1.1 This policy takes effect on July 1, 2009.
1.2 This version of the policy incorporates updates effective April 1, 2012.
2.1 This policy applies to:
3.1 Government security is the assurance that information, assets and services are protected against compromise and individuals are protected against workplace violence. The extent to which government can ensure its own security directly affects its ability to ensure the continued delivery of services that contribute to the health, safety, economic well-being and security of Canadians.
3.2 Security begins by establishing trust in interactions between government and Canadians and within government. When required in its interactions with the public, the government needs to determine the identity of individuals or institutions. Within government, there is a need to ensure that those having access to government information, assets and services are trustworthy, reliable and loyal. Consequently, a broad scope of government activities, ranging from safeguarding information and assets to delivering services, benefits and entitlements to responding to incidents and emergencies, relies upon this trust.
3.3 In a department, the management of security requires the continuous assessment of risks and the implementation, monitoring and maintenance of appropriate internal management controls involving prevention (mitigation), detection, response and recovery. The management of security intersects with other management functions including access to information, privacy, risk management, emergency and business continuity management, human resources, occupational health and safety, real property, materiel management, information management, information technology (IT) and finance. Security is achieved when it is supported by senior management—an integral component of strategic and operational planning—and embedded into departmental frameworks, culture, day-to-day operations and employee behaviours.
3.4 At a government-wide level, security threats, risks and incidents must be proactively managed to help protect the government's critical assets, information and services, as well as national security. Advice, guidance and services provided by lead security agencies support departments and government in maintaining acceptable levels of security while achieving strategic goals and service delivery imperatives.
3.5 The management of security is most effective when it is systematically woven into the business, programs and culture of a department and the public service as a whole.
3.6 Deputy heads are accountable for the effective implementation and governance of security and identity management within their departments and share responsibility for the security of government as a whole. This comprises the security of departmental personnel, including those working in or for offices of Ministers or Ministers of State, and departmental information, facilities and other assets.
3.7 Ministers of the Crown, Ministers, and Ministers of State are responsible for the security of their staff and offices as well as the security of sensitive information and assets in their custody, as directed by the prime minister.
3.8 This policy is issued under section 7 of the FAA.
3.9 Treasury Board has delegated to the President of the Treasury Board the authority to amend directives that support the policy in the following subject areas:
and to issue and amend standards that support the policy in the following subject areas:
3.10 This policy is to be read in conjunction with the Foundation Framework for Treasury Board Policies, the Directive on Departmental Security Management and the Directive on Identity Management.
4.1 For definitions of terms used in this policy, refer to Appendix A—Definitions.
5.1 The objectives of this policy are to ensure that deputy heads effectively manage security activities within departments and contribute to effective government-wide security management.
5.2 The expected results of this policy are:
6.1 Deputy heads of all departments are responsible for:
6.1.1 Establishing a security program for the coordination and management of departmental security activities that:
6.1.2 Appointing a departmental security officer (DSO) functionally responsible to the deputy head or to the departmental executive committee to manage the departmental security program (Note: The deputy head of a small department or agency (SDA) can assume the role of DSO);
6.1.3 Establishing a formal arrangement with the service provider when the role of the DSO is fulfilled by a third party (e.g., shared or clustered service provider or a portfolio department);
6.1.4 Approving the departmental security plan that details decisions for managing security risks and outlines strategies, goals, objectives, priorities and timelines for improving departmental security and supporting its implementation;
6.1.5 Ensuring that managers at all levels integrate security and identity management requirements into plans, programs, activities and services;
6.1.6 Ensuring that all individuals who will have access to government information and assets, including those who work in or for offices of Ministers and Ministers of State, are security screened at the appropriate level before the commencement of their duties and are treated in a fair and unbiased manner;
6.1.7 Ensuring that their authority to deny, revoke or suspend security clearances is not delegated;
6.1.8 Ensuring that when significant issues arise regarding policy compliance, allegations of misconduct, suspected criminal activity, security incidents, or workplace violence, they are investigated, acted on and reported to the appropriate law enforcement authority, national security agency or lead security agency.
