Commissioner's Directive
Date: 2012-11-22
Number: 225
INFORMATION TECHNOLOGY SECURITY
Issued under the authority of the Commissioner of the Correctional Service of Canada
- Policy Objectives
- Authorities
- Application
- Responsibilities
- Procedures
- Enquiries
- Cross-References and Definitions
POLICY OBJECTIVES
- To ensure the protection of the Information Technology (IT) systems, services and electronic information used by the Correctional Service of Canada (CSC), the Parole Board of Canada (PBC) and the Office of the Correctional Investigator (OCI), hereafter referred to as serviced agencies.
- To provide a framework for IT risk management and for the implementation and maintenance of CSC’s IT security program.
AUTHORITIES
- Treasury Board Secretariat Framework for the Management of Risk
- Treasury Board Secretariat Policy on Government Security
- Treasury Board Secretariat Operational Security Standard: Management of Information Technology Security
APPLICATION
- This Commissioner’s Directive applies to all individuals who have been authorized to use CSC’s IT systems, services or electronic information.
RESPONSIBILITIES
- The Commissioner, as deputy head, is accountable for the effective implementation, monitoring and governance of CSC’s departmental security program, including the IT security program.
- Deputy Commissioners and Assistant Commissioners will designate an individual as a Program or Service Delivery Manager, who will be responsible for each IT system used to deliver services in their respective responsibility area.
- Program or Service Delivery Managers, who have implemented specific IT systems or services to meet their business needs, will:
- consult with Information Management Services early on, for any initiative where information technology is a component and, if required, seek advice from the Director, IT Security, to ensure compliance with Government of Canada policies and standards;
- conduct a Business Impact Analysis for each program within their responsibility area and ensure that any gaps pertaining to IT systems or services are addressed;
- ensure that IT security risks are assessed at the inception of any new project and that those risks are periodically reassessed in light of changes to programs, activities or services;
- mitigate, accept or transfer any residual risks affecting the IT systems within their responsibility area;
- ensure that no one individual can independently control all aspects of an IT system or service;
- ensure all users of electronic information are uniquely identified and authorized to access the IT systems containing that information;
- ensure a process is in place to regularly review access rights and revoke access as per conditions outlined in the section entitled “Access by Authorized Users” in the procedures below;
- ensure sensitive information processed, stored or transmitted using CSC’s IT systems, is encrypted in accordance with the Communications Security Establishment Canada’s (CSEC) and CSC’s policies and standards when warranted by a Threat and Risk Assessment; and
- ensure that data is compartmentalized for access purposes.
- CSC’s Departmental Security Officer at National Headquarters will:
- ensure the integration of IT Security programs and services in the departmental security program;
- hold regular meetings with the Chief Information Officer and the Director, IT Security, to discuss the departmental security program, review IT security threats and risks and ensure that strategies with timelines are in place to improve CSC’s security posture;
- ensure that all cryptographic devices provided to serviced agencies are implemented in accordance with CSEC’s and CSC’s policies and standards;
- provide Treasury Board Secretariat with evidence of implementation and effectiveness of CSC’s IT security program following consultation with the Director, IT Security;
- validate and identify IT security risks based on recommendation from the Director, IT Security;
- ensure a Threat and Risk Assessment or an assessment of CSC’s facilities (excluding operational units) is conducted in accordance with Treasury Board Secretariat’s policies prior to the deployment of any IT systems; and
- investigate all security incidents and breaches involving loss or theft of IT assets and consult with the Director, IT Security, on loss of electronic information.
- CSC’s Regional Departmental Security Officers will:
- validate and identify IT security risks in collaboration with the Regional Manager, IT Security;
- ensure a Threat and Risk Assessment of CSC’s facilities within their region is conducted in accordance with Treasury Board Secretariat’s policies prior to the deployment of any IT systems; and
- investigate all security incidents and breaches involving loss or theft of IT assets within their region and consult with the Regional Manager, IT Security, on any loss of electronic information.
- CSC’s Chief Information Officer will:
- have the authority to authorize all IT systems to operate in CSC;
- be the designated Program or Service Delivery Manager for common IT systems or services provided by Information Management Services;
- ensure all IT systems and services are in compliance with policies and standards published by the Treasury Board Secretariat and CSC’s IT security policies, standards and procedures; and
- initiate emergency measures to protect CSC’s IT systems or electronic information when warranted.
- The Director, IT Security, will:
- assume the role of the designated IT Security Coordinator as defined by Treasury Board Secretariat policies and serve as CSC’s principal IT security contact;
- be the designated point of contact for all communications with respect to IT security-related incident responses;
- regularly report to the Chief Information Officer and the Departmental Security Officer on IT security related matters;
- work closely with Program or Service Delivery Managers and recommend safeguards to ensure that their IT security needs are met;
- provide direction to the Regional Managers, IT Security, on IT security issues;
- manage CSC’s IT security certification and accreditation process as identified in the “Procedures” section below;
- establish and monitor an IT security incident handling process and verify that corrective actions have been taken on all incident or vulnerability reports;
- monitor and evaluate any changes in the threat environment that could have a potential impact on CSC’s IT systems, services or electronic information;
- develop and monitor the effectiveness of the mandated IT security awareness and training programs delivered;
- verify the compliance with recommendations made in assessments or audits conducted on CSC’s IT systems, services or electronic information;
- conduct Threat and Risk Assessments, Vulnerability Assessments, security tests and product evaluations, and recommend corrective actions to address any deficiencies; and
- review Business Impact Assessments, Privacy Impact Assessments, contracts and Security Requirements Checklists, as well as the IT security portions of requests for proposals, contracts and memoranda of understanding.
