Secure use of portable data storage devices within the Government of Canada
Note to readers
The Secure use of portable data storage devices within the Government of Canada ITPIN is no longer in effect. It was migrated to Appendix G: Standard on Enterprise IT Service Common Configurations as of May 04, 2022.
Information Technology Policy Implementation Notice (ITPIN)
No.: ITPIN: 2014-01
Date: May 20, 2014
To: Chief Information Officers and Heads of Information Technology Services
Subject: Secure use of portable data storage devices within the Government of Canada
Data loss prevention in the Government of Canada (GC) is everyone's responsibility. The secure use of portable data storage devices is just one aspect of a comprehensive data loss and leakage prevention program that GC departments and agencies must adopt in order to effectively safeguard confidential, protected and classified government information. TBS CIOB is currently developing a data loss prevention strategy which will be supported through the issuance of a series of ITPINs.
The purpose of this first ITPIN is to provide direction to departments and agencies on their responsibilities regarding the use of portable data storage devices within the GC, including the appropriate storage, transport, clearing of information assets stored on the devices and disposal of the devices.
The improper use and handling of portable data storage devices or the improper storage of GC information on these devices can pose significant risks to the security of GC information and may violate GC policies for security, privacy protection and information management.
The intent of this ITPIN is to mitigate against the following risks associated with the usage of portable data storage devices:
- The unauthorized access or use of information stored on the device,
- The introduction of malicious software onto GC IT networks, and
- The loss or theft of the device.
This ITPIN is effective May 20, 2014. Departments and agencies are expected to be in compliance with the requirements set forth, by September 30, 2014.
This ITPIN applies to all individuals using or connecting portable data storage devices to any component of the GC IT infrastructure.
Additionally, this ITPIN applies when storing unclassified, Protected A, Protected B, Protected C or Classified information on portable data storage devices.
When storing Protected C and Classified information on portable data storage devices additional requirements to those listed in this ITPIN also apply. Please consult Communications Security Establishment Canada (CSEC) for details.
The Chief Information Officer of the GC provides this direction in accordance with the following Treasury Board Secretariat (TBS) policies:
- Policy on Management of Information Technology
- Policy on Government Security
- Operational Security Standard: Management of Information Technology Security (MITS)
Portable Data Storage Devices
Devices that are portable and contain storage or memory into which users can store information are considered portable data storage devices.
Examples of portable data storage devices include:
- USB devices (e.g. memory sticks, external hard drives);
- eSATA (External Serial Advanced Technology Attachment) devices;
- Tablets, laptops, smart devices (e.g. BlackBerry), and cameras; and
- Portable media – tapes, optical discs (e.g. CDs and DVDs).
Physical Security
The primary safeguards for information stored on portable data storage devices are physical security safeguards.
Portable data storage devices must be properly secured at all times as appropriate to the highest level of security classification of the information stored on it. For Protected A and B, lock up the device or if recommended by a Threat Risk Assessment (TRA), select an appropriate security container. Protected C and Classified require storage in an appropriate security container.
Portable data storage devices must be labelled to indicate the highest classification level of information that has been stored on the device. Departments / agencies should use an indirect coding system that is not immediately recognizable to the general public. Examples of suggested indirect coding are barcodes, colour codes or a numbering scheme.
Existing guidance remains unchanged when transporting a portable data storage device such as a BlackBerry or laptop with GC information stored on it. The bearer must keep it under their constant control and possession at all times.
Additional physical security safeguards such as a locked carrying case or an approved dispatch case may be required based on a threat risk assessment.
Specific requirements related to physical security and security containers can be found in the TBS Operational Security Standard on Physical Security and the Royal Canadian Mounted Police (RCMP) guides G1-001, Security Equipment Guide and G1-009, Transport and Transmittal of Protected and Classified Information.
Encryption
All portable data storage devices must be password or biometric controlled and the GC information stored on them encrypted.
Password or biometric controlled portable data storage devices and encryption of the GC information stored on them supplements but do not replace physical security procedures.
Only on an exception basis, as per departmental / agency risk tolerance and with formal departmental / agency approval, may unencrypted GC information be stored on a non-password or non-biometric controlled portable data storage device.
All GC information stored on portable data storage devices must be encrypted using a Cryptographic Module Validation Program certified encryption module. Where possible departments / agencies must use Common Criteria Program accredited products.
Encryption methods used by departments / agencies should be configured to follow the methods outlined in the CSEC publication ITSA-11E, CSEC Approved Cryptographic Algorithms for the Protection of Sensitive Information and for Electronic Authentication and Authorization Applications within the Government of Canada. Additional information on encryption of GC information stored on portable data storage devices can be found in CSEC’s CSG-03, Media Encryption. CSEC's ITSG-31, User Authentication Guidance for IT Systems should also be taken into account.
Storage
Portable data storage devices are intended for the temporary storage of information only and must not be used as permanent document repositories to store GC information. Only on an exception basis, as per departmental / agency risk tolerance and with formal departmental / agency approval, may GC information be stored permanently on portable media.
Clearing and Disposal
Clearing is the process of erasing stored information from portable data storage devices in a manner that allows it to be re-used within an equivalent security environment.
Clearing must be adequate to prevent information recovery using tools normally available on the Information System. Simply deleting or erasing the files or reformatting does not clear the portable data storage device, because commands such as undelete or un-format may permit the recovery of the information.
