Directive on Departmental Security Management
- Public Key Infrastructure in the Government of Canada, Guideline on the Management of
- Security Plan, Guideline on Developing a Departmental
- Operational Security - Business Continuity Planning (BCP) Program, Standard
- Operational Security - Readiness Levels for Federal Government Facilities, Standard
- Operational Security : Management of Information Technology Security (MITS), Standard
- Operational Security Standard on Physical Security
- Operational Standard for the Security of Information Act
- Security and Contracting Management Standard
- Security Organization and Administration Standard
- Security Screening, Standard on
1. Effective date
1.1 This directive takes effect on July 1, 2009.
1.2 The transition period for full implementation of requirements related to the departmental security plan as specified in sections 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.8, 6.1.11, 6.1.12, 6.1.21 and 6.1.23 will begin July 1, 2009, and end June 31, 2012.
2.1 This directive applies to:
- All departments within the meaning of Schedules I, I.1, II, IV and V of the Financial Administration Act (FAA),unless excluded by specific acts, regulations or Orders in Council.
3.1 The management of security is an essential component of the effective management of a department and the government as a whole. Departmental security activities must be centrally coordinated and systematically woven into day-to-day operations to ensure that individuals, information, assets and services are safeguarded, departments do not increase risks to other departments or the government as a whole, and critical services and operations continue in the event of an emergency.
3.2 This directive defines the roles and responsibilities of departmental employees who support deputy heads in the management of departmental security. These responsibilities form the basis for effective decision making and accountability related to departmental security activities. This directive also establishes the minimum security control objectives that a department must achieve to ensure that its mandate, operations, priorities and security requirements are met.
3.3 This directive is to be read in conjunction with the Foundation Framework for Treasury Board Policies and the Policy on Government Security and the Directive on Identity Management.
3.4 Additional mandatory requirements are set out in standards supporting the following subject areas:
- Information and identity assurance
- Individual security screening
- Physical security
- Information technology security
- Emergency and business continuity management
- Security in contracting
4.1 For definitions of terms used in this directive, refer to Appendix A—Definitions.
5. Directive statement
The objective of this directive is to achieve efficient, effective and accountable management of security within departments.
5.2 Expected results
The expected results of this directive are that:
- Security management is an identifiable and integral element of departmental governance, programs and services;
- Departments adopt a systematic and consistent approach to the planning, operation and monitoring of security activities;
- Minimum controls are in place within departments to support interoperability and information exchange;
- Active management of threats, vulnerabilities and incidents support the delivery of services to Canadians and government operations; and
- Security management activities within a department do not increase risk to other departments or the government as a whole.
The management of security is most effectively accomplished with the involvement and collaboration of the departmental security officer (DSO), security practitioners and managers at all levelswho have the collective corporate knowledge to understand the department's priorities, the importance of the department's information, assets, services and people, and the level of security that must be achieved to safeguard them.
6.1 Departmental security
Departmental security officer (DSO)
The DSO, designated by the deputy head in compliance with the Policy on Government Security, is to manage the departmental security program and is responsible for:
6.1.1 Developing, implementing, monitoring and maintaining a departmental security plan (DSP) that:
18.104.22.168 Provides an integrated view of departmental security requirements,
22.214.171.124 Identifies security threats, risks and vulnerabilities to determine an appropriate set of control objectives (for minimum security controls objectives departments are required to achieve, refer to Appendix C—Security Control Objectives),
126.96.36.199 Identifies and establishes minimum and additional controls when necessary to meet control objectives and achieve an acceptable level of residual risk, and
188.8.131.52 Outlines security strategies, objectives, priorities and timelines for improving the department's security posture;
6.1.2 Coordinating with security practitioners the implementation of security controls and other activities necessary to achieve the objectives and priorities of the DSP;
6.1.3 Evaluating the achievement objectives outlined in the DSP and reporting the results to the appropriate governance committees; and
6.1.4 Updating the DSP based on the results of performance measurement, evaluation and risk assessments.
6.1.5 Ensuring that accountabilities, delegations, reporting relationships, and roles and responsibilities of departmental employees with security responsibilities are defined, documented and communicated to relevant persons; and
6.1.6 Establishing security governance mechanisms (e.g., committees, working groups) to ensure the coordination and integration of security activities with departmental operations, plans, priorities and functions to facilitate decision making.
