DAOD 6003-1, Information Technology Security Programme

1. Introduction

Date of Issue: 2012-04-18

Date of Last Modification: 2015-09-30

Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).

Approval Authority: Assistant Deputy Minister (Information Management) (ADM(IM)) / Chief Information Officer (CIO)

Enquiries: Director Information Management Security (DIM Secur)

2. Definitions

information technology (technologies de l'information)

Involves both technology infrastructure and IT applications. Technology infrastructure includes any equipment or system that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information. IT applications include all matters concerned with the design, development, installation and implementation of information systems and applications to meet business requirements. (Directive on Management of Information Technology, Treasury Board)

information technology operational personnel (personnel opérationnel des technologies de l'information)

Persons who work as network or system administrators or managers, account managers or help desk personnel, or provide other information technology support. (Defence Terminology Bank record number 47901)

information technology security (sécurité des technologies de l'information)

Safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information. (Operational Security Standard: Management of Information Technology Security (MITS), Treasury Board)

information technology security practitioner (praticien de la sécurité des technologies de l'information)

A person who performs an engineering, implementation, maintenance or other information technology security function to protect the confidentiality, integrity and availability of information technology systems and assets. (Defence Terminology Bank record number 47902)

security authority (autorité de sécurité)

The person who has the authority to identify risk, provide advice and security standards for endorsement by the operational authority and technical authority, and monitor compliance within their area of responsibility. (Defence Terminology Bank record number 43436)

3. Overview

Context

3.1 Information technology (IT) security is a key enabler for achieving well-managed information in support of programmes, business priorities and operations. Ensuring the confidentiality, integrity and availability of information is essential to government decision making and the delivery of services. Effective IT security requires a systematic approach that identifies and categorizes information and associated assets, assesses risks, implements appropriate safeguards and establishes clear IT security accountabilities.

3.2 The IT Security Programme in the DND and the CAF was established to manage the security of information, related IT assets and services against compromise. The IT Security Programme employs continuous security risk management to support the effective and efficient delivery of IT services and processes and is consistent with Government of Canada (GC) policies, directives and standards.

3.3 The IT Security Programme requires that DND employees and CAF members work together in a concerted manner, along with the necessary processes and technologies, to achieve a high level of IT security in the DND and the CAF.

3.4 As the IT security coordinator, the DIM Secur is the IT security authority for the DND and the CAF, and has a functional reporting relationship to both the ADM(IM), as the Chief Information Officer, and the Departmental Security Officer, in accordance with the Treasury Board (TB) Operational Security Standard: Management of Information Technology Security (MITS).

3.5 This DAOD should be read in conjunction with the DND and CF IM and IT Policy Framework and other relevant ADM(IM) policies, instructions, directives, standards and guidance.

Objective

3.6 The objective of this DAOD is to establish the roles and responsibilities of DND employees and CAF members in respect of IT security.

Expected Results

3.7 The expected results of this DAOD are:

  1. increased awareness of IT security by DND employees and CAF members;
  2. demonstrated accountability over all IT security capabilities that are delivered in support of the DND and the CAF, in and outside Canada;
  3. integration by programme and service delivery managers of IT security requirements in plans, programmes, activities and services; and
  4. innovative and improved risk management to support and enable IT programmes and services.

4. Consequences

Consequences of Non-Compliance

4.1 Non-compliance with this DAOD may have consequences for both the DND and the CAF as institutions, and for DND employees and CAF members as individuals. Suspected non-compliance may be investigated. The nature and severity of the consequences resulting from actual non-compliance will be commensurate with the circumstances of the non-compliance.

Note – In respect of the compliance of DND employees, see the TB Framework for the Management of Compliance for additional information.

