Directive on Security Management

• A.2.2.1 Conduct security screening in accordance with the Standard on Security Screening, including:
  1. Security screening requirements and practices;
  2. Collection, use, disclosure, retention and disposition of personal information for security screening;
  3. Evaluation, decision-making and review for cause;
  4. Review and rights of redress; and
  5. Aftercare.

The procedures and subsections are as follows:

• B.2.2.1For all information systems that support departmental programs, services or activities or that hold departmental information or information under the custody or control of the department:
  • B.2.2.1.1Identify pertinent physical security, business continuity, disaster recovery and information security requirements;
  • B.2.2.1.2Identify and assess threats to which information systems are exposed; and
  • B.2.2.1.3Define and document requirements for ensuring the protection of departmental information systems throughout their life cycle, commensurate with identified security requirements and threats, and in accordance with applicable legislation, policies, contracts, agreements and memoranda of understanding; and
• B.2.2.2Define and document departmental security practices for implementing and maintaining IT security controls, including practices for conducting IT security assessment and authorization, in accordance with departmental security requirements.

• B.2.3.1Identification and authentication management: Implement measures to ensure that individuals and devices are uniquely identified and authenticated to an appropriate level of assurance before being granted access to information in information systems, in accordance with Appendix A: Standard on Identity and Credential Assurance of the Directive on Identity Management.
• B.2.3.2Access management: Implement measures to ensure that access to information (electronic data) and information systems is limited to authorized users who have been security-screened at the appropriate level and who have a need for access:
  • B.2.3.2.1Establish approval, notification, monitoring and operational requirements and procedures for the creation, activation, modification, periodic review, and disabling or deletion of information system accounts;
  • B.2.3.2.2Define access privileges based on departmental security requirements and the principles of least privilege, segregation of duties, and acceptable use of government information systems;
  • B.2.3.2.3Inform authorized users of expectations for acceptable use of government information systems, of monitoring practices being applied, and of the consequences for unacceptable use of those systems;
  • B.2.3.2.4Establish measures to control the use of accounts that have administrative privileges, including restricting the number of users who have administrative privileges, and restricting the information systems, networks and applications that can be accessed and the operations that can be performed using privileged accounts;
  • B.2.3.2.5Verify that individuals who are authorized to conduct privileged operations, such as setting or changing access privileges and implementing or maintaining other IT security controls, are not permitted to alter records of these operations and have been security-screened commensurate with their access level; and
  • B.2.3.6Review access privileges periodically, and remove access when it is no longer required (for example, when an employee leaves or changes responsibilities).
• B.2.3.3Security in IT configuration management: Manage the configuration of information systems to maintain known and approved system and component designs, settings, parameters and attributes:
  • B.2.3.3.1Ensure that change management practices consider security impacts that may result from proposed changes;
  • B.2.3.3.2Design and configure information systems to provide only required capabilities and to specifically prohibit, disable or restrict the use of unnecessary functions, ports, protocols and services;
  • B.2.3.3.3Establish measures to ensure that only authorized applications and application components are installed and executed on information systems and their components; and
  • B.2.3.3.3Establish measures to ensure that only authorized hardware and devices are connected to, or have access to, information systems and their components.
• B.2.3.4Secure data storage management: Implement measures to protect information on electronic media and electronic storage devices at rest (for example, in use or in storage), in transit (for example, in transport or in transmittal), and through appropriate sanitization or destruction before reuse or disposal of the equipment, commensurate with the sensitivity of the information and in accordance with departmental practices:
  • B.2.3.4.1Identify secure electronic storage, transportation, transmittal, sanitization and destruction devices, methods and services that are authorized for use in the department, including but not limited to portable storage devices; and
  • B.2.3.4.2Implement appropriate safeguards where other devices, methods or services are used for operational purposes, subject to approval by an individual who has the required authority.
• B.2.3.5Physical and environmental protection: Implement measures to protect information systems, their components, and the information processed from physical and environmental threats, commensurate with the sensitivity of the information:
  • B.2.3.5.1Implement appropriate physical and environmental safeguards in facilities where information systems are developed, operated, maintained or stored;
