From: http://www.rcmp-grc.gc.ca/html/tss-1-e.htm
+  Thanks to the Royal Canadian Mounted Police  +

In Consultation with others...

This is one of a series of publications on security published by the lead security agencies and central agencies in consultation with departments. The series is designed to help all departments meet the requirements and standards set out in the Security policy and appendices. [Links]

Published by the RCMP in consultation with: Treasury Board of Canada Secretariat , Communications Security Establishment, Information Technology Security Committee.

The Technical Security Standard for Information Technology is protected by Crown copyright; permission is granted to copy and distribute it freely within the Canadian federal government and other levels of Canadian government only.

This document, "Technical Security Standard for Information Technology" (TSSIT), is designed to assist users in implementing cost-effective security in their information technology (IT) environments. The purpose of TSSIT is to set out the detailed administrative, technical and procedural safeguards required in an IT environment in order to implement the requirements of the "Security" volume, Treasury Board Manual, herein referred to as the "Security Policy of the Government of Canada" (GSP).

This document is a technical-level standard for the protection of classified and designated information stored, processed or communicated on electronic data processing equipment. Government information is to be adequately protected through good, basic information management and physical and materiel management procedures.

This technical standard has been developed, approved and issued pursuant to the lead agency role of the Royal Canadian Mounted Police as stated in the guidelines to the GSP. As such, TSSIT is third-level documentation as outlined in the GSP, Chapter 2- 1, "Security Organization and Administration Standard".

As permitted by the GSP, when applying standards, departments may decide, on the basis of a threat and risk assessment and after consultation with the lead security agencies, to substitute alternative measures. When substituting alternative measures, care must be taken not to compromise the consistency and therefore the integrity of government-wide protection measures.

Advice and guidance on applying this standard can be obtained from the departmental security authority and from the lead agencies.

1. INTRODUCTION / 1.1 Purpose / 1.2 Scope / 1.3 Documents / Reference Documents / Related Documents / Related COMSEC Documents / 1.4 General Requirements / 1.5 System Operational Considerations / 1.5.1 General / 1.5.2 Modes of Operation / Dedicated Mode / System-High Mode / Multilevel Mode / 1.6 Security Summary Table / INFORMATION TECHNOLOGY SECURITY SUMMARY TABLE / 2. ADMINISTRATIVE AND ORGANIZATIONAL SECURITY / 2.1 Information Technology Security Organization / 2.1.1 Appointment of Security Personnel / 2.1.2 Responsibilities of Security Personnel / 2.2 Information Technology Security Administration / 2.2.1 Security Policy and Procedures / 2.2.2 Classification and Designation of Sensitive Information and Assets / 2.2.3 Statements of Sensitivity / 2.2.4 Contracting / 2.2.5 Threat and Risk Assessments / 2.2.6 Access Control and Authorization / 2.2.7 Security Logs and Records 2.2.8 Security Investigations / 2.2.9 Security Reviews / 2.3 Integrity and Availability Measures / 2.3.1 Separation of Duties / 2.3.2 Contingency Planning / 2.3.3 Critical Human Resources / 3. PERSONNEL SECURITY / Introduction / 3.1 Security Screening / 3.2 Security Awareness / 3.3 Training of Personnel / 3.4 Transfer of Personnel / 3.5 Termination of Employment / 4. PHYSICAL AND ENVIRONMENTAL SECURITY / Introduction / 4.1 Facility and Equipment Location / 4.1.1 Information Technology Facilities / 4.2 Access Control / 4.2.1 Restricted Zones / 4.2.2 Security Containers / 4.2.3 Methods of Controlling Access / 4.2.4 Methods of Authorizing Access / 4.2.5 Methods of Monitoring Access / 4.3 IT Utilities and Services / 4.3.1 General / 4.3.2 Electrical Systems / 4.3.3 Heating, Ventilating and Air Conditioning (HVAC) Systems / 4.4 Fire Protection / 4.4.1 IT Equipment / 4.4.2 Record Storage / 4.5 Destruction of IT Media / 4.6 Offsite Facilities / 4.7 Transport and Transmittal / 4.8 Evacuation Procedures

1. INTRODUCTION

1.1 Purpose

This document, Technical Security Standard for Information Technology (TSSIT), is intended to assist departments in achieving a minimum level of security for classified and designated information and assets and is based on the principles and requirements of the "Security Policy of the Government of Canada" (GSP). All government information is to be adequately protected through good, basic management procedures and practices. This standard contains both requirements, indicated by use of the word "shall", and recommended safeguards, indicated by use of the word "should".

TSSIT is used by the Security Evaluation and Inspection Team (SEIT) of the RCMP as evaluation criteria for system reviews (computer systems and computer-based networks including local area networks).

1.2 Scope

The level of security established by TSSIT requirements not only protects a department's assets, but also provides assurance that shared assets will receive a minimum level of protection regardless of the location.

Diverse applications and variation in technical implementations make it impractical to provide specific and detailed safeguards for every possible Information Technology (IT) situation. Additional safeguards are to be applied based on a threat and risk assessment (TRA).

Further, the safeguards detailed in this document do not adequately cover the processing of Top Secret information or aggregates of information necessitating a classification of Top Secret. When it is necessary to process such information, a TRA is to be used as the basis for establishing the security requirements and the relevant departmental security authority must be contacted to determine appropriate additional protective measures in conjunction with Information Technology Security Section of the RCMP and other security authorities as required.

