Information Security
Your responsibilities as a Government of Canada employee
AT THE END OF THIS MODULE YOU WILL:
• Be aware of your responsibilities with respect to information security.
• Be able to decide what protection or classification is appropriate for your information.
• Understand how to mark sensitive documents.
• Be able to make appropriate choices for the storage of sensitive materials.
• Know the appropriate methods of communication and destruction of sensitive materials.
• Understand the importance of removing or changing the level of protection or classification of information.
GENERAL RESPONSIBILITIES
• You must apply diligence and due care during the:
– Creation or collection of sensitive information;
– Use, distribution, storage and retention of sensitive information;
– Declassification/change in classification or protection of sensitive information;
– Disposal or destruction of sensitive information.
IN OTHER WORDS…
You must apply diligence and due care during the entire life cycle of sensitive information.
[Life cycle diagram: Establish sensitivity at point of creation; Use, distribute, share, store and retain; Remember to change classification / protection when appropriate; Choose disposal method appropriate to sensitive material]
SPECIFIC RESPONSIBILITIES
As the originator, or recipient, of sensitive documents you must:
1. Decide what level of protection or classification is appropriate;
2. Mark the document(s) from draft to completion;
3. Ensure documents are processed and stored according to the level of protection or classification assigned;
4. Distribute the information to others who are appropriately screened and on a need to know, need to access basis;
5. Remove or change the level of protection/classification of information when required;
6. Ensure the appropriate destruction of sensitive documents.
Responsibility #1: Deciding what level of protection or classification is appropriate
SECURITY CATEGORIES
There are two main security categories that you would apply, based on a document’s content:
Protected
• Protected C
• Protected B
• Protected A
Classified
• Top Secret
• Secret
• Confidential
CLASSIFIED
Classified refers to information that, if compromised, may cause injury to the national interest. This information could cause injury to the country.
PROTECTED
Protected refers to information that is not related to the national interest, but if compromised, may cause injury to private or other non-national interests. This information could cause injury to an individual or to a company.
CLASSIFIED (this information could cause injury to the country)
• Top Secret: extremely sensitive information related to international affairs, law enforcement investigations and intelligence matters (cause exceptionally grave injury)
• Secret: trade talks, minutes and memos to cabinet, enterprise planning, departmental input to national budget, draft legislation (cause serious injury)
• Confidential: international affairs, administrative plans, audits, negotiations between departments and partners (cause injury)
PROTECTED (this information could cause injury to an individual or to a company)
• Protected C: information about police agents and other informants (cause life threatening and/or extremely grave injury)
• Protected B: law enforcement and medical records, personnel evaluations and investigations, financial records, solicitor-client confidence (particularly sensitive, cause serious injury)
• Protected A: home addresses, dates of birth, SIN numbers, other personal information (low-sensitivity, could cause injury)
Responsibility #2: Marking your sensitive documents from draft to completion.
MARKING SENSITIVE DOCUMENTS
1. You need to mark sensitive information at the time it is created or collected.
2. You need to mark all material used in preparing sensitive documents.
3. When marking you need to include, where appropriate:
– The sensitivity level (CAPS);
– The date of creation; and
– The date or event when automatic removal of designation or change in the protection of information is to occur.
Note: Top Secret documents require a copy number and an indication of the total number of copies (e.g. copy 1 of 6). All pages should be numbered and the total number of pages shown on all pages (e.g. 1 of 3).
Example marking:
SECRET
Created: Dec. 4, 1989
Declassify: Dec. 4, 2009
4. Indicate who may, or may not, have access to the document. Access should be on a need to know basis.
5. When you create cover letters or transmittal forms you must indicate the highest level of sensitivity of all of the attachments.
At the OIC, use annex B of the IM Manual: Managing Sensitive Records.
REVIEW: MARKING SENSITIVE DOCUMENTS
1. Mark sensitive information at the time it is created or collected.
2. Mark all material used in preparing sensitive documents.
3. Markings are to include, where appropriate:
– The sensitivity level;
– The date of creation;
– The date or event when automatic removal of designation or change in the protection of information is to occur.
4. Indicate who may, or may not, have access to the document.
5. Cover letters or transmittal forms must indicate the highest level of sensitivity of the attachments.
Don’t forget to mark electronic media!
MARKING ELECTRONIC MEDIA
You should clearly record on the surface of electronic media the following information:
– Name of the organization
– Highest level of designation or protection
– Subject of the documents
– Team the documents belong to
– Custodian’s name.
