Commissioner's Directive

Information Technology Security

PURPOSE

  • To ensure the protection of the information technology systems, services and electronic information used by the Correctional Service of Canada (CSC), the Parole Board of Canada and the Office of the Correctional Investigator, hereafter referred to as serviced agencies
  • To provide a framework for information technology risk management and for the implementation and maintenance of CSC's information technology security program

APPLICATION

  • Applies to all individuals who have been authorized to use CSC's information technology systems, services or electronic information

RESPONSIBILITIES

  1. The Commissioner, as deputy head, is accountable for the effective implementation, monitoring and governance of CSC's departmental security program, including the information technology (IT) security program.
  2. Deputy Commissioners and Assistant Commissioners will designate an individual as a Program or Service Delivery Manager, who will be responsible for each IT system used to deliver services in their respective responsibility area.
  3. Program or Service Delivery Managers, who have implemented specific IT systems or services to meet their business needs, will:
    1. consult with Information Management Services early on, for any initiative where information technology is a component and, if required, seek advice from the IT Security Coordinator to ensure compliance with Government of Canada policies and standards
    2. conduct a Business Impact Analysis for each program within their responsibility area and ensure that any gaps pertaining to IT systems or services are addressed
    3. ensure that IT security risks are assessed at the inception of any new project and that those risks are periodically reassessed in light of changes to programs, activities or services
    4. mitigate, accept or transfer any residual risks affecting the IT systems within their responsibility area
    5. ensure that no one individual can independently control all aspects of an IT system or service
    6. ensure all users of electronic information are uniquely identified and authorized to access the IT systems containing that information
    7. ensure a process is in place to regularly review access rights and revoke access as per conditions outlined in the section entitled 'Access by Authorized Users' in the procedures below
    8. ensure sensitive information processed, stored or transmitted using CSC's IT systems is encrypted in accordance with the Communications Security Establishment Canada's (CSEC) and CSC's policies and standards when warranted by a Threat and Risk Assessment
    9. ensure that data is compartmentalized for access purposes
    10. ensure vulnerabilities are addressed in a timely manner upon the advice of the IT Security Coordinator.
  4. CSC's Departmental Security Officer at National Headquarters will:
    1. ensure the integration of IT security programs and services in the departmental security program
    2. hold regular meetings with the Chief Information Officer and the IT Security Coordinator to discuss the departmental security program, review IT security threats and risks and ensure that strategies with timelines are in place to improve CSC's security posture
    3. ensure that all cryptographic devices provided to serviced agencies are implemented in accordance with CSEC's and CSC's policies and standards
    4. provide Treasury Board of Canada Secretariat with evidence of implementation and effectiveness of CSC's IT security program following consultation with the IT Security Coordinator
    5. validate and identify IT security risks based on recommendations from the IT Security Coordinator
    6. ensure a Threat and Risk Assessment or an assessment of CSC's facilities (excluding operational units) is conducted in accordance with Treasury Board's policies prior to the deployment of any IT systems
    7. investigate all security incidents and breaches involving loss or theft of IT assets and consult with the IT Security Coordinator on loss of electronic information.
  5. Designated personnel having responsibilities for the departmental security activities at the regional level will:
    1. validate and identify IT security risks in collaboration with the Regional Manager, IT Security
    2. ensure a Threat and Risk Assessment of CSC's facilities within their region is conducted in accordance with Treasury Board's policies prior to the deployment of any IT systems
    3. investigate all security incidents and breaches involving loss or theft of IT assets within their region and consult with the Regional Manager, IT Security, on any loss of electronic information.
  6. CSC's Chief Information Officer will:
    1. be the authority for all IT systems to operate in CSC
    2. be the designated Program or Service Delivery Manager for common IT systems or services provided by Information Management Services
    3. ensure all IT systems and services are in compliance with policies and standards published by the Treasury Board of Canada Secretariat and CSC's IT security policies, standards and procedures
    4. initiate emergency measures to protect CSC's IT systems or electronic information when warranted.
  7. The Manager, IT Security, will:
    1. assume the role of the designated IT Security Coordinator as defined by Treasury Board's policies and serve as CSC's principal IT security contact
    2. be the designated point of contact for all communications with respect to IT security-related incident responses
    3. regularly report to the Chief Information Officer and the Departmental Security Officer on IT security-related matters
    4. work closely with Program or Service Delivery Managers and recommend safeguards to ensure that their IT security needs are met
    5. provide direction to the Regional Managers, IT Security, on IT security issues
    6. manage CSC's IT security certification and accreditation process and security assessment and authorization process as identified in the 'Procedures' section below
    7. establish and monitor an IT security incident handling process and verify that corrective actions have been taken on all incident or vulnerability reports
    8. monitor and evaluate any changes in the threat environment that could have a potential impact on CSC's IT systems, services or electronic information
    9. develop and monitor the effectiveness of the mandated IT security awareness and training programs delivered
    10. verify the compliance with recommendations made in assessments or audits conducted on CSC's IT systems, services or electronic information
    11. conduct Threat and Risk Assessments, Vulnerability Assessments, security tests and product evaluations, and recommend corrective actions to address any deficiencies
    12. review Business Impact Assessments, Privacy Impact Assessments, contracts and Security Requirements Checklists, as well as the IT security portions of requests for proposals, contracts and memoranda of understanding.
  8. The Regional Administrator, Information Management Services, will:
    1. advise regional management on IT security policies, standards and procedures and their responsibilities for complying with those directives
    2. seek advice from the IT Security Coordinator whenever a regional IT security-related issue cannot be resolved at that level
    3. initiate emergency measures to protect CSC's regional IT systems, services or electronic information when warranted, and inform the IT Security Coordinator on the action taken.
  9. The Regional Manager, IT Security, will:
    1. maintain a reporting relationship and follow the functional direction of the IT Security Coordinator, and liaise with the National Headquarters IT Security Division
    2. advise the Regional Administrator, Information Management Services, and the IT Security Coordinator on all IT security issues and incidents
    3. conduct Threat and Risk Assessments, Vulnerability Assessments, security tests and product evaluations at the regional level, and recommend corrective actions to address any deficiencies
    4. review Business Impact Assessments, Privacy Impact Assessments, contracts and Security Requirements Checklists, as well as the IT security portions of requests for proposals, contracts and memoranda of understanding at the regional level
    5. deliver the mandated IT security awareness and training programs
    6. provide guidance and advice to regional staff on various IT security-related matters.

