February 1, 2002
The Government of Canada depends on its personnel and assets
to deliver services that ensure the health, safety, security and
economic well-being of Canadians. It must manage these resources
with due diligence and take appropriate measures to safeguard
them from injury.
Threats that can cause injury to government personnel and
assets, in Canada and abroad, include violence toward employees,
unauthorized access, theft, fraud, vandalism, fire, natural
disasters, technical failures and accidental damage. The threat
of cyber attack and malicious activity through the Internet is
prevalent and can cause severe injury to electronic services and
critical infrastructures. Threats to the national interest, such
as transnational criminal activity, foreign intelligence
activities and terrorism, continue to evolve as the result of
changes in the international environment.
The Government Security Policy prescribes the application of
safeguards to reduce the risk of injury. It is designed to
protect employees, preserve the confidentiality, integrity,
availability and value of assets, and assure the continued
delivery of services. Since the Government of Canada relies
extensively on information technology (IT) to provide its
services, this policy emphasises the need for departments to
monitor their electronic operations.
This policy complements other Treasury Board policies for the
management of human resources (e.g., harassment, occupational
safety and health), official languages, information, materiel,
real property and financial resources.
To support the national interest and the Government of
Canada's business objectives by safeguarding employees and assets
and assuring the continued delivery of services.
Employees under threat of violence must be safeguarded
according to baseline security requirements and continuous
security risk management.
Assets must be safeguarded according to baseline security
requirements and continuous security risk management.
Continued delivery of services must be assured through
baseline security requirements, including business continuity
planning, and continuous security risk management.
This policy applies to all departments listed in Schedule I,
Schedule I.1 and Schedule II of the Financial Administration
Act (FAA).
It also applies to:
- Any commission under the Inquiries Act that is
designated by order of the Governor in Council as a department
for the purposes of the FAA.
- The Canadian Forces with the proviso that any reference in
this policy to employees does not include members of the Canadian
Forces.
Certain agencies and crown corporations can enter into
agreements with the Treasury Board of Canada Secretariat to adopt
the requirements of this policy and apply them to their
organization.
Deputy heads are accountable for safeguarding employees and
assets under their area of responsibility and for implementing
this policy. In the context of the Department of National
Defence, Deputy heads include the Deputy Minister of National
Defence and the Chief of the Defence Staff for the Canadian
Forces, as appropriate.
Refer to Appendix A.
Refer to Appendix B.
This policy is supplemented by:
- Operational security standards approved by the Secretary of
the Treasury Board. They contain mandatory and recommended
measures to direct and guide the implementation of the
policy.
- Technical documentation, directed and co-ordinated by the
Treasury Board of Canada Secretariat, to complement the
operational standards. This documentation includes technical
security standards, specifications, best practices and guidelines
developed and issued by lead security departments.
Departments must comply with the baseline requirements of this
policy and its associated operational standards and technical
documentation. These requirements are based on integrated
assessments of threats and risks to the national interest and to
government employees and assets. Departments must conduct their
own threat and risk assessments to determine the necessity of
safeguards above baseline levels.
The requirements of this policy complement other government
measures on the management of emergency situations (e.g., fire,
bomb threats, hazardous materials, power failures, evacuations,
civil emergencies).
The Government of Canada may direct departments to implement
heightened security levels in emergency or increased threat
situations.
10.1 Security program
Departments must appoint a Departmental Security Officer (DSO)
to establish and direct a security program that ensures
co-ordination of all policy functions and implementation of
policy requirements. These functions include general
administration (departmental procedures, training and awareness,
identification of assets, security risk management, sharing of
information and assets), access limitations, security screening,
physical security, protection of employees, information
technology security, security in emergency and increased threat
situations, business continuity planning, security in contracting
and security incident investigations.
Given the importance of this role, consideration should be
given to appointing a Departmental Security Officer with
sufficient security experience who is strategically positioned
within the organization so as to provide department-wide
strategic advice and guidance to senior management.
10.2 Sharing of information and other assets
Departments must implement this policy when sharing Government
of Canada information and other assets with other governments
(including foreign, provincial, territorial, and municipal),
international, educational and private sector organizations. In
these cases, departments must develop arrangements that outline
security responsibilities, safeguards to be applied, and
terms and conditions for continued participation.
Departments must treat information and other assets received
from other governments (including foreign, provincial,
territorial, and municipal), international (e.g., NATO),
educational and private sector organizations, in accordance with
agreements or arrangements between the parties concerned.
