Home Office

The home office includes both telework and remote work where you primarily work from your dwelling.

  •   Securing the Home

    Ensure that appropriate door locking mechanisms and window hardware for all access points in your home are in good working order. Engage those locking mechanisms to secure your home (e.g. keep front door closed)

    Activate your alarm system (if equipped with one)

    If feasible, work from an office/space not located on the main floor. Street-level spaces are easier to access by a passerby.

  •   Equipment
  •   Privacy and Personal Safety
    • Remember that your personal security is also important while working from home. If you must use your personal telephone line or cellular device to contact clients, block your number (individual calls or permanently) from appearing on call display features
    • If you do not already know how to use call-blocking features, please contact your service carrier for the exact procedures. You should also be careful not to disclose too much personal information about yourself that may make your home location easily identifiable and refrain from using personal email addresses to contact clients
    • If you must deal with an external client by e-mail, use a generic e-mail account if possible and do not provide your full name.
  •   Unauthorized Disclosure
    • Protect information from individuals in your work area (e.g. partner/spouse, children, repair people, landlords, guests, boarders, homestay students including foreign students, etc.)
    • Avoid accidental compromise by following all procedures above for sensitive information and keeping a clean desk
    • Do not leave information unattended
    • If possible, choose an enclosed, lockable, designated room to perform work-related activities
    • Do not share your passwords/credentials
  •   Working with Protected A or B Information

    Working with Protected A or B Information

    Whenever possible, in a home environment, follow the guidelines in the Information Categorization Tool.

    It is strongly recommended that you work with Protected B information electronically rather than with paper documents in order to lower the risk of loss, theft or unauthorized disclosure.