  • B.2.3.5.2Place physical information system components in appropriate physical security zones; and
  • B.2.3.5.3Use emanations security or other measures, as required, to protect information systems from information leakage owing to the emanation of electromagnetic signals.
• B.2.3.6System and communications protection: Implement measures to protect information systems and their components, as well as the information they process and transmit, from internal and external network-based threats, such as threats related to the use of public networks, wireless communications and remote access:
  • B.2.3.6.1Define and establish security zones to maintain appropriate separation within physical and virtual IT environments, and ensure that information systems (including virtual instances) that reside in these environments are provided with consistent protection levels that are commensurate with the threat type and level, the sensitivity of the information, and other pertinent security considerations, such as criticality of services and activities supported by the information system;
  • B.2.3.6.2Restrict the number of discrete external connections to departmental networks to the minimum necessary to meet departmental and government requirements; and
  • B.2.3.6.3Use encryption and network safeguards to protect the confidentiality of sensitive data transmitted across public networks, wireless networks or any other network where the data may be at risk of unauthorized access.
• B.2.3.7System and information integrity management: Implement measures to protect information systems, their components and the information they process and transmit against attacks that leverage vulnerabilities in information systems to affect their integrity and that could have an impact on their availability or confidentiality (for example, malicious code):
  • B.2.3.7.1Monitor information systems to detect attacks and indicators of potential attacks; unauthorized local, network and remote connections; and unauthorized use of IT resources;
  • B.2.3.7.2Identify, document and report vulnerabilities in information systems and their components to the responsible security functional specialist and others, as defined in the department’s security governance and security event management processes;
  • B.2.3.7.3Analyze impacts of identified vulnerabilities, and implement corrective actions (for example, apply patches and updates, in accordance with defined timelines and, as required, on an emergency basis);
  • B.2.3.7.4Coordinate processes for managing vulnerabilities in information systems with departmental and government-wide security event management processes;
  • B.2.3.7.5Use, review and regularly update measures to prevent, detect and eliminate malicious code (for example, viruses) in information systems and their components; and
  • B.2.3.7.6Establish source authentication and other mechanisms, where required, to ensure that information (for example, messages and financial transactions) can be attributed to an authorized individual.
• B.2.3.8Information system audit management: Create, protect and retain information system audit logs and records to enable monitoring, reporting, analysis, investigation and implementation of corrective actions, as required, for each system, in accordance with departmental practices:
  • B.2.3.8.1Implement measures to enable user activities to be authoritatively audited, to ensure that users are accountable for their activities; and
  • B.2.3.8.2Monitor the acceptable use of government information systems, regardless of location of access or system used, and report through appropriate channels potential instances of unacceptable use in the department.
• B.2.3.9Security in IT maintenance: Ensure that the maintenance of information systems and their components is authorized and recorded and that the maintenance conforms to departmental security practices:
  • B.2.3.9.1Ensure that individuals performing maintenance have appropriate authorization, access and direction in the performance of their duties.
• B.2.3.10IT continuity management: Establish mechanisms to enable information systems to maintain or return to defined service levels, as applicable:
  • B.2.3.10.1Define recovery strategies and restoration priorities for data and information systems, in accordance with departmental business continuity requirements;
  • B.2.3.10.2Implement measures to meet identified recovery strategies and restoration priorities; and
  • B.2.3.10.3Test IT continuity management mechanisms to ensure an acceptable state of preparedness as an integral element of practices for departmental business continuity management.

• B.2.5.1Integrate system security engineering and security design processes at the appropriate stages of the system development lifecycle process;
• B.2.5.2Implement supply chain security measures to establish and maintain reasonable confidence in the security of sources of information systems and IT components, in accordance with applicable security requirements;
• B.2.5.3Identify and address any risks regarding transmission, processing or storage of data, both internal and external to Canada, when planning for an information system, including the complete life cycle of the system; and
• B.2.5.4For information systems managed for or by another organization, and for information systems shared or interconnected by two or more organizations, establish documented arrangements that define applicable security requirements and respective security responsibilities.