6.2 Deputy heads of lead security agencies are responsible for:
6.2.1 Providing departments with advice, guidance and services related to government security, consistent with their mandated responsibilities;
6.2.2 Appointing an executive or executives to coordinate and oversee the provision of support services to departments and to represent the deputy head to TBS in this regard; and
6.2.3 Ensuring that the security support services provided help government departments achieve and maintain an acceptable state of security and readiness and that those services remain aligned with government-wide policies, priorities and plans related to government security.
6.3 Monitoring and reporting requirements
Within departments
By departments
Lead security agencies
Government-wide
7.1 The deputy head is responsible for ensuring appropriate remedial actions are taken to address issues regarding policy compliance, allegations of misconduct, suspected criminal activity or security incidents, including denying, revoking or suspending security clearances and reliability status, as appropriate.
7.2 If the Secretary of the Treasury Board determines that a department may not have complied with any requirement of this policy or its supporting directives or standards, the Secretary of the Treasury Board may request that the deputy head:
7.2.1 Conduct an audit or a review, the cost of which will be paid from the department's reference level, to assess whether requirements of this policy or its supporting directives have been met; and/or
7.2.2 Take corrective actions and report back on the outcome.
7.2.3 Consequences of non-compliance with this policy and its supporting directives and standards or failure to take corrective actions requested by the Secretary of the Treasury Board may include recommending to Treasury Board that measures deemed appropriate in the circumstances be imposed.
Legislation relevant to this policy includes the following:
Treasury Board policies, directives and standards relevant to this policy include the following:
Please direct enquiries about this policy to your DSO. For interpretation of this policy, the DSO should contact:
Security and Identity Management Division
Chief Information Officer Branch
Treasury Board Secretariat
Ottawa ON K1A 0R5
Email: SIDM-SGID@tbs-sct.gc.ca
Telephone: (613) 946-5046
Fax: (613) 952-7232
Teletype: (613) 957-9090 (TBS)
Lead security agencies provide advice, guidance and services to support the day-to-day security operations of departments and enable government as a whole to effectively manage security activities, coordinate response to security incidents, and achieve and maintain an acceptable state of security and readiness. This appendix describes their responsibilities as they relate to their areas of expertise.
Treasury Board Secretariat (TBS) establishes and oversees a whole-of-government approach to security and identity management as a key component of all management activities and monitors the adequacy of services to support these activities and practices across government. TBS is responsible for:
Privy Council Office (PCO) advises and supports the prime minister and Cabinet on national security matters and coordinates the related activities of departments and agencies. PCO is responsible for:
Public Safety Canada (PS) coordinates activities related to emergencies (which include IT incidents) affecting the GC and provides leadership in the area of emergency management, which includes continuity of operations and IT incident management. PS is responsible for:
Communications Security Establishment Canada (CSEC) provides leadership and coordination for departmental activities that help ensure the protection of electronic information and information systems of importance and serves as the government's national authority for SIGINT and COMSEC. CSEC is responsible for:
Public Works and Government Services Canada (PWGSC) provides leadership and coordination of activities to help ensure the application of security safeguards through all phases of the contracting process within the scope of the industrial security program (ISP). It also provides services related to physical security respecting the PWGSC Real Property Program and common services related to IT security for increased efficiency and economy of the GC. PWGSC is responsible for:
Canadian Security Intelligence Service (CSIS) collects, investigates, analyzes and retains information and intelligence that may be suspected of constituting threats to the security of Canada and provides security assessments to departments within its statutory mandate. CSIS is responsible for:
Royal Canadian Mounted Police (RCMP) provides leadership and coordination for departmental activities that help ensure the physical protection of government information, assets, facilities and people and provides services related to crime prevention, personnel screening, policing, law enforcement and investigations. RCMP is responsible for:
Library and Archives of Canada (LAC) provides leadership and coordinates among government departments to help ensure the preservation of government information and records. LAC is responsible for:
Department of Foreign Affairs and International Trade (DFAIT) is the lead department for conducting foreign relations and the NATO National Security Authority for Canada. DFAIT is responsible for:
Department of National Defence (DND) / Canadian Forces (CF)
DND / CF are responsible for:
Canada School of Public Service (CSPS)
CSPS is responsible for: