Commissioner's Directive 225 - Information Technology Security

Authorities

Purpose

  • To ensure the protection of the information systems, information services and electronic information used by the Correctional Service of Canada (CSC), the Parole Board of Canada and the Office of the Correctional Investigator, hereafter referred to as serviced agencies
  • To provide a framework for information technology risk management and for the implementation and maintenance of CSC’s information technology security program

Commissioner's Directive

Number: 225

In Effect: 2023-12-18

Application

Applies to all individuals who have been authorized to use CSC’s information systems, services or electronic information

Content

Responsibilities

  1. The Commissioner will ensure the effective implementation, monitoring and governance of CSC’s departmental security program, including the information technology (IT) security program.

  2. Deputy Commissioners and Assistant Commissioners will designate an individual as a Program or Service Delivery Manager, who will be responsible for each information system used to deliver services in their respective responsibility area.

  3. The Deputy Chief Security Officer will:

    1. ensure the integration of IT security programs and services in the departmental security program
    2. hold regular meetings with the Chief Information Officer and the Designated Official for Cyber Security to ensure the IT security and departmental security programs are aligned, review IT security threats and risks and ensure that strategies with timelines are in place to improve CSC’s security posture
    3. ensure that all cryptographic devices provided to serviced agencies are implemented in accordance with Communications Security Establishment’s and CSC’s policies and standards
    4. provide the Treasury Board Secretariat with evidence of implementation and effectiveness of CSC’s IT security program following consultation with the Designated Official for Cyber Security
    5. validate IT security risks based on recommendations from the Designated Official for Cyber Security
    6. identify the physical security zone for any area in which an information system will be used prior to the deployment
    7. investigate all security incidents and breaches involving loss or theft of IT assets and consult with the Designated Official for Cyber Security on any loss of electronic information.

  4. The Chief Information Officer will:

    1. be the authority for all information systems to operate in CSC
    2. be the designated information system owner for information systems or information services that Information Management Services provides to all users
    3. ensure all information systems and services are in compliance with security policies, standards, and procedures published by the Treasury Board Secretariat and CSC’s Information Management Services
    4. initiate emergency measures to protect CSC’s information systems or electronic information when warranted.

  5. The Director, IT Security, will:

    1. assume the role of the Designated Official for Cyber Security, as defined by the Treasury Board Secretariat’s policies, and serve as CSC’s principal IT security contact
    2. ensure the IT security program core components described in Annex B are addressed and managed
    3. establish and manage:
      1. an IT security risk management program
      2. an IT security contingency planning program
      3. an IT security event management program
      4. the CSC IT security awareness and training program
    4. be the primary point of contact for all communications with respect to IT security event management and response
    5. monitor and evaluate any changes in the threat environment that could have a potential impact on CSC’s information systems
    6. regularly report to the Chief Information Officer and the Deputy Chief Security Officer on IT security-related matters
    7. engage with the Departmental Security Division, as required, to provide IT Security with advice and guidance
    8. ensure all offender-accessed electronic resources are authorized before they are put into service.

  6. Regional Directors and Senior Directors, Information Management Services, are responsible for initiating emergency measures to protect CSC’s regional information systems, services or electronic information, when warranted, and for informing the Designated Official for Cyber Security of the action taken.

  7. Information system owners who have implemented information systems or services to meet their business needs shall:

    1. consult with Information Management Services and the Departmental Security Division as soon as practical for any initiative where IT is a component to ensure all stakeholders are engaged
    2. conduct a Business Impact Analysis for each program within their responsibility area and ensure that any gaps pertaining to information systems or services are addressed
    3. ensure that IT security risks are assessed at the inception of any new information systems and that those risks are periodically reassessed whenever changes are made to the information system
    4. mitigate, accept or transfer any residual IT security risks affecting the information system within their responsibility area, before the information system is used
    5. regularly review access rights to information systems as per conditions outlined in the IT security risk assessment
    6. ensure all vulnerabilities are addressed as soon as practical.

ENQUIRIES

  1. Strategic Policy Division
    National Headquarters
    Email: GEN-NHQPolicy-Politi@csc-scc.gc.ca

Commissioner,
Original signed by:

Anne Kelly

Annex A - Cross-References and Definitions

CROSS-REFERENCES

DEFINITIONS

Assessment: an analysis done on all new information systems and changes to existing systems. Depending on the scope of the change or implementation of new systems, the assessment could include a Threat and Risk Assessment, an impact assessment or a vulnerability assessment.

Information service: a capability delivered by an IT service provider, which directly or indirectly supports one or more business processes or functions.

Information system: a collection of resources and configuration items (such as hardware, software and documentation) that operates as a whole.

Information system owner: position, role or person responsible for the overall procurement, development, integration, modification, operation, maintenance, and retirement of an information system.

Risk assessment: a formal process which assists in the determination of security requirements and recommends risk mitigation strategies.

Serviced agencies: the agencies receiving services from the Information Management Services Branch, i.e., CSC, the Parole Board of Canada and the Office of the Correctional Investigator.

Annex B - IT Security Program Core Components

TECHNICAL SECURITY

Access control: ability to permit or deny user access to resources within the information system.

Audit and accountability: ability to collect, analyze, and store audit records associated with user operations performed within the information system.

Identification and authentication: unique identification of users and the authentication of these users when attempting to access information system resources.

System and communications protection: protection of the information system itself as well as communications with and within the information system.

OPERATIONAL SECURITY

Awareness and training: education of users with respect to the security of the information system.

Configuration management: management and control of all components of the information system (e.g., hardware, software, and configuration items).

Contingency planning: ensure availability of the information system services in the event of component failure or disaster.

Event management: detection, response, reporting, and management of IT security events within the information system.

Maintenance: maintenance of the information system to ensure its ongoing availability.

Media protection: protection of information system media (e.g., disks, tapes, CDs, DVDs, USBs) throughout their life cycle.

Personnel security: procedures required to ensure that all personnel who have access to the information system have the required authorizations as well as the appropriate security screening levels.

Physical and environmental protection: control of physical access to an information system as well as the protection of the environmental ancillary equipment (e.g., power, air conditioning, and wiring) used for the operation of the information system.

System and information integrity: protection of the integrity of the information system components and the data that it processes.

RISK MANAGEMENT

Information sharing: protection of sensitive information when it is shared with parties outside of the serviced agencies.

Offender access: control of offender access to information systems both internal and external to the serviced agencies.

Planning: security planning activities, including privacy impact assessments.

Risk assessment: conduct of risk assessments and vulnerability scanning.

Security assessment and authorization: security assessment and authorization of the information system.

System and services acquisition security: contracting of products and services required to support the implementation and operation of the information system.
