Annex C: Guidelines for safeguarding information and assets
Use this annex in conjunction with Chapter 6: Handling and safeguarding information and assets of the Contract Security Manual (CSM).
I. Secure environment
Organizations must effectively use restricted zones in an office environment to safeguard information and assets. Information about the types of secure zones is in Annex B: Guidelines for facility protection. Appropriate security procedures include:
- respecting the need-to-know principle, having mechanisms to ensure that the proper personnel security clearances are in place, and respecting zone perimeters
- escorting visitors
- securing information and assets when leaving the work area
- discussing information only when in the appropriate zone and with individuals who have a need-to-know and appropriate security screening
- locating equipment, such as shredders, that can be used without leaving information and assets unattended
- performing regular security audits
- preparing and handling Protected C information and assets in a security zone or, if recommended in a threat and risk analysis, in a higher security zone
- storing personnel security screening documentation containing personal information in a separate security file as protected information, not in the organization’s general personnel files
- safeguarding Protected B completed personnel security clearance questionnaires pending transmittal to Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP) and any adverse information regarding an individual
Contracts for statistical studies or surveys involving confidentiality, or other contracts for the collection of personnel information, will contain additional protection provisions.
II. Records management
Organizations must have a suitable location, such as a registry, to receive, distribute, record and store protected and classified information and assets.
Organizations must keep records of the dates, names and transactions associated with all classified information and assets indicating the receipt, distribution, creation, reproduction and destruction within the facility. Organizations may keep records of all foreign Restricted information and assets if the requirement is included in the contract clauses.
All records of classified information and assets and all classified information and assets must be available for inspection by PSPC’s CSP field industrial security officers (FISO).
A. Records office security
For protected and classified information and assets, registries, or parts of them, must follow these procedures:
- be managed according to the highest security category of information being stored
- ensure records employees hold the appropriate security status or clearance
- file and circulate information in file jackets that indicate the contents and are marked according to the highest security category of information kept in it
- manage areas where mail is opened as a security zone or high-security zone
- limit the release of files to employees with the appropriate level of security status or clearance and a need-to-know
- identify personnel with authorized access on an access list approved by the responsible manager (such as the project manager)
- deliver mail marked "to be opened only by the addressee" to the intended recipient directly
- ensure classified mail is opened only by the appointed authority within the facility responsible for its registration
- protect foreign classified information in the same way as Canadian information of equivalent classification and store in a separate container. Contact PSPC’s CSP for further advice and assistance by email at tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca
- implement special precautions to prevent unauthorized disclosure or access to non-Canadian nationals. Foreign classified information and information with restrictive markings such as “for Canadian eyes only” cannot be released to such persons without approval of PSPC’s CSP
- Contact PSPC’s CSP by email at tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca for assistance on any further restrictions regarding international and multinational contracts, programs or projects
III. Security markings
Protected and classified information must be appropriately marked using the following guidelines:
- the size of the letters must be larger than those used in the text of the document
- all materials (background information) used in preparing the documents must indicate the category
- covering or transmittal letters, forms, or circulation slips must indicate the highest level of category or designation of the attachments
- in addition to marking individual pages, documents must be appropriately marked on the outside of both the front and back covers
- every sheet of loose pages must be marked
- images such as charts, maps and drawings must be marked near the margin or title block with the marking clearly visible when the document is folded
- security markings should include the applicable designation and the date at which declassification or downgrading is to occur, if it is determined at the time the information is created or collected
A. Protected and classified information
The following markings must be used for original documents and copies:
- Protected A, B, or C must be written in the upper right corner of the face of the document
- Confidential must be written in the upper right corner of the face of the document. Number each copy, show the copy number on the face of each copy, and maintain a distribution list
- Secret must be written in the upper right corner of each document page. Number each copy, show the copy number on the face of each copy and maintain a distribution list
- Top Secret must be written in the upper right corner of each page and show the total number of pages on all pages (for example, page 2 of 10). Assign a unique whole number to each copy, mark the copy number on each page and maintain a distribution list
- Foreign government, European Union (EU), European Space Agency (ESA), North Atlantic Treaty Organization (NATO) Classified information must be marked with both the foreign classification marking and the annotation to be treated as its Canadian equivalent. More information can be found in Chapter 9: International security of this manual and by contacting PSPC’s CSP by email at dgsssiprojetintl-dobissintlproject@tpsgc-pwgsc.gc.ca.
B. Microforms
Microform is a generic term for any storage medium that contains micro-images. Organizations must implement the following procedures:
- Assign the highest designation or categorization of the information contained on the microform
- Mark protected or classified on microforms containing protected or classified information in eye-readable form, with the microform number and the total number of microforms
C. Electronic storage material
Electronic storage material includes items such as CDs, USB drives, removable hard drives, SD cards, microSD cards, phones, tablets and laptops.
