Rescinded - Policy on Electronic Authorization and Authentication
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.
This policy is replaced by:
1. Effective date
This policy takes effect on July 15, 1996 and replaces the former version dated October 1, 1994.
- Electronic authorization and authentication (EAA) is the electronic process that affixes proof of authorization to a transaction, contributes to the protection of data integrity and ensures that the authorizer can be identified. Together with appropriate management practices, this will result in accountability controls for the conduct of electronic business.
- Sound management practice requires departments to establish and maintain adequate controls within their systems to ensure the completeness, accuracy, and authority of all business transactions. These controls are also essential to good management control and accountability.
- With the advancement of technology, the availability of powerful electronic workstations and networks, and the requirement to make operations as efficient as possible, government administrative systems are moving towards seamless, on-line systems and a paperless environment, which the government encourages.
- Manual controls are used in paper-based systems. For example, a signature has always been the most desirable form of evidence of authorization or of confirmation of work performed. A signature clearly designates who is assuming responsibility for each control function and is suitable at all levels of responsibility.
- These controls are an essential part of any system and ensure that all transactions are entered and processed accurately, and that information is properly authorized. In general, standards of accuracy and authority required for transaction data apply equally to financial, operational and administrative data.
- In a paperless environment there must be an electronic alternative available to replace the function of the paper signature. Controls would ensure that the electronic signature is as unique to an individual as his or her own signature and that the integrity of that signature is maintained to ensure both the accountability and protection of the person assuming responsibility.
- This policy aims to ensure that appropriate controls are in place to maintain the integrity of transactions and their related authorization throughout the process.
- Another important aspect of paperless systems is that the delegation of authorities process could also be paperless. In such cases the delegation of authorities and their communication would be done electronically. Electronic delegation matrices that delineate the authority of each user would replace delegation charts. A combination of user identification codes, passwords, personal authorization numbers, special keys in personal access devices, verification of physical characteristics, etc., would replace signatures. Validation and authentication processes would replace specimen signature cards.
- This policy aims to ensure that the integrity of the electronic delegation of authorities and authentication processes are maintained.
- The Communications Security Establishment (CSE) is responsible for providing departments with endorsements or approvals of cryptography and key management processes for the protection of classified information, as well as for the protection of designated information. The CSE is the Government of Canada authority for approving encryption, digital signature algorithms, key management algorithms and key management systems used in electronic authorization and authentication processes. Departments may also request CSE guidance regarding the requirements for and the strength of non-cryptographic security features required for the implementation of EAA processes.
- The Security Policy, Chapter 1-1 of the "Security" volume, Treasury Board Manual contains other central agencies' security responsibilities.
For the purposes of this policy:
- Business transaction (opération commerciale)
- is any event, condition, action or commitment, the result of which is the acquisition, disposition or use of assets or resources; the increase or reduction in a liability; the receipt or payment of funds; or the provision of services for which a client is charged. Business transactions occur commonly in, but are not limited to, such diverse areas as finance, administration, personnel, contracts, and program management. Business transactions may also include formal approvals or authorizations such as correspondence.
- Electronic authorization (autorisation électronique)
- is the process by which a digital signature is linked to an electronic business transaction to signify that a person with delegated authority has effectively authorized the further processing of that data and cannot credibly deny that s/he has done so.
- Electronic authentication (authentification électronique)
- is the process by which an electronic authorization is verified to ensure, before further processing, that the authorizer can be positively identified, that the integrity of the authorized data was preserved and that the data are original.
- Confidentiality (confidentialité)
- refers to information being made available or disclosed only to individuals, entities or processes authorized to see or use that information.
- Data integrity (intégrité des données)
- is the quality or condition of being accurate and complete and not altered or destroyed in an unauthorized manner.
- Digital signature (signature numérique)
- is the cryptographic transformation of data, which when added to a message, allows the recipient to verify the signer and whether the initial message has been altered or the signature forged since the transformation was made.
- Encryption (chiffrage)
- is the process by which plain text data are transformed to conceal their meaning or provide data integrity. Encryption is a reversible process effected by using a cryptographic algorithm and key.
- Key management (gestion des clés)
- is a process designed to ensure that the keys and keying material used in the authorization and authentication process are managed in accordance with a security policy. The process includes the generation, distribution, application, certification, storage, archiving and destruction of keys. A key is a sequence of symbols that controls the operation of encryption and decryption.
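The definitions of electronic authorization and electronic authentication above, together with the policy's requirements for a delegation matrix, an audit trail and protection against duplication, as an added Go example that is not part of the policy text. The transaction format, the spending-limit form of the delegation matrix and the use of Ed25519 signatures are assumptions of this example, not anything the policy specifies.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
)

// Transaction is the signed business data; the field set is a constructed illustration.
type Transaction struct {
	ID         string  `json:"id"`
	Authorizer string  `json:"authorizer"`
	Amount     float64 `json:"amount"`
}

func encode(t Transaction) []byte { b, _ := json.Marshal(t); return b }

type Authenticator struct {
	Limits map[string]float64           // electronic delegation matrix: authorizer -> limit
	Keys   map[string]ed25519.PublicKey // signing key registered for each authorizer
	Seen   map[string]bool              // transaction IDs already processed
	Audit  []string                     // audit trail of every authentication outcome
}

func NewAuthenticator(limits map[string]float64, keys map[string]ed25519.PublicKey) *Authenticator {
	return &Authenticator{Limits: limits, Keys: keys, Seen: map[string]bool{}}
}

// Authorize links a digital signature to the transaction data (electronic authorization).
func Authorize(t Transaction, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, encode(t))
}

// Authenticate checks, in the policy's terms, that the authorizer is positively identified
// and within delegated authority, the data are unaltered, and the transaction is original.
func (a *Authenticator) Authenticate(t Transaction, sig []byte) string {
	outcome := "accepted"
	pub, known := a.Keys[t.Authorizer]
	switch {
	case !known || !ed25519.Verify(pub, encode(t), sig):
		outcome = "rejected: authorizer not identified or data altered"
	case t.Amount > a.Limits[t.Authorizer]:
		outcome = "rejected: amount exceeds delegated authority"
	case a.Seen[t.ID]:
		outcome = "rejected: duplicate of a processed transaction"
	default:
		a.Seen[t.ID] = true
	}
	a.Audit = append(a.Audit, t.ID+" by "+t.Authorizer+": "+outcome)
	return outcome
}
```

Every outcome, accepted or rejected, is appended to the audit trail so the sequence of events can be reconstructed, as the policy requires.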
4. Policy objective
To ensure adequate control and protection of business transactions in electronic form through proper authorization and authentication.
5. Policy statement
It is government policy that electronic business transactions must be properly authorized, validated and safeguarded against loss, alteration, duplication, substitution or destruction.
- This policy applies to all organizations considered to be departments within the meaning of Section 2 of the Financial Administration Act (FAA).
- This policy applies to all electronic business systems where transactions are authorized electronically.
- For systems under development, this policy is effective within two years of its coming into force. Existing systems need not comply with this policy unless a new threat and risk assessment indicates a requirement for electronic authorization and authentication.
- Existing systems using digital signatures should conform to this policy within the next two years.
7. Policy requirements
- The integrity of electronic business transactions must be maintained at all times.
- A digital signature must be used to authorize electronic business transactions.
- The method used to generate the digital signature must employ both special knowledge (e.g. password) and physical possession of an object (e.g., diskette, token or card etc.).
- For every system where a digital signature is used, a risk and threat analysis will determine whether a physical object must be used. For existing systems and systems under development, departments are allowed a period of two years starting from the effective date of this policy to complete the risk and threat analysis and meet the requirements of the policy.
- When physical objects such as diskettes, tokens or cards are used, departments must ensure that every object holder is informed of his or her responsibilities and restrictions regarding the use of the objects and agrees to them. Physical objects are to be used as personal access devices which link an object with only one individual.
- Electronic authorizations of electronic business transactions must be authenticated.
- The electronic authentication process must effectively and positively identify the authorizer, in such a way that he or she will not be able to credibly deny having authorized a transaction.
- A complete audit trail of the electronic business transactions, including electronic authorization and authentication, must be maintained.
- The integrity and confidentiality of the electronic authorization and authentication system and processes must be maintained at all times.
- When required, the confidentiality of transactions will be ensured by encrypting part or all of the data or transaction.
- Departments must perform a threat and risk assessment to evaluate the potential threats to the electronic business system as well as to the electronic authorization and authentication process and to determine the level of control required to minimize the risks, commensurate with costs.
- Departments must establish policies and procedures that will ensure that an adequate level of control is maintained on all processes involving the electronic authorization and authentication of business data.
- Departments must establish policies and procedures that will ensure that the distribution and communication of authorities and the delegation process itself, when in an electronic form, are protected by an approved digital signature and key management process. Encryption and key management processes for EAA must be endorsed or approved by CSE.
- Departments will conduct internal audits of their compliance with this policy and the efficiency of its implementation.
- The Treasury Board Secretariat will monitor compliance with this policy through internal audit reports.
- In addition, the Treasury Board Secretariat will conduct, in consultation with departments, operational reviews to assess the effectiveness of the policy.
9. Performance indicators
Departments are responsible for the effective and efficient implementation of this policy. Performance indicators should relate primarily to:
- effectiveness of the process of authorization and authentication for electronic business transactions;
- adequacy of threat and risk assessment reviews to periodically confirm that the level of control is appropriate; and,
- efficiency of documentation (e.g. policies, procedures, training material) and systems to ensure effective authorization and authentication of electronic transactions.
This policy is issued under the authority of the Financial Administration Act.
10.2 Treasury Board Secretariat publications
- Blueprint for Renewing Government Services Using Information Technology.
- Information Technology Standards TBITS 10.1 Government of Canada Implementation Guideline for Electronic Data Interchange Security - Technical Specifications.
- Security Policy, Chapter 1-1 of the "Security" volume, Treasury Board Manual.
- Information Technology Security Standard, Chapter 2-3 of the "Security" volume, Treasury Board Manual.
10.3 Other publications
- Communications Security Establishment, Government of Canada Security, Government of Canada Electronic Authorization and Authentication Guideline, CID/01/15.
- Communications Security Establishment, A Guide to Security Risk Management for Information Technology Systems.
- Royal Canadian Mounted Police, Guide to Threat and Risk Assessment for Information Technology.
Enquiries about this policy should be directed to your departmental Security Officer at headquarters. For interpretation of this policy, departmental headquarters should contact:
Financial and Contract Management Sector
Financial and Information Management Branch
Treasury Board Secretariat
Telephone: (613) 957-7233
Facsimile: (613) 952-9613
For assessments, advice and guidance on the implementation of electronic authorization and authentication provisions involving encryption, digital signature algorithms, and key management systems, contact:
ITS Client Services
Communications Security Establishment
P.O. Box 9703, Ottawa Postal Terminal
Telephone: (613) 991-7532
Facsimile: (613) 991-7411
Appendix A - Guidelines
- Threat and risk assessment is a process used to identify operations and data whose protection is essential and to determine the appropriate level and scope of controls required. The frequency of threat and risk assessments will depend on such factors as the vulnerability to potential financial or data losses or the potential embarrassment to the minister or government. Changes to external factors that could make current controls ineffective should also be triggers for threat and risk assessments. An example of such a change is the appearance of new software programs designed to circumvent information technology safeguards, which may be used to gain unauthorized access. Therefore, threat and risk assessments should be conducted periodically, and controls should be identified to protect the integrity, confidentiality and authentication of business transactions.
- A sound EAA control framework will include the following:
- Access control
- Access control ensures that at all times only authorized persons have access to the data (before and after authorization), the application program files, the electronic authorization and authentication data and program files, and the telecommunication facilities. Access control includes both logical access controls and physical access controls.
- Logical access control should include the following: user ID, password, portable security device such as a smart token, diskette, smart card, smart disk, etc. used in combination with user profiles, electronic delegation matrices, and security software.
- Physical access control includes providing a secure area, locked rooms or a security device attached to the computer. The need for and nature of physical access controls over the various components of the system should be based on threat and risk assessments.
- Appropriate logs of logical and physical access and reporting procedures should be in place to identify problems quickly and facilitate immediate action to resolve them.
- Key management
- Key management policies and procedures should deal with the protection of the keys (e.g. passwords, authentication codes, physical devices, etc.) used in the authorization and authentication processes. This should include the protection of the keys used to generate other keys, of the encryption algorithms, of the authorization and authentication files and programs and of the physical devices.
- Key management includes the full life cycle of the keying material: generation, distribution, application, certification, storage, archiving, and destruction of certificates and keys.
- The electronic authorization and authentication system and processes should be designed to ensure complete auditability. The audit trail should include delegation matrices, user profiles and all the electronic authorization and authentication data and files required to reconstruct the sequence of events and the transactions processed.
- When an electronic authorization and authentication system is considered by a department, the project team should include representatives from the audit and information technology security areas.
- Electronic authorization and authentication requirements should be considered early in the application system development life cycle.
- Departments should not require paper transaction documents with signatures where electronic transactions with digital signatures replace them. Conversely, departments may determine that paper based transaction processes are a viable alternative where electronic processing is not possible, efficient or cost effective. Such decisions should be based on a threat and risk assessment and/or, where appropriate, a business case.