Treasury Board of Canada Secretariat - Government of Canada

Security Policy - Manager's Handbook

Introduction

This handbook summarizes and explains the main provisions of the government security policy. It contains only highlights and should not be read as a substitute for the policy. For further information, consult your organization's security manual or your security officer. The security policy and standards are available in the Security volume of the Treasury Board Manual. Note that the security policy also applies to Ministers' Offices, including exempt staff.

The security policy establishes a framework of policy guidelines for implementing information security and privacy requirements. This framework requires departments to properly safeguard the personal information and other sensitive data contained in their information systems and used in their programs and services. It is based on the principle that safeguards for information and assets should reflect their sensitivity, importance and value - no more and no less.

Deputy heads are accountable for implementation of the security policy in their departments and agencies. They may delegate authority for carrying out any part of the policy, except for the denial, revocation or suspension of a security clearance.

Departments should ensure accountability for the security, integrity and availability of their information holdings through common information management infrastructures.

Good management provides the foundation for effective and efficient security, which is why your role in the departmental security program matters.

What needs to be safeguarded?

All government assets, including information, require good care. Some assets, however, are more sensitive or valuable and require additional safeguards. These are categorized as:

  • classified information
  • designated information
  • assets other than information, including
      • information technology systems

Classified Information

The security policy requires that information be classified if its unauthorized disclosure or compromise could reasonably be expected to cause injury to the national interest, with reference to specific provisions of the Access to Information Act or the Privacy Act.

Information considered sensitive in the national interest includes:

  • information on federal-provincial relations, international affairs, defense or the economic interests of Canada
  • advice and recommendations connected with the above information
  • information on investigations into threats to the security of Canada

In addition, information under the Cabinet Paper System is classified. Other Cabinet Confidences that contain information sensitive in the national interest are also classified. Otherwise they are designated as sensitive, as described under "Designated Cabinet Confidences" below.

Information must be marked with the appropriate level of classification. There are three levels:

  • TOP SECRET. This applies when compromise might reasonably cause exceptionally grave injury to the national interest. The possible impact must be great, immediate and irreparable. Obviously, the amount of information that merits this classification level is small.
  • SECRET. This applies when compromise might reasonably cause serious injury to the national interest.
  • CONFIDENTIAL. When disclosure might reasonably cause injury to the national interest. Most of the information meriting classification should fall in this class.

Designated Information

Certain information cannot be disclosed under the access and privacy legislation because of the possible injury to particular public or private interests. This type of information concerns:

  • law enforcement investigations
  • the safety of individuals
  • the government's competitive position
  • research and testing procedures
  • business information of a third party
  • solicitor-client privilege
  • other levels of government (when given in confidence)
  • medical records
  • individual members of the public or federal employees
  • information that other laws, such as the Income Tax Act, prohibit disclosing.

This information must be designated as sensitive if it could reasonably be expected to qualify for an exemption under the access and privacy legislation.

Advice related to designated information must also be assessed for the potential injury its disclosure could cause. It, too, may be designated. However, such information is usually scattered throughout an organization's information holdings, and common sense must prevail in deciding how much and precisely which items merit designation.

Designated information should be marked "PROTECTED".

Designated information also varies in its sensitivity. There are three levels of designation:

  • Extremely Sensitive. When disclosure could reasonably be expected to cause extremely grave injury outside the national interest, for example, loss of life. This applies to a very limited amount of information and very few departments are likely to have this level of designation. This information warrants special safeguards based on an assessment of the threats and related risks.
  • Particularly Sensitive. When disclosure could reasonably be expected to cause serious injury outside the national interest, for example, loss of reputation or competitive advantage.
  • Low-Sensitive. When disclosure could reasonably be expected to cause injury outside the national interest, for example, loss of privacy through the disclosure of an exact salary figure.

Be sure to mark designated information PROTECTED to signal the application of minimum standards, especially when it is sent outside the unit that created or collected it. Departments have the option to use additional markings on designated information to signal the need for additional safeguards. Departments may add letters after "PROTECTED" as follows:

  • Low-Sensitive designated information: PROTECTED A
  • Particularly Sensitive designated information: PROTECTED B
  • Extremely Sensitive designated information: PROTECTED C

Designated Particularly Sensitive Personal Information

As with other sensitive data, personal information should be collected only as required to meet mandates, business, policy and legislative requirements.

Particularly sensitive personal information offers a high risk of theft or loss and thus must be properly identified and appropriately safeguarded. As a manager, you should be aware that certain information about government employees is also sensitive and must receive special protection. Such information includes:

  • an individual's racial or ethnic origin, religious or political beliefs and associations, or lifestyle
  • appraisals
  • medical records
  • conflict of interest declarations.

Bear in mind that you must protect any advice given in making decisions that directly affect individuals.

Designated Cabinet Confidences

Cabinet confidences not classified in the national interest are to be designated. This includes Treasury Board papers:

  • submissions to the Treasury Board
  • aide-memoire
  • extracts from the Treasury Board Minutes
  • Treasury Board Decision Letters
  • Treasury Board Agendas
  • Briefing Notes for the Treasury Board, including precis.

General Considerations

Treat information given in confidence by other governments according to any agreements or understandings negotiated with them. If you receive this type of information, check with your security officer for any special procedures.

Information derived from records that are already classified or designated should normally be classified or designated to match the original information.

Do not classify or designate to conceal violations of law, inefficiency or administrative error, to avoid embarrassment or to restrain competition.

Each organization has a classification and designation guide that specifies types of information (for example, briefing notes to the Minister) and the way in which they should be marked (and therefore protected). Managers should familiarize themselves with this document.

The Security policy stipulates that departments must ensure, through written agreements, the appropriate safeguarding of sensitive information they share with other governments and organizations. Refer to your security office for advice if you are considering sharing information.

Protecting Personnel

The Canada Labour Code makes departments responsible for the safety and health of employees at work. As their manager, you must ensure that employees, especially those whose role may subject them to security threats, are provided with adequate protection. Examples of such roles include front-desk jobs where employees may encounter hostile or emotionally upset members of the public, and high-profile positions where employees may be threatened by severely disturbed persons or publicity seekers. Refer to your security officer for advice regarding appropriate physical protection for employees at work.

Assets other than information

Valuable assets (for example, cash, laptop computers, items of historic or cultural value) or systems critical to a government operation (for example, utilities) are to be designated and safeguarded appropriately.

As a manager, you are responsible for having a complete, up-to-date inventory of assets. Guidance on their designation, classification and safeguarding is available from your security office.

Information Technology Systems

The security of computer and telecommunications equipment and systems requires special consideration. This is due in part to the need to protect sensitive information. It is also due to the significant extent to which many government operations and services are dependent on such information technology.

In addition to protecting the confidentiality of the information on these systems, you must also define the importance that accuracy, completeness and availability play in the management of your information technology systems.

If you have access to a public network such as the Internet, refer to your security office to clarify security requirements related to the Information Highway. Also, a TBS guidance document entitled "The Internet: A Guide to Internet Use in the Federal Government", released in July 1995, is available on the Internet at the following address: http://www.tbs-sct.gc.ca

It is your responsibility to ensure employees are aware that sensitive information must not be transmitted on a public network unless it is protected in accordance with departmental directives.

Before sharing information systems, you must be aware of and comply with the requirements of the Access to Information Act and the Privacy Act, the Management of Government Information Holdings Policy, and your departmental Security Policy. The responsibilities and accountabilities set out in these acts, related regulations and policies apply whether you are the owner, the delivery agent or simply the user of the information on the system. Performance clauses included in contractual agreements must specify these responsibilities and accountabilities for delivery agents within or outside government when sharing information on systems. Refer to your information technology, contracting or security officials for more guidance on shared information systems.

Defining the importance of the availability of information and services is the first step in making plans to resume business within acceptable time and resource limits in the event of loss of data, systems or programs. Contingency planning is a basic responsibility for any manager of operations dependent on computer or telecommunications systems.

Also important is the identification of potentially vulnerable communications systems. The risk of someone overhearing sensitive information on the telephone cannot be ignored in view of the ease with which this can be done. Conversations over cellular telephones are notoriously easy to intercept. Facsimile machines warrant special attention because of the chance of misdirecting sensitive information through an error in transmission.

Help in identifying the security requirements of computer and electronic communication systems is available from your security office, IT security coordinator and communications security coordinator.

What Safeguards are Required?

Managers should review security needs for the information and assets under their control by assessing related threats and risks:

  • Ensure that inventories of information and assets are complete and up to date.
  • Review potential threats. For example, how could sensitive information be lost or changed? What impact would this have on client confidence in your programs? Who would be affected and how?
  • Review safeguards and make adjustments as necessary. These safeguards include administrative, physical or technical safeguards and those that apply to the people who have access to the information, material or system. This review should be done on a regular basis and as required, to be sure of continued effectiveness.

Your security officer will help you carry out this assessment.

Administrative, Physical and Technical Safeguards

Some examples are:

  • written staff responsibilities and security procedures
  • arrangements to resume operations in case of loss of computer-based data or capabilities
  • use of physical barriers, security zones and containers to restrict access
  • use of proper containers and procedures for the secure processing, storage, transmission and disposal of information and other assets
  • use of software, hardware or operating system access controls
  • use of secure telephones.

Telework Security

The government Telework policy enables employees to work at locations other than their official workplace. However, it does not diminish responsibilities for the security of sensitive information and assets. Managers must ensure that employees who telework are briefed on the safe custody and control of sensitive information and assets. They should also know that because of the higher risks, telework should not involve information designated as extremely sensitive or classified as top secret. Consult your security officer for advice and assistance in minimizing the risks inherent to working with sensitive information away from the official workplace.

Personnel Security

Good personnel management requires the examination of the trustworthiness and suitability of all employees to protect the employer's interests. This process usually involves reference enquiries, verification of qualifications and, often, credit and criminal history checks. Until the proper checks or clearances on an individual are complete, a person cannot be appointed to a position or have access to classified or designated information or assets.

Limited access and screening apply whether a person is in an indeterminate position, term position, seconded, on contract or assignment or from an agency.

Types of Personnel Screening

Basic reliability status is the minimum type of personnel screening required for all individuals appointed or assigned to a position for six months or more. It is optional for periods of less than six months. An individual granted this status may have access only to unclassified or undesignated information and assets.

Basic reliability checks are done by verifying personal data, educational and professional qualifications, data on previous employment and references. As well, a name check of criminal records may be required. In cases where a criminal records name check is not conducted, a declaration concerning criminal convictions will be necessary.

Enhanced reliability status is the type of personnel screening required when the duties or tasks of a position demand access to designated information or assets. This applies regardless of the duration of an assignment or appointment. An individual granted this status may have access to, on a need-to-know basis, designated information and assets.

In addition to the basic reliability checks, enhanced reliability status includes a criminal records name check and may require a fingerprint check and a credit check.

It is your responsibility to see that the proper reliability checks are done.

Security clearances are required for anyone who will need access to classified information or assets, regardless of the type of assignment or appointment involved. Assessments to determine security clearances are carried out in addition to a basic or enhanced reliability check.

There are three levels of security clearance. They parallel the three levels of classification:

  • Level I - access to CONFIDENTIAL
  • Level II - access to SECRET
  • Level III - access to TOP SECRET.

Your organization's security office requests security assessments from the Canadian Security Intelligence Service. (The Department of National Defense and the Royal Canadian Mounted Police conduct their own assessments.)

General Considerations for Personnel Screening

The purpose of the security screening is to assess reliability and loyalty, not to verify professional or technical competence.

Personnel screening may be done only with the written consent of the individual concerned.

Personal information is protected under the Privacy Act and cannot be used for security screening without the written consent of the person to be screened. The individual must be advised of the results of the checks and informed of the right of review or redress if the request for clearance is turned down. Your security office has forms and procedures designed to ensure that these requirements are met.

Security screening must be updated regularly - every ten years for enhanced reliability checks and security clearances for access to confidential and secret information; every five years for security clearances for access to top secret information. An individual's screening status may be updated at any time for cause.

When the needs of the position change and the security screening level is no longer needed, the incumbent must be informed that the requirements of the position have changed and that this does not reflect on the person's loyalty or reliability. If requirements change again, reliability status or a security clearance can be reactivated through your security office.

An individual's security screening level may be transferred when moving from one position or contract to another, between contracts or between departments.

Security Awareness and Training

People are the key to a good security program. To play an effective part, however, people must understand and appreciate what is expected of them and what their responsibilities are. This is best achieved where management sets the standard by acting according to its departmental security policy and procedures in its own office and work.

You should ensure that your personnel know how to classify and designate information and assets properly and how to apply the proper security measures. They should be alert to reporting security problems and know how to do this. It is also helpful if they are encouraged to suggest improvements to the system.

Your security officer will be able to help you with written materials, briefings and training.

Security and Contingency Management

There are three aspects of managing security and contingencies: business resumption planning, contingency planning, and planning for security during emergencies.

Business Resumption Planning concerns restoring business operations following an interruption and aims at ensuring the availability of services, programs and operations, including all resources involved, that are essential to your Department's mission. It is your responsibility as a manager to develop and test business resumption plans for the assets under your responsibility, as warranted by a threat and risk assessment (TRA).

Information technology systems warrant attention in business resumption plans if the information processed is considered essential, or if the value of the systems themselves is high. If you are not sure that your area is covered by adequate plans, contact your security office or your emergency planning office for assistance.

