Direction on Enabling Access to Web Services: Policy Implementation Notice

1. Purpose

2. Scope

  • 2.1

    This PIN applies to Government of Canada (GC) electronic networks for unclassified information only. Internet-based tools and services are not to be used for communicating or storing sensitive information unless approved by the institution’s security and technical authorities.

3. Effective date

  • 3.1

    This PIN is effective as of .

4. Application

  • 4.1

    This PIN applies to all departments that are subject to the Policy on Acceptable Network and Device Use.

    Departments, agencies and organizations in the Government of Canada not subject to the Policy on Acceptable Network and Device Use are encouraged to abide by this PIN to the extent possible.

    The heads of the following organizations are solely responsible for monitoring and ensuring compliance with this PIN within their organizations:

    • Office of the Auditor General
    • Office of the Chief Electoral Officer
    • Office of the Commissioner of Lobbying of Canada
    • Office of the Commissioner of Official Languages
    • Office of the Public Sector Integrity Commissioner of Canada
    • Offices of the Information and Privacy Commissioners of Canada

5. Context

  • 5.1

    The GC recognizes that open access to modern tools is essential to transforming how public servants work and serve Canadians. Open access to the Internet, including access to GC and external tools and services:

    • enhances communication and digital collaboration
    • encourages sharing of knowledge and expertise to support innovation

    When equipped with the right tools, public servants can work more effectively. The GC must adapt to meet the demands and expectations of its clients, stakeholders, partners and employees.

  • 5.2

    The GC must also apply adequate security controls to protect users, information and assets. When access to collaboration tools and sites is restricted, instead of increasing protection, the opposite occurs. Users will find a way around the blocks if it makes their life easier. From the standpoint of IT security, connections to external tools and services are not substantially different from other connections to the Internet. Security is more than just locking things down; user experience must also be considered.

  • 5.3

    Adopting a balanced approach that considers user needs, supported by a pragmatic security program, will result in a more secure environment. Instead of banning access to certain tools and sites, making access open by default and encouraging the secure use of these tools and services will result in risks being better controlled. Consideration of the departmental risk profile and the department’s culture, mission and business objectives, and the threats that pertain to the departmental business activities, will also help determine the proportionate security measures needed to ensure the adequate protection of GC information.

6. Direction

  • 6.1

    Departments are to enable open access to the Internet for GC electronic networks and devices, including GC and external Web 2.0 tools and services, to authorized individuals, as per Section 6.1.3 of the Policy on Acceptable Network and Device Use (PANDU).

  • 6.2

    To ensure a consistent user experience government-wide while taking into consideration the departmental risk profile, departments are to reconfigure their web filtering rules to be open by default to the Internet, except for websites that support non-acceptable activities or behaviours which, as per Appendix C of PANDU:

    • are criminal or otherwise unacceptable
    • violate Treasury Board or other organizational policies, codes of conduct and other published requirements
    • impact negatively the performance of GC electronic networks and devices
    • impede organizational operations or the delivery of services
    • breach the “duty of loyalty” requirement for public servants
  • 6.3

    Departments are expected to apply web filtering rules in accordance with Appendix A of this PIN, which provides the baseline set of website categories that are to be blocked in order to comply with legal and policy requirements. All other categories, including social media and web-based collaboration or chat tools, are to be open by default. When departments limit access outside these categories, they are expected to take a risk-based approach and document a rationale for limiting such access, approved by the departmental Chief Information Officer.

  • 6.4

    Departments are responsible for ensuring continued compliance with the Policy on Government Security and Appendix E (Departmental Considerations for Security) of PANDU and are encouraged to analyze departmental security needs and implement additional security considerations (outlined in Appendix B of this PIN) to mitigate risk to an acceptable level, according to the departmental risk profile.

  • 6.5

    SSC is responsible for managing web filtering tools for departments that receive their network services from SSC, as per Section 6.2 of PANDU. However, as legacy web filtering solutions were inherited from partner organizations, SSC’s ability to monitor and report is not consistent for each SSC customer. SSC is investing in an enterprise web filtering capability which will provide a better ability to monitor and report as networks evolve from the legacy infrastructure to the SSC enterprise service. SSC customers requiring information on the reporting capabilities of their web filtering service are to contact SSC.