    • Working with Protected B Paper Documents
      • You can work on Protected B paper documents at your remote work location only if it is an essential part of your work and no other alternatives are available. As such, you require your manager`s approval to work with Protected B paper documents at your telework location;
    • Storing Protected B Paper Documents
      • Lockable cabinets must be used to securely store Protected paper-based information.
      • If you are required to bring Protected B, hard-copy information to your remote work location as part of your essential duties, you must speak to your manager to arrange to have a temporary departmental-approved lockable cabinet provided to you.
    • Transporting protected documents from and to your remote location
      • If you need to physically transport Protected B information to your remote work location, you will need to obtain prior authorization from your manager.
      • Transport all Protected B information in a blue protected file folder and in a secured briefcase, RCMP lock pouches or backpack in accordance with the ESDC Information Categorization Tool;
      • It is not permitted to leave any Protected A or B information unattended at your remote location including inside a locked vehicle. As such, if stopping at a public place before arriving at the telework location, the briefcase/backpack/pouch must stay on you at all times;
      • Create and keep a separate inventory of Protected B information that is being transported. This will assist in identifying affected individuals for privacy breach processes and other reporting should a theft or loss occur.
    • Shredding Protected Documents
      • If, at your remote work location, you need to shred protected information, the preferred approach is to make the necessary arrangements to bring the documents to your designated workplace and using the RCMP-approved shredders in accordance with the Information Categorization Tool.
      • If returning to the designated workplace is not possible, you must speak to your manager to arrange to have a temporary departmental-approved shredder provided to you.
      • Remember that Protected B records must follow the appropriate retention period in accordance with the Records Retention and Disposition Guide
    • Other Security Measures while working with Protected A or B information
      • Do not take screenshots or photos of the personal information displayed on your screen
      • Ensure that any work-related activities are conducted in such a way as to prevent unauthorized individuals from viewing or overhearing protected information/sensitive discussions.
      • Use a headset or the cellphone itself, not a speakerphone, when discussing with a colleague
      • Close your blinds and/or face the monitor away from windows or glass doors to ensure your monitor is not in someone's line of sight.
      • Do not discuss sensitive information in public areas, or in areas perceived as private (e.g., on the balcony or near an open window in your home, in your kitchen while guests are visiting)
      • Turn off and/or disconnect your Google Home, Amazon Alexa and/or other virtual assistant devices to prevent the devices from recording your work-related conversations
    • Sending Protected B information
      • Employees are not allowed to send Protected A or B information to their personal email address for the purpose of working offline
      • When sending protected information by e-mail, always double-check the recipient(s) you are sending the information to and remember to encrypt your message if you are sending it outside the department
    • When sending to an internal (within ESDC) email recipient:
      • Protected B information can be sent using Outlook after ensuring that the recipient is an ESDC employee with a valid reliability security clearance
      • Always double-check that you are sending the information to the correct e-mail address
      • Even when sending Protected B information internally, it is always a best practice to encrypt your e-mail, if possible
    • When sending to an external (outside ESDC) email recipient (Effective February 9, 2021)
      • Use Entrust to encrypt emails that include Protected B information and that are being sent outside the departmental firewall. The recipient should also use Entrust to decrypt received email
      • Always double-check that you are sending the information to the correct e-mail address and that the recipient has the required security clearance
      • If sending email with encryption is not possible:
        • Transfer all Protected B information into a password-protected document. (The Protected B information being sent externally cannot be in the body of an e-mail, it must always be in a password-protected document) For example, if you were trying to email a PDF, you could copy and paste the PDF into a Microsoft Word Document, then password-protect the Microsoft Word Document.
        • Double-check the e-mail address and send the password to the recipient in a separate e-mail or by phone
        • Send the password-protected document to the recipient
        • If you send a high volume of Protected B information externally on a regular basis, you may want to consider using E-Post (information on E-Post can be found as another option in the Information Categorization Tool)
    • Printing Protected Information
      • It is strictly forbidden for employees to print work documents at their telework location
        • If printing of documents at your remote work or telework location is required as an essential part of your duties and the circumstances are such that there are no other alternatives, your manager will need to request an approval from the Chief Security Officer
      • You are not permitted to send departmental information to your personal email address for printing purposes
      • As ESDC employees, we must all protect  sensitive information entrusted to us, including the personal information of employees. However, at times you may wish to send your own personal information (e.g. letters of offer, training authorizations, T4s, pay stubs or other documents) to your personal e-mail accounts in order to print or save this information. When this information is your own personal information only, you are permitted to send the information to your personal e-mail and are responsible to safeguard it as you see fit.
      • Please note: This exemption does not permit any employees to access departmental systems for reasons other than the ones stated above, without authorization or a business-related need-to-know, even if the information is their own personal information.
  •   Working With Highly Sensitive Information
    • All remote work involving highly sensitive information (Protected C, Confidential or Secret) must be done using the EDSC's Sensitive Document Collaboration Service (SDCS) - contact Branch/Regional SDCS Coordinators for access
    • If the use of the SDCS is not possible, please contact Corporate Security nc-csop-smop-gd@hrdc-drhc.net
    • Do not save highly sensitive information on a hard drive, personal or shared drive. Only save this information on department-approved secured USB keys that you will be required to safeguard at all times (exception below when transmitting information)
    • Printing of sensitive information (Protected B and above) at remote work/telework sites is not permitted unless approved by the Chief Security Officer and the DG, IT Security through a request to Corporate Security nc-csop-smop-gd@hrdc-drhc.net
    • Bringing or storing highly sensitive paper documents (Protected C, Confidential or Secret) at your remote work location requires the approval of your Assistant Deputy Minister and the Chief Security Officer
    • To electronically transmit sensitive documents to Government of Canada employees outside of the ESDC network, encrypted email and strong password protection must be used and special care must be taken not to misdirect the email. You may follow this procedure:
      • Ensure the recipient(s) of the encrypted email has a Secret security clearance
      • Download the file to your F: drive
      • If not already done, secure the file, by using the File/Info/Protect option to add a strong password to Word, Excel or PowerPoint files. Passwords must be provided verbally or in a separate encrypted email
      • Attach the file to an email and encrypt the email.
      • Delete the file from your F: drive.
      • Note: The above procedures to electronically transmit sensitive documents do not apply to Cabinet documents. Specific instructions issued by the Privy Council Office must be followed for these.
  •   Shoulder Surfing

    Shoulder surfing is the act of looking over someone's shoulder from a short or long distance with curious or malicious intent.

    If you are working with sensitive information about Canadians or classified departmental information, you need to be careful about how you secure the information.

    • Do not place your computer screen in front of a window.
    • Avoid leaving your work area unattended or your device unlocked
    • Minimise the windows on your screen if someone approaches
    • Use a screen protector if you have one
    • Hide your keyboard when typing your passwords.