- The Regional Administrator, Information Management Services, will:
- advise regional management on IT security policies, standards and procedures and their responsibilities for complying with those directives;
- seek advice from the Director, IT Security, whenever a regional IT security related issue cannot be resolved at that level; and
- initiate emergency measures to protect CSC’s regional IT systems, services or electronic information when warranted, and inform the Director, IT Security, on the action taken.
- The Regional Manager, IT Security, will:
- maintain a functional reporting relationship with the Director, IT Security, and liaise with the National Headquarters IT Security Division;
- advise the Regional Administrator, Information Management Services, on all IT security issues and incidents;
- conduct Threat and Risk Assessments, Vulnerability Assessments, security tests and product evaluations at the regional level, and recommend corrective actions to address any deficiencies;
- review Business Impact Assessments, Privacy Impact Assessments, contracts and Security Requirements Checklists, as well as the IT security portions of requests for proposals, contracts and memoranda of understanding at the regional level;
- deliver the mandated IT security awareness and training programs; and
- provide guidance and advice to regional staff on various IT security related matters.
PROCEDURES
Access by Authorized Users
- Access to IT systems, services or electronic information will only be granted to individuals who have obtained the security screening level required for the position.
- Only authorized users will access CSC’s IT systems, services or electronic information.
- Users will be authorized access based on business needs and security considerations. All authorizations will also be granted on a “need-to-know” basis and limited to “minimum access” required for the individual to perform his/her duties.
- All authorized users will be uniquely identified in the system so that access to the sensitive information can be both controlled and monitored.
- Authorized users will:
- maintain the security screening level required for the position;
- read, understand and sign CSC’s use of electronic resources agreement (CD 226 – Use of Electronic Resources); and
- use authentication mechanisms, such as passwords, keys or tokens, to access CSC’s IT systems, services or electronic information and safeguard these authentication mechanisms from compromise.
- Access rights will be revoked if:
- the business need no longer exists;
- the user has failed to satisfy conditions outlined above;
- the user has left the organization; or
- the Departmental Security Division is notified of any adverse information regarding the authorized user.
Access by Offenders
- Offenders will not be given access to CSC’s IT systems, services or electronic information, unless approved under specific CSC programs. All such programs will be reviewed and approved by the Director, IT Security.
- Offender access to CSC’s IT systems, services or electronic information will be granted only after IT Security has completed an assessment and all recommendations have been implemented by the operational unit or the Program or Service Delivery Manager.
- Offenders will be denied access to CSC’s IT systems and services that are:
- capable of retrieving personal information on members of the public, government employees or other offenders;
- capable of communicating with another computing device inside or outside the institution (other than approved printers or networks); or
- required to support the IT infrastructure of any facilities of the serviced agencies.
- Offender accessible devices, such as computers, game consoles or other electronic devices, are only permissible if they abide by the conditions outlined in this directive and:
- only if they are authorized by a CSC policy, an educational program, a work program or for legal discovery purposes; and
- after IT Security has completed an assessment and all recommendations have been implemented by the institution or the Program or Service Delivery Manager.
Separation of Duties
- No one individual user will perform all aspects of a critical IT process independently. For example, the individual that approves an action, the individual that carries out an action, and the individual that monitors that action must all be different people.
Security Classification of Information
- The security classification or designation of serviced agencies’ electronic information will be determined by the “owner” or originator of that information and must be made in accordance with CSC’s Guide to Information Security and Information Security Requirements chart.
Contracts
- When developing contracts in which connectivity to CSC’s IT systems or processing of CSC’s information has been identified, the approval of the Director, IT Security, must be sought before the contract is signed. All security concerns must be addressed in the contract.
- The Security Requirements Checklist (TBS/SCT 350-103) must be completed by the Program or Service Delivery Manager issuing the contract and approved by the Director, IT Security, in National Headquarters or the Regional Manager, IT Security, in the regions.
Information Sharing
- Program or Service Delivery Managers will consult with the Director, IT Security, on implications of electronic information sharing with parties outside of the serviced agencies. An assessment will be conducted and all safeguards will be implemented prior to sharing electronic information.
- Any Memoranda of Understanding or similar agreements for information sharing with other government departments or private organizations will include clauses ensuring that safeguards are in place for data transmission, storage, processing, handling and disposal in accordance with policies and standards published by the Treasury Board Secretariat.