7. Enquiries

  • 7.1

    For interpretation of any aspect of this PIN, contact Treasury Board of Canada Secretariat Public Enquiries.

  • 7.2

    Individuals at departments should contact their departmental information technology group for any questions regarding this PIN.

  • 7.3

    Individuals from a departmental information technology group may contact their SSCService Delivery Management Executives for information related to their web filtering service.

  • 7.4

    Individuals from a departmental information technology group may contact the TBS Cyber Security (ZZTBSCYBERS@tbs-sct.gc.ca) mailbox for interpretations of this PIN.

8. References

8.1 Related policy instruments

8.2 Additional Government of Canada references

9. Definitions

acceptable use

Permitted use of GC electronic networks and devices by authorized individuals:

  • to perform activities as a part of their official duties
  • for career development and other professional activities
  • for limited personal use that is conducted on personal time (that is, use that is not for financial gain, does not incur additional costs to the department, and does not interfere with the conduct of government business)

All use of GC electronic networks and devices must be in compliance with:

Use of GC electronic networks and devices must not:

  • give rise to a real, potential or apparent conflict of interest
  • undermine the integrity of the department in any way

See Appendix B of PANDU.

access

Gaining entry to an electronic network that the federal government has provided to GC-authorized individuals. Access to such electronic networks may be from inside or outside government premises. Access may support:

  • telework and remote access situations
  • situations where authorized individuals are using electronic networks provided by the federal government on their own time for limited personal use

(Source: PANDU)

authorized individuals
Individuals working with or for the GC, including employees of the federal government, casual workers, contractors, students and other people who have been authorized by the deputy head to access GC electronic networks and devices. (Source: PANDU)
defence in depth
The concept of protecting a computer network with a series, or layer, of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.
electronic network

Groups of computers and computer systems that can communicate with each other, including and without limitation:

  • the Internet
  • GC electronic data networks
  • voice and video network infrastructure
  • public and private networks that are external to a department

An electronic network includes wired and wireless components. (Source: PANDU)

external networks
Networks reached from the GC network and to which authorized individuals are granted access. External networks include permissible sites across the public Internet and via the World Wide Web, including services provided by parties, such as collaborative software. (Source: PANDU)
Internet
A global system of interconnected computer networks that uses the standard Internet protocol suite (TCP or IPFootnote 2) to serve users worldwide. (Source: PANDU)
monitoring practices

Use of a software system that:

  • monitors an electronic network for slow or failing components
  • notifies the network administrator in cases of outages
  • can monitor the network activity of specific individuals for which there is suspicion of unacceptable network usage

Recording and analysis of the use of electronic networks are used for operational purposes and for assessing compliance with government policy. (Source: PANDU)

open access
The provision of Internet access, in accordance with the Policy on Government Security, to authorized individuals via GC electronic networks and devices that, from the perspective of firewall settings, is substantively equivalent, irrespective of department or access medium. Internet sites that enhance productivity, communication and collaboration are not blocked, with the exception of those that present a legitimate IT security threat and where content substantively falls into the category of unacceptable use. (Source: PANDU)
professional use

Refers to the use of a personal social media account for purposes related to professional activities, such as:

  • communicating with professional associations
  • professional networking (for example, participating in an online conference)
  • gathering and sharing knowledge (for example, using Twitter to stay up to date on trends, or visiting government Facebook pages)
  • career development (for example, maintaining a LinkedIn profile)

(Source: Guideline on Acceptable Network and Device Use)

sensitive information or asset

Information or asset that if compromised would reasonably be expected to cause an injury. Sensitive information includes:

  • all information that falls within the exemption or exclusion criteria under the Access to Information Act and the Privacy Act
  • controlled goods and other information and assets that have regulatory or statutory prohibitions and controls

(Source: Policy on Government Security)

unacceptable use

Any activity that violates Treasury Board or departmental policy instruments or other published requirements, including but not limited to activity or behaviour that:

  • may give rise to criminal offences
  • violates federal and provincial statutes
  • impacts negatively on the performance of GC electronic networks and devices
  • impedes departmental operations or the delivery of services
  • breaches the “duty of loyalty” requirement for public servants
  • could be deemed to reasonably result in civil lawsuits

Also see Appendix C of PANDU.