Management of security risks
6.1.7 Developing, documenting, implementing and maintaining processes for the systematic management of security risks to ensure continuous adaptation to the changing needs of the department and threat environment; and
6.1.8 Ensuring that managers at all levels formally accept or recommend for acceptance residual risks as defined in the Departmental Security Plan.
Monitoring and oversight
6.1.9 Monitoring the effectiveness of the security controls to ensure that that remain current and address the security requirements identified in risk assessments;
6.1.10 In liaison with security practitioners monitor for changes in the threat and vulnerability environments to ensure that security controls remain current and corrective action is taken when necessary.
Performance measurement and evaluation
6.1.11 Measuring performance on an ongoing basis to ensure that an acceptable level of residual risk is achieved and maintained; and
6.1.12 Implementing a quality assurance program to verify that security controls most efficiently and effectively meet departmental security requirements.
6.1.13 Reporting security incidents, issues or concerns to central security agencies and security service providers in a timely manner (refer to Appendix B—Contacts for Incident Handling);
6.1.14 Coordinating the implementation of mitigation advice provided by lead security agencies and reporting on the actions taken to the appropriate lead security agency; and
6.1.15 Participating in interdepartmental forums and committees, sharing best practices or lessons learned, and communicating departmental needs for advice, guidance and services, as appropriate.
Security practitioners are persons responsible for coordinating, managing and providing advice and services related to the security activities that are part of a coordinated departmental security program, which include but are not limited to information technology (IT) security, physical security, personnel security screening, business continuity planning and regional security operations. Security practitioners are responsible for:
6.1.16 Maintaining a functional or direct reporting relationship (depending on the structure of the department's security program) with the DSO to ensure departmental security activities are coordinated and integrated;
6.1.17 Selecting, implementing and maintaining security controls related to their area of responsibility to ensure that control objectives are achieved;
6.1.18 Evaluating the implementation and effectiveness of security controls, reporting on the achievement of control objectives to the DSO, and recommending corrective action to address deficiencies identified in performance measurement and evaluations;
6.1.19 Providing the DSO, managers at all levels and employees with expert advice on the application and effectiveness of security controls related to their area of responsibility;
6.1.20 Supporting the DSO in the development and delivery of security awareness for employees and managers at all levels; and
6.1.21 Participating in threat and risk assessments and contributing to the development of the DSP, as required.
Managers at all levels
Managers at all levels are responsible for ensuring the protection of employees and safeguarding the information, assets and services for which they are responsible. Managers are responsible for:
6.1.22 Ensuring that security requirements are integrated into business planning, programs, services and other management activities
6.1.23 Assessing security risks, formally accepting residual risks or recommending acceptance of residual risks as definedin the Departmental Security Plan and periodically reassessing and re-evaluating risks in light of changes to programs, activities or services and taking corrective action to address identified deficiencies;
6.1.24 Monitoring the implementation and effectiveness of security controls and reporting accordingly to the DSO or security practitioner, as appropriate;
6.1.25 Ensuring employees apply effective security practices in day-to-day operations; and
6.1.26 When contracts are required, identifying any security requirements and classified or protected information and assets in contractual documentation and other arrangements and confirming that contractors meet security prerequisites before granting access to government information and assets.
All employees are responsible for:
6.1.27 Safeguarding information and assets under their control whether working on- or off-site;
6.1.28 Applying security controls related to their area of responsibility to ensure that security requirements are part of their day-to-day processes, practices and program delivery (these include but are not limited to administrative and corporate practices, such as access to information and privacy (ATIP), risk management, human resources, real property, materiel management, procurement, occupational health and safety, information management (IM), IT and finance.)
6.1.29 Reporting security incidents through the appropriate channels and taking direction from the DSO and security practitioners; and
6.1.30 Maintaining awareness of security concerns and issues to ensure their actions do not compromise departmental security.
6.2 Monitoring and reporting requirements
- The DSO is responsible for:
6.2.1 Monitoring the implementation of security activities within the department and recommending appropriate remedial action to the deputy head or senior management committee (as appropriate) to address any deficiencies.
- Managers at all levels are responsible for:
6.2.2 Monitoring adherence to this directive within their area of responsibility and reporting to the DSO any security incident or breach of security.
- The DSO is responsible for:
6.2.3 Providing TBS with evidence (upon request) of the implementation and effectiveness of the departmental security program and departmental security plan, including the following:
- Description of departmental security governance and organization;
- Specific evidence related to the implementation of security controls; and
- Results of performance measurement and evaluation.
