Archived [2019-06-28] - Directive on Departmental Security Management

for cause (pour un motif valable)

A determination that there is sufficient reason to review, revoke, suspend or downgrade a reliability status, a security clearance or site access.

integrity (intégrité)

The state of being accurate, complete, authentic and intact.

managers at all levels (gestionnaires à tous les niveaux)

Includes supervisors, managers and executives.

protected asset or information (renseignement ou bien protégé)

An asset or information that may qualify for an exemption or exclusion under the Access to Information Act or the Privacy Act because its disclosure would reasonably be expected to compromise the non-national interest.

residual risk (risque résiduel)

Level of risk remaining after security measures have been applied

security program (programme de sécurité)

A group of security-related resource inputs and activities that are managed to address a specific need or needs and to achieve intended results.

The DSO or other designated individual is responsible for reporting security incidents and incidents suspected of constituting a national threat or a threat to an organization other than their own as follows:

• National security concerns, including those related to terrorism, are reported to the Canadian Security Intelligence Service (CSIS) at 613-993-9620.
• Suspected criminal activity is reported to the RCMP National Operations Centre (NOC), a 24/7 service, at 613-993-4460 (reports or calls may be redirected to local law enforcement organizations as appropriate).
• Enquiries related to law enforcement assessments are directed to Operational Support and Client Services of the RCMP Canadian Criminal Real Time Identification Services (CCRTIS) by email at RTID_ITR@rcmp-grc.gc.ca.
• Cyber incidents, physical security breaches of critical systems or services, and IT or IT security incidents that are not part of normal operations, cause or may cause a disruption to or reduction in the quality of service or productivity, or are characterized by an unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource are reported as per the GC IT Incident Management Plan.
• Incidents involving accountable COMSEC material must be reported to DSO of the department in which the COMSEC incident occurred

Departments are responsible for selecting, implementing, monitoring and maintaining sustainable security controls to achieve the security control objectives. Security controls may be administrative, managerial, operational, technical or procedural. Mandatory and recommended security controls are specified in standards and guidelines that support the Policy on Government Security. Additional security controls and control objectives are selected and implemented by departments based on the results of risk assessments.

Information assurance

• Information is protected from unauthorized access, use, disclosure, modification, disposal, transmission or destruction.
• Information is identified and categorized based on the degree of injury that could be expected to result from the compromise of its confidentiality, availability or integrity.
  • Information is identified and categorized as Classified (Confidential, Secret or Top Secret) when unauthorized disclosure could reasonably be expected to cause injury to the national interest.
  • Information is identified and categorized as Protected (A, B and C ) when unauthorized disclosure could reasonably be expected to cause injury to interests other than the national interest.
  • Information is identified and categorized as High, Medium or Low when unauthorized disclosure, modification, interruption or destruction could reasonably be expected to result in compromise of its availability or integrity.
• Access to classified and protected information is limited to authorized individuals who have been security screened at the appropriate level and who have an express need for access.
• Modification and destruction of information is limited to authorized individuals.
• Appropriate security measures are in place for accessing, storing, transmitting and disposing of information.
• The security of information is addressed through all phases of its life cycle or the life cycle of the information system to ensure security requirements are identified early, security controls are reviewed, management authorization is provided before operation and authorization is maintained through continuous monitoring of the security posture.

Individual security screening

• All individuals who require access to government information, assets or facilities undergo an examination of their trustworthiness and honesty and, as appropriate, loyalty or reliability as it relates to loyalty to Canada before being granted access to government information, assets or sites.
• The security screening process is fair, objective and respectful of individual rights, including privacy.
• Individuals are formally briefed on access privileges and prohibitions attached to their screening level before the commencement of their duties, when required in the update cycle, and whenever a change occurs in their screening level, and they are required to sign appropriate briefing forms.
• Individuals are treated in a fair manner should their security screening status come under review, be revoked, denied, temporarily suspended or downgraded for cause.
• Security screenings are conducted in a manner that meets Government of Canada (GC) standards and enables them to be transferred between departments.

Physical security

• Information, assets and facilities are protected from unauthorized access, disclosure, modification or destruction, in accordance with their level of sensitivity, criticality and value.
• Access to government assets and facilities is limited to authorized individuals who have been security screened at the appropriate level and who have an express need for access.
• Custodian-tenant relationships are defined in a formal agreement that ensures shared and individual responsibilities are addressed to achieve optimum security outcomes.
• Security considerations are fully integrated into the process of planning, selecting, designing, modifying, building, implementing, operating and maintaining facilities and equipment.
• External and internal environments of a facility are managed to create conditions that, together with specific physical security controls, reduce the risk of workplace violence, protect against unauthorized access, detect attempted or actual unauthorized access and activate an effective response.
• Containers, processes and procedures defined or recommended in GC standards and guidelines are used for the transport, transmittal, or destruction of protected and classified information and assets.