TSSIT applies to all government departments listed in Schedule I, Parts I and II, of the Public Service Staff Relations Act, and to the Canadian Forces, the Royal Canadian Mounted Police (RCMP) and the Canadian Security Intelligence Service (CSIS). It also should be applied contractually where government information is processed by the private sector. This can be accomplished with appropriate contract security clauses based on TSSIT.

Consistent with changes in policy or technology, TSSIT will be reviewed and amended as and when necessary. A comprehensive review will be conducted at least every five years.

Questions concerning the application or interpretation of this standard, and suggestions concerning amendments should be directed to your departmental security authority, who may refer such questions and suggestions to:

1.3 Documents

Reference Documents · Access to Information Act · Financial Administration Act · Interim Policy Guide: Access to Information Act and the Privacy Act, Parts II and III · Interpretation Act · Official Secrets Act · Privacy Act · Public Service Employment Act · Public Service Staff Relations Act · Tenants Act · "Security" volume, Treasury Board Manual (Cat. No. BT52-6/3), commonly known as the "Government Security Policy" (GSP). · Guide to the Audit of Security (OCG Guide 406) · Guide to Threat and Risk Assessment for Information Technology (RCMP)

Related Documents

• Treasury Board Manual, Occupational Safety and Health, Fire Protection Standard for EDP Equipment, Chapter 3-3;
• Industrial Security Manual, SSC
• National Building Code of Canada
• Security Equipment Guide, RCMP
• The Canadian Trusted Computer Product Evaluation Criteria, Communications Security Establishment
• Underwriters' Laboratories of Canada Standards

Related COMSEC Documents (available from the Communications Security Establishment).

• CID/01/8 Canadian CCI (Controlled Cryptographic Items) Manual
• CID/01/10 INFOSEC Material Control Manual (Interim)
• CID/09/7A COMSEC Installation Planning (TEMPEST Guidance)
• CID/09/12 Specifications for the Design, Fabrication, Supply, Installation and Acceptance Testing of Radio Frequency Shielded Enclosure

1.4 General Requirements

IT security is the protection of systems, information and services from accidental and deliberate threats to confidentiality, integrity and availability. IT security is considered to consist of seven components: administrative and organizational security, personnel security, physical security, hardware security, communications security, software security and operations security. These components are applicable to all types of systems from personal computers to local area networks, mini-computers and mainframes. Some of the criteria are technology specific but the intent is applicable to all environments. For the purpose of this document, a network is a system consisting of a connection of computers and devices using communications technology. Specific network issues, including architecture, management, interconnection and operating systems, are integral parts of the above components.

The GSP makes departments responsible for the protection of sensitive information and assets, including information technology systems, based on threat and risk assessment and the application of minimum standards. While complete security is generally considered unattainable, cost-effective safeguards can be chosen which will adequately reduce the risks to an acceptable level.

The requirement for security implies the existence of an internal organization consisting of positions with defined responsibilities which are occupied by personnel who have received IT security training and who will be responsible in attending to security concerns. The requirements for such positions will depend on the size of the organization, e.g. in smaller organizations these responsibilities could be carried out as part of the duties of some other function. The fundamental elements of such organizations are defined in Administrative and Organizational Security (Chapter 2).

Security must be predicated on the loyalty and reliability of all personnel involved. The methods to be used in determining such attributes and in ensuring that personnel are made aware of their security responsibilities are contained in Personnel Security (Chapter 3). The physical and environmental requirements which are necessary to isolate the IT environment from extraneous factors are outlined in Physical and Environmental Security (Chapter 4).

Engineering of systems must follow accepted practices to ensure that security features are integrated and that there is a level of assurance or confidence in their effectiveness. Chapters 5 through 8 (Hardware, Communications, Software, Operations) deal with internal security features provided by systems and security management of these disciplines.

1.5 System Operational Considerations

1.5.1 General

It will often be desirable to mix applications and data of different sensitivities on a single system or network. Ideally, it would be convenient to identify explicitly the various mixes of sensitivities which could be accommodated without undue risk in any given type of system. Unfortunately, since the combinations of sensitivity and technical implementations are numerous, identification of such mixes would be virtually impossible. Each individual configuration and mix must be analyzed for appropriate controls.

The primary criterion in the choice of a system must be the acceptability of the others with whom the system resources are shared. It must be assumed that a knowledgeable user will find ways to circumvent normal protective mechanisms if sufficient motivation exists. For this reason, if the other users cannot be identified, or if they are known but are not totally acceptable, sensitive resources should not be shared without the strict controls of a multi-level environment.

Conversely, if all users of a system are known and identifiable and can be allowed to legitimately gain access to any information on the system, they can be considered singly and collectively to be responsible for the protection of the information. The security concern is therefore minimal and efforts can be concentrated on ensuring that unauthorized persons cannot gain access.

Often, while users are all known and acceptable, they cannot be permitted access to all system and data resources because they do not share a common need-to- know. Although security clearance procedures are in effect, they alone cannot be expected to ensure that all users can be explicitly trusted. Furthermore, system isolation mechanisms may fail causing an inadvertent unauthorized disclosure.

In such cases, it is sometimes possible to provide third party intervention between users and the system. While this may have the effect of increasing the number of personnel required, it provides the capability of manually monitoring system use and improving the separation-of-duties concept. The rules under which the third party intervention is applied can be set to match the system sensitivity.

If third party intervention is not possible, then most of the security mechanisms must be based on the automated responses of the system. For example, if the risk in a particular environment is high, then systems with high assurance levels for protective mechanisms should be used.