• B.2.6.1Assess whether security controls are effective and whether applicable security requirements are met;
• B.2.6.2Implement and document risk mitigation measures when security requirements cannot be fully met before putting an information system into operation, subject to approval by an individual who has the required authority;
• B.2.6.3Authorize an information system before putting it into operation through established IT security assessment and authorization processes;
• B.2.6.4Document security assessments and authorization decisions, including the formal acceptance of residual risk by an individual who has the required authority; and
• B.2.6.5Evaluate and maintain authorization throughout the information system’s operational life cycle.

• B.2.7.1Monitor threats and vulnerabilities;
• B.2.7.2Analyze information system audit logs and records;
• B.2.7.3Review the results of system monitoring, security assessments, tests and post-event analysis; and
• B.2.7.4Take pre-emptive, reactive and corrective actions to remediate deficiencies and ensure that IT security practices and controls continue to meet the needs of the department.

The procedures and subsections are as follows:

• C.2.2.1For all departmental materiel, materiel held in trust by the department, and other movable assets that support government programs, services and activities, including IT assets, controlled goods, heritage assets, communications security (COMSEC) material, acquisition cards, travel cards, cash, negotiable instruments and any other valuable or sensitive assets:
  • C.2.2.1.1Assign a security category to assets commensurate with the degree of injury that could reasonably be expected as a result of their compromise, and group, where appropriate, assets of equivalent sensitivity (see Appendix J: Standard on Security Categorization);
  • C.2.2.1.2Identify and assess threats to which assets are exposed; and
  • C.2.2.1.3Define and document requirements for ensuring the protection of assets under the custody or control of the department throughout their life cycle, commensurate with potential impacts of a compromise and identified threats, and in accordance with applicable legislation, policies, contracts, agreements and memoranda of understanding;
• C.2.2.2For all facilities that support departmental programs, services or activities, or for which the department has custodial responsibility:
  • C.2.2.2.1Identify relevant information, asset and employee protection and business continuity requirements;
  • C.2.2.2.2Identify and assess threats to which facilities are exposed; and
  • C.2.2.2.3Define and document requirements for ensuring the protection of departmental facilities throughout their life cycle, commensurate with identified security requirements and threats, and in accordance with applicable legislation, policies, contracts, agreements and understandings; and
• C.2.2.3Define and document departmental security practices for implementing and maintaining physical security controls, including practices for conducting facility security assessment and authorization, and security inspections of facilities, in accordance with departmental security requirements.

• C.2.3.1Design of the facility environment: Design, integrate and manage the external and internal environments of a facility to create conditions that together with specific security controls, detect attempted or actual unauthorized entry and activate an effective response to meet departmental security requirements, including electronic surveillance.
• C.2.3.2Access management: Implement measures to ensure that access to information in physical form, government facilities and other assets, including sensitive equipment, telecommunications cabling and information systems, is restricted to authorized individuals who have been security-screened at the appropriate level and who have a need for access:
  • C.2.3.2.1Issue identification to employees;
  • C.2.3.2.2Issue access cards to employees and other individuals to identify the facility or zone to which the bearer has authorized access, as applicable;
  • C.2.3.2.3Define and establish a discernable hierarchy of physical security zones to progressively control access, and provide consistent protection levels that are commensurate with the threat type and level and with the sensitivity of the programs, services, activities, information or assets in each zone;
  • C.2.3.2.4Authorize, control and monitor individuals and assets entering and, where appropriate, exiting government facilities, zones and sensitive areas, and maintain records of these activities, in accordance with departmental security practices and with records retention and disposition schedules; and
  • C.2.3.2.5Review access privileges periodically, and remove access when it is no longer required (for example, when an employee leaves or changes responsibilities).
• C.2.3.3Secure storage, transport, transmittal and destruction: Implement measures to protect information in physical form, including assets at rest (for example, in use or in storage), in transit (for example, in transport or in transmittal), and through appropriate destruction, in accordance with their sensitivity and with departmental security practices:
  • C.2.3.3.1Identify authorized secure physical storage, transportation, transmittal and destruction devices, methods and services for use in the department;
  • C.2.3.3.2Implement appropriate safeguards where other devices, methods or services are used for operational purposes, subject to approval by an individual who has the required authority; and
  • C.2.3.3.3Where appropriate, apply relevant security markings to sensitive assets to alert users of the level of protection that should be applied to the asset.
• C.2.3.4Additional controls: Implement additional controls, as required, to meet departmental security requirements or to achieve a higher readiness level in the event of emergencies or increased threat situations (for example, screening of incoming mail or deliveries for suspicious packages, special discussion areas, secure rooms, technical surveillance countermeasures, emergency destruction instructions, and measures for safeguarding sensitive or valuable information or assets).

