Mobile Office

  Equipment

• Ensure that any equipment under your control is stored securely at all times
• Never leave your devices unattended in or near public places
• Do not allow any other unauthorized individuals to use your work devices
• Never use unapproved Web applications (e.g. DeepL, Google Translate) to process sensitive information

  Unauthorized Disclosure

• Protect information from individuals in your work area (e.g. establishment staff like a concierge, partner/spouse, children, repair people, guests, etc.)
• Avoid accidental compromise by following all procedures above for sensitive information and keeping a clean desk
• Do not leave information unattended
• If possible, choose an enclosed, lockable, designated room to perform work-related activities
• Do not share your passwords/credentials

  Shoulder Surfing

Shoulder surfing is the act of looking over someone's shoulder from a short or long distance with curious or malicious intent.

If you are working with sensitive information about Canadians or classified departmental information, you need to be careful about how you secure the information.

• Do not place your computer screen in front of a window.
• Avoid leaving your work area unattended or your device unlocked
• Minimise the windows on your screen if someone approaches
• Use a screen protector if you have one
• Hide your keyboard when typing your passwords.

Refer to Are you teleworking? Beware of shoulder surfers! for more information.

  Secure Videoconferencing

• If your team needs to hold a virtual meeting, make sure you use one of the 4 department-approved video conferencing software (Skype, WebEx, Virtual Meeting Room or Microsoft Teams).
• The use of a headset or earbuds is strongly encouraged and is mandatory when surrounded by strangers (such as in a café)
• Remember to keep the sharing of sensitive information limited to those who have a need-to-know (are only accessing the information pertaining to the files they are assigned) and have the required security clearance
• A meeting where sensitive information is being discussed must not be recorded
• Sensitive information must not be added to a chat function or stored in a videoconference system
• Always be mindful of anyone in your surroundings that may be listening, and keep sensitive information to a minimum as much as possible
• Turn off and/or disconnect Google Home, Amazon Alexa and/or other virtual assistant devices within hearing distance to prevent the devices from recording sensitive information
• Discussions of information up to Protected B with external clients, contractors or partners if using Microsoft Teams should include some considerations
• Ensure that the external clients, contractors or partners have the required security clearance (or equivalent) to be able to discuss ESDC Protected B information
• Mention at the start of the discussion that protected information will be discussed and as such, appropriate precautions should be taken (wearing of earbuds or headsets, being mindful of anyone in their surroundings that may be listening, and keeping sensitive information to a minimum as much as possible)

  IT Teleworking Best Practices

Maintain security practices when using IT equipment, departmental networks and systems for remote work or telework by:

• Using only ESDC-assigned connectivity systems (AppGate, VPN) when working on/with Protected information;
• Using only the departmental approved Sensitive Document Collaboration Services for Protected C or above categorization levels of information;
• Protecting all computer equipment and systems from viruses: specifically, not using nor permitting the installation or use of unauthorized hardware and/or software on these systems;
• Not connecting to or allow any unapproved or unauthorized portable/personal devices to department-issued IT equipment; and
• Returning all material, equipment and/or information immediately upon request of the teleworking arrangement.

  Working with Protected A or B Information

It is strongly recommended that you work with Protected B information electronically rather than with paper documents in order to lower the risk of loss, theft or unauthorized disclosure.

• Storing Protected B Paper Documents

  • Lockable cabinets must be used to securely store Protected paper-based information.
  • If you are required to bring Protected B, hard-copy information to your mobile work location as part of your essential duties, you must speak to your manager to determine a way to mitigate the risk
• Transporting protected documents from and to your remote location

  • If you need to physically transport Protected B information to your remote work location, you will need to obtain prior authorization from your manager.
  • Transport all Protected B information in a blue protected file folder and in a secured briefcase, RCMP lock pouches or backpack in accordance with the ESDC Information Categorization Tool;
  • It is not permitted to leave any Protected A or B information unattended at your remote location including inside a locked vehicle. As such, if stopping at a public place before arriving at the telework location, the briefcase/backpack/pouch must stay on you at all times;
  • Create and keep a separate inventory of Protected B information that is being transported. This will assist in identifying affected individuals for privacy breach processes and other reporting should a theft or loss occur.
• Other Security Measures while working with Protected A or B information

  • Do not take screenshots or photos of the personal information displayed on your screen
  • Ensure that any work-related activities are conducted in such a way as to prevent unauthorized individuals from viewing or overhearing protected information.
  • Use a headset or the cellphone itself, not a speakerphone, when discussing with a colleague
  • Close blinds and/or face the monitor away from windows or glass doors to ensure your monitor is not in someone's line of sight
  • Do not discuss personal information in public areas, or in areas perceived as private (e.g., on the balcony or near an open window in your home, in your kitchen while guests are visiting)
  • Turn off and/or disconnect Google Home, Amazon Alexa and/or other virtual assistant devices to prevent the devices from recording your work-related conversations
• Sending Protected B information

  • Employees are not allowed to send Protected A or B information to their personal email address for the purpose of working offline
  • When sending protected information by e-mail, always double-check the recipient(s) you are sending the information to and remember to encrypt your message if you are sending it outside the department
• When sending to an internal (within ESDC) email recipient:

  • Protected B information can be sent using Outlook after ensuring that the recipient is an ESDC employee with a valid reliability security clearance
  • Always double-check that you are sending the information to the correct e-mail address
  • Even when sending Protected B information internally, it is always a best practice to encrypt your e-mail, if possible
• When sending to an external (outside ESDC) email recipient (Effective February 9, 2021)

  • Use Entrust to encrypt emails that include Protected B information and that are being sent outside the departmental firewall. The recipient should also use Entrust to decrypt received email.
  • Always double-check that you are sending the information to the correct e-mail address and that the recipient has the required security clearance.
  • If sending email with encryption is not possible:
    • Transfer all Protected B information into a password-protected document. (The Protected B information being sent externally cannot be in the body of an e-mail, it must always be in a password-protected document) For example, if you were trying to email a PDF, you could copy and paste the PDF into a Microsoft Word Document, then password-protect the Microsoft Word Document.
    • Double-check the e-mail address and send the password to the recipient in a separate e-mail or by phone.
    • Send the password-protected document to the recipient.
    • If you send a high volume of Protected B information externally on a regular basis, you may want to consider using E-Post (information on E-Post can be found as another option in the Information Categorization Tool)

  Working With Highly Sensitive Information

• You are generally not permitted to work with highly sensitive information in a mobile work environment.
• Bringing or storing highly sensitive paper documents (Protected C, Confidential or Secret) at your remote work location requires the approval of your Assistant Deputy Minister and the Chief Security Officer.

  Foreign Telework and Remote Work

Employees should be aware that foreign telework is restricted by ESDC. Any employee working from outside Canada requires a valid Foreign Telework Agreement (FTA). ADM-level approval and consultation with Security, Labour Relations and Occupational Health and Safety must be done prior to leaving Canada. The process should be initiated as early as possible, and requires a minimum of ten working days.

Refer to Foreign Telework Requests - Procedures for more information.

  Reporting Security Incidents

Any loss or theft of  sensitive information in paper format or valuable departmental assets (e.g., telephone, laptop, and tablet) or unauthorized disclosure of  sensitive information must be reported immediately to your manager in accordance with the Security incident reporting procedures.

Note: reporting security incidents is a process to monitor, assess trends and implement mitigation measures; it is not intended as a means to punish employees. The goal of security is to find ways to improve our processes next time. In fact, not reporting a security incident goes against the department's objective of maintaining a strong security culture.