The purpose of this Policy Implementation Notice (PIN) is to provide direction to departments (Footnote 1) on enabling access to web services, in accordance with the Policy on Acceptable Network and Device Use.
This PIN applies to Government of Canada (GC) electronic networks for unclassified information only. Internet-based tools and services are not to be used for communicating or storing sensitive information unless approved by the institution’s security and technical authorities.
This PIN is effective as of .
This PIN applies to all departments that are subject to the Policy on Acceptable Network and Device Use.
Departments, agencies and organizations in the Government of Canada not subject to the Policy on Acceptable Network and Device Use are encouraged to abide by this PIN to the extent possible.
The heads of the following organizations are solely responsible for monitoring and ensuring compliance with this PIN within their organizations:
The GC recognizes that open access to modern tools is essential to transforming how public servants work and serve Canadians. Open access to the Internet, including access to GC and external tools and services:
When equipped with the right tools, public servants can work more effectively. The GC must adapt to meet the demands and expectations of its clients, stakeholders, partners and employees.
The GC must also apply adequate security controls to protect users, information and assets. When access to collaboration tools and sites is restricted, instead of increasing protection, the opposite occurs. Users will find a way around the blocks if it makes their life easier. From the standpoint of IT security, connections to external tools and services are not substantially different from other connections to the Internet. Security is more than just locking things down; user experience must also be considered.
Adopting a balanced approach that considers user needs, supported by a pragmatic security program, will result in a more secure environment. Instead of banning access to certain tools and sites, making access open by default and encouraging the secure use of these tools and services will result in risks being better controlled. Consideration of the departmental risk profile and the department’s culture, mission and business objectives, and the threats that pertain to the departmental business activities, will also help determine the proportionate security measures needed to ensure the adequate protection of GC information.
Departments are to enable open access to the Internet for GC electronic networks and devices, including GC and external Web 2.0 tools and services, to authorized individuals, as per Section 6.1.3 of the Policy on Acceptable Network and Device Use (PANDU).
To ensure a consistent user experience government-wide while taking into consideration the departmental risk profile, departments are to reconfigure their web filtering rules to be open by default to the Internet, except for websites that support non-acceptable activities or behaviours which, as per Appendix C of PANDU:
Departments are expected to apply web filtering rules in accordance with Appendix A of this PIN, which provides the baseline set of website categories that are to be blocked in order to comply with legal and policy requirements. All other categories, including social media and web-based collaboration or chat tools, are to be open by default. When departments limit access outside these categories, they are expected to take a risk-based approach and document a rationale for limiting such access, approved by the departmental Chief Information Officer.
Departments are responsible for ensuring continued compliance with the Policy on Government Security and Appendix E (Departmental Considerations for Security) of PANDU and are encouraged to analyze departmental security needs and implement additional security considerations (outlined in Appendix B of this PIN) to mitigate risk to an acceptable level, according to the departmental risk profile.
Shared Services Canada (SSC) is responsible for managing web filtering tools for departments that receive their network services from SSC, as per Section 6.2 of PANDU. However, because legacy web filtering solutions were inherited from partner organizations, SSC’s ability to monitor and report is not consistent across SSC customers. SSC is investing in an enterprise web filtering capability that will provide better monitoring and reporting as networks evolve from the legacy infrastructure to the SSC enterprise service. SSC customers requiring information on the reporting capabilities of their web filtering service are to contact SSC.
For interpretation of any aspect of this PIN, contact Treasury Board of Canada Secretariat Public Enquiries.
Individuals at departments should contact their departmental information technology group for any questions regarding this PIN.
Individuals from a departmental information technology group may contact their SSC Service Delivery Management Executives for information related to their web filtering service.
Individuals from a departmental information technology group may contact the TBS Cyber Security (ZZTBSCYBERS@tbs-sct.gc.ca) mailbox for interpretations of this PIN.
Permitted use of GC electronic networks and devices by authorized individuals:
All use of GC electronic networks and devices must be in compliance with:
Use of GC electronic networks and devices must not:
See Appendix B of PANDU.
Gaining entry to an electronic network that the federal government has provided to GC-authorized individuals. Access to such electronic networks may be from inside or outside government premises. Access may support:
(Source: PANDU)
Groups of computers and computer systems that can communicate with each other, including and without limitation:
An electronic network includes wired and wireless components. (Source: PANDU)
Use of a software system that:
Recording and analysis of the use of electronic networks are used for operational purposes and for assessing compliance with government policy. (Source: PANDU)
Refers to the use of a personal social media account for purposes related to professional activities, such as:
(Source: Guideline on Acceptable Network and Device Use)
Information or asset that if compromised would reasonably be expected to cause an injury. Sensitive information includes:
(Source: Policy on Government Security)
Any activity that violates Treasury Board or departmental policy instruments or other published requirements, including but not limited to activity or behaviour that:
Also see Appendix C of PANDU.
Includes Internet-based tools and services that allow for participatory:
Web 2.0 can include social media, collaborative technologies and cloud-based tools and services. (Source: PANDU)
The following table outlines the categories to be configured for blocking, as per Appendix C of PANDU. When departments limit access outside these categories, they are expected to take a risk-based approach and document a rationale for limiting such access, approved by the departmental Chief Information Officer. There may be exceptions when justified by a risk assessment and based on job function (e.g. investigations that require access to a blocked site).
Category | Rationale |
---|---|
Anonymizer proxies (untraceable Internet traffic) | Violation of organizational or Treasury Board policies and publications |
Child abuse | Criminal offence |
Criminal activity | Criminal offence |
Games | Violation of organizational or Treasury Board policies and publications |
Hacking | Criminal offence |
Harassment | Violation of organizational or Treasury Board policies and publications |
Hate propaganda | Criminal offence |
Illegal gambling | Criminal offence |
Malicious Websites | Violation of organizational or Treasury Board policies and publications |
Obscenity | Criminal offence |
Peer-to-peer file sharing (e.g. piratebay.se, utorrent.com) | Negatively impacts the performance of GC electronic networks and devices and/or potential criminal offence |
Phishing and fraud | Criminal offence |
Piracy | Violation of organizational or Treasury Board policies and publications |
Pornography | Violation of organizational or Treasury Board policies and publications |
Sexually explicit | Violation of organizational or Treasury Board policies and publications |
Spam URLs | Negatively impacts the performance of GC electronic networks and devices |
Spyware | Criminal offence |
Terrorist, militant or extremist activities | Criminal offence |
Violence | Criminal offence |
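The open-by-default rule of Section 6.1.3 and this table can be expressed as policy-as-code so that a filtering configuration can be checked against the PIN. The following is an added illustration, not GC or SSC code; it assumes the gateway has already classified each request into a category (the sample requests are constructed), and the restriction and exception records are hypothetical structures:

```python
"""Policy-as-code check for the Appendix A web-filtering baseline (added example)."""
from dataclasses import dataclass

# Appendix A categories blocked by default (taken from the table above).
BLOCKED_CATEGORIES = frozenset({
    "anonymizer proxies", "child abuse", "criminal activity", "games", "hacking",
    "harassment", "hate propaganda", "illegal gambling", "malicious websites",
    "obscenity", "peer-to-peer file sharing", "phishing and fraud", "piracy",
    "pornography", "sexually explicit", "spam urls", "spyware",
    "terrorist, militant or extremist activities", "violence",
})


@dataclass
class DepartmentalRestriction:
    """A limit outside the baseline; only valid with a documented rationale and CIO approval."""
    category: str
    rationale: str = ""
    cio_approved: bool = False


@dataclass
class JobFunctionException:
    """Access to a blocked category for a job function, backed by a risk assessment (hypothetical)."""
    category: str
    user_group: str
    risk_assessment_ref: str


def decide(category, user_group="", restrictions=(), exceptions=()):
    """Return (allow, reason). Open by default; block only the baseline and justified restrictions."""
    cat = category.strip().lower()
    # Job-function exception to a blocked category, e.g. investigations needing a blocked site.
    for ex in exceptions:
        if ex.category.lower() == cat and ex.user_group == user_group and ex.risk_assessment_ref:
            return True, f"exception:{ex.risk_assessment_ref}"
    if cat in BLOCKED_CATEGORIES:
        return False, "appendix-a-baseline"
    # Departmental limits beyond Appendix A count only when documented and approved;
    # an undocumented or unapproved restriction falls through to open by default.
    for r in restrictions:
        if r.category.lower() == cat and r.rationale and r.cio_approved:
            return False, "departmental-restriction"
    return True, "open-by-default"


def audit(requests, **policy):
    """Evaluate (category, user_group) pairs and return monitoring records of each decision."""
    return [(cat, group, *decide(cat, group, **policy)) for cat, group in requests]
```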
Departments should apply a defence-in-depth approach, implementing measures in accordance with the threat, to manage security risks to GC electronic networks, devices and information, while balancing user needs. The following actions are recommended when enabling access to the Internet and web services:
Appendix E of PANDU includes a non-exhaustive list of measures that can be applied to further mitigate potential threats. The Guideline on Acceptable Network and Device Use provides additional guidance to departmental managers and functional specialists responsible for implementing PANDU.
Footnote 1: Throughout this document, the term “department” denotes “departments” as defined in section 2 of the Financial Administration Act, with the exceptions of paragraphs (b) and (c).
Transmission Control Protocol or Internet Protocol