Portable Data Storage Requirements
1. Definition
1.1 Devices that are portable and contain storage or memory into which users can store information are considered portable data storage devices.
1.2 Examples of portable data storage devices include:
- 1.2.1 USB devices (for example, memory sticks, external hard drives);
- 1.2.2 eSATA (External Serial Advanced Technology Attachment) devices;
- 1.2.3 Tablets, laptops, smart devices, smartphones (for example, BlackBerry, Android, iOS, etc.) and cameras; and
- 1.2.4 Portable media: tapes and optical discs (for example, CDs and DVDs).
2. Physical security
2.1 The primary safeguards for information stored on portable data storage devices are physical security safeguards.
2.2 Portable data storage devices must be properly secured at all times as appropriate to the highest level of security classification of the information stored on them. For Protected A and B information, lock up the device or, if recommended by a threat risk assessment, select an appropriate security container. Protected C and classified information requires storage in an appropriate security container.
2.3 Portable data storage devices must be labelled to indicate the highest classification level of information that has been stored on the device. Departments and agencies should use an indirect coding system that is not immediately recognizable to the general public. Examples of suggested indirect coding are barcodes, colour codes or a numbering scheme.
2.4 Existing guidance remains unchanged when transporting a portable data storage device such as a smartphone or laptop with GC information stored on it. The bearer must keep it under their control and possession at all times.
2.5 Additional physical security safeguards such as a locked carrying case or an approved dispatch case may be required based on a threat risk assessment.
2.6 Specific requirements related to physical security and security containers can be found in:
- 2.6.1 Directive on Security Management, Appendix C: Mandatory Procedures for Physical Security Control; and
- 2.6.2 Royal Canadian Mounted Police (RCMP) guides:
3. Encryption
3.1 All portable data storage devices must be password- or biometric-controlled and the GC information stored on them encrypted.
3.2 Password- or biometric-controlled portable data storage devices and encryption of the GC information stored on portable data storage devices supplement but do not replace physical security procedures.
3.3 Only on an exception basis, according to departmental or agency risk tolerance and with formal departmental or agency approval, may unencrypted GC information be stored on a non-password- or non-biometric-controlled portable data storage device.
3.4 All GC information stored on portable data storage devices must be encrypted using a Cryptographic Module Validation Program–certified encryption module. Where possible, departments and agencies must use Common Criteria Program–accredited products.
3.5 Encryption methods used by departments and agencies should be configured to follow the methods outlined in the CSEC publication Cryptographic Algorithms for Unclassified, Protected A, and Protected B Information (ITSP.40.111). CSEC’s User Authentication Guidance for Information Technology Systems (ITSP.30.031 v3) should also be taken into account.
4. Storage
4.1 Portable data storage devices are intended for the temporary storage of information only and must not be used as permanent document repositories to store GC information. Only on an exception basis, according to departmental or agency risk tolerance and with formal departmental or agency approval, may GC information be stored permanently on portable media.
5. Clearing and disposal
5.1 Clearing is the process of erasing stored information from portable data storage devices in a manner that allows it to be reused within an equivalent security environment.
5.2 Clearing must be adequate to prevent information recovery using tools normally available on the information system. Simply deleting or erasing the files or reformatting does not clear the portable data storage device, because commands such as undelete or unformat may permit the recovery of the information.
5.3 Additionally, the clearing process is not expected to be proof against “hands-on” recovery methods using specialized IT utilities or laboratory techniques. For this reason, cleared portable data storage devices must be retained within security environments appropriate to the highest level of information that the device once contained, and the device cannot be considered for declassification.
5.4 Disposal is the identification of suitable methods to prepare portable data storage devices for declassification or disposal.
5.5 Individual users must return portable data storage devices to their department or agency for disposal.
5.6 Baseline standards and various methods have been approved by the RCMP and Communications Security Establishment Canada for the disposal of different types of devices. Methods are recommended based on specified levels of data sensitivity within a range of typical GC operating environments.
5.7 Clearing and disposal should be done in accordance with CSEC’s Sanitization and Disposal of Electronic Devices (ITSAP.40.006).
6. Additional departmental and agency responsibility
6.1 Departments and agencies must consider the following as the minimum level of their responsibility regarding the secure use of portable data storage devices.
6.2 Only portable data storage devices issued by departments or agencies are authorized to be used to store GC information.
6.3 All portable data storage devices must be password- or biometric-controlled and the GC information stored on them encrypted.
6.4 All portable data storage devices issued by a department or agency for the storage of Protected C or classified GC information must be recommended by the Canadian Centre for Cyber Security.
6.5 The following exceptions for the use of unauthorized portable data storage devices are permissible according to departmental or agency risk tolerance and with formal departmental or agency approval:
- 6.5.1 connecting an unauthorized device to GC IT networks for the purpose of one-way transfers of information from the device to GC IT networks;
- 6.5.2 storing GC information on an unauthorized device;
- 6.5.3 permanently storing GC information on portable media; and
- 6.5.4 storing unencrypted GC information on a non-password- or non-biometric-controlled portable data storage device.
6.6 Departments and agencies must scan all portable data storage devices for malicious software each time the device is connected to GC IT infrastructure.
6.7 Portable data storage devices used on unclassified, Protected A or Protected B networks must never be connected to a classified (Secret) network. Departments and agencies can request additional information about information transfer solutions using portable data storage devices between networks with different security levels from CSEC.
6.8 Departments and agencies must implement a proper administrative security process throughout the life cycle of portable data storage devices. This process is to include, but is not limited to, ensuring that proper practices are in place related to asset management, including the monitoring of devices, accountability, authorization, storage and handling, data transfer (data loss prevention), and disposal.
6.9 Departments and agencies must maintain records of the portable data storage devices issued within their organization. At a minimum, the record is to contain a unique identifier (such as a serial number) of the portable data storage device, the assignee name, the date of assignment, and the purpose and highest level of security classification of the information that is allowed to be stored on the device.
6.10 Departments and agencies must provide an individual user training program on the proper use of portable data storage devices. The training must be provided prior to the issuance of the portable data storage devices, and individual users must sign a portable data storage device user agreement. This user agreement may be part of an overall IT acceptable use agreement.
6.11 Departments and agencies are responsible for establishing processes and procedures for individual users to report the loss or theft of portable data storage devices.
6.12 Departments and agencies are to report any real or suspected loss or theft of portable data storage devices to:
- 6.12.1 Office of the Chief Information Officer, TBS;
- 6.12.2 Their departmental or agency security and access to information and privacy officials; and
- 6.12.3 The Office of the Privacy Commissioner in accordance with TBS’s Guidelines for Privacy Breaches.
6.13 Departments and agencies subject to the Privacy Act must consider the legal requirements of this Act, and should apprise themselves of TBS’s Guidelines for Privacy Breaches. The Act describes GC responsibilities with respect to personal information.
The guidelines:
- 6.13.1 Identify causes of privacy breaches;
- 6.13.2 Provide guidance on how to respond, contain and manage privacy breaches;
- 6.13.3 Delineate roles and responsibilities; and
- 6.13.4 Include links to relevant supporting documentation.
6.14 Departments and agencies may also consult the Office of the Privacy Commissioner’s Key Steps for Organizations in Responding to Privacy Breaches.