PROCEDURES

Access by Authorized Users

  1. Access to IT systems, services or electronic information will only be granted to individuals who have obtained the security screening level required for the position.
  2. Only authorized users will access CSC's IT systems, services or electronic information.
  3. Users will be authorized access based on business needs and security considerations. All authorizations will also be granted on a need-to-know basis and limited to the minimum access required for the individual to perform his/her duties.
  4. All authorized users will be uniquely identified in the system so that access to the sensitive information can be both controlled and monitored.
  5. Authorized users will:
    1. maintain the security screening level required for the position
    2. read, understand and sign CSC's use of electronic resources agreement (CD 226 - Use of Electronic Resources)
    3. use authentication mechanisms, such as passwords, keys or tokens, to access CSC's IT systems, services or electronic information and safeguard these authentication mechanisms from compromise.
  6. Access rights will be revoked if:
    1. the business need no longer exists
    2. the user has failed to satisfy conditions outlined above
    3. the user has left the organization, or
    4. the Departmental Security Division is notified of any adverse information regarding the authorized user.

Access by Offenders

  1. Offenders will not be given access to CSC's IT systems, services or electronic information, unless approved under specific CSC programs. All such programs will be reviewed and approved by the IT Security Coordinator.
  2. Offender access to CSC's IT systems, services or electronic information will be granted only after IT Security has completed an assessment and all recommendations have been implemented by the operational unit or the Program or Service Delivery Manager.
  3. Offenders will be denied access to CSC's IT systems and services that are:
    1. capable of retrieving personal information on members of the public, government employees or other offenders
    2. capable of communicating with another computing device inside or outside the institution (other than approved printers or networks), or
    3. required to support the IT infrastructure of any facilities of the serviced agencies.
  4. Offender-accessible devices, such as computers, game consoles or other electronic devices, are only permissible if they abide by the conditions outlined in this directive and:
    1. they are authorized by a CSC policy, an educational program, a work program or for legal discovery purposes, and
    2. IT Security has completed an assessment and all recommendations have been implemented by the institution or the Program or Service Delivery Manager.

Separation of Duties

  1. No one individual user will perform all aspects of a critical IT process independently. For example, the individual that approves an action, the individual that carries out an action, and the individual that monitors that action must all be different people.

Security Classification of Information

  1. The security classification or designation of serviced agencies' electronic information will be determined by the owner or originator of that information and must be made in accordance with CSC's Guide to Information Security and Information Security Requirements chart.

Contracts

  1. When developing contracts in which connectivity to CSC's IT systems or processing of CSC's information has been identified, the approval of the IT Security Coordinator must be sought before the contract is signed. All security concerns must be addressed in the contract.
  2. The Security Requirements Checklist (TBS/SCT 350-103) must be completed by the Program or Service Delivery Manager issuing the contract and approved by the IT Security Coordinator at National Headquarters or the Regional Manager, IT Security, in the regions.

Information Sharing

  1. Program or Service Delivery Managers will consult with the IT Security Coordinator on implications of electronic information sharing with parties outside of the serviced agencies. An assessment will be conducted and all safeguards will be implemented prior to sharing electronic information.
  2. Any Memoranda of Understanding or similar agreements for information sharing with other government departments or private organizations will include clauses ensuring that safeguards are in place for data transmission, storage, processing, handling and disposal in accordance with policies and standards published by the Treasury Board of Canada Secretariat.
  3. All individuals viewing or processing serviced agencies' electronic information will have the appropriate level of security screening, and the facilities where that information will be processed or stored will have obtained the level of accreditation, as outlined by the Security Requirements Checklist (TBS/SCT 350-103).

