ESDC Security Code of Practice

The ESDC Security Code of Practice is a best practice guide for use by all employees that provides practical guidance on their roles and responsibilities concerning key areas of security within the Department that align with the Treasury Board Secretariat Policy on Government Security (PGS) and related Directives.

The Code is intended to help support a culture of security awareness and provide a secure environment for departmental employees, information and assets. How can the Code help? It provides information that guides employees on their roles and responsibilities across the many facets of security, in accordance with the Principles of Security.

The Code is not intended to be a complete description of security policies, standards, guidelines or procedures. It is a condensed version of information and tools that underline the important role you play in helping the Department comply with the PGS and meet its security objectives.

  • Roles and Responsibilities - Everyone has a role to play

    The practice of security touches everyone and everything – employees, programs and services, Canadians and our workplace. The management of security is most effective when it is systematically incorporated into the programs, business processes and culture of the organization.

    Knowing and understanding the roles and responsibilities at all levels as well as the collective adherence to the objectives, principles and requirements is essential in having sound security practices. We must strive to embed security into our practices, culture, behaviours and day-to-day operations.

    The following roles and responsibilities will help guide employees and managers on key areas of security.

    • All Employees
      The role and responsibility of an ESDC employee is to:
      • Maintain an awareness of security concerns, issues, and responsibilities to ensure that their actions do not compromise ESDC or Government of Canada security
      • Take the mandatory Stewardship of Information and Workplace Behaviours (SIWB) course and five (5) topic-specific courses identified within the Workplace Effectiveness Program and recertify every two years
      • Comply with security controls to ensure that security requirements are addressed as a component of their day-to-day processes, practices, and program delivery
      • Wear a photo ID/Access card at all times while on site and report any lost or stolen cards immediately to a Manager/Team Leader
      • Escort all visitors (guests, other government department/agency representatives, clients, courier services, etc.) accessing ESDC facilities and politely challenge unfamiliar visitors who do not display an employee photo identification card or temporary visitor's badge
      • Report any suspicious or disruptive behaviour (which may include oral or written statements, gestures, or expressions that communicate a direct or indirect threat of physical harm) or any detected or suspected unauthorized access of personal information or wrongdoing immediately to a Manager/Team Leader, or in the event the manager is involved, to another manager in the chain of command
      • Protect personal information of Canadians by only accessing departmental database information strictly pertaining to assigned workload and duties. Access to personal and sensitive information is on a right-to-know and right-to-access principle
      Security Incidents
      • Report real and suspected security incidents and breaches immediately to their Manager/Program/Regional Lead and/or the Regional Security Office (RSO)
      • If a security incident occurs, take necessary measures to protect individuals, information and assets, ensuring their own safety and security if the incident may involve potential violent or dangerous situations
      • In cases of imminent danger, threats of violence or a serious threat of suicide, contact Emergency Services /911 and advise their Manager* and the Regional Security Office (RSO). (*Only managers with delegated authority can disclose personal information to Emergency Services/911, or to any other stakeholder)
      • Report any incidents of actual violence immediately to 911
      Protection of Information and Assets
      • Protect all personal and sensitive information, in all forms and formats, against loss, theft and unauthorized disclosure, copying, use and modification
      • Safeguard information and assets under their control by applying the proper security requirements as stipulated in ESDC’s Information Categorization Tool in the handling, storage, transmission, release and disposal of such information
      • Safeguard information and assets under their control whether working on- or off-site
      • Store and secure information and assets in accordance with established security guidelines. Protected and classified information must be stored in approved containers within restricted access areas
      • Abide by IT policies and directives by moving electronic information securely and using computers and information technology assets securely
      • Do not upload departmental information to external websites
      • Do not use BlackBerrys™ for communicating or storing confidential or sensitive information
      • Do not send protected or personal information to external e-mail addresses
      • Do not connect personal equipment or devices to the network, workstations or laptop computers
      • Only use departmental-procured and issued USB keys for storage
      • Allow access to sensitive information only to persons with the appropriate security screening level and on a “need to know” basis
      • Safeguard departmental workspace by applying ESDC’s Clean Desk Guidelines
      • Notify their manager of any changes in personal circumstances that may affect the security status or clearance they have been granted. Also notify their manager of any persistent or unusual contact, or of any attempt by another individual to solicit or obtain access to sensitive information, assets or facilities without proper authorization
      • Ensure that disclosed personal information is in compliance with the Privacy Act and other applicable legislation, regulations, policies and agreements
      • Not use social media as an ESDC employee or on behalf of the department, and not openly criticize the department or the Government of Canada
    • Managers
      The role and responsibility of a Manager is to:
      • Ensure the protection of employees and the safeguarding of information, assets and services for which they are responsible, and ensure their own safety in a potentially violent or dangerous situation
      • Ensure employees effectively and consistently apply security and privacy practices in day-to-day activities
      • Apply security controls related to their area of responsibility to ensure that security requirements are part of their day-to-day processes and integrated into business planning, practices, program delivery and management activities (these include but are not limited to administrative and corporate practices, such as Access to Information and Privacy (ATIP), Risk Management, Human Resources, Real Property, Materiel Management, Procurement, Occupational Health and Safety, Information Management (IM), Information Technology (IT) and Finance)
