MAF 2018 to 2019 Security Management methodology

Methodology Overview

Objectives

The Government of Canada (GC) is responsible for ensuring that information, assets and services are protected from compromise. By managing government security proactively and rigorously, federal departments and agencies:

  • adapt to the evolving risk environment
  • ensure timely and coordinated responses to security incidents

The overall objectives of the security management methodology of the Management Accountability Framework (MAF) for the 2018 to 2019 fiscal year are to:

  • assess compliance with key requirements of the Policy on Government Security and monitor their implementation
  • provide deputy heads and security officials with an integrated view of their organization’s practices to manage security
  • strengthen management practices in departments and agencies to drive conversations within departments and agencies and with other organizations

The MAF security management methodology for the 2018 to 2019 fiscal year focuses on practices that contribute to the following five security outcomes:

  1. Effective Departmental Security Planning and Reporting
  2. Trusted Workforce and Partners
  3. Secure Workplace
  4. Preparedness and Effective Response to Events
  5. Trusted Information Systems and Processes

The methodology has indicators to assess the following:

  • aspects of effective security planning and reporting processes
  • the implementation of management practices related to security controls, including:
    • security screening
    • information technology security
    • physical security
    • business continuity management
    • information management
    • security in contracts and other arrangements
    • security event management
    • security awareness and training

Outcome statements and the rationale for the indicators appear for each question in the MAF questionnaire for security management.

The methodology for security management will generate information on performance management to provide insight into a department’s or agency’s security planning, security control framework and security management practices that contribute to improving the overall security posture of the GC. Obtaining this information is important in order to:

  • validate and inform security management decisions and direction
  • observe trends and changes
  • identify areas of strength and areas that need attention
  • share leading security management practices

Use of Management Accountability Framework (MAF) results

MAF results on security management for the 2018 to 2019 fiscal year will provide information to the following three key audiences:

  • deputy heads will use the information to:
    • gain an overview of the extent to which the organization meets expected results for its security management using a risk-based approach
    • identify potential areas for improvement and develop actions to ensure that security risks to the GC are continuously monitored
    • where there are challenges in policy implementation, correct course or re‑prioritize activities as needed
  • the security community will use the information to:
    • develop benchmarks to obtain comparative results
    • develop leading practices to inform and advance departmental and agency guides, procedures and tools
    • determine common security needs and collective actions needed to further strengthen GC security management
  • the Treasury Board of Canada Secretariat (TBS) will use the information to:
    • assess the level of policy compliance and related maturity levels of organizations
    • determine government-wide risks and systemic issues
    • develop leading practices to inform and advance GC-wide guides, procedures and tools
    • examine data to inform decision-making and refine policy

The intent of the security management methodology is to assess the current state of practices and performance. Most questions are from a “point-in-time” perspective to provide the most up-to-date representation possible. The approach is to capture information on security management as strategic priorities evolve. To ensure that the questions used in this security management methodology questionnaire capture pertinent information, previous MAF findings were reviewed and the methodology was refined and re-scoped so that relevant information can be provided to deputy heads on management practices and performance.

Each question indicates the time frame for the information requested. The maximum number of documents to be provided as evidence for each question is also provided. TBS may also refer to the following information in assessing questionnaires:

  • internal or external evaluations and audits, including audits by the Office of the Auditor General
  • information from the Application Portfolio Management process and associated Clarity tool
  • other documents to inform assessment and reporting on MAF security management

This security management methodology has been developed in consultation with the security functional community.

Questionnaire

Effective Departmental Security Planning and Reporting

Outcome(s): Deputy heads establish effective departmental or agency security planning and reporting in order to gain the information needed for informed decision-making on security to support:

  • the trusted delivery of GC programs and services
  • protection of the GC’s information, people and assets

Question 1: What percentage of activities identified in the Departmental Security Plan (DSP) approved by the deputy head for 2017 to 2018 fiscal year were completed as planned?

Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

The DSP details decisions on:

  • managing security risks
  • improving departmental or agency security
  • supporting the DSP’s implementation

The extent to which activities approved by the deputy head and identified in the DSP were completed indicates how successful those activities were in making planned improvements. This information helps identify:

  • areas for improvement
  • actions to ensure that security risks to the organization are continually managed
Target (where applicable)

70% of activities identified in the DSP for completion in the 2017 to 2018 fiscal year were completed as planned

Calculation method

Number of DSP planned activities completed in the 2017 to 2018 fiscal year
÷ Total number of DSP planned activities scheduled for completion in 2017 to 2018 fiscal year
× 100

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: Portal close date

Department or agency to answer

Evidence: Evidence of activities achieved for the 2017 to 2018 fiscal year may include either of the following:

  • an annex to a recently approved DSP that outlines progress achieved since the previous approval of the DSP
  • a DSP progress report or other document that outlines progress achieved, with evidence that it was submitted to and approved by the deputy head

In addition, the department or agency must submit its DSP for the 2018 to 2019 fiscal year, which must:

  • have the deputy head’s signature that indicates approval of the DSP
  • outline priorities for the 2018 to 2019 fiscal year (Footnote 1)

Document limit: 3

Period of assessment: 2017 to 2018 fiscal year

Treasury Board policy reference or Government of Canada priority

Question 2: Did the department or agency report to its deputy head or senior executive committee on the effectiveness of the DSP, including implementation of planned activities for the 2017 to 2018 fiscal year?

  • Yes
  • No
Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

Annual reporting on implementation of the DSP and its effectiveness:

  • supports the organization and the deputy head in responding to implementation challenges
  • provides the opportunity to correct course or re-prioritize activities as needed
Target (where applicable)

n/a

Calculation method

n/a

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: Portal close date

Department or agency to answer

Evidence: The DSP progress report:

  • covers all the department’s or agency’s security activities for the 2017 to 2018 fiscal year
  • evaluates the overall effectiveness of the DSP
  • shows evidence that the progress report was submitted to the deputy head

Document limit: 3

Period of assessment: 2017 to 2018 fiscal year

Treasury Board policy reference or Government of Canada priority

Trusted Workforce and Partners

Outcome(s): Individuals can be trusted to:

  • fulfill their security responsibilities
  • not wilfully or inadvertently compromise security

Contractors and other partners can be relied upon to:

  • safeguard the information and assets entrusted to them
  • reliably fulfill their obligations

Question 3: Security Screening - What is the percentage of security screening files reviewed (Footnote 2) that contain all evidence of verifications performed in relation to the level of security screening granted, in accordance with the 2014 Standard on Security Screening?

Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

A complete security file includes evidence of all verifications required by the Standard on Security Screening. This measure will:

  • establish a baseline
  • provide an overview of the extent of security screening decisions that are properly documented by evidence

Complete information reduces risks to organizations and enables greater transferability because receiving organizations are able to accept and rely on the security screening file without duplicating previous efforts. Complete information also:

  • contributes to file integrity
  • ensures that security screening in the GC is effective, efficient, rigorous, consistent and fair
Target (where applicable)

Baseline to be obtained from results

Calculation method

Number of files reviewed that contain all evidence of verifications performed in relation to the level of security screening granted in accordance with the 2014 Standard on Security Screening
÷ Total number of files reviewed
× 100

The following information is to be recorded, maintained and updated:

  1. completed original copies of security screening forms and questionnaires
  2. relevant results of all security screening verifications, inquiries and assessments
  3. analysis of results and any advice or recommendations to support decision-making
  4. decisions to grant, grant with a security waiver, deny, revoke, suspend pending investigation, or administratively cancel a security status or clearance
  5. relevant information on any waiver, temporary access, review for cause or investigation, and any ensuing decisions
Evidence source and document limit
TBS to answer

Data source: Data will come from the information and data provided by departments and agencies as part of the Security Screening File Review Initiative led by TBS’s Security Policy Division.

Date of data extraction: Deadline as outlined in the Security Screening File Review Initiative of TBS’s Security Policy Division.

Department or agency to answer

Evidence: n/a

Document limit: n/a

Period of assessment: 2017 to 2018 fiscal year

Treasury Board policy reference or Government of Canada priority

Question 4: Security Screening - What is the percentage of security screening files transferred in and for which additional verifications were required in order to complete the received files?

