Designing an optimal Data Flow Diagram

Posted by Rob Hartman
June 18th, 2020 in Docs

This document outlines the IT Security requirements for the Department’s current contract # (enter number) with (company name) for the processing of sensitive data up to and including the level of (enter level). In the absence of a formal Threat-Risk Assessment (TRA), and because the IT portion of the Security clearance is contract specific, the intent of this document is to state the minimum safeguards required in order that the processing of sensitive information be approved by the Department’s IT Security

Security is based upon layers of protection; that is, in order for the IT Security (ITS) requirements to effectively safeguard the information, they must be preceded and supported by other aspects of security and the associated policies. The physical, personnel and information security safeguards in accordance with the Policy on Government Security and ITS-related Standards must exist prior to the implementation of ITS safeguards.

2. Mandatory Prerequisites

2.1. Public Services and Procurement Canada Validation for Physical Security

The application of the security safeguards listed in this document is based on the mandatory requirement that the physical premises have been inspected, certified and accredited to process and store sensitive information by the Canadian Industrial Security Directorate (CISD), Public Works and Government Services. The Departmental Security Officer’s (DSO) office will validate the certification and notify the ITSC.

A CISD Field Industrial Security Officer (FISO) will perform a bi-annual inspection to ensure that the premises’ PSPC certification is maintained.

2.2. Personnel Security

All personnel who have access to the material being processed must hold a valid Government of Canada security clearance at the appropriate level (dictated by the sensitivity of the material) and have the “need to know”.

All (company name) personnel handling (department name) Government of Canada sensitive information must attend a training/briefing session coordinated and delivered by the (department name) DSO and ITSC.

Code Sample

await setupComponentForTest();
fixture.detectChanges();
await Promise.resolve(); // <--- CODE SMELL!
fixture.detectChanges();

All hard copy documents and other media formats must be handled and transported in accordance with Government of Canada guidelines. All hard copy documents and other media will be marked with the appropriate security classification as provided by (Department name). Any covering letter, transmittal form or circulation slip will be marked to indicate the highest level of classification of the attachments.

Transportation of information associated with this contract into or out of the physical premises must adhere to RCMP G1-009 “Transport and Transmittal of Protected and Classified Information”. (company name) personnel may only transport documents associated with a (Department name) contract into or out of the security zone with the approval of the (department name) DSO.

2.4. Security Policy Compliance Monitoring

On a frequency to be determined by the Safety, Security and Emergency Management Division (SSEMD), the (Department name) retains the right to conduct inspections of the (company name) facility to ensure compliance with Government of Canada standards and policies with respect to the handling, storage and processing of sensitive information.

3. Minimum Information Technology Security Requirements

3.1. IT Security Policy Compliance and Monitoring

On a frequency to be determined by Technology Services Division/Information Technology Security, the (Department name) retains the right to conduct inspections of the (company name, if known) facility to ensure compliance with Government of Canada standards and policies with respect to prevention, detection, response and recovery requirements in the Operational Security Standard: Management of Information Technology Security.

3.2. Adherence to Government of Canada Policies

All information technology related operations must adhere to the overall requirements outlined in the Operational Security Standard: Management of Information Technology Security, specifically sections 16-18, which refer to prevention, detection, response and recovery.

3.2.1 Prevention

Prevention safeguards protect the confidentiality, integrity, and availability of information and IT assets.

3.2.1.1 Physical Security within the Information Technology Security Environment

(Company name, if known) will provide the (department name) ITSC with the list of physical safeguards implemented in the facility used to process and store sensitive information. All equipment processing sensitive information is to reside in a security zone as per (Guide number) Guide to the Application of Physical Security Zones.

The equipment within the security zone, which is used to process the sensitive information, must be either standalone or on an ‘island’ network (self-contained, used for the purposes of processing the information related to the contract and have no external connection to the internet or other network, internal or otherwise).

The island network must only be used for the processing and storage of information related to contracts with the (department name) and no other party.

The use of wireless technology for the processing of sensitive information is prohibited.