Security Assessment and Authorization

  1. The IT Security Coordinator will establish and manage CSC's IT security certification and accreditation process and security assessment and authorization process. Program or Service Delivery Managers are responsible for ensuring that the requirements of the process are fulfilled.
  2. All new IT systems and services must be certified or assessed by the IT Security Coordinator, and accredited or authorized by the Chief Information Officer prior to being deployed for use.
  3. IT systems and services will be granted an Interim Authority to Operate, or full accreditation or authorization based on the recommendation of the IT Security Coordinator.
  4. Managers of IT systems and services that have not been certified or accredited, but are already in use to support the serviced agencies' business requirements, will provide a plan to complete the certification activities to the IT Security Coordinator. The Chief Information Officer may deny the provision of services for any system that does not meet all security requirements within an established timeframe.
  5. All changes to existing components of CSC's IT systems or services will go through a formal change review and approval process.

Business Continuity Planning

  1. The Business Continuity Plan of the Information Management Services Branch will be invoked in a situation that has been declared as a disaster by the Commissioner. This will ensure the quick recovery of the serviced agencies' mission critical IT systems at the designated recovery location.
  2. Disaster Recovery Plans will be developed by Information Management Services for all mission critical IT systems and services. These plans will clearly identify the systems, any dependencies on other components of CSC's IT infrastructure, recovery processes and the personnel required to recover those systems.
  3. IT Continuity Plans will be developed by Information Management Services for all non-mission critical IT systems and services unless otherwise agreed. IT Continuity Plans must clearly identify roles and responsibilities, dependencies and recovery processes.
  4. All Disaster Recovery Plans and IT Continuity Plans will be reviewed and approved by the Disaster Recovery Coordinator in IT Security at National Headquarters and the Regional Manager, IT Security, at the regional level.
  5. All Disaster Recovery Plans and IT Continuity Plans will be tested on a regular basis and continually maintained by Information Management Services.

Monitoring

  1. Appropriate monitoring will be conducted on CSC's IT systems, services or electronic information to:
    1. meet security requirements as identified in assessments or audits
    2. ensure compliance with CD 226 - Use of Electronic Resources, or
    3. ensure that systems are functioning within their normal parameters.
  2. All monitoring will be designed to detect and prevent any malicious use of CSC's IT systems, services or electronic information, or to correct system failures.

Security Investigations

  1. All suspected or actual IT security violations and incidents affecting CSC's IT systems, services or electronic information will be investigated by the IT Security Coordinator or the Regional Manager, IT Security, at the regional level. The national Departmental Security Officer and designated personnel having responsibilities for the departmental security activities at the regional level will be advised.
  2. All IT security incident reports will be continuously analyzed to detect trends and propose corrective measures.
  3. The IT Security Coordinator will provide periodic summaries of IT security incidents to the Chief Information Officer and the Departmental Security Officer at National Headquarters.
  4. A written report will be prepared on each security incident and shared with appropriate stakeholders on a need-to-know basis.

Audits

  1. Audits of CSC's IT systems, services or electronic information will be carried out by CSC's Internal Audit Branch or by an approved non-CSC auditing organization on a regular basis.
  2. Audit results will be shared with all Program or Service Delivery Managers within the scope of the audit, and action plans will be developed to address any identified deficiencies.

Commissioner,

Original Signed by:

Don Head

ANNEX A

CROSS-REFERENCES AND DEFINITIONS

CROSS-REFERENCES

DEFINITIONS

Adverse information: negative or unfavourable information about an individual which raises doubts and concerns about the ability to hold a reliability status and/or security clearance, e.g., criminal conduct, substance abuse, or unfavourable information regarding an individual's financial stability or loyalty to Canada.

Assessment: an analysis done on all new IT systems and changes to existing systems. Depending on the scope of the change or implementation of new systems, the assessment could include a Threat and Risk Assessment, an impact assessment or a vulnerability assessment.

Certification and accreditation process: a formal process designed to ensure that all components of CSC's IT infrastructure have been carefully reviewed for security considerations and any deficiencies identified have been addressed. The certification and accreditation process requires gathering certification evidence, such as the results of any applicable Threat and Risk Assessments, Business Impact Assessments, Privacy Impact Assessments, vulnerability assessments, security tests and product evaluations, self-assessments, audits and security reviews. Systems are accredited after evidence shows that all safeguards were implemented.

Information technology (IT) services: a capability delivered by an IT service provider, which directly or indirectly supports one or more business processes or functions.

Information technology (IT) system: a collection of resources and configuration items (such as hardware, software and documentation) that operates as a whole.

Security assessment and authorization process: an ongoing process of evaluating the performance of IT security controls throughout the life cycle of information systems to ensure the departmental business needs for security are met. Authorization is a decision by a senior organizational official, based on a security assessment, to authorize operation of an information system and to explicitly accept the risk of relying on the information system to support a set of business activities.

Serviced agencies: the agencies receiving services from the Information Management Services Branch, i.e. the Correctional Service of Canada, the Parole Board of Canada and the Office of the Correctional Investigator.

Threat and Risk Assessment: a formal process which assists in the determination of security requirements and recommends risk mitigation strategies.
