Chapter 6: Handling and safeguarding information and assets
Use this chapter in conjunction with Annex C: Guidelines for safeguarding information and assets.
- 6.1 Overview
- 6.2 Secure environment
- 6.3 Records management
- 6.4 Security markings
- 6.5 Storage
- 6.6 Use of computers
- 6.7 Packaging and transmitting
- 6.8 Transfer of information and assets
- 6.9 Verbal and message communication
- 6.10 Destruction of records
6.1 Overview
When an organization has Public Services and Procurement Canada’s (PSPC) Contract Security Program’s (CSP) authority to possess and store protected or classified information and assets (Subsection 3.2.2: Safeguards), it must have an asset security system that:
- identifies management and employee responsibilities
- defines assets requiring safeguards
- establishes a document registry, which includes maintaining an inventory, reporting and handling security incidents, and maintaining a threat and risk assessment
- details proper personnel and physical security measures
Access to protected and classified information and assets must be limited to persons who have the appropriate security status or clearance and who have a need to know.
These requirements also apply to any foreign classified and North Atlantic Treaty Organization (NATO) classified information, in addition to other NATO requirements (Chapter 10.2: North Atlantic Treaty Organization). The safeguarding principles outlined in this chapter for classified information apply to foreign or domestic government information, as well as to NATO, European Union (EU) and European Space Agency (ESA) classified information.
Improper handling and safeguarding of protected and classified information and assets could result in the suspension or revocation of an organization’s designated organization screening (DOS) or facility security clearance (FSC), or an employee’s security status or clearance, depending on the situation. Revocation or suspension of a DOS or FSC may result in the loss of any government contract requiring the organization to hold a security screening status.
The following sections provide an overview of each requirement for safeguarding protected and classified information and assets. Annex C: Guidelines for safeguarding information and assets provides further details on these requirements and should be read in conjunction with this chapter. These measures apply to any information that is copied or translated, which retains the security categorization level of the original information. Specific instructions on whether information can be copied or translated may be provided in the contract or in bilateral security instruments.
6.2 Secure environment
In an office environment, organizations must use restricted zones to safeguard information and assets. Appropriate security procedures ensure that information and assets are accessed only by persons authorized at the appropriate security level and with a need to know; that they are not left unattended; and that they are recorded, stored and disposed of properly. (Annex C: I. Secure environment)
6.2.1 Security level requirements
The security level determines the requirements for handling, storing, marking and disposing of protected and classified information and assets. Information on the types of security zones is available in Annex B: Guidelines for facility protection.
- Secret and Top Secret information and assets must be processed, stored and destroyed in a security zone unless a threat and risk analysis recommends a higher level of security zone
- Protected C information and assets must be processed, stored and destroyed in a security zone unless a threat and risk analysis recommends a higher security zone
- Confidential information and assets must be processed, stored and destroyed in an operations zone or higher
- Protected A and Protected B information and assets should be processed, stored and destroyed in an operations zone or higher
6.3 Records management
Organizations must have a suitable location, called a registry, to receive, distribute and store protected and classified information and assets.
Organizations must keep records of the dates, names and transactions of all classified information and assets indicating the receipt, distribution, creation, reproduction and destruction within the facility.
All records of classified information and assets and all classified information and assets must be available for inspection by PSPC’s CSP field industrial security officers (FISO). Unless identified in a contract, organizations are not required to keep records of protected information and assets, except for Protected C, which must be recorded in the same manner as classified information and assets.
Using secure registries and implementing proper procedures protects all information and assets. These procedures include treating the registry as a security zone, implementing measures that prevent unauthorized access, and opening, releasing and marking records with the appropriate level of security. (Annex C: II. Records management)
Organizations must keep records of foreign information and assets unless otherwise stipulated in the contract clauses.
6.3.1 Retaining records
When a bid is not accepted, or when the contract is completed or terminated, protected and classified material and assets must be returned to the client department, destroyed using an approved third party destruction company or be destroyed onsite if the organization has an approved shredder as specified by PSPC’s CSP (Chapter 6.10: Destruction of records) or as directed by PSPC’s CSP. Organizations may be authorized to retain such material when approved by the originator through PSPC’s CSP.
Requests for retention authority must identify the material, the period of time and the justification.
If the organization has been authorized to retain related protected and classified information for a specific period after contract completion, details of this authorization must be included with the retention request.
Unless the retention authority is received in writing, protected and classified information must be disposed of according to Chapter 6.10: Destruction of records and instructions from PSPC’s CSP.
6.4 Security markings
Protected and classified information must be appropriately marked using specific procedures and markings according to the level of sensitivity and the type of media, including microforms and electronic storage material.
Markings on international documentation are guided by international security memoranda of understanding, agreements or other international standards and guidelines (Annex C: III. Security markings). Email PSPC’s CSP at firstname.lastname@example.org for advice and assistance.
6.5 Storage
As a minimum, when located in an approved operations zone, protected and restricted information and assets must be stored in locked containers, such as cabinets, safes, vaults and secure rooms, unless otherwise stipulated in contract clauses. Protected C, Secret and Top Secret information and assets must be stored in an approved security container in a security zone (Chapter 5.2: Physical security), in accordance with the Royal Canadian Mounted Police (RCMP) Security Equipment Guide. Classified information at the Confidential level must be kept in an RCMP container, when located in an approved operations zone.
