Policy on Government Security
Provides direction to manage government security in support of the trusted delivery of GC programs and services, the protection of information, individuals and assets, and provides assurance to Canadians, partners, oversight bodies and other stakeholders regarding security management in the GC.
Date modified: 2019-07-01
Supporting tools
Directive:
- Identity Management, Directive on
- Security Management, Directive on
Archives
This policy replaces:
- Government Security Policy [2009-07-06]
- Government Security, Policy on [2012-03-31]
- Government Security, Policy on [2019-06-28]
Note to reader
The Policy on Government Security took effect on July 1, 2019. It replaced the Policy on Government Security that was in effect from July 1, 2009 to June 30, 2019.
1. Effective date
- 1.1 This policy takes effect on July 1, 2019.
- 1.2 This policy replaces the Policy on Government Security, dated July 1, 2009.
- 1.3 Transitional considerations:
- 1.3.1 Subsection 4.1.5 of this policy will take effect on July 1, 2019, or on the scheduled date for the renewal of the department’s security plan, whichever is later.
2. Authorities
- 2.1 This policy is issued pursuant to section 7 of the Financial Administration Act.
- 2.2 The Treasury Board has delegated to the President of the Treasury Board the authority to amend and rescind directives related to this policy, including standards, mandatory procedures and other appendices.
3. Objectives and expected results
- 3.1 The objectives of this policy are as follows:
- 3.1.1 To effectively manage government security controls in support of the trusted delivery of Government of Canada programs and services and in support of the protection of information, individuals and assets; and
- 3.1.2 To provide assurance to Canadians, partners, oversight bodies and other stakeholders regarding security management in the Government of Canada.
- 3.2.1 Governance of government security controls within departments, with partners and across government will be effective, by fulfilling specified functions and successfully producing the intended result;
- 3.2.2 Access to advice, guidance and services, including secure internal enterprise services, will be enabled;
- 3.2.3 Deputy heads and central agencies will have and share information needed for informed decision-making on government security priorities and resources;
- 3.2.4 Risk-based and standardized security practices and controls will be implemented, monitored and maintained; and
- 3.2.5 Management of security events will be coordinated to enable adaptation to a dynamic threat environment.
4. Requirements
- 4.1 Deputy heads are responsible for the following:
- 4.1.1 Designating a chief security officer responsible to the deputy head or to the departmental executive committee to provide leadership, coordination and oversight for departmental security management activities;
- 4.1.2 Establishing the department’s security governance, including responsibilities for security controls and authorities for security risk management decisions;
- 4.1.3 Ensuring that their authority to deny, revoke or suspend security clearances is not delegated;
- 4.1.4 Identifying security and identity management requirements for all departmental programs and services, considering potential impacts on internal and external stakeholders;
- 4.1.5 Approving a three-year departmental security plan that is reviewed annually, sets out strategies for meeting departmental security requirements reflective of and contributing to government-wide security priorities, and addresses the security controls described in Appendix A;
- 4.1.6 Reviewing any residual security risk that exceeds established authorities for security risk management decisions;
- 4.1.7 Ensuring that security incidents and other security events are assessed, investigated, documented, acted on and reported to the appropriate authority and to affected stakeholders;
- 4.1.8 Responding to direction, advice and information requests issued by the Treasury Board of Canada Secretariat and the Privy Council Office regarding security events that require an immediate or coordinated government-wide action;
- 4.1.9 Establishing a written agreement when the department relies on or supports another department or organization to achieve government security objectives (see subsection 6.3 of this policy for application of this requirement); and
- 4.1.10 Investigating and acting when significant issues regarding policy compliance arise, and ensuring that appropriate remedial action is taken to address these issues.
- 4.2.1 Establishing governance, including designating one or more senior officials, to oversee security considerations in the provision of internal enterprise services;
- 4.2.2 Liaising with client departments and the Treasury Board of Canada Secretariat when identifying security requirements for internal enterprise services;
- 4.2.3 Examining and acting on issues regarding fulfillment of security requirements with affected stakeholders;
- 4.2.4 Conducting periodic reviews (every three years at a minimum) to assess the extent to which the services provided meet government-wide security needs; and
- 4.2.5 Investigating and acting when significant issues regarding policy compliance arise, and ensuring that appropriate remedial action is taken to address these issues.
