Commissioner's Directive 226 - Use of Electronic Resources

Authorities

Treasury Board Secretariat Directive on Service and Digital

Treasury Board Secretariat Policy on Government Security

Commissioner's Directive

Number: 226

In Effect: 2023-12-18

Related links: 
Policy Bulletin 708

Purpose

To ensure the appropriate use of the Correctional Service of Canada’s (CSC’s) electronic resources

Application

Applies to CSC employees as well as any other individuals who have been authorized to use CSC’s electronic resources (hereafter referred to as authorized individuals)

Responsibilities

  1. The Chief Information Officer will:

    1. establish procedures for authorizing individuals to access CSC's electronic resources
    2. establish a process for ensuring that authorized individuals receive appropriate training and information on the proper use of these resources
    3. establish monitoring procedures and designate individuals who will monitor the use of electronic resources.
  2. The Designated Official for Cyber Security will:

    1. provide direction and information on the interpretation of lawful and acceptable use of CSC's electronic resources
    2. ensure that reports of suspected unlawful or unacceptable activity pertaining to the use of CSC’s electronic resources are investigated, pursuant to section 4.1.7 of the Treasury Board Secretariat’s Policy on Government Security.
  3. Managers will immediately report all instances of suspected unlawful or unacceptable activities or information technology (IT) security incidents pertaining to the use of CSC's electronic resources to the Designated Official for Cyber Security using the IT security incident reporting procedure.

  4. On the direction of the Designated Official for Cyber Security and the Deputy Chief Security Officer, managers will seek legal advice in cases of suspected unlawful or unacceptable uses of CSC's electronic resources.

  5. Authorized individuals will:

    1. abide by the laws, government policies, directives and any other instructions published by CSC on the use of electronic resources, as specified in Annex A
    2. take reasonable measures to control the use of their digital identity, computer accounts, and passphrases, including assuming responsibility for any actions or costs arising from the unauthorized use of electronic resources
    3. use IT security protections (e.g., encryption, anti-malware protection) provided by CSC
    4. ensure that their communications using CSC’s electronic resources reflect the values of CSC and the Government of Canada and comply with any policies pertaining to professional conduct and the use of Web 2.0 technology (see CD 227 – Use of Web 2.0 Technology)
    5. report suspected unlawful or unacceptable activities or IT-related incidents pertaining to the use of CSC's electronic resources immediately to the IT Security Division using the IT security incident reporting procedure
    6. seek clarification from the IT Security Division when in doubt as to whether a planned use of electronic resources is acceptable and lawful
    7. use only IT products authorized and installed by CSC Information Management Services personnel
    8. surrender CSC electronic resources to the department upon departure.

PROCEDURES

Authorized Uses of Electronic Resources

Use for Official Business

  1. Authorized individuals must use electronic resources for official business. This includes, but is not limited to, creating, accessing, manipulating, storing and transmitting:

    1. electronic messages (e.g., email, collaboration tools)
    2. electronic records or information on CSC-managed electronic resources
    3. information on the CSC Intranet (e.g., Hub, InfoPoint)
    4. information on the Internet.

Personal Use

  1. Authorized individuals may use electronic resources for limited personal use under the following circumstances:

    1. during the individual’s personal time within working hours
    2. without incurring any unauthorized additional cost to CSC
    3. observing rules governing professional conduct and prohibitions related to unlawful and unacceptable conduct, as outlined in this policy and elsewhere
    4. not requiring CSC to provide additional privacy protection for personal information stored, transmitted or processed beyond that which is already provided
    5. allowing CSC to read the contents of communications and files and access personal information pursuant to the section Monitoring in this directive.

Offender Access

  1. Offender access to CSC electronic resources will be limited to those that:

    1. have been authorized for use by the Designated Official for Cyber Security
    2. are specifically authorized by CSC policy for approved purposes such as educational and work programs, in compliance with applicable rules related to the protection of personal information (see CD 730 – Offender Program Assignments and Inmate Payments)
    3. do not allow access to sensitive information or systems to which the offender does not have a need-to-access (e.g., OMS, CSC email).

Monitoring

Routine Monitoring

  1. Routine monitoring of electronic resources will be performed by staff designated by the Chief Information Officer and Shared Services Canada to assess performance, to protect the availability, integrity, confidentiality, value and intent of use of government assets and to ensure compliance with government policy. Routine monitoring may involve, but is not limited to, the following:

    1. identifying the size and type(s) of file(s) suspected of causing problems
    2. identifying patterns of usage
    3. determining the originator, intended recipient, subject line, and content of electronic messages
    4. searching for malicious software and other IT security threats
    5. performing keyword searches on networks, computer systems, electronic storage devices, and other electronic resources
    6. logging the identity of individuals and their activities while on the resource(s)
    7. regularly backing up copies of files, electronic messages, and other digital transmissions (including "draft" records).