Finally, one must examine the capability or privileges granted to users. Compensatory controls can be applied to some privileges. For example, the privilege of being allowed to update transactions on a system can be coupled with controls which provide auditability of transactions. However, in general, if users are allowed to introduce instructions into a system by utilizing compilers, assemblers, interpreters or translators, the possibility of deliberate compromise of a system is greatly increased. For this reason, programming should not be allowed on highly sensitive systems during production periods and must be controlled at all times.

It is these conditions which will be assessed in determining the level of information that may be processed on the system without compromising the confidentiality, availability and integrity requirements. The statement of sensitivity, which contains the confidentiality, integrity and availability requirements for an application and the intended user base, must therefore be taken into consideration when determining an acceptable "Mode of Operation" for processing an application.

1.5.2 Modes of Operation

This section describes the three modes of operation. Although the differences in the three modes are based on confidentiality requirements, processing in any given mode also has an effect on the availability and integrity requirements of computer systems and networks.

Dedicated Mode

A system is operating in the dedicated mode when all the following statements are satisfied concerning the users with access to the system, network, its peripherals, remote equipment, or hosts.

• Each user has been subjected to the appropriate level of personnel screening for all information on the system or network.
• Each user has formal access approval and has signed a non-disclosure agreement for all information stored and/or processed on the system or network.
• All users have an operational need-to-know for all information contained on the system or network.

System-High Mode

A system is operating in the system-high mode when all the following statements are satisfied concerning the users with access to the system, network, its peripherals, remote equipment or hosts.

• Each user has been subjected to the appropriate level of personnel screening for all information on the system or network.
• Each user has formal access approval and has signed a non-disclosure agreement for all information stored or processed on the system or network.
• All users have an operational need-to-know for some of the information contained on the system or network.

Multilevel Mode

A system is operating in the multilevel mode when all the following statements are satisfied concerning the users with access to the system, network, its peripherals, remote equipment or hosts.

• Since different levels of information are processed on the system or network, authorized users have been subjected to different levels of personnel screening, depending on the level of information to which they require access. For example, some users may have been screened to Level II (Secret) while others may have been screened only to Reliability.
• All users have been subjected to the proper personnel screening level and the appropriate formal access approval, e.g. signed non-disclosure agreement, for the information to which they have access.
• All users have an operational need-to-know for the information to which they have access.

The selection of safeguards for each mode depends on a number of interrelated factors identified by a TRA, including sensitivity level, user access requirements and external communications. For example, basic safeguards for a system in the System-High Mode processing sensitive information at the Protected-A level would include assignment of security responsibilities, contingency plans, enhanced reliability screening for users, physical access control of servers and work areas, logical access control functionality and controlled dial communications.

1.6 Security Summary Table

Many security components must be considered when processing government information. It is therefore essential that all aspects of the IT environment be evaluated in relation to the security requirements when selecting safeguards. The Security Summary Table, which is intended as a guide only, highlights topics to be considered when determining the safeguards required in an IT environment. The table is a summary of procedural, personnel, physical and environmental, system and communications safeguards. These areas are complementary, and no one area is more important than another.

The three fonts used in the text of the table reflect increasing security concerns within a security area. The regular font, italic font and SMALL CAP font indicate safeguards increasing from basic to more sophisticated protection. There is no ranking or intended order within each font.

Some topics are repeated in different areas in the table, e.g. "Training" and "Access Controls". This repetition indicates the topic is integral to each area in which it is found.

More details on the topics listed in the Summary Table are contained in the various chapters of this document.

2.ADMINISTRATIVE AND ORGANIZATIONAL SECURITY

2.1 Information Technology Security Organization

2.1.1 Appointment of Security Personnel

1. A departmental security officer (DSO) shall be appointed by government departments and by private sector organizations doing contract work for the federal government.
2. An IT security coordinator shall be appointed.
3. An IT security representative should be appointed for each physical location.
4. Departments and private sector organizations with COMSEC concerns shall appoint a COMSEC authority.
5. Security designates should be assigned responsibility for the security aspects of personnel, physical and environment, hardware, software, operations and communications.

2.1.2 Responsibilities of Security Personnel

1. The DSO should have a functional reporting relationship to the Deputy Minister or head of the organization for reporting security issues where warranted.
2. The DSO is responsible for the development, implementation, maintenance, co- ordination, and audit of departmental IT security policies, standards and procedures, to ensure the:

• appropriate security clearances/screening of personnel handling classified/ designated or other sensitive information;
• adequacy of physical security; and
• adequacy of IT security.

3.The IT security coordinator should have a functional reporting relationship to the DSO and be responsible for:

• planning and conducting regular IT TRAs;
• preparing evaluation reports;
• developing IT security procedures, proposals for safeguards and contingency plans;
• as a minimum, annually reviewing IT security measures and contingency plans;
• addressing IT security incidents and ensuring the timely application of corrective measures to prevent possible recurrence;
• participating in the development and testing of IT contingency plans;
• participating in business resumption planning;
• alerting the DSO to potential and actual security problems;
• designing and implementing an IT security awareness program;
• reviewing contracts for inclusion and adequacy of IT security clauses;
• addressing IT security deficiencies found during investigations, reviews, etc.; and
• determining the action to be taken whenever a safeguard is bypassed.

