information security
TRANSCRIPT
AT THE END OF THIS MODULE YOU WILL:
• Be aware of your responsibilities with respect to information security.
• Be able to decide what protection or classification is appropriate for your information.
• Understand how to mark sensitive documents.
• Be able to make appropriate choices for the storage of sensitive materials.
• Know the appropriate methods of communication and destruction of sensitive materials.
• Understand the importance of removing or changing the level of protection or classification of information.
GENERAL RESPONSIBILITIES
• You must apply diligence and due care during the:
– Creation or collection of sensitive information;
– Use, distribution, storage and retention of sensitive information;
– Declassification/change in classification or protection of sensitive information;
– Disposal or destruction of sensitive information.
IN OTHER WORDS…
You must apply diligence and due care during the entire life cycle of sensitive information:
– Establish sensitivity at point of creation;
– Use, distribute, share, store and retain;
– Remember to change classification / protection when appropriate;
– Choose a disposal method appropriate to the sensitive material.
SPECIFIC RESPONSIBILITIES
As the originator, or recipient, of sensitive documents you must:
1. Decide what level of protection or classification is appropriate;
2. Mark the document(s) from draft to completion;
3. Ensure documents are processed and stored according to the level of protection or classification assigned;
4. Distribute the information to others who are appropriately screened and on a need to know, need to access basis;
5. Remove or change the level of protection/classification of information when required;
6. Ensure the appropriate destruction of sensitive documents.
SECURITY CATEGORIES
There are two main security categories that you would apply, based on a document’s content:
Protected: • Protected C • Protected B • Protected A
Classified: • Top Secret • Secret • Confidential
CLASSIFIED
Classified refers to information that, if compromised, may cause injury to the national interest. This information could cause injury to the country.
PROTECTED
Protected refers to information that is not related to the national interest, but if compromised, may cause injury to private or other non-national interests. This information could cause injury to an individual or to a company.
CLASSIFIED (this information could cause injury to the country)
Top Secret – extremely sensitive information related to international affairs, law enforcement investigations and intelligence matters (compromise could cause exceptionally grave injury)
Secret – trade talks, minutes and memos to cabinet, enterprise planning, departmental input to national budget, draft legislation (compromise could cause serious injury)
Confidential – international affairs, administrative plans, audits, negotiations between departments and partners (compromise could cause injury)
PROTECTED (this information could cause injury to an individual or to a company)
Protected C – information about police agents and other informants (compromise could cause life-threatening and/or extremely grave injury)
Protected B – law enforcement and medical records, personnel evaluations and investigations, financial records, solicitor-client confidence (particularly sensitive; compromise could cause serious injury)
Protected A – home addresses, dates of birth, SIN numbers, other personal information (low sensitivity; compromise could cause injury)
MARKING SENSITIVE DOCUMENTS
1. You need to mark sensitive information at the time it is created or collected.
2. Mark all material used in preparing sensitive documents.
3. When marking you need to include, where appropriate:
– The sensitivity level (CAPS);
– The date of creation; and
– The date or event when automatic removal of designation or change in the protection of information is to occur.
Note: Top Secret documents require a copy number and an indication of the total number of copies (e.g. copy 1 of 6). All pages should be numbered and the total number of pages shown on all pages (e.g. 1 of 3).
Example marking:
SECRET
Created: Dec. 4, 1989
Declassify: Dec. 4, 2009
4. Indicate who may, or may not, have access to the document. Access should be on a need to know basis.
5. When you create cover letters or transmittal forms you must indicate the highest level of sensitivity of all of the attachments.
REVIEW: MARKING SENSITIVE DOCUMENTS
1. Mark sensitive information at the time it is created or collected.
2. Mark all material used in preparing sensitive documents.
3. Markings are to include, where appropriate:
– The sensitivity level;
– The date of creation;
– The date or event when automatic removal of designation or change in the protection of information is to occur.
4. Indicate who may, or may not, have access to the document.
5. Cover letters or transmittal forms must indicate the highest level of sensitivity of the attachments.
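The marking rules above can be turned into a small, checkable routine. The following is an added example and not part of the training module: it produces the header lines (level in CAPS, creation date, declassification date or event, the copy number that Top Secret requires, and an access note), the "1 of 3" page footer, and the level a cover letter must carry (the highest among its attachments). The level names are the module's; the SensitiveDocument record, the function names, the date format and the single ranking across both categories are this example's assumptions.

```python
# Added example (not part of the training module): building the marking block the
# slides describe. Level names are the module's own; class and function names,
# the date format and the "Copy x of y" wording are this example's assumptions.
from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, List, Optional

# Assumption: one ranking across both categories, used only to pick the
# "highest" level among a set of attachments for a cover letter.
LEVELS = ["Protected A", "Protected B", "Protected C",
          "Confidential", "Secret", "Top Secret"]


def rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown sensitivity level: {level!r}")
    return LEVELS.index(level)


def highest(levels: Iterable[str]) -> str:
    return max(levels, key=rank)


def fmt_date(d: date) -> str:
    # "Dec. 4, 1989", matching the sample marking in the slides.
    return f"{d.strftime('%b')}. {d.day}, {d.year}"


@dataclass
class SensitiveDocument:
    title: str
    level: str
    created: date
    pages: int
    declassify_on: Optional[date] = None      # date trigger
    declassify_event: Optional[str] = None    # event trigger (used when no date is set)
    copy_number: Optional[int] = None         # Top Secret only
    total_copies: Optional[int] = None        # Top Secret only
    access: List[str] = field(default_factory=list)  # who may see the document


def header_lines(doc: SensitiveDocument) -> List[str]:
    """Marking lines for the first page: level in CAPS, creation date,
    declassification trigger, copy number (Top Secret) and access note."""
    rank(doc.level)  # reject unknown levels before producing any marking
    lines = [doc.level.upper(), f"Created: {fmt_date(doc.created)}"]
    if doc.declassify_on is not None:
        lines.append(f"Declassify: {fmt_date(doc.declassify_on)}")
    elif doc.declassify_event:
        lines.append(f"Declassify: upon {doc.declassify_event}")
    if doc.level == "Top Secret":
        # Slides: Top Secret requires "copy 1 of 6" style numbering.
        if doc.copy_number is None or doc.total_copies is None:
            raise ValueError("Top Secret documents need a copy number and total copies")
        lines.append(f"Copy {doc.copy_number} of {doc.total_copies}")
    if doc.access:
        lines.append("Access: " + ", ".join(doc.access))
    return lines


def page_footer(doc: SensitiveDocument, page: int) -> str:
    """'1 of 3' style footer; every page carries the total page count."""
    if not 1 <= page <= doc.pages:
        raise ValueError("page out of range")
    return f"{page} of {doc.pages}"


def cover_letter_level(attachments: Iterable[SensitiveDocument]) -> str:
    """Cover letters and transmittal forms carry the highest level among the attachments."""
    return highest(a.level for a in attachments)


if __name__ == "__main__":
    memo = SensitiveDocument("Trade talks brief", "Secret", date(1989, 12, 4), 3,
                             declassify_on=date(2009, 12, 4))
    print("\n".join(header_lines(memo)))
    print(page_footer(memo, 1))
```

Running the block prints the same three header lines as the sample marking on the slide followed by the footer "1 of 3"; asking for a Top Secret header without a copy number raises an error rather than producing an incomplete marking.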
MARKING ELECTRONIC MEDIA
You should clearly record on the surface of electronic media the following information:
– Name of the organization;
– Highest level of designation or protection;
– Subject of the documents;
– Team the documents belong to;
– Custodian’s name.
Responsibility #3
Ensuring that documents are processed and stored according to the level of classification or protection assigned
ELECTRONIC PROCESSING OF SENSITIVE MATERIALS
Non-Sensitive – process, email, print: • Network PC • Stand-alone PC • Laptop • Blackberry/cell
Protected A – process, email, print: • Network PC • Stand-alone PC • Laptop
Protected B – process, email (PKI only), print: • Network PC • Stand-alone PC • Laptop
Protected C – process, print (no email): • Stand-alone PC or Laptop
Confidential – process, print (no email): • Stand-alone PC or Laptop
Secret – process, print (no email): • Stand-alone PC or Laptop
Top Secret – process, print (no email): • Stand-alone PC or Laptop
STORING ELECTRONIC SENSITIVE MATERIALS
Non-sensitive: • RDIMS • Shared drive • Hard drive • Removable media, e.g., CD, jump drive
Protected A: • RDIMS • Shared drive (limit access) • Removable media, e.g., CD, jump drive (labeled and locked in an approved container when not in use)
Protected B: • RDIMS • Shared drive (limit access) • Removable media, e.g., CD, jump drive (labeled and locked in an approved container when not in use)
Protected C: • Removable media, e.g., CD, jump drive (labeled and locked in an approved container when not in use)
Confidential: • Removable media, e.g., CD, jump drive (labeled and locked in an approved container when not in use)
Secret: • Removable media, e.g., CD, jump drive (labeled and locked in an approved container when not in use)
Top Secret: • Removable media, e.g., CD, jump drive (labeled and locked in an approved container when not in use)
STORING NON-ELECTRONIC CLASSIFIED OR PROTECTED MATERIAL
Protected A
Approved security container, e.g., cabinet with an approved lock in an operational zone
Protected B
Approved security container, e.g., cabinet with an integrated lock in an operational zone
Protected C
Approved security container, e.g., cabinet with an integrated lock in an approved security zone (enclosed office or room with a door that can be locked)
Confidential
Approved security container, e.g., cabinet with an integrated lock in an operational zone
Secret
Dial safe in an approved security zone
Top Secret
Dial safe in an approved security zone
Responsibility #4
Distribute sensitive information to others on a need to know, need to access basis
DISTRIBUTION OF SENSITIVE DOCUMENTS
Access Criteria:
– Recipients have a requirement to know;
– Recipients hold an appropriate security clearance.
It is your responsibility to verify that the recipient of your sensitive document meets access criteria.
COMMUNICATION MODES FOR SENSITIVE DOCUMENTS
Non-sensitive: • Regular phone and fax • Email • Blackberry and cell phone
Protected A: • Regular phone and fax
Protected B: • Regular phone and fax • Email (PKI only)
Protected C: • Regular phone • Secure fax (no email)
Confidential: • Secure phone • Secure fax (no email)
Secret: • Secure phone • Secure fax (no email)
Top Secret: • Secure phone • Secure fax (no email)
TRANSMITTAL OF SENSITIVE DOCUMENTS
Paper documents that are sensitive should be handled with discretion and common sense, applying such principles as:
– Markings and caveats should be used to caution others about the sensitivity of the material;
– Mail should be addressed “to be opened only by…”;
– Double envelope with security markings on the inner envelope only – for Secret, Top Secret and Protected C;
– Phone ahead when sending sensitive faxes.
OIC NETWORK
Information with a designation higher than Protected B should not be sent via email, saved on network shared drives or in RDIMS.
Note: Protected B information can be sent over the network using PKI.
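The access criteria, the communication-modes table, the transmittal principles and the OIC network rule above combine into a single check a sender can run before releasing a package. The following is an added example and not part of the training module. It takes the levels of the items in a package, the intended recipients and the intended channel, and reports every rule the plan breaks: the package is handled at the highest level of its contents, each recipient needs both a requirement to know and a sufficient clearance, and the channel must appear in the communication-modes table for that level. Level and channel names follow the slides; note that the electronic-processing slide also lists email for Protected A while the communication-modes slide does not, and this block follows the stricter communication-modes table. The Recipient record, the clearance model (a recipient's clearance is expressed as the highest level they may receive), the "mail" channel for paper transmittal and all function names are this example's assumptions.

```python
# Added example (not part of the training module): pre-release check of a distribution plan
# against the module's access criteria, communication-modes table, transmittal principles
# and OIC network rule. Level and channel names follow the slides; the Recipient record,
# the clearance model and the function names are this example's assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumption: one ranking across both categories, used to pick a package's highest level
# and to compare a recipient's clearance against it.
LEVELS = ["Non-sensitive", "Protected A", "Protected B", "Protected C",
          "Confidential", "Secret", "Top Secret"]

# Transcribed from the "Communication modes for sensitive documents" slide.
# "email (PKI)" is email protected with PKI, the only email permitted at Protected B.
CHANNELS: Dict[str, Set[str]] = {
    "Non-sensitive": {"regular phone", "regular fax", "email", "blackberry", "cell phone"},
    "Protected A":   {"regular phone", "regular fax"},
    "Protected B":   {"regular phone", "regular fax", "email (PKI)"},
    "Protected C":   {"regular phone", "secure fax"},
    "Confidential":  {"secure phone", "secure fax"},
    "Secret":        {"secure phone", "secure fax"},
    "Top Secret":    {"secure phone", "secure fax"},
}

DOUBLE_ENVELOPE = {"Secret", "Top Secret", "Protected C"}   # transmittal slide
NETWORK_SERVICES = {"email", "shared drive", "RDIMS"}       # OIC network slide


def rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown sensitivity level: {level!r}")
    return LEVELS.index(level)


def package_level(item_levels: Iterable[str]) -> str:
    """A package is marked and handled at the level of its most sensitive item."""
    return max(item_levels, key=rank)


@dataclass
class Recipient:
    name: str
    clearance: str      # highest level this person may receive (assumption)
    need_to_know: bool  # established by the sender for this specific package


def check_distribution(item_levels: Iterable[str], recipients: Iterable[Recipient],
                       channel: str) -> List[str]:
    """Return the list of rule violations; an empty list means the plan is acceptable."""
    level = package_level(item_levels)
    problems = []
    if channel not in CHANNELS[level]:
        problems.append(f"{channel!r} is not an approved communication mode for {level}")
    for r in recipients:
        if not r.need_to_know:
            problems.append(f"{r.name}: no requirement to know")
        if rank(r.clearance) < rank(level):
            problems.append(f"{r.name}: clearance {r.clearance} is below {level}")
    return problems


def network_permitted(level: str, service: str, pki: bool = False) -> bool:
    """OIC network rule: above Protected B nothing goes by email, shared drive or RDIMS.
    Email follows the communication-modes table, where PKI turns it into 'email (PKI)'."""
    if service not in NETWORK_SERVICES:
        raise ValueError(f"unknown network service: {service!r}")
    if rank(level) > rank("Protected B"):
        return False
    if service == "email":
        return ("email (PKI)" if pki else "email") in CHANNELS[level]
    return True


def transmittal_steps(level: str, channel: str) -> List[str]:
    """Handling steps from the transmittal slide for paper mail and for faxes."""
    rank(level)
    steps = []
    if channel == "mail":  # assumption: paper mail is available at every level
        steps += ["apply markings and caveats so others know the sensitivity",
                  'address the mail "to be opened only by..." the named recipient']
        if level in DOUBLE_ENVELOPE:
            steps.append("use a double envelope, security markings on the inner envelope only")
    if "fax" in channel:
        steps.append("phone ahead before sending the fax")
    return steps


if __name__ == "__main__":
    plan = check_distribution(["Protected A", "Protected B"],
                              [Recipient("Ana", "Protected B", True)], "email")
    print(plan or "plan acceptable")   # constructed sample: fails, Protected B needs PKI email
```

The sample run in the block fails only on the channel: a Protected A attachment travelling with a Protected B one makes the package Protected B, and plain email is not an approved mode at that level, whereas "email (PKI)" is.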
Responsibility #5
Removing or changing the level
of protection or classification of information when required
DECLASSIFICATION VERSUS DOWNGRADING
Declassification: removal of sensitivity rating
Downgrading: reducing level of sensitivity rating (e.g. from Secret to Confidential)
DECLASSIFICATION AND DOWNGRADING
• Protected information will lose its sensitivity:
– over time; or
– with the occurrence of specific events (e.g. scientific data, when published, loses its protected status).
• Declassification or downgrading can be effected through:
– date or special event triggers;
– an automatic expiry date (Note: automatic expiry does not apply to Top Secret or Protected C);
– originating authors;
– managers (in originating office).
• You should systematically review your sensitive materials with the intent of declassifying or downgrading them as appropriate.
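The declassification and downgrading triggers above lend themselves to a periodic review routine. The following is an added example and not part of the training module: each holding carries a marking with an optional automatic expiry date, an optional trigger event and an optional downgrade target, and review() applies the slide's rules at a review date. An expired date alone declassifies or downgrades the holding, except for Top Secret and Protected C, which are flagged for manual review because automatic expiry does not apply to them; an event trigger acts at any level; and a decision recorded by the originating author or a manager overrides both. Level names are the module's; the Marking record, the rule that a downgrade must land on a lower level in the same category (Secret to Confidential, as in the slide's example), and all function names are this example's assumptions.

```python
# Added example (not part of the training module): a periodic review routine that applies
# the declassification and downgrading triggers listed in the slides. Level names are the
# module's; the Marking record, the same-category downgrade rule and the function names
# are this example's assumptions.
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

CLASSIFIED = ["Confidential", "Secret", "Top Secret"]    # lowest to highest
PROTECTED = ["Protected A", "Protected B", "Protected C"]
NO_AUTOMATIC_EXPIRY = {"Top Secret", "Protected C"}      # slides: expiry date may not act alone

UNDECIDED = object()  # sentinel: no originator/manager decision has been recorded

Outcome = Tuple[str, Optional[str]]  # (action, resulting level; None once declassified)


@dataclass
class Marking:
    title: str
    level: str
    created: date
    expires: Optional[date] = None        # automatic expiry date, if any
    trigger_event: Optional[str] = None   # e.g. "publication of the dataset"
    downgrade_to: Optional[str] = None    # target level at the trigger; None = declassify


def category(level: str) -> List[str]:
    for chain in (CLASSIFIED, PROTECTED):
        if level in chain:
            return chain
    raise ValueError(f"unknown level: {level!r}")


def check_target(current: str, target: Optional[str]) -> None:
    """A downgrade must land on a lower level in the same category; None means declassify."""
    chain = category(current)
    if target is None:
        return
    if target not in chain or chain.index(target) >= chain.index(current):
        raise ValueError(f"cannot downgrade {current} to {target}")


def review(marking: Marking, today: date,
           events_occurred: FrozenSet[str] = frozenset(), decision=UNDECIDED) -> Outcome:
    """Apply the triggers to one holding.

    action is 'none', 'declassify', 'downgrade' or 'manual review'.
    decision is a level chosen by the originating author or a manager, or None for
    full declassification; it takes precedence over date and event triggers."""
    if decision is not UNDECIDED:
        check_target(marking.level, decision)
        return ("declassify", None) if decision is None else ("downgrade", decision)

    triggered = marking.trigger_event is not None and marking.trigger_event in events_occurred
    if marking.expires is not None and today >= marking.expires:
        if marking.level in NO_AUTOMATIC_EXPIRY and not triggered:
            # The date alone cannot act for Top Secret or Protected C: a person must decide.
            return ("manual review", marking.level)
        triggered = True
    if not triggered:
        return ("none", marking.level)

    check_target(marking.level, marking.downgrade_to)
    if marking.downgrade_to is None:
        return ("declassify", None)
    return ("downgrade", marking.downgrade_to)


def review_all(markings: List[Marking], today: date,
               events_occurred: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, Optional[str]]]:
    """Systematic review: every holding whose marking should change or be looked at."""
    findings = []
    for m in markings:
        action, new_level = review(m, today, events_occurred)
        if action != "none":
            findings.append((m.title, action, new_level))
    return findings


if __name__ == "__main__":
    # Constructed sample holdings; dates and titles are illustrative only.
    holdings = [
        Marking("Cabinet memo", "Secret", date(1989, 12, 4), expires=date(2009, 12, 4)),
        Marking("Intel summary", "Top Secret", date(1999, 1, 1), expires=date(2009, 1, 1)),
        Marking("Field data", "Protected B", date(2005, 5, 1), trigger_event="publication"),
    ]
    for finding in review_all(holdings, date(2010, 1, 1)):
        print(finding)
```

On the constructed holdings, the Secret memo is declassified by its expiry date, the Top Secret summary is only flagged for manual review even though its date has passed, and the Protected B data stays as it is until the "publication" event is reported.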
DESTRUCTION OF SENSITIVE DOCUMENTS
Protected A – Paper: classified waste disposal or destroy in approved cross-cut shredder. Electronic: delete from media.
Protected B – Paper: classified waste disposal or destroy in approved cross-cut shredder. Electronic: delete from media and re-format drive.
Protected C – Paper: classified waste disposal or destroy in approved cross-cut shredder. Electronic: degauss media.
Confidential, Secret, Top Secret – Paper: destroy in approved cross-cut shredder. Electronic: degauss and physically destroy media.
Degauss: a process by which a computer hard drive is unformatted by randomly scrambling the bits on the drive.
REVIEW: INFORMATION SECURITY
As the originator of sensitive documents, or the recipient of sensitive documents sent by the public, you must:
1. Decide what level of protection or classification is appropriate;
2. Mark the document(s) from draft to completion;
3. Ensure documents are processed and stored according to the level of protection or classification assigned;
4. Distribute the information to others who are appropriately screened and on a need to know, need to access basis;
5. Remove or change the level of protection and classification of information when required;
6. Ensure the appropriate destruction of sensitive documents.
GUIDING PRINCIPLES OF INFORMATION SECURITY:
• Security classification flows with the information:
– Originator decides on level of security;
– Receiver must accept the assigned classification.
– Note: Information received from the public must be assessed and assigned either a protected or classified level where appropriate.
• When incorporating information into existing classified/protected documents or other media – ensure that the new document is also classified at the level of the highest document in the file or storage device.
• A package of information is “marked” based on the document with the highest classification.
• Sensitive information should be reviewed periodically with the intent of “declassifying” or “downgrading” when appropriate.
• Over-classification must be avoided – it is costly and it minimizes the potential uses of the information.
CONGRATULATIONS!
• You have just completed Information Security – an IM self-study module. You may now:
– Test your knowledge with the following quiz.
– Review other IM self-study modules in this series: Information Management 101; Managing Email Effectively; Records Management and You!; IM and the Departing Employee; Privacy and Personal Information – What Canadians Expect; Understanding IM Within the Federal Government.