Departments that share in the common Information Management
and Information Technology infrastructure for on-line service
delivery and other purposes must conform to all security
standards established for that infrastructure.
10.3 Security outside of Canada
Some requirements of this policy may be difficult to apply in
certain foreign environments. In such situations, special
standards may be developed in consultation with the Department of
Foreign Affairs and International Trade.
Restrictions may be placed on personal activities at locations
where the environment is particularly dangerous. All employees,
unless on diplomatic posting and covered by the Vienna
Conventions, are automatically subject to local laws and
regulations. For travel information and specific security
arrangements and limitations, employees must contact the
Department of Foreign Affairs and International Trade or the
nearest Canadian embassy. Diplomats must be aware that serious
breaches of local laws abroad can, under Canadian law, be
prosecuted in Canada.
10.4 Contracting
This policy applies equally to the contracting process as it
does to internal government operations. The contracting
authority, whether it is Public Works and Government Services
Canada or another department, must comply with the requirements
of this policy and the security in contracting standards and
technical documentation.
The contracting authority must:
- Ensure security screening of private sector organizations and
individuals who have access to protected and classified
information and assets, as specified in the standards.
- Ensure safeguarding of government assets, including IT
systems.
- Specify the necessary security requirements in terms and
conditions in any contractual documentation.
10.5 Security training, awareness and briefings
Departments must:
- Ensure that individuals who have specific security duties
receive appropriate, up to date training.
- Have a security awareness program to inform and regularly
remind individuals of security responsibilities, issues and
concerns.
- Brief individuals on the access privileges and prohibitions
attached to their screening level prior to commencement of
duties, or when required in the update cycle.
10.6 Identification of assets
Confidentiality
Departments must identify information and other assets when
their unauthorized disclosure, with reference to specific
provisions of the Access to Information Act and the
Privacy Act, could reasonably be expected to cause injury
to:
- the national interest. Such information is classified. It
must be categorized and marked based on the degree of potential
injury (injury: "Confidential"; serious injury: "Secret";
exceptionally grave injury: "Top Secret").
- private and other non-national interests. Such information is
protected. It must be categorized and marked based on the degree
of potential injury (low: "Protected A"; medium: "Protected B";
high: "Protected C").
Availability, Integrity and Value
Departments must identify and categorize assets, especially
critical services, based on the degree of injury (low, medium,
high) that could reasonably be expected to result from compromise
to their availability or integrity. They must consider the value
(e.g., monetary, heritage) of assets in determining injury. In
order to indicate the level of safeguarding, departments should
consider marking for availability and integrity purposes.
10.7 Security risk management
Departments must conduct ongoing assessments of threats and
risks to determine the necessity of safeguards beyond baseline
levels. They must continuously monitor for any change in the
threat environment and make any adjustment necessary to maintain
an acceptable level of risk and a balance between operational
needs and security.
Threat and risk assessments involve:
- Establishing the scope of the assessment and identifying the
employees and assets to be safeguarded (see sections 10.6 and
10.10).
- Determining the threats to employees and assets in Canada and
abroad, and assessing the likelihood and impact of threat
occurrence.
- Assessing the risk based on the adequacy of existing
safeguards and vulnerabilities.
- Implementing any supplementary safeguards that will reduce
the risk to an acceptable level.
10.8 Access limitations
Departments must limit access to classified and protected
information and other assets to those individuals who have a need
to know the information and who have the appropriate security
screening level. To the extent necessary, they must also limit
access to other assets requiring additional safeguarding for
availability, integrity or value purposes. This includes ensuring
that no one individual can independently control all aspects of a
process or a system.
10.9 Security screening
The Government of Canada must ensure that individuals with
access to government information and assets are reliable and
trustworthy. For national security, it must also ensure
the individual's loyalty to Canada in order to protect itself
from foreign intelligence gathering and terrorism. Special care
must be taken to ensure the continued reliability and loyalty of
individuals, and prevent malicious activity and unauthorized
disclosure of classified and protected information by a
disaffected individual in a position of trust.
Departments must ensure that, prior to the commencement of
duties, individuals who require:
- Access to government assets (except for Governor in Council
appointees) undergo a reliability check and are granted a
reliability status.
- Access to classified information and assets have a valid
reliability status, undergo a security assessment and are granted
a security clearance at the appropriate level. This includes
foreign nationals visiting or working in a department. Certain
limitations to a security clearance may be imposed as specified
in the security screening standard.
- Access to facilities that are critical to the national
interest or to restricted areas for major events have a site
access clearance. Departments must obtain Treasury Board of
Canada Secretariat approval in order to have site access
clearance programs.
Departments must also:
- Obtain individuals' written consent before any check may be
initiated.
- Treat individuals in a fair and unbiased manner, and give
them an opportunity to explain adverse information before a
decision is reached.
- Advise individuals of their rights of review or redress in
case of denial, suspension or revocation.
- Ensure managers remain vigilant, once a reliability status or
security clearance is granted, and act on any new information
that could put into question an individual's reliability or
loyalty.
- Update reliability status and security clearances
regularly.
- For cause, review, revoke, suspend or downgrade a reliability
status or a security clearance.
A delegated manager may grant or deny a reliability status.
The DSO may grant a security clearance on behalf of the deputy
head. Only the deputy head can deny, revoke or suspend a security
clearance. Deputy heads must consult the Privy Council Office
(PCO) on any disagreement with the Security Intelligence Review
Committee recommendation on security clearances. They must also
consult with PCO on decisions to recommend to the Governor in
Council the suspension or dismissal of any individual as the
result of a denial, revocation or suspension of a security
clearance.
Departments must obtain Treasury Board of Canada Secretariat
approval of any security screening proposal involving cost
recovery.
10.10 Protection of employees
Departments are responsible under the Canada Labour
Code, Part II, and under Treasury Board policy for the health
and safety of employees at work. This responsibility extends to
situations where employees are under threat of violence because
of their duties or because of situations to which they are
exposed. Such situations include, but are not limited to, threat
letters or calls, the receipt of potentially dangerous
substances, stalking and assault.
Departments must have in place mechanisms to:
- Identify, protect and support employees under threat of
violence, based on a threat and risk assessment of specific
situations. In certain cases, protection and support may have to
be extended to family members and others.
- Report incidents to management, human resources, security and
police authorities, as may be the case.
- Provide information, training, and counselling to
employees.
- Maintain thorough records and statements on reported
incidents.
10.11 Physical security
Physical security involves the proper layout and design of
facilities and the use of measures to delay and prevent
unauthorized access to government assets. It includes measures to
detect attempted or actual unauthorized access, and activate an
appropriate response. Physical security also provides measures to
safeguard employees from violence.
Departments must ensure that security is fully integrated
early in the process of planning, selecting, designing and
modifying their facilities. They are required to:
- Select, design and modify their facilities in order to
facilitate the control of access.
- Demarcate restricted access areas, and have the necessary
entry barriers, security systems and equipment based on threat
and risk assessments.
- Include the necessary security specifications in planning,
request for proposals and tender documentation.
- Incorporate related costs in funding requirements.
Departments must also ensure the secure storage, transmittal
and disposal of classified and protected information in all
forms, in accordance with the requirements of the physical
security standards. When warranted by a threat and risk
assessment, they must also ensure the secure storage, transmittal
and disposal of other assets.
Continuous review of physical security safeguards is essential
to reflect changes in the threat environment and take advantage
of new cost-effective technologies.
10.12 Information technology security
Information systems must be secured against rapidly evolving
threats that have the potential to impact their confidentiality,
integrity, availability, intended use and value. To defend
against these threats, an IT security (ITS) strategy is required
that accommodates changes in threat conditions, which may be
sudden, and supports the continuous delivery of services. This
dictates that departments apply baseline security controls,
continuously monitor service delivery levels, track and analyse
threats to departmental IT systems, and establish effective
incident response and IT continuity mechanisms.
Departments must ensure that ITS is an integral part of each
stage in the system development life cycle. Security requirements
and related funding must be identified and included in planning,
requests for proposals, and tender documents for IT projects.
By conforming to ITS operational and technical standards,
departments will be better prepared to prevent, detect, react to
and recover from incidents.
10.12.1 Prevention
To prevent the compromise of IT systems, departments must
implement baseline security controls and any additional control
identified through a threat and risk assessment. These controls,
and the security roles and responsibilities of all personnel,
must be clearly defined, documented and communicated to
departmental program, legal, administrative, technical and
general staff.
To ensure policy compliance, departments must:
- Certify and accredit IT systems prior to operation and
subject them, including associated security safeguards, to sound
configuration management practices.
- Conduct periodic security evaluations of systems, including
assessments of configuration changes conducted on a routine
basis.
- Periodically seek review by third parties in order to
get an independent assessment.
10.12.2 Detection
Since services may rapidly degrade due to computer incidents,
ranging from a simple slowdown to a complete halt, departments
must continuously monitor the operations of their systems to
detect anomalies in service delivery levels.
10.12.3 Response
Departments must:
- In the context of investigation of security incidents
(section 10.15), establish mechanisms to respond
effectively to IT incidents and exchange incident-related
information with designated lead departments in a timely
fashion.
- Designate an IT security point of contact for communications
with respect to government-wide incident response.
- To prevent unintentional degradation of another department's
security posture, conduct security activities, including incident
response, in a manner that recognises that government is, in
effect, a single interconnected entity.
10.12.4 Recovery
To ensure the ongoing availability of critical services,
departments must develop IT continuity plans as part of their
overall business continuity planning and recovery activities.
10.13 Security in emergency and increased threat situations
Departments must develop plans and procedures to move up to
heightened security levels in case of emergency and increased
threat. The Government of Canada may direct departments to
implement heightened security levels.
Departments must co-ordinate these plans with other emergency
prevention and response plans (e.g., fire, bomb threats,
hazardous materials, power failures, evacuations, civil
emergencies).
10.14 Business continuity planning
Critical services and associated assets must remain available
in order to assure the health, safety, security and economic
well-being of Canadians, and the effective functioning of
government. Departments must establish a business continuity
planning (BCP) program to provide for the continued availability
of critical services and assets, and of other services and assets
when warranted by a threat and risk assessment.
The program shall include the following elements:
- Within the context of the departmental security program and
organization (section 10.1), a governance structure establishing
authorities and responsibilities for the program, and for the
development and approval of business continuity plans.
- Within the context of the identification of assets (section
10.6), an impact analysis to identify and prioritize the
department's critical services and assets.
- Plans, measures and arrangements to ensure the continued
availability of critical services and assets, and of any other
service or asset when warranted by a threat and risk
assessment.
- Activities to monitor the department's level of overall
readiness.
- Provision for the continuous review, testing and audit of
business continuity plans.
10.15 Investigation of security incidents
Through effective reporting and investigation of security
incidents, vulnerabilities can be determined and the risk of
future occurrence reduced.
Departments must develop procedures for reporting and
investigating security incidents and taking corrective
action.
They must also report:
- Incidents suspected of constituting criminal offences to the
appropriate law enforcement authority.
- Incidents involving the compromise of Cabinet confidences to
the Privy Council Office.
- Incidents involving threats to the national interest to the
Canadian Security Intelligence Service.
- Incidents and threats affecting the availability of critical
assets and services to the Office of Critical Infrastructure
Protection and Emergency Preparedness.
- Incidents which can be considered as a "hazardous occurrence"
or involve employee injury to the health and safety committee and
to Health and Safety Officers appointed under the Canada
Labour Code.
- Incidents that have an impact on government operations or
that could require revisions to operational standards or
technical documentation, to the Treasury Board of Canada
Secretariat.
10.16 Sanctions
Departments are required to apply sanctions in response to
security incidents when in the opinion of the deputy head there
has been misconduct or negligence.
Departments are required to conduct active monitoring and
internal audits of their security program. The results of
internal audits must be reported to the Treasury Board of Canada
Secretariat.
The Treasury Board of Canada Secretariat, with assistance from
departments, will produce a mid-term report to the Treasury Board
on the effectiveness of the policy.
This policy will be reviewed within 5 years.
The authority for this policy derives from
Section 7 of the Financial Administration Act. This policy
replaces the June 9, 1994 policy and its November 1994 and June
1995 amendments.
Legislation relevant to this policy includes:
- Access to Information Act
- Canada Labour Code
- Canadian Security Intelligence Service Act
- Charter of Rights and Freedoms
- Criminal Code
- Criminal Records Act
- Defence Production Act
- Emergency Preparedness Act
- Financial Administration Act
- Interpretation Act
- National Defence Act
- Official Secrets Act
- Personal Information Protection and Electronic Documents
Act
- Privacy Act
- Public Service Employment Act
- Public Service Staff Relations Act
- Queen's Regulations and Orders
- Young Offenders Act
Documents relevant to this policy may be found on the Treasury
Board Web site.
http://publiservice.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/siglist_e.asp
Enquiries about this policy should be directed to the
Departmental Security Officer. For interpretation of the policy,
the Departmental Security Officer should contact:
Security Policy Group, Information and Security
Policy Division
Government Operations Sector, Treasury Board of Canada
Secretariat
8th Floor, East Tower, L'Esplanade Laurier
Ottawa, Ontario, K1A 0R5
Telephone: (613) 946-5046 or 957-2534
Facsimile: (613) 952-7287
1. Treasury Board
The Treasury Board approves the Government Security
Policy.