- 4.3.1 Designating a senior official or officials to oversee their lead security agency activities under this policy;
- 4.3.2 Consulting with the government-wide security policy governance when identifying priorities for their lead security agency activities;
- 4.3.3 Exercising leadership and providing departments with advice and guidance on government security, in accordance with section 5 of this policy and the following general responsibilities:
- 4.3.3.1 Participating in government-wide security policy governance to assist in setting direction and priorities that align with national security objectives and other government priorities;
- 4.3.3.2 Providing advice to departments, and developing technical and operational guidance to support departments in policy implementation, in accordance with their mandate and in consultation with the Treasury Board of Canada Secretariat and the government-wide security policy governance;
- 4.3.3.3 Consulting with the Treasury Board of Canada Secretariat, Global Affairs Canada and other relevant lead security agencies and stakeholders when developing international agreements, treaties or other instruments that could potentially affect government-wide security management practices;
- 4.3.3.4 Participating in the analysis of threats, vulnerabilities, risks and security events; and sharing related findings with relevant stakeholders; and
- 4.3.3.5 Providing expertise and support for the development of Government of Canada security awareness and training curricula.
- 4.4.1 Establishing government-wide security policy governance to set strategic direction and priorities and coordinating security priorities, plans and activities government-wide;
- 4.4.2 Representing government-wide security needs in security governance for internal enterprise services;
- 4.4.3 Liaising with deputy heads and other senior officials on security issues, including security events that have potential government-wide impacts;
- 4.4.4 Liaising with other lead security agencies on matters of national security and emergency management; and
- 4.4.5 Establishing measures that support the capacity and development of the security functional community.
5. Roles of other government organizations
- 5.1 This section identifies key government organizations in relation to this policy. In and of itself, this section does not confer any authority.
- 5.2 This section identifies lead security agencies and/or internal enterprise service organizations that have a leadership and support role in relation to this policy and contribute to the achievement of government security policy objectives. The responsibilities of each organization are identified, in accordance with its mandate, including the principal internal enterprise services provided.
- 5.3 The Canadian Security Intelligence Service is responsible for the following:
- 5.3.1 Providing government-wide services in security screening;
- 5.3.2 Fulfilling government-wide functions by investigating and analyzing threats to the security of Canada and by providing related reporting and advice to the Government of Canada; and
- 5.3.3 Maintaining a central registry for the retention of forms that designate persons permanently bound to secrecy under the Security of Information Act.
- 5.4.1 Serving as the lead technical authority for information technology (IT) security, including the provision of leadership, advice, services and guidance for technical matters related to IT security;
- 5.4.2 Helping to ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada;
- 5.4.3 Fulfilling the following government-wide functions:
- 5.4.3.1 Identifying emerging cyber threats;
- 5.4.3.2 Defending government networks and systems; and
- 5.4.3.3 Protecting against, and mitigating potential impacts of, cyber security events;
- 5.5.1 Fulfilling government-wide functions for scientific and technological security research, defence intelligence, and investigation of security threats to military systems;
- 5.5.2 Providing support to departments in relation to the protection of Government of Canada officials outside Canada, cyber security, and the provision of other security-related services;
- 5.5.3 Providing support to Public Safety Canada in relation to the continuity of constitutional government and domestic counterterrorism;
- 5.5.4 Serving as Canada’s National Distribution Authority for NATO (North Atlantic Treaty Organization); and
- 5.5.5 Serving as Canada’s national authority for Talent-Keyhole (TK) information.
- 5.6.1 Providing leadership, advice and guidance regarding security at missions abroad, and conducting Canada’s international relations on matters related to government security;
- 5.6.2 Fulfilling government-wide functions related to security developments abroad, and providing services to departments abroad to ensure security at missions; and
- 5.6.3 Serving as Canada’s National Security Authority for NATO.
- 5.7.1 Establishing policy direction for the security of Cabinet confidences;
- 5.7.2 Fulfilling the following government-wide functions:
- 5.7.2.1 Ensuring that national security objectives are reflected in government-wide security policy governance;
- 5.7.2.2 Providing advice and guidance on implementing security readiness levels in emergency and increased threat situations; and
- 5.7.2.3 Providing strategic leadership to coordinate responses to operational security matters facing the government that are of national, intergovernmental or international importance; and
- 5.8.1 Providing leadership, technical advice and guidance for matters related to business continuity management;
- 5.8.2 Providing operational leadership for the coordination, information sharing and situational awareness relating to security events involving multiple federal departments or agencies that may have government-wide, intergovernmental, critical infrastructure or national impacts;
- 5.8.3 Providing leadership in establishing the necessary arrangements for the continuity of constitutional government in the event of an emergency; and
- 5.8.4 Leading coordination and strategic policy-making on national security and national cyber security matters.
- 5.9.1 Providing leadership, advice and guidance for matters related to contract security;
- 5.9.2 Supporting and fulfilling government-wide functions for issuing personal record identifiers (PRI) to departments and agencies and individual agency numbers (IAN) to agencies outside the federal public service, and maintaining the PRI and IAN systems;
- 5.9.3 Providing emergency procurement and emergency accommodation, and providing security services to help ensure the protection of sensitive information entrusted to Canadian and foreign industry;
- 5.9.4 Providing internal enterprise services for contract security, base building security for general-purpose office facilities under its custodial responsibility, and IT security in support of providing and managing certain government-wide applications; and
- 5.9.5 Serving as the government’s national authority for industrial security, and in this capacity, serving as Canada’s Designated Security Authority for NATO.
- 5.10.1 Providing leadership, advice and guidance for matters related to physical security;
- 5.10.2 Fulfilling government-wide functions related to criminal threat intelligence and criminal investigations; and
- 5.10.3 Providing government-wide services related to security screening, technical surveillance countermeasures, and safeguarding of designated persons.
- 5.11.1 Planning, designing, building, operating and maintaining effective, efficient and responsive enterprise IT security infrastructure services to secure Government of Canada data and systems under its responsibility.
- 5.12.1 Establishing and overseeing a whole-of-government approach to security management as a key component of all management activities by ensuring the conduct of periodic reviews of the effectiveness of security support services, to provide assurance that they continue to meet the needs of the government as a whole;
- 5.12.2 Providing policy leadership, advice and guidance for all matters related to government security;
- 5.12.3 Providing strategic policy oversight and coordination for the management of security events that may affect the government as a whole.
6. Application
- 6.1 The Policy on Government Security and its supporting instruments apply to departments as defined in section 2 and entities included in Schedules IV and V of the Financial Administration Act (FAA), unless excluded by specific acts, regulations or orders in council.
- 6.2 The heads of the following organizations are solely responsible for monitoring and ensuring compliance with this policy within their organizations:
- Office of the Auditor General of Canada
- Office of the Chief Electoral Officer
- Office of the Commissioner of Lobbying of Canada
- Office of the Commissioner of Official Languages
- Office of the Information Commissioner of Canada
- Office of the Privacy Commissioner of Canada
- Office of the Public Sector Integrity Commissioner of Canada
7. Consequences of non-compliance
- 7.1 For an outline of the consequences of non‑compliance, refer to the Framework for Management of Compliance (Appendix C: Consequences for Institutions and Appendix D: Consequences for Individuals).
8. References
- 8.1 Legislation
- Access to Information Act
- Canada Labour Code
- Canada Occupational Health and Safety Regulations
- Canadian Charter of Rights and Freedoms
- Criminal Code
- Emergency Management Act
- Financial Administration Act
- Official Languages Act
- Privacy Act
- Public Service Employment Act
- Federal Public Sector Labour Relations and Employment Board Act
- Security of Information Act
- Security of Canada Information Sharing Act
- Contracting Policy
- Foundation Framework for Treasury Board Policies
- Framework for the Management of Compliance
- Framework for the Management of Risk
- Policy on Information Management
- Policy on Investment Planning: Assets and Acquired Services
- Policy on Management of Information Technology
- Policy on Management of Materiel
- Policy on the Management of Projects
- Policy on Management of Real Property
- Policy on Occupational Safety and Health
- Policy on Results
- Policy on Service
- Values and Ethics Code for the Public Sector