What do you want to do with this information?
— Protected B

Avoid using speakerphone when discussing sensitive information; use earbuds or headsets to prevent an unauthorized disclosure of the discussion.

Ensure that any work that includes the discussion of sensitive information, over the phone, is conducted in such a way as to prevent the mention of this information within hearing distances of others and/or any virtual assistant recording devices (e.g. Siri, Google Home, Amazon Alexa, etc.) as this could result in a security incident and/or possible privacy breach. Some examples include, but are not limited to, personal information such as names, dates of birth, social insurance numbers, medical or financial information,business numbers, and/or an employer’s or a company’s business number, etc.

Use Video Conferencing Systems securely when discussing sensitive information; use earbuds or headsets to prevent an unauthorized disclosure of the discussion.

Ensure that any work that is carried out by videoconferencing, including discussions and/or visual displays of sensitive information/assets, is conducted in such a way as to prevent the mention of this information within hearing distance of others, and/or any virtual assistant recording devices (e.g. Siri, Google Home, Amazon Alexa, etc.) as well as a visual display of this information, as this could result in a security incident and/or possible privacy breach. Some examples include, but are not limited to, personal information such as names, dates of birth, social insurance numbers, medical or financial information,business numbers, and/or an employer’s or a company’s business number, etc.

Top right-hand corner of each page.

Internal:

Protected B information can be sent within the department using MS Outlook or Skype. Ensure the recipient is an ESDC employee.

External:

Use Entrust to encrypt emails that include Protected B information and that are being sent outside the departmental firewall. Email recipient should also use Entrust to decrypt received email.

How to send an encrypted email

Entrust is to be used to send encrypted files/emails internally and between other Government of Canada (GoC) departments. The recipient of the encrypted material must be listed in your GoC Outlook address book.

How to send an encrypted email Instruction:

log in to Entrust

1. In the system tray (in the toolbar), right click on the ESP icon and choose Log In.
2. Click Browse.
3. Navigate to your F: drive location and open the maCLÉ-myKEY folder.
4. Click to highlight the only file in the folder (username.epf).
5. Click Open. This will fill in the name field in the Entrust Entelligence Security Provider box.
6. Enter your MyKEY password (the same as you use to access Compensation Web Applications) and click OK. This will complete the authentication process.

By Mail In Canada

Internal mail (ESDC Courier within local ESDC locations):

Double sealed envelope (no security markings on outer envelope), appropriately addressed. Warning on the inner envelope " To be opened by…name or position title)" with security markings.

To client (personal information):

One sealed envelope (no security markings on envelope) and appropriately addressed. Can be sent by Regular Mail.

Across Canada - ESDC Regions and other stakeholders (Federal Departments / Agencies, Provincial Governments or third party private sectors contracted by the department):

Double sealed envelope (no security markings on outer envelope), appropriately addressed. Warning on the inner envelope "To be opened only by … (name or position title)" with security markings. Can be sent by Regular Mail.

By Mail Outside Canada:

To client (personal information) :

Double sealed envelope ( no security markings on the outer envelope) appropriately addressed and security markings on inner envelope. Can be sent by Regular Mail.

Other stakeholders (Federal Departments / Agencies, Provincial Governments or third party private sectors contracted by the department):

Double sealed envelope (no security markings on outer envelope) appropriately addressed. Warning on the inner envelope "To be opened only by (name or position)" and security markings. The use of Priority mail, Xpresspost or messenger service is required as they are using a tracking and signature on reception process.

Epost Connect is a secure digital delivery platform that facilitates sending and receiving sensitive messages and documents with one or multiple recipients. It enables seamless, secure collaboration with one or many customers, clients, colleagues, partners and suppliers through one common platform.

As an alternative to send Protected B information externally (outside of the department) ,when encryption is not possible, epost Connect is a departmental approved software solution that allows Protected B information to be sent to Canadian . Using approved encryption algorithm thus providing a safe and secure option to share protected information. The data is also stored on a secure Canada Post server residing in Canada.

The use of epost Connect services requires a service agreement between your business line and Canada Post. Please note there is a cost for using this software such as licenses and data storage fees.

Contact Corporate security to get the contact information at Canada Post.

Secure Fax is required. Any of the following installations are authorized.

Admiral with normal fax

Certifax/Admiral Operating Instructions

What information should be sent using a secure fax: Documents that are Protected "A" or "B".

This procedure applies to ALL Service Canada locations using an Admiral or Certifax encryption device. MOBIUS encryption devices are no longer approved to secure faxed information therefore are no longer accessible. If you have a MOBIUS device in your office, please contact your Regional Security Officer (RSO) or the undersigned for further instructions.

Please consult the "Information Categorization Tool" for details.

Domain:

*00

= Clear domain

*01 (Default)

= Service Canada Protected (ESDC-EDSC)

*02

= Service Canada / Canada Revenue Agency Protected (CRA-SVC)

Non-Encrypted (Clear) Faxes

To send a CLEAR fax, key in the destination fax machine's telephone number, via the keypad on the fax machine followed by *00 (CLEAR domain) and press Start/Send on the fax machine. The LCD window on the CERTIFAX/ADMIRAL device will display "Clear Transmission to Fax".

