Assigned Seating

  ID and Access Cards

ID and Access Cards

Be sure to check your ID and Access cards for validity before coming to the office

New request or Renewal:

• If your ID Card is expired, or you require a new one, complete the ADM5014 form (PDF, 171 KB) (opens new window) form.
• First time employees will be required to present a valid identification document (e.g. driver's license, passport, etc.)
• In the NCR, once completed, present your expired card and the completed form (hard copy or electronically) to the Identification and Access Office (140 Promenade du Portage, Gatineau, Phase IV, Level 0, Section A) between 7:30 am and 4:00 pm.
• The manager-approved form can then be submitted. If an employee doesn't have access to a printer, the manager will have to send the completed and signed ADM5014 form (PDF, 171 KB) (opens new window) to nc-fas-sfa-id_card-carte_identitee@hrsdc-rhdcc.gc.ca. Forms sent electronically will only be kept for 5 days.
• Anywhere else:
  • Atlantic Region: Email the completed ADM 5014 to the Atlantic Regional Security  along with the information in the "How to Request an ID Card (DOCX, 25 KB)" document located in the Regional Internal Integrity and Security page.
  • Quebec – submit the completed ADM 5014 to the Quebec PERSEC General Inbox qc-diis-iisd-secper-persec-gd@servicecanada.gc.ca
  • All other Regions – your manager is responsible for submitting the completed form to your Regional Security Officer

  Working With Sensitive Information

If you are working in the traditional office, follow the guidelines in the Information Categorization Tool

  Emailing Protected B Information

Emailing Protected B Information

Sending Protected B Information

• Employees are not allowed to send Protected A or B information to their personal email address for the purpose of working offline
• When sending protected information by e-mail, always double-check the recipient(s) you are sending the information
• Encrypt any Protected B emails if you are sending it outside the department

When sending to an internal (within ESDC) email recipient:

• Protected B information can be sent using Outlook after ensuring that the recipient is an ESDC employees with a valid reliability security clearance
• Always double-check that you are sending the information to the correct e-mail address
• Even when sending Protected B information internally, it is always a best practice to encrypt your e-mail, if possible

When sending to an external (outside ESDC) email recipient (effective February 9, 2021):

• Use Entrust to encrypt emails that include Protected B information and that are being sent outside the departmental firewall; the recipient should also use Entrust to decrypt received email
• Always double-check that you are sending the information to the correct e-mail address and that the recipient has the required security clearance
• If sending email with encryption is not possible:
  • Transfer all Protected B information into a password-protected document. (The Protected B information being sent externally cannot be in the body of an e-mail, it must always be in a password-protected document.) For example, if you were trying to email a PDF, you could copy and paste the PDF into a Microsoft Word Document, then password-protect the Microsoft Word Document.
  • Double-check the e-mail address and send the password to the recipient in a separate e-mail or by phone
  • Send the password-protected document to the recipient

Note: If you send a high volume of Protected B information externally on a regular basis, you may want to consider using E-Post (information on E-Post can be found as another option in the Information Categorization Tool)

  Secure Online Collaboration

Secure Online Collaboration

Online services and applications are great for collaboration and communication; however, there are security risks associated with some of them. ESDC has the 4 department-approved video conferencing software (Skype , WebEx, Virtual Meeting Room or Microsoft Teams)

When signing up or creating your account:

• Do not use the same password as your network password (the one you use to log on to your work computer) - use a different password for each account
• Enable two-factor authentication in your account if it is available
• Be aware of fake websites that are designed to look like the real ones and make sure that you are on the real website by double-checking the URL (Cyber criminals can spoof real websites by making small changes to a URL, for example www.goog1e.ca instead of www.google.ca.)

While using these services:

• Do not share links to your meeting on social media. Send the meeting details directly to participants.
• Review the settings for your online meetings. If you are hosting a meeting, some services will allow you to use features such as:
  • Setting a meeting password or access code so that only participants who have the password or code can join.
  • Controlling who can share their screen.
  • Muting and unmuting participants.
• Do not use "remember me" features and log out when you are no longer using the application.

When discussing sensitive information

• When holding a meeting using a video conferencing service, remember to always use discretion when discussing any sensitive information (up to Protected B level and up to Secret on an exceptional basis during the pandemic); the use of a headset or earbuds is strongly encouraged
• Remember to keep the sharing of sensitive information limited to those who have a need-to-know (are only accessing the information pertaining to the files they are assigned) and have the required security clearance
• A meeting where sensitive information is being discussed must not be recorded
• Sensitive information must not be added to a chat function or stored in a videoconference system
• Always be mindful of anyone in your surroundings that may be listening, and keep sensitive discussions/information to a minimum as much as possible
• Discussions of information up to Protected B with external clients, contractors or partners if using Microsoft Teams should include some considerations:
  • Ensure that the external clients, contractors or partners have the required security clearance (or equivalent) to be able to discuss ESDC Protected B information
  • Mention at the start of the discussion that protected information will be discussed and as such, appropriate precautions should be taken (wearing of earbuds or headsets, being mindful of anyone in their surroundings that may be listening, and keeping sensitive discussions/information to a minimum as much as possible)

Refer to Staying cyber-healthy during COVID-19 isolation for more information.