      • Consult with their Regional Security Office on any security risks, concerns or issues
      • Periodically reassess and re-evaluate security risks in light of changes to programs, activities, and services, and take corrective action to address identified deficiencies
      • Monitor and inform the RSO or security practitioner, as appropriate, on the implementation and effectiveness of established controls
      • Monitor compliance with security requirements within their area of responsibility
      • Ensure security requirements are incorporated in contracts for goods and services, in arrangements for sharing information and assets with other organizations, and in service level agreements for obtaining security services
      • If responsibilities include site management, support the RSO in the Threat and Risk Assessment process and the implementation of related recommendations as per established Threat and Risk Assessment Guidelines
      • Ensure employees are aware that they can only access personal information required to perform their authorized and assigned workload and duties
      • Report any detected or suspected unauthorized access to Canadian citizens’ information to the Regional Security Office, their Manager or the Senior Disclosure Officer (SDO)
      Security Incidents
      • Report any real or suspected incident and any security breach to their Regional Security Office and complete the Security Incident Report Webform as soon as possible
      • Support their RSO in the management of security incidents
      • Call Emergency Services/911 if necessary, when the safety and security of an individual is at risk (imminent threat)
      Protection of Information and Assets
      • Ensure that document security categorization within their area of responsibility is being conducted according to departmental policies, standards, guidelines, directives and best practices
      • Ensure security is considered for telework agreements
      • Identify, authenticate and authorize their staff, prior to granting access to information and information technology systems
      • Conduct the required verifications to ascertain the reliability, trustworthiness, integrity and honesty of their employees and ensure procedures for security clearances are followed and adhered to
      • When contracts are required, identify any security requirements and classified or protected information and assets in contractual documentation and other arrangements, and confirm that contractors meet security prerequisites before granting access to government information and assets
      • Provide information, awareness and training on security to their employees as required and ensure employees take mandatory security training and recertification (i.e. Stewardship of Information and Workplace Behaviours (SIWB))
      • Apply mechanisms and processes to ensure information and assets are properly classified and appropriately protected
      • Consult RSO to ensure security is considered when developing an Information Sharing Arrangement with a party outside of the federal government
      • Ensure that employees are using approved secure briefcases or containers for the transportation of Protected C and Classified information. Inform the RSO when new RCMP approved briefcases are purchased in accordance with the Department’s Secure Briefcase Tagging Process
    • Chief Security Officer (CSO)
      The role and responsibility of the Chief Security Officer is to:
      • Support the deputy head's accountabilities under the Policy on Government Security
      • Manage the departmental security program in compliance with the Policy on Government Security
      • Have functional responsibility for security activities in the Department and provide functional guidance and support to the Regions
      • Lead and oversee the development, implementation and maintenance of the Departmental Security Plan
      • Monitor the implementation of security activities within the department and recommend appropriate remedial action to the Deputy Head or senior management committee (as appropriate) to address any deficiencies
      • Ensure that accountabilities, delegations, reporting relationships, and roles and responsibilities of departmental employees with security responsibilities are defined, documented and communicated to relevant persons
      • Establish security governance mechanisms (e.g., committees, working groups) to ensure the coordination and integration of security activities with departmental operations, plans, priorities and functions to facilitate decision making
      • Develop, document, implement and maintain processes for the systematic management of security risks to ensure continuous adaptation to the changing needs of the department and threat environment
      • Monitor changes in the threat and vulnerability environments and the effectiveness of security controls to ensure that they remain current and that corrective action is taken when necessary
      • Evaluate performance on an ongoing basis to ensure that an acceptable level of residual risk is achieved and maintained
      • Implement a quality assurance program to verify that security controls meet departmental security requirements
      • Review and approve the Security Requirements Check List (SRCL) for National and Information Technology (IT) contracts
      Government-wide context
      • Report (as required) security incidents, issues or concerns to lead security agencies and security service providers in a timely manner
      • Coordinate the implementation of mitigation advice provided by lead security agencies and report on the actions taken to the appropriate lead security agency
        • Lead security agencies provide advice, guidance and services to support the day-to-day security operations of departments and enable government as a whole to effectively manage security activities, coordinate response to security incidents, and achieve and maintain an acceptable state of security and readiness (e.g., Treasury Board Secretariat, Privy Council Office, Public Safety, Communications Security Establishment Canada, etc.)
      • Participate in interdepartmental forums and committees, share best practices or lessons learned, and communicate departmental needs for advice, guidance and services, as appropriate
    • Corporate Security Team (NHQ)
      The role and responsibility of the Corporate Security Team in NHQ is to:
      • Coordinate, manage and provide advice and services related to the security activities as part of the Departmental Security Program
      • Provide functional advice, guidance, support and tools as required to Regional Security Offices (RSO) on behalf of the CSO
      • Provide the CSO with expert advice on the application and effectiveness of security activities and controls
      • Develop National guidelines and directives on corporate security
