact

hello@mangoit.ca

250 419.7616

Address

37a 11TH Avenue South
Cranbrook, BC V1C 2N9


 © 2024 by Mango IT