When constructed to the specifications identified in the RCMP’s Secure Storage Rooms Guide and located in the appropriate zones, protected or classified information and assets may be stored on open shelving in a secure room. The FISO will provide advice and must inspect and approve the rooms before use.
Foreign classified information must be stored separately from all other forms of foreign or domestic classified and protected information. Protected and classified information and assets must not be stored in the same container as negotiable or attractive assets.
Organizations are permitted to purchase approved security equipment through PSPC’s CSP. The company security officer (CSO) or alternate security officer (ACSO) should consult with the FISO by email at email@example.com to determine the required equipment. After the FISO approves the order, PSPC’s CSP will process the request, although the invoicing and delivery for the equipment is between the purchaser (the CSO) and the supplier. Examples of equipment available through this procedure are listed in Annex C: IV. Storage.
6.6 Use of computers
A computer, including a portable computer, used for protected or classified information must not be removed from the organization without written permission from the CSO or ACSO. Computers used for protected or classified information must follow the security procedures for storage established by the organization, as well as transport and transmittal standards if they are removed from the organization. Further information about information technology security is available in Chapter 7: Information technology security.
6.7 Packaging and transmitting
When transmitting classified and protected information and assets, organizations must protect them with proper packaging and maintain a record during transit and of delivery. Contact PSPC’s CSP by email at firstname.lastname@example.org for information.
Records of distribution, circulation and return within the facility must include receipt by signature of the persons involved. Persons who have access to classified information and assets must be briefed on their responsibilities for protecting it and any special restrictions concerning its use or further distribution.
Protected and classified information and assets must be packaged and transmitted in accordance with the RCMP’s standards on transport and transmittal of protected and classified information and approved by PSPC’s CSP for international transmittal. Hand carrying and/or bulk shipping specific protected and classified information and assets must follow specific procedures; the FISO will provide advice and assistance.
Organizations can submit their screening forms to PSPC’s CSP by email since it is the organization’s protected information, but if the information is protected in relation to contracts, then the protected information should be encrypted before emailing.
Organizations must have the prior approval of the Canadian Designated Security Authority before internationally transmitting protected or classified information or assets. For more information, contact PSPC’s CSP by email at email@example.com.
6.8 Transfer of information and assets
In Canada, with the exception of Top Secret, Protected C and communication security (COMSEC) material, as well as all NATO and foreign classified information, protected and classified information and assets may be transferred from an organization’s cleared site to another site only if that site has document safeguarding capability (DSC) clearance at the required level. Both organizations’ CSOs and ACSOs must give written permission and use PSPC’s CSP approved method of transportation to exchange protected and classified information. Both organizations’ CSOs and ACSOs must also account for and record the change in the document registry.
PSPC’s CSP must approve the removal and transport of Protected C information and assets and COMSEC material, as well as all NATO, foreign and Canadian classified information at Confidential or above. For more information, contact PSPC’s CSP by email at firstname.lastname@example.org.
6.9 Verbal and message communication
Unprotected telephones or facsimiles cannot be used to communicate information classified above restricted or designated above Protected A. The Communications Security Establishment (CSE) will provide assistance to coordinate secure telephones or facsimiles.
Classified information can only be discussed in a room that has been constructed to ensure nothing is overheard. Any conference rooms used for discussing classified matters must:
- be constructed as a sensitive discussion area (SDA) as stated in the contract
- have sensitive areas located in a security or high-security zone (Annex B: Guidelines for facility protection)
- be safeguarded against acoustic or electronic eavesdropping and must not contain unapproved electronic devices such as telephones, intercoms, radios, or tape recorders
6.10 Destruction of records
As identified in the contract clauses, protected and classified information and assets can either be returned to the client department, destroyed using an approved third party destruction company or the organization can shred onsite if they have an approved shredder. An organization’s shredder will be inspected by the FISO during the DSC inspection if a company indicates that they will be shredding on site. A certificate of destruction is required for classified information.
PSPC’s CSP does not normally retrieve protected or classified information unless stipulated in the contract, requested to do so or in certain cases where the DSC is being revoked.
All foreign classified information must be destroyed in accordance with the contract clauses. Always validate with PSPC’s CSP before destruction of foreign classified information. Foreign Restricted information and assets must also be destroyed in accordance with the requirements established in the contract clauses.
Protected and classified information and assets that have been authorized for destruction must be:
- destroyed by approved destruction equipment, or at a facility with DSC clearance authorized by PSPC’s CSP
- safeguarded according to the highest level of asset involved while awaiting, or in transit to, destruction
- kept separate from other information and assets awaiting destruction
- monitored by an employee with a proper security status or clearance, as applicable

Surplus copies and waste that could reveal protected and classified information must be protected to the appropriate level and should be promptly destroyed.
Destruction of classified information and assets must be recorded on a certificate of destruction form, a copy of which must be forwarded to PSPC’s CSP by email at email@example.com.