Additionally, the clearing process is not expected to be proof against "hands-on" recovery methods using specialized IT utilities or laboratory techniques. For this reason, cleared portable data storage devices must be retained within security environments appropriate to the highest level of information that the device once contained, and the device cannot be considered for declassification.
Disposal is the identification of suitable methods to prepare portable data storage devices for declassification or disposal.
Individual users must return portable data storage devices to their department / agency for disposal.
Baseline standards and various methods have been approved by the RCMP and CSEC for the disposal of different types of devices. Methods are recommended based on specified levels of data sensitivity within a range of typical GC operating environments.
Clearing and disposal should be done in accordance with CSEC's ITSG06, Clearing and Declassifying Electronic Data Storage Devices.
Additional Departmental and Agency Responsibility
Departments and agencies must consider the following as the minimum level of their responsibility in regard to the secure use of portable data storage devices.
Only portable data storage devices issued by departments / agencies are authorized to be used to store GC information.
All portable data storage devices must be password or biometric controlled and the GC information stored on them encrypted.
All portable data storage devices issued by a department / agency for the storage of Protected C or Classified GC information must be recommended by CSEC.
Only as per departmental / agency risk tolerance and with formal departmental / agency approval are the following exceptions for the use of unauthorized portable data storage devices permissible:
- Connecting an unauthorized device to GC IT networks for the purpose of one-way transfers of information from the device to GC IT networks;
- Storing GC information on an unauthorized device;
- Permanently storing GC information on portable media; and
- Storing unencrypted GC information on a non-password or non-biometric controlled portable data storage device.
Departments / agencies must scan all portable data storage devices for malicious software each time the device is connected to GC IT infrastructure.
Portable data storage devices used on unclassified, Protected A or Protected B networks must never be connected to a classified network (Secret). Departments / agencies can request additional information about information transfer solutions using portable data storage devices between networks with different security levels from CSEC.
Departments / agencies must implement a proper administrative security process throughout the life cycle of portable data storage devices. This includes, but is not limited to, ensuring that proper practices are in place related to asset management including the monitoring of devices, accountability, authorization, storage and handling, data transfer (data loss prevention) and disposal.
Departments / agencies must maintain records of the portable data storage devices issued within their organization. At a minimum, the record will contain a unique identifier (such as a serial number) of the portable data storage device, the assignee name, the date of assignment, and the purpose and highest level of security classification of the information that is allowed to be stored on the device.
Departments / agencies must provide an Individual User training program on the proper usage of portable data storage devices. The training must be provided prior to the issuance of the portable data storage devices, and individual users must sign a portable data storage device user agreement. This user agreement may be part of an overall IT acceptable use agreement.
Departments / agencies are responsible for establishing processes and procedures for individual users to report loss or theft of portable data storage devices.
Departments / agencies are to report any real or suspected loss or theft of portable data storage devices to:
- TBS / CIOB;
- Their departmental / agency Security and Access to Information and Privacy officials; and
- The Office of the Privacy Commissioner in accordance with TBS's Guidelines for Privacy Breaches.
Departments / agencies subject to the Privacy Act must consider the legal requirement of this Act, and should apprise themselves of TBS's Guidelines for Privacy Breaches. The Act describes GC responsibilities with respect to personal information while the guidelines identify causes of privacy breaches; provide guidance on how to respond, contain and manage privacy breaches; delineate roles and responsibilities; and include links to relevant supporting documentation.
Departments / agencies may also consult the Office of the Privacy Commissioner's Key Steps for Organizations in Responding to Privacy Breaches.
References
This direction is intended to be used in conjunction with the following acts, policies, standards, directives and guidelines.
- TBS Policy on Government Security, July 1, 2009, section 5.2, Policy Statement
- TBS Policy on Management of Information Technology
- TBS Operational Security Standard: Management of Information Technology Security (MITS), April 14, 2004, section 16.4.12, "Malicious Code"
- TBS Directive on Departmental Security Management, July 1, 2009, Appendix C
- TBS Operational Security Standard on Physical Security
- TBS Guidelines for Privacy Breaches
- CSEC ITSA-11E, CSEC Approved Cryptographic Algorithms for the Protection of Sensitive Information and for Electronic Authentication and Authorization Applications within the Government of Canada
- CSEC ITSD-03, "Directive for the Control of COMSEC Material in the Government of Canada"
- CSEC ITSG06, Clearing and Declassifying Electronic Data Storage Devices
- CSEC ITSG-31, User Authentication Guidance for IT Systems
- CSEC ITSG -33, IT Security Risk Management: A Lifecycle Approach, Annex 3, section 3.10, "Family: Media Protection"
- CSEC Cryptographic Module Validation Program (CMVP) and/or Canadian Common Criteria Scheme (CCCS)
- CSEC CSG-03, Media Encryption
- RCMP guide G1-001, Security Equipment Guide
- RCMP guide G1-009, Transport and Transmittal of Protected and Classified Information
- The Privacy Act
- The Office of the Privacy Commissioner's Key Steps for Organizations in Responding to Privacy Breaches.
Please address any inquiries you may have on this ITPIN by email to the CIOB IT Division.
Please address any IT Security inquiries you may have by telephone at (613) 957-2549 or by email to the Security and Identity Management Division.
Page details
- Date modified: