Directive on Security Management

Aims to achieve efficient, effective and accountable management of security within departments and agencies.
Date modified: 2019-07-01

The Directive on Security Management and its Mandatory Procedures took effect on July 1, 2019. It replaced the Directive on Departmental Security Management, as well as the Operational Security Standard - Business Continuity Planning (BCP) Program, the Operational Security Standard on Physical Security, the Operational Security Standard - Readiness Levels for Federal Government Facilities, and the Operational Security Standard: Management of Information Technology Security (MITS).

Appendix E: Mandatory Procedures for Information Management Security Control

E.1 Effective date

  • E.1.1 These procedures take effect on July 1, 2019.

E.2 Procedures

  • E.2.1 These procedures provide details on the requirements to support the deputy head accountability.
  • E.2.2 Procedures are as follows:
    • E.2.2.1 Information management requirements and practices: Define, document and maintain departmental information management security requirements and practices.
      • E.2.2.1.1 For all governmental information resources and intellectual property, including transitory records; information received from Canadian citizens, private sector organizations, other orders of government, international organizations or other partners; information that constitutes controlled goods; COMSEC material; and other information that supports government programs, services and activities:
        1. Assign a security category to departmental information resources commensurate with the degree of injury that could reasonably be expected as a result of its compromise, and group, where appropriate, information resources of equivalent sensitivity (see Appendix J: Standard on Security Categorization);
        2. Identify and assess threats to which departmental information resources are exposed; and
        3. Define and document requirements for ensuring the protection of information resources under the custody or control of the department throughout their life cycle, commensurate with potential impacts of a compromise and identified threats, and in accordance with applicable legislation, policies, contracts, agreements and memoranda of understanding;
        4. Define and document departmental security practices for implementing and maintaining information management security controls, in accordance with departmental security requirements.
    • E.2.2.2 Information management security controls: Define, document, implement and maintain security controls to meet departmental information management security requirements, in accordance with departmental practices.
      • E.2.2.2.1 Security marking: Apply security markings to alert users of the level of protection that should be applied to the information:
        1. Apply security markings at the time that information is created or collected, based on the assigned security category and any applicable caveats; and
        2. Apply security markings to information in physical and electronic form and, where required, to electronic media and storage devices that contain sensitive information.
      • E.2.2.2.2 Downgrading and upgrading: Ensure that the time frame for protection of information is kept as short as possible and that the security category continues to reflect the potential impacts of a compromise:
        1. Where appropriate and in accordance with privacy requirements and other legal or policy obligations, downgrade the security category assigned to information resources when the expected injury is reduced;
        2. Consult the relevant authority before downgrading any information that originates from another organization;
        3. When downgrading information received from other orders of government, private sector organizations or international organizations, abide by agreements or memoranda of understanding with these governments or organizations; and
        4. Where appropriate, upgrade the security category assigned to information resources when the expected injury is increased.
      • E.2.2.2.3 Additional controls: Implement additional controls, as required, to meet departmental security requirements.
    • E.2.2.3 Security in the information management life cycle: Integrate security considerations into information management processes throughout all stages of the information life cycle, including planning, creation, receipt, organization, use, dissemination, maintenance, transfer and disposition.
    • E.2.2.4 Monitoring and corrective actions: Monitor information management security practices and controls to ensure consistent application, and implement changes, as required, to ensure that these practices and controls continue to meet the needs of the department.