4.The COMSEC authority should be responsible for:

• custody of cryptographic material and custodial records;
• assisting in IT TRAs and ensuring the implementation of any resultant recommendations and/or corrective measures;
• developing COMSEC procedures;
• checking COMSEC practices and correcting deficiencies;
• alerting the DSO to potential and actual COMSEC problems and ensuring that corrective measures are taken;
• instructing personnel handling COMSEC equipment to observe security measures;
• reviewing contracts for inclusion and adequacy of COMSEC security clauses;
• addressing COMSEC security incidents and ensuring the timely application of corrective measures to prevent possible recurrence;
• ensuring the disposal and destruction of superseded COMSEC material as stipulated in current doctrine and procedures; and
• advising on the action to be taken whenever a COMSEC safeguard is bypassed.

2.2 Information Technology Security Administration

2.2.1 Security Policy and Procedures

1. Departments shall develop and issue written IT security policy and procedures.
2. Departments should maintain a reference library consisting of the GSP and TSSIT and documents referenced therein. In addition, the following documents should be maintained:

• statutes affecting the security of information within the department;
• "Fire Protection Standard for Electronic Data Processing Equipment," Treasury Board Manual, Occupational Safety and Health, Chapter 3-3;
• local fire regulations; and
• for private sector only, Industrial Security Manual, Supply and Services Canada, and the COMSEC supplement (where required).

2.2.2 Classification and Designation of Sensitive Information and Assets

1. Each department shall have a classification and designation guide that contains procedures for the classification, declassification, designation and downgrading of IT information and assets.
2. The classification and designation guide should specifically address all types of information processed in the IT environment and be reviewed annually.
3. IT assets shall be classified and designated according to their confidentiality, integrity, availability and value.

2.2.3 Statements of Sensitivity

1. Prior to an application being processed on any computer system, a statement of sensitivity specifying the security classification or designation, availability requirements, and integrity concerns shall be prepared.
2. Statements of sensitivity should be available to persons responsible for the security of the computer system.

2.2.4 Contracting

1. Departments shall specify security requirements in all contracts with external organizations where those contracts affect sensitive IT services, information or equipment.
2. Departments shall use the Security Requirements Checklist (SRCL) to define the security requirements for contracts for which Public Works and Government Services Canada (PWGSC) is the contracting authority. This also applies to call-ups against standing offers where the standing offers or call-ups contain security requirements.
3. When a department is responsible for the security aspects of a contract, it shall check the security status of the contractor with PWGSC and inform PWGSC when the department has determined that the contractor meets the appropriate security requirements. The decision that a contractor meets appropriate security requirements shall be documented.
4. Where departments are the contracting authority, they shall request the Security Evaluation and Inspection Team (SEIT) of the RCMP to determine whether the contractor's IT facilities processing designated or classified information comply with the contract security clauses.
5. Private sector facilities supporting the processing of sensitive government information, or supporting an essential government service should be required by contract to ensure that:
   • employees are completely aware of their security obligations, and
   • to the degree possible, services will continue during periods of labour unrest.
6. Where information to be processed at facilities controlled by a contractor could be subject to conflict of interest, contracts should clearly specify the nature of the information to be processed and should require the contractor, its management, key officials and IT employees to declare that there is no actual or potential conflict of interest.

2.2.5 Threat and Risk Assessments

1.TRAs that address all IT systems shall be prepared and maintained. Those TRAs shall outline existing and proposed safeguards and describe threats and risks of which account has been taken.

2.2.6 Access Control and Authorization

1.Access privileges to system and information resources shall be authorized and controlled for:

• users,
• operations personnel,
• maintenance and support personnel, and
• systems analysis and programming personnel.

2.Departments shall ensure that, prior to being granted access to system and information resources, each individual shall sign a witnessed and dated acknowledgement that a specific dated version of the rules and regulations governing such access has been read and agreed upon. This acknowledgement shall be maintained for a minimum of one year after the employee terminates employment.

3.Rules and regulations associated with access to system and IT resources should stipulate:

• that system and information resources be used only in direct support of authorized departmental projects, together with explicit exceptions if required;
• the authority required to produce or modify IT executable instructions (e.g., software, command procedures, configuration control);
• the responsibilities (accountability) respecting the use of user-IDs, passwords, and access control items such as encryption keying material, keys, tokens, locks, and access cards;
• the authority required to modify, delete or add to production information;
• the authority required to access any information or software entity;
• restrictions in the movement, maintenance and use of TEMPEST equipment;
• the authority required to add, move or change communications equipment or software (Note: This authority will be the COMSEC authority for classified or otherwise sensitive communications);
• responsibilities respecting the reporting of security incidents;
• restrictions which limit an individual's access to specific locations, times, systems, files and programs (transactions);
• responsibilities respecting copyright-protected programs and data;
• the authority required to remove hardware, communications, or software products from the premises (both permanently and temporarily);
• responsibilities respecting the backup of critical programs and data;
• that all software and hardware be examined for malicious code, e.g. viruses, prior to initial use;
• that all use of departmental computer systems can and will be monitored for compliance with the rules and regulations; and
• that any violation of the spirit or intent of the rules and regulations can lead to loss of privilege and/or employment, and/or legal action.

4. Mechanisms and procedures shall be implemented to audit compliance with the rules and regulations governing access to system and information resources.

2.2.7 Security Logs and Records

1. A current list of those personnel authorized to access systems and information resources shall be maintained.
2. Departments shall identify and document:

• the types of security activities and events to be monitored,
• the method of determining how activities and events are to be monitored,
• the type of records to be kept, and
• how and when the security information is to be reported.

3.All suspected security incidents affecting the IT environment shall be recorded and reported to the appropriate authority.