Encrypted (Secure) Faxes Within Service Canada (ESDC-EDSC)

The protected domain for all Service Canada's devices is set by default. To send a secure fax to a Service Canada location, key in the destination fax machine's telephone number and press Start/Send on the fax machine.

The LCD window on the CERTIFAX/ADMIRAL device will change from "Select Domain Send" to "Status Transmitting". After about 20 seconds, the LCD window will change to "Secure Transmit to Fax" to indicate that the encrypted data is being transferred.

When you receive a secure fax, the LCD window will change to "Secure Transmit from Fax" to indicate that the encrypted data is being received securely. You will also notice an extra line at the top of the secure fax, i.e. "Facsimile Secured by ADMIRAL or CERTIFAX. From Unit {unit name} On Domain SDC-DSC {Date and Time}" This is your confirmation of a safe and secure reception.

Encrypted (Secure) Faxes Between Service Canada (ESDC-EDSC) & Canada Revenue Agency (CRA-ARC)

To send a secure fax to a CRA office, key in the destination fax machine's telephone number followed by *02 (CRA-SVC domain), via the keypad on the fax machine and press Start/Send on the fax machine.

The LCD window on the Admiral will change from "Select Domain Send" to "Status Transmitting". After about 20 seconds, the LCD window will change to "Secure Transmit to Fax" to indicate that the encrypted data is being transferred.

When you receive a secure fax, the LCD window will change to "Secure Transmit from Fax" to indicate that the encrypted data is being received securely. You will also notice an extra line at the top of the secure fax "Facsimile Secured by ADMIRAL or CERTIFAX from Unit {unit name} On Domain CRA-HRSDC. {Date and Time}" This is your confirmation of a safe and secure reception.

Report any problem to the COMSEC Security Officers at 819-654-4697 or by e-mail to nancy.courtemanche@servicecanada.gc.ca

Viper phone, Secure Terminal Equipment (STE) phone, Sectera BDI Terminal, or Omni Secure Terminal used with Ricoh Secure Fax (COMSEC Equipment)

Transport In Canada

Transport by hand inside the department

Within restricted areas (Operation zone, Security zone, High Security zone):

Protected B information must be transported in a Protected B blue folder inside a single sealed envelope with no security markings appropriately addressed. Commercial briefcase, approved backpack, approved bags (with Arcolock-7) or secure briefcase can replace the envelope. These carrying cases must have departmental-issued tags attached.

In

In

Or

Or

Or

Or

Transport In Canada

Transport by hand inside the department

Outside restricted areas (Reception zone or Public zone):

Protected B information must be transported in a Protected B blue folder inside a single sealed envelope with no security marking and appropriately addressed and with return address. Commercial briefcase, approved backpack, approved bags (with Arcolock-7) or secure briefcase can replace the envelope. These carrying cases must have departmental-issued tags attached.

Note: For the transport of several documents, it is highly recommended completing an inventory of the information being transported by the employee and providing a copy to the manager.

In

In

Or

Or

Or

Or

Electronic format:

Encrypted USB keys and encrypted portable drives issued by the department can be used if permission is granted.

Transport In Canada

Transport outside department – In Canada

Protected B information must be transported in a single sealed envelope with no security markings and appropriately addressed. The use of approved backpacks, approved bags (with Arcolock-7) or secure briefcase is required for all employees who need to transport PROTECTED B (paper or electronic) documents outside the building they work in. These carrying cases must have departmental-issued tags attached.

If traveling by personal motor vehicle, you must place Protected B information in an approved carrying case and lock it in the trunk or out of sight in a locked vehicle. Placement of the approved case is temporary and must be removed at destination. Stopovers are not permitted but if you require a stopover for an urgent matter, the case cannot be left unattended in the vehicle and must be in your possession at all times.

In

In

Or

Or

Or

Electronic format:

Encrypted USB keys and encrypted portable drives issued by the department can be used if permission is granted.

Transport Outside Canada

Transport outside department - Outside Canada

Protected B information must be transported in a single sealed envelope (unless warranted by a Threat and Risk Assessment (TRA) then a double sealed envelope is required) with no security markings on the outer envelope and appropriately addressed. A secure briefcase is required and must have departmental-issued tags attached.

If traveling by personal motor vehicle, you must place Protected B information in an approved carrying case and lock it in the trunk or out of sight in a locked vehicle. Placement of the approved case is temporary and must be removed at destination. Stopovers are not permitted but if you require a stopover for an urgent matter, the case cannot be left unattended in the vehicle and must be in your possession at all times.

In

Or

In

Electronic format:

Encrypted USB keys and encrypted portable drives issued by the department can be used if permission is granted.

