Security requirements for the protection of sensitive information
A. General conditions
- All information, assets, and services provided or produced under this contract are considered to be Canada Revenue Agency (CRA) Protected A or Protected B (or both).
- For contracts involving Protected C and Classified (Confidential, Secret, or Top Secret) information, assets, and services, security requirements must be evaluated and approved by the Security Branch of the CRA prior to contract award.
- The CRA will ensure that an audit log of all accesses (for example, create, view, update, and delete) to the information, assets, and services provided or produced under this contract is maintained and made available upon request. The data elements required in the audit log report are the identity of the person, the time and date of the access, and the type of transaction made.
- In cases where the Contractor further distributes the information provided under this contract to areas within their jurisdiction, the Contractor is responsible for ensuring compliance with the security requirements outlined in this document. Prior to information being distributed, written compliance to the security requirements outlined in this document is to be provided to the Project Authority, who will submit it to CRA security for review and approval.
B. Procedures
The Contractor is to ensure that all information provided by the CRA to the Contractor is safeguarded as per the security requirements outlined in this document.
Access to information, assets, and services provided or produced under this contract is to be controlled and limited to authorised individuals who:
- a. have a valid security screening, which involves:

| Level | Security screening activities | Validity |
|---|---|---|
| Reliability status | Verification of identity | 10 years |
| Enhanced Reliability status | Pre-requisite of a Reliability status, plus: Internet inquiry | 10 years |

- b. require access to the minimum amount and type of information needed to perform assigned work-related activities (“need-to-know” principle).
- c. have been made aware of the security requirements outlined in this document.
- d. have been made aware of the relevant Act(s) outlined in this document:
  - Sections 239 and 241 of the Income Tax Act
  - Sections 295 and 328 of the Excise Tax Act
C. Security requirements
1. Physical Security requirements
All IT equipment and documents containing Canada Revenue Agency (CRA) Protected A or Protected B information (or both) must be located in a space that meets the requirements of an approved operations zone as described in the table below. Servers must be further segregated into a locked cabinet or room within the approved operations zone.
Operations Zone
- Definition: The operations zone is an area where access is limited to appropriately screened personnel who work there, and to escorted visitors.
- Examples: Typical open office areas.
- Perimeter: Must be indicated by a recognizable perimeter or a secure perimeter.
- Monitoring: Monitored periodically to confirm on a regular basis that there has not been a breach of security.
The Contractor:
- must, as a minimum, ensure that the CRA Protected A or Protected B information (or both) and assets are located in an approved operations zone and stored in a locked drawer or a security container. Access to the approved operations zone must be limited to those authorised by the Project Authority and screened to a minimum of a Reliability status or as specified in the [SELECT Contract/Work Order/Task Authorization], and to visitors (under escort) with a legitimate work-related requirement to be there.
- must store CRA Protected A or Protected B waste (or both) in a locked container within the Contractor’s approved operations zone until it is returned to the CRA to be destroyed. If there is a large volume of information to be destroyed and the information cannot be returned to the CRA, the Contractor must consult the Project Authority for appropriate methods of destruction.
- must immediately report in writing any actual or suspected loss, theft, or unauthorised disclosure of information or assets provided or produced under [SELECT Contract/Work Order/Task Authorization] to the Project Authority by providing the following details:
  - description of the type of information or asset involved
  - the date, time, and place of the incident
  - circumstances surrounding the incident
  - the extent of known or probable compromise of the information or asset to the CRA
  - the identity of unauthorised individuals, if known, who had or are believed to have had access to the information or asset
  - action taken or contemplated to remedy the situation
  - any further details which may assist in assessing the loss or compromise of the information or asset
  - if the missing information or asset is found after the notification has been sent, the circumstances under which it was found must be communicated to the Project Authority
Information in transit
If the Contractor is transporting CRA Protected A or Protected B information (or both) or assets when traveling, they must ensure that the information and assets are transported and safeguarded in accordance with the following directions.
