Managers will report all instances of suspected unlawful or unacceptable activities or IT-related incidents pertaining to the use of CSC's electronic resources to the IT Security Coordinator or the Regional Manager, IT Security, at the regional level. The Departmental Security Officer and designated personnel having responsibilities for the departmental security activities at the regional level will be advised.
On the recommendation of the IT Security Coordinator and the Departmental Security Officer, managers will seek legal advice in cases of suspected unlawful or unacceptable uses of CSC's electronic resources.
Authorized individuals using CSC's electronic resources will:
abide by the laws, government policies, directives and any other instructions published by CSC on the use of electronic resources
take reasonable measures to control the use of their password, user identification or computer accounts. This includes assuming responsibility for any actions or costs arising from the unauthorized use of electronic resources
use IT security features (e.g. encryption, virus and data protection) provided by the CSC
ensure that their communications using CSC's electronic resources do not reflect badly on CSC or the Government of Canada and comply with any policies pertaining to professional conduct and the use of Web 2.0 technology (see CD 227 - Use of Web 2.0 Technology)
report suspected unlawful or unacceptable activities or IT-related incidents to their manager(s)
seek clarification from the IT Security Coordinator when in doubt as to whether a planned use is acceptable and lawful
use only IT products authorized and installed by CSC-authorized Information Management/ Information Technology personnel
leave CSC electronic resources with the department upon departure.
AUTHORIZED USES OF ELECTRONIC RESOURCES
Use for Official Business
Electronic resources must be used for official business. This includes, but is not limited to, creating, accessing, manipulating, storing and transmitting:
electronic mail messages (email)
electronic records or information on CSC-managed electronic resources
information on the CSC Intranet
information on the Internet.
Limited personal use of CSC's electronic resources by authorized individuals is permitted only when such use:
occurs on the individual's personal time withinnormal working hours
does not incur any unauthorized additional cost to the CSC
observes rules governing professional conductand prohibitions related to unlawful and unacceptable conduct as outlined in this policy and elsewhere
does not require CSC to provide additional privacy protection for personal information stored, transmitted or processed beyond that which is already provided
allows CSC to read the contents of communications and files and access personal information pursuant to the section entitled "Monitoring" in this directive.
PROHIBITED USES OF ELECTRONIC RESOURCES
Authorized individuals are prohibited from using government electronic resources to:
operate, transmit or store games or other entertainment software
maintain or support a personal private business or to assist relatives, friends, or other persons in such activities, or
conduct any unlawful or unacceptable activityor to store or transmit information relating thereto, except where specifically authorized as part of an official investigation.
Offender access to CSC's electronic resources is prohibited except where specifically authorized by CSC policy for approved purposes such as an educational or work program, in compliance with applicable rules related to the protection of personal information (see CD 730 - Offender Program Assignments and Inmate Payments).
Routine monitoring of electronic resources will be performed by staff designated by the Chief Information Officer and Shared Services Canada to assess performance, to protect the availability, integrity, confidentiality, value and intent of use of government assets and to ensure compliance with government policy. Routine monitoring may involve:
identifying the size and type(s) of file(s) suspected of causing problems
identifying patterns of usage
determining the originator, intended recipient and subject line of email messages
testing for viruses
keyword searches on networks, computer systems and electronic storage devices.
CSC's electronic resources automatically log the identity of individuals and their activities while on the resource(s).
Copies of files and email records (including "draft" records) are automatically backed up and retained on a daily basis.
To the greatest extent possible, the CSC seeks to preserveindividual privacy; however, users should be aware that their use of CSC's electronic resources is not private. While CSC does not routinely read email or file content, under certain circumstances, CSC may monitor the activity and accounts of individual users including, but not limited to, individual login sessions, communications, email and file content.
All cases of individual monitoring must be authorized in advance by either the IT Security Coordinator, the Director General, Security, or the Assistant Commissioner, Human Resource Management, except:
for the cases specified in paragraph 15a
for the cases required by law, or
when this type of monitoring is necessary to respond to legitimate emergency situations.
Monitoring for Unlawful Activity and Unacceptable Conduct
If there are reasonable grounds to suspect that an authorized individual is misusing electronic resources, including during personal use, monitoring without notice, including viewing the content of individual email records or files, may occur under the following circumstances:
the authorized individual has voluntarily made electronic files or email accessible to CSC or to the public
it is necessary to do so to protect the integrity, ensure the security and/or the liability exposure of CSC
there are reasonable grounds to suspect that the authorized individual has utilized CSC's electronic resources in the commission of a violation of CSC or other government policy
there are reasonable grounds to suspect that the authorized individual is using electronic resources for an unlawful or unacceptable activity
an account appears to be engaged in unusual or unusually excessive activity, as indicated by the routine monitoring of general activity and usage patterns, or
upon the receipt of a warrant or other legal instrument from a law enforcement agency.
Individuals who are obliged to read the content of electronic communications as part of an investigation must keep the information confidential and use it only for the purposes authorized.
DISCIPLINARY MEASURES AND SANCTIONS
CSC may pursue disciplinary measures or sanctions in cases of unlawful and/or unacceptable activity related to the use of its electronic resources. Disciplinary measures will be commensurate with the seriousness and circumstances of the unlawful and/or unacceptable activity. In cases where disciplinary measures are required, Labour Relations must be consulted to ensure that the application of disciplinary measures is consistent across CSC.
Disciplinary measures may include:
a verbal or written reprimand
restrictions on access to the electronic resources
review of an individual's reliability status or security clearance
suspension or termination of employment.
Following consultation with Legal Services, CSC will report suspected unlawful activities related to the use of its electronic resources to law enforcement authorities.
Departmental Security Procedures Manual - Security of Information and Assets
Standards of Professional Conduct in the Correctional Service of Canada
Authorized individuals: CSC employees as well as contractors and any other individuals who have been authorized by a CSC authority to access CSC's electronic resources.
Electronic resource: any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. Within the context of this document, electronic resources refer to all electronic resources owned or operated by CSC or services to which CSC has subscribed (e.g. routers, computers, USB devices, smart phones, etc.).
Personal use: an activity that is conducted for purposes other than accomplishing official or otherwise authorized activity.
Unacceptable activity: any activity that violates CSC, Treasury Board or other government policy (for examples, see Appendix C of the Treasury Board Policy on Acceptable Network and Device Use), or that violates the limitations on personal use as set out in this policy and in Appendix C of the above-mentioned Treasury Board policy.
Unlawful activity: criminal offences, contraventions of non-criminal regulatory federal and provincial statutes, and actions that make an authorized individual or an institution liable to a civil lawsuit. For examples, refer to Appendix A of the Treasury Board Policy on Acceptable Network and Device Use.
Web 2.0 technology: includes Internet-based tools and services that allow for participatory multi-way information sharing, dialogue, syndication, and user-generated content. This can include social media and collaborative technologies (e.g. Facebook, Twitter and Wikis).