Each security screening file should contain the information and documentation outlined in the Standard on Security Screening.

Note: For security screening status or clearance granted before the Standard on Security Screening’s implementation in October 2014 (when the financial inquiry section became mandatory for all levels):

  • evidence of financial inquiry may not be on file and should not be considered incomplete for this reason
  • in cases where upgrades to the security status were required, additional verifications related to the upgrade should not be the rationale for considering a file incomplete
  • additional security verifications that were specific to the organization are out of scope

Data from evidence:

  • total number of security screening files transferred in between August 1, 2018, and October 31, 2018
  • number of security screening files transferred in between August 1, 2018, and October 31, 2018, that included evidence of all verifications required, as identified in the Standard on Security Screening
Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

A complete security file that includes evidence of all verifications is required by the Standard on Security Screening. Information gained from this question will:

  • establish a baseline to provide a view of the percentage of compliance for security screening files that have been transferred between departments and agencies
  • help security practitioners and decision-makers determine the organization’s performance, including identifying challenges, to:
    • enable greater transferability of security screening between departments and agencies
    • help ensure that security screening in the GC is effective, efficient, rigorous, consistent and fair
Target (where applicable)

None. A baseline indicator may be used to establish future service standards. The goal is for this value to be low, as it is expected that files transferred between departments and agencies contain evidence of all verifications performed, in compliance with the Standard on Security Screening.

Calculation method

For files transferred in between August 1, 2018, and October 31, 2018, determine the number of files where additional verifications were required, as identified in the Standard on Security Screening.

Number of files where additional verifications were required
÷ Total number of files transferred in
× 100
= Percentage of files transferred in where additional verifications were required

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: n/a

Department or agency to answer

Evidence: Departments or agencies are to provide a copy of the log or mechanism by which they track transfers of files.

The log or mechanism should specify which verifications were performed to complete the file.

Document limit: 3

Period of assessment: to

Treasury Board policy reference or Government of Canada priority

Question 5: Security Awareness - What percentage of individuals who travelled internationally on government business between August 1, 2018, and October 31, 2018, were provided with a travel security briefing before their departure?

Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

Travel security briefings are an important part of a comprehensive security awareness program to ensure that individuals understand their security responsibilities while travelling on government business. A travel briefing sensitizes individuals to:

  • avoiding the potential for compromise of government information
  • protecting government data while on travel
  • being aware of personal safety travel advisories

While on government travel, it is critical that individuals protect GC information from compromise by potential adversaries such as foreign states, criminals and terrorists who seek vulnerabilities in order to gain access to GC information on:

  • how the GC operates
  • trade secrets
  • intellectual property
  • other valuable data

Protection while travelling includes:

  • protecting personal information
  • making travellers aware of personal safety to avoid potential exploitation

Travel briefings are a way for the GC to:

  • fulfill its duty-of-care responsibilities for the personal safety of its employees who are travelling on GC business
  • provide an opportunity to remind employees that their responsibility for protecting government information assets extends while travelling.
Target (where applicable)

n/a

Calculation method

Number of individuals who travelled internationally on government business between August 1, 2018, and October 31, 2018, who received a travel security briefing prior to departure.
÷ Total number of individuals who travelled internationally on government business between August 1, 2018, and October 31, 2018
× 100

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: n/a

Department or agency to answer

Evidence:

  • Department’s or agency’s travel or conference plan or log that identifies the total number of individuals who travelled internationally on government business between August 1, 2018, and October 31, 2018
  • Department or agency security briefing or other report that identifies the number of travel security briefings conducted for individuals who travelled internationally on government business prior to their departure

Documents must support and validate the reported data fields of:

  • the total number of individuals who travelled internationally on government business between August 1, 2018, and October 31, 2018, who received a travel security briefing prior to departure
  • the total number of individuals who travelled internationally on government business between August 1, 2018, and October 31, 2018

Document limit: 3

Period of assessment: to

Treasury Board policy reference or Government of Canada priority

Question 6: Security in Contracts and Other Arrangements - Does the department or agency have a mechanism in place to ensure that all contracts that have security requirements are accompanied by a completed Security Requirements Checklist?