• C.2.4.1Integrate security considerations into the planning, site selection, design, procurement, contracting, construction, modification, operation and maintenance of facilities; and
• C.2.4.2Integrate security considerations when assessing requirements, analyzing options and planning the acquisition, operation, use, maintenance, disposal and replacement of materiel.

• C.2.5.1Assess whether security controls are effective and whether applicable security requirements are met;
• C.2.5.2Implement and document risk mitigation measures when security requirements cannot be fully met before putting a facility into operation, subject to approval by an individual who has the required authority;
• C.2.5.3Authorize facilities before putting them into operation through established facility security assessment and authorization processes;
• C.2.5.4Document security assessments and authorization decisions, including the formal acceptance of residual risk by an individual who has the required authority; and
• C.2.5.5Evaluate and maintain authorization throughout the use, occupancy and maintenance of a facility.

• C.2.6.1Ensure that security inspections are conducted by authorized persons and in accordance with defined processes and timelines;
• C.2.6.2In emergency or increased threat situations, increase the frequency or depth of security inspections to achieve a higher readiness level; and
• C.2.6.3Report issues of non-compliance in accordance with defined processes to enable the implementation of corrective actions, and report to the responsible authorities, as applicable.

• C.2.7.1For facilities where the department is the building custodian:
  • C.2.7.1.1Define base building security requirements;
  • C.2.7.1.2Provide base building security;
  • C.2.7.1.3Inform any tenants of the base building security provided in tenant-occupied facilities;
  • C.2.7.1.4Consider tenant security requirements when conducting site selection; and
  • C.2.7.1.5Coordinate the integration of additional safeguards into base building infrastructure to meet tenant security requirements;
• C.2.7.2For facilities where the department is a tenant:
  • C.2.7.2.1Define tenant security requirements, while considering resources and activities in tenant-occupied facilities, in consultation with other stakeholders with whom facilities are shared, as applicable;
  • C.2.7.2.2Inform the custodian department of its tenant security requirements, to support site selection and tenant fit-up; and
  • C.2.7.2.3Verify that additional safeguards have been integrated into base building infrastructure to meet tenant security requirements;
• C.2.7.3For multi-tenant facilities occupied or managed by the department, establish or verify that mechanisms are in place to enable the coordination of security activities, including a building security committee, alignment of the hierarchy of security zones for common areas, identification of responsibilities of the lead tenant, and security event management processes; and
• C.2.7.4When individuals from another department or organization require regular access to facilities occupied or managed by the department, establish or verify that mechanisms are in place to address security requirements and enable the coordination of security activities, including security screening, access management and security event management.

• C.2.8.1Monitor threats and vulnerabilities;
• C.2.8.2Analyze access records;
• C.2.8.3Review the results of security assessments, security inspections and post-event analysis; and
• C.2.8.4Take pre-emptive, reactive and corrective actions to ensure that physical security practices and controls continue to meet the needs of the department.

