This appendix describes the security controls that are mentioned in subsection 4.1.5 of this policy.
Security screening is conducted in a way that is effective, rigorous, consistent and fair to provide reasonable assurance that individuals can be trusted to safeguard government information and assets and can reliably conduct their work duties, and to enable transferability of security screening between departments.Information technology security requirements, practices and controls are defined, documented, implemented, assessed, monitored and maintained throughout all stages of an information system’s life cycle to provide reasonable assurance that information systems can be trusted to adequately protect information, are used in an acceptable manner, and support government programs, services and activities. Physical security requirements, practices and controls are defined, documented, implemented, assessed, monitored and maintained throughout all stages of the real property and materiel management life cycles to provide reasonable assurance that individuals, information and assets are adequately protected, thereby supporting the delivery of government programs, services and activities.Business continuity management is conducted systematically and comprehensively to provide reasonable assurance that in the event of a disruption, the department can maintain an acceptable level of delivery of critical services and activities, and can achieve the timely recovery of other services and activities. Information management security requirements, practices and controls are defined, documented, implemented, assessed, monitored and maintained throughout all stages of the information life cycle to provide reasonable assurance that information is adequately protected in a manner that respects legal and other obligations and balances the risk of injury and threats with the cost of applying safeguards.Security requirements associated with contracts and other arrangements are identified and documented, and related security controls are implemented and monitored throughout all stages of the contracting or arrangement process to provide reasonable assurance that information, individuals, assets and services associated with the contract or arrangement are adequately protected.Security event management practices are defined, documented, implemented and maintained to monitor, respond to and report on threats, vulnerabilities, security incidents and other security events, and ensure that such activities are effectively coordinated within the department, with partners and government-wide, to manage potential impacts, support decision-making and enable the application of corrective actions.Security awareness and training is conducted systematically and comprehensively to ensure that individuals are informed of their security responsibilities and maintain the necessary knowledge and skills to effectively carry out their functions, and to provide reasonable assurance that individuals will not knowingly compromise security and that they understand the potential consequences of not meeting their security responsibilities.