Contingency Planning concerns restoring computer operations following an interruption. The purpose is to recover computer operations more easily through such means as backup data and systems, within a period of maximum acceptable downtime. Contingency planning is related to business resumption planning, but is narrower in focus. Departments are required to develop and test contingency plans, as warranted by a TRA.

Planning for security during emergencies may form part of other departmental emergency plans or be included in the departmental security policy and procedures; in either case, you should ensure that your employees are aware of them and are trained to carry them out. You should also ensure they are instructed on their responsibilities for the security of sensitive information and assets in the event of an emergency. Consult your security office for advice.

Breaches and Violations of Security

A security breach refers to the unauthorized disclosure of classified or designated information, or the loss, theft or deliberate damage of designated or classified equipment or material. Security breaches must be reported to the deputy minister or head of agency using your organization's procedures.

Security violations are events that could have led to a security breach but did not. A security violation occurs for instance, when a person:

  • fails to classify or designate information according to the Security Policy
  • classifies or designates information in contravention of the Security Policy
  • alters, keeps, destroys or removes classified or designated information or assets without authorization
  • fails to protect classified or designated information or assets (for example, failure to lock up).

Sanctions, Review and Redress

The deputy minister or head of agency has the discretion to apply administrative or disciplinary sanctions, or both, for security breaches or violations. Sanctions, depending on the circumstances and the record of the employee, may include the removal of their screening status and loss of access to sensitive material, verbal or written reprimand, suspension without pay, and dismissal.

One of the principal objectives of the Security Policy is to ensure the fair and equitable treatment of individuals who have consented to security screening or who are subject to disciplinary action related to security. It is your responsibility, with advice from the security office to ensure that this important objective is met.

Before a negative decision on a reliability check or security clearance is made, the individual must be made aware of the information obtained and be given an opportunity to correct or explain it. Your security office has procedures to follow in such an event.

When a security clearance or reliability status has been denied or when any disciplinary action related to security is taken, affected individuals must be officially informed that they may personally seek a review of their case as follows:

Denial of reliability status:

  • Employees who wish to challenge a negative decision about a basic or enhanced reliability check may do so through normal grievance procedures. All such grievances must go immediately to the final level.
  • Outside candidates who are denied reliability status can complain to the Canadian Human Rights Commission, the Public Service Commission's Investigations Directorate or the Federal Court Trial Division, according to the specifics of each case.

Denial of security clearance:

  • The Security Intelligence Review Committee investigates complaints about the denial of security clearances. Such a review is available to employees, contractors and outside candidates denied a security clearance. Review may also be sought through the Trial Division of the Federal Court.

Disciplinary action:

  • Redress for any disciplinary sanctions, except the removal of a security clearance, can be sought by employees through sections 91 and 92 of the Public Service Staff Relations Act, or the equivalent procedures for those not governed by that Act.

Security in Contracting

The Security Policy applies to members of the private sector working under contract to the government as well as to government employees.

For contracts for which you are responsible, you must determine the security requirements, including physical and technical measures and personnel screening. Contracts must state these requirements and they must be met before access to classified or designated information or assets is allowed.

Some points to note regarding personnel screening are:

  • basic reliability status is required for all contractors and employees of contractors who are under contract for more than six months, who will have access to government premises and who will not have access to sensitive or valuable material
  • enhanced reliability status is required for all contractors and employees of contractors for all contracts that involve access to designated information or assets
  • a security clearance is required for contractors and employees of contractors who must have access to classified information.

Your Role as Manager

The following checklist may assist you in reviewing your security responsibilities as a manager.

  1. Is all sensitive information within your area of responsibility properly classified or designated? Is this set out in a guide book available to staff?
  2. Have all the important or valuable material assets and systems within your area of control been identified?
  3. Have you approved a threat and risk assessment for your area of responsibility?
  4. Have you determined ways and means of continuing operations and services in case of the loss of information or systems?
  5. Have you approved and implemented measures to protect your employees as well as classified or designated information and assets?
  6. Do you inform contracting authorities of the security requirements of work to be performed under contract?
  7. Have you reviewed job descriptions to determine which positions require an enhanced reliability check or a security clearance?
  8. Have you participated in carrying out reliability checks?
  9. Are you sure that the required reliability status or clearance has been granted before individuals start performing their duties or tasks?
  10. Are you sure that your staff are aware of their responsibilities and rights described in the Security Policy?
  11. Do you periodically monitor compliance with the security policy and standards?
  12. And, most important, do you apply your organization's security policy and procedures in your own work?