• D.2.2.1Business continuity management practices: Define, document and maintain departmental business continuity management practices, addressing:
  1. Processes for conducting business impact analysis and for developing business continuity plans, measures and arrangements;
  2. Coordination of business continuity management with security event management and emergency management activities;
  3. Processes and timelines for providing awareness and training and for testing business continuity plans, measures and arrangements;
  4. Coordination with partners and other stakeholders; and
  5. Processes and timelines for review and maintenance of business impact analysis and business continuity plans, measures and arrangements.
• D.2.2.2Business impact analysis: Define departmental business continuity management requirements for all departmental services and activities supporting continued availability of services and associated assets that are critical to the health, safety, security or economic well-being of Canadians or to the effective functioning of government, based on an analysis of the potential impacts of disruption:
  • D.2.2.2.1Assign a security category to services and activities commensurate with the degree of injury that could reasonably be expected as a result of their interruption or degradation, and, where appropriate, group services and activities of equivalent criticality (see Appendix J: Standard on Security Categorization);
  • D.2.2.2.2Liaise with clients (for services provided to another department) and other stakeholders who may be affected by disruptions in departmental services or activities, to inform them of continuity requirements, strategies and priorities;
  • D.2.2.2.3Provide information to the Treasury Board of Canada Secretariat, on a regular basis or when requested, regarding the department’s identified critical services and activities;
  • D.2.2.2.4Define business continuity management requirements, expressed as maximum allowable downtime, minimum service levels, recovery time objectives and recovery point objectives;
  • D.2.2.2.5Define continuity strategies and recovery priorities;
  • D.2.2.2.6Identify supporting resources, including employees, contractors, suppliers, information and assets such as information systems, materiel and facilities, including where the department relies on or supports another organization in delivering a service or activity; and
  • D.2.2.2.7Identify any existing operational plans that support business continuity management requirements.
• D.2.2.3Business continuity plans, measures and arrangements: Establish business continuity plans, measures and arrangements based on the results of the business impact analysis.
• D.2.2.4Awareness and training: Provide awareness and training to all individuals, including specialized training for individuals directly involved in the implementation of business continuity plans, in accordance with departmental practices.
• D.2.2.5Testing: Conduct regular testing of business continuity plans to ensure an acceptable state of preparedness, in accordance with departmental practices.
• D.2.2.6Monitoring and corrective actions: Review and maintain business impact analysis and business continuity plans, measures and arrangements, while considering changes in services, activities, resources or threat environment, based on the results of tests and the activation of plans, to ensure business continuity management practices continue to meet the needs of the department.

• E.2.2.1Information management requirements and practices: Define, document and maintain departmental information management security requirements and practices.
  • E.2.2.1.1For all governmental information resources and intellectual property, including transitory records; information received from Canadian citizens, private sector organizations, other orders of government, international organizations or other partners; information that constitutes controlled goods; COMSEC material; and other information that supports government programs, services and activities:
    1. Assign a security category to departmental information resources commensurate with the degree of injury that could reasonably be expected as a result of its compromise, and group, where appropriate, information resources of equivalent sensitivity (see Appendix J: Standard on Security Categorization);
    2. Identify and assess threats to which departmental information resources are exposed; and
    3. Define and document requirements for ensuring the protection of information resources under the custody or control of the department throughout their life cycle, commensurate with potential impacts of a compromise and identified threats, and in accordance with applicable legislation, policies, contracts, agreements and memoranda of understanding;
    4. Define and document departmental security practices for implementing and maintaining information management security controls, in accordance with departmental security requirements.
• E.2.2.2Information management security controls: Define, document, implement and maintain security controls to meet departmental information management security requirements, in accordance with departmental practices.
  • E.2.2.2.1Security marking: Apply security markings to alert users of the level of protection that should be applied to the information:
    1. Apply security markings at the time that information is created or collected, based on the assigned security category and any applicable caveats; and
    2. Apply security markings to information in physical and electronic form and, where required, to electronic media and storage devices that contain sensitive information.
  • E.2.2.2.2Downgrading and upgrading: Ensure that the time frame for protection of information is kept as short as possible and that the security category continues to reflect the potential impacts of a compromise:
    1. Where appropriate and in accordance with privacy requirements and other legal or policy obligations, downgrade the security category assigned to information resources when the expected injury is reduced;
    2. Consult the relevant authority before downgrading any information that originates from another organization;
    3. When downgrading information received from other orders of government, private sector organizations or international organizations, abide by agreements or memoranda of understanding with these governments or organizations; and
    4. Where appropriate, upgrade the security category assigned to information resources when the expected injury is increased.
  • E.2.2.2.3Additional controls: Implement additional controls, as required, to meet departmental security requirements.
• E.2.2.3Security in the information management life cycle: Integrate security considerations into information management processes throughout all stages of the information life cycle, including planning, creation, receipt, organization, use, dissemination, maintenance, transfer and disposition.
• E.2.2.4Monitoring and corrective actions: Monitor information management security practices and controls to ensure consistent application, and implement changes, as required, to ensure that these practices and controls continue to meet the needs of the department.