2. Treasury Board of Canada Secretariat
As the central agency for security and service delivery issues
for the Government of Canada, the Treasury Board of Canada
Secretariat is responsible to:
- Develop and update the Government Security Policy.
- Provide strategic direction, leadership, advice and
assistance on security and service delivery issues.
- In consultation with departments, develop operational
standards and technical documentation for the general
administration of the policy, security screening, protection of
employees, security in emergency and increased threat situations,
business continuity planning, investigation of security incidents
and other related issues as required.
- Direct and co-ordinate the development of operational
standards and technical documentation for physical security,
information technology security, and security in
contracting.
- Co-ordinate the provision of security training and
awareness.
- Co-ordinate security research and development.
- Provide policy management of the strategic Information
Management/Information Technology infrastructure in support of
the Government of Canada's service delivery and business
objectives, including common information technology services and
common infrastructure accreditation.
- Monitor and report to the Treasury Board, with the assistance
of departments, on the implementation of the policy and the state
of security in the Government of Canada.
- Develop and pursue a strategy that will enable the Government
of Canada to identify, recruit, retain and continually educate
security professionals.
- Issue security policy implementation notices and
advisories.
- Represent the Government of Canada on national and
international committees related to security policy.
3. Committees
Various security related committees provide advice and
guidance to the Treasury Board of Canada Secretariat on the
implementation of the Government Security Policy, its
effectiveness, and the state of security in the Government of
Canada.
These committees also review and recommend operational
security standards and technical documentation for approval by
the appropriate authority.
4. Lead security departments
Certain departments have government-wide responsibilities
under the Government Security Policy. Specific responsibilities
of these departments are listed below.
4.1 Canadian Security Intelligence Service
As part of its role in security and intelligence, the Canadian
Security Intelligence Service (CSIS) is responsible to:
- Investigate and analyse physical and cyber threats to
national security, as defined in the CSIS Act, and provide
related advice. These threats include espionage and sabotage,
foreign influence activity and politically motivated
violence.
- Provide security and intelligence advice, including threat
and risk assessment information, to departments.
- Conduct investigations and provide security assessments, as
requested by departments for the processing of security
clearances.
- Maintain a central index of security assessments conducted
and resulting recommendations.
4.2 Communications Security Establishment
As the cryptology and information technology security (ITS)
technical authority, the Communications Security Establishment
(CSE) is responsible to:
- In consultation with the Treasury Board of Canada Secretariat
and other departments, develop operational standards and
technical documentation as it relates to Signals Intelligence
(SIGINT), Communications Security (COMSEC), and ITS in terms of
system certification and accreditation, risk and vulnerability
analysis, product evaluation, system and network security
analysis.
- Provide advice and assistance to departments on operational
standards and technical documentation developed by CSE.
- Provide security engineering services, technical and
operational assistance to support the design, implementation and
operation of government and national IT systems and
infrastructure elements.
- Develop and provide specialised SIGINT and ITS training,
especially with respect to COMSEC, network vulnerabilities and
relevant technical safeguards.
- Test, inspect and evaluate IT products and systems to
identify risks, vulnerabilities and appropriate mitigation, and
conduct related technical research and development.
- Certify private sector test and evaluation facilities.
- Assess and report on the application of COMSEC and ITS
technical safeguards in both the public and private sectors, upon
request or when mandated by security standards.
- Manage the distribution of SIGINT, cryptographic equipment,
accountable publications and key material. Operate key management
systems. Maintain the national inventory of personnel cleared for
access to SIGINT.
- Represent the Government of Canada on national and
international SIGINT and ITS committees and negotiate agreements
with allied agencies.
4.3 Foreign Affairs and International Trade
As the lead department for conducting foreign relations, the
Department of Foreign Affairs and International Trade (DFAIT) is
responsible to:
- Provide a safe and secure environment for Government of
Canada employees and assets housed at Canadian diplomatic and
consular missions abroad through the provision of operational
guidance on all aspects of physical security.
- Arrange and co-ordinate security for official visitors at
DFAIT facilities.
- As the common carrier for official communications between
departments and Canadian diplomatic missions abroad, ensure the
confidentiality, integrity and availability of common IT services
under its control.
