DAOD 6003-1, Information Technology Security Programme
1. Introduction
Date of Issue: 2012-04-18
Date of Last Modification: 2015-09-30
Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).
Approval Authority: Assistant Deputy Minister (Information Management) (ADM(IM)) / Chief Information Officer (CIO)
Enquiries: Director Information Management Security (DIM Secur)
2. Definitions
information technology (technologies de l'information)
Involves both technology infrastructure and IT applications. Technology infrastructure includes any equipment or system that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information. IT applications include all matters concerned with the design, development, installation and implementation of information systems and applications to meet business requirements. (Directive on Management of Information Technology, Treasury Board)
information technology operational personnel (personnel opérationnel des technologies de l'information)
Persons who work as network or system administrators or managers, account managers or help desk personnel, or provide other information technology support. (Defence Terminology Bank record number 47901)
information technology security (sécurité des technologies de l'information)
Safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information. (Operational Security Standard: Management of Information Technology Security (MITS), Treasury Board)
information technology security practitioner (praticien de la sécurité des technologies de l’information)
A person who performs an engineering, implementation, maintenance or other information technology security function to protect the confidentiality, integrity and availability of information technology systems and assets. (Defence Terminology Bank record number 47902)
security authority (autorité de sécurité)
The person who has the authority to identify risk, provide advice and security standards for endorsement by the operational authority and technical authority, and monitor compliance within their area of responsibility. (Defence Terminology Bank record number 43436)
Context
3.1 Information technology (IT) security is a key enabler for achieving well-managed information in support of programmes, business priorities and operations. Ensuring the confidentiality, integrity and availability of information is essential to government decision making and the delivery of services. Effective IT security requires a systematic approach that identifies and categorizes information and associated assets, assesses risks, implements appropriate safeguards and establishes clear IT security accountabilities.
3.2 The IT Security Programme in the DND and the CAF was established to manage the security of information, related IT assets and services against compromise. The IT Security Programme employs continuous security risk management to support the effective and efficient delivery of IT services and processes and is consistent with Government of Canada (GC) policies, directives and standards.
3.3 The IT Security Programme requires that DND employees and CAF members work together in a concerted manner, along with the necessary processes and technologies, to achieve a high level of IT security in the DND and the CAF.
3.4 As the IT security coordinator, the DIM Secur is the IT security authority for the DND and the CAF, and has a functional reporting relationship to both the ADM(IM), as the Chief Information Officer, and the Departmental Security Officer, in accordance with the Treasury Board (TB) Operational Security Standard: Management of Information Technology Security (MITS).
3.5 This DAOD should be read in conjunction with the DND and CF IM and IT Policy Framework and other relevant ADM(IM) policies, instructions, directives, standards and guidance.
Objective
3.6 The objective of this DAOD is to establish the roles and responsibilities of DND employees and CAF members in respect of IT security.
Expected Results
3.7 The expected results of this DAOD are:
- increased awareness of IT security by DND employees and CAF members;
- demonstrated accountability over all IT security capabilities that are delivered in support of the DND and the CAF, in and outside Canada;
- integration by programme and service delivery managers of IT security requirements in plans, programmes, activities and services; and
- innovative and improved risk management to support and enable IT programmes and services.
Consequences of Non-Compliance
4.1 Non-compliance with this DAOD may have consequences for both the DND and the CAF as institutions, and for DND employees and CAF members as individuals. Suspected non-compliance may be investigated. The nature and severity of the consequences resulting from actual non-compliance will be commensurate with the circumstances of the non-compliance.
Note – In respect of the compliance of DND employees, see the TB Framework for the Management of Compliance for additional information.
Responsibility Table
5.1 The following table identifies the responsibilities associated with this DAOD:
| The … | is or are responsible for … |
|---|---|
| level one advisors and commanders of commands | |
| DIM Secur | |
| IT security practitioners | |
| IT operational personnel | |
| IT project managers | |
| business continuity planning coordinators | |
| programme and service delivery managers | |
| COMSEC custodians | |
| DND employees and CAF members | |
Acts, Regulations, Central Agency Policies and Policy DAOD
- Framework for the Management of Compliance, Treasury Board
- Management Accountability Framework, Treasury Board
- Policy on Government Security, Treasury Board
- Policy on Information Management, Treasury Board
- Policy on Management of Information Technology, Treasury Board
- Directive on Departmental Security Management, Treasury Board
- Directive on Management of Information Technology, Treasury Board
- Operational Security Standard - Business Continuity Planning (BCP) Program, Treasury Board
- Operational Security Standard: Management of Information Technology Security (MITS), Treasury Board
- Security Requirements Check List (SRCL), Treasury Board
- DAOD 6003-0, Information Technology Security
Other References
- DAOD 6000-0, Information Management and Information Technology
- DAOD 6001-0, Information Management
- DAOD 6002-0, Information Technology
- DAOD 6002-2, Acceptable Use of the Internet, Defence Intranet, Computers and Other Information Systems
- DND and CF IM and IT Policy Framework
- National Defence Security Orders and Directives
- ITSG-33, IT Security Risk Management: A Lifecycle Approach, Communications Security Establishment