DAOD 6002-8, Electronic Authentication and Authorization
1. Introduction

Date of Issue: 2013-08-15

Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).

Approval Authorities:

  • Assistant Deputy Minister (Finance and Corporate Services) (ADM(Fin CS))
  • Assistant Deputy Minister (Information Management) (ADM(IM))

Enquiries:

  • Director Financial Policy (DFP) for the interpretation of policy requirements for financial transactions using electronic authentication and authorization (EAA); and
  • Director Defence Information Management Planning (DDIMP) for EAA system requirements.

2. Definitions

audit trail (piste de vérification)

Refers to all the elements and evidence involved in tracking a complete process including authentication or authorization. Elements and evidence include delegation of authority matrices, user profiles and any data and files required to reconstruct the sequence of events and transactions processed. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)

electronic authentication (authentification électronique)

Is the process by which an individual (a person, an organization or device) is verified as a unique and legitimate user. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)

electronic authorization (autorisation électronique)

Is the process by which an authenticated user is granted the capability to render electronic approvals and discharge those authorities in electronic financial transactions. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)

electronic signature (signature électronique)

Means a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document. (Subsection 31(1) of the Personal Information Protection and Electronic Documents Act)

financial transaction (opération financière)

Is any event, request, action or commitment that has a monetary implication such as the acquisition, disposition or use of assets or resources; the increase or reduction in a liability; or the receipt, payment and disbursement of funds. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)

identity management (gestion de l'identité)

The set of principles, practices, policies, processes and procedures used to realize an organization's mandate and its objectives related to identity. (Directive on Identity Management, Treasury Board)

integrity of electronic financial transactions (intégrité des opérations financières électroniques)

Means transactions that are appropriately safeguarded against unauthorized access, authority or disclosure, destruction, removal, modification, repudiation, incompleteness and inaccuracy. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)

secure electronic signature (signature électronique sécurisée)

Means an electronic signature that results from the application of a technology or process prescribed by regulations made under subsection 48(1) of the Personal Information Protection and Electronic Documents Act. (Subsection 31(1) of the Personal Information Protection and Electronic Documents Act)

user authentication information (information d'authentification de l'utilisateur)

Includes information to support electronic authentication of a user such as passwords, identifiers, biometrics, shared secrets, usage patterns, etc. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)


3. Overview

Context

3.1 With the continuing advancement of technology and the importance of making operations as effective and efficient as possible, the need to determine the identity of individuals, systems and institutions is crucial in establishing trust in electronic interactions within government and with external partners and allies. EAA is the electronic process that:

  1. affixes proof of authorization to financial and non-financial transactions;
  2. contributes to the protection of data integrity; and
  3. ensures that the authorizer can be identified.

3.2 The validity of EAA is based on sound identity management practices that are aligned with the Treasury Board Directive on Identity Management.

3.3 Part 2 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Secure Electronic Signature Regulations (SESR) provide legal authority for the definition, use and application of electronic signatures (ESs) and secure electronic signatures (SESs) as acceptable alternatives to handwritten signatures within the Government of Canada (GC).

3.4 Treasury Board has established direction on EAA in the Directive on Electronic Authentication and Authorization of Financial Transactions.

3.5 In compliance with the Treasury Board Policy on Financial Management Governance, ADM(Fin CS) has been appointed by the Deputy Minister as the Chief Financial Officer (CFO) for the DND and the CAF.

3.6 Application of EAA for the purpose of financial transactions is subject to ADM(Fin CS) directives, standards and guidance.

3.7 This DAOD is part of the DND and CF IM and IT Policy Framework and should be read in conjunction with other relevant ADM(IM) policies, instructions, directives, standards and guidance.

Objectives

3.8 The objectives of this DAOD are to:

  1. ensure DND and CAF EAA practices conform with applicable GC requirements;
  2. establish the common business functions to which ESs and SESs may be applied; and
  3. ensure the integrity of electronic financial transactions.

Expected Results

3.9 The expected results of this DAOD are the:

  1. mitigation of risks associated with the implementation of EAA;
  2. improved efficiencies in the processing of financial transactions using EAA in support of federal environmental sustainability efforts; and
  3. increased implementation of EAA in DND and CAF business and operational processes.


4. Requirements

Information Resources of Business Value

4.1 All electronic transactions that require EAA, either by ES or SES, are considered information resources of business value, and are therefore subject to DAOD 6001-0, Information Management, and applicable recordkeeping standards and guidance.

ES Uses

4.2 An ES that is not an SES, e.g. an ES used on an email sent on the defence intranet or any networked device, may be used in accordance with the direction of DND and CAF system operational authorities if the enhanced level of assurance provided by SES is not required.

4.3 Subject to the delegated authority of the individual signing the email or otherwise authorizing a request, possible ES uses include:

  1. financial system adjustments in the Defence Resource Management Information System (DRMIS);
  2. expenditure initiation amount changes to electronic procurement requests when a total is higher than the estimate in the original electronic procurement request;
  3. proof of expenditure initiation, e.g. for certain acquisition card transactions or local purchase orders;
  4. commitment and decommitment requests in accordance with Financial Administration Manual (FAM), Chapter 1016-2, Expenditure Planning and Initiation – FAA Section 32;
  5. budget transfers; and
  6. leave, travel and operational expenditures within the area of responsibility of the individual.