      • Oversee the management and coordination of security incidents, Threat and Risk Assessments and Physical Security Inspections
      • Coordinate advisory activities for security incidents (Communications, ATIP, etc.)
      • Coordinate incident management activities for incidents involving more than one branch or region
      • Report to the CSO on the state of all aspects of departmental security
      • Support the CSO in the development and delivery of security awareness activities and products for employees and managers at all levels
    • IT Security Coordinator
      The role and responsibility of the IT Security Coordinator is to:
      • Manage the IT security component of the departmental security program in compliance with the Policy on Government Security
      • In support of the Departmental Security Plan, monitor the implementation of IT security activities within the department and recommend appropriate remedial action to the CSO or senior management committee (as appropriate) to address any deficiencies
      • Ensure that accountabilities, delegations, reporting relationships, and roles and responsibilities of departmental employees with IT security responsibilities are defined, documented and communicated to relevant persons
      • Develop, document, implement and maintain processes for the systematic management of IT security risks to ensure continuous adaptation to the changing needs of the department and threat environment
      • Monitor changes in the threat and vulnerability environments and the effectiveness of IT security controls to ensure that they remain current and corrective action is taken when necessary
      • Implement a quality assurance program to verify that IT security controls most efficiently and effectively meet departmental security requirements
    • Assistant Deputy Ministers and Regional Assistant Deputy Ministers
      The role and responsibility of an Assistant Deputy Minister and a Regional Assistant Deputy Minister is to:
      • Have administrative responsibility for security activities in a Branch or Region
    • Regional Executive Directors of Integrity Services
      The role and responsibility of a Regional Executive Director is to:
      • Manage the Security Program within their Regions, in consultation with the CSO
      • Report functionally to the CSO on security matters given the CSO’s responsibility for Departmental security activities and their role in providing functional guidance and support to Regions
        • In this context, the functional reporting relationship establishes a connection between the Regional Executive Directors of Integrity Services and the CSO based on the specialized nature of the function (Security) for which mutual responsibility is shared
    • Regional Security Offices (RSO)
      The role and responsibility of a Regional Security Office is to:
      • Manage and operate all aspects of security and emergency management in their Regions by ensuring employees and commissionaires adhere to departmental security and emergency policies and procedures
      • Provide advice and guidance on the appropriate safeguards that are in place to protect personnel, information and assets within their Regions
      • Monitor adherence to departmental and government security policies and procedures
      • Continuously monitor security-related tools and products to ensure that the appropriate safeguards are up to date and department-approved to prevent the risk of compromise/injury
      • Provide managers and employees with expert advice on the application and effectiveness of security controls related to their area of responsibility
      • Coordinate or provide security information, awareness and training to employees and managers as required to mitigate security risks or improve security behaviours within their region
      • Coordinate, conduct and monitor Threat and Risk Assessments (TRA) within their region in accordance with Departmental Guidelines on TRAs
      • Review and approve Security Requirements Check Lists (SRCL) in accordance with the Departmental Procurement Policy
      • Assess security risks and authorize the operation of programs, activities and services for which they are responsible, taking into account the recommendations of the Chief Security Officer (CSO) and/or security practitioner
      • Monitor the implementation and effectiveness of security controls, report accordingly to the CSO or security practitioner as appropriate, and recommend corrective action to address deficiencies identified in performance measurement and evaluations
      Security Incidents
      • Coordinate the management of security issues or incidents within their regions and report them to senior management and the CSO as per established protocols. Also ensure liaison with the employee, team leader/manager and, if necessary, the Security Incident Management Unit (SIMU)
      • Support the CSO in the development of departmental security guidelines, directives or products
      • Report to the CSO on the state of security within their regions, including, but not limited to, Security Posture, Threat Risk Assessments and Physical Security Inspections as per established guidelines and schedules
      Protection of Information and Assets
      • Conduct physical security inspections and apply mechanisms and processes to ensure information and assets are properly classified and appropriately protected
      • Identify any security requirements in contracting and confirm that contractors meet security prerequisites before granting access to government information and assets
      • Ensure security is considered when developing an Information Sharing Agreement with a party outside of the federal government
  • Principles of Security

    The management of departmental security is guided by the department's commitment to the following fundamental security principles:

    • Security as an integral component of strategic and operational planning—and embedded into departmental frameworks, programs, culture, day-to-day operations and employee behaviours
    • Proactive management of security threats, risks and incidents to help protect departmental employees, assets, information and services
    • Continuous assessment of risks and the implementation, monitoring and maintenance of appropriate internal management controls involving prevention (mitigation and safeguards), detection, response and recovery
  • How the Code can help

    By adopting the best practice recommendations in this code, employees and managers will be able to manage security in a fair and responsible manner. The Code will also help to identify the issues that need to be considered when making sound decisions that may affect security practices.

  • Who is Ultimately Accountable?

    The Deputy Minister (Deputy Head) is accountable for the effective implementation and governance of security and identity management within the department.

    The Chief Security Officer (CSO) is accountable for the development and delivery of the Departmental Security Program.