- TBS is responsible for:
6.2.4 Monitoring compliance with all aspects of this directive and the achievement of expected results in a variety of ways, including but not limited to assessments under the Management Accountability Framework (MAF) and examination of Treasury Board submissions, departmental performance reports, and results of audits, evaluations and studies.
7.1 The deputy head is responsible for investigating and responding to issues of non-compliance with this directive. The deputy head is also responsible for ensuring appropriate remedial actions are taken to address these issues.
7.2 If the Secretary of the Treasury Board determines that a department may not have complied with any requirements of this directive, the secretary of the Treasury Board may request that the deputy head:
7.2.1 Conduct an audit or a review, the cost of which will be paid from the department's reference level, to assess whether requirements of this directive have been met; and/or
7.2.2 Take corrective actions and report back on the outcome.
Legislation relevant to this directive includes the following:
- Access to Information Act
- Canada Labour Code
- Canada Occupational Health and Safety Regulations
- Canadian Charter of Rights and Freedoms
- Canadian Human Rights Act
- Canadian Security Intelligence Service Act
- Criminal Code
- Criminal Records Act
- Emergency Management Act
- Federal Real Property and Federal Immovables Act
- Financial Administration Act
- Library and Archives of Canada Act
- Privacy Act
- Public Servants Disclosure Protection Act
- Public Service Employment Act
- Public Service Labour Relations Act
- Security of Information Act
- Statistics Act
- Youth Criminal Justice Act
Treasury Board policies and regulations relevant to this directive include the following:
- Access to Information, Policy on
- Communications Policy of the Government of Canada
- Contracting Policy
- Controlled Goods Directive
- Evaluation, Policy on
- Federal Identity Program
- Fire Protection, Investigation and Reporting, Policy on
- Government Security, Policy on
- Identity Management, Directive on
- Foundation Framework for Treasury Board Policies
- Information and Technology, Policy Framework for
- Information Management, Policy on
- Information Management Roles and Responsibilities, Directive on
- Integrated Risk Management Framework
- Internal Audit, Policy on
- Internal Control, Policy on
- Learning, Training, and Development, Policy on
- Long-Term Capital Plans, Policy on
- Losses of Money and Offences and Other Illegal Acts Against the Crown, Policy on
- Management of Assets and Acquired Services, Policy Framework for the
- Management of Compensation, Policy Framework for the
- Management of Information Technology, Policy on
- Management of Materiel, Policy on
- Management of Real Property, Policy on
- Management, Resources and Results Structure, Policy on
- Occupational Safety and Health
- Official Languages for Human Resources Management, Policy on
- Official Languages Policy Framework
- Operational Security Standard - Business Continuity Planning (BCP) Program
- Operational Security Standard - Management of Information Technology Security (MITS)
- Operational Security Standard - Physical Security
- Personnel Security Standard
- Privacy Protection, Policy on
- Project Management Policy
- Risk Management, Policy on
- Security and Contracting Management Standard
- The Values and Ethics Code for the Public Service
Other policy instruments relevant to this directive:
- Communications security (COMSEC) policy instruments
Please direct enquiries about this directive to your DSO. For interpretation of this policy, the DSO should contact Security and Identity Management Division.
- for cause (pour un motif valable)
- A determination that there is sufficient reason to review, revoke, suspend or downgrade a reliability status, a security clearance or site access.
- integrity (intégrité)
- The state of being accurate, complete, authentic and intact.
- managers at all levels (gestionnaires à tous les niveaux)
- Includes supervisors, managers and executives.
- protected asset or information (renseignement ou bien protégé)
- An asset or information that may qualify for an exemption or exclusion under the Access to Information Act or the Privacy Act because its disclosure would reasonably be expected to compromise the non-national interest.
- residual risk (risque résiduel)
- Level of risk remaining after security measures have been applied
- security program (programme de sécurité)
- A group of security-related resource inputs and activities that are managed to address a specific need or needs and to achieve intended results.
Appendix B—Points of Contact for Incident Handling
The DSO or other designated individual is responsible for reporting security incidents and incidents suspected of constituting a national threat or a threat to an organization other than their own as follows:
- National security concerns, including those related to terrorism, are reported to the Canadian Security Intelligence Service (CSIS) at 613-993-9620.
- Suspected criminal activity is reported to the RCMP National Operations Centre (NOC), a 24/7 service, at 613-993-4460 (reports or calls may be redirected to local law enforcement organizations as appropriate).