- All individuals viewing or processing serviced agencies’ electronic information will have the appropriate level of security screening, and the facilities where that information will be processed or stored will have obtained the level of accreditation, as outlined by the Security Requirement Checklist (TBS/SCT 350-103).
Certification and Accreditation
- The Director, IT Security, will establish and manage CSC’s IT security certification and accreditation process. Program or Service Delivery Managers are responsible for ensuring that the requirements of the process are fulfilled.
- All new IT systems and services must be certified by the Director, IT Security, and accredited by the Chief Information Officer prior to being deployed for use.
- IT systems and services will be granted an Interim Authority to Operate or a full accreditation based on the recommendation of the Director, IT Security.
- Managers of IT systems and services that have not been certified or accredited, but are already in use to support the serviced agencies’ business requirements, will provide a plan to complete the certification activities to the Director, IT Security. The Chief Information Officer may deny the provision of services for any system that does not meet all security requirements within an established timeframe.
- All changes to existing components of CSC’s IT systems or services will go through a formal change review and approval process.
Business Continuity Planning
- The Business Continuity Plan of the Information Management Services Branch will be invoked in a situation that has been declared as a disaster by the Commissioner. This will ensure the quick recovery of the serviced agencies’ mission critical IT systems at the designated recovery location.
- Disaster Recovery Plans will be developed by Information Management Services for all mission critical IT systems and services. These plans will clearly identify the systems, any dependencies on other components of CSC’s IT infrastructure, recovery processes and the personnel required to recover those systems.
- IT Continuity Plans will be developed by Information Management Services for all non-mission critical IT systems and services, clearly identifying roles and responsibilities, dependencies and recovery processes.
- All Disaster Recovery Plans and IT Continuity Plans will be reviewed and approved by the Disaster Recovery Coordinator in IT Security at National Headquarters and the Regional Manager, IT Security, at the regional level.
- All Disaster Recovery Plans and IT Continuity Plans will be tested on a regular basis and continually maintained by Information Management Services.
Monitoring
- Appropriate monitoring will be conducted on CSC’s IT systems, services or electronic information to:
- meet security requirements as identified in assessments or audits;
- ensure compliance with CD 226 – Use of Electronic Resources; or
- ensure that systems are functioning within their normal parameters.
- All monitoring will be designed in order to detect and prevent any malicious use of CSC’s IT systems, services or electronic information or to correct system failures.
Security Investigations
- All suspected or actual IT security violations and incidents affecting CSC’s IT systems, services or electronic information will be investigated by the Director, IT Security, or the Regional Manager, IT Security, at the regional level. The national and regional Departmental Security Officers will be advised.
- All IT security incident reports will be continuously analyzed to detect trends and propose corrective measures.
- The Director, IT Security, will provide periodic summaries of IT security incidents to the Chief Information Officer and the Departmental Security Officer at National Headquarters.
- A written report will be prepared on each security incident and shared with appropriate stakeholders on a need-to-know basis.
Audits
- Audits of CSC’s IT systems, services or electronic information will be carried out by CSC’s Internal Audit Branch or by an approved non-CSC auditing organization on a regular basis.
- Audit results will be shared with all Program or Service Delivery Managers within the scope of the audit, and action plans will be developed to address any identified deficiencies.
ENQUIRIES
- Strategic Policy Division
National Headquarters
Email: Gen-NHQPolicy-Politi@CSC-SCC.GC.CA
Commissioner,
Original signed by
Don Head
ANNEX A
CROSS-REFERENCES AND DEFINITIONS
CROSS-REFERENCES
CD 226 – Use of Electronic Resources
DEFINITIONS
Adverse information: negative or unfavourable information about an individual which raises doubts and concerns about the ability to hold a reliability status and/or security clearance, e.g., criminal conduct, substance abuse, or unfavourable information regarding an individual’s financial stability or loyalty to Canada.
Assessment: an assessment is conducted on all new IT systems and on changes to existing systems. Depending on the scope of the change or of the new system being implemented, the assessment could include a Threat and Risk Assessment, an impact assessment or a vulnerability assessment.
Information Technology (IT) System: a collection of resources and configuration items (such as hardware, software and documentation) that operates as a whole.
Information Technology (IT) Services: a capability delivered by an IT service provider, which directly or indirectly supports one or more business processes or functions.
Certification and accreditation process: formal process designed to ensure that all components of CSC’s IT infrastructure have been carefully reviewed for security considerations and any deficiencies identified have been addressed. The certification and accreditation process requires gathering certification evidence, such as the results of any applicable Threat and Risk Assessments, Business Impact Assessments, Privacy Impact Assessments, Vulnerability Assessments, security tests and product evaluations, self-assessments, audits and security reviews. Systems are accredited after evidence shows that all safeguards were implemented.
Serviced agencies: the agencies receiving services from the Information Management Services Branch, i.e. the Correctional Service of Canada, the Parole Board of Canada and the Office of the Correctional Investigator.
Threat and Risk Assessment: a formal process which assists in the determination of security requirements and recommends risk mitigation strategies.
All other applicable definitions of information technology and security terms used in this document may be found in Appendix A of the Policy on Government Security (2009).