Electronic Storage

Electronic copy: Protected B electronic information can be stored on the network drive or on departmental approved encrypted USB portable storage device and must be secured in approved security cabinet. Electronic information cannot be stored on the laptop’s hard drives.

Note: Must be transported, transmitted and stored in the same manner as paper information, commensurate to the level of sensitivity of the information they contain. Any of the following cabinets are approved.

Key locks

Abloy or S&G Padlock

integral lock

Safe

2 or 4 drawer

Locker Safe

Protected B information need to be inserted inside blue file folder, properly marked and secured in a locked cabinet or Open Shelving room in an Operations Zone (see definition below) which implies a work area where workers have a common need-to-know, visitors are properly escorted.

Adequate lock-up storage safeguards within an Operations Zone for Protected B depend on the monitoring and response characteristics of the environment, as well as on the difficulty for an adversary to access the documents. All lockable commercial office furniture, commercial door locks and mobile shelving units are suitable for this application; however bulk (mobile) shelving units are subject to conditions.

Please note that many commercial workstations are sold with low security cam locks with similar or identical keying. In an open office environment this could give some employees access to the desks or containers of other workers in the office. As people move from one location to another, keys tend to be acquired and kept, which may create an opportunity for inappropriate access. Care should be taken to ensure this situation does not arise in the workspace.

Electronic copy:

Store on network drive or department-approved and issued USB storage device in locked cabinet.

Definition:

An Operation Zone is an area where access is limited to personnel who work there and properly escorted visitors. As for example: Typical open office area.

File Folder

Key locks

Abloy or S&G Padlock

integral lock

Safe

2 or 4 drawer

Locker Safe

High density (Mobile) Shelving

Specially modified commercial mobile shelving equipped with additional components for each carriage set ( Hasp, padlock, side astragals, perforated top astragal and backing plate) are approved for the storage of Protected B information if secured with a SEG padlock or commercial padlock meeting ASTM F883-04 in an Operation Zone. Please note there is a fire safety requirement that mobile shelving units maintain at least a 100mm separation between sections when closed. As part of his oversight role, Chief Security Officer (CSO) must assess the security measures in place to ensure these meet the minimum Security Requirements and approve the security measures in place.

Note: For any additional information, please contact your Regional Security Office.

Preparation and processing: In a Reception Zone (Where the transition from a public zone to a restricted-access area is demarcated and controlled).

Every ESDC employee is responsible for ensuring the security of departmental information. Therefore, employees must use the "Secure Print (Print to PIN)" function for printing protected documents. When you select this function from your computer, the document will only start printing when you enter a passcode (PIN) at the printer, preventing others from viewing the document.

Tips for using Secure Print: If you have multiple documents to print and you cannot get to the printer right away, the Secure Print feature lets you send them to print all in one place. These will remain waiting to print, one after the other, in the order of sending, until you have entered your password. You only need to enter your password once and all pending documents will print. Note that documents that are not in print are deleted automatically at the end of each day, so that you will not have to worry about the information being compromised.

This security and protection of departmental information applies equally when scanning documents. Employees must scan and transmit protected documents through email while keeping with policies and directives.

Declassification is the decision, recorded in writing, of the originator of the protected information or an officer authorized by the Deputy Minister to remove the categorization level of the document. Redact (hide) all sensitive information that could identify an individual or have an impact on the Department is required.

Downgrading is the decision, recorded in writing, of the originator of the protected information or an officer authorized by the Deputy Minister to lower the categorization level of the document.

Downgrading at Protected A or Unclassified level: Redact (hide) all information that qualify at Protected B level and the remaining information as required to the requirements of lower levels.

Information is to be identified as protected only for the period of time it requires safeguarding. After this period, the originator or the authorized officer is to have it declassified or downgraded, appropriately marked, and to inform all recipients of this action and its effective date. Whenever possible, originators are to provide, at the time the information is created or collected, a specific date or event at which time declassification or downgrading may occur.

As a minimum, an automatic expiry date of 10 years should apply to the categorization of most information; however, the automatic expiry date would not apply to information classified as Top Secret nor to information identified as particularly sensitive Protected B, (e.g. medical records) or extremely sensitive, Protected C, (e.g. witness protection information).

RCMP Security Shredding Standards (Comparison relative to a 2 inch paper clip).

IT Media Devices

Optical: CD, DVD, Blu-Ray disks:

Reduce or shred the device to pieces, each with maximum area < 40 mm² (1/4 x 1/4 inch).

Solid –State Drives (SSD) and USB Flash Drives

Reduce or shred the device to pieces, each with maximum area < 40 mm² (1/4 x 1/4 inch).

Smartphones and Tablets

Destroy entire device or storage component to pieces < 40 mm² (1/4" x 1/4").

Destruction Facilities and Services

The RCMP Technical Security Branch has a Destruction Equipment Guide, which is a comprehensive and completely revised quide to the selection of destruction equipment and services.  Please contact your local Regional Security Office RSO for guidance and details as Public Services and Procurement Canada (PSPC) need to be contacted for destruction service contracts or equipment purchases.