- Enquiries related to law enforcement assessments are directed to Operational Support and Client Services of the RCMP Canadian Criminal Real Time Identification Services (CCRTIS) by email at RTID_ITR@rcmp-grc.gc.ca.
- Cyber incidents, physical security breaches of critical systems or services, and IT or IT security incidents that are not part of normal operations, cause or may cause a disruption to or reduction in the quality of service or productivity, or are characterized by an unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource are reported as per the GC IT Incident Management Plan.
- Incidents involving accountable COMSEC material must be reported to DSO of the department in which the COMSEC incident occurred
Appendix C—Security Control Objectives
Departments are responsible for selecting, implementing, monitoring and maintaining sustainable security controls to achieve the security control objectives. Security controls may be administrative, managerial, operational, technical or procedural. Mandatory and recommended security controls are specified in standards and guidelines that support the Policy on Government Security. Additional security controls and control objectives are selected and implemented by departments based on the results of risk assessments.
- Information is protected from unauthorized access, use, disclosure, modification, disposal, transmission or destruction.
- Information is identified and categorized based on the degree of injury that could be expected to result from the compromise of its confidentiality,
availability or integrity.
- Information is identified and categorized as Classified (Confidential, Secret or Top Secret) when unauthorized disclosure could reasonably be expected to cause injury to the national interest.
- Information is identified and categorized as Protected (A, B and C ) when unauthorized disclosure could reasonably be expected to cause injury to interests other than the national interest.
- Information is identified and categorized as High, Medium or Low when unauthorized disclosure, modification, interruption or destruction could reasonably be expected to result in compromise of its availability or integrity.
- Access to classified and protected information is limited to authorized individuals who have been security screened at the appropriate level and who have an express need for access.
- Modification and destruction of information is limited to authorized individuals.
- Appropriate security measures are in place for accessing, storing, transmitting and disposing of information.
- The security of information is addressed through all phases of its life cycle or the life cycle of the information system to ensure security requirements are identified early, security controls are reviewed, management authorization is provided before operation and authorization is maintained through continuous monitoring of the security posture.
Individual security screening
- All individuals who require access to government information, assets or facilities undergo an examination of their trustworthiness and honesty and, as appropriate, loyalty or reliability as it relates to loyalty to Canada before being granted access to government information, assets or sites.
- The security screening process is fair, objective and respectful of individual rights, including privacy.
- Individuals are formally briefed on access privileges and prohibitions attached to their screening level before the commencement of their duties, when required in the update cycle, and whenever a change occurs in their screening level, and they are required to sign appropriate briefing forms.
- Individuals are treated in a fair manner should their security screening status come under review, be revoked, denied, temporarily suspended or downgraded for cause.
- Security screenings are conducted in a manner that meets Government of Canada (GC) standards and enables them to be transferred between departments.
- Information, assets and facilities are protected from unauthorized access, disclosure, modification or destruction, in accordance with their level of sensitivity, criticality and value.
- Access to government assets and facilities is limited to authorized individuals who have been security screened at the appropriate level and who have an express need for access.
- Custodian-tenant relationships are defined in a formal agreement that ensures shared and individual responsibilities are addressed to achieve optimum security outcomes.
- Security considerations are fully integrated into the process of planning, selecting, designing, modifying, building, implementing, operating and maintaining facilities and equipment.
- External and internal environments of a facility are managed to create conditions that, together with specific physical security controls, reduce the risk of workplace violence, protect against unauthorized access, detect attempted or actual unauthorized access and activate an effective response.
- Containers, processes and procedures defined or recommended in GC standards and guidelines are used for the transport, transmittal, or destruction of protected and classified information and assets.
- IT security considerations are fully integrated to meet business objectives at each stage of the IT system's life cycle, including definition, design, development, operations, maintenance and decommissioning.
- Users must be identified and authenticated before access is granted to IT systems.
- Access to electronic information and IT systems is limited to authorized users, including the types of transactions and functions that authorized users are permitted to exercise, based on business and security requirements.
- Confidence in the security of IT systems is assured through the following:
- Assessing security controls;
- Reducing or eliminating deficiencies;
- Authorizing before operation; and
- Maintaining authorization.
- The IT security posture is continuously maintained by monitoring threats and vulnerabilities, detecting malicious activity and unauthorized access, and taking both pre-emptive and response actions to minimize effects.
- IT system audit logs and records are created, protected and retained to enable monitoring, analysis and investigation so that users can be held accountable for their actions.