    Refer to Are you teleworking? Beware of shoulder surfers! for more information.

  •   Secure Videoconferencing
    • If your team needs to hold a virtual meeting, make sure you use one of the 4 department-approved video conferencing software (Skype, WebEx, Virtual Meeting Room or Microsoft Teams)
    • When holding a meeting using a video conferencing service, remember to always use discretion when discussing any sensitive information (up to Protected B level and up to Secret on an exceptional basis during the pandemic)
    • The use of a headset or earbuds is strongly encouraged
    • Remember to keep the sharing of sensitive information limited to those who have a need-to-know (are only accessing the information pertaining to the files they are assigned) and have the required security clearance
    • A meeting where sensitive information is being discussed must not be recorded
    • Sensitive information must not be added to a chat function or stored in a videoconference system
    • Always be mindful of anyone in your surroundings that may be listening, and keep sensitive discussions/information to a minimum as much as possible
    • Turn off and/or disconnect your Google Home, Amazon Alexa and/or other virtual assistant devices within hearing distance to prevent the devices from recording sensitive information
    • Discussions of sensitive information up to Protected B with external clients, contractors or partners if using Microsoft Teams should include some considerations
    • Ensure that the external clients, contractors or partners have the required security clearance (or equivalent) to be able to discuss ESDC Protected B information
    • Mention at the start of the discussion that  sensitive information will be discussed and as such, appropriate precautions  must be taken (wearing of earbuds or headsets, being mindful of anyone in their surroundings that may be listening, and keeping sensitive information to a minimum as much as possible)
  •   IT Teleworking Best Practices

    Maintain security practices when using IT equipment, departmental networks and systems for remote work or telework by:

    • Using only ESDC-assigned connectivity systems (AppGate, VPN) when working on/with Protected information;
    • Using only the departmental approved Sensitive Document Collaboration Services for Protected C or above categorization levels of information;
    • Protecting all computer equipment and systems from viruses: specifically, not using nor permitting the installation or use of unauthorized hardware and/or software on these systems;
    • Not connecting to or allow any unapproved or unauthorized portable/personal devices to department-issued IT equipment; and
    • Returning all material, equipment and/or information immediately upon request of the teleworking arrangement.
  •   Foreign Telework and Remote Work

    Employees should be aware that foreign telework is restricted by ESDC. Any employee working from outside Canada requires a valid Foreign Telework Agreement (FTA). ADM-level approval and consultation with Security, Labour Relations and Occupational Health and Safety must be done prior to leaving Canada. The process should be initiated as early as possible, and requires a minimum of ten working days.

    Refer to Foreign Telework Requests - Procedures for more information.

  •   Reporting Security Incidents

    Any loss or theft of  sensitive information in paper format or valuable departmental assets (e.g., telephone, laptop, and tablet) or unauthorized disclosure of  sensitive information must be reported immediately to your manager in accordance with the Security incident reporting procedures.

    Note: reporting security incidents is a process to monitor, assess trends and implement mitigation measures; it is not intended as a means to punish employees. The goal of security is to find ways to improve our processes next time. In fact, not reporting a security incident goes against the department's objective of maintaining a strong security culture.

  •   Clean Desk Guidelines
    • Don't let a mess build up in your work area. Keeping a clean desk helps ensure that nothing sensitive is accidentally left exposed.
    • Secure any sensitive information before you step away from your desk, even for a moment. Find out how in the Clean Desk Guidelines.
    • Be conscious of those working around you and make sure your sensitive information is secure (these could be colleagues without a need-to-know, visitors, or family or friends if you are teleworking).
    • Lock your screen when you step away from your computer, even for a moment. Use "Ctrl+Alt+Del+Enter"  or "windows/option key+L"
    • Be conscious of the information you create. If you record sensitive information on flip charts, whiteboards, sticky notes or in a notebook, make sure that information is properly stored or destroyed for its sensitivity level.
    • Don't keep passwords or other important information on sticky notes, stuck to your screen or even under your keyboard (yes, we know that trick).
    • Before you leave a work area, make sure there are no sensitive documents on printers or fax machines.
    • At the end of the day, secure any ESDC devices. Put USB keys and mobile phones into a locked drawer or cabinet. Lock up laptop computers.