Chief security officer
The chief security officer (CSO) designated by the deputy head in compliance with the Policy on Government Security is responsible for managing the departmental security function and the following:
Supporting the deputy head’s accountabilities under the Policy on Government Security;
Leading the departmental security function, including:
  Responsibilities for defining, documenting, implementing, assessing, monitoring and maintaining security requirements, practices and controls; and
  Authorities for related security risk management decisions;
Overseeing the development, implementation and maintenance of the department’s security plan, in collaboration with other senior officials and other stakeholders, which:
  Provides an integrated view of departmental security threats, risks and requirements; and
  Includes strategies, priorities, responsibilities and timelines for maintaining, strengthening, monitoring and continuously improving the security practices and security controls described in appendices A to H;
Overseeing the establishment of department-wide processes to assess and document actions taken regarding residual security risks for the department’s programs and services and their supporting resources;
Reporting at least annually to the deputy head on progress in achieving the priorities defined in the department’s security plan and, as required, recommending changes to departmental security practices, security controls and priorities;
Overseeing the establishment of department-wide processes to monitor and ensure a coordinated response to, and reporting of, department-specific threats, vulnerabilities, security incidents and other security events, including identification of actions to address any deficiencies;
Ensuring that any significant issues regarding policy compliance, suspected criminal activity, national security concerns or other security issues are assessed, investigated, documented, acted on and reported to the deputy head and, as required, to the appropriate law enforcement authority and/or security and intelligence agency (see Appendix I: Standard on Security Event Reporting), and to affected stakeholders, and as required, cooperating in any resulting criminal or other investigation(s);
Collaborating with other senior officials and other stakeholders to respond to direction, advice and information requests issued by the Privy Council Office, the Treasury Board of Canada Secretariat as the employer (for example, the Office of the Chief Human Resources Officer), and the Government Operations Centre regarding security events that require an immediate or coordinated government-wide action; and
Verifying that written agreements are in place when the organization provides or receives security services from another department or organization pursuant to subsections 6.2 and 6.3.

Senior officials in the department’s security governance
Senior officials are individuals designated by the deputy head in the departmental security governance as having responsibility for aspects of security, and are responsible for the following:
Participating in and reporting to the department’s security governance, in accordance with their assigned security responsibilities;
Assigning security responsibilities for programs, services and activities in their area of responsibility, as an integral element of the department’s security governance;
Providing advice to the deputy head, the CSO and other stakeholders on departmental security matters in their area of responsibility;
When the department relies on or supports another organization to fulfill a security function or to support the delivery of programs, services or activities within their area of responsibility:
  Establishing, or recommending the establishment of, a written agreement that defines applicable security requirements and respective security responsibilities;
  Verifying that these requirements and responsibilities are met; and
  Monitoring continued compliance (see subsections 6.2 and 6.3);
Identifying security requirements and related resource needs for programs, services and activities within their area of responsibility, while considering other stakeholders and acting in accordance with the department’s security governance;
Ensuring that security practices and security controls (see appendices A to H) are defined, documented, implemented, monitored and maintained to meet identified security requirements for programs, services and activities within their area of responsibility, in accordance with the departmental security plan and in collaboration with other senior officials, security functional specialists, partners and other stakeholders;
Documenting or recommending actions to be taken regarding residual security risks for programs, services and activities within their area of responsibility, and their supporting resources, in accordance with their assigned authority and department-wide processes and in consultation with the CSO;
Establishing processes to monitor, respond to and report threats, vulnerabilities, security incidents and other security events within their area of responsibility, as an integral element of department-wide processes;
Addressing security events that could impact programs, services and activities within their area of responsibility or that require an immediate or coordinated government-wide action, in collaboration with the CSO, partners and other stakeholders; and
Monitoring and reporting on the effectiveness of security practices and controls within their area of responsibility, and sharing the results with the CSO.

Security functional specialists and other designated individuals
Security functional specialists and other individuals are responsible for coordinating, managing and providing advice and services related to the departmental security controls and program. Other designated individuals in the department’s security governance who provide input into the departmental security program are responsible for the following:
Defining, documenting, implementing, assessing, monitoring and maintaining departmental security requirements, practices and security controls (see appendices A to H and Appendix J);
Providing advice to the CSO and other stakeholders, as appropriate, on departmental security matters within their area of responsibility; and
Monitoring and reporting on the effectiveness of security practices and security controls within their area of responsibility, and sharing the results with the CSO, to:
  Assess the extent to which departmental security requirements are met; and
  Identify necessary actions to address any deficiencies.

Supervisors
Supervisors are responsible for the following:
Integrating security and related resource considerations into planning and other administrative activities;
Ensuring that individuals are informed of their security responsibilities and that employees are provided with security awareness and training to maintain the required knowledge and skills to meet their responsibilities;
Verifying that employees apply and adhere to departmental security practices and are taking or recommending corrective actions to address any deficiencies;
Informing the CSO of any issues regarding policy compliance, suspected or alleged criminal activity, national security concerns, security incidents or other security events within their area of responsibility; and
Cooperating with the CSO and other stakeholders in the investigation of security incidents and other security events and in identifying and implementing corrective actions.

Employees
Employees are responsible for the following:
Adhering to government security policy and departmental security practices, including safeguarding information and assets under their control, whether working on-site or off-site;
Participating in security awareness and training activities to maintain awareness of security concerns and issues and understanding of security responsibilities; and
Maintaining vigilance and reporting changes in circumstances, potential security deficiencies, security incidents, suspected criminal activity, national security concerns and other security issues through appropriate departmental channels.

Individuals designated by deputy heads of internal enterprise service organizations to oversee their internal enterprise service activities
Individuals designated by deputy heads of internal enterprise service organizations to oversee their internal enterprise service activities (an internal enterprise service is a service provided by one Government of Canada department to another) under the Policy on Government Security are responsible for the following:
Leading the establishment of security governance for internal enterprise services that:
  Includes responsibilities and authorities for identifying and meeting security requirements throughout the planning, design, delivery, operations and maintenance of services provided to departments; and
  Is an integral element of the department’s security and corporate governance;
Liaising with client departments when identifying security requirements for internal enterprise services, and with the Treasury Board of Canada Secretariat, for services intended to be offered government-wide;
Communicating to client departments the security practices and controls that have been implemented to meet defined security requirements, the security conditions that need to be in place in the client environment, and any remaining residual risks and recommended mitigation measures;
Establishing processes for monitoring services provided to departments to ensure that issues regarding fulfillment of security requirements are examined and acted on, in coordination with affected stakeholders, and that issues that have potential government-wide impacts are documented and reported to the Treasury Board of Canada Secretariat; and
Responding and taking necessary actions regarding security events that could impact the security of the services provided to departments, in collaboration with the CSO, clients and other stakeholders.