5. Responsibilities

Responsibility Table

5.1 The following table identifies the responsibilities associated with this DAOD. Each role is listed first, followed by the items that the role is or are responsible for:

level one advisors and commanders of commands

  • addressing IT security requirements in their areas of responsibility when defining DND and CAF priorities, strategic directions, programme objectives, and budget and personnel allocations;
  • ensuring IT security practitioners are trained in accordance with DND and CAF standards; and
  • maintaining IT security in IT projects in accordance with GC, DND and CAF policies, instructions, directives and standards.

DIM Secur

  • developing, reviewing and recommending the approval of DND and CAF IT security policies, instructions, directives and standards;
  • monitoring compliance with GC, DND and CAF IT security policies, instructions, directives and standards;
  • ensuring that appropriate IT security measures are applied to all DND and CAF information management, IT and IT assets, activities and processes;
  • developing, reviewing and recommending the approval of DND and CAF communications security (COMSEC) policies, instructions, directives and standards that align with the COMSEC directives, standards and guides of the Communications Security Establishment;
  • reviewing and recommending the approval of contracts for IT security services;
  • reviewing IT security-related portions of requests for proposals and other contracting documentation, including the TB Security Requirements Check List;
  • working closely with DND and CAF programme and service delivery managers to:
    • ensure IT security needs are met;
    • provide advice on safeguards, the potential impacts of new and existing threats, and the residual risks of programmes and services; and
    • monitor continuous compliance with the IT security assessment and authorization of IT systems, programmes and services;
  • working closely with the GC, the North Atlantic Treaty Organization and allies to ensure that DND and CAF IT security policies, instructions, directives and standards are compatible, consistent and aligned;
  • providing and coordinating IT security training and awareness programmes for the DND and the CAF;
  • promoting IT security in the DND and the CAF; and
  • implementing an effective process to manage IT security incidents.

IT security practitioners

  • ensuring compliance with the IT Security Programme in their areas of responsibility;
  • recommending improvements to DND and CAF IT security policies, instructions, directives and standards;
  • reviewing IT security-related portions of requests for proposals and providing risk assessment within their areas of responsibility;
  • working closely with programme and service delivery managers within their areas of responsibility to:
    • ensure IT security needs are met;
    • provide advice on safeguards, the potential impacts of new and existing threats, and the residual risks of programmes and services; and
    • monitor continuous compliance with the IT security assessment and authorization of IT systems, programmes and services; and
  • promoting IT security awareness within their areas of responsibility.

IT operational personnel

  • complying with DND and CAF IT security policies, instructions, procedures and priorities, and recommending improvements as required;
  • responding to IT security incidents;
  • verifying and applying security patches;
  • maintaining or upgrading security hardware and software;
  • monitoring systems and logs;
  • managing the backup and recovery of information; and
  • managing access privileges and rights.

IT project managers

  • ensuring that IT security requirements for projects are met through the implementation of technical security specifications, throughout the system development life cycle.

business continuity planning coordinators

  • taking IT security into account to ensure a comprehensive approach to continuous service delivery.

programme and service delivery managers

  • ensuring an appropriate level of IT security for their programmes and services;
  • working with IT security practitioners to manage the risks of their programmes and services throughout the service delivery life cycle;
  • identifying the IT security requirements of their programmes and services with the advice and support of IT security practitioners and the DIM Secur;
  • obtaining the authorization to operate IT systems, programmes and services;
  • maintaining the authorization to operate IT systems, programmes and services; and
  • ensuring that, within their areas of responsibility, the requirements in this DAOD, the TB Policy on Government Security and other related policies, instructions, directives and standards approved by the ADM(IM) are met.

COMSEC custodians

  • accounting for classified cryptographic material and publications in accordance with COMSEC policies, directives, standards and guides.

DND employees and CAF members

  • complying with all GC, DND and CAF policies, instructions, directives and standards in respect of IT security;
  • ensuring that authorized contractors and other personnel under their stewardship comply with all GC, DND and CAF IT security policies, instructions, directives and standards; and
  • reporting real and suspected security incidents to designated security officials.

6. References

Acts, Regulations, Central Agency Policies and Policy DAOD

Other References