- Data on all portable electronic media and devices are protected and sanitized or destroyed before disposal or reuse of the equipment.
- Electronic communications are protected by network security zones and perimeter defence at network boundaries.
Security in contracting
Security requirements are identified, addressed, formally documented, implemented and monitored in all phases of the procurement and throughout the life cycle of the contract.
- Information, assets, systems and facilities entrusted to industry meet the industrial security requirements and are afforded an appropriate level of protection throughout their life cycle.
Sharing information and assets with other governments and organizations
- Government information, assets and facilities entrusted to or shared with organizations outside the GC are afforded an appropriate level of protection throughout their life cycle.
- Third-party information and assets entrusted to the GC are afforded an appropriate level of protection throughout their life cycle.
- Documented arrangements clearly outline respective accountabilities and responsibilities of participants, in accordance with government and industry standards, and are periodically reviewed to confirm that they are still appropriate and relevant.
Obtaining security services from other organizations
- Formal arrangements are established when security services are obtained from another organization.
- Arrangements contain security provisions that clearly outline respective accountabilities and responsibilities of the department and the service provider.
- Monitoring is conducted to verify compliance with security provisions, assess their continued relevance and update them as necessary.
- A departmental security awareness program covering all aspects of departmental and government security is established, managed, delivered and maintained to ensure that individuals are informed and regularly reminded of security issues and concerns and of their security responsibilities.
- Individuals understand and comply with their security responsibilities and do not inadvertently compromise security.
- DSOs, security practitioners and other individuals with specific security responsibilities receive appropriate and up-to-date training to ensure they have the necessary knowledge and competencies to effectively perform their security responsibilities and do not inadvertently compromise security.
Security incident management
- Measures are taken to ensure preparedness and timely mitigation, response or recovery from security incidents and to prevent or minimize effects and potential losses.
- Incidents that affect, or have the potential to affect, government-wide preparedness, mitigation, response or recovery from threats and vulnerabilities are reported to the appropriate lead security agency or law enforcement authority (see Appendix B—Points of Contact for Incident Handling), and as appropriate, other departments when there is reason to believe that the security breach originated from that department
- Post-incident analysis and follow-up is conducted and communicated to the appropriate lead security agency.
Protection of employees from workplace violence
- Protective measures are in place to safeguard employees (and family members, if deemed necessary based on threat and risk assessment of specific situations) from workplace violence that could arise because of their duties or situations to which they may be exposed in the course of their work.
- Information and training is available to employees regarding the handling of such situations.
- Thorough records and statements are maintained on reported incidents involving workplace violence.
- Routine inspections are conducted of sites or systems where sensitive information and assets are processed or stored to ensure compliance with departmental security requirements (e.g., checking office areas during limited-access hours).
- Security inspections are conducted in a manner that conforms to collective agreements and underlying legislation, are reasonable in the circumstances, and their procedures are made known to employees in advance of being performed.
- Security inspections are conducted by assigned persons and do not target specific employees.
- Suspected violations or breaches of security are reported without delay and investigated as a basis for remedial action or reporting to the responsible authorities, as appropriate.
Administrative investigations related to security incidents
- Investigations are conducted in a manner that does not jeopardize or compromise evidence, the rights of individuals or civil or criminal proceedings.
- Procedures are developed and implemented to establish the conditions under which each administrative investigation will be conducted.
- Incidents suspected of constituting criminal offences are reported to the appropriate law enforcement authority and protocols are established to ensure cooperation between the department and law enforcement agencies.
- Parties involved in the investigation are appropriately informed of their rights and obligations.
Security in emergency and increased threat situations
- Plans and procedures are in place to escalate to heightened security levels in case of emergency and increased threat.
- Departments can coordinate with other emergency prevention and response plans (e.g., fire, bomb threats, hazardous materials, power failures, evacuations or civil emergencies) in the event of an emergency or increased threat situation.
Emergency and business continuity planning
- Business continuity plans and contingency plans support the recovery and restoration of critical business services and functions and their associated assets and resources for uninterrupted minimum service delivery.
- Departmental services and assets are analyzed, identified and prioritized in terms of criticality
- An up-to-date inventory of critical services and associated information, assets and dependencies is maintained and provided to Public Safety Canada as requested.
- Business continuity plans and recovery strategies are developed and arrangements made for all critical services.
- Business continuity plans are tested and readiness exercises conducted to ensure efficient and effective response and recovery.