IT security

• IT security considerations are fully integrated to meet business objectives at each stage of the IT system's life cycle, including definition, design, development, operations, maintenance and decommissioning.
• Users must be identified and authenticated before access is granted to IT systems.
• Access to electronic information and IT systems is limited to authorized users, including the types of transactions and functions that authorized users are permitted to exercise, based on business and security requirements.
• Confidence in the security of IT systems is assured through the following:
  • Assessing security controls;
  • Reducing or eliminating deficiencies;
  • Authorizing before operation; and
  • Maintaining authorization.
• The IT security posture is continuously maintained by monitoring threats and vulnerabilities, detecting malicious activity and unauthorized access, and taking both pre-emptive and response actions to minimize effects.
• IT system audit logs and records are created, protected and retained to enable monitoring, analysis and investigation so that users can be held accountable for their actions.
• Data on all portable electronic media and devices are protected and sanitized or destroyed before disposal or reuse of the equipment.
• Electronic communications are protected by network security zones and perimeter defence at network boundaries.

Security in contracting

Security requirements are identified, addressed, formally documented, implemented and monitored in all phases of the procurement and throughout the life cycle of the contract.

• Information, assets, systems and facilities entrusted to industry meet the industrial security requirements and are afforded an appropriate level of protection throughout their life cycle.

Sharing information and assets with other governments and organizations

• Government information, assets and facilities entrusted to or shared with organizations outside the GC are afforded an appropriate level of protection throughout their life cycle.
• Third-party information and assets entrusted to the GC are afforded an appropriate level of protection throughout their life cycle.
• Documented arrangements clearly outline respective accountabilities and responsibilities of participants, in accordance with government and industry standards, and are periodically reviewed to confirm that they are still appropriate and relevant.

Obtaining security services from other organizations

• Formal arrangements are established when security services are obtained from another organization.
• Arrangements contain security provisions that clearly outline respective accountabilities and responsibilities of the department and the service provider.
• Monitoring is conducted to verify compliance with security provisions, assess their continued relevance and update them as necessary.

Security awareness

• A departmental security awareness program covering all aspects of departmental and government security is established, managed, delivered and maintained to ensure that individuals are informed and regularly reminded of security issues and concerns and of their security responsibilities.
• Individuals understand and comply with their security responsibilities and do not inadvertently compromise security.

Security training

• DSOs, security practitioners and other individuals with specific security responsibilities receive appropriate and up-to-date training to ensure they have the necessary knowledge and competencies to effectively perform their security responsibilities and do not inadvertently compromise security.

Security incident management

• Measures are taken to ensure preparedness and timely mitigation, response or recovery from security incidents and to prevent or minimize effects and potential losses.
• Incidents that affect, or have the potential to affect, government-wide preparedness, mitigation, response or recovery from threats and vulnerabilities are reported to the appropriate lead security agency or law enforcement authority (see Appendix B—Points of Contact for Incident Handling), and as appropriate, other departments when there is reason to believe that the security breach originated from that department
• Post-incident analysis and follow-up is conducted and communicated to the appropriate lead security agency.

Protection of employees from workplace violence

• Protective measures are in place to safeguard employees (and family members, if deemed necessary based on threat and risk assessment of specific situations) from workplace violence that could arise because of their duties or situations to which they may be exposed in the course of their work.
• Information and training is available to employees regarding the handling of such situations.
• Thorough records and statements are maintained on reported incidents involving workplace violence.

Security inspections

• Routine inspections are conducted of sites or systems where sensitive information and assets are processed or stored to ensure compliance with departmental security requirements (e.g., checking office areas during limited-access hours).
• Security inspections are conducted in a manner that conforms to collective agreements and underlying legislation, are reasonable in the circumstances, and their procedures are made known to employees in advance of being performed.
• Security inspections are conducted by assigned persons and do not target specific employees.
• Suspected violations or breaches of security are reported without delay and investigated as a basis for remedial action or reporting to the responsible authorities, as appropriate.

Administrative investigations related to security incidents

• Investigations are conducted in a manner that does not jeopardize or compromise evidence, the rights of individuals or civil or criminal proceedings.
• Procedures are developed and implemented to establish the conditions under which each administrative investigation will be conducted.
• Incidents suspected of constituting criminal offences are reported to the appropriate law enforcement authority and protocols are established to ensure cooperation between the department and law enforcement agencies.
• Parties involved in the investigation are appropriately informed of their rights and obligations.

Security in emergency and increased threat situations

• Plans and procedures are in place to escalate to heightened security levels in case of emergency and increased threat.
• Departments can coordinate with other emergency prevention and response plans (e.g., fire, bomb threats, hazardous materials, power failures, evacuations or civil emergencies) in the event of an emergency or increased threat situation.

Emergency and business continuity planning

• Business continuity plans and contingency plans support the recovery and restoration of critical business services and functions and their associated assets and resources for uninterrupted minimum service delivery.
• Departmental services and assets are analyzed, identified and prioritized in terms of criticality
• An up-to-date inventory of critical services and associated information, assets and dependencies is maintained and provided to Public Safety Canada as requested.
• Business continuity plans and recovery strategies are developed and arrangements made for all critical services.
• Business continuity plans are tested and readiness exercises conducted to ensure efficient and effective response and recovery.