The procedures and subsections are as follows:

• F.2.2.1Define department-wide security requirements that should apply to all contracts or arrangements;
• F.2.2.2Establish a process for identifying security requirements for a specific contract or arrangement;
• F.2.2.3Establish a process for verifying and monitoring continued compliance with security requirements, including any permitted exceptions and risk mitigation measures, as applicable; and
• F.2.2.4Integrate security considerations into departmental procurement processes and into information management, asset management and program management processes, while considering information- and asset-sharing arrangements.

• F.2.3.1Determine security requirements based on the sensitivity of information, assets or sites to which individuals will require access; the location and the type of work to be performed; the need for the supplier, partner or department to safeguard, process or produce sensitive information or assets at its facilities or in its information systems; and other relevant factors:
  • F.2.3.1.1Security screen individuals who require access to sensitive information, assets or sites in the performance of their work; individuals who need to be relied on to produce and deliver the goods and services being procured; and individuals who, because of their position, could gain access to sensitive information, assets or sites or could adversely affect the delivery of goods and services, including supplier security points of contact and, for certain contracts, suppliers’ key senior officials;
  • F.2.3.1.2Verify and obtain assurance of the appropriate implementation of;
    1. Physical security controls in facilities that are used to store or produce sensitive information or assets or that need to be relied on to produce or deliver the goods or services being procured;
    2. Security controls to protect information systems that are used to electronically process or transmit sensitive information or that are relied on to produce or deliver the goods or services being procured;
    3. Administrative and operational security controls (including designation of security points of contact, governance, planning, management of subcontracts or arrangements with third parties, security awareness and training, and security event monitoring, reporting and response, as applicable);
    4. Any other specific security requirements to meet statutory, regulatory or other obligations (for example, requirements for the management of COMSEC material; international or defence contracts that are subject to negotiated treaties, international agreements and multinational arrangements; and requirements where duties or access to information, assets or facilities are related to or directly support security and intelligence functions); and
    5. Risk-based approach for verifying and monitoring supplier, partner and departmental compliance with security requirements, as applicable.
• F.2.3.2Identify security requirements in the documentation associated with a contract or arrangement:
  • F.2.3.2.1For contracts and other arrangements with suppliers, document security requirements in the Security Requirements Check List or an equivalent document and in other documentation associated with the contract or arrangement;
  • F.2.3.2.2For other types of arrangements, document security requirements in the arrangement;
  • F.2.3.2.3For contracts or arrangements involving a subcontractor or another third party, identify in the contract or arrangement the need for the supplier or partner to extend applicable security requirements to any other entity involved in fulfilling the contract or arrangement; and
  • F.2.3.2.4For contracts or arrangements that do not involve any security requirements, include an attestation to that effect in the documentation of the contract or the arrangement.

• F.2.4.1Verify compliance with, and obtain assurance of the implementation of, the security requirements using the risk-based approach defined for the contract or arrangement. To avoid duplication, where possible and in accordance with privacy requirements and other legal or policy obligations:
  • F.2.4.1.1Provide the security records of Government of Canada suppliers to internal enterprise service organizations and other departments; and
  • F.2.4.1.2Consult the security records of Government of Canada suppliers when verifying supplier compliance;
• F.2.4.2Implement and document risk mitigation measures when security requirements to limit access to sensitive information, assets or sites cannot be fully met before awarding a contract or entering into an arrangement, subject to approval by an individual who has the required authority; and
• F.2.4.3Establish documented arrangements that define respective security responsibilities for contracts or arrangements managed for or by another organization.

