7. Management framework and responsibilities
Appendix "A" – Responsibilities
February 1, 2002
The Government of Canada depends on its personnel and assets to deliver services that ensure the health, safety, security and economic well-being of Canadians. It must manage these resources with due diligence and take appropriate measures to safeguard them from injury.
Threats that can cause injury to government personnel and assets, in Canada and abroad, include violence toward employees, unauthorized access, theft, fraud, vandalism, fire, natural disasters, technical failures and accidental damage. The threat of cyber attack and malicious activity through the Internet is prevalent and can cause severe injury to electronic services and critical infrastructures. Threats to the national interest, such as transnational criminal activity, foreign intelligence activities and terrorism, continue to evolve as the result of changes in the international environment.
The Government Security Policy prescribes the application of safeguards to reduce the risk of injury. It is designed to protect employees, preserve the confidentiality, integrity, availability and value of assets, and assure the continued delivery of services. Since the Government of Canada relies extensively on information technology (IT) to provide its services, this policy emphasises the need for departments to monitor their electronic operations.
This policy complements other Treasury Board policies for the management of human resources (e.g., harassment, occupational safety and health), official languages, information, materiel, real property and financial resources.
To support the national interest and the Government of Canada's business objectives by safeguarding employees and assets and assuring the continued delivery of services.
Employees under threat of violence must be safeguarded according to baseline security requirements and continuous security risk management.
Assets must be safeguarded according to baseline security requirements and continuous security risk management.
Continued delivery of services must be assured through baseline security requirements, including business continuity planning, and continuous security risk management.
This policy applies to all departments listed in Schedule I, Schedule I.1 and Schedule II of the Financial Administration Act (FAA).
It also applies to:
Certain agencies and crown corporations can enter into agreements with the Treasury Board of Canada Secretariat to adopt the requirements of this policy and apply them to their organization.
Deputy heads are accountable for safeguarding employees and assets under their area of responsibility and for implementing this policy. In the context of the Department of National Defence, Deputy heads include the Deputy Minister of National Defence and the Chief of the Defence Staff for the Canadian Forces, as appropriate.
Refer to Appendix A.
Refer to Appendix B.
This policy is supplemented by:
Departments must comply with the baseline requirements of this policy and its associated operational standards and technical documentation. These requirements are based on integrated assessments of threats and risks to the national interest and to government employees and assets. Departments must conduct their own threat and risk assessments to determine the necessity of safeguards above baseline levels.
The requirements of this policy complement other government measures on the management of emergency situations (e.g., fire, bomb threats, hazardous materials, power failures, evacuations, civil emergencies).
The Government of Canada may direct departments to implement heightened security levels in emergency or increased threat situations.
Departments must appoint a Departmental Security Officer (DSO) to establish and direct a security program that ensures co-ordination of all policy functions and implementation of policy requirements. These functions include general administration (departmental procedures, training and awareness, identification of assets, security risk management, sharing of information and assets), access limitations, security screening, physical security, protection of employees, information technology security, security in emergency and increased threat situations, business continuity planning, security in contracting and security incident investigations.
Given the importance of this role, consideration should be given to appointing a Departmental Security Officer with sufficient security experience who is strategically positioned within the organization so as to provide department-wide strategic advice and guidance to senior management.
Departments must implement this policy when sharing Government of Canada information and other assets with other governments (including foreign, provincial, territorial, and municipal), international, educational and private sector organizations. In these cases, departments must develop arrangements that outline security responsibilities, safeguards to be applied, and terms and conditions for continued participation.
Departments must treat information and other assets received from other governments (including foreign, provincial, territorial, and municipal), international (e.g., NATO), educational and private sector organizations, in accordance with agreements or arrangements between the parties concerned.
Departments that share in the common Information Management and Information Technology infrastructure for on-line service delivery and other purposes must conform to all security standards established for that infrastructure.
Some requirements of this policy may be difficult to apply in certain foreign environments. In such situations, special standards may be developed in consultation with the Department of Foreign Affairs and International Trade.
Restrictions may be placed on personal activities at locations where the environment is particularly dangerous. All employees, unless on diplomatic posting and covered by the Vienna Conventions, are automatically subject to local laws and regulations. For travel information and specific security arrangements and limitations, employees must contact the Department of Foreign Affairs and International Trade or the nearest Canadian embassy. Diplomats must be aware that serious breaches of local laws abroad can, under Canadian law, be prosecuted in Canada.
This policy applies equally to the contracting process as it does to internal government operations. The contracting authority, whether it is Public Works and Government Services Canada or another department, must comply with the requirements of this policy and the security in contracting standards and technical documentation.
The contracting authority must:
Departments must:
Confidentiality
Departments must identify information and other assets when their unauthorized disclosure, with reference to specific provisions of the Access to Information Act and the Privacy Act, could reasonably be expected to cause injury to:
Availability, Integrity and Value
Departments must identify and categorize assets, especially critical services, based on the degree of injury (low, medium, high) that could reasonably be expected to result from a compromise of their availability or integrity. They must consider the value (e.g., monetary, heritage) of assets in determining injury. In order to indicate the level of safeguarding, departments should consider marking assets for availability and integrity purposes.
Departments must conduct ongoing assessments of threats and risks to determine the necessity of safeguards beyond baseline levels. They must continuously monitor for any change in the threat environment and make any adjustment necessary to maintain an acceptable level of risk and a balance between operational needs and security.
Threat and risk assessments involve:
Departments must limit access to classified and protected information and other assets to those individuals who have a need to know the information and who have the appropriate security screening level. To the extent necessary, they must also limit access to other assets requiring additional safeguarding for availability, integrity or value purposes. This includes ensuring that no one individual can independently control all aspects of a process or a system.
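As an added illustration that is not part of the policy text, the following example encodes the two conditions stated above as a single access decision: the individual's screening level must be sufficient for the marking, and the individual must have a need to know. The screening ordering (reliability status below the three clearance levels Confidential, Secret and Top Secret) follows the glossary definitions of reliability status and security clearance. The people, programs and assets are constructed for this example; treating a higher clearance as never substituting for need to know, modelling need to know as program tags, and denying access to an asset that carries no need-to-know tag are design choices of the example rather than wording from the policy. A second function checks the "no one individual controls all aspects of a process" requirement.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Tuple


class Screening(IntEnum):
    """Screening levels in dominance order. Reliability status is the
    baseline; the three security clearance levels sit above it."""
    NONE = 0
    RELIABILITY = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


# Minimum screening for each marking. "Protected" maps to reliability status
# (the glossary says reliability status allows access to protected information
# with a need to know); each classified marking maps to the clearance of the
# same name. The mapping is an assumption of this example.
REQUIRED_SCREENING: Dict[str, Screening] = {
    "Protected": Screening.RELIABILITY,
    "Confidential": Screening.CONFIDENTIAL,
    "Secret": Screening.SECRET,
    "Top Secret": Screening.TOP_SECRET,
}


@dataclass(frozen=True)
class Person:
    name: str
    screening: Screening
    duties: FrozenSet[str]  # programs the person works on (constructed tags)


@dataclass(frozen=True)
class Asset:
    title: str
    marking: str                 # one of REQUIRED_SCREENING's keys
    need_to_know: FrozenSet[str]  # programs whose staff need this asset


def access_decision(person: Person, asset: Asset) -> Tuple[bool, str]:
    """Grant only when BOTH conditions hold: the person's screening dominates
    the marking's requirement, and the person's duties cover every
    need-to-know tag on the asset. A higher clearance never substitutes for
    need to know, and an asset with no tag is denied to everyone (fail closed)."""
    required = REQUIRED_SCREENING[asset.marking]
    if person.screening < required:
        return False, (f"{person.name}: {person.screening.name} is below "
                       f"{required.name} required for {asset.marking}")
    if not asset.need_to_know:
        return False, f"{asset.title!r} has no need-to-know tag; deny by default"
    missing = asset.need_to_know - person.duties
    if missing:
        return False, f"{person.name}: no need to know for {sorted(missing)}"
    return True, f"{person.name}: granted ({person.screening.name}, duties cover {sorted(asset.need_to_know)})"


def separation_of_duties_ok(steps: Dict[str, str]) -> bool:
    """A process with more than one step must not be controllable by a single
    individual: at least two distinct performers are required.
    `steps` maps step name -> performer name."""
    if len(steps) < 2:
        return True
    return len(set(steps.values())) >= 2


# Constructed sample records for this example.
alice = Person("alice", Screening.SECRET, frozenset({"payroll", "site-x"}))
bob = Person("bob", Screening.TOP_SECRET, frozenset({"counter-terrorism"}))
carol = Person("carol", Screening.RELIABILITY, frozenset({"payroll"}))

payroll_file = Asset("payroll run", "Protected", frozenset({"payroll"}))
site_plan = Asset("site X security plan", "Secret", frozenset({"site-x"}))

if __name__ == "__main__":
    for who, what in [(alice, payroll_file), (bob, site_plan),
                      (carol, site_plan), (carol, payroll_file)]:
        print(access_decision(who, what))
    # bob is cleared Top Secret but is still denied the Secret plan: no need to know.
    print(separation_of_duties_ok({"prepare": "alice", "approve": "alice", "release": "alice"}))
    print(separation_of_duties_ok({"prepare": "alice", "approve": "carol", "release": "alice"}))
```

The ordering of the checks matters for the reason given to the requester: screening is evaluated first so that a denial never reveals which need-to-know tags an asset carries to someone not screened for its marking.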
The Government of Canada must ensure that individuals with access to government information and assets are reliable and trustworthy. For national security, it must also ensure the individual's loyalty to Canada in order to protect itself from foreign intelligence gathering and terrorism. Special care must be taken to ensure the continued reliability and loyalty of individuals, and prevent malicious activity and unauthorized disclosure of classified and protected information by a disaffected individual in a position of trust.
Departments must ensure that, prior to the commencement of duties, individuals who require:
Departments must also:
A delegated manager may grant or deny a reliability status. The DSO may grant a security clearance on behalf of the deputy head. Only the deputy head can deny, revoke or suspend a security clearance. Deputy heads must consult the Privy Council Office (PCO) on any disagreement with the Security Intelligence Review Committee recommendation on security clearances. They must also consult with PCO on decisions to recommend to the Governor in Council the suspension or dismissal of any individual as the result of a denial, revocation or suspension of a security clearance.
Departments must obtain Treasury Board of Canada Secretariat approval of any security screening proposal involving cost recovery.
Departments are responsible under the Canada Labour Code, Part II, and under Treasury Board policy for the health and safety of employees at work. This responsibility extends to situations where employees are under threat of violence because of their duties or because of situations to which they are exposed. Such situations include, but are not limited to, threat letters or calls, the receipt of potentially dangerous substances, stalking and assault.
Departments must have in place mechanisms to:
Physical security involves the proper layout and design of facilities and the use of measures to delay and prevent unauthorized access to government assets. It includes measures to detect attempted or actual unauthorized access, and activate an appropriate response. Physical security also provides measures to safeguard employees from violence.
Departments must ensure that security is fully integrated early in the process of planning, selecting, designing and modifying their facilities. They are required to:
Departments must also ensure the secure storage, transmittal and disposal of classified and protected information in all forms, in accordance with the requirements of the physical security standards. When warranted by a threat and risk assessment, they must also ensure the secure storage, transmittal and disposal of other assets.
Continuous review of physical security safeguards is essential to reflect changes in the threat environment and take advantage of new cost-effective technologies.
Information systems must be secured against rapidly evolving threats that have the potential to impact their confidentiality, integrity, availability, intended use and value. To defend against these threats, an IT security (ITS) strategy is required that accommodates changes in threat conditions, which may be sudden, and supports the continuous delivery of services. This dictates that departments apply baseline security controls, continuously monitor service delivery levels, track and analyse threats to departmental IT systems, and establish effective incident response and IT continuity mechanisms.
Departments must ensure that ITS is an integral part of each stage in the system development life cycle. Security requirements and related funding must be identified and included in planning, requests for proposals, and tender documents for IT projects.
By conforming to ITS operational and technical standards, departments will be better prepared to prevent, detect, react to and recover from incidents.
To prevent the compromise of IT systems, departments must implement baseline security controls and any additional control identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined, documented and communicated to departmental program, legal, administrative, technical and general staff.
To ensure policy compliance, departments must:
Since services may rapidly degrade due to computer incidents, ranging from a simple slowdown to a complete halt, departments must continuously monitor the operations of their systems to detect anomalies in service delivery levels.
Departments must:
To ensure the ongoing availability of critical services, departments must develop IT continuity plans as part of their overall business continuity planning and recovery activities.
Departments must develop plans and procedures to move up to heightened security levels in case of emergency and increased threat. The Government of Canada may direct departments to implement heightened security levels.
Departments must co-ordinate these plans with other emergency prevention and response plans (e.g., fire, bomb threats, hazardous materials, power failures, evacuations, civil emergencies).
Critical services and associated assets must remain available in order to assure the health, safety, security and economic well-being of Canadians, and the effective functioning of government. Departments must establish a business continuity planning (BCP) program to provide for the continued availability of critical services and assets, and of other services and assets when warranted by a threat and risk assessment.
The program shall include the following elements:
Through effective reporting and investigation of security incidents, vulnerabilities can be identified and the risk of recurrence reduced.
Departments must develop procedures for reporting and investigating security incidents and taking corrective action.
They must also report:
Departments are required to apply sanctions in response to security incidents when in the opinion of the deputy head there has been misconduct or negligence.
Departments are required to conduct active monitoring and internal audits of their security program. The results of internal audits must be reported to the Treasury Board of Canada Secretariat.
The Treasury Board of Canada Secretariat, with assistance from departments, will produce a mid-term report to the Treasury Board on the effectiveness of the policy.
This policy will be reviewed within 5 years.
The authority for this policy derives from Section 7 of the Financial Administration Act. This policy replaces the June 9, 1994 policy and its November 1994 and June 1995 amendments.
Legislation relevant to this policy includes:
Documents relevant to this policy may be found on the Treasury Board Web site.
http://publiservice.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/siglist_e.asp
Enquiries about this policy should be directed to the Departmental Security Officer. For interpretation of the policy, the Departmental Security Officer should contact:
Security Policy Group, Information and Security Policy Division
Government Operations Sector, Treasury Board of Canada Secretariat
8th Floor, East Tower, L'Esplanade Laurier
Ottawa, Ontario, K1A 0R5
Telephone: (613) 946-5046 or 957-2534
Facsimile: (613) 952-7287
The Treasury Board approves the Government Security Policy.
As the central agency for security and service delivery issues for the Government of Canada, the Treasury Board of Canada Secretariat is responsible to:
Various security related committees provide advice and guidance to the Treasury Board of Canada Secretariat on the implementation of the Government Security Policy, its effectiveness, and the state of security in the Government of Canada.
These committees also review and recommend operational security standards and technical documentation for approval by the appropriate authority.
Certain departments have government-wide responsibilities under the Government Security Policy. Specific responsibilities of these departments are listed below.
As part of its role in security and intelligence, the Canadian Security Intelligence Service (CSIS) is responsible to:
As the cryptology and information technology security (ITS) technical authority, the Communications Security Establishment (CSE) is responsible to:
As the lead department for conducting foreign relations, the Department of Foreign Affairs and International Trade (DFAIT) is responsible to:
As the lead department responsible for the management of government records, the National Archives of Canada is responsible to:
As part of their roles, the Deputy Minister of the Department of National Defence and the Chief of the Defence Staff for the Canadian Forces are jointly or separately responsible, as appropriate, to:
As part of its role to provide national leadership in critical infrastructure protection and effective emergency management, the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) is responsible to:
As part of its role to support Cabinet and set overall policy directions for security and intelligence in government, the Privy Council Office is responsible to:
As a common service department for contracting, real property management, information technology and telecommunications, Public Works and Government Services Canada is responsible to:
As lead department for federal law enforcement, with a crime prevention mission, the Royal Canadian Mounted Police (RCMP) is responsible to:
For Information Technology Security (ITS):
For Physical Security:
For Security Screening:
As the lead department for land, air and marine security, and for administering the Aeronautics Act, Transport Canada is responsible for administering the Airport Restricted Area Access Program.
Custodian departments are responsible for, but not limited to, the following aspects of physical security for facilities that they administer, unless otherwise arranged with tenants:
Accreditation (accréditation) - the official authorisation by management for the operation of an IT system, and acceptance by that management of the associated residual risk. Accreditation is based on the certification process as well as other management considerations.
Assets (biens) - tangible or intangible things of the Government of Canada. Assets include but are not limited to information in all forms and media, networks, systems, materiel, real property, financial resources, employee trust, public confidence and international reputation. (The inclusion of information in this definition is for the purposes of this policy only and should not be interpreted as importing any legal consequences applicable for assets to information.)
Availability (disponibilité) - the condition of being usable on demand to support operations, programs and services.
Baseline security requirements (exigences sécuritaires de base) - mandatory provisions of the Government Security Policy and its associated operational standards and technical documentation.
Business continuity planning (planification de la continuité opérationnelle) - an all-encompassing term which includes the development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets.
Certification (certification) - a comprehensive evaluation of the technical and non-technical security features of an IT system and other related safeguards to establish the extent to which a particular design and implementation meets a specific set of security requirements, made in support of the accreditation process.
Classified assets (biens classifiés) - assets whose unauthorized disclosure would reasonably be expected to cause injury to the national interest.
Classified information (renseignements classifiés) - information related to the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act, and the compromise of which would reasonably be expected to cause injury to the national interest.
Compromise (compromission) - unauthorized disclosure, destruction, removal, modification, interruption or use of assets.
COMSEC - communications security: cryptographic, transmission and emission security measures applied to information stored, processed or transmitted electronically; a subset of information technology security.
Confidentiality (confidentialité) - the attribute that information must not be disclosed to unauthorized individuals, because of the resulting injury to national or other interests, with reference to specific provisions of the Access to Information Act and the Privacy Act.
Contracting process (processus de passation des marchés) - includes bidding, negotiating, awarding, performance and termination of contracts.
Critical assets (biens essentiels) - assets supporting a critical service.
Critical service (service critique) - service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the efficient functioning of the Government of Canada.
Facility (installation) - a physical setting used to serve a specific purpose. A facility may be part of a building, a whole building, or a building plus its site; or it may be a construction that is not a building. The term encompasses both the physical object and its use.
For cause (pour un motif valable) - a determination that there is sufficient reason to review, revoke, suspend or downgrade a reliability status or a security clearance. In the context of a security assessment, a determination of whether more in-depth verifications are required.
Information technology security (sécurité des technologies de l'information) - safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information.
Integrity (intégrité) - the accuracy and completeness of assets, and the authenticity of transactions.
National interest (intérêt national) - concerns the defence and maintenance of the social, political and economic stability of Canada.
Need-to-know (besoin de connaître) - the need for someone to access and know information in order to perform his or her duties.
Physical security (sécurité matérielle) - the use of physical safeguards to prevent and delay unauthorized access to assets, detect attempted and actual unauthorized access and activate appropriate response.
Protected assets (biens protégés) - assets whose unauthorized disclosure would reasonably be expected to cause injury to a non-national interest.
Protected information (renseignements protégés) - information related to other than the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act, and the compromise of which would reasonably be expected to cause injury to a non-national interest.
Reliability status (cote de fiabilité) - indicates successful completion of a reliability check; allows regular access to government assets and, with a need to know, to protected information.
Restricted access area (aire à accès restreint) - work area where access is limited to authorized individuals.
Risk (risque) - the chance of a vulnerability being exploited.
Security clearance (cote de sécurité) - indicates successful completion of a security assessment; with a need to know, allows access to classified information. There are three security clearance levels: Confidential, Secret and Top Secret.
Security incident (incident de sécurité) - compromise of an asset, or any act or omission that could result in a compromise; threat or act of violence toward employees.
Site access clearance (cote spéciale d'accès) - required for access to installations critical to the national interest or to restricted areas for special events.
Threat (menace) - any potential event or act, deliberate or accidental, that could cause injury to employees or assets.
Value (valeur) - estimated worth, monetary, cultural or other.
Vulnerability (vulnérabilité) - an inadequacy related to security that could permit a threat to cause injury.