The CRA's controls to protect information from external threats

Protecting the Canada Revenue Agency's (CRA) integrity includes ensuring that we have the proper systems and technologies in place to safeguard the sensitive information that we hold from external threats.

The CRA adheres to the Policy on Government Security and direction provided by lead security agencies like the Communications Security Establishment Canada (CSEC) and Public Safety Canada (PSC). Additionally, the CRA publishes, promotes and monitors its own security policies that guide and support the CRA's culture of integrity.

Ongoing improvements

The CRA's team of highly qualified information technology professionals works in conjunction with other departments such as Shared Services Canada and the Treasury Board Secretariat to identify and mitigate cyber threats and risks to privacy and the security of the data we hold. The CRA follows a continuous improvement security program in which the effectiveness of the security tools is continuously evaluated and improved.

As part of our commitment to continual improvement and as a result of the CRA's experience in addressing vulnerabilities caused by the Heartbleed bug, our security controls and policies are being reinforced and updated to ensure that this or similar types of incidents do not re-occur. The CRA is working closely with Shared Services Canada and the Treasury Board Secretariat to ensure our response to security threats and software vulnerabilities is timely. In addition, more monitoring has been put in place to identify potential vulnerabilities in our environment. With these enhancements the CRA is able to respond even more swiftly in the unlikely event of another incident.

A layered approach to security

As threats to security can occur prior to, during, or after the receipt of electronic data, the CRA employs a layered approach to security.

All communications and transactions with the CRA are protected and are conducted on secure platforms. As phishing scams become more frequent, the CRA is proactive in warning the public about fraudulent communications claiming to be from the CRA.

External services are protected by firewalls and intrusion prevention tools to detect and prevent unauthorized access to CRA systems and block malware. During online transactions we ensure that all sensitive information is encrypted (or scrambled) when it is transmitted between your computer and our Web servers. Controls in place to protect our data from external threats include network and host security systems like corporate firewalls, anti-virus software, intrusion detection and prevention measures, and identity and access management controls.

CRA employees must use approved levels of encryption on all removable devices (such as USB storage media) and when transmitting private information externally to authorized recipients. Personal storage devices are not authorized to be connected to the Agency's network and are not permitted on CRA equipment.

Network components such as servers and routers are stored in secured and locked rooms or cabinets, accessible only to authorized personnel. Agency networks and workstations are equipped with malware and virus detection and removal software, which is updated daily and protects the CRA environment from the increasing threat of malicious code and viruses. At the CRA employee level, computers are secured with a suite of security products ranging from anti-virus software to host intrusion software. Malicious or potentially malicious internet sites, email (e.g. spam) and email attachments are blocked to ensure the CRA's environment remains secure. All software used by the CRA undergoes a rigorous certification process which must meet our strict standards for security.

For more information about the controls in place at the CRA to protect data from external threats, go to Access online services safely.