- Provide measures to safeguard assets under its control in
Canada and abroad. Conduct or arrange the inspection of the above
measures, including those transmitted by electronic means.
- Provide advice to departments, and the means for them to
transmit and transport assets abroad in order to ensure
continuity and uniformity of safeguarding.
- Liaise with all departments to ensure they accord adequate
safeguards to North Atlantic Treaty Organization (NATO) documents
under their control.
- Process security screening for employees of non-governmental
organizations and other levels of government co-located at DFAIT
facilities abroad.
- Provide advice to departments on security initiatives with
foreign governments and international organizations.
4.4 National Archives
As the lead department responsible for the management of
government records, the National Archives of Canada is
responsible to:
- Identify security implications involved in the
identification, organization, storage, preservation, retention
and disposal of government information holdings.
- Develop and disseminate appropriate record-keeping advice and
guidance.
4.5 National Defence
As part of their roles, the Deputy Minister of the Department
of National Defence and the Chief of the Defence Staff for the
Canadian Forces are jointly or separately responsible, as
appropriate, to:
- Provide advice to departments on military intelligence for
threat and risk assessment purposes.
- Arrange and co-ordinate security for any foreign military
personnel visiting Canada or otherwise present at a defence
facility.
- Verify departments' compliance with agreements for the
safeguarding of NATO atomic information.
4.6 Office of Critical Infrastructure Protection and Emergency Preparedness
As part of its role to provide national leadership in critical
infrastructure protection and effective emergency management, the
Office of Critical Infrastructure Protection and Emergency
Preparedness (OCIPEP) is responsible to:
- In consultation with the Treasury Board of Canada Secretariat
and other departments, develop operational standards and
technical documentation relating to the protection and assurance
of the critical networks, information systems and other critical
assets of the Government of Canada.
- Assist the Treasury Board of Canada Secretariat in the
development of the business continuity planning standards and in
consultation with the Treasury Board of Canada Secretariat,
provide advice to departments on the development and maintenance
of business continuity plans.
- Provide advice to departments concerning the cyber aspects of
the protection of the networks, information systems and
infrastructures that are critical to the Government of
Canada.
- Assist departments in identifying and depicting their
critical assets, in conducting vulnerability assessments of these
assets, and providing an overall vulnerability and dependency
analysis of the Government of Canada's critical assets.
- Act as the centre for the Government of Canada, 24 hours per
day, 7 days per week for:
- departmental reporting of real or imminent threats and
incidents potentially affecting the networks, information systems
and other assets and infrastructures that are critical to the
functioning of the Government of Canada;
- monitoring and analysing cyber attacks and threats against
networks of the Government of Canada;
- issuing alerts, advisories and other information and advice
to departments related to these threats and incidents;
- co-ordinating a federal response to cyber and physical
threats or incidents affecting the functioning of the Government
of Canada;
- responding to requests from departments for specific
technical advice, guidance and information on cyber-related
incident prevention, detection, response and recovery.
- In co-operation with other departments, develop and promote
education, training and awareness programs.
- In collaboration with other departments, provide a research
and development capability to contribute to the security of
critical networks, information systems and other assets of the
Government of Canada.
- Represent the Government of Canada on national and
international committees on critical infrastructure protection
and emergency preparedness.
4.7 Privy Council Office
As part of its role to support Cabinet and set overall policy
directions for security and intelligence in government, the Privy
Council Office is responsible to:
- Establish procedures for the security of confidences of the
Queen's Privy Council for Canada and records administered under
the Cabinet Papers System.
- Advise, when requested, deputy heads on decisions to order a
formal investigation of suspected unauthorized disclosures of
Cabinet confidences.
- Advise, when requested, deputy heads on decisions to deny,
revoke or suspend security clearances.
- Advise deputy heads regarding any disagreement with a
Security Intelligence Review Committee recommendation on security
clearances, and on decisions to recommend to the Governor in
Council the suspension or dismissal of any individual as the
result of denial, revocation or suspension of a security
clearance.
- Direct departments to implement heightened security levels in
emergencies and increased threat situations.
4.8 Public Works and Government Services Canada
As a common service department for contracting, real property
management, information technology and telecommunications, Public
Works and Government Services Canada is responsible to:
- In consultation with the Treasury Board of Canada Secretariat
and other departments, develop operational standards and
technical documentation on security in contracting.
- Administer the Industrial Security Program under the
Government Security Policy and the Controlled Goods
Registration Programs under the Defence Production
Act.
- Provide advice to departments on the operational
standards and technical documentation on security
in contracting.