SES Uses

4.4 An SES must meet the requirements set out in the PIPEDA and SESR. An SES is:

  1. considered equivalent to a handwritten signature for any authorization related to requirements under the provision of a federal law;
  2. admissible in evidence; and
  3. recognizable and can be accepted by third parties outside of the DND and the CAF.

Electronic Financial Transactions

4.5 DND employees and CAF members who complete financial transactions using EAA, or use electronic financial systems making use of EAA, must comply with:

  1. sections 76 to 81 of the Financial Administration Act (FAA);
  2. the Treasury Board Directive on Losses of Money or Property; and
  3. applicable financial policies issued by the ADM(Fin CS).

Other EAA Uses

4.6 A level one (L1) advisor establishing the use of EAA for a non-financial business function in their assigned functional area or for CAF operations:

  1. must respect the assigned functional areas of other L1 advisors; and
  2. should seek legal advice before applying any ES or SES for that use.


5. Consequences

Consequences of Non-Compliance

5.1 Non-compliance with this DAOD may have consequences for both the DND and the CAF as institutions, and for DND employees and CAF members as individuals. Suspected non-compliance will be investigated. The nature and severity of the consequences resulting from actual non-compliance will be commensurate with the circumstances of the non-compliance. Consequences of non-compliance may include one or more of the following:

  1. the ordering of the completion of appropriate learning, training or professional development;
  2. the entering of observations in individual performance evaluations;
  3. increased reporting and performance monitoring;
  4. the withdrawal of any authority provided under this DAOD to a DND employee or CAF member;
  5. the reporting of suspected offences to responsible law enforcement agencies;
  6. the liability of Her Majesty in right of Canada;
  7. the application of specific consequences as set out in applicable laws, codes of conduct, and DND and CAF policies and instructions; and
  8. other administrative or disciplinary action or both.

Note – In respect of the compliance of DND employees, see the Treasury Board Framework for the Management of Compliance for additional information.

5.2 Wilful failure by a DND employee or CAF member to comply with the FAA may result in charges being laid under that Act or sections 121, 122, 322 and 380 of the Criminal Code.

5.3 A loss of public money or property resulting from the misuse of an EAA by a person may result in the person being liable to pay for the loss.

5.4 Failure by a DND or CAF organization to comply with this DAOD may result in limitations or removal of the organization's authorization to manage public money or property.


6. Responsibilities

Responsibility Table

6.1 The following table identifies the responsibilities associated with this DAOD:

The … is or are responsible for …
CFO
  • leading and coordinating the implementation and maintenance of effective internal control systems to ensure the integrity of electronic financial transactions using EAA;
  • obtaining an appropriate level of assurance that:
    • risks to the integrity of electronic financial transactions using EAA are properly assessed; and
    • appropriate key controls used to mitigate these risks are documented, implemented as designed, and operating effectively in a continuous manner;
  • ensuring access to electronic systems that store or process financial or finance-related transactions is restricted to those who require it to perform their duties;
  • ensuring, at the time of authorization of any financial transaction using EAA, that the identity of the authorizer is authenticated and proof of authorization is linked to every authorized transaction;
  • ensuring user authentication information for electronic financial systems, such as identifiers and passwords, is properly safeguarded and managed;
  • ensuring that audit trails in respect of financial transactions using EAA are maintained and records retention and disposition are managed in accordance with applicable policies, instructions and directives so that the sequence of events and the transactions processed can be reconstructed for the purposes of an audit, investigation or review;
  • ensuring that authorized individuals approving financial transactions using EAA, including those exercising account verification, monitor the accuracy and appropriateness of the transactions and inform authorized users of their accountabilities; and
  • ensuring that the authorization of any financial transaction using EAA is consistent with approved DND and CAF delegation of authorities matrices in place at the time of authorization and appropriate separation of duties.
ADM(IM)
  • ensuring that ESs and SESs meet the requirements of PIPEDA, SESR and related governmental policies, directives, standards and guidelines; and
  • ensuring key information management and information technology internal controls are in place to support the integrity of electronic financial transactions and related electronic authentications and authorizations.
DFP and DGIMTSP
  • notifying their respective L1 advisor of any non-compliance with this DAOD.
L1 advisors
  • ensuring user authentication information for electronic systems within their organizations, e.g. identifiers and passwords, is properly safeguarded and managed.
DND employees and CAF members
  • managing and protecting identity information in a manner that mitigates risks to personal, organizational and national security, and that protects programme integrity;
  • reporting to the appropriate authorities, in accordance with the FAA, any losses of public money or property involving electronic transactions using EAA, resulting from negligence, lack of controls or criminal acts; and
  • complying with all GC, DND and CF policies, instructions, directives and standards in respect of EAA.

7. References

Other References

  • DAOD 5005-2, Delegation of Authorities for Civilian Human Resources Management
  • DAOD 6000-0, Information Management and Information Technology
  • DAOD 6001-0, Information Management
  • DAOD 6002-2, Acceptable Use of the Internet, Defence Intranet, Computers and Other Information Systems
  • DAOD 6003-0, Information Technology Security
  • FAM Chapter 1016-2, Expenditure Planning and Initiation – FAA Section 32