  • Yes
  • No
Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

Departments and agencies are responsible for protecting sensitive information and assets under their control. This responsibility applies to:

  • internal government operations
  • all phases of the contracting process, including bidding, negotiating, awarding, performance and termination of contracts

The Security Requirements Checklist:

  • is issued to define the security requirements for contracts
  • should accompany all requisitions and related contractual documents, including subcontracts that contain security requirements

This question will assess whether departments and agencies have implemented measures to ensure they are monitoring compliance with this policy requirement.

Target (where applicable)

n/a

Calculation method

n/a

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: n/a

Department or agency to answer

Evidence: Departments or agencies are to provide documentation that shows that the mechanism is in place.

Document limit: 3

Period of assessment: Point in time, as of the date of the department’s or agency’s MAF submission.

Treasury Board policy reference or Government of Canada priority

Secure Workplace

Outcome(s): The workplace provides an environment within which people, information and assets are safeguarded from threats.

Question 7: Physical Security - What percentage of the department’s or agency’s facilities that have higher security requirements have an up-to-date security assessment?

Note 1: The scope of the question includes facilities where the department is the custodian or has operations (buildings, floors within a building, space in foreign embassy, agricultural fields, etc.).

Note 2: Facilities that have higher security requirements are defined by the department’s or agency’s environmental scan (internal and external factors, potential impacts of compromise, the defined threats and effectiveness of security controls) and risk tolerance.

Note 3: “Up-to-date” is considered to be either:

  • within the department’s time frame for renewing security risk assessments, as established in policy or procedure
  • three years in the absence of such a time frame
Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

Modernization of the workplace and an evolving threat environment necessitate up-to-date assessment of security risks to facilities. Departments’ and agencies’ performance specific to facilities that have higher security requirements provides:

  • a risk-based approach to assessing the relative security posture of facilities
  • a point of reference in terms of the extent to which organizations meet this expected result
Target (where applicable)

n/a

Calculation method

Number of facilities that have higher security requirements that have an up-to-date security assessment
÷ Total number of facilities that have higher security requirements
× 100

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: n/a

Department or agency to answer

Evidence: A departmental or agency tracking tool that includes:

  • a list of all facilities
  • identification of facilities that have higher security requirements
  • type of assessment
  • date of last security assessment
  • frequency of assessment cycle

Documents must support and validate the reported data fields of:

  • number of the department’s or agency’s facilities
  • number of facilities that have higher security requirements that have an up-to-date security assessment
  • number of facilities that have higher security requirements

Document limit: 2

Period of assessment: Point in time, as of the date of the department’s or agency’s MAF submission

Treasury Board policy reference or Government of Canada priority

Question 8: Physical Security - Does the department or agency have operational policy instruments or procedures in place for conducting physical security inspections of facilities?

  • Yes
  • No

Note: The scope of the question includes facilities where sensitive information and assets are processed or stored to ensure compliance with departmental security requirements.

Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

An evolving threat environment necessitates ongoing monitoring to identify and address potential risks related to the availability and integrity of sensitive information and assets.

This question will assess whether departments and agencies have implemented measures to monitor and ensure compliance with identified security requirements and this policy requirement.

Target (where applicable)

n/a

Calculation method

n/a

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: n/a

Department or agency to answer

Evidence: A document that describes the department’s or agency’s defined process and timelines for completing security inspections

Document limit: 2

Period of assessment: Point in time, as of the date of the department’s or agency’s MAF submission

Treasury Board policy reference or Government of Canada priority

Preparedness and Effective Response to Events

Outcome(s): The impacts of security events are minimized through effective response, and critical GC programs, services and operations can be maintained during disruptions.

Question 9: Business Continuity Management - What percentage of the department’s or agency’s critical services have a business continuity plan (BCP) in place?

Note: For this response, it is recognized that a critical service may:

  • have its own BCP
  • be included within a broader BCP
  • be supported by multiple BCPs
Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

In the event of a disruption, BCPs provide for the continued availability of services and associated resources and assets that are critical to either:

  • the health, safety, security or economic well-being of Canadians
  • the effective functioning of government

Responses will help inform the extent to which organizations meet the related expected result. Departments, central agencies and senior management benefit by having a departmental or agency and GC-wide view of:

  • policy compliance with the Policy on Government Security requirement
  • departments’ and agencies’ critical services that have a BCP in place
Target (where applicable)

100% of the department’s or agency’s critical services have a BCP in place.