- Develop and provide security in contracting training.
- Maintain a database of private sector organizations
and individuals that are security screened for access to
government assets.
- Ensure compliance with the security policy in contracts that
are outside delegated contracting responsibilities of
departments, and afford access to government assets.
- On request, ensure compliance with the security policy in
contracts that are within delegated contracting responsibilities
of departments, and afford access to government assets.
- In consultation with the Department of Foreign Affairs and
International Trade, negotiate international industrial security
agreements, arrangements and memoranda of understanding on behalf
of the Government of Canada.
- Ensure international industrial security agreements,
arrangements and memoranda of understanding are complied with in
contracts that afford access to classified foreign government
information, and in contracts that afford foreign contractors
access to assets of the Government of Canada.
- Control all government Communications Security (COMSEC)
assets in the private sector.
- Ensure that contractors meet the security requirements of
contracts that involve information technology security
assets.
- When it is the custodian department, ensure the provision of
base building security.
- Ensure the confidentiality, integrity and availability of
common IT services provided to other departments.
- Represent the Government of Canada on national and
international initiatives related to industrial security and
controlled goods.
4.9 Royal Canadian Mounted Police
As lead department for federal law enforcement, with a crime
prevention mission, the Royal Canadian Mounted Police (RCMP) is
responsible to:
For Information Technology Security (ITS):
- In consultation with the Treasury Board of Canada Secretariat
and other departments, develop ITS operational standards and
technical documentation as they relate to the application of
access controls and biometrics, data forensics, media disposal,
system monitoring, malicious software, major events, reviews,
inspections and audits.
- Provide advice to departments on:
- ITS operational standards and technical documentation
developed by the RCMP;
- the process of threat and risk assessments, and
- the conduct of IT system security reviews, inspections and
audits.
- Develop and provide ITS training and awareness for users,
system-support staff and ITS officers.
- Provide technical assistance to investigations related to
IT.
- Conduct research and development on new ITS technologies and
counter-measures as it relates to cyber-crime.
- Assess and report on cyber-crime threats and
counter-measures.
- Represent the Government of Canada on national and
international law enforcement and cyber-crime prevention
initiatives.
For Physical Security:
- In consultation with the Treasury Board of Canada Secretariat
and other departments, develop operational standards and
technical documentation on the security design of facilities, the
control and monitoring of access to facilities and assets, and
the storage, transmittal, transport and disposal of assets.
- Provide advice to departments on the application of the
operational standards and technical documentation, the security
design of facilities and on physical security equipment, systems
and procedures.
- Develop and provide physical security training and
awareness.
- Review and advise on counter-technical intrusion
detection.
- Conduct related research and develop counter-measures for
physical threats.
- Represent the Government of Canada on national and
international law enforcement and physical crime prevention
initiatives.
For Security Screening:
- Provide advice to departments, and the results of Criminal
Records Name Checks (CRNC) conducted both electronically and
manually against the Canadian Police Information Centre (CPIC)
central criminal record database.
- Provide advice to departments and the results of certified
fingerprint searches against the fingerprint repository.
- Develop business procedures, technology enhancements, and
consult with other departments for continual improvement of the
CRNC and the fingerprint search processes.
- Provide criminal assessments to departments related to
individuals' reliability.
- Conduct investigations and security assessments for RCMP
personnel.
4.10 Transport Canada
As the lead department for land, air and marine security, and
administering the Aeronautics Act, Transport Canada is
responsible to administer the Airport Restricted Area Access
Program.
5. Custodian Departments
Custodian departments are responsible for, but not limited to,
the following aspects of physical security for facilities that
they administer, unless otherwise arranged with tenants:
- Providing and funding safeguards considered necessary by the
custodian to protect facilities, based on a threat and risk
assessment conducted by or for the custodian.
- Providing and funding, for specific sites and subject to a
threat and risk assessment, guard services to protect facilities
at the level the custodian considers necessary.
- Arranging for additional safeguards, where required and
funded by tenants.
- Advising tenants of proposed changes to facilities that could
affect security, and consulting tenants about proposed changes to
facility safeguards.
- Advising tenants of changes of occupancy or use in multiple
occupancy buildings that could affect security.
Accreditation (accréditation) -
the official authorisation by management for the operation of an
IT system, and acceptance by that management of the associated
residual risk. Accreditation is based on the certification
process as well as other management considerations.