Responsibility #3: Ensuring that documents are processed and stored according to the level of classification or protection assigned
ELECTRONIC PROCESSING OF SENSITIVE MATERIALS
Non-Sensitive: process, email, print
• Network PC
• Stand-alone PC
• Laptop
• Blackberry/cell
Protected A: process, email, print
• Network PC
• Stand-alone PC
• Laptop
Protected B: process, email, print
• Network PC
• Email (PKI only)
• Stand-alone PC
• Laptop
Protected C: process, print (no email)
• Stand-alone PC or Laptop
Confidential: process, print (no email)
• Stand-alone PC or Laptop
Secret: process, print (no email)
• Stand-alone PC or Laptop
Top Secret: process, print (no email)
• Stand-alone PC or Laptop
STORING ELECTRONIC SENSITIVE MATERIALS
Non-sensitive
• RDIMS
• Shared drive
• Hard drive
• Removable media, e.g., CD, jump drive
Protected A
• RDIMS
• Shared drive (limit access)
• Removable media, e.g., CD, jump drive (labeled and locked in an approved container, when not in use)
Protected B
• RDIMS
• Shared drive (limit access)
• Removable media, e.g., CD, jump drive (labeled and locked in an approved container, when not in use)
Protected C, Confidential, Secret, Top Secret
• Removable media, e.g., CD, jump drive (labeled and locked in an approved container, when not in use)
STORING NON-ELECTRONIC CLASSIFIED OR PROTECTED MATERIAL
Protected A: Approved security container, e.g., cabinet with an approved lock in an operational zone
Protected B: Approved security container, e.g., cabinet with an integrated lock in an operational zone
Protected C: Approved security container, e.g., cabinet with an integrated lock in an approved security zone (enclosed office or room with a door that can be locked)
Confidential: Approved security container, e.g., cabinet with an integrated lock in an operational zone
Secret: Dial safe in an approved security zone
Top Secret: Dial safe in an approved security zone
Responsibility #4: Distribute sensitive information to others on a need to know, need to access basis
DISTRIBUTION OF SENSITIVE DOCUMENTS
Access Criteria:
– Recipients have a requirement to know;
– Recipients hold an appropriate security clearance.
It is your responsibility to verify that the recipient of your sensitive document meets access criteria.
COMMUNICATION MODES FOR SENSITIVE DOCUMENTS
Non-sensitive
• Regular phone and fax
• Email
• Blackberry and cell phone
Protected A
• Regular phone and fax
• Email
Protected B
• Regular phone and fax
• Email (PKI only)
Protected C
• Regular phone
• Secure fax
(No email)
Confidential, Secret, Top Secret
• Secure phone
• Secure fax
(No email)
TRANSMITTAL OF SENSITIVE DOCUMENTS
Paper documents that are sensitive should be handled with discretion and common sense, applying such principles as:
– Markings and caveats should be used to caution others about the sensitivity of the material;
– Mail should be addressed “to be opened only by…”;
– Double envelope with security markings on inner envelope only – for Secret, Top Secret and Protected C;
– Phone ahead when sending sensitive faxes.
OIC NETWORK
Information with a designation higher than Protected B should not be sent via email, saved on network shared drives or in RDIMS.
Note: Protected B information can be sent over the network using PKI.
Responsibility #5: Removing or changing the level of protection or classification of information when required
DECLASSIFICATION VERSUS DOWNGRADING
Declassification: removal of sensitivity rating.
Downgrading: reducing level of sensitivity rating (e.g. from Secret to Confidential).
DECLASSIFICATION AND DOWNGRADING
• Protected information will lose its sensitivity:
– over time; or
– with the occurrence of specific events (e.g. scientific data when published loses its protected status).
• Declassification or downgrading can be effected through:
– date or special event triggers;
– an automatic expiry date (Note: automatic expiry does not apply to Top Secret or Protected C);
– originating authors;
– managers (in originating office).
• You should systematically review your sensitive materials with the intent of declassifying or downgrading them as appropriate.
Responsibility #6: Ensure the appropriate destruction of sensitive documents
DESTRUCTION OF SENSITIVE DOCUMENTS
Protected A
• Paper: Classified waste disposal or destroy in approved cross-cut shredder
• Electronic: Delete from media
Protected B
• Paper: Classified waste disposal or destroy in approved cross-cut shredder
• Electronic: Delete from media and re-format drive
Protected C
• Paper: Classified waste disposal or destroy in approved cross-cut shredder
• Electronic: Degauss media
Confidential, Secret, Top Secret
• Paper: Destroy in approved cross-cut shredder
• Electronic: Degauss and physically destroy media
Degauss: A process by which a computer hard drive is unformatted by randomly scrambling the bits on the drive.
REVIEW: INFORMATION SECURITY
As the originator of sensitive documents or the recipient of sensitive documents sent by the public, you must:
1. Decide what level of protection or classification is appropriate;
2. Mark the document(s) from draft to completion;
3. Ensure documents are processed and stored according to the level of protection or classification assigned;
4. Distribute the information to others who are appropriately screened and on a need to know, need to access basis;
5. Remove or change the level of protection and classification of information when required;
6. Ensure the appropriate destruction of sensitive documents.
In closing… Some guiding principles of information security
GUIDING PRINCIPLES OF INFORMATION SECURITY:
• Security classification flows with the information:
– Originator decides on level of security;
– Receiver must accept the assigned classification.
– Note: Information received from the public must be assessed and assigned either a protected or classified level where appropriate.
• When incorporating information into existing classified/protected documents or other media, ensure that the new document is also classified at the level of the highest document in the file or storage device.
• A package of information is “marked” based on the document with the highest classification.
• Sensitive information should be reviewed periodically with the intent of “declassifying” or “downgrading” when appropriate.
• Over-classification must be avoided – it is costly and it minimizes the potential uses of the information.
CONGRATULATIONS!
• You have just completed Information Security – an IM self-study module.
– You may now test your knowledge with the following quiz.
• Review other IM self-study modules in this series:
– Information Management 101
– Managing Email Effectively
– Records Management and You!
– IM and the Departing Employee
– Privacy and Personal Information – What Canadians Expect
– Understanding IM Within the Federal Government