Calculation method

Number of critical services that have a BCP in place
÷ Total number of critical services
× 100

Evidence source and document limit
TBS to answer

Data source: BCP fields from the Clarity tool through the Application Portfolio Management (APM) process.

Total number of critical services in scope will be determined using the following data fields and criteria:

  • Field name: Critical Service Impact(s)
    = all selections except “Non-Critical Service”

Critical services that have a BCP in place are determined using:

  • Field name: Critical Service Impact(s)
    = all selections except “Non-Critical Service”
  • Field name: BCP in place = “Yes”

Date of data extraction: Day following the date of the MAF submission deadline in November 2018

Department or agency to answer

Evidence: n/a

Document limit: n/a

Period of assessment: Point in time, as of the date of data extraction

Treasury Board policy reference or Government of Canada priority

Question 10: Business Continuity Management - What percentage of BCPs were tested or exercised (Footnote 3) within the last two years?

Note: For this response, it is recognized that a critical service may:

  • have its own BCP
  • be included within a broader BCP
  • be supported by multiple BCPs
Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

Department and agency performance expectations are evaluated within a two-year time frame to:

  • monitor the ability of organizations to maintain their BCPs
  • remain current with the evolving risk environment
  • support the resiliency of their organization

Responses will help inform the extent to which organizations meet the related expected result.
Target (where applicable)

100% of critical services that have a BCP were tested or exercised within the last two years.

Calculation method

Number of critical services that have a BCP that were tested or exercised within the last two years
÷ Total number of critical services that have a BCP
× 100

Evidence source and document limit
TBS to answer

Data source: Business continuity planning fields from the Clarity tool through the Application Portfolio Management (APM) process.

Critical services that have a BCP in place are determined using:

  • Field name: Critical Service Impact(s)
    = all selections except “Non-Critical Service”
  • Field name: BCP in place = “Yes”

Critical services that have a BCP in place that has been tested or exercised are determined using:

  • Field name: Critical Service Impact(s)
    = all selections except “Non-Critical Service”
  • Field name: BCP in place = “Yes”
  • Field name: BCP for service tested or exercised? = “Yes”

Date of data extraction: Day following the date of the MAF submission deadline in November 2018.

Department or agency to answer

Evidence: n/a

Document limit: n/a

Period of assessment: Point in time, as of the date of data extraction.

Treasury Board policy reference or Government of Canada priority

Question 11: Business Continuity Management - Does the department’s or agency’s governance body responsible for business continuity planning ensure regular review and testing of BCPs?

  • Yes
  • No
Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

It is essential that senior departmental or agency managers:

  • commit to business continuity planning
  • integrate such planning into a strategic planning framework
  • ensure compliance with government policy
  • ensure appropriate departmental or agency expert review (for example, legal, policy, finance, communications, information management and human resource specialists)
  • appoint participants

These activities can be achieved through engagement with a senior management committee (ADM level).

This question will assess whether departments and agencies meet this policy requirement.

Target (where applicable)

A minimum of two engagements per year

Calculation method

n/a

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: Portal close date

Department or agency to answer

Evidence: Any of the following that demonstrate that the department’s or agency’s BCP governance was involved in decision-making or guidance, at least twice a year, to ensure regular review and testing of BCPs by internal BCP resources or the responsible senior manager for BCP (departmental security officer):

  • records of decisions
  • briefing materials
  • program updates
  • lists of committee membership
  • other evidence

Document limit: 2

Period of assessment: , to .

Treasury Board policy reference or Government of Canada priority

Question 12: Security Event Management - Does the department or agency have operational policy instruments or procedures in place to conduct administrative investigations of security events?

  • Yes
  • No
Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

It is important that departments and agencies establish procedures to:

  • conduct, report and review administrative investigations
  • clarify the roles of those involved to ensure procedural fairness, effectiveness and uniformity in reporting and conducting administrative investigations

This question will assess whether departments and agencies meet this policy requirement.

