Archived [2009-07-06] - Government Security Policy
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.
1. Effective date
February 1, 2002
2. Preamble
The Government of Canada depends on its personnel and assets to deliver services that ensure the health, safety, security and economic well-being of Canadians. It must manage these resources with due diligence and take appropriate measures to safeguard them from injury.
Threats that can cause injury to government personnel and assets, in Canada and abroad, include violence toward employees, unauthorized access, theft, fraud, vandalism, fire, natural disasters, technical failures and accidental damage. The threat of cyber attack and malicious activity through the Internet is prevalent and can cause severe injury to electronic services and critical infrastructures. Threats to the national interest, such as transnational criminal activity, foreign intelligence activities and terrorism, continue to evolve as the result of changes in the international environment.
The Government Security Policy prescribes the application of safeguards to reduce the risk of injury. It is designed to protect employees, preserve the confidentiality, integrity, availability and value of assets, and assure the continued delivery of services. Since the Government of Canada relies extensively on information technology (IT) to provide its services, this policy emphasises the need for departments to monitor their electronic operations.
This policy complements other Treasury Board policies for the management of human resources (e.g., harassment, occupational safety and health), official languages, information, materiel, real property and financial resources.
3. Policy objective
To support the national interest and the Government of Canada's business objectives by safeguarding employees and assets and assuring the continued delivery of services.
4. Policy statement
Employees under threat of violence must be safeguarded according to baseline security requirements and continuous security risk management.
Assets must be safeguarded according to baseline security requirements and continuous security risk management.
Continued delivery of services must be assured through baseline security requirements, including business continuity planning, and continuous security risk management.
5. Application
This policy applies to all departments listed in Schedule I, Schedule I.1 and Schedule II of the Financial Administration Act (FAA).
It also applies to:
- Any commission under the Inquiries Act that is designated by order of the Governor in Council as a department for the purposes of the FAA.
- The Canadian Forces with the proviso that any reference in this policy to employees does not include members of the Canadian Forces.
Certain agencies and crown corporations can enter into agreements with the Treasury Board of Canada Secretariat to adopt the requirements of this policy and apply them to their organization.
6. Accountability
Deputy heads are accountable for safeguarding employees and assets under their area of responsibility and for implementing this policy. In the context of the Department of National Defence, Deputy heads include the Deputy Minister of National Defence and the Chief of the Defence Staff for the Canadian Forces, as appropriate.
7. Management framework and responsibilities
Refer to Appendix A.
8. Definitions
Refer to Appendix B.
9. Supporting documentation
This policy is supplemented by:
- Operational security standards approved by the Secretary of the Treasury Board. They contain mandatory and recommended measures to direct and guide the implementation of the policy.
- Technical documentation, directed and co-ordinated by the Treasury Board of Canada Secretariat, to complement the operational standards. This documentation includes technical security standards, specifications, best practices and guidelines developed and issued by lead security departments.
10. Requirements
Departments must comply with the baseline requirements of this policy and its associated operational standards and technical documentation. These requirements are based on integrated assessments of threats and risks to the national interest and to government employees and assets. Departments must conduct their own threat and risk assessments to determine the necessity of safeguards above baseline levels.
The requirements of this policy complement other government measures on the management of emergency situations (e.g., fire, bomb threats, hazardous materials, power failures, evacuations, civil emergencies).
The Government of Canada may direct departments to implement heightened security levels in emergency or increased threat situations.
10.1 Security program
Departments must appoint a Departmental Security Officer (DSO) to establish and direct a security program that ensures co-ordination of all policy functions and implementation of policy requirements. These functions include general administration (departmental procedures, training and awareness, identification of assets, security risk management, sharing of information and assets), access limitations, security screening, physical security, protection of employees, information technology security, security in emergency and increased threat situations, business continuity planning, security in contracting and security incident investigations.
Given the importance of this role, consideration should be given to appointing a Departmental Security Officer with sufficient security experience who is strategically positioned within the organization so as to provide department-wide strategic advice and guidance to senior management.
10.2 Sharing of information and other assets
Departments must implement this policy when sharing Government of Canada information and other assets with other governments (including foreign, provincial, territorial, and municipal), international, educational and private sector organizations. In these cases, departments must develop arrangements that outline security responsibilities, safeguards to be applied, and terms and conditions for continued participation.
Departments must treat information and other assets received from other governments (including foreign, provincial, territorial, and municipal), international (e.g., NATO), educational and private sector organizations, in accordance with agreements or arrangements between the parties concerned.
Departments that share in the common Information Management and Information Technology infrastructure for on-line service delivery and other purposes must conform to all security standards established for that infrastructure.
10.3 Security outside of Canada
Some requirements of this policy may be difficult to apply in certain foreign environments. In such situations, special standards may be developed in consultation with the Department of Foreign Affairs and International Trade.
Restrictions may be placed on personal activities at locations where the environment is particularly dangerous. All employees, unless on diplomatic posting and covered by the Vienna Conventions, are automatically subject to local laws and regulations. For travel information and specific security arrangements and limitations, employees must contact the Department of Foreign Affairs and International Trade or the nearest Canadian embassy. Diplomats must be aware that serious breaches of local laws abroad can, under Canadian law, be prosecuted in Canada.
10.4 Contracting
This policy applies equally to the contracting process as it does to internal government operations. The contracting authority, whether it is Public Works and Government Services Canada or another department, must comply with the requirements of this policy and the security in contracting standards and technical documentation.
The contracting authority must:
- Ensure security screening of private sector organizations and individuals who have access to protected and classified information and assets, as specified in the standards.
- Ensure safeguarding of government assets, including IT systems.
- Specify the necessary security requirements in terms and conditions in any contractual documentation.
10.5 Security training, awareness and briefings
Departments must:
- Ensure that individuals who have specific security duties receive appropriate, up to date training.
- Have a security awareness program to inform and regularly remind individuals of security responsibilities, issues and concerns.
- Brief individuals on the access privileges and prohibitions attached to their screening level prior to commencement of duties, or when required in the update cycle.
10.6 Identification of assets
Confidentiality
Departments must identify information and other assets when their unauthorized disclosure, with reference to specific provisions of the Access to Information Act and the Privacy Act, could reasonably be expected to cause injury to:
- the national interest. Such information is classified. It must be categorized and marked based on the degree of potential injury (injury: "Confidential"; serious injury: "Secret"; exceptionally grave injury: "Top Secret").
- private and other non-national interests. Such information is protected. It must be categorized and marked based on the degree of potential injury (low: "Protected A"; medium: "Protected B"; high: "Protected C").
Availability, Integrity and Value
Departments must identify and categorize assets, especially critical services, based on the degree of injury (low, medium, high) that could reasonably be expected to result from compromise to their availability or integrity. They must consider the value (e.g., monetary, heritage) of assets in determining injury. In order to indicate the level of safeguarding, departments should consider marking for availability and integrity purposes.
10.7 Security risk management
Departments must conduct ongoing assessments of threats and risks to determine the necessity of safeguards beyond baseline levels. They must continuously monitor for any change in the threat environment and make any adjustment necessary to maintain an acceptable level of risk and a balance between operational needs and security.
Threat and risk assessments involve:
- Establishing the scope of the assessment and identifying the employees and assets to be safeguarded (see sections 10.6 and 10.10).
- Determining the threats to employees and assets in Canada and abroad, and assessing the likelihood and impact of threat occurrence.
- Assessing the risk based on the adequacy of existing safeguards and vulnerabilities.
- Implementing any supplementary safeguards that will reduce the risk to an acceptable level.
10.8 Access limitations
Departments must limit access to classified and protected information and other assets to those individuals who have a need to know the information and who have the appropriate security screening level. To the extent necessary, they must also limit access to other assets requiring additional safeguarding for availability, integrity or value purposes. This includes ensuring that no one individual can independently control all aspects of a process or a system.
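The two conditions in section 10.8 (a screening level that dominates the marking, and a need to know) and the separation-of-duties rule are easy to get wrong when implemented as a single permission flag. The following is an added example, not part of the Government Security Policy or any department's system, showing the checks as an access decision over the markings from section 10.6 and the screening levels from section 10.9. Two modelling choices are assumptions of this example rather than statements of the policy: that screening levels form a strict order with reliability status below the three clearance levels, and that a reliability status is sufficient for all three Protected markings (the policy defers the exact mapping to the security screening standard). The names, programs and duties in the sample data are constructed.

```python
"""Access decision for section 10.8: screening level, need to know, and the
rule that no one individual controls all aspects of a process.

Added example, not the policy's own or any department's code. The level
ordering and the Protected -> reliability mapping below are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Screening(IntEnum):
    """Screening levels from 10.9, ordered along the injury scale of 10.6.
    Assumption: each level dominates every level below it."""
    NONE = 0
    RELIABILITY = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


# Marking -> minimum screening level. Assumption: a reliability status is
# enough for Protected A/B/C; classified markings need the matching clearance.
REQUIRED_SCREENING = {
    "Unclassified": Screening.NONE,
    "Protected A": Screening.RELIABILITY,
    "Protected B": Screening.RELIABILITY,
    "Protected C": Screening.RELIABILITY,
    "Confidential": Screening.CONFIDENTIAL,
    "Secret": Screening.SECRET,
    "Top Secret": Screening.TOP_SECRET,
}


@dataclass(frozen=True)
class Asset:
    name: str
    marking: str
    programs: frozenset  # need to know: programs that legitimately use the asset


@dataclass
class Individual:
    name: str
    screening: Screening
    programs: set = field(default_factory=set)  # programs the person works on
    duties: set = field(default_factory=set)    # process steps the person may perform


def may_access(person: Individual, asset: Asset) -> tuple:
    """Both 10.8 conditions must hold: the screening level dominates the
    marking, and the person shares a program with the asset (need to know).
    A high clearance alone never grants access to a program the person is not on."""
    required = REQUIRED_SCREENING[asset.marking]
    if person.screening < required:
        return False, f"{person.name}: {person.screening.name} is below {asset.marking}"
    if required > Screening.NONE and not (person.programs & asset.programs):
        return False, f"{person.name}: no need to know for {asset.name}"
    return True, "granted"


def separation_of_duties_violations(people: list, process_steps: set) -> list:
    """Names of anyone whose duties cover every step of a process, which 10.8
    forbids ('no one individual can independently control all aspects')."""
    return [p.name for p in people if process_steps <= p.duties]


def demo() -> dict:
    """Constructed sample data; returns the decisions so they can be checked."""
    payroll_db = Asset("payroll_db", "Protected B", frozenset({"payroll"}))
    threat_report = Asset("threat_report", "Secret", frozenset({"intel"}))
    alice = Individual("alice", Screening.SECRET, {"payroll"},
                       {"initiate", "approve", "release"})
    bob = Individual("bob", Screening.RELIABILITY, {"payroll"}, {"initiate"})
    return {
        "bob_payroll": may_access(bob, payroll_db)[0],        # True
        "bob_threat": may_access(bob, threat_report)[0],      # False: level
        "alice_threat": may_access(alice, threat_report)[0],  # False: need to know
        "alice_payroll": may_access(alice, payroll_db)[0],    # True
        "sod": separation_of_duties_violations(
            [alice, bob], {"initiate", "approve", "release"}),  # ["alice"]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The need-to-know test is deliberately independent of the level test: in the sample, alice holds a Secret clearance but is still refused the Secret threat report because she is not on the program that uses it, which is exactly the case a level-only check gets wrong.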
10.9 Security screening
The Government of Canada must ensure that individuals with access to government information and assets are reliable and trustworthy. For national security, it must also ensure the individual's loyalty to Canada in order to protect itself from foreign intelligence gathering and terrorism. Special care must be taken to ensure the continued reliability and loyalty of individuals, and prevent malicious activity and unauthorized disclosure of classified and protected information by a disaffected individual in a position of trust.
Departments must ensure that, prior to the commencement of duties, individuals who require:
- Access to government assets (except for Governor in Council appointees) undergo a reliability check and are granted a reliability status.
- Access to classified information and assets have a valid reliability status, undergo a security assessment and are granted a security clearance at the appropriate level. This includes foreign nationals visiting or working in a department. Certain limitations to a security clearance may be imposed as specified in the security screening standard.
- Access to facilities that are critical to the national interest or to restricted areas for major events have a site access clearance. Departments must obtain Treasury Board of Canada Secretariat approval in order to have site access clearance programs.
Departments must also:
- Obtain individuals' written consent before any check may be initiated.
- Treat individuals in a fair and unbiased manner, and give them an opportunity to explain adverse information before a decision is reached.
- Advise individuals of their rights of review or redress in case of denial, suspension or revocation.
- Ensure managers remain vigilant, once a reliability status or security clearance is granted, and act on any new information that could put into question an individual's reliability or loyalty.
- Update reliability status and security clearances regularly.
- For cause, review, revoke, suspend or downgrade a reliability status or a security clearance.
A delegated manager may grant or deny a reliability status. The DSO may grant a security clearance on behalf of the deputy head. Only the deputy head can deny, revoke or suspend a security clearance. Deputy heads must consult the Privy Council Office (PCO) on any disagreement with the Security Intelligence Review Committee recommendation on security clearances. They must also consult with PCO on decisions to recommend to the Governor in Council the suspension or dismissal of any individual as the result of a denial, revocation or suspension of a security clearance.
Departments must obtain Treasury Board of Canada Secretariat approval of any security screening proposal involving cost recovery.
10.10 Protection of employees
Departments are responsible under the Canada Labour Code, Part II, and under Treasury Board policy for the health and safety of employees at work. This responsibility extends to situations where employees are under threat of violence because of their duties or because of situations to which they are exposed. Such situations include, but are not limited to, threat letters or calls, the receipt of potentially dangerous substances, stalking and assault.
Departments must have in place mechanisms to:
- Identify, protect and support employees under threat of violence, based on a threat and risk assessment of specific situations. In certain cases, protection and support may have to be extended to family members and others.
- Report incidents to management, human resources, security and police authorities, as may be the case.
- Provide information, training, and counselling to employees.
- Maintain thorough records and statements on reported incidents.
10.11 Physical security
Physical security involves the proper layout and design of facilities and the use of measures to delay and prevent unauthorized access to government assets. It includes measures to detect attempted or actual unauthorized access, and activate an appropriate response. Physical security also provides measures to safeguard employees from violence.
Departments must ensure that security is fully integrated early in the process of planning, selecting, designing and modifying their facilities. They are required to:
- Select, design and modify their facilities in order to facilitate the control of access.
- Demarcate restricted access areas, and have the necessary entry barriers, security systems and equipment based on threat and risk assessments.
- Include the necessary security specifications in planning, request for proposals and tender documentation.
- Incorporate related costs in funding requirements.
Departments must also ensure the secure storage, transmittal and disposal of classified and protected information in all forms, in accordance with the requirements of the physical security standards. When warranted by a threat and risk assessment, they must also ensure the secure storage, transmittal and disposal of other assets.
Continuous review of physical security safeguards is essential to reflect changes in the threat environment and take advantage of new cost-effective technologies.
10.12 Information technology security
Information systems must be secured against rapidly evolving threats that have the potential to impact their confidentiality, integrity, availability, intended use and value. To defend against these threats, an IT security (ITS) strategy is required that accommodates changes in threat conditions, which may be sudden, and supports the continuous delivery of services. This dictates that departments apply baseline security controls, continuously monitor service delivery levels, track and analyse threats to departmental IT systems, and establish effective incident response and IT continuity mechanisms.
Departments must ensure that ITS is an integral part of each stage in the system development life cycle. Security requirements and related funding must be identified and included in planning, requests for proposals, and tender documents for IT projects.
By conforming to ITS operational and technical standards, departments will be better prepared to prevent, detect, react to and recover from incidents.
10.12.1 Prevention
To prevent the compromise of IT systems, departments must implement baseline security controls and any additional control identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined, documented and communicated to departmental program, legal, administrative, technical and general staff.
To ensure policy compliance, departments must:
- Certify and accredit IT systems prior to operation and subject them, including associated security safeguards, to sound configuration management practices.
- Conduct periodic security evaluations of systems, including assessments of configuration changes conducted on a routine basis.
- Periodically seek review by third parties in order to get an independent assessment.
10.12.2 Detection
Since services may rapidly degrade due to computer incidents, ranging from a simple slowdown to a complete halt, departments must continuously monitor the operations of their systems to detect anomalies in service delivery levels.
10.12.3 Response
Departments must:
- In the context of investigation of security incidents (section 10.15), establish mechanisms to respond effectively to IT incidents and exchange incident-related information with designated lead departments in a timely fashion.
- Designate an IT security point of contact for communications with respect to government-wide incident response.
- To prevent unintentional degradation of another department's security posture, conduct security activities, including incident response, in a manner that recognises that government is, in effect, a single interconnected entity.
10.12.4 Recovery
To ensure the ongoing availability of critical services, departments must develop IT continuity plans as part of their overall business continuity planning and recovery activities.
10.13 Security in emergency and increased threat situations
Departments must develop plans and procedures to move up to heightened security levels in case of emergency and increased threat. The Government of Canada may direct departments to implement heightened security levels.
Departments must co-ordinate these plans with other emergency prevention and response plans (e.g., fire, bomb threats, hazardous materials, power failures, evacuations, civil emergencies).
10.14 Business continuity planning
Critical services and associated assets must remain available in order to assure the health, safety, security and economic well-being of Canadians, and the effective functioning of government. Departments must establish a business continuity planning (BCP) program to provide for the continued availability of critical services and assets, and of other services and assets when warranted by a threat and risk assessment.
The program shall include the following elements:
- Within the context of the departmental security program and organization (section 10.1), a governance structure establishing authorities and responsibilities for the program, and for the development and approval of business continuity plans.
- Within the context of the identification of assets (section 10.6), an impact analysis to identify and prioritize the department's critical services and assets.
- Plans, measures and arrangements to ensure the continued availability of critical services and assets, and of any other service or asset when warranted by a threat and risk assessment.
- Activities to monitor the department's level of overall readiness.
- Provision for the continuous review, testing and audit of business continuity plans.
10.15 Investigation of Security Incidents
Through effective reporting and investigation of security incidents, vulnerabilities can be determined and the risk of future occurrence reduced.
Departments must develop procedures for reporting and investigating security incidents and taking corrective action.
They must also report:
- Incidents suspected of constituting criminal offences to the appropriate law enforcement authority.
- Incidents involving the compromise of Cabinet confidences to the Privy Council Office.
- Incidents involving threats to the national interest to the Canadian Security Intelligence Service.
- Incidents and threats affecting the availability of critical assets and services to the Office of Critical Infrastructure Protection and Emergency Preparedness.
- Incidents which can be considered as a "hazardous occurrence" or involve employee injury to the health and safety committee and to Health and Safety Officers appointed under the Canada Labour Code.
- Incidents that have an impact on government operations or that could require revisions to operational standards or technical documentation, to the Treasury Board of Canada Secretariat.
10.16 Sanctions
Departments are required to apply sanctions in response to security incidents when in the opinion of the deputy head there has been misconduct or negligence.
11. Monitoring
Departments are required to conduct active monitoring and internal audits of their security program. The results of internal audits must be reported to the Treasury Board of Canada Secretariat.
The Treasury Board of Canada Secretariat, with assistance from departments, will produce a mid-term report to the Treasury Board on the effectiveness of the policy.
12. Review
This policy will be reviewed within 5 years.
13. References
The authority for this policy derives from Section 7 of the Financial Administration Act. This policy replaces the June 9, 1994 policy and its November 1994 and June 1995 amendments.
Legislation relevant to this policy includes:
- Access to Information Act
- Canada Labour Code
- Canadian Security Intelligence Service Act
- Charter of Rights and Freedoms
- Criminal Code
- Criminal Records Act
- Defence Production Act
- Emergency Preparedness Act
- Financial Administration Act
- Interpretation Act
- National Defence Act
- Official Secrets Act
- Personal Information Protection and Electronic Documents Act
- Privacy Act
- Public Service Employment Act
- Public Service Staff Relations Act
- Queen's Regulations and Orders
- Young Offenders Act
Documents relevant to this policy may be found on the Treasury Board Web site.
14. Enquiries
Enquiries about this policy should be directed to the Departmental Security Officer. For interpretation of the policy, the Departmental Security Officer should contact:
Security Policy Group, Information and Security Policy Division
Government Operations Sector, Treasury Board of Canada Secretariat
8th Floor, East Tower, L'Esplanade Laurier
Ottawa, Ontario, K1A 0R5
Telephone: (613) 946-5046 or 957-2534
Facsimile: (613) 952-7287
Appendix "A" – Responsibilities
1. Treasury Board
The Treasury Board approves the Government Security Policy.
2. Treasury Board of Canada Secretariat
As the central agency for security and service delivery issues for the Government of Canada, the Treasury Board of Canada Secretariat is responsible to:
- Develop and update the Government Security Policy.
- Provide strategic direction, leadership, advice and assistance on security and service delivery issues.
- In consultation with departments, develop operational standards and technical documentation for the general administration of the policy, security screening, protection of employees, security in emergency and increased threat situations, business continuity planning, investigation of security incidents and other related issues as required.
- Direct and co-ordinate the development of operational standards and technical documentation for physical security, information technology security, and security in contracting.
- Co-ordinate the provision of security training and awareness.
- Co-ordinate security research and development.
- Provide policy management of the strategic Information Management/Information Technology infrastructure in support of the Government of Canada's service delivery and business objectives, including common information technology services and common infrastructure accreditation.
- Monitor and report to the Treasury Board, with the assistance of departments, on the implementation of the policy and the state of security in the Government of Canada.
- Develop and pursue a strategy that will enable the Government of Canada to identify, recruit, retain and continually educate security professionals.
- Issue security policy implementation notices and advisories.
- Represent the Government of Canada on national and international committees related to security policy.
3. Committees
Various security related committees provide advice and guidance to the Treasury Board of Canada Secretariat on the implementation of the Government Security Policy, its effectiveness, and the state of security in the Government of Canada.
These committees also review and recommend operational security standards and technical documentation for approval by the appropriate authority.
4. Lead security departments
Certain departments have government-wide responsibilities under the Government Security Policy. Specific responsibilities of these departments are listed below.
4.1 Canadian Security Intelligence Service
As part of its role in security and intelligence, the Canadian Security Intelligence Service (CSIS) is responsible to:
- Investigate and analyse physical and cyber threats to national security, as defined in the CSIS Act, and provide related advice. These threats include espionage and sabotage, foreign influence activity and politically motivated violence.
- Provide security and intelligence advice, including threat and risk assessment information, to departments.
- Conduct investigations and provide security assessments, as requested by departments for the processing of security clearances.
- Maintain a central index of security assessments conducted and resulting recommendations.
4.2 Communications Security Establishment
As the cryptology and information technology security (ITS) technical authority, the Communications Security Establishment (CSE) is responsible to:
- In consultation with the Treasury Board of Canada Secretariat and other departments, develop operational standards and technical documentation as they relate to Signals Intelligence (SIGINT), Communications Security (COMSEC), and ITS in terms of system certification and accreditation, risk and vulnerability analysis, product evaluation, and system and network security analysis.
- Provide advice and assistance to departments on operational standards and technical documentation developed by CSE.
- Provide security engineering services, technical and operational assistance to support the design, implementation and operation of government and national IT systems and infrastructure elements.
- Develop and provide specialised SIGINT and ITS training, especially with respect to COMSEC, network vulnerabilities and relevant technical safeguards.
- Test, inspect and evaluate IT products and systems to identify risks, vulnerabilities and appropriate mitigation, and conduct related technical research and development.
- Certify private sector test and evaluation facilities.
- Assess and report on the application of COMSEC and ITS technical safeguards in both the public and private sectors, upon request or when mandated by security standards.
- Manage the distribution of SIGINT, cryptographic equipment, accountable publications and key material. Operate key management systems. Maintain the national inventory of personnel cleared for access to SIGINT.
- Represent the Government of Canada on national and international SIGINT and ITS committees and negotiate agreements with allied agencies.
4.3 Foreign Affairs and International Trade
As the lead department for conducting foreign relations, the Department of Foreign Affairs and International Trade (DFAIT) is responsible to:
- Provide a safe and secure environment for Government of Canada employees and assets housed at Canadian diplomatic and consular missions abroad through the provision of operational guidance on all aspects of physical security.
- Arrange and co-ordinate security for official visitors at DFAIT facilities.
- As the common carrier for official communications between departments and Canadian diplomatic missions abroad, ensure the confidentiality, integrity and availability of common IT services under its control.
- Provide measures to safeguard assets under its control in Canada and abroad, and conduct or arrange the inspection of those measures, including the measures applied to assets transmitted by electronic means.
- Provide advice to departments, and the means for them to transmit and transport assets abroad in order to ensure continuity and uniformity of safeguarding.
- Liaise with all departments to ensure they accord adequate safeguards to North Atlantic Treaty Organization (NATO) documents under their control.
- Process security screening for employees of non-governmental organizations and other levels of government co-located at DFAIT facilities abroad.
- Provide advice to departments on security initiatives with foreign governments and international organizations.
4.4 National Archives
As the lead department responsible for the management of government records, the National Archives of Canada is responsible to:
- Identify security implications involved in the identification, organization, storage, preservation, retention and disposal of government information holdings.
- Develop and disseminate appropriate record-keeping advice and guidance.
4.5 National Defence
As part of their roles, the Deputy Minister of the Department of National Defence and the Chief of the Defence Staff for the Canadian Forces are jointly or separately responsible, as appropriate, to:
- Provide advice to departments on military intelligence for threat and risk assessment purposes.
- Arrange and co-ordinate security for any foreign military personnel visiting Canada or otherwise present at a defence facility.
- Verify departments' compliance with agreements for the safeguarding of NATO atomic information.
4.6 Office of Critical Infrastructure Protection and Emergency Preparedness
As part of its role to provide national leadership in critical infrastructure protection and effective emergency management, the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) is responsible to:
- In consultation with the Treasury Board of Canada Secretariat and other departments, develop operational standards and technical documentation relating to the protection and assurance of the critical networks, information systems and other critical assets of the Government of Canada.
- Assist the Treasury Board of Canada Secretariat in the development of the business continuity planning standards and in consultation with the Treasury Board of Canada Secretariat, provide advice to departments on the development and maintenance of business continuity plans.
- Provide advice to departments concerning the cyber aspects of the protection of the networks, information systems and infrastructures that are critical to the Government of Canada.
- Assist departments in identifying and depicting their critical assets, in conducting vulnerability assessments of these assets, and in providing an overall vulnerability and dependency analysis of the Government of Canada's critical assets.
- Act as the centre for the Government of Canada, 24 hours per day, 7 days per week for:
- departmental reporting of real or imminent threats and incidents potentially affecting the networks, information systems and other assets and infrastructures that are critical to the functioning of the Government of Canada;
- monitoring and analysing cyber attacks and threats against networks of the Government of Canada;
- issuing alerts, advisories and other information and advice to departments related to these threats and incidents;
- co-ordinating a federal response to cyber and physical threats or incidents affecting the functioning of the Government of Canada;
- responding to requests from departments for specific technical advice, guidance and information on cyber-related incident prevention, detection, response and recovery.
- In co-operation with other departments, develop and promote education, training and awareness programs.
- In collaboration with other departments, provide a research and development capability to contribute to the security of critical networks, information systems and other assets of the Government of Canada.
- Represent the Government of Canada on national and international committees on critical infrastructure protection and emergency preparedness.
4.7 Privy Council Office
As part of its role to support Cabinet and set overall policy directions for security and intelligence in government, the Privy Council Office is responsible to:
- Establish procedures for the security of confidences of the Queen's Privy Council for Canada and records administered under the Cabinet Papers System.
- Advise, when requested, deputy heads on decisions to order a formal investigation of suspected unauthorized disclosures of Cabinet confidences.
- Advise, when requested, deputy heads on decisions to deny, revoke or suspend security clearances.
- Advise deputy heads regarding any disagreement with a Security Intelligence Review Committee recommendation on security clearances, and on decisions to recommend to the Governor in Council the suspension or dismissal of any individual as the result of denial, revocation or suspension of a security clearance.
- Direct departments to implement heightened security levels in emergencies and increased threat situations.
4.8 Public Works and Government Services Canada
As a common service department for contracting, real property management, information technology and telecommunications, Public Works and Government Services Canada is responsible to:
- In consultation with the Treasury Board of Canada Secretariat and other departments, develop operational standards and technical documentation on security in contracting.
- Administer the Industrial Security Program under the Government Security Policy and the Controlled Goods Registration Programs under the Defence Production Act.
- Provide advice to departments on the operational standards and technical documentation on security in contracting.
- Develop and provide security in contracting training.
- Maintain a database of private sector organizations and individuals that are security screened for access to government assets.
- Ensure compliance with the security policy in contracts that are outside delegated contracting responsibilities of departments, and afford access to government assets.
- On request, ensure compliance with the security policy in contracts that are within delegated contracting responsibilities of departments, and afford access to government assets.
- In consultation with the Department of Foreign Affairs and International Trade, negotiate international industrial security agreements, arrangements and memoranda of understanding on behalf of the Government of Canada.
- Ensure international industrial security agreements, arrangements and memoranda of understanding are complied with in contracts that afford access to classified foreign government information, and in contracts that afford foreign contractors access to assets of the Government of Canada.
- Control all government Communications Security (COMSEC) assets in the private sector.
- Ensure that contractors meet the security requirements of contracts that involve information technology security assets.
- When it is the custodian department, ensure the provision of base building security.
- Ensure the confidentiality, integrity and availability of common IT services provided to other departments.
- Represent the Government of Canada on national and international initiatives related to industrial security and controlled goods.
4.9 Royal Canadian Mounted Police
As lead department for federal law enforcement, with a crime prevention mission, the Royal Canadian Mounted Police (RCMP) is responsible to:
For Information Technology Security (ITS):
- In consultation with the Treasury Board of Canada Secretariat and other departments, develop ITS operational standards and technical documentation as it relates to the application of access controls and biometrics, data forensics, media disposal, system monitoring, malicious software, major events, reviews, inspections and audits.
- Provide advice to departments on:
- ITS operational standards and technical documentation developed by the RCMP;
- the process of threat and risk assessments, and
- the conduct of IT system security reviews, inspections and audits.
- Develop and provide ITS training and awareness for users, system-support staff and ITS officers.
- Provide technical assistance to investigations related to IT.
- Conduct research and development on new ITS technologies and counter-measures as it relates to cyber-crime.
- Assess and report on cyber-crime threats and counter-measures.
- Represent the Government of Canada on national and international law enforcement and cyber-crime prevention initiatives.
For Physical Security:
- In consultation with the Treasury Board of Canada Secretariat and other departments, develop operational standards and technical documentation on the security design of facilities, the control and monitoring of access to facilities and assets, and the storage, transmittal, transport and disposal of assets.
- Provide advice to departments on the application of the operational standards and technical documentation, the security design of facilities and on physical security equipment, systems and procedures.
- Develop and provide physical security training and awareness.
- Review and advise on counter-technical intrusion detection.
- Conduct related research and develop counter-measures for physical threats.
- Represent the Government of Canada on national and international law enforcement and physical crime prevention initiatives.
For Security Screening:
- Provide advice to departments, and the results of Criminal Records Name Checks (CRNC) conducted both electronically and manually against the Canadian Police Information Centre (CPIC) central criminal record database.
- Provide advice to departments and the results of certified fingerprint searches against the fingerprint repository.
- Develop business procedures, technology enhancements, and consult with other departments for continual improvement of the CRNC and the fingerprint search processes.
- Provide criminal assessments to departments related to individuals' reliability.
- Conduct investigations and security assessments for RCMP personnel.
4.10 Transport Canada
As the lead department for land, air and marine security, and the department administering the Aeronautics Act, Transport Canada is responsible to administer the Airport Restricted Area Access Program.
5. Custodian Departments
Custodian departments are responsible for, but not limited to, the following aspects of physical security for facilities that they administer, unless otherwise arranged with tenants:
- Providing and funding safeguards considered necessary by the custodian to protect facilities, based on a threat and risk assessment conducted by or for the custodian.
- Providing and funding for specific sites, subject to a threat and risk assessment, guard services to protect facilities at a level the custodian considers necessary.
- Arranging for additional safeguards, where required and funded by tenants.
- Advising tenants of proposed changes to facilities that could affect security, and consulting tenants about proposed changes to facility safeguards.
- Advising tenants of changes of occupancy or use in multiple occupancy buildings that could affect security.
Appendix "B" - Glossary
Accreditation (accréditation) - the official authorisation by management for the operation of an IT system, and acceptance by that management of the associated residual risk. Accreditation is based on the certification process as well as other management considerations.
Assets (biens) - tangible or intangible things of the Government of Canada. Assets include but are not limited to information in all forms and media, networks, systems, materiel, real property, financial resources, employee trust, public confidence and international reputation. (The inclusion of information in this definition is for the purposes of this policy only and should not be interpreted as importing any legal consequences applicable for assets to information.)
Availability (disponibilité) - the condition of being usable on demand to support operations, programs and services.
Baseline security requirements (exigences sécuritaires de base) - mandatory provisions of the Government Security Policy and its associated operational standards and technical documentation.
Business continuity planning (planification de la continuité opérationnelle) - an all-encompassing term which includes the development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets.
Certification (certification) - a comprehensive evaluation of the technical and non-technical security features of an IT system and other related safeguards to establish the extent to which a particular design and implementation meets a specific set of security requirements, made in support of the accreditation process.
Classified assets (biens classifiés) - assets whose unauthorized disclosure would reasonably be expected to cause injury to the national interest.
Classified information (renseignements classifiés) - information related to the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act, and the compromise of which would reasonably be expected to cause injury to the national interest.
Compromise (compromission) - unauthorized disclosure, destruction, removal, modification, interruption or use of assets.
COMSEC - communications security: cryptographic, transmission and emission security measures applied to information stored, processed or transmitted electronically; a subset of information technology security.
Confidentiality (confidentialité) - the attribute that information must not be disclosed to unauthorized individuals, because of the resulting injury to national or other interests, with reference to specific provisions of the Access to Information Act and the Privacy Act.
Contracting process (processus de passation des marchés) - includes bidding, negotiating, awarding, performance and termination of contracts.
Critical assets (biens essentiels) - assets supporting a critical service.
Critical service (service critique) - service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the efficient functioning of the Government of Canada.
Facility (installation) - a physical setting used to serve a specific purpose. A facility may be part of a building, a whole building, or a building plus its site; or it may be a construction that is not a building. The term encompasses both the physical object and its use.
For cause (pour un motif valable) - a determination that there is sufficient reason to review, revoke, suspend or downgrade a reliability status or a security clearance. In the context of a security assessment, a determination whether more in-depth verifications are required.
Information technology security (sécurité des technologies de l'information) - safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information.
Integrity (intégrité) - the accuracy and completeness of assets, and the authenticity of transactions.
National interest (intérêt national) - concerns the defence and maintenance of the social, political and economic stability of Canada.
Need-to-know (besoin de connaître) - the need for someone to access and know information in order to perform his or her duties.
Physical security (sécurité matérielle) - the use of physical safeguards to prevent and delay unauthorized access to assets, detect attempted and actual unauthorized access and activate appropriate response.
Protected assets (biens protégés) - assets whose unauthorized disclosure would reasonably be expected to cause injury to a non-national interest.
Protected information (renseignements protégés) - information related to other than the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act, and the compromise of which would reasonably be expected to cause injury to a non-national interest.
Reliability status (cote de fiabilité) - indicates successful completion of a reliability check; allows regular access to government assets and, with a need to know, to protected information.
Restricted access area (aire à accès restreint) - work area where access is limited to authorized individuals.
Risk (risque) - the chance of a vulnerability being exploited.
Security clearance (cote de sécurité) - indicates successful completion of a security assessment; with a need to know, allows access to classified information. There are three security clearance levels: Confidential, Secret and Top Secret.
Security incident (incident de sécurité) - compromise of an asset, or any act or omission that could result in a compromise; threat or act of violence toward employees.
Site access clearance (cote spéciale d'accès) - required for access to installations critical to the national interest or to restricted areas for special events.
Threat (menace) - any potential event or act, deliberate or accidental, that could cause injury to employees or assets.
Value (valeur) - estimated worth, monetary, cultural or other.
Vulnerability (vulnérabilité) - an inadequacy related to security that could permit a threat to cause injury.