Assets (biens) - tangible or intangible
things of the Government of Canada. Assets include but are not
limited to information in all forms and media, networks, systems,
materiel, real property, financial resources, employee trust,
public confidence and international reputation. (The inclusion of
information in this definition is for the purposes of this policy
only and should not be interpreted as importing any legal
consequences applicable for assets to information.)
Availability (disponibilité) - the
condition of being usable on demand to support operations,
programs and services.
Baseline security requirements (exigences
sécuritaires de base) - mandatory provisions of the
Government Security Policy and its associated operational
standards and technical documentation.
Business continuity planning (planification
de la continuité opérationnelle) - an
all-encompassing term which includes the development and timely
execution of plans, measures, procedures and arrangements to
ensure minimal or no interruption to the availability of
critical services and assets.
Certification (certification) - a
comprehensive evaluation of the technical and non-technical
security features of an IT system and other related safeguards to
establish the extent to which a particular design and
implementation meets a specific set of security requirements,
made in support of the accreditation process.
Classified assets (biens
classifiés) - assets whose unauthorized disclosure
would reasonably be expected to cause injury to the national
interest.
Classified information (renseignements
classifiés) - information related to the national
interest that may qualify for an exemption or exclusion under the
Access to Information Act or Privacy Act, and the compromise of
which would reasonably be expected to cause injury to the
national interest.
Compromise (compromission) - unauthorized
disclosure, destruction, removal, modification, interruption or
use of assets.
COMSEC - communications security: cryptographic, transmission and emission security measures
applied to information stored, processed or transmitted
electronically; a subset of information technology security.
Confidentiality (confidentialité)
- the attribute that information must not be disclosed to
unauthorized individuals, because of the resulting injury to
national or other interests, with reference to specific
provisions of the Access to Information Act and the
Privacy Act.
Contracting process (processus de passation
des marchés) - includes bidding, negotiating,
awarding, performance and termination of contracts.
Critical assets (biens essentiels) - assets
supporting a critical service.
Critical service (service critique) - service
whose compromise in terms of availability or integrity would
result in a high degree of injury to the health, safety, security
or economic well-being of Canadians, or to the efficient
functioning of the Government of Canada.
Facility (installation) - a physical
setting used to serve a specific purpose. A facility may be part
of a building, a whole building, or a building plus its site; or
it may be a construction that is not a building. The term
encompasses both the physical object and its use.
For cause (pour un motif valable) - a
determination that there is sufficient reason to review, revoke,
suspend or downgrade a reliability status or a security
clearance. In the context of a security assessment, a
determination whether more in-depth verifications are
required.
Information technology security
(sécurité des technologies de l'information)
- safeguards to preserve the confidentiality, integrity,
availability, intended use and value of electronically stored,
processed or transmitted information.
Integrity (intégrité) - the
accuracy and completeness of assets, and the authenticity of
transactions.
National interest (intérêt
national) - concerns the defence and maintenance of the
social, political and economic stability of Canada.
Need-to-know (besoin de connaître)
- the need for someone to access and know information in order to
perform his or her duties.
Physical security (sécurité
matérielle) - the use of physical safeguards to
prevent and delay unauthorized access to assets, detect attempted
and actual unauthorized access and activate appropriate
response.
Protected assets (biens
protégés) - assets whose unauthorized
disclosure would reasonably be expected to cause injury to a
non-national interest.
Protected information (renseignements
protégés) - information related to other than
the national interest that may qualify for an exemption or
exclusion under the Access to Information Act or Privacy Act, and
the compromise of which would reasonably be expected to cause
injury to a non-national interest.
Reliability status (cote de
fiabilité) - indicates successful completion of a
reliability check; allows regular access to government assets
and, with a need to know, to protected information.
Restricted access area (aire à
accès restreint) - work area where access is limited
to authorized individuals.
Risk (risque) - the chance of a
vulnerability being exploited.
Security clearance (cote de
sécurité) - indicates successful completion of
a security assessment; with a need to know, allows access to
classified information. There are three security clearance
levels: Confidential, Secret and Top Secret.
Security incident (incident de
sécurité) - compromise of an asset, or
any act or omission that could result in a compromise; threat or
act of violence toward employees.
Site access clearance (cote spéciale
d'accès) - required for access to installations
critical to the national interest or to restricted areas for
special events.
Threat (menace) - any potential event or act,
deliberate or accidental, that could cause injury to employees or
assets.
Value (valeur) - estimated worth,
monetary, cultural or other.
Vulnerability (vulnérabilité)
- an inadequacy related to security that could permit a
threat to cause injury.