2.2.8 Security Investigations

1. Departments shall define the type of event or activity which constitutes a security incident.
2. Departments shall document and issue procedures to be followed by an employee who observes or becomes aware of a security incident.
3. Security incidents shall be investigated and records maintained on each case. Security incidents that constitute a possible breach shall be reported to the Deputy Head.

2.2.9 Security Reviews

1.Departments shall request reviews of their IT security programs by the Security Evaluation and Inspection Team (SEIT) of the RCMP to determine the security status of their IT facilities.

Departments shall request SEIT reviews according to the following schedule:

ITS programs involving:

• Classified and extremely sensitive designated information- every 3 years
• All other designated or otherwise valuable information- every 5 years

· A review shall be requested immediately following a major security incident.

· A review shall be requested immediately, for cause, based on the following security-relevant major events in the system life cycle:

• physical move,
• reconfiguration,
• change in communication controls,
• change in sensitivity of information processed, or
• change in operation.

SEIT will conduct a preliminary review, including a review of any previous SEIT report, the results of which will determine whether a full review is to be carried out, consultation given or such other action taken as is applicable, e.g. further follow-up on a previous SEIT report.

2.Departments shall, within six months of receipt of the SEIT review report, inform SEIT of their plan to deal with identified problems. Departments will provide SEIT with an annual progress report until all recommendations are successfully completed.

3.Departments shall conduct and document an annual security review of IT-related activities.

2.3 Integrity and Availability Measures

2.3.1 Separation of Duties

1. Departments shall ensure, to the extent possible, that responsibilities are separated in such a way that no individual has complete control over related critical IT operations. For example, the following duties should be separated: programming, equipment operation, testing and production.
2. Departments should ensure, to the extent possible, that no individual performs all aspects of a critical process. For example, the functions of data input and processing should be separated.
3. Employees with privileged access shall be trained and their activities monitored to ensure the appropriate security is maintained during their periods of access.

2.3.2 Contingency Planning

1. Departments shall define and document, based on statements of sensitivity, the essential levels of service and the maximum acceptable periods of downtime for IT systems.
2. Departments shall assign a processing priority to application systems for the purpose of determining service continuity and backup requirements.
3. Plans shall be developed, documented and maintained to ensure the essential level of service will be provided following any loss of processing capability or destruction of the facility. Plans shall cover onsite and offsite recovery and, as a minimum, consider:

• recovery from any failure to the system and information resources;
• re-establishment of the IT services, following destruction of the facility providing those services, using none of the systems and information resources contained within the primary facility;
• forced evacuation of the facility;
• strikes in the public and private sectors;
• bankruptcy of critical suppliers;
• loss of critical support systems; and
• identification of essential systems, information resources and personnel.

4.Where plans require the use of facilities not under the control of the department, formal agreements or contracts for the use of such facilities shall be established and reviewed annually.

5.Departments shall ensure that the implementation of contingency plans does not compromise confidentiality or integrity requirements.

6.Current copies of all contingency plans, procedures and agreements shall be maintained in at least two geographically-separate locations.

7.Contingency plans should be tested annually to the extent practicable and remain consistent with security.

2.3.3 Critical Human Resources

1. There should be sufficient alternate trained personnel to assure the confidentiality, integrity and availability of critical systems.
2. Employees required to support an essential level of service shall be identified on an up-to-date list and this list shall form part of the contingency plans.
3. Employees identified to take an active role in contingency situations shall receive training and practice in their assigned duties.
4. A list of employees whose duties are necessary in the interest of safety and security of the public shall be maintained.

3.PERSONNEL SECURITY

Introduction

This chapter establishes criteria for implementing personnel security within both federal government departments and firms subject to federal contracts. It is based on the premise that the security screening process will have been conducted in accordance with the GSP, Chapter 2-4, Personnel Security Standard.

Special attention to personnel security is required where access is granted to sensitive IT systems, information or assets. Extensive holdings of sensitive information are stored on IT systems and media. The sheer volume and availability of this information are only two reasons why the information is more vulnerable, thus requiring additional personnel security measures.

3.1 Security Screening

1.Managers are responsible for:

• verifying that the appropriate security screening type and level has been specified for each position or contract, according to the highest level of sensitivity of IT systems, information or assets which might be accessed by the person occupying that position or performing the contracted duties;
• ensuring that personnel and contractors have been security screened to the level specified for their position or contract prior to authorizing their access to sensitive IT systems, information or assets;
• maintaining a current list of positions requiring access to sensitive IT systems, information or assets, the screening levels specified for the position, and the actual screening level granted to personnel occupying the positions.

2. If new duties or tasks require an individual's personnel screening level to be:

· higher, departments shall:

• make administrative arrangements to ensure that access to higher level information occurs only after the appropriate screening process is successfully completed;
• remove the person from those functions if the higher level is denied; and
• reflect these changes in a Security Screening Certificate and Briefing Form (TBS 330-47).

· lower, departments shall:

• inform the individual of the new access requirements of the position or contract;
• reflect these changes in a Security Screening Certificate and Briefing Form (TBS 330-47), or Administrative Cancellation Form (TBS 330-25).

· reactivated after a previous lowering, the original status or clearance:

• may be reactivated according to Section 4 of Chapter 2-4 of the GSP, "Personnel Security Standard;" and
• if reactivated, shall be reflected in a Security Screening Certificate and Briefing Form (TBS 330-47).

3.2 Security Awareness

1. Departments shall document and implement a security awareness program. To ensure that IT security concerns are appropriately addressed, it is important to have coordination between the DSO, IT security coordinator, managers and human resources personnel.
2. A security awareness program should inform personnel of the following items:

• security features and vulnerabilities specific to IT systems in use;
• new security issues;
• security violations;
• procedures for reporting security breaches, violations or concerns;

through such means as;

• properly-documented IT security briefings;
• security notices, pamphlets, posters, and signs;
• security videos.

3. Security briefings shall be given to personnel and contractors who will have access to sensitive IT systems, information or assets. These briefings should include:

• the access requirements of their position or contract;
• their authorized security screening level;
• their responsibilities for safeguarding sensitive information and assets;
• relevant sections of other legislation applicable to their duties;
• departmental IT security rules and regulations.

4. Conduct security briefings in person, where possible, and include a written document outlining the contents of the briefing and date given. The document should be signed by the person briefed indicating receipt of, and agreement to, its contents.

3.3 Training of Personnel

1.Personnel shall be trained on IT security principles, features and vulnerabilities of sensitive IT systems, information or assets. This training should be designed for various personnel, such as IT security coordinators, system administrators, and system users.

3.4 Transfer of Personnel

1.Procedures shall be documented and implemented to ensure that when personnel or contractors are transferred by appointment, assignment, deployment or secondment, all access privileges to IT systems, information or assets are reviewed, modified or revoked accordingly.

3.5 Termination of Employment

1.Procedures shall be documented and implemented to ensure that prior to termination of an individual's employment or contract:

• the individual is debriefed on continuing security responsibilities;
• access privileges (system passwords, user IDs, combinations etc.) to systems, restricted zones, and IT facilities are revoked; and
• all sensitive security-related items (badges, keys, documents etc.) issued to the individual are retrieved.

4. PHYSICAL AND ENVIRONMENTAL SECURITY

Introduction

This chapter establishes physical and environmental security criteria intended to protect sensitive IT systems, information or assets. Environmental security includes both utilities and services supporting IT and, by extension, the security of those utilities and services.

IT systems and media contain concentrated amounts of information and therefore warrant special attention. Areas housing IT systems may require additional physical security safeguards.

An IT facility is the setting used for the location of IT assets such as mini-computers and mainframe computers, LAN servers and telecommunications centres.

4.1 Facility and Equipment Location

4.1.1 Information Technology Facilities

1.Minimize risks to IT systems by choosing facility locations with due regard for such threats as: floods and earthquakes, electromagnetic interference and emanations, criminal activity and industrial accidents. Also consider the ease and effectiveness of controlling access in multi-tenant or public buildings.

For detailed information on site selection, refer to Guide to the Preparation of Physical Security Briefs, SSB/SG-25.

2.Where site selection cannot compensate for identified risks, identify perimeter security measures. Such measures can include fences, walls or other barriers, and the removal of trees, embankments, or other obstructions that could be used to carry out an attack.

3.Areas containing sensitive IT systems, information or assets should be located so as to minimize exposure to threats such as:

• fire, flooding, water damage, corrosive agents and smoke from adjacent areas;
• explosion or shock; and
• undesirable, externally-generated electromagnetic radiation.

4.In addition to locating sensitive equipment in appropriate restricted zones, (see 4.3.1) consideration should be given to the positioning of the equipment within the zone to prevent unauthorized overview. This can be achieved by:

• facing monitor screens away from windows or adjacent areas; and
• appropriate placement of printers, fax machines, and other peripheral equipment.

5.Where the use of shielded enclosures is necessary, compliance with the requirements of Specifications for the Design, Fabrication, Supply, Installation and Acceptance Testing of Radio Frequency Shielded Enclosures (CID/09/12) is mandatory.

6.Where the use of TEMPEST-compliant equipment is necessary, compliance with the requirements of COMSEC Installation Planning (TEMPEST Guidance) (CID/09/7A) is mandatory.

7.TEMPEST-compliant equipment shall, if possible, be installed and operated in a dedicated restricted zone, established as a Security Zone at a minimum, and separated by physical barriers from adjacent areas.

8.If the TRA does not support a dedicated restricted zone for TEMPEST-compliant equipment:

• the equipment shall be installed in a cabinet designed for such a purpose; and
• the cabinet shall be locked when the equipment is not being used.

9.To prevent compromise of the TEMPEST-compliant equipment or information by unauthorized overview or physical access, the equipment shall be positioned:

• with monitors facing away from windows or adjacent areas; and
• with printers, fax machines, and other peripheral equipment located in the appropriate restricted zone.

10.TEMPEST-compliant equipment shall not be moved or tampered with after installation and testing without the approval of the appropriate COMSEC authority.

4.2 Access Control

4.2.1 Restricted Zones

1.Departments shall establish the appropriate type and number of restricted zones for the location of sensitive IT systems, assets, information and supporting utilities. These utilities and services include: heating, ventilating and air conditioning systems (HVAC), electrical, uninterruptible power supply (UPS), and fire protection systems.

Rooms specially designed for such IT assets as mini-computers and mainframe computers, LAN servers, and telecommunications centres must also be managed as restricted zones. Such rooms will be referred to as IT facilities.

2.Access to restricted zones shall be controlled, authorized and monitored as appropriate to the zone.

3.Maintenance and service personnel, such as customer-engineers, electricians and plumbers shall, when servicing sensitive IT systems, be properly escorted and supervised by someone responsible to the department with enough background, training or qualifications to understand the risks associated with the work being done and provide assurance that only authorized access to sensitive information or assets takes place.