Web 2.0 (external tools and services)

Includes Internet-based tools and services that allow for participatory:

  • multi-way information-sharing
  • dialogue
  • syndication
  • user-generated content

Web 2.0 can include social media, collaborative technologies and cloud-based tools and services. (Source: PANDU)

Appendix A: baseline configuration for web filtering

Table 1. Categories to be blocked

The following table outlines the categories to be configured for blocking, as per Appendix C of PANDU. When departments limit access outside these categories, they are expected to take a risk-based approach and document a rationale for limiting such access, approved by the departmental Chief Information Officer. There may be exceptions when justified by a risk assessment and based on job function (e.g. investigations that require access to a blocked site).

CategoryRationale
Anonymizer proxies (untraceable Internet traffic)Violation of organizational or Treasury Board policies and publications
Child abuseCriminal offence
Criminal activityCriminal offence
GamesViolation of organizational or Treasury Board policies and publications
HackingCriminal offence
HarassmentViolation of organizational or Treasury Board policies and publications
Hate propagandaCriminal offence
Illegal gamblingCriminal offence
Malicious Websites Violation of organizational or Treasury Board policies and publications
ObscenityCriminal offence
Peer-to-peer File Sharing (e.g. piratebay.se, utorrent.com) Impact negatively the performance of GC electronic networks and devices and/or potential criminal offence
Phishing and fraudCriminal offence
Piracy Violation of organizational or Treasury Board policies and publications
PornographyViolation of organizational or Treasury Board policies and publications
Sexually explicit Violation of organizational or Treasury Board policies and publications
Spam URLsImpact negatively the performance of GC electronic networks and devices
SpywareCriminal offence
Terrorist, militant or extremist activitiesCriminal offence
ViolenceCriminal offence

Appendix B: security considerations

Departments should apply a defence-in-depth approach, implementing measures in accordance with the threat, to manage security risks to GC electronic networks, devices and information, while balancing user needs. The following actions are recommended when enabling access to the Internet and web services:

For managers

  • Ensure that staff:
    • understand their obligation to safeguard information and assets
    • never use external Web 2.0 tools and services for communicating or storing sensitive information unless the service is approved by the institution’s security and technical authorities
  • Update guidance on information management to:
    • include best practices and describe how they apply to the use of public websites, tools and services, in accordance with Policy on Information Management
    • indicate that when information of business value is transmitted or created via GC and external Web 2.0 tools and services, the information:
      • must be capable of being extracted and documented in another format (for example, an email message or a Word document)
      • must be stored and retained in an official corporate repository
      • is subject to Access to Information and Privacy (ATIP)
  • Encourage staff to:
    • use versions of tools that have features that provide:
      • increased security assurances (for example, two-factor authentication)
      • information management controls (for example, export functionality, retention policies)
    • review terms of services to understand how their data will be used and how it will be accessed
    • use a GC email address when accessing tools solely for professional use, as doing so will help information management practices be applied
  • Remind staff:
    • to not reuse the same passwords that are used for their internal corporate credentials
    • to use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect information from unauthorized access

For IT personnel

  • Implement modern operating systems and web browsers that are:
    • maintained with up-to-date software
    • configured with appropriate host-based protections
  • Filter traffic at the host or network level to mitigate threats from malicious websites and related attacks, and provide a clear rationale when blocking categories that are not included in Appendix C of PANDU
  • Leverage the defensive services of Shared Services Canada and the Communications Security Establishment (CSE) by using managed Internet gateways in accordance with CSE’s Top 10 IT Security Actions
  • Monitor and review reports from web filtering services for unusual or suspicious activity
  • Apply additional safeguards such as tools to prevent the loss of data, when justified by a risk assessment, taking into consideration cost and complexity

Appendix E of PANDU includes a non-exhaustive list of measures that can be applied to further mitigate potential threats. The Guideline on Acceptable and Network Device Use provides additional guidance to departmental managers and functional specialists responsible for implementing PANDU.