Organizations must implement the following procedures:
- Assign the highest designation or categorization of the information contained on the electronic storage material
- Where possible, the security marking should be in both eye-readable and machine-readable form. If this is not possible, the security marking should be machine-readable
- Removable storage material should bear standard labels. Where bypass label processing is allowed, procedures are needed to ensure that the proper item is loaded into the computer
- Store material in the same manner as paper documents, when not in use
Refer to Chapter 7: Information technology security of this manual for further information.
PSPC’s CSP can provide specific advice on how to mark various forms of electronic storage material by email at ssi-iss@tpsgc-pwgsc.gc.ca.
IV. Storage
At a minimum, Protected A and B information and assets must be stored in a locked container such as cabinets, safes, vaults and/or secure rooms when located in an approved operations zone. Protected C information and assets and all classified information must be stored in an approved security container consistent with the Royal Canadian Mounted Police (RCMP) Security Equipment Guide, when located in an appropriate approved zone (secret, top secret, Protected C minimum security zone). Protected or classified information and assets may be stored on open shelving in a secure room, only after inspection and approval by PSPC’s CSP.
Foreign classified information must be stored separately from other forms of foreign or domestic classified and protected information. Protected and classified information and assets must not be stored in the same container as negotiable or attractive assets.
A. Keys for containers
Keys (devices such as cards, combinations and code numbers used to open and close containers) must be safeguarded at the highest security category of the information or assets to which they provide access. This also applies to recorded information that would allow a key to be produced. The company security officer (CSO) must control access to keys, combinations and code numbers, and keep distribution records.
Assigned keys should be changed at least every 12 months and when those with access to the container are transferred, released or no longer require access. The organization's security office must maintain a record of the dates of, and reasons for, all key changes.
Note
The key must be changed immediately when a container has been or is suspected of having been compromised.
B. Precautions
When protected and classified information and assets are removed from approved storage containers, organizations must ensure that they are not left unattended and that they cannot be viewed, or a discussion of them overheard, by persons not possessing the appropriate level of personnel security clearance or without a need-to-know.
For further advice and assistance, contact PSPC’s CSP by email at tpsgc.ssidie-issiid.pwgsc@tpsgc-pwgsc.gc.ca.
C. Equipment
Organizations required to store protected and classified information and assets are permitted to purchase approved security equipment through PSPC. In consultation with PSPC’s CSP, the CSO or Alternate Company Security Officer (ACSO) should determine the required equipment and submit the equipment purchase form. After PSPC’s CSP endorses the request, it will be processed; however, the invoicing and delivery of the equipment are between the purchaser (the CSO) and the supplier. Examples of the most requested equipment available through this procedure are:
1. Filing cabinet with integral combination lock—Lateral (2-drawer)
Security steel, cap, filing cabinet with integral combination lock—lateral (2-drawer)
- Model: global model FG36-2FCL
- Dimensions: 36 inches wide, 18 inches deep, 26.625 inches high
- NATO stock number: 7110-20-002-8735
2. Filing cabinet with integral combination lock—Lateral (4-drawer)
Security steel, cap, filing cabinet with integral combination lock—lateral (4-drawer)
- Model: global model FG36-4FCL
- Dimensions: 36 inches wide, 18 inches deep, 26.625 inches high
- NATO stock number: 7110-20-002-8736
3. Filing cabinet—Security cabinet (2-drawer safe)
- Dimensions: 19 inches wide, 28 inches deep, 27.375 inches high
- Weight: 250 pounds
- NATO stock number: 7110-21-852-6693
4. Filing cabinet—Security cabinet (4-drawer safe)
- Dimensions: 19 inches wide, 28 inches deep, 51.375 inches high
- Weight: 450 pounds
- NATO stock number: 7110-21-852-6695
5. Locker safe
- Dimensions: 23.125 inches wide, 32.5 inches deep, 51.625 inches high
- Weight: 400 pounds (without cabinet)
- NATO stock number: 7110-21-108-0743
Note
A four-drawer filing cabinet insert for the locker safe is also available.
V. Packaging and transmitting
When transmitting protected and classified information and assets, organizations must safeguard them during transmission with proper packaging, and maintain a record of them while in transit and of their delivery. Contact PSPC’s CSP by email at tpsgc.ssidie-issiid.pwgsc@tpsgc-pwgsc.gc.ca for information.
Records of distribution, circulation and return within the facility must include a signed receipt by the persons involved. Persons who have access to classified information and assets must be briefed on their responsibilities for protecting them and any special restrictions concerning their use or further distribution.
Protected and classified information and assets must be packaged and transmitted in a manner consistent with the RCMP’s Transport and Transmittal Standards of protected and classified information. This includes hand carrying and/or bulk shipping specific protected and classified information and assets. PSPC’s CSP FISOs can provide specific instructions.
For any international document transfer, including hand carriage, you must contact PSPC’s CSP by email at dgsssiprojetintl-dobissintlproject@tpsgc-pwgsc.gc.ca for guidance and approval.