4.Signs or other information revealing the purpose or location of restricted zones as they relate to sensitive IT systems, information or assets should not be posted in areas accessible to the general public such as lobbies, waiting rooms and reception zones.

5.If signs are used to identify restricted zones, they should:

• denote the established restricted zone (Operations Zone, Security Zone, High-Security Zone);
• be prominently posted at all entrances to the zones; and
• meet the requirements of the Federal Identity Program Manual.

4.2.2 Security Containers

1. Sensitive IT media or assets shall be stored in locked containers that are located in the appropriate restricted zone. An exception is where a restricted zone is also an appropriate type of secure room and additional containers may not be necessary.
2. If environmental or fire protection concerns exist, appropriate containers should be used for both the onsite and offsite backup storage of sensitive IT media.
3. Keys and combinations for containers storing sensitive information or assets shall be issued only to authorized personnel and be properly controlled.

For further information on keys and containers refer to:

• Security Equipment Guide, SSB/SG-20.
• Construction Specifications, Secure Room C, SSB/SG-23.
• Construction Specifications, Secure Room D, SSB/SG-22.
• Chapter 2-2, GSP, "Physical Security Standard".

4.2.3 Methods of Controlling Access

1. Appropriate methods for controlling access to restricted zones include:

• installing electronic access controls, mechanical combination locksets, or deadbolts; and
• limiting the number of entry points to the minimum required by fire regulations.

4.2.4 Methods of Authorizing Access

1. A list shall be maintained of persons authorized to access rooms specially designed for such IT assets as mini-computers and mainframe computers, LAN servers, and telecommunications centres.
2. Access records shall be maintained of all persons accessing IT facilities processing Secret or Top Secret information on the following basis:

• for personnel authorized to work there, at the start and termination of a scheduled work shift;
• for all other individuals, upon every access and departure.

3.Access records maintained for restricted zones should include the following details to be meaningful for security audit purposes:

• the name of the person entering;
• the person's employer or affiliation;
• the name of the official authorizing entry;
• the restricted zone entered;
• date and time of entry;
• date and time of departure; and
• if required to verify identity, the specifics of any documentation produced such as a driver's licence or departmental identification card.

4.Access records maintained for restricted zones shall be reviewed by security personnel and retained for at least one year from the end of the current calendar year.

4.2.5 Methods of Monitoring Access

1.Access to Security and High-Security Zones shall be monitored. Access to Operations Zones should be monitored periodically based on a TRA. Monitoring methods can include:

• operational personnel working in the area,
• security guards,
• electronic intrusion detection (EID) systems,
• closed circuit television (CCTV) systems, and
• electronic access control (EAC) systems with recording capability.

2.An identification card should be issued to employees and contractors requiring access to IT facilities. Approved identification card specifications include:

• name and signature of cardholder,
• facial-view colour photograph or digitized image of cardholder,
• name of issuing department,
• issuing officer's signature,
• expiry date (maximum five years from issue date), and
• pre-printed serial number unique to the card.

3. Departments implementing an identification card or access badge system for facilities shall establish procedures for:

• issuing and retrieving cards and badges;
• reporting improper use, damage, loss or theft of cards or badges;
• retrieving cards or badges upon termination of employment or contract, expiration or damage;
• maintaining an inventory of issued cards and badges;
• withdrawing cards or badges for cause (e.g. a higher screening level required, employee suspended or being investigated);
• providing physical protection for blank cards, badges, and the equipment used to produce them;
• destroying all expired or damaged cards and badges; and
• preventing the removal of access badges from the facility or any restricted zones when supported by a TRA.

4.Records pertaining to the issue and retrieval of identification cards and access badges shall include the following information:

• date of issue;
• identity of the bearer;
• control number of card or badge;
• expiration date of card or badge; and
• the security screening level of the bearer, if a TRA indicates this is applicable for the facility.

5.Records shall be maintained documenting the issue and retrieval of security- related items such as:

• keys,
• door access codes, and
• padlock combinations.

6.All persons authorized to enter restricted zones should be issued, and required to wear, an approved access badge (building pass or recognition badge).

7.Access badges should meet the following minimum requirements:

• be visually and uniquely associated with the applicable restricted zone or facility;
• visually indicate the status (employee, visitor, trades person) and access privileges (e.g. Visitor - Escort Required) of the bearer;
• display a badge control serial number;
• be sealed in a tamper-proof enclosure (laminated);
• identify the issuing department by name or logo, not by address; and
• for employees, bear a facial view photograph or digitized image of the bearer.

For further information refer to Identification Cards / Access Badges, SSB/SG-27.

4.3 IT Utilities and Services

4.3.1 General

1. Maintenance procedures consistent with the manufacturers' specifications shall be documented and implemented for environmental support equipment such as electrical systems, HVAC systems, UPS systems, and fire protection systems.
2. Records shall be maintained of all environmental support equipment maintenance activities and these records shall be:

• retained for a minimum of one year; and
• reviewed at least annually to ensure that the maintenance performed is consistent with that recommended by the manufacturer.

3.Procedures shall be documented and implemented to ensure that all environmental support equipment faults are:

• brought to the attention of staff responsible for the operation and maintenance of the computer system; and
• recorded by such staff, including the action taken and the final resolution of the faults.

4.All changes to environmental support equipment shall be centrally controlled, authorized and documented.

5.Rooms housing utilities and services supporting IT equipment, and exterior air intakes located outside restricted zones established within a facility, shall be protected according to the TRA.