Target (where applicable)

n/a

Calculation method

n/a

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: n/a

Department or agency to answer

Evidence: Any of the following that document or outline the procedures for conducting administrative investigations of security events, with evidence that the procedures are approved (Footnote 4) and implemented:

  • operational policy documents
  • standard operating procedures
  • other instruments

Document limit: 3

Period of assessment: Point in time, as of the date of the department’s or agency’s MAF submission

Treasury Board policy reference or Government of Canada priority

Trusted Information Systems and Processes

Outcome(s): Information systems and processes can be relied upon to:

  • protect information
  • support trusted program and service delivery

Question 13: Information Technology Security - Does the organization have a documented process in place to enforce the management of administrative privileges?

  • Yes
  • No
Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

Administrators can change security settings, install software and hardware, and access all files within a network. Departments and agencies are to ensure that:

  • administrative accounts are used only by staff who absolutely require administrative privileges to perform specific administrative functions
  • the management of administrative changes is enforced

Administrative functions should never be performed using workstations that have internet access. These processes also provide organizations with the necessary system information to conduct administrative investigations into unauthorized access.

This question will provide the deputy head, the chief information officer and the IT security coordinator with the opportunity to review and improve current practices.

Target (where applicable)

n/a

Calculation method

n/a

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: n/a

Department or agency to answer

Evidence: Departmental or agency documentation that outlines the established processes, procedures and capabilities for privileged account management, as outlined in Priority IT Security Actions (2015/16) (SPIN 2015-01)

Document limit: 3

Period of assessment: 2017 to 2018 fiscal year

Treasury Board policy reference or Government of Canada priority

Question 14: Information Management Security - Does the department or agency have an alerting capability in place for unauthorized access of information by internal users within its IT systems?

  • Yes
  • No
Category
  1. Policy compliance
  2. Results or performance
  3. Service standard
  4. Baseline information
  5. Descriptive statistic
Type
  1. Core
  2. Spot-check
Rationale

The IT security posture of departments and agencies is continuously maintained by:

  • monitoring threats and vulnerabilities
  • detecting malicious activity and unauthorized access
  • taking both pre-emptive and response actions to minimize effects

To protect information and ensure service delivery, departments and agencies must continuously monitor IT system performance to rapidly detect attempts (failed or successful) to:

  • gain unauthorized access to a system
  • bypass security mechanisms
Target (where applicable)

n/a

Calculation method

n/a

Evidence source and document limit
TBS to answer

Data source: n/a

Date of data extraction: n/a

Department or agency to answer

Evidence: Documents that demonstrate that:

  • an IT security program is in place
  • controls are defined and monitored to identify unauthorized systems access
  • record of IT systems logs that show access information, including evidence of monitoring

Document limit: 3

Period of assessment: Point in time, as of the date of the department’s or agency’s MAF submission

Treasury Board policy reference or Government of Canada priority

Glossary

administrative privileges
The highest level of rights granted to the user of a computer or network.
contract
An agreement between a contracting authority and a person or firm to provide a good, perform a service, construct a work or lease real property for appropriate consideration.
critical service
A service that if compromised in terms of availability or integrity would result in a high degree of injury to either:
  • the health, safety, security or economic well-being of Canadians
  • the effective functioning of the government
facility
A physical setting used to serve a specific purpose. A facility may be part of a building, a whole building, or a building plus its site, or a construction that is not a building. The term encompasses both the physical object and its use (for example, weapons ranges, agriculture fields) (see Operational Security Standard on Physical Security, Appendix A).
facilities that have higher security requirements
Defined by the department’s or agency’s environmental scan (internal and external factors, potential impacts of compromise, defined threats and security controls effectiveness) and risk tolerance.
governance body
A group of officials who:
international travel
Travel whereby persons arriving in Canada are cleared through points of entry of the Canada Border Services Agency.
security assessment
The process of identifying and qualifying security-related threats, vulnerabilities and risks to support:
  • the definition of security requirements
  • the identification of security controls to reduce risks to an acceptable level
up-to-date
Within the departmental or agency time frame, as established in policy or procedure, for renewing security risk assessments, or three years in the absence of an established departmental or agency time frame.
