DND/CAF Security Guide for Teleworking during the COVID-19 Response
March 20, 2020 - Defence Stories
Using alternatives to T-DVPNI to communicate during our COVID-19 response will enable us to maximize our bandwidth potential and reserve Department of National Defence/Canadian Armed Forces (DND/CAF) network access for critical activities only. The practices below will ensure that we maintain our necessary security while working remotely.
Public collaboration platforms for sharing unclassified information
Collaboration platforms on the Internet can help you share information and keep in contact with colleagues and clients. Before using public cloud services to communicate from your personal devices, here are some important security considerations:
- Select a reputable service, such as:
- Microsoft (Teams) [see Defence O365 note below]
- Apple (Facetime)
- Google (Hangouts)
- Share only unclassified* information: No sensitive information (Protected A, B, C or classified) is permitted.
- Respect the privacy of your teammates: Ask for their consent before creating accounts for others or inviting teammates to use a service through their personal email address.
- Be inclusive: Some people may not have Internet access, have accessibility challenges, or have concerns using certain public cloud services. Find ways to ensure everyone can participate.
- Monitor: Monitor your virtual community to ensure that no sensitive information is uploaded. Report security incidents to your local Information System Security Officers (ISSO) or Unit Security Supervisor (USS).
- Preserve and transfer: All information records of business value (IRBV) must be preserved and transferred to a DND/CAF information system as soon as practical, once able to do so.
ADM(IM) is rolling out Defence O365, a Microsoft Office 365 platform including the MS Teams collaboration tool, to the Defence Team. This platform complements the existing T-DVPNI system to work with up to Protected A information and improves the remote work experience for the Defence Team. Defence O365 is the recommended platform for Defence team collaboration.
Personnel who have not been onboarded will be contacted by their L1 representative with instructions on how to create an account, along with contact information to reach support from for your organization’s Power Users.
Careful! Do not fall for phishing emails posing as DND/CAF messages on this onboarding subject and other subjects; your onboarding communications will come from a trusted and secure source, such as a supervisor.
Please report any security issues to your ISSO, USS, or email@example.com.
Other ways to communicate
Call-tree: Every unit has a call-tree with personal contact information. It is the primary means of getting in touch with staff and employees. You can discuss up to Protected B on phone/cellphones systems in North America.
BBM Enterprise (BBMe): Some DND users have access to BBMe on their mobile devices. This application is approved up to Protected B when used with GC Enterprise accounts.
GCCollab: The Treasury Board Secretariat hosts GCCollab, which has a messenger application, forum and WIKI for unclassified information only.
Other: Other options are being developed with improved security and should be communicated soon.
*What is Unclassified Information?
Unclassified information is information that is not injurious to the national interest, or an individual, organization or the government. The National Defence Security Orders Chapter 6 explains how to categorize information. The following are examples of Protected and sensitive information, which is not permitted on public cloud services:
- Third-party business information provided in confidence (Access to Information Act – s.20);
- Unclassified information provided in confidence from another government or international organization (Access to Information Act – s.13 and s.15);
- Defence and Security Information, such as operating instructions for Controlled Goods (Defence Production Act), Unpublished Defence Research Intellectual Property (Access to Information Act – s.18), or Defence Systems vulnerabilities (Access to Information Act – s.16) (see Defence Production Act and Access to Information Act exemptions);
- An individual’s private information without their consent: date of birth, race, national or ethnic origin, colour, religion, age, marital status, academics/test scores, medical or financial information, as examples;
- Any identifying number (including Personal Record Identifier [PRI] or Service Number [SN]), symbol, or other assigned particular, address, fingerprints, or blood type.
For further details, refer to:
- Access to Information Act (PDF, 764 KB)
- Archived - Access to Information Guidelines - Specific Exemptions
Remember that free services are monetized through access to user content. Information shared on these platforms is considered to be in the public domain. Reputable service providers have some level of protection when compliant with regulations such as General Data Protection Regulation (GDPR), or when hosted in Canada or the USA and governed by similar privacy laws.
Using DND equipment at home
You must be diligent in the care of your DND equipment. Laptops and mobile phones should be stored securely and out of sight, when not in use. Your Public Key Infrastructure (PKI) card should also be kept securely, as it is both a sensitive security item and essential for connecting to T-DVPNI.
Stay cyber safe
Currently, cyber criminals are leveraging pandemic themes in phishing emails and malicious sites. For example, a known scam entices users to visit a fake COVID-19 heat map, infecting vulnerable computers. Stay alert and be vigilant:
- Avoid clicking on links in unsolicited emails or text messages and be wary of attachments
- Use trusted sources, such as legitimate government websites, for up-to-date, fact-based information
- Do not reveal personal or financial information in email and do not respond to email solicitations for this information
Visit the Get Cyber Safe site for more information and tips.
Report a problem or mistake on this page
- Date modified: