Archived [2009-07-06] - Government Security Policy

Departments must appoint a Departmental Security Officer (DSO) to establish and direct a security program that ensures co-ordination of all policy functions and implementation of policy requirements. These functions include general administration (departmental procedures, training and awareness, identification of assets, security risk management, sharing of information and assets), access limitations, security screening, physical security, protection of employees, information technology security, security in emergency and increased threat situations, business continuity planning, security in contracting and security incident investigations.

Given the importance of this role, consideration should be given to appointing a Departmental Security Officer with sufficient security experience who is strategically positioned within the organization so as to provide department-wide strategic advice and guidance to senior management.

Departments must implement this policy when sharing Government of Canada information and other assets with other governments (including foreign, provincial, territorial, and municipal), international, educational and private sector organizations. In these cases, departments must develop arrangements that outline security responsibilities, safeguards to be applied, and terms and conditions for continued participation.

Departments must treat information and other assets received from other governments (including foreign, provincial, territorial, and municipal), international (e.g., NATO), educational and private sector organizations, in accordance with agreements or arrangements between the parties concerned.

Departments that share in the common Information Management and Information Technology infrastructure for on-line service delivery and other purposes must conform to all security standards established for that infrastructure.

Some requirements of this policy may be difficult to apply in certain foreign environments. In such situations, special standards may be developed in consultation with the Department of Foreign Affairs and International Trade.

Restrictions may be placed on personal activities at locations where the environment is particularly dangerous. All employees, unless on diplomatic posting and covered by the Vienna Conventions, are automatically subject to local laws and regulations. For travel information and specific security arrangements and limitations, employees must contact the Department of Foreign Affairs and International Trade or the nearest Canadian embassy. Diplomats must be aware that serious breaches of local laws abroad can, under Canadian law, be prosecuted in Canada.

This policy applies equally to the contracting process as it does to internal government operations. The contracting authority, whether it is Public Works and Government Services Canada or another department, must comply with the requirements of this policy and the security in contracting standards and technical documentation.

The contracting authority must:

1. Ensure security screening of private sector organizations and individuals who have access to protected and classified information and assets, as specified in the standards.
2. Ensure safeguarding of government assets, including IT systems.
3. Specify the necessary security requirements in terms and conditions in any contractual documentation.

Departments must:

1. Ensure that individuals who have specific security duties receive appropriate, up to date training.
2. Have a security awareness program to inform and regularly remind individuals of security responsibilities, issues and concerns.
3. Brief individuals on the access privileges and prohibitions attached to their screening level prior to commencement of duties, or when required in the update cycle.

Confidentiality

Departments must identify information and other assets when their unauthorized disclosure, with reference to specific provisions of the Access to Information Act and the Privacy Act, could reasonably be expected to cause injury to:

1. the national interest. Such information is classified. It must be categorized and marked based on the degree of potential injury (injury: "Confidential"; serious injury: "Secret"; exceptionally grave injury: "Top Secret").
2. private and other non-national interests. Such information is protected. It must be categorized and marked based on the degree of potential injury (low: "Protected A"; medium: "Protected B", high: "Protected C").

Availability, Integrity and Value

Departments must identify and categorize assets, especially critical services, based on the degree of injury (low, medium, high) that could reasonably be expected to result from compromise to their availability or integrity. They must consider the value (e.g., monetary, heritage) of assets in determining injury. In order to indicate the level of safeguarding, departments should consider marking for availability and integrity purposes.

Departments must conduct ongoing assessments of threats and risks to determine the necessity of safeguards beyond baseline levels. They must continuously monitor for any change in the threat environment and make any adjustment necessary to maintain an acceptable level of risk and a balance between operational needs and security.

Threat and risk assessments involve:

1. Establishing the scope of the assessment and identifying the employees and assets to be safeguarded (see sections 10.6 and 10.10).
2. Determining the threats to employees and assets in Canada and abroad, and assessing the likelihood and impact of threat occurrence.
3. Assessing the risk based on the adequacy of existing safeguards and vulnerabilities.
4. Implementing any supplementary safeguards that will reduce the risk to an acceptable level.