  Secure Use Of Technology

Follow the proper security practices when using IT equipment, and:

• use only ESDC-assigned connectivity systems (AppGate, VPN, ESDC-approved cloud software) when working on/with Protected information
• use the departmental approved Sensitive Document Collaboration Services for Protected C or classified information
• protect all computer equipment and systems from viruses: specifically, not using nor permitting the installation or use of unauthorized hardware and/or software on these systems
  • do not connect to or allow any unapproved or unauthorized portable/personal devices to department-issued IT equipment
  • return all materiel, equipment and/or information immediately upon request of the teleworking arrangement

  Unauthorized Access and Disclosure of Information

• Protect information from individuals in your work area (custodial staff, visitors, persons from other departments, etc.)
• Avoid accidental compromise by following all procedures above for sensitive information and keeping a clean desk
• Do not leave information unattended
• If possible, choose an enclosed, lockable, designated room to perform any sensitive work-related activities
• Do not share your passwords/credentials
• Be extra vigilant when using shared networks in public spaces as these are less secure and come with additional risks
• ESDC employees must always exercise due diligence to protect against unauthorized access by reporting any suspected misuse of ESDC systems or breaches of privacy to their manager.
• Be aware that we have a shared responsibility to safeguard information and departmental assets in your care and ensuring that security requirements are met by reporting real or suspected incidents to your manager

  Absences

Let your colleagues know about any scheduled absence and do not leave Protected or Classified material on your desk.

Print an "Occupant Away Card" and display at your workstation

  Boardrooms

Erase all whiteboards containing sensitive information.

Don't take pictures of whiteboard meeting notes or scan information with a personal cell phone.

Make sure to Log Off any devices used in the boardroom.

  Reporting Security Incidents

Any loss or theft of protected information in paper format or valuable departmental assets (e.g., telephone, laptop, tablet) or unauthorized disclosure of protected information must be reported immediately to your manager in accordance with the Security incident reporting procedures.

Note: Reporting security incidents is a process to monitor, assess trends and implement mitigation measures, not to punish employees. The goal of security is to find ways to improve our processes next time. In fact, not reporting a security incident goes against the Department's objective of maintaining a strong security culture.

  Clean Desk Guidelines

• Don't let a mess build up in your work area. Keeping a clean desk helps ensure that nothing sensitive is accidentally left exposed.
• Secure any sensitive information before you step away from your desk, even for a moment. Find out how in the Clean Desk Guidelines.
• Be conscious of those working around you and make sure your sensitive information is secure (these could be colleagues without a need-to-know, visitors, or family or friends if you are teleworking).
• Lock your screen when you step away from your computer, even for a moment. Use "Ctrl+Alt+Del+Enter"  or "+L"
• Be conscious of the information you create. If you record sensitive information on flip charts, whiteboards, sticky notes or in a notebook, make sure that information is properly stored or destroyed for its sensitivity level.
• Don't keep passwords or other important information on sticky notes, stuck to your screen or even under your keyboard (yes, we know that trick).
• Before you leave a work area, make sure there are no sensitive documents on printers or fax machines.
• At the end of the day, secure any ESDC devices. Put USB keys and mobile phones into a locked drawer or cabinet. Lock up laptop computers.

  Building Emergencies and Evacuations

• Building exits routes and floor plans may have changed. Review building emergency plans and procedures in the Reservation System (Archibus). Know the emergency procedures and the location of exits for the buildings or areas in which you now work.
• Emergency Meeting Locations may have changed or been consolidated. Your manager or a member of the Building Emergency and Evacuation Team (BEET) will be able to provide this information if it is not posted on site.
• Person Requiring Assistance (PRAs) returning to onsite work need to discuss with their manager to ensure they have a Personal Emergency Plan and that Monitors or other measures are in place to assist them.
• Volunteers who assist with the Building Emergency or First Aid Teams do not need to come in on a daily basis, they simply help when they are in the workplace.
• Contact your Regional Security Office (RSO) if you require assistance related to security incidents or emergency situations.

Remember that responding to emergencies which present an immediate danger, takes precedent over measures preventing the spread of COVID-19. However, as soon as you are out of immediate danger, COVID-19 prevention measures need to be maintained. Keep a mask available at all times, you might not have time to go find it when an emergency arises.