4.3.2 Electrical Systems

1. Utility service lines (hydro, water, gas, oil) providing support to IT facilities should enter the building underground or be physically protected by other means, such as enclosing exposed hydro lines in conduit, installing barriers around water and gas mains or meters, and locking fuel tank inlet pipes.
2. Services supporting IT equipment, such as power distribution panels, communications and telephone closets, and HVAC systems, when located outside restricted zones established within a facility, shall:

• be appropriately secured by such measures as locks; and
• have access limited to persons with a functional requirement for access.

3.Electrical systems for IT facilities shall conform to the "Fire Protection Standard for Electronic Data Processing Equipment", Treasury Board Manual, Occupational Safety and Health, Chapter 3-3. Primary areas include:

• power supply cables,
• exposed wiring and cables in plenum and underfloor spaces,
• service transformers,
• power disconnection for IT equipment in a computer room,
• uninterruptible power supply system (UPS),
• enclosures for unsealed-type battery banks for UPS,
• electrical conductors between IT equipment and UPS if located in different fire compartments, and
• emergency lighting for computer rooms.

4.Power services for IT equipment shall be consistent with manufacturers' specifications, and where necessary, equipped with power conditioners capable of providing a stable power supply.

4.3.3 Heating, Ventilating and Air Conditioning (HVAC) Systems

1. HVAC systems servicing government computer systems shall conform to the "Fire Protection Standard for Electronic Data Processing Equipment", Treasury Board Manual, Occupational Safety and Health, Chapter 3-3.
2. Computer systems considered either essential or non-essential but of high value (exceeding $1 million), as defined in the "Fire Protection Standard for Electronic Data Processing Equipment", Treasury Board Manual, Occupational Safety and Health, Chapter 3-3, shall have air conditioning units that provide:

• continuous monitoring and recording of temperature and humidity; and
• appropriate signalling of deviation from acceptable levels of temperature and humidity.

3.External openings for HVAC systems shall be screened or filtered to protect against the insertion of hazardous objects or the intrusion of pollutants.

4.Where criticality of service is a concern, redundant air conditioning capacity should be provided.

4.4 Fire Protection

4.4.1 IT Equipment

1.Computer systems considered either essential or non-essential but of high value (exceeding $1 million), shall comply with the requirements of the "Fire Protection Standard for Electronic Data Processing Equipment", Treasury Board Manual, Occupational Safety and Health, Chapter 3-3.

4.4.2 Record Storage

1.Records stored and handled in IT facilities shall be managed according to the requirements set out in Record Storage, FC 311(M), including:

• limit the number of records kept to the minimum daily requirements and store these in closed metal containers or cabinets;
• if essential to operations, store records in containers having a fire-resistance rating of at least one hour;
• store master records, from which operating or current records can readily be reproduced, in a different fire compartment, or offsite in containers having a fire- resistance rating of at least one hour; and
• where the retention of data on IT media is a requirement, after each periodic updating, store the previous record or generation of data in an approved record- storage facility.

4.5 Destruction of IT Media

1. IT media containing sensitive information shall be destroyed in an approved manner, using equipment listed in the Security Equipment Guide, SSB/SG-20. Destruction methods include shredding, disintegration, and incineration.
2. While awaiting destruction or in transit to destruction, IT media containing sensitive information shall:

• be safeguarded according to the highest sensitivity of the information; and
• be kept separate from non-sensitive media.

3.The destruction of IT media containing sensitive information shall be monitored by an employee with a security screening level at least equal to the highest sensitivity of the information.

For further information on destruction, see these documents:

• TSSIT, Operations Security, Media section.
• Physical Security Standard, Destruction section, Treasury Board Manual "Security" volume, Chapter 2-2.
• Security Equipment Guide, SSB/SG-20.

4.6 Offsite Facilities

1. Departments shall document and implement plans to ensure that physical and environmental safeguards available at offsite facilities provide at least the same level of security as at the primary site. Such offsite facilities can include those used for storage of sensitive IT media, or as backup facilities for critical services.
2. Offsite storage or backup facilities should not be subject to the same physical and environmental threats as the primary site.

4.7 Transport and Transmittal

1. The transport and transmittal of sensitive IT media and assets shall conform with the Standard for the Transport and Transmittal of Sensitive Information and Assets, SSB/SG-30.
2. IT media such as tapes, diskettes, cartridges and hard drives should be adequately packaged, transported and transmitted to protect against rough handling, tampering, and environmental threats such as extreme heat, cold and humidity, all of which can damage or destroy the media itself as well as the sensitive information resident on it. Protective measures include:

• securely packing bulk quantities of IT media in solid containers (usually plastic) designed for that purpose;
• packaging diskettes and cartridges in hard-covered sleeves or cartons before wrapping;
• adequately securing containers with ties (plastic or metal) which cannot be opened unless broken, or with padlocks; and
• using vehicles with adequate temperature and humidity controls.

4.8 Evacuation Procedures

1.Evacuation procedures for IT facilities shall be documented to ensure personnel safety and to maintain security of sensitive information and assets during and following evacuation. Evacuation procedures should include:

• circumstances under which evacuation is to be implemented,
• a list of facilities or restricted zones subject to these procedures, and
• names and specific security duties of personnel delegated responsibilities during evacuation.

2. Evacuation procedures for IT facilities shall be distributed and regularly tested to ensure that:

• assigned personnel are familiar with their duties,
• existing procedures are adequate, and
• security is maintained during and following evacuation.