Departments must limit access to classified and protected information and other assets to those individuals who have a need to know the information and who have the appropriate security screening level. To the extent necessary, they must also limit access to other assets requiring additional safeguarding for availability, integrity or value purposes. This includes ensuring that no one individual can independently control all aspects of a process or a system.

The Government of Canada must ensure that individuals with access to government information and assets are reliable and trustworthy. For national security, it must also ensure the individual's loyalty to Canada in order to protect itself from foreign intelligence gathering and terrorism. Special care must be taken to ensure the continued reliability and loyalty of individuals, and prevent malicious activity and unauthorized disclosure of classified and protected information by a disaffected individual in a position of trust.

Departments must ensure that, prior to the commencement of duties, individuals who require:

1. Access to government assets (except for Governor in Council appointees) undergo a reliability check and are granted a reliability status.
2. Access to classified information and assets have a valid reliability status, undergo a security assessment and are granted a security clearance at the appropriate level. This includes foreign nationals visiting or working in a department. Certain limitations to a security clearance may be imposed as specified in the security screening standard.
3. Access to facilities that are critical to the national interest or to restricted areas for major events have a site access clearance. Departments must obtain Treasury Board of Canada Secretariat approval in order to have site access clearance programs.

Departments must also:

1. Obtain individuals' written consent before any check may be initiated.
2. Treat individuals in a fair and unbiased manner, and give them an opportunity to explain adverse information before a decision is reached.
3. Advise individuals of their rights of review or redress in case of denial, suspension or revocation.
4. Ensure managers remain vigilant, once a reliability status or security clearance is granted, and act on any new information that could put into question an individual's reliability or loyalty.
5. Update reliability status and security clearances regularly.
6. For cause, review, revoke, suspend or downgrade a reliability status or a security clearance.

A delegated manager may grant or deny a reliability status. The DSO may grant a security clearance on behalf of the deputy head. Only the deputy head can deny, revoke or suspend a security clearance. Deputy heads must consult the Privy Council Office (PCO) on any disagreement with the Security Intelligence Review Committee recommendation on security clearances. They must also consult with PCO on decisions to recommend to the Governor in Council the suspension or dismissal of any individual as the result of a denial, revocation or suspension of a security clearance.

Departments must obtain Treasury Board of Canada Secretariat approval of any security screening proposal involving cost recovery.

Departments are responsible under the Canada Labour Code, Part II, and under Treasury Board policy for the health and safety of employees at work. This responsibility extends to situations where employees are under threat of violence because of their duties or because of situations to which they are exposed. Such situations include, but are not limited to threat letters or calls, the receipt of potentially dangerous substances, stalking and assault.

Departments must have in place mechanisms to:

1. Identify, protect and support employees under threat of violence, based on a threat and risk assessment of specific situations. In certain cases, protection and support may have to be extended to family members and others.
2. Report incidents to management, human resources, security and police authorities, as may be the case.
3. Provide information, training, and counselling to employees.
4. Maintain thorough records and statements on reported incidents.

Physical security involves the proper layout and design of facilities and the use of measures to delay and prevent unauthorized access to government assets. It includes measures to detect attempted or actual unauthorized access, and activate an appropriate response. Physical security also provides measures to safeguard employees from violence.

Departments must ensure that security is fully integrated early in the process of planning, selecting, designing and modifying their facilities. They are required to:

1. Select, design and modify their facilities in order to facilitate the control of access.
2. Demarcate restricted access areas, and have the necessary entry barriers, security systems and equipment based on threat and risk assessments.
3. Include the necessary security specifications in planning, request for proposals and tender documentation.
4. Incorporate related costs in funding requirements.

Departments must also ensure the secure storage, transmittal and disposal of classified and protected information in all forms, in accordance with the requirements of the physical security standards. When warranted by a threat and risk assessment, they must also ensure the secure storage, transmittal and disposal of other assets.

Continuous review of physical security safeguards is essential to reflect changes in the threat environment and take advantage of new cost-effective technologies.

