ARCHIVED – Chapter 8: Information technology security
This information has been archived and replaced by the Contract Security Manual.
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.
Purpose and scope
- This chapter establishes operational standards in Canadian industry for the safeguarding of government information electronically processed, stored or transmitted. It also applies to the safeguarding of the technology assets
- In addition to these standards, the administrative and organizational, physical and personnel security standards as documented in this manual also apply to the information technology (IT) environment
- The Policy on Government Security and the ARCHIVED—Operational Security Standard: Management of Information Technology Security require that the degree of safeguarding provided by industry be commensurate with the level of the information and assets and the associated threats and risks. Without appropriate safeguards, the confidentiality, integrity and availability of information systems and services may be adversely affected
Roles and responsibilities
Government institutions are responsible for safeguarding protected and classified information and assets under their control. With respect to government contracts with the private sector, the contracting authority is responsible for ensuring that the requirements of the Policy on Government Security are met and that the security standards are applied. The security standards contained in the Policy on Government Security and the ARCHIVED—Operational Security Standard: Management of Information Technology Security are the minimum standards for security in the private sector.
Assessments, advice and guidance regarding these standards are available from Public Services and Procurement Canada's (PSPC) Contract Security Program (CSP).
801. Organization and administration
The organization may be required to appoint a full-time security person to be responsible for IT security depending on the:
- size of the organization's IT facility
- complexity of the IT security portion of the contract(s)
- number of contracts being processed concurrently
Questions regarding this policy are to be discussed with PSPC's CSP.
- Cost-effective IT security depends on planning that takes into account all phases of a system's life-cycle, from creation of the source documentation, through input transaction, communications, processing, storage, retrieval, output and disposal. In addition, plans must incorporate the interrelationship of physical and personnel security with IT security, confidentiality, integrity, and availability requirements. Because of TEMPEST emission security considerations, plans should also address communications security (COMSEC) requirements even if communications links are not involved in the present information system. The application of TEMPEST measures will always be based on a threat identified in a threat or risk assessment
- Any security program consists of an organizational structure and administrative procedures which support the 3 subsystems: physical security, information technology security and personnel security. These subsystems are interrelated. The total effectiveness of the security system depends on the performance, and therefore, the coordinated planning of all subsystems
802. Roles and responsibilities
Public Services and Procurement Canada's Contract Security Program
- Whenever an organization is awarded a contract, through PSPC, to electronically process government information using IT equipment, the field industrial security officer (FISO) will arrange for and coordinate an IT inspection. The FISO will also coordinate an IT inspection for cause
- The FISO will contact the organization directly to discuss and finalize an inspection date. The inspection team may comprise 1 to 5 members and it may take between a half-day and 2 weeks to complete the inspection, depending on the complexity of the contract and other factors such as the level of sensitivity of the data
- Once the IT inspection team has completed their inspection, they will provide a report to the FISO for review. A copy of the report will be forwarded to the organization for action after the FISO has reviewed the report and confirms its findings. The organization must submit an action plan to address how it will implement the recommendations within 30 days of receiving the report, and must report to PSPC's CSP on the status of the outstanding recommendations on a regular basis, usually once a month. PSPC's CSP will issue a call letter to the organization when the inspection update status report is required
- The implementation of recommendations is mandatory, while suggestions represent good business practice. Although implementing a report's suggestions is not mandatory, the organization should eventually implement them
- The contents of the report will not be released outside of PSPC without the express permission of the organization
- If the data requires TEMPEST protection, PSPC's CSP will request that the Communications Security Establishment (CSE) verify its adequacy. This involves either the testing of the TEMPEST compliant equipment or witnessing the final test of the shielded enclosure
- CSE will also provide a report to PSPC's CSP; however, the report only states the status of the equipment or shield and recommends corrective actions, as required. Once the equipment or shield has passed all necessary tests and inspections, the PSPC COMSEC group issues a certificate indicating that the equipment or shield is satisfactory
- PSPC's CSP must approve the prime contractor's IT facility or facilities before processing government information. However, it is the prime contractor's responsibility to ensure that subcontractors are informed of and meet IT security requirements and that upon termination of the subcontract, no residual information is left on the subcontractor's computer(s) or in other areas
- The FISO and CSE, if applicable, will contact the organization (prime contractor) to arrange for and finalize a time frame to conduct their inspection or test
- The organization must arrange to provide a copy of their IT operational procedures and security procedures, organizational charts and list of contact personnel, complete with telephone numbers, for distribution to the IT inspection team during the initial meeting of the inspection. In some instances, the inspection team leader may request a preliminary visit, approximately 2 to 4 weeks before the actual inspection day, in order to meet the staff, tour the facility and pick up any documentation for study
- At the conclusion of the inspection, the IT inspection team will conduct a debriefing session for the purpose of informing the contractor of their findings. The organization should take advantage of this opportunity to clarify any points or discuss proposed solutions. The documentation requested earlier will be returned during the meeting. Where CSE verifies the adequacy of the organization's TEMPEST measures, this will involve either the testing of the TEMPEST compliant equipment or witnessing the final test of the shielded enclosure
- CSE will also provide a report to PSPC's CSP; however, it will only state the status of the equipment or shield and recommend corrective actions as required. Once the equipment or shield has passed all necessary tests and inspections, the PSPC COMSEC group will issue a certificate indicating that the equipment or shield is satisfactory
- PSPC's CSP will subsequently issue a call letter to the organization requesting that it submit to PSPC's CSP an updated status report on all outstanding security evaluation and inspection team recommendations and suggestions. When completing the request for an updated status report, the organization should indicate the status of each recommendation by using key words accompanied by essential detail when necessary. The key words are:
  - implemented: indicating how (by using or upgrading software, hardware, procedures, etc.) the recommendation was implemented
  - active: indicating what is being done by whom, and when the completed recommendation is expected
  - deferred: stating the reason(s) why the implementation of the recommendation has been delayed, and when reactivation to implement the recommendation is expected
  - rejected: giving substantive reasons why no action to implement the recommendation will be taken
803. Requirements for emission security
- The purpose for applying TEMPEST measures to telecommunications or electronic information processing equipment is to protect information from compromise through the intercept and analysis of electromagnetic emissions by unauthorized persons
- PSPC's CSP will determine the TEMPEST measures required on a case-by-case basis, taking into account threat and risk
804. Secure telecommunications requirements
In addition to TEMPEST considerations, an organization which needs to transmit government information over telecommunication links or networks must protect this information through the use of government approved encryption or other government approved COMSEC measures such as approved (physically protected) circuits. PSPC's CSP must be made aware of such requirements as soon as possible. In such cases, PSPC's CSP will provide instructions and directions specific to the communications security systems involved.
805. Security of communications security information and assets
- COMSEC material includes all documents, devices, equipment or apparatus and crypto material used in establishing or maintaining secure communications. Crypto material is all material containing information essential to the encryption, decryption or authentication of communications, including documents, devices or equipment
- An organization which has a validated requirement to hold COMSEC material will be required to establish a COMSEC account with PSPC's CSP and must appoint a qualified COMSEC custodian and alternate COMSEC custodian who together with the company security officer will be held accountable for safeguarding this material
- Because of the special sensitivity of COMSEC material, a comprehensive set of rules and procedures for the handling and physical safeguarding of COMSEC material is provided in the Industrial COMSEC Material Control Manual and the Industrial Security Manual. All organizations with a need to hold COMSEC material must obtain a copy of the COMSEC Support to the Private Sector—Project Managers' Quick Reference Guide, which is available from the CSP