Public Works and Government Services Canada
Canadian and International Industrial Security Directorate
Industrial Security Sector
Industrial Security Manual

CHAPTER 8 - INFORMATION TECHNOLOGY SECURITY


800. GENERAL

  1. Purpose and Scope

    1. This chapter establishes operational standards in Canadian industry for the safeguarding of Government information electronically processed, stored or transmitted. It also applies to the safeguarding of the technology assets.

    2. In addition to these standards, the administrative and organizational, physical and personnel security standards as documented in this manual also apply to the information technology environment.

    3. The Government Security Policy requires that the degree of safeguarding provided by industry be commensurate with the level of the information and assets and the associated threats and risks. Without appropriate safeguards, the confidentiality, integrity and availability of information systems and services could be adversely affected.

  2. Roles and Responsibilities

    Government institutions are responsible for safeguarding PROTECTED and CLASSIFIED information and assets under their control. With respect to government contracts with the private sector, the contracting authority is responsible for ensuring that the requirements of the Government Security Policy are met and that the security standards are applied. The security standards contained in the Government Security Policy, Information Technology Standards, are the minimum standards for security in the private sector. Technical Security Standards for Information Technology are found on the following web site: www.rcmp-grc.ca/tsb/index.htm.

  3. Guidance

    Assessments, advice and guidance regarding these standards are available from CIISD.

801. ORGANIZATION AND ADMINISTRATION

  1. Organization

    Depending on the size of the organization's Information Technology Facility, the complexity of the Information Technology Security portion of the contract(s) and the number of contracts being processed concurrently, the organization may be required to appoint a full-time security person to be responsible for Information Technology Security. Questions regarding this policy are to be discussed with CIISD.

  2. Planning

    1. Cost-effective information technology security depends on planning that takes into account all phases of a system's life-cycle, from creation of the source documentation, through input transaction, communications, processing, storage, retrieval, output and disposal. As well, plans must incorporate the interrelationship of physical and personnel security with information technology security and confidentiality, integrity and availability requirements. Because of emission security (TEMPEST) considerations, plans should also address communications-electronic security (COMSEC) requirements even if communications links are not involved in the present information system. The application of TEMPEST measures will always be based on a threat identified in a threat/risk assessment.

    2. Any security program consists of an organizational structure and administrative procedures which support the three subsystems: physical security, information technology security and personnel security. These subsystems are interrelated, and the total effectiveness of the security system depends on the performance and therefore the coordinated planning of all subsystems.

802. ROLES AND RESPONSIBILITIES

  1. Canadian and International Industrial Security Directorate

    1. Whenever an organization is awarded a contract, through PWGSC, to electronically process government information using Information Technology (IT) equipment, the FISO will arrange for and coordinate an IT inspection. The FISO will also coordinate an IT inspection for cause.

    2. The organization will be contacted directly by the FISO to discuss and finalize an inspection date. The inspection team could comprise from one to five members and it may take from 1/2 day to two weeks to complete the inspection depending on the complexity of the contract and other factors such as the level of sensitivity of the data.

    3. Once the IT inspection team has completed its inspection, it will provide a report to the FISO for review. A copy of the report will be forwarded to the organization for action after the FISO has reviewed the report and concurs with its findings. The organization must submit an action plan to address the implementation of the recommendations within 30 days of receiving the report, and it must report to CIISD on the status of the outstanding recommendations on a regular basis, usually once a month. CIISD will issue a call letter to the organization when the inspection update status report is required.

    4. It is most important to remember that the implementation of recommendations is mandatory. Suggestions represent good business practice; while their implementation is not mandatory, the organization should consider implementing them.

    5. The report's contents will not be released outside of CIISD without the express permission of the organization.

    6. If the data requires TEMPEST protection, CIISD will request that the Communications Security Establishment (CSE) verify its adequacy. This will involve either the testing of the TEMPEST compliant equipment or witnessing the final test of the shielded enclosure.

    7. CSE will also provide a report to CIISD; however, it will only state the status of the equipment or shield and recommend corrective actions as required. Once the equipment or shield has passed all necessary tests and inspections, a certificate indicating its acceptability will be issued by the PWGSC COMSEC Group.

  2. Contractor

    1. The prime contractor's Information Technology Facility (or Facilities) must be approved by CIISD prior to processing government information. It is the prime contractor's responsibility, however, to ensure that Information Technology Security requirements are specified to and observed by subcontractors and that upon termination of the subcontract, no residual information is left on the subcontractor's computer(s) or in other areas.

    2. The organization (prime contractor) will be contacted directly by the FISO and by CSE, if applicable, to arrange for and finalize a time frame to conduct their inspection or test.

    3. The organization should arrange to have available a copy of its IT operational procedures and security procedures, organizational charts and a list of contact personnel, complete with telephone numbers, for distribution to the IT inspection team during the initial meeting of the inspection. In some instances, the inspection team leader may request a preliminary visit, approximately 2-4 weeks prior to the actual inspection day, in order to meet the staff, tour the facility and pick up any documentation for study.

    4. At the conclusion of the inspection, the IT inspection team will conduct a debriefing session for the purpose of informing the contractor of its findings. The organization should take the opportunity at this time to clarify any points or discuss proposed solutions. The documentation requested earlier will be returned during the

    5. CSE will also provide a report to CIISD; however, it will only state the status of the equipment or shield and recommend corrective actions as required. Once the equipment or shield has passed all necessary tests and inspections, a certificate indicating its acceptability will be issued by the PWGSC COMSEC Group.

    6. CIISD will subsequently issue a call letter to the organization requesting that it submit to CIISD an updated status report on all outstanding Security Evaluation and Inspection Team recommendations and suggestions. In completing the request for an updated status report, the organization should indicate the status of each recommendation by using key words accompanied by essential detail when necessary. The key words are:

      1. Implemented: should indicate HOW (by using or upgrading software, hardware, procedures, etc.) the recommendation was implemented;

      2. Active: should indicate WHAT is being done by WHOM, and WHEN is completion of the recommendation expected;

      3. Deferred: should state the reason(s) WHY the implementation of the recommendation has been delayed, and WHEN reactivation to implement the recommendation is expected; and

      4. Rejected: should give substantive reasons WHY no action to implement the recommendation will be taken.

803. REQUIREMENTS FOR EMISSION SECURITY (TEMPEST)

  1. The purpose of applying TEMPEST measures to telecommunications or electronic information processing equipment is to protect information from compromise through the interception and analysis of electromagnetic emissions by unauthorized persons.

  2. The specific TEMPEST measures required will be determined by CIISD on a case-by-case basis taking into account threat and risk.

804. SECURE TELECOMMUNICATIONS REQUIREMENTS

In addition to TEMPEST considerations, an organization which needs to transmit government information over telecommunication links or networks must protect this information through the use of government approved encryption or other government approved COMSEC measures such as approved (physically protected) circuits. CIISD should be made aware of such requirements as soon as possible. In such cases, CIISD will provide instructions and directions specific to the communications security systems involved.


805. SECURITY OF COMMUNICATIONS SECURITY (COMSEC) INFORMATION AND ASSETS

  1. COMSEC material includes all documents, devices, equipment or apparatus and crypto material used in establishing or maintaining secure communications. Crypto material is all material containing information essential to the encryption, decryption or authentication of communications, including documents, devices or equipment.

  2. An organization which has a validated requirement to hold COMSEC material will be required to establish a COMSEC account with CIISD and must appoint a qualified COMSEC Custodian and Alternate COMSEC Custodian who together with the Company Security Officer will be held accountable for safeguarding this material.

  3. Because of the special sensitivity of COMSEC material, a comprehensive set of rules and procedures for the handling and physical safeguarding of COMSEC material is provided in the Industrial COMSEC Material Control Manual and the Industrial Security Manual. All organizations with a need to hold COMSEC material must obtain a copy of the Industrial COMSEC Material Control Manual.