Non-Routine Monitoring

  1. IT Security staff, when authorized by the Assistant Commissioner, Human Resource Management, the Director General, Security, or the Designated Official for Cyber Security, may monitor the activities and accounts of individual users including, but not limited to, individual login sessions, communications, email and file content.

  2. The Assistant Commissioner, Human Resource Management, the Director General, Security, or the Designated Official for Cyber Security will authorize all cases of individual monitoring in advance, except:

    1. when the authorized individual has voluntarily made electronic files or messages accessible to IT Security or to the public
    2. for the cases required by law
    3. when this type of monitoring is necessary to respond to legitimate emergency situations (e.g., cyber attacks).

Monitoring for Unlawful Activity and Unacceptable Conduct

  1. IT Security staff may monitor the use of electronic resources, without notice, if there are reasonable grounds to suspect that an authorized individual is misusing electronic resources, under the following circumstances:

    1. it is necessary to do so to protect the integrity, ensure the security and/or eliminate the liability exposure of CSC
    2. there are reasonable grounds to suspect that the authorized individual has utilized CSC’s electronic resources in the commission of a violation of CSC or other government policy
    3. there are reasonable grounds to suspect that the authorized individual is using electronic resources for an unlawful or unacceptable activity
    4. an account appears to be engaged in unusual or unusually-excessive activity, as indicated by the routine monitoring of general activity and usage patterns
    5. upon the receipt of a warrant or other legal instrument from a law enforcement agency.
  2. Individuals identified as a part of an investigation who read the content of electronic records must keep the information confidential and use it only for the purposes authorized, as per the Treasury Board Secretariat’s Policy on Government Security.

Enquiries

  1. Strategic Policy Division
    National Headquarters
    Email: Gen-NHQPolicy-Politi@csc-scc.gc.ca

Commissioner,
Original signed by:

Anne Kelly

Annex A - Cross-References and Definitions

CROSS-REFERENCES

CD 041 – Incident Investigations
CD 060 – Code of Discipline
CD 225 – Information Technology Security
CD 227 – Use of Web 2.0 Technology
CD 568 – Management of Security Information and Intelligence
CD 568-1 – Recording and Reporting of Security Incidents
CD 730 – Offender Program Assignments and Inmate Payments

Guide to Information Security
Laptop safety and remote access
Standards of Professional Conduct in the Correctional Service of Canada

Treasury Board Secretariat Directive on Public Money and Receivables
Treasury Board Secretariat Directive on Service and Digital
Treasury Board Secretariat Directive on Telework
Treasury Board Secretariat Directive on the Prevention and Resolution of Workplace Harassment and Violence
Treasury Board Secretariat Policy on Access to Information
Treasury Board Secretariat Policy on Communications and Federal Identity
Treasury Board Secretariat Policy on Government Security
Treasury Board Secretariat Policy on Privacy Protection

Directive on Service and Digital
Framework for the Management of Compliance
Guide to the Review of Management of Government Information Holdings
Values and Ethics Code for the Public Sector

Access to Information Act
Copyright Act
Corrections and Conditional Release Act
Corrections and Conditional Release Regulations
Criminal Code
Crown Liability and Proceedings Act
Library and Archives of Canada Act
Privacy Act
Security of Information Act


DEFINITIONS

Authorized individuals: CSC employees as well as contractors and any other individuals who have been authorized by a CSC authority to access CSC’s electronic resources.

Electronic resource: any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. Within the context of this document, electronic resources refer to all electronic resources owned or operated by CSC or services to which CSC has subscribed (e.g., computers, laptops, tablets, USB devices, smart phones, monitors, printers, cloud services).

Personal use: an activity that is conducted for purposes other than accomplishing official or otherwise authorized activity.

Unacceptable activity: any activity that violates CSC, Treasury Board Secretariat or other government policy (see examples provided in Appendix D of the Treasury Board Secretariat’s Directive on Service and Digital), or that violates the limitations on personal use as set out in this policy and in Appendix B of the above-mentioned Treasury Board Secretariat’s policy.

Unlawful activity: criminal offences, contraventions of non-criminal regulatory federal and provincial statutes, and actions that make an authorized individual or an institution liable to a civil lawsuit (see examples provided in Appendix B of the Treasury Board Secretariat’s Directive on Service and Digital).

Web 2.0 technology: includes Internet-based tools and services that allow for participatory multi-way information sharing, dialogue, syndication, and user-generated content. This can include social media and collaborative technologies (e.g., Facebook, Twitter and Wikis).