The procedures and subsections are as follows:

• G.2.2.1Define security event management processes, including responsibilities of all stakeholders, with consideration given to partners (for example, other departments, suppliers and other orders of government) and government-wide processes;
• G.2.2.2Designate an official departmental contact to support government-wide communications of threats and vulnerabilities, and responses to security incidents and other security events, in accordance with government-wide processes;
• G.2.2.3Establish resources to support the implementation of security event management processes and to enable secure exchange of relevant information within the department and with other stakeholders;
• G.2.2.4Implement measures to ensure that security event management processes can be triggered in the event of disruptions that affect their supporting resources;
• G.2.2.5Coordinate security event management processes with communications plans and with business continuity, emergency management, strike management, and other contingency plans and measures, as applicable; and
• G.2.2.6Test security event management processes to ensure preparedness and to support continuous process improvement.

• G.2.3.1Ensure that reporting and sharing of information related to threats, vulnerabilities, security incidents and other security events is restricted to authorized users who have been security-screened at the appropriate level and who need to access the information to ensure appropriate preparedness, response or recovery; is effected using mechanisms that provide protection commensurate with the sensitivity of the information and threats to which the information may be exposed; and is conducted within the bounds of applicable legislation, policies or other obligations;
• G.2.3.2Report security events that affect, or that have the potential to affect, government-wide preparedness, response or recovery, to the appropriate lead security agency or central agency;
• G.2.3.3Report all suspected criminal activity, including but not limited to theft and breach of trust, to the appropriate law enforcement authority; provide all relevant documents, materials and details; and follow protocols to ensure preservation of evidence and cooperation between the department and law enforcement authorities; and
• G.2.3.4Inform other departments and stakeholders when there is reason to believe that an event originated from, or could potentially affect, an organization, including internal enterprise service organizations, departments that provide or receive services under agreements or other arrangements, suppliers and other partners.

• G.2.4.1Apply defined readiness levels based on the level of threat to Government of Canada employees, information, assets or service delivery;
• G.2.4.2Identify responsibilities for all departmental employees who have responsibilities for implementing readiness processes and measures:
  • G.2.4.2.1Designate the departmental contact for security event management as the official liaison for purposes of declaring and applying heightened readiness levels within the department;
• G.2.4.3Report, without delay, a declaration of a higher readiness level and a return to lower levels of readiness to the Privy Council Office, in accordance with Appendix I: Standard on Security Event Reporting;
• G.2.4.4Implement changes in readiness level when directed by the Privy Council Office, in response to emergency and increased threat situations that may affect multiple departments, national security and the government as a whole; and
• G.2.4.5Coordinate readiness processes and measures with security event management processes and business continuity plans and with emergency preparedness and response measures.

• G.2.5.1Define practices for the conduct of administrative investigations of security events;
• G.2.5.2Inform parties who are involved in administrative investigations of security events of their rights and obligations; and
• G.2.5.3Conduct administrative investigations of security events independently of, and without any specific intent to advance, a criminal investigation in order to avoid compromising such investigations.

• G.2.6.1Communicate results of post-event analysis to the appropriate lead security agency or central agency, as applicable and based on the severity and scope of the event.

• G.2.7.1Apply protective measures to ensure that access to security event records is restricted to security officials and other authorized users, to maintain the integrity of these records.

• H.2.2.1Security awareness requirements and practices: Define, document and maintain departmental security awareness and training requirements and practices, in accordance with government-wide policy requirements.
• H.2.2.2Security awareness: Develop, deliver, document and maintain security awareness activities and products to inform and remind individuals of security threats and risks and of their security responsibilities, in accordance with departmental security awareness requirements.
• H.2.2.3Security training: Provide, or arrange and document the provision of, security training to all employees, including specialized security training for those individuals who have specific security responsibilities or who could affect the achievement of security objectives as part of their duties, in accordance with departmental security training requirements.
• H.2.2.4Monitoring and corrective actions: Assess the effectiveness of security awareness and training activities, and implement changes, as required, to ensure that these activities continue to meet the needs of the department.