Information systems must be secured against rapidly evolving threats that have the potential to impact their confidentiality, integrity, availability, intended use and value. To defend against these threats, an IT security (ITS) strategy is required that accommodates changes in threat conditions, which may be sudden, and supports the continuous delivery of services. This dictates that departments apply baseline security controls, continuously monitor service delivery levels, track and analyse threats to departmental IT systems, and establish effective incident response and IT continuity mechanisms.

Departments must ensure that ITS is an integral part of each stage in the system development life cycle. Security requirements and related funding must be identified and included in planning, requests for proposals, and tender documents for IT projects.

By conforming to ITS operational and technical standards, departments will be better prepared to prevent, detect, react to and recover from incidents.

10.12.1 Prevention

To prevent the compromise of IT systems, departments must implement baseline security controls and any additional control identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined, documented and communicated to departmental program, legal, administrative, technical and general staff.

To ensure policy compliance, departments must:

1. Certify and accredit IT systems prior to operation and subject them, including associated security safeguards, to sound configuration management practices.
2. Conduct periodic security evaluations of systems, including assessments of configuration changes conducted on a routine basis.
3. Periodically seek review by third parties in order to get an independent assessment.

10.12.2 Detection

Since services may rapidly degrade due to computer incidents, ranging from a simple slowdown to a complete halt, departments must continuously monitor the operations of their systems to detect anomalies in service delivery levels.

10.12.3 Response

Departments must:

1. In the context of investigation of security incidents (section 10.15), establish mechanisms to respond effectively to IT incidents and exchange incident-related information with designated lead departments in a timely fashion.
2. Designate an IT security point of contact for communications with respect to government-wide incident response.
3. To prevent unintentional degradation of another department's security posture, conduct security activities, including incident response, in a manner that recognises that government is, in effect, a single interconnected entity.

10.12.4 Recovery

To ensure the ongoing availability of critical services, departments must develop IT continuity plans as part of their overall business continuity planning and recovery activities.

Departments must develop plans and procedures to move up to heightened security levels in case of emergency and increased threat. The Government of Canada may direct departments to implement heightened security levels.

Departments must co-ordinate these plans with other emergency prevention and response plans (e.g., fire, bomb threats, hazardous materials, power failures, evacuations, civil emergencies).

Critical services and associated assets must remain available in order to assure the health, safety, security and economic well-being of Canadians, and the effective functioning of government. Departments must establish a business continuity planning (BCP) program to provide for the continued availability of critical services and assets, and of other services and assets when warranted by a threat and risk assessment.

The program shall include the following elements:

1. Within the context of the departmental security program and organization (section 10.1), a governance structure establishing authorities and responsibilities for the program, and for the development and approval of business continuity plans.
2. Within the context of the identification of assets (section 10.6), an impact analysis to identify and prioritize the department's critical services and assets.
3. Plans, measures and arrangements to ensure the continued availability of critical services and assets, and of any other service or asset when warranted by a threat and risk assessment.
4. Activities to monitor the department's level of overall readiness.
5. Provision for the continuous review, testing and audit of business continuity plans.

Through effective reporting and investigation of security incidents, vulnerabilities can be determined and the risk of future occurrence reduced.

Departments must develop procedures for reporting and investigating security incidents and taking corrective action.

They must also report:

1. Incidents suspected of constituting criminal offences to the appropriate law enforcement authority.
2. Incidents involving the compromise of Cabinet confidences to the Privy Council Office.
3. Incidents involving threats to the national interests to the Canadian Security Intelligence Service.
4. Incidents and threats affecting the availability of critical assets and services to the Office of Critical Infrastructure Protection and Emergency Preparedness.
5. Incidents which can be considered as a "hazardous occurrence" or involve employee injury to the health and safety committee and to Health and Safety Officers appointed under the Canada Labour Code.
6. Incidents that have an impact on government operations or that could require revisions to operational standards or technical documentation, to the Treasury Board of Canada Secretariat.

Departments are required to apply sanctions in response to security incidents when in the opinion of the deputy head there has been misconduct or negligence.