The Contractor:
- must exercise good judgement and ensure that every reasonable effort has been made to minimize any security risks to the CRA Protected A or Protected B information (or both) or assets (for example, laptop) at all times.
- must, when transporting CRA Protected A or Protected B information (or both) or assets, ensure they are safeguarded, at a minimum, in a locked carry case.
- must ensure the carry case is labeled with a forwarding or return address and phone number of the Contractor’s office.
- must, while traveling by vehicle, place the carry case in a locked trunk, or out of sight in a locked vehicle.
- must maintain control of the carry case containing CRA Protected A or Protected B information (or both) or assets at all times and must not expose the material to others while on public transit systems or in a public location.
2. Information Security requirements
When CRA Protected A or Protected B information (or both) is discussed, displayed on equipment, or viewed in printed format, access to this information must be limited to persons authorised by the Project Authority, screened to a minimum of a Reliability status or as specified in the [SELECT Contract/Work Order/Task Authorization], and with a legitimate work-related requirement to view the information.
Electronic media containing CRA Protected A or Protected B information (or both) must be kept under the control and possession of the Contractor at all times.
The Contractor:
- must not auto-forward emails internally or externally.
- must not send CRA Protected A or Protected B information (or both) via fax.
- must ensure that conversations involving CRA Protected A or Protected B information (or both) only take place in areas where they cannot be overheard.
Voice/Audio/Video
The Contractor:
- must ensure that phones used for discussions containing CRA Protected A or Protected B information (or both), including landline, cell phones (including smart phones), and VoIP, are issued by the Contractor’s organisation.
- must ensure that personal cell and smart phones are not used to discuss CRA Protected A or Protected B information (or both). Only cell and smart phones which have been issued exclusively for business use may be used to discuss CRA Protected A or Protected B information (or both).
- must ensure that collaboration tools used with external partners including, but not limited to, Slack, Zoom, Google Hangouts, Skype, and Cisco WebEx, are restricted to Unclassified conversations only.
- must ensure that Microsoft Teams is used for conversations that include CRA Protected A or Protected B information (or both) only when initiated from a CRA device. Contractors with a valid Reliability status may join these calls but may only initiate a call when a CRA user ID, email address, and CRA device have been provided to the Contractor.
CRA Protected A or Protected B information (or both) – Microsoft Teams
The Contractor:
- must only share transitory information, or data in motion:
  - live voice (including captions), video, and live screen sharing are considered transitory information, or data in motion, and are acceptable.
- must never use the chat function, recording features, share files, capture screen shots, or any other form of data capture with Teams.
- must be aware that anything posted on Microsoft Teams is part of a permanent record (data at rest), even if it is deleted later.
- must be aware that content shared within Microsoft Teams can be subject to Access to Information and Privacy (ATIP) requests.
- must ensure that CRA Protected A or Protected B information (or both) is not visible to unauthorised individuals, including in photographs, on mobile phone cameras, or in video conference calls. The use of blurred or neutral backgrounds in video conferences is recommended.
- must ensure calls are on the CRA tenant (organised from a CRA account). When discussing CRA Protected A or Protected B information (or both), the invitation must originate from the CRA.
Social engineering awareness
The Contractor and its personnel:
- must remain vigilant against attempts by social engineers to gain unauthorised access to CRA information and assets. Always be aware of suspicious activities, such as phishing emails or unfamiliar phone calls.
- must not disclose that they are providing services through a contract to the CRA on their social media. Always verify links and email sources before clicking on any link. The Contractor and its personnel must be cautious of urgent requests and unsolicited communications.
- must take care not to inadvertently share CRA Protected A or Protected B information (or both) on social media. Sharing, exchanging, or discussing CRA Protected A or Protected B information (or both) via unapproved tools (social media, private chat applications, etc.) is prohibited.
3. Information Technology (IT) Security requirements
The Contractor:
- must immediately report in writing any suspected loss or theft of IT equipment containing CRA Protected A or Protected B information (or both) to the Project Authority.
- must ensure that each authorised user accessing equipment containing CRA Protected A or Protected B information (or both) uses their own unique account with user-level (non-administrative) privileges.
- must inform all users that login IDs and accounts are not to be shared.
- must restrict computer accounts with Administrator-level privileges to only system administration tasks (that is, they are not to be used for general user tasks, such as surfing the Internet, checking email, etc.).
- must encrypt all CRA Protected A or Protected B information (or both) in their custody that is stored, processed, or shared electronically with full drive encryption using a product that meets Government of Canada (GC) encryption standards as defined in Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information, and secured by a strong password:
  - passwords must be a minimum of eight characters long and contain:
    - at least one lower case character (a-z)
    - at least one upper case character (A-Z)
    - at least one numeric character (0-9)
    - at least one symbol character (!, @, #, $, %, ^, &)
  - passwords must comply with Canadian Centre for Cyber Security (CCCS) Best practices for passphrases and passwords
- must not share passwords and must ensure that they are safeguarded at all times. BitLocker and Windows passwords must be kept confidential.
- must enable a password protected screen saver set to 10 minutes or less on all equipment containing CRA Protected A or Protected B information (or both) connected to or including a digital display or monitor.
- must lock their screen (Ctrl+Alt+Del) when stepping away from the computer and log off or shut down at the end of the workday. Locking the screen also applies to all ‘smart’ devices, such as cell phones and tablets, when not in use. Screens must not be visible to unauthorised individuals.
- must only store all CRA Protected A or Protected B information (or both) and assets in their custody in Canada as per section 4.4.3.14 of the Directive on Service and Digital, which states that storage of CRA Protected A or Protected B information (or both) on any equipment not in the Contractor’s control, or outside of Canada, is prohibited.
- must only use Canadian-based cloud storage services that have been formally authorised by the CRA to store CRA Protected A or Protected B information (or both), as all other cloud services are prohibited.
- must install modern up-to-date antivirus software on all equipment containing CRA Protected A or Protected B information (or both) with:
  - automatic on-access scanning enabled
  - virus definition data updated within 48 hours of update availability
  - if available, enablement of virus definition auto-update features is recommended
- must ensure vendor support of the operating system (OS) and applications used on equipment containing CRA Protected A or Protected B information (or both) is available, that is:
  - must ensure current security patches are available from the vendor
  - the latest security patches must be installed
  - must ensure the product has not reached end of life (for example, as of January 14, 2020, Windows 7 OS is no longer supported by Microsoft)
- must enable security event logging on all equipment containing Protected A or Protected B information (or both) and keep these logs for a minimum of one year.
- must ensure that all equipment containing CRA Protected A or Protected B information (or both) that is connected to the Internet resides behind a network router that is securely configured using industry best practices, for example, a stateful packet inspection NAT-enabled firewall that is password-protected.
- must ensure that firewall and router configurations are documented, and security logging enabled, maintained, and reviewed quarterly by cybersecurity.
- must securely destroy any CRA Protected A or Protected B information (or both) stored on equipment no longer required to store or process this information in accordance with IT Media Sanitization, including any CRA Protected A or Protected B information (or both) stored on cloud storage services.
- must remove and secure internal data storage devices (for example, hard drives) from all IT equipment containing CRA Protected A or Protected B information (or both) prior to the equipment being removed from the Contractor’s premises for service.
- must surrender to the Project Authority for destruction all internal data storage devices (for example, hard drive) from equipment (or the equipment itself if the internal storage cannot be removed) containing CRA Protected A or Protected B information (or both) that has been determined to be no longer serviceable.
- must limit viewing of CRA Protected A or Protected B information (or both) displayed on equipment or viewed in printed format to persons authorized by the Project Authority and screened to a minimum of a Reliability status or as specified in the [SELECT Contract/Work Order/Task Authorization], and with a legitimate work-related requirement to view the information.
- must restrict all remote access to equipment containing CRA Protected A or Protected B information (or both) from outside of the Contractor’s internal network, as it is prohibited.
- must ensure that all equipment containing CRA Protected A or Protected B information (or both), or used to process or access CRA Protected A or Protected B information (or both), meets the following requirements:
  - the basic input/output system (BIOS) is protected with a strong password and is configured to allow booting only from the system drive, for example, the C: drive
  - the system is powered off or hibernated when not in use. Sleep mode and suspension to RAM are prohibited.
Definitions
- Portable Data Storage Device (PDSD): Devices that are portable and allow for the storage of information are considered portable data storage devices. Examples of portable data storage devices include:
  - USB devices (for example, memory sticks, external hard drives)
  - eSATA devices
  - Flash media or cards such as CF, SD, SDHC, SDXC, etc.
  - External media not otherwise described, such as tapes, optical discs (for example, CDs, DVDs, Blu-Ray, magneto-optical), and all other magnetic and optical media
- Protected equipment: All Information Technology (IT) equipment and related devices such as, but not limited to, servers, desktop computers, laptop computers, tablet computers, smartphones, USB keys or drives, and other external storage devices that are used to access, store, or process information of CRA Protected A or Protected B (or both) level sensitivity.
D. Applicable legislation
1. Income Tax Act - Sections 239 and 241
239 (2.2)
- Every person who
  - contravenes subsection 241(1), or
  - knowingly contravenes an order made under subsection 241(4.1)

  is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months, or to both.
239 (2.2)
- Every person
  - to whom taxpayer information has been provided for a particular purpose under paragraph 241(4)(b), (c), (e), (h), (k), (n), (o) or (p), or
  - who is an official to whom taxpayer information has been provided for a particular purpose under paragraph 241(4)(a), (d), (f), (f.1), or (j.1)

  and who for any other purpose knowingly uses, provides to any person, allows the provision to any person of, or allows any person access to, that information is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months, or to both.
241(1)
- Except as authorised by this section, no official shall
  - knowingly provide, or knowingly allow to be provided, to any person any taxpayer information;
  - knowingly allow any person to have access to any taxpayer information; or
  - knowingly use any taxpayer information otherwise than in the course of the administration or enforcement of this Act, the Canada Pension Plan, the Unemployment Insurance Act or the Employment Insurance Act or for the purpose for which it was provided under this section.
241(10)
- His Majesty in right of Canada or a province, or
- an authority engaged in administering a law of a province similar to the Pension Benefits Standards Act, 1985.
or any person who was formerly so employed, who formerly occupied such a position or who was formerly so engaged.
2. Excise Tax Act – Sections 295 and 328
295(1)
- “official” means a person who is employed in the service of, who occupies a position of responsibility in the service of, or who is engaged by or on behalf of, His Majesty in right of Canada or a province, or a person who was formerly so employed, who formerly occupied such a position or who formerly was so engaged.
295(2)
- Except as authorised under this section, no official shall knowingly
  - provide, or allow to be provided, to any person any confidential information;
  - allow any person to have access to any confidential information; or
  - use any confidential information other than in the course of the administration or enforcement of this Part.
328(1)
- Every person who
  - contravenes subsection 295(2), or
  - knowingly contravenes an order made under subsection 295(5.1)

  is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding twelve months, or to both.
328(2)
- Every person
  - to whom confidential information has been provided for a particular purpose pursuant to paragraph 295(5)(b), (c), (g), (k) or (l), or
  - who is an official to whom confidential information has been provided for a particular purpose pursuant to paragraph 295(5)(a), (d), (e) or (h),

  and who for any other purpose knowingly uses, provides to any person, allows the provision to any person of, or allows any person access to, that information is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding twelve months, or to both.