IS Security Orders - CFMWS - SBMFC Web view. The password is the secret word that identifies the...

CANADIAN FORCES MORALE AND WELFARE SERVICES NON-PUBLIC PROPERTY NETWORK INFORMATION SYSTEMS SECURITY ORDERS (CFMWS NPPNet IS Security Orders)



05 Apr 2016

Version 2.0


CFMWS IS SECUR ORDERS - Foreword

FOREWORD

1. These orders are issued on the authority of DGMWS and constitute the Operational Authority for the CFMWS Information Systems (CFMWS IS). The orders provide the security policy requirements and security standards for the CFMWS IS. These orders form the minimum acceptable security standard to ensure the confidentiality, integrity, availability and accountability essential for all CFMWS IS information and assets. These orders apply to all users of any unclassified CFMWS IS.

2. The following orders mirror current Government of Canada (GOC) security policy requirements and standards. They are used in conjunction with the references identified herein. The Director Information Management & Information Technology Operations (DIR. IM/IT OPS.) is assigned specific responsibility for monitoring the state of the Information Systems (IS) security posture, and compliance with policies, within the CFMWS. CFMWS IS users shall direct all IS security matters to the CFMWS Information Technology Security Officer, through their normal Chain of Command.

3. While the CFMWS Information Technology Security Officer is assigned specific IS security responsibilities, policy compliance is the responsibility of all personnel, at each level in the organization.

4. The CFMWS Information Systems Security Officer (CFMWS Information Technology Security Officer) is the Office of Primary Interest (OPI) for the CFMWS IS Security Orders and the Security Authority for all CFMWS IS. Queries or suggestions to these orders are encouraged at any time and should be directed to CFMWS Information Technology Security Officer.

Commodore Mark B. Watson, MRC
Commodore, RCN
Director General Morale and Welfare Services

OPI: CFMWS Information Technology Security Officer i


INTRODUCTION

1. BACKGROUND
The CFMWS IS Security Orders are provided in accordance with the requirements described in the Government of Canada Security Policy (GSP). The Non-Public Property Network (NPPNet) is currently working towards accreditation, and operates in a “MULTI-LEVEL” mode of operation. Its goal is to be approved for processing, storing, and transmitting up to and including “PROTECTED A” information, and for processing, storage, and transmission of “PROTECTED B” information with the use of PKI technologies.

2. POLICY
The CFMWS IS Security Orders are issued to provide users of the CFMWS IS with information concerning acceptable use of the information systems. Individual policy statements are contained in Chapter One.

3. SCOPE
These orders are applicable to all personnel using any unclassified/designated CFMWS IS. All IS are required to adhere to these orders as a condition of their network accreditation.

4. RESPONSIBILITIES
The CFMWS ISSO is responsible for enforcing the CFMWS IS Security Orders. ISSOs are responsible for ensuring that all CFMWS IS users are familiar with these orders. Detailed responsibilities are contained in Chapter Two.

5. DEFINITIONS
A detailed list of definitions is contained at Annex B. For the purpose of these Orders, the term “information system (IS)” includes stand-alone PCs, multi-user systems, a group of systems, a site/facility or any network unless specifically stated otherwise.

6. SANCTIONS
All users of the CFMWS IS are subject to administrative, disciplinary, legal or criminal actions should their activities or negligence in the use, operation, administration or management of the IS result in:

a. compromise of information or assets;
b. violation of any regulations, orders, or laws;
c. any loss of assets or availability; or
d. denial of service.

7. REVIEW DATE
The CFMWS IS Security Orders will be reviewed annually or on change of the CFMWS IS Operational Authority, whichever occurs first.


8. COORDINATOR
The CFMWS Information Technology Security Officer is responsible for the review, distribution, and maintenance of the CFMWS IS Security Orders. The Coordinator will ensure that the Orders are made available on appropriate Intranet sites and available in hard copy on request.


TABLE OF CONTENTS

FOREWORD  i
INTRODUCTION  i
  1. BACKGROUND  i
  2. POLICY  i
  3. SCOPE  i
  4. RESPONSIBILITIES  i
  5. DEFINITIONS  i
  6. SANCTIONS  i
  7. REVIEW DATE  i
  8. COORDINATOR  ii

CHAPTER 1 – CFMWS INFORMATION SYSTEMS SECURITY POLICY  1
  1.1 GOVERNMENT SECURITY POLICY  1
  1.2 ACRONYMS & DEFINITIONS  1
  1.3 REFERENCES  1
  1.4 CFMWS IS SECURITY POLICY OBJECTIVES  2
  1.5 CFMWS IS SYSTEM SECURITY POLICY - GENERAL  2
    1.5.1 Individual Accountability  2
    1.5.2 Individual Responsibility  2
    1.5.3 Controlled Access  2
    1.5.4 Least Privilege  2
    1.5.5 Levels of Protection  3
    1.5.6 Redundancy of Protection  3
    1.5.7 Authorized Use of Network  3
    1.5.8 Unlawful and Unacceptable Conduct  3
  1.6 SECURITY AWARENESS AND TRAINING  3
    1.6.1 Awareness Program  3
    1.6.2 Training Aids  4
  1.7 AUDITS AND MONITORING  4
    1.7.1 Information System Audit Controls  4
    1.7.2 Monitoring  4
  1.8 EXPECTATION OF PRIVACY  4
  1.9 CONFIGURATION MANAGEMENT  5
    1.9.1 General  5
    1.9.2 Configuration Control  5
    1.9.3 Problem Management  5
  1.10 REPORTING OF THREATS, BREACHES AND VIOLATIONS  5

CHAPTER 2 - CFMWS INFORMATION SYSTEM SECURITY RESPONSIBILITIES  1
  2.1 IS SECURITY - PRIMARY PARTICIPANTS  1
    2.1.1 DGMWS and CIO  1
    2.1.2 CFMWS IS SECURITY AUTHORITY (CFMWS Information Technology Security Officer)  1
    2.1.3 OPERATIONAL AUTHORITY (Executive Management/National Managers)  2
    2.1.4 SITE INFORMATION SYSTEM SECURITY OFFICER (SITE ISSO)  2
    2.1.5 SYSTEM USERS  3
  2.2 IS SECURITY - COLLATERAL PARTICIPANTS  3
    2.2.1 SYSTEM ADMINISTRATORS  3
    2.2.2 SYSTEM MANAGERS  3

CHAPTER 3 - CFMWS INFORMATION SYSTEM OPERATIONAL SECURITY STANDARDS  1
  3.1 GENERAL  1
    3.1.1 Standards  1
    3.1.2 Responsibility  1
  3.2 CERTIFICATION AND ACCREDITATION  1
    3.2.1 General  1
    3.2.2 Certification & Accreditation  1
    3.2.3 Certification  1
    3.2.4 Accreditation  2
    3.2.5 Accreditation Authority  2
  3.3 PERSONNEL SECURITY  2
    3.3.1 General  2
    3.3.2 Security Monitoring  3
  3.4 INFORMATION SYSTEM SECURITY EDUCATION AND AWARENESS  3
    3.4.1 Security Awareness - General  3
    3.4.2 Security Awareness - Content  3
    3.4.3 Security Awareness - Learning Aid  3
    3.4.4 Security Briefings  4
    3.4.5 Security Briefings  4
    3.4.6 Training of Personnel  4
    3.4.7 Transfer of Personnel  4
  3.5 PHYSICAL AND ENVIRONMENTAL SECURITY  5
    3.5.1 General  5
    3.5.2 Environmental Security  5
    3.5.3 IS Facility Access Control  5
    3.5.4 Escort Procedures  5
    3.5.5 Sensitive Components/Media  5
    3.5.6 Location of IS  5
  3.6 GENERAL OFFICE SECURITY  5
  3.7 DOCUMENT SECURITY  6
    3.7.1 General  6
    3.7.2 Manipulation of Documents  6
    3.7.3 CFMWS Network Sensitivity  6
  3.8 COMPUTER SECURITY  6
    3.8.1 Hardware Security – Controls  6
    3.8.2 Minimum Hardware Configuration  6
    3.8.3 Removable USB Storage Devices  6
    3.8.4 Minimum Security Standards Office of Primary Interest (OPI)  7
    3.8.5 Software Security  7
  3.9 SECURITY PROCEDURES FOR REMOTE ACCESS  7
    3.9.1 General  7
    3.9.2 Granting of Remote Access  8
    3.9.3 Rules for Remote Access  8
  3.10 SECURITY PROCEDURES FOR USERS OF PORTABLE COMPUTERS  8
    3.10.1 General  8
    3.10.2 User Responsibilities  8
    3.10.3 User Accountability  9
    3.10.4 Reporting of Incident  9
  3.11 USE OF PORTABLE COMPUTERS  10
    3.11.1 General  10
    3.11.2 Rules for Processing Classified/Designated Information  10
  3.12 USE OF MOBILE DEVICES  10
    3.12.1 General  10
    3.12.2 Rules for Mobile Device Acquisition and Use  10
  3.13 COMMUNICATIONS SECURITY  11
    3.13.1 Facsimile (FAX) Machines  11
    3.13.2 Modems  11
    3.13.3 Network Security  11
    3.13.4 A/B or KVM Switches  12
    3.13.5 Network Security Measures  12
    3.13.6 Interim Authority to Process  12
    3.13.7 Interim Authority to Process - Request Procedures  13
    3.13.8 Change Authority (CA) Responsibilities  13
    3.13.9 DIR. IM/IT OPS. Responsibilities  13
  3.14 DISPOSAL OF INFORMATION TECHNOLOGY (IT) MEDIA  13
  3.15 EMERGENCY DESTRUCTION PLAN  13
  3.16 DATA INTEGRITY  13
    3.16.1 General  13
    3.16.2 Rules for Removable Storage Media  14
  3.17 INFORMATION SYSTEMS - EXCEEDING SECURITY LIMITATIONS  14
  3.18 ELECTRONIC MAIL  14
    3.18.1 General  14
    3.18.2 Improper Use  15
  3.19 PROBLEM REPORTING  15
  3.20 OPERATIONS SECURITY  15
    3.20.1 Separation of Duties – General  15
    3.20.2 Privileged User Access  15
    3.20.3 Separation of ISSO and CA Roles  16
    3.20.4 System/User Access and Authorization  16
  3.21 MALICIOUS SOFTWARE  18
    3.21.1 Description  18
    3.21.2 Mechanisms of Infection  19
    3.21.3 Vulnerabilities  19
    3.21.4 Protective Measures  19
    3.21.5 Malware Incident Handling & Reporting  20
    3.21.6 Malicious Code Incident Handling & Reporting  20
  3.22 REPORTING OF SECURITY BREACHES AND VIOLATIONS  20
    3.22.1 Incidents  20
    3.22.2 Incident Reporting  20
    3.22.3 Failure to Report  20
  3.23 DISASTER RECOVERY AND CONTINGENCY PLANS  21
    3.23.1 Disaster Recovery and Contingency Planning  21
    3.23.2 Disaster Recovery and Contingency Plan Considerations  21
    3.23.3 Non CFMWS Facilities Requirements  21
    3.23.4 Plan Storage  21
    3.23.5 Critical Human Resources  22
    3.23.6 Critical Items  22
    3.23.7 Contingency Plan Review Standards  22
    3.23.8 Evacuation Procedures  22
    3.23.9 Back-up Requirements  22

ANNEX A - CFMWS ISSO TERMS OF REFERENCE  1
  1. GENERAL  1
  2. QUALIFICATIONS  1
  3. ACCOUNTABILITY  1
  4. RESPONSIBILITIES  1

ANNEX B - DEFINITIONS  1

ANNEX C – ACRONYMS  1

ANNEX D – CFMWS SITE ISSO TERMS OF REFERENCE  1
  1. SUMMARY OF RESPONSIBILITIES  1
    General  1
    Qualifications  1
    Accountability  1
    Authority  1
  2. RESPONSIBILITIES  1
    2.1 General  1
    2.2 Primary  2

APPENDIX 1 – CFMWS IS SECURITY OFFICE SECURITY AWARENESS BRIEFING FORM  1
APPENDIX 2 – INCIDENT REPORT  1
APPENDIX 3 – LOCAL IS SECURITY POLICY  7


CHAPTER 1 – CFMWS INFORMATION SYSTEMS SECURITY POLICY

1.1 GOVERNMENT SECURITY POLICY
The Government Security Policy (GSP) holds each Departmental entity accountable for safeguarding the information and assets with which it is entrusted. Specifically, since Staff of the Non-Public Funds is listed in Schedule V of the Financial Administration Act, all GSP requirements apply. Therefore the Information Security Office is responsible for ensuring that programs and orders are consistent with the GSP and that:

a. an appropriate level of security is applied to all Information Systems; and
b. the approved security posture for these systems is maintained.

1.2 ACRONYMS & DEFINITIONS
All acronyms are listed and defined at Annex C. Security-relevant terms used in this document are italicized and defined at Annex B. For the purposes of these orders the term “Information System (IS)” includes stand-alone PCs, multi-user systems, a group of systems, a site/facility or any network unless specifically stated otherwise.

1.3 REFERENCES
Direction, standards and requirements provided in these orders are derived from current GOC and DND policies. The following references are applicable:

A. Government of Canada Security Policy (GSP)
B. National Defence - National Capital Region Information Systems Security Orders (NCR IS SECUR ORDERS)


1.4 CFMWS IS SECURITY POLICY OBJECTIVES
The CFMWS IS Security Policy objectives are to ensure that:

a. IS are safeguarded in a cost-effective manner, consistent with GOC security policies and standards;

b. the identified risk is managed in accordance with the approved procedures; and

c. the approved security posture for an IS is maintained throughout its life cycle.

1.5 CFMWS IS SYSTEM SECURITY POLICY - GENERAL

1.5.1 Individual Accountability
Personnel using the CFMWS IS shall be held responsible and accountable for their actions. All IS will provide a means by which individual users can be held individually accountable for their actions, through the use of Identification and Authentication.

1.5.2 Individual Responsibility
Users of CFMWS IS shall be responsible for ensuring that no action is taken which could degrade or compromise:

a. Confidentiality. The measures provided whereby information is not made available or disclosed to unauthorised individuals, entities, or processes;

b. Integrity. The required level of accuracy, completeness and dependability of the programs, services and information being handled by the IS or its assets;

c. Availability. The required level of responsiveness of programs, services and information being provided by the IS to support the stated mission; and

d. Accountability. The property that ensures that the actions of an entity may be traced uniquely to that entity.

1.5.3 Controlled Access
A person or any system component shall be granted access only to that information for which appropriate access authorization(s) and an established need-to-know are approved. Access shall only be granted to those resources necessary to perform the assigned task. Controlled access is normally achieved through a combination of technical, physical and/or procedural means.


1.5.4 Least Privilege
A person or any system component shall be granted the least access (e.g. read, delete, modify or append) required to complete the task.

1.5.5 Levels of Protection
The protection provided should be commensurate with the security levels of the information and assets involved. The protection must also take into consideration the identified vulnerabilities and threats to the Information System.

1.5.6 Redundancy of Protection
Redundant protective features shall be employed in the safeguarding of information assets. Protection features such as Standard Operating Procedures (SOP) and information back-ups must be tested, and then stored at an offsite location.

1.5.7 Authorized Use of Network
Users shall only access and use CFMWS IS, including assets, to perform functions related to their duties. Users shall not process, store or communicate private information, or conduct personal affairs/business, on any CFMWS IS assets. CFMWS IS assets shall only be used for CFMWS purposes. The Chain of Command that grants personal use must inform the CFMWS Information Technology Security Officer of the level of personal use granted.

1.5.8 Unlawful and Unacceptable Conduct
Any person having direct or indirect access to an IS shall be held individually accountable for their actions on the system. Pornographic, lewd, racist, sexist, or any other materials which are contrary to Canadian laws and/or CFMWS policies and regulations shall not be introduced onto any CFMWS IS. The Military Police Company (MP Coy) shall investigate any possible breaches of Canadian law or Acts of Parliament. If such activity is suspected, the CFMWS Information Technology Security Officer shall contact the MP Coy. Personnel are subject to criminal, legal, disciplinary and/or administrative actions when their actions:

a. compromise information or assets; or
b. violate Canadian law, Acts of Parliament, or CFMWS policies/regulations.

If such actions or negligence are discovered or suspected, they are to be reported to the CFMWS Information Technology Security Officer, who will initiate appropriate investigative action. Any suspected illegal activity shall be reported to law enforcement authorities.


1.6 SECURITY AWARENESS AND TRAINING

1.6.1 Awareness ProgramA Security Awareness Program shall be established to ensure that personnel at all levels in CFMWS are aware of their IS security responsibilities. All personnel shall be provided with essential training, to effectively carry out their specified security responsibilities. ISSOs are to ensure that individual users sign the appropriate acceptable use agreement in reference to specific CFMWS IS.

Within CFMWS confines two information systems exist:

a. Defence Wide Area Network (DWAN) Systemb. Non-Public Property Network (NPPNet) System

1.6.2 Training AidsThe CFMWS IS Security Office has a website to enhance security awareness.

1.7 AUDITS AND MONITORING

1.7.1 Information System Audit ControlsAutomated and/or manual audit controls shall be implemented on all CFMWS IS and these controls will include effective recording of security relevant activities. Logs are to be kept for all Internet/Intranet activities and are to be retained for a period of 6 months.

1.7.2 Monitoring

The CFMWS IS Security Office and other authorised persons shall conduct manual and/or electronic security monitoring frequently and at irregular intervals to:

a. detect unauthorized activities and behaviour which could possibly compromise the system’s information or assets; and

b. ensure communications controls have not been compromised or misused.

1.8 EXPECTATION OF PRIVACY

CFMWS IS and assets shall only be accessed and used to perform authorised tasks. All users shall be aware that authorised CFMWS personnel monitor Information Systems. There is no assumption of privacy on the network, including during personal use. Therefore, users should be aware that Internet banking or any other personal use is not excluded from monitoring. CFMWS will not be held responsible for any information compromise/damage caused through personal use/misuse of any CFMWS Information System.


1.9 CONFIGURATION MANAGEMENT

1.9.1 General

Changes to the physical and functional characteristics, such as moving or adding terminals to an IS, must be controlled and properly authorised. Unauthorised changes will impact the IS certification and accreditation.

1.9.2 Configuration Control

A minimum level of configuration control shall be implemented throughout the life cycle of each IS in accordance with CFMWS Configuration Management policy and standards. Any system changes must be formally approved via the Request For Change (RFC) process prior to implementation.

1.9.3 Problem Management

For each IS, procedures shall be developed, documented and implemented for reporting, recording, tracking and resolving IS problems. Priority shall be given to the resolution of hardware, software and data problems that affect security.

1.10 REPORTING OF THREATS, BREACHES AND VIOLATIONS

Any incident that violates IS security policy shall be investigated and reported, and corrective action taken as outlined in Chapter 3. All incidents shall be reported to the CFMWS Information Technology Security Officer. The MP Coy shall formally investigate malicious code and virus security incidents that indicate a possible or probable criminal act, security breach, or foreign intelligence, terrorist or extremist involvement. If such activity is suspected, the CFMWS Information Technology Security Officer shall contact the MP Coy.


CHAPTER 2 - CFMWS INFORMATION SYSTEM SECURITY RESPONSIBILITIES

2.1 IS SECURITY-PRIMARY PARTICIPANTS

2.1.1 DGMWS and CIO

2.1.1.1 DGMWS

As the Operational Authority for the CFMWS IS, the Director General is responsible to the Departmental Security Officer (DSO) to ensure that the conditions of accreditation granted continue to be met. Through adherence to the conditions of accreditation, the Residual Risk (RR) identified is reported to the operational authority. The operational authority reserves the right to assume a higher level of Residual Risk than that granted under accreditation, provided it is identified to the DSO.

2.1.1.2 CIO

The CIO is responsible for coordinating the CFMWS certification requirements and for ensuring that the security posture of the CFMWS IS is maintained throughout its life cycle. DIR. IM/IT OPS. is also responsible for providing IS support to the CFMWS. The DIR. IM/IT OPS. responsibilities include IS management, operations, maintenance, training, co-ordination of requirements definition, project direction, plans and policy development. IS security requirements are a fundamental part of these responsibilities.

2.1.2 CFMWS IS SECURITY AUTHORITY (CFMWS Information Technology Security Officer)

2.1.2.1 CFMWS IS Security Authority

The CFMWS IS Security Authority is the CFMWS Information Technology Security Officer. The CFMWS Information Technology Security Officer is responsible to the Director General to ensure that the conditions of accreditation continue to be met. The principal methods of enforcement are:

a. the CFMWS IS Security Orders;

b. the effective conduct of a security awareness program in conjunction with CFMWS Site ISSOs; and

c. the performance of security audits/investigations.

The CFMWS Information Technology Security Officer shall have complete access to the electronic files of all CFMWS IS.

2.1.2.2 CFMWS Information Technology Security Officer

The CFMWS Information Technology Security Officer is responsible for providing technical IS security advice or assistance to all personnel, including individual System Managers, System Administrators, System Custodians and Security Officers in the CFMWS. The CFMWS Information Technology Security Officer is also responsible for developing and maintaining the CFMWS security awareness education program, conducting certification inspections, audits and investigations, and monitoring compliance with the CFMWS IS Security Orders.

2.1.2.3 CFMWS IS Security Officer (ISSO)

The CFMWS Information Technology Security Officer is appointed IS Security Officer (ISSO) for the CFMWS NPPNet. The CFMWS Information Technology Security Officer is responsible, in conjunction with Group/LAN ISSOs, for investigating reports of unlawful or unacceptable use by individuals on CFMWS electronic networks. Under the direction of the CFMWS Information Technology Security Officer, the CFMWS IS Security Office section is responsible for analysing logs of electronic network use by individuals, as well as the content of all files, when a report has been received of unlawful or unacceptable use. Members of the CFMWS IS Security Office section must disclose all information to law enforcement authorities when any unlawful activity is suspected.

2.1.3 OPERATIONAL AUTHORITY (Executive Management/National Managers)

Operational Authorities are responsible for ensuring that the conditions of accreditation continue to be met, through implementation of and compliance with the CFMWS IS Security Orders, for all CFMWS IS within their realm of control. Each Operational Authority shall appoint a LAN/Site ISSO and ensure that all personnel are aware of their IS security obligations, specifically the requirement to follow these orders. Operational Authorities, in consultation with the CFMWS Information Technology Security Officer, are also responsible for:

a. identifying the functional security requirements of CFMWS IS supporting their organisations; and

b. ensuring that the security posture of the IS is maintained throughout its life cycle.

2.1.4 SITE INFORMATION SYSTEM SECURITY OFFICER (SITE ISSO)

The CFMWS Information Technology Security Officer (CFMWS ISSO) or the Operational Authority, as applicable, shall appoint Site ISSOs to be located within the core buildings in the CFMWS AOR. The Site ISSOs report to the CFMWS ISSO to ensure that personnel comply with the CFMWS IS Security Orders. The Site ISSOs are responsible for preparing system security operating procedures, ensuring security awareness, auditing system security, and monitoring compliance. Terms of Reference (TOR) shall be prepared for the Site ISSO identifying specific security duties and the relationship to the CFMWS Information Technology Security Officer. The CFMWS Information Technology Security Officer will appoint Site ISSOs for each core building within the CFMWS as the first level of contact to the CFMWS IS Security Office.

2.1.5 SYSTEM USERS

All users of CFMWS IS are responsible to the applicable Site ISSO for compliance with the CFMWS IS Security Orders. Users are responsible for informing the Site ISSO of any non-compliance with the CFMWS IS Security Orders or any action which could affect the accreditation of the CFMWS IS. Users are not to make any changes to the electronic networks without applicable ISSO approval.

2.2 IS SECURITY-COLLATERAL PARTICIPANTS

2.2.1 SYSTEM ADMINISTRATORS

In addition to any specific duties contained in the System Administrators Terms of Reference, System Administrators shall contribute to the IS Security Program by:

a. advising the Site ISSO on IS implementation plans;

b. maintaining the inventory and architectural diagrams for all hardware and connections;

c. maintaining the inventory of all software and ensuring that adequate approved anti-viral software is installed on all IS; and

d. ensuring that the Site ISSO is apprised of all changes to the accredited IS.

2.2.2 SYSTEM MANAGERS

In addition to any specific duties contained in the System Managers Terms of Reference, they shall contribute to the IS Security Program by:

a. managing a centralized structure of support to the users;

b. conducting weekly (system) backups and daily (incremental) backups of network drives (therefore users shall make maximum use of network drives for backup as assigned by the system manager under the authority of the Site ISSO);

c. issuing and controlling all storage media (e.g. diskettes, CDs, tapes, USB removable storage devices, etc.) issued for the applicable LAN;

d. separate storage of software, backups and data in another building (offsite storage);

e. ensuring backups are tested on a regular basis;

f. issuing individual user IDs and initial passwords;

g. advising the Site ISSO and system administrators on detailed technical aspects of hardware and software system security; and

h. implementing hardware and software security measures as required.


CHAPTER 3 - CFMWS INFORMATION SYSTEM OPERATIONAL SECURITY STANDARDS

3.1 GENERAL

3.1.1 Standards

This chapter provides the security standards and procedures for implementing the IS security policy described in these orders.

3.1.2 Responsibility

The CFMWS Information Technology Security Officer has overall responsibility for ensuring compliance with these standards for the CFMWS.

3.2 CERTIFICATION AND ACCREDITATION

3.2.1 General

Certification and Accreditation (C&A) are the means used to ensure that an IS is operating within the prescribed security guidelines. All IS attached to, or using, CFMWS networks are to be certified and accredited. Certification and Accreditation is a formal process that identifies information system (IS) assets and their confidentiality, integrity, accountability, and availability requirements in order to verify that technical and non-technical safeguards are sufficient. The requirement to perform C&A is explained within the CFMWS Security Policy, while the methodology for doing C&A is explained within the CFMWS C&A Guide. The benefit of C&A to Operational Authorities is that their systems operate at an acceptable level of security, are formally authorized to operate, and that any residual risk is identified to the Operational Authority of the IS.

3.2.2 Certification & Accreditation

C&A is a process that requires a commitment of resources by the Operational Authorities. All information systems connecting to any CFMWS network or a stand-alone LAN shall, without exception, undergo timely C&A. This protects both the connecting system and the CFMWS IS itself (as well as other CFMWS IS users). For new and older systems moving from other locations, C&A is required prior to (re)connection to the network. CFMWS Security Policy requires that C&A be completed on all IS.

3.2.3 Certification

The comprehensive independent evaluation of the technical and non-technical security features of an information system/network, including all other safeguards that support the accreditation process. The certification process ascertains the extent to which particular system/network designs and implementations meet a specified set of security requirements. Certification evidence provided must satisfy accreditation requirements, and all certification activities must be completed before the accreditation can be finalised. The accreditation requirements should be identified at the earliest opportunity.

3.2.4 Accreditation

The authority required before an IS may be utilized to store, process, or transmit information from one system to another. The accreditation process transfers the risk from the account manager of the system to the Departmental Security Officer or Operational Authority. It is the official management authorisation to operate an IS or network:

a. for a specified period of time;

b. in a particular security mode;

c. with a prescribed set of administrative, environmental and technical security safeguards;

d. against a defined threat and with stated vulnerabilities and countermeasures;

e. in a given operational environment;

f. under a stated operational concept;

g. with stated interconnections to other IS or networks; and

h. at an acceptable level of Residual Risk (RR) for which the Accrediting Authority has formally assumed responsibility.

3.2.5 Accreditation Authority

The Accreditation Authority or Operational Authority formally accepts Residual Risk (RR) for an IS or network, certifying that “due care” has been taken for security. The Accreditation Authority agrees to assume this risk provided the Operational Authority operates within the conditions stipulated in the accreditation. The responsibility for the system's secure operation rests with the Operational Authority of the IS as delegated by higher authority. The Accrediting Authority formally declares that a specified IS or network will adequately protect sensitive or otherwise valuable information against compromise through the continuous employment of administrative, procedural, physical, personnel and technical security safeguards.

3.3 PERSONNEL SECURITY

3.3.1 General

The Site ISSO shall confirm the authorisation for users requiring access to a CFMWS IS, although this duty may be delegated to appropriate Human Resources staff during on-boarding processes. Before access to the CFMWS IS is approved, the user will be briefed and must sign the aforementioned agreement.

In addition to the above, a yearly IS Security Office Security Awareness Briefing will be conducted to confirm the individual's understanding of the published IS Security Orders. At this time the IS Security Office Security Awareness Briefing form (see Appendix 1) will be signed; a copy of the signed form must be provided to the Site ISSO or higher.

Approved manual and/or automated access controls shall be implemented to enforce the following:

a. Need to Know: Restrict access to minimum information and assets for which a need-to-know is essential for the user to carry out assigned functions and duties; and

b. Least Privilege: Limit a user, or any system component acting on behalf of a user, to the most restrictive access privileges needed to perform the tasks.
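Need to know and least privilege are two separate tests, and an automated control has to apply both, in that order, starting from a default of deny. The following is an added example and not code from the orders or from CFMWS: users, roles, compartments and resource paths are constructed. A resource carries the need-to-know compartments an accessor must hold; a role carries only the operations its duty requires; a request is allowed only when both tests pass. The last function is the review step that least privilege implies but that policies rarely spell out: comparing what a user holds against what their assigned tasks actually need.

```python
"""Added example (not part of the CFMWS orders): a default-deny access check
that enforces 3.3.1 a. Need to Know and 3.3.1 b. Least Privilege.  All users,
roles, compartments and resource paths below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]          # duties assigned to the user
    need_to_know: FrozenSet[str]   # compartments the user's duties require


@dataclass(frozen=True)
class Resource:
    path: str
    compartments: FrozenSet[str]   # need-to-know tags an accessor must hold


# Least privilege: each role carries only the operations its duty requires.
# Constructed roles; a backup operator, for instance, reads but never modifies.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "payroll_clerk": frozenset({"read"}),
    "payroll_supervisor": frozenset({"read", "write"}),
    "backup_operator": frozenset({"read"}),
}


def effective_permissions(user: User) -> Set[str]:
    """Union of the operations granted by the user's roles.
    An unknown role grants nothing (deny by default)."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def decide(user: User, resource: Resource, operation: str) -> str:
    """Return 'allowed' or a 'denied: ...' reason.  The request must pass the
    need-to-know test AND fall within the least-privilege permission set;
    anything else is denied."""
    missing = resource.compartments - user.need_to_know
    if missing:
        return f"denied: need-to-know ({', '.join(sorted(missing))} not held)"
    if operation not in effective_permissions(user):
        return f"denied: least-privilege ({operation} not granted)"
    return "allowed"


def is_allowed(user: User, resource: Resource, operation: str) -> bool:
    return decide(user, resource, operation) == "allowed"


def excess_privileges(user: User, operations_needed: Set[str]) -> Set[str]:
    """Least-privilege review: operations the user holds beyond what the
    assigned tasks need.  A non-empty result is a finding, fixed by
    narrowing the user's roles rather than by adding exceptions."""
    return effective_permissions(user) - operations_needed


# Constructed sample principals and resources.
CLERK = User("clerk01", frozenset({"payroll_clerk"}), frozenset({"PAYROLL"}))
SUPERVISOR = User("sup01", frozenset({"payroll_supervisor"}),
                  frozenset({"PAYROLL", "HR"}))
LEDGER = Resource("/payroll/ledger.xlsx", frozenset({"PAYROLL"}))
PERSONNEL_FILE = Resource("/hr/personnel/", frozenset({"HR", "PAYROLL"}))

if __name__ == "__main__":
    for who, what, op in [(CLERK, LEDGER, "read"), (CLERK, LEDGER, "write"),
                          (CLERK, PERSONNEL_FILE, "read"),
                          (SUPERVISOR, PERSONNEL_FILE, "write")]:
        print(f"{who.name} {op:5} {what.path}: {decide(who, what, op)}")
    print("supervisor's excess over a read-only task:",
          excess_privileges(SUPERVISOR, {"read"}))
```

The need-to-know test is evaluated first so that a denial never reveals, through its reason string, whether the user would otherwise have had the operation; the reason strings are for the audit log required by 1.7.1, not for the requesting user.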

3.3.2 Security Monitoring

Frequent and irregular manual and/or electronic security monitoring of IS and assets will be conducted to detect unauthorised user/system activities which could affect the security posture of these systems. Dir. IM/IT Ops. and the CFMWS IS Security Office personnel shall carry out such monitoring and investigate any activities that are suspected of degrading the accreditation or security of the CFMWS IS.

3.4 INFORMATION SYSTEM SECURITY EDUCATION AND AWARENESS

3.4.1 Security Awareness - General

Each ISSO shall ensure that their security awareness program meets the specific security requirements of the system for which the ISSO is responsible.

3.4.2 Security Awareness - Content

The security awareness program will inform personnel of the following:

a. general threats, vulnerabilities and security features of the IS in use;

b. security requirements related to the working environment;

c. new security issues;

d. security violations; and

e. procedures for reporting security breaches, violations or concerns.

3.4.3 Security Awareness - Learning Aid

The program should be conducted using such means as:

a. properly documented IS security briefings;

b. security notices, pamphlets, posters, and signs;

c. informal and formal presentations; and

d. security videos.

3.4.4 Security Briefings

Security briefings shall be given by the ISSO to all personnel that have access to IS. These briefings will include the following:

a. the access requirements of their position or contract;

b. security features, procedures and vulnerabilities specific to the IS involved;

c. their authorised security screening level;

d. their responsibilities for safeguarding information and assets;

e. their legal responsibilities relating to disclosure and non-disclosure of information;

f. mandatory signing of the CFMWS IS Security Office Security Awareness Briefing form (Appendix 1);

g. other relevant security responsibilities specific to their duties; and

h. applicable departmental and CFMWS IS security requirements.

3.4.5 Security Briefings

Security briefings are given in person and include a written document outlining the contents of the briefing and the date it was given (available at Appendix 1). The document is to be signed by the person being briefed and a copy retained on file for future reference by the CFMWS IS Security Office staff.

3.4.6 Training of Personnel

Personnel must be trained on CFMWS IS security policy requirements. The CFMWS ISSO will ensure that they, and other ISSO personnel within the Group, receive the required training to make sure that they do not jeopardise the CFMWS IS security posture.

3.4.7 Transfer of Personnel

When personnel or contractors are transferred by appointment, assignment, deployment, secondment or contract change, Information Technology Support Services shall, under the direction of Dir. IM/IT Ops., review, modify and/or revoke all access privileges to the IS and assets accordingly.


3.5 PHYSICAL AND ENVIRONMENTAL SECURITY

3.5.1 General

All IS shall be physically protected with CFMWS approved security measures, as determined by a Threat Risk Assessment (TRA), to minimise the likelihood of unauthorised access to the system.

3.5.2 Environmental Security

Normally, an IS will not be located where it is exposed to environmental hazards such as extreme heat, cold, humidity, dust, physical abuse, etc.

3.5.3 IS Facility Access Control

The DIR. IM/IT OPS. shall ensure that all required physical access controls to the IS facility are always invoked. This includes personnel access lists, intrusion alarms, key/combination controls and visitor logs. Wire Centre/Server room access shall be strictly enforced by the use of an electronic/mechanical access control door, and an access control list shall be maintained at all times. A copy of each Wire Centre/Server room access control list, and of any changes made to it, must be forwarded to the CFMWS Information Technology Security Officer within five (5) working days.

3.5.4 Escort Procedures

The DIR. IM/IT OPS. shall ensure that anyone lacking adequate security clearance is escorted/monitored by a technically competent system administrator, and never left unattended, such as:

a. visitors;

b. contractors/maintenance personnel; and

c. contracted IS maintenance personnel.

3.5.5 Sensitive Components/Media

All such components/media shall be physically secured to the highest sensitivity level assigned.

3.5.6 Location of IS

IS monitors and output devices, such as printers, shall be located where they can be observed/monitored by authorised personnel and not viewed by or accessible to unauthorised persons.

3.6 GENERAL OFFICE SECURITY

Security personnel and appointed IS Security Officers will conduct, without notice, periodic security checks during working and silent hours. These security checks are conducted to ensure compliance with security regulations and that the proper security protection is afforded to CFMWS sensitive assets.


3.7 DOCUMENT SECURITY

3.7.1 General

The IT systems shall be physically protected to minimize the likelihood of unauthorized access to the system entry points, access to information and/or damage to the systems. Designated information is information related to other than the national interest which, because of its sensitivity, requires enhanced protection.

3.7.2 Manipulation of Documents

Each file or database shall have an identifiable origin and use. Its accessibility, maintenance, manipulation, movement and disposition shall be controlled on the basis of need-to-know. Information designated PROTECTED "A" may be private or proprietary and, therefore, requires a greater degree of protection than that given to unclassified information.

3.7.3 CFMWS Network Sensitivity

There will be no classified information permitted on a network unless it is specifically accredited and certified to that level. The maximum designation level of information stored, processed or communicated on the NPPNet is “PROTECTED A”, unless specifically authorized. “PROTECTED B” information shall be stored, processed or communicated using approved GoC standards.

3.8 COMPUTER SECURITY

3.8.1 Hardware Security - Controls

Diagrams of the current hardware configuration, identifying all hardware units and interconnections (e.g. CPU, peripheral devices, channels, controllers, etc.), shall be maintained and reviewed annually by DIR. IM/IT OPS., or when changes are made.

3.8.2 Minimum Hardware Configuration

Where availability is a concern, the DIR. IM/IT OPS. shall identify and document the current minimum hardware configuration to support critical applications. DIR. IM/IT OPS. shall keep a current copy of the hardware records (both operational and the critical minimum hardware configurations) at an off-site location.

3.8.3 Removable USB Storage Devices

Removable Universal Serial Bus (USB) Storage devices are permitted on CFMWS Electronic Networks (CFMWS EN) provided the following procedures are followed:

a. when the USB storage device is used on a Classified IS, or for a designation of PA (PB and above), it must be afforded the same storage and handling as that afforded to documents of the same classification/designation. This means that the USB storage device cannot be carried around on a member's key chain;

b. they are not used on networks of different classification/designation levels;

c. the acquisition of these devices must be documented and approved through IS Procurement; and

d. the user signs a statement stating that they will follow these established procedures. Organizations may stipulate more stringent restrictions but the above procedures shall be used as a minimum.

3.8.4 Minimum Security Standards Office of Primary Interest (OPI)

The CFMWS Information Technology Security Officer must be consulted for more details on the minimum security standards to be implemented for systems with confidentiality, integrity, accountability and/or availability concerns.

3.8.5 Software Security

a. Development: To the degree practical and feasible, all acquired software should be examined for viruses, logic bombs or other malicious code;

b. Software: Only software that has been acquired or approved by DGMWS or the CFMWS IM Configuration Control Board (IMCCB) through the Request For Change (RFC) process shall be used on CFMWS IS;

c. Software License/Copyright: Violations of software licenses can lead to litigation against CFMWS and the person(s) responsible for the violation. Licensed software shall not be copied or used in any other manner than that allowed by the license; and

d. Peer to Peer Software: Peer-to-Peer software is not authorized on any CFMWS IS. Peer-to-Peer software is the source of many incidents of malicious code and spam mail distribution. (Examples of Peer-to-Peer software are: Kazaa, Morpheus, LimeWire, Napster, WinMX, iMesh, Gnutella, etc.)

3.9 SECURITY PROCEDURES FOR REMOTE ACCESS

3.9.1 General

The requirement for remote access to the network creates unique problems when ensuring that the network is properly protected. The procedures in Para 3.9.2 and 3.9.3 provide the steps for authorized use of remote access to CFMWS IS.


3.9.2 Granting of Remote Access

Employee remote access shall be provided; however, the business must determine where limitation is possible and provide Access Control Lists, since the Government Security Policy (GSP) holds each department accountable for safeguarding the information and assets entrusted to it. In addition, such a control must be continually updated and reviewed at least once a year to enforce CFMWS IS security.

3.9.3 Rules for Remote Access

Once authorized for remote access, the user shall abide by the following rules:

a. workstations or laptops designated for remote access to the CFMWS IS must use an authorized network access process; i.e. connect.cfpsa.com;

b. immediately terminate the connection when no longer required;

c. a CFMWS approved anti-virus software product shall be installed and kept up-to-date (weekly updates) on the workstation or laptop;

d. the workstation/laptop must be CFMWS owned and for the sole use of the employee;

e. the user shall not share the remote access capability, nor the passwords, with any other individual; and

f. submit the equipment, upon request, for a technical inspection by the ISSO.

3.10 SECURITY PROCEDURES FOR USERS OF PORTABLE COMPUTERS

3.10.1 General

All users who are authorized to have a portable computer for work purposes will adhere to the security procedures. ISSOs will ensure that users have been briefed and have signed a security form.

3.10.2 User Responsibilities

The user must sign for the computer and return it when no longer required for CFMWS use. It is the responsibility of that user to act with due care in regards to the safety of the device until it is returned to CFMWS ITSS. This responsibility includes the following:

a. CFMWS ITSS staff will maintain a checkout/check in system that provides a physical record at minimum of the user, serial number and the asset number assigned by the business;

b. the portable computer is an attractive item; it must be physically secured when not in use, regardless of the sensitivity of the data. The computer must be in a locked area when not in the user's possession. Care must be taken at all times to provide proper protection for laptops. Hotel/motel rooms are not considered secure areas and a portable computer should not be left unattended. It shall be locked in luggage, stored in a hotel/motel secure lock-up, or locked with a secure cable;

c. access to laptops and associated media that process classified or designated information must be secured IAW the highest level being processed;

d. access to laptops must be restricted at all times to authorized users with the appropriate security clearance and a need to know;

e. a portable computer must not be left unattended when in public view and is to be carried by the user at all times. It is never left in a vehicle where it is visible from the outside. Storing the computer in the vehicle trunk is acceptable;

f. a portable computer must not be checked as baggage when travelling by rail, plane or bus;

g. the serial number of the computer must be recorded by the user so that, in the event of theft, a full report may be made to the nearest Military Police Unit, to the local ISSO and, if the theft occurred outside of CFMWS premises, to the nearest local Police;

h. all data files shall be stored on removable media as a backup in case of computer failure. The removable media must be stored in a different location than the computer;

i. only CFMWS owned and authorized software will be used with the computer;

j. prior to returning to the CFMWS ITSS, the hard drive should be purged of all non-essential data files; and

k. when travelling by air, the computer battery must be sufficiently charged to permit a security inspection where required by airport security staff.

3.10.3 User Accountability

The user is responsible to comply with the above procedures. If the user is found to have been negligent, then the user will be held accountable.

3.10.4 Reporting of Incident

In the event of damage to the computer, the circumstances are to be reported as soon as possible to the ISSO, who will inform the CFMWS Information Technology Security Officer. Theft and loss of CFMWS owned or leased computers or equipment must be reported to the MP Coy and, if applicable, to the civilian police as soon as discovered, and also reported to the ISSO upon return to the usual place of work/duty.

OPI: CFMWS Information Technology Security Officer


CFMWS IS SECUR ORDERS - Chapter 3

3.11 USE OF PORTABLE (NON-ISSUED) DEVICES

3.11.1 General

Portable (non-issued) devices shall be used as stand-alone units unless authorized, through Change Management, to be linked with CFMWS IS. Approved devices will comply with the following:

a. the equipment shall be identified to ITSS;

b. the Operating System will be kept up to date;

c. Anti-Virus software must be installed and kept current; and

d. where required, a security review of the device may be performed.

3.11.2 Rules for Processing Classified/Designated Information

Portable computers may be utilized to process classified/designated information provided they are secured when they are not in use according to the requirements for the classified/designated information being processed (i.e. processing "Classified" information requires the hard drive to be secured when not in use). Portable computers that process classified information cannot connect to the NPF WAN. Portable computers that process classified/designated information cannot connect to the Internet.

3.12 USE OF MOBILE DEVICES

3.12.1 General

The acceptable use of palmtops is similar to that of laptops with fixed hard drives. The common weakness of these devices is the lack of assurance that the computer media is adequately clean of undesired software or sensitive information.

3.12.2 Rules for Mobile Device Acquisition and Use

ISSOs are responsible for the proper control of mobile devices and shall ensure that:

a. the user should have a clear requirement for the device;

b. only CFMWS purchased mobile devices shall be used on CFMWS IS unless previously approved by the Dir. IM/IT Ops;

c. access control features shall be activated;

d. users shall use random passwords that meet the requirements defined in the NPP Password Policy unless the specific device is unable to support them, in which case data confidentiality will be evaluated;

e. communication between a mobile device and a classified workstation/network is strictly forbidden;

f. only UNCLASSIFIED and PROTECTED A information may be processed on mobile devices;


g. users shall not install any freeware, shareware, or evaluation software on any CFMWS issued mobile device. All software must be CFMWS purchased, approved and properly licensed;

h. authorized users of mobile devices shall be identified and documented in a register or an Access Control List;

i. mobile devices shall be labelled appropriately (asset number and designation level commensurate with data sensitivity);

j. anti-virus software must be installed and kept current on supporting devices;

k. two-way communication by wire and/or wireless (Bluetooth) between the specified user workstation and the mobile device is authorized;

l. the physical protection of a mobile device shall be commensurate with the sensitivity of the information it processes; and

m. security incidents will be reported to the CFMWS Information Technology Security Officer for investigations.

3.13 COMMUNICATIONS SECURITY

3.13.1 Facsimile (FAX) Machines

FAX machines are subject to COMSEC standards and policies.

3.13.2 Modems

Dial-in/out modems constitute a serious threat to the CFMWS IS. The unauthorised use of a modem can negatively impact the accredited security posture of the system. The use of modems for connections to an IS or assets shall only be authorised in situations where conditions provide a manageable risk. Change Management must approve any request for a modem.

3.13.3 Network Security

Before any system connection is made, the security impact of the proposed connection should be assessed through the C&A process. Any security measures implemented must effectively restrict user access to information and assets for which the user has been screened and has an authorised need-to-know. Any connection (on/off-line) of a system to any of the following systems can result in a potentially serious risk to the approved security posture of that system:

a. Other Systems: The approved security posture of other systems shall be evaluated, and the requisite security measures for the connection put in place, before any connectivity with CFMWS IS is authorised;

b. Other Canadian Government Systems: In addition to sub-para a, a Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) must be formalised to address the required security posture of the system, including security responsibilities and accountability. The MOU/MOA must also define responsibilities and procedures for handling security incidents, violations and breaches;

c. Contractor Systems: All on-line/off-line connection requirements must be detailed in the contract document. Security requirements related to the connection must also be fully detailed and shall adhere to the CFMWS IS security policies embodied within the Security Requirements Checklist (SRCL). If sensitive information or assets are involved, then the contractor must have a "security cleared facility" that meets PWGSC industrial security requirements. Even if the requirement is only for the contractor to have remote terminal or on-site access to a CFMWS IS, all security requirements and contractor security responsibilities must be stated in the contract document; and

d. Private/Public Systems: such connections to CFMWS IS may only be permitted when Accreditation approval is granted.

3.13.4 A/B or KVM Switches

Unless specifically authorised by the CFMWS Information Technology Security Officer, A/B or KVM switches shall not be used to bridge networks. A/B switches are permitted to share printers on the same network, while KVM switches are used to switch monitor, keyboard and mouse between computers/networks. (Note: KVM switches between Unclassified/Designated and Classified networks must be authorized through the CFMWS Information Technology Security Officer.)

3.13.5 Network Security Measures

The minimum approved technical and non-technical security measures selected and implemented shall ensure the proper level of confidentiality, integrity, accountability and availability for the information and assets involved. Any technical security measures selected must be approved by the CFMWS Information Technology Security Officer.

3.13.6 Interim Authority to Process

An Interim Authority to Process (IAP) is issued by the Accreditation Authority to electronically link accredited systems to non-accredited environments. The Operational Authority of the accredited system should be consulted before any "Authorisation to Process" is considered, especially since any connection could alter the approved security posture of the accredited system, thus requiring IS "re-accreditation".


3.13.7 Interim Authority to Process - Request Procedures

Any requirement for IS inter-connection, as identified above, must first be approved and submitted by the respective Operational Authority. The Operational Authority for the system involved shall submit the IAP request to the CFMWS IS Security Office.

3.13.8 Change Authority (CA) Responsibilities

To support an IAP request, the system CA requiring the connection shall ensure that the request includes the most current approved system configuration, and any other documentation necessary to establish the system security posture.

3.13.9 DIR. IM/IT OPS. Responsibilities

DIR. IM/IT OPS. shall co-ordinate the security requirements and activities related to the IAP request, including:

a. liaising with the security staff of the system to which connection is requested;

b. co-ordinating required security approval requests;

c. confirming the sensitivity levels of the information and assets involved;

d. conducting a TRA, if necessary, to determine the security impacts and the residual risk to CFMWS information and assets; and

e. ensuring that all system connections are identified and adequately secured.

3.14 DISPOSAL OF INFORMATION TECHNOLOGY (IT) MEDIA

The disposal of sensitive information technology (IT) media will be carried out in accordance with the CFMWS Security Policy.

3.15 EMERGENCY DESTRUCTION PLAN

The Operational Authorities shall ensure that classified and designated IS components and media are identified in the unit/organization Emergency Destruction Plans. Emergency Destruction Plans shall be prepared for all IS handling sensitive information and sensitive assets located in high risk areas.

3.16 DATA INTEGRITY

3.16.1 General

To ensure the required level of accuracy, completeness and dependability of programs, services and information handled by an IS, all data entered in the IS shall have an authorised, identifiable origin and shall be controlled on the basis of assigned privileges (e.g. read, write, append, delete).


3.16.2 Rules for Removable Storage Media

Removable storage devices (USB, Floppy, CD/DVD) are permitted on CFMWS IS provided users adhere to the following procedures:

a. media must be CFMWS owned and used for CFMWS business only;

b. removable USB storage media (e.g. flash drives, memory sticks, compact flash, smart media etc.) in the control of a user must be secured when not in use. Removable USB storage media should also be labelled to identify their content;

c. the acquisition of these devices must be documented, approved through procurement and the user must agree that they will follow the established procedures; and

d. new technology for storage media is continually being developed. Before any new USB storage media is used on CFMWS IS, it shall be requested through procurement and approved through the Change Management process.

3.17 INFORMATION SYSTEMS - EXCEEDING SECURITY LIMITATIONS

The Operational Authority shall not permit any information or material of a sensitivity level higher than the level documented for that particular network, as identified through the C&A process and accepted by the Accreditation Authority.

3.18 ELECTRONIC MAIL

3.18.1 General

In addition to any CFMWS required confidentiality protection measures, all e-mail traffic shall be provided the requisite level of integrity and availability protection, commensurate with its nature and importance to the conduct of CFMWS business. Unlike signed paper documents, standard e-mail systems provide no legal electronic means for identifying and authenticating the originator, the originator's authority, the sender, or the authorised recipient of committal e-mail. All committal e-mail must be authorised and authenticated using Government of Canada approved Electronic Authorization and Authentication (EAA) mechanisms (e.g. digital signature, PKI). Where technological solutions for EAA may be temporarily impracticable, users must implement the following:

a. Authorisation/Authentication: All committal e-mail (as for messages) must be authorised by a designated releasing/approving authority as detailed in Annex A of Information Holdings Directive 1/94 - The Management of Electronic Mail. The releasing/approving authority shall sign a hard copy of the committal e-mail document and forward it to the originator's Central Registry (CR) for filing and authentication purposes; and


b. Verification of Receipt: The originator of a committal e-mail will make use of the existing e-mail verification capability (e.g. the "return receipt requested" function) normally provided as an e-mail feature. (Users are cautioned that there are known vulnerabilities which make this capability unreliable.)

3.18.2 Improper Use

Unauthorised access, abuse or misuse, including reading another person's e-mail, sending jokes, or mass/chain mailing, constitutes improper use of the system and may lead to administrative and/or disciplinary action. The CFMWS IS Security Office will regularly audit e-mail systems to ensure compliance with these orders.

3.19 PROBLEM REPORTING

To permit trend analysis and assessment of the impact on IS security and functionality, DIR. IM/IT OPS. support staff shall develop, document and implement procedures for reporting, recording, tracking and resolving IS technology problems. Records of problems and their resolutions should be retained for a period of one year. At a minimum, the time, date and nature of problems shall be recorded. IS hardware, software and any other problems that could affect security shall be immediately reported to the CFMWS Information Technology Security Officer.

3.20 OPERATIONS SECURITY

3.20.1 Separation of Duties - General

Whenever practical, IS responsibilities should be separated in such a way that no individual has complete control over related critical IS operations. The following duties shall be assigned to different individuals:

a. programming;

b. equipment operation;

c. testing;

d. production; and

e. system management.

If the suggested separation of duties is not practical, a higher risk to system protection will result, and this risk would have to be accepted by the Operational Authority through C&A.

3.20.2 Privileged User Access

Users with privileged access must have the appropriate skills and have their activities monitored to ensure that the appropriate level of security is maintained during their periods of access. Departmental supervisors shall keep an up-to-date list of all employees with privileged access, and ensure a copy is sent to the CFMWS Information Technology Security Officer.


3.20.3 ISSO Roles

a. Tiers: The following is a brief summary of the individual ISSO roles as defined by their purview levels:

(1) Site ISSO (Local Purview - Undefined IS): is physically at the location, or has the ability to travel to and from it on short notice;

(2) IS National ISSO (Multisite Purview - Single Defined IS): operates to functionally coordinate security activities where an IS is considered to impact multiple Site ISSOs; and

(3) CFMWS ISSO (Oversight Purview - Multi IS): oversees National ISSOs to define IS security.

b. Considerations: An ISSO may hold purview at multiple levels; for example, the CFMWS Information Technology Security Officer serves as the CFMWS ISSO, the NPPNet National ISSO and the 4210 Labelle Site ISSO. Although an individual may be a multi-level ISSO, the same person shall not, for a particular IS, hold any Site, National or CFMWS ISSO position and in addition be considered the CA unless supervised. Where locations cannot support an independent Site ISSO due to lack of personnel resources, supervision will be provided by a National ISSO and/or the CFMWS ISSO in order to confirm that conflict of interest has been addressed.

c. Reporting: ISSOs shall function using the following chain of command (any exception is to be granted by the CFMWS Information Technology Security Office):

(1) each location shall have a designated Site ISSO;

(2) Site ISSOs shall report to the subject IS National ISSO;

(3) the IS National ISSOs shall report to the CFMWS ISSO; and

(4) the CFMWS ISSO is responsible to report to the DGMWS.

3.20.4 System/User Access and Authorization

a. Access Controls: Access to IS shall be enforced by physical security means and by the system's identification and authentication (user ID and password) mechanisms. Everyone accessing CFMWS IS must, at a minimum, have an Enhanced Reliability Check (ERC). All CFMWS IS users must also receive an annual security briefing and sign the IS Security Office Security Awareness Briefing form found at Appendix 1;

b. Access Warning: Each system shall display a warning at log-on that informs the user of the following:

(1) the system is subject to security monitoring and audit;

(2) the system shall only be used for authorised functions; and

(3) any user who conducts unauthorised or unlawful activities on the system is subject to legal and/or administrative sanctions.

c. Log-on Screens: Log-on screens shall not identify the system or its functionality until the user has successfully logged on. The log-on screens shall not provide any greeting that could be construed as a "right to access";

d. System Management/Administration Access Authorisation: Privileged users such as custodians, ISSOs and system operators shall be assigned unique, separate accounts and assigned only those privileges needed to carry out their duties;

e. User Access Authorisation: The CA shall only grant access to a system or assets to those users whose privileges and authorised need-to-know have been approved by the Operational Authority. The user must also have, at a minimum, a valid and verified Enhanced Reliability Check (ERC);

f. IS Security Awareness Briefing: Users granted access to any CFMWS IS shall receive yearly IS Security Office Security Awareness Briefings to ensure that CFMWS IS Security Orders are read and understood. The "CFMWS IS Security Office Security Awareness Briefing" form found at Appendix 1 must be signed by all CFMWS IS users and a copy sent to the CFMWS IS Security Office section;

g. Guest Users Access: Maintenance and administrative accounts shall be controlled by the CA. Guest users (i.e. contractors and others) shall not be allowed to log on to these accounts. Access shall be granted through a unique account that allows only those privileges required to perform the authorised duties. Guest access must be authorised by the CA. Guest activities are to be monitored and audited and a record of access shall be maintained. Any guest is required to have a commensurate security screening level that has been verified by the ISSO or delegate and to have signed the appropriate acceptable use agreement;

h. Account Management: All users shall be assigned a unique account, which identifies the user and requires a password to gain access to the IS;

i. Invalid Log-in: Where the capability is available, a user's login shall be disabled after a maximum of three (3) consecutive failed login attempts;

j. Unattended Workstation: Users must either lock or logoff their workstation whenever leaving the workstation area unattended;


k. Extended Login: All users shall shut down or log off at the end of each day;

l. Password Management: All CFMWS IS shall use access control through password and username authentication. The password is the secret word that identifies the person specified by the username. Passwords shall be known only by the user and not shared with anyone for any reason. The password is to be safeguarded as Confidential at a minimum; and

m. Password Generation: All CFMWS IS shall use an approved Identification and Authentication (I&A) capability. At a minimum, the password shall:

(1) consist of ten characters (mix of upper & lower case letters, numbers and symbols preferred);

(2) be changeable by the user, and safeguarded as Confidential data;

(3) be changed when the user no longer requires authorised access (posting, job change, release, etc.), or upon suspected/likely compromise of the password, and quarterly;

(4) not be communicated in plain text over the system;

(6) not be accessed or used by another user;

(a) Password Override: The system configuration shall be set to permit the custodian or ISSO the capability to override a user password should it become necessary; and

(b) Override Recording: Whenever a user password must be overridden or accessed by a custodian or ISSO, the event shall be logged by the system or, at a minimum, the time, date and reason for the access shall be manually recorded by the custodian or ISSO, and a report sent to the CFMWS IS Security Office section.
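As an added illustration of paragraphs i, l and m above (example code, not part of these orders and not from any CFMWS system), the following Python models the three-failure lockout, the ten-character minimum, the quarterly change and the logged custodian/ISSO override. The 90-day reading of "quarterly", the class and function names, and the salted PBKDF2 storage of the credential are assumptions.

```python
"""Added example, not part of the CFMWS orders: a model of the account
controls in 3.20.4 (i), (l) and (m).  Names are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import secrets
import string

MAX_FAILED_ATTEMPTS = 3                 # 3.20.4 i
MIN_PASSWORD_LENGTH = 10                # 3.20.4 m(1)
MAX_PASSWORD_AGE = timedelta(days=90)   # "quarterly" in m(3), taken as 90 days


def password_meets_policy(password: str) -> bool:
    """Ten characters minimum; a mix of character classes is preferred,
    not mandated, so length is the only hard check here."""
    return len(password) >= MIN_PASSWORD_LENGTH


def _derive(password: str, salt: bytes) -> bytes:
    # Stored form is a salted PBKDF2 digest, so the credential store never
    # holds the password in plain text (m(4)).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_on: date
    failed_attempts: int = 0
    disabled: bool = False
    overrides: list = field(default_factory=list)   # m(b) audit records

    @classmethod
    def create(cls, username: str, password: str, today: date) -> "Account":
        if not password_meets_policy(password):
            raise ValueError("password shorter than policy minimum")
        salt = secrets.token_bytes(16)
        return cls(username, salt, _derive(password, salt), today)

    def password_expired(self, today: date) -> bool:
        return today - self.password_set_on >= MAX_PASSWORD_AGE

    def login(self, password: str, today: date) -> str:
        """Returns 'ok', 'expired', 'denied' or 'disabled'."""
        if self.disabled:
            return "disabled"
        if not hmac.compare_digest(_derive(password, self.salt), self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.disabled = True        # (i): third failure disables
                return "disabled"
            return "denied"
        self.failed_attempts = 0            # a good log-in resets the count
        if self.password_expired(today):
            return "expired"                # must be changed before use (m(3))
        return "ok"

    def change_password(self, new_password: str, today: date) -> None:
        if not password_meets_policy(new_password):
            raise ValueError("password shorter than policy minimum")
        self.salt = secrets.token_bytes(16)
        self.digest = _derive(new_password, self.salt)
        self.password_set_on = today
        self.failed_attempts = 0

    def override_password(self, actor: str, reason: str, today: date) -> str:
        """Custodian/ISSO override (m(a)): issue a random temporary password,
        re-enable the account, and record who, when and why (m(b))."""
        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(12))
        self.change_password(temp, today)
        self.disabled = False
        # Back-date the set date so the temporary password is already expired
        # and the user is forced to choose their own at the next log-in.
        self.password_set_on = today - MAX_PASSWORD_AGE
        self.overrides.append({"date": today.isoformat(), "by": actor,
                               "user": self.username, "reason": reason})
        return temp


def policy_walkthrough() -> list:
    """Constructed scenario: three bad log-ins, an ISSO override, a forced
    change, then quarterly expiry.  Returns the sequence of outcomes."""
    today = date(2016, 4, 5)
    acct = Account.create("jsmith", "correct horse battery", today)
    outcomes = [acct.login("wrong guess", today) for _ in range(3)]
    temp = acct.override_password("site-isso", "user locked out", today)
    outcomes.append(acct.login(temp, today))
    acct.change_password("new password 2016", today)
    outcomes.append(acct.login("new password 2016", today))
    outcomes.append(acct.login("new password 2016", today + timedelta(days=90)))
    return outcomes
```

Running `policy_walkthrough()` shows the account disabled on the third failure, the override forcing a change at the next log-in, and the same password rejected again 90 days later.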

3.21 MALICIOUS SOFTWARE

3.21.1 Description

Malicious software (Malware) is any software containing unauthorized code that can intentionally or unintentionally:

a. modify, change, or delete programs or data;

b. cause legitimate programs to behave in an unauthorised or unwanted manner; or

c. permit unauthorised user access to programs or data.

Malware includes, but is not limited to, hacking/cracking utilities, and malicious code that contains viruses, Trojan horses, and worms.


3.21.2 Mechanisms of Infection

Malware can be introduced to an IS through various methods such as:

a. in shrink-wrapped software;

b. in software downloaded from questionable sources on the Internet; and

c. from public access bulletin boards.

The most common methods of introducing malicious software onto CFMWS systems are through legitimate users and contract maintenance personnel using unauthorised software (often in the form of games, peer-to-peer software, jokes, chain mail and inappropriate Internet websites) and/or contaminated media.

3.21.3 Vulnerabilities

Malware can have serious detrimental effects on the confidentiality, integrity and availability of information systems, including system assets. Malware can be the cause of a Distributed Denial of Service (DDoS) attack on CFMWS systems and can be used to attack other systems. Malware is widely used by black hat hackers/crackers to gain unauthorized and/or illegal access to IS.

3.21.4 Protective Measures

To reduce the risks of Malware vulnerabilities to IS and assets, the following minimal prevention measures shall be used:

a. system configuration, installation and application software development shall be controlled through the RFC process;

b. only software that has been approved by CFMWS shall be installed on CFMWS IS;

c. software under development or testing shall not be installed on operational systems;

d. current system backups of applications and data shall be maintained and tested to ensure that the system and/or data can be safely restored in a timely manner;

e. each system shall be equipped with an approved anti-virus software and configured at a minimum to scan all files on all fixed disks, including memory areas and boot sectors, and removable storage media;

f. where applicable, OS checksum or integrity checking features shall be activated. These features maintain a binary total of characters in the program files. If a file is changed, the system issues a warning;

g. the CA shall ensure that the CFMWS approved anti-virus software configuration is applied and maintained;


h. users of CFMWS IS shall not use unauthorised software or media on any IS; and

i. users shall be accountable for introducing Malware to an IS.
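As an added illustration of measure f above (example code, not CFMWS tooling), the following Python takes a baseline of program files and later re-checks it. SHA-256 is substituted for the simple character total the orders describe, because a plain total is blind to changes that cancel out (two bytes swapped); the file suffixes, paths and contents are constructed for the demonstration.

```python
"""Added example, not the orders' own tooling: the integrity-checking idea
in 3.21.4 f as a baseline-and-verify pass over program files.  SHA-256 is
used in place of a plain character total (an assumption)."""
import hashlib
import tempfile
from pathlib import Path

PROGRAM_SUFFIXES = (".exe", ".dll", ".sys")   # assumed set of "program files"


def char_total(data: bytes) -> int:
    """The weak form the orders describe: a binary total of the bytes."""
    return sum(data)


def file_digest(path: Path) -> str:
    """SHA-256 of the file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Digest of every program file under root, keyed by relative POSIX path.
    Keep the result where the protected system cannot rewrite it."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES}


def verify(root: Path, baseline: dict) -> dict:
    """Re-scan and report what changed, went missing or newly appeared."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline
                          if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario in a temporary directory: take a baseline, then
    transpose two bytes in one program, delete another and drop in a new one."""
    original = b"MZ\x90\x00original program"
    tampered = b"MZ\x90\x00original porgram"   # same bytes, two of them swapped
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(original)
        (root / "bin" / "helper.dll").write_bytes(b"MZ\x90\x00helper")
        (root / "readme.txt").write_bytes(b"not a program file, ignored")
        baseline = build_baseline(root)
        (root / "bin" / "app.exe").write_bytes(tampered)
        (root / "bin" / "helper.dll").unlink()
        (root / "bin" / "extra.exe").write_bytes(b"MZ\x90\x00unexpected")
        report = verify(root, baseline)
    # The plain total cannot see the transposition; the digest can.
    report["plain_total_detects_change"] = char_total(original) != char_total(tampered)
    return report
```

`demo()` reports `bin/app.exe` as changed, `bin/helper.dll` as missing and `bin/extra.exe` as added, while the plain total of `app.exe` is identical before and after the tampering.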

3.21.5 Malware Incident Handling & Reporting

Malware incidents, other than malicious code incidents, shall be immediately reported to the CFMWS IS Security Office and the Site ISSO. The CFMWS IS Security Office will allocate the resources to investigate and resolve the incident, including isolating the system if necessary to prevent further infection. The investigator will report findings to the CFMWS Information Technology Security Officer. The MP Coy will assist the CFMWS Information Technology Security Officer in dealing with these incidents.

3.21.6 Malicious Code Incident Handling & Reporting

All malicious code incidents will be reported immediately to ITSS, through which the Virus Incident Response Team (VIRT) will be activated. Every incident will be handled by a VIRT member and reported to the VIRT Leader using the VIR form (see Appendix 2). Further investigation may result from the VIR.

The VIRT Leader will provide statistical reports to the CFMWS Critical Incident Response Team (CIRT) through the Chain of Command.

3.22 REPORTING OF SECURITY BREACHES AND VIOLATIONS

3.22.1 Incidents

All security incidents shall be reported to the CFMWS Service Desk. The CFMWS IS Security Office will be informed when an incident is of a serious nature. The CFMWS Service Desk or CFMWS IS Security Office, with the assistance of the ISM, will investigate and determine what vulnerabilities may have been created by the incident, the threat posed, and the corrective action required.

3.22.2 Incident Reporting

All security violations and breaches shall be promptly reported to the ISSO, the CFMWS Information Technology Security Officer and the CA. The reporting will facilitate immediate assessment and the remedial action required to reduce adverse effects and prevent recurrence. The ISSO shall report the incident to the CFMWS Information Technology Security Officer immediately upon identification of incidents.

3.22.3 Failure to Report

Unreported violations and other incidents or conditions that threaten or potentially threaten the security of CFMWS can be far more dangerous than those that are reported. Failure to report or delays in reporting incidents may result in continued exposure to compromise and aggravate an already undesirable situation. Failure to report will result in appropriate administrative/disciplinary action.

3.23 DISASTER RECOVERY AND CONTINGENCY PLANS

3.23.1 Disaster Recovery and Contingency Planning

Operational Authorities are responsible for developing, maintaining and testing an overall disaster recovery and contingency plan for their IS. Plans shall be developed, documented and maintained to ensure the essential level of service will be provided following any loss of processing capability or destruction of the facility. A copy of each plan shall be forwarded to the CFMWS Information Technology Security Officer when completed. Plans shall be based on a TRA, to establish an effective response to:

a. the likelihood of a natural, accidental or deliberate threat occurring;

b. the criticality of the services provided by the IS;

c. the impact should a disaster occur; and

d. essential levels of services required to sustain essential operations, including their priority.

3.23.2 Disaster Recovery and Contingency Plan Considerations

Plans shall cover on-site and off-site recovery and minimally consider:

a. recovery from failure of the IS and information resources;

b. relocation of system services following destruction of the facility normally providing those services;

c. forced evacuation of the facility;

d. public and private sector strikes; and

e. loss of critical support systems.

3.23.3 Non-CFMWS Facilities Requirements

Where plans require the use of facilities not under CFMWS control, formal agreements or contracts for the use of such facilities shall be established and reviewed annually. Plans shall include the identification of essential systems, information resources, and personnel. Planned responses to contingencies should not compromise confidentiality or integrity requirements.

3.23.4 Plan Storage

Copies of all contingency plans, procedures and agreements shall be maintained in at least two geographically separate locations. A copy will be provided to the CFMWS Information Technology Security Officer when completed and whenever amended.


3.23.5 Critical Human Resources

There should be sufficient personnel to ensure the confidentiality, integrity and availability of critical information systems. Up-to-date lists of the personnel required to support an essential level of service must be part of the contingency plans, and a copy of the list sent to the CFMWS Information Technology Security Officer. Personnel identified to take an active role in contingency situations shall receive training in their assigned duties.

3.23.6 Critical Items

All critical operational IS data, resources, and assets required to provide the minimum essential level of service (defined in the IS contingency plan) shall be stored at an off-site location. These items should include, but not be limited to:

a. an index of the resources which are stored off-site;

b. OS software;

c. applications system software;

d. utilities;

e. data;

f. documentation;

g. passwords; and

h. forms.

3.23.7 Contingency Plan Review Standards

The operational requirements of the IS contingency plan shall be reviewed annually to ensure that all critical operational components, materials and resources have been identified. An index of the resources that are stored off-site should also be reviewed annually and should include, but not be limited to:

a. identification of the resources and data; and

b. names of the owners of the data.

3.23.8 Evacuation Procedures

Evacuation procedures for all IS areas shall be developed, documented and disseminated. Procedures shall ensure that appropriate security is maintained throughout the evacuation. The Operational Authority shall ensure that security and emergency measures are compatible and mutually supportive.

3.23.9 Back-up Requirements

The Dir. IM/IT Ops. shall ensure that backup copies of all system software, configurations, applications and data are tested before they are stored at the off-site location, to minimize the risk of loss. Users shall maintain current back-ups of all data stored on their workstations.


ANNEX A - CFMWS ISSO TERMS OF REFERENCE

1. General

The CFMWS ISSO is key to effective IS security and essential in the enforcement of CFMWS IS conditions of accreditation. As a condition of accreditation, the DGMWS appoints the CFMWS Information Technology Security Officer as the CFMWS ISSO.

2. Qualifications

The CFMWS ISSO, who is the DG's primary advisor concerning information security, shall be knowledgeable in both system management and the implementation of IS security safeguards.

3. Accountability

The CFMWS ISSO is accountable to the DGMWS and responsible to enforce conditions of accreditation for all CFMWS IS.

4. Responsibilities

The CFMWS ISSO is responsible to manage the CFMWS IS security programs by:

a. enforcing, maintaining, updating, and disseminating the CFMWS IS Security Orders;

b. ensuring that users have access to a current copy of the CFMWS IS Security Orders;

c. maintaining CFMWS IS security records, including all Accreditation letters, individual site audit records, and IS Security Change Tracking documents;

d. participating in IS configuration management with Dir. IM/IT Operations to provide advice as required for all changes to the IS;

e. developing and maintaining Disaster Recovery and Contingency Plans with the CFMWS IS support staff;

f. maintaining liaison with all ISSOs to ensure a common IS security posture is maintained;

g. conducting IS security audits of sites with the assistance of local ISSOs as required;

h. conducting security incident investigations on CFMWS IS and advising the Chain of Command as required;

i. remaining knowledgeable in all aspects of IS security, with specific expertise in the C&A guidelines; and

j. coordinating an IS security training and awareness program.


ANNEX B - DEFINITIONS

Most of the key terms and their definitions used throughout this document have been taken from the GSP, TSB Security Related Policies, and the DND Information Management glossary, including relevant allied publications in use within the department.

Accountability: Relationship based on the obligation to answer for the exercise of responsibilities conferred (DGA). The process ensuring that security relevant events in a product are attributable to a user. (CTCPEC)

Accreditation: The management approval to operate an IS.

Assurance: The degree of confidence that a product correctly implements its security policy. (CTCPEC) Assurance is established through the evaluation of the product's security features and capabilities against an approved criterion by a government-authorised evaluation agency (e.g. CSE in Canada, NCSC in the USA and the CLEFs in the UK).

Authorized Users: Are those employees who are approved to access the CFMWS IS.

Authorized Software: Is software that originates from commercial software vendors, contractors, or software developed within CFMWS that is licensed to, and purchased by CFMWS.

Authorization to Communicate: Approval issued by the AA for two or more independent IS, or assets, to communicate under specified security conditions. Before authorisation can be granted, the connection must satisfy CFMWS ITSEC connectivity concerns. Such concerns include the connection of two or more independent systems with different security postures, and the possibility that connecting systems with similar security postures increases the aggregated sensitivity level of their data, thereby affecting the overall security posture of the connected systems.

Availability: The condition of being usable on demand to support business functions. (GSP)

Certification: The technical and non-technical review of the safeguards for an IS. This includes the configuration of a system, cabling, etc.

Classified Assets: Information important to the nation that therefore warrants safeguarding. In this context, the expression "importance to the nation" must be linked to the injury test provided under the definitions for Top Secret, Secret and Confidential. (GSP)

Classified Information: Information related to the national interest that may qualify for an exemption or exclusion under the Access to Information Act and the compromise of which would reasonably be expected to cause injury to the national interest. (GSP)


COMSEC Material: All documents, cryptographic material, aids, devices or equipment associated with securing or authenticating telecommunications.

Communication Security (COMSEC): Communications security concerns protecting information transmitted electronically, and guarding against the detection and interpretation of electromagnetic emanations from information technology equipment. (GSP). Measures include Emission (EMSEC), Transmission (TRANSEC) and Cryptographic (CRYPTOSEC) Security.

Committal e-mail: Any communication of record used for the purpose of committing resources of an organisation or for declaring the position or opinion of an organisation on any subject or issue. This form of correspondence may alternatively be referred to as "formal" or "organisational" correspondence and may include signed letters, memoranda, minutes, formatted messages, and operations orders for the purpose of:

a. command and control;
b. operations;
c. operations support; and/or
d. administration. (Information Holdings Directive 1/94, The Management of Electronic Mail)

Community of Interest (COI): A Community of Interest exists when all users in a user group or user groups accessing an IS are mutually acceptable to each other. (DCID 1/16)

Compromise: Unauthorised disclosure, destruction, removal, modification or interruption. (GSP)

Computer forensics: The scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law. The subject matter includes:

a. the secure collection of computer data;
b. the examination of suspect data to determine details such as origin and content;
c. the presentation of computer based information to courts of law; and
d. the application of a country's laws to computer practice.

Computer Security (COMPUSEC): The protection resulting from measures designed to prevent deliberate or inadvertent unauthorised disclosure, acquisition, manipulation, modification, or loss of information contained in a computer system, as well as measures designed to prevent denial of authorised use of the system. (GSP)

Confidentiality: The sensitivity of information or assets to unauthorised disclosure, recorded as classification or designation, each of which implies a degree of injury should unauthorised disclosure occur. (GSP)


Configuration Management: A discipline applying technical and administrative direction and surveillance to:

a. identify and document the functional and physical characteristics of Configuration Items (CIs);
b. audit the CIs' conformance to specifications, interface documents and other contract requirements;
c. control change to CIs and their related documents; and
d. record and report information needed to manage CIs effectively, including the status of proposed changes and the implementation status of approved changes. (MIL-STD-973, 17 Apr 92)

Data: Refers to information of any type, created, used, maintained or stored by an IS resource, including electronic and magnetic representation of information.

Designated Assets: Assets, other than information, that have been identified by the department as being important to operations by virtue of the function performed, or as being valuable and therefore warrant safeguarding. For example, cash and other negotiable items, and IS that require protection to ensure the integrity and availability of the information stored in them. (GSP)

Designated Information: Information related to other than the national interest that may qualify for an exemption or exclusion under the Access to Information Act. (GSP)

Electronic Authentication: The process by which an electronic authorisation is verified to ensure, before further processing, that the authoriser can be positively identified, that the integrity of the authorised data was preserved and that the data is original.

Electronic Authorisation: The process by which an electronic (digital) signature is linked to a transaction to signify that a person with delegated authority has effectively authorised the further processing of that data.

Handle: Process, store, display and/or communicate data or information.

Information: That which informs or has the potential to inform. Meaning communicated or received. A combination of content or meaning represented by symbols and media or conduit, used or useable in a particular context.

Information System (IS): An assembly of equipment, methods and procedures (which may include personnel) organised to accomplish specific information processing functions. This definition includes stand-alone PCs, multi-user systems, or a group of systems or an IS site/facility or a network with users belonging to the same Community of Interest.


Information Technology (IT): Information Technology is the scientific, technological and engineering disciplines and the management practices used in electronic information handling, communication and processing; the fields of electronic data processing, telecommunications, electronic networks, and their convergence in systems; applications, associated software and equipment together with their interaction with humans and machines. Can also be called Information Systems (IS).

Information Technology Security (ITSEC): The protection resulting from an integrated set of measures designed to ensure confidentiality of information electronically stored, processed or transmitted, the integrity of the information and the availability of systems and services.

Information Technology Security (ITSEC) Measures: ITSEC measures include:

a. Communications Security (COMSEC);
b. Computer Security (COMPUSEC);
c. Network Security (NETSEC);
d. Emissions Security (EMSEC); and
e. Transmission Security (TRANSEC).

Integrity: The accuracy and completeness of information and assets and the authenticity of transactions. (GSP)

Interim Authority to Process (IAP): The authority to operate a specific system or network under specific conditions, for a specific period, pending formal accreditation. The authorised Accreditation Authority can grant an IAP. Typical cases where an IAP might be employed are:

a. sensitive operational data must be used for final design and test before initial operational capability;

b. a security survey, or an on-site review based on the most current survey, concludes there is no apparent security problem that would allow unauthorised access to the system/ network. There has been insufficient time or resources however, for required testing of system security mechanisms (e.g. to determine if need-to-know or integrity control mechanisms have been fully implemented) or to complete some of the documentation (e.g. certification documents) required to support an informed decision for final accreditation; and/or

c. configuration of the accredited system has been altered. Initial security evaluation by the security advisor does not reveal any severe problems, but a fully documented evaluation has had schedule delays.

Modification: The alteration of information, data, software or hardware.

Need-to-know: A requirement for a person to receive information to perform assigned duties.


Network Security (NETSEC): The protection of networks and their services from unauthorised modifications, destruction, or disclosure, providing an assurance that the network performs its critical functions correctly and there are no harmful side effects.

Powerful/Privileged Software: Software that will allow a user to bypass, modify, delete or monitor system/application security controls. (Technical Security Standard for Information Technology (TSSIT)) Operating system software that is used to manage/configure the system/security resources and controls, and must only be accessible to the authorised custodian or ISSO.

Removal: Loss of information or assets. Loss can be accidental or deliberate.

Residual Risk: The risk remaining after implementation of all security measures on a network. This Residual Risk (RR) must be accepted by the Operational Authority.

Risk: The chance or uncertainty of vulnerabilities being exploited.

Risk Assessment: An evaluation, based on the effectiveness of existing or proposed security safeguards, of the chance of vulnerabilities being exploited.

Safeguards: Any personnel, physical, information and information technology safeguards applied to mitigate information and assets risks identified by a threat and risk assessment.

Security Architecture: A description of a system and its structure. For each structural component, the various elements (entities), their properties and their inter-relationships are explicitly defined. It is a system-specific set of complementary technical security measures selected and organised in a logical and effective manner to protect the confidentiality, integrity, accountability and availability (CIAA) of information and assets.

Security Breach: A security breach occurs when there has been an actual or likely compromise of classified or designated information or assets. (GSP)

Security Screening: Security clearance or Enhanced Reliability Check.

Security Incident: Any incident that may affect the security posture of an information system.

Security Measures: Any safeguards applied to an IS to protect the CIAA of the information and assets.

Security Violation: Results from the non-observance of security policies or procedures where the compromise of classified or designated information or assets is unlikely.

Sensitive Assets: Classified or designated assets.


Sensitive Information: Classified or designated information.

Sensitivity Level: Classification or Designation level.

Site ISSO: Provides high level IS security services to the assigned core building and includes the building purview.

Statement of Sensitivity: Provides certifiers and accreditation analysts with detailed data sensitivity information related to confidentiality, integrity and availability (CIA). Certification of Strategic Infrastructure Information Technology Systems summarises the various CIA issues which must be addressed in a Statement of Sensitivity.

Threat/Risk Assessment (TRA): As required by the GSP, the identification, analysis and assessment of risks, the selection of risk-avoidance options, and the design and implementation of cost-effective prevention and control measures. The organisation responsible for the system must initiate the TRA. Less complex systems may only require an initial risk review rather than a full, in-depth assessment.

Universal Serial Bus (USB): A standard bus type for all kinds of devices, including mice, scanners, digital cameras, printers, and others. USB devices are hot-swappable: they can be connected and disconnected while the computer is on.

Waiver: An indication that the implementation of one or more security requirements is temporarily postponed and that satisfactory substitutes for the requirement(s) may be used for a specified period of time.


ANNEX C – ACRONYMS

BIOS  Basic Input Output System
CAR  Controlled Access Rooms
CA  Change Authority
C&A  Certification and Accreditation
CD  Compact Disc
CF  Canadian Forces
CIO  Chief Information Officer
COMSEC  Communications-Electronics Security
CO  Commanding Officer
DDOS  Distributed Denial Of Service
DG  Director General
DIN  Defence Information Network
DND  Department of National Defence
DOS  Denial Of Service
DSO  Department Security Officer
DWAN  Defence Wide Area Network
EAA  Electronic Authorization and Authentication
ERC  Enhanced Reliability Check
GOC  Government of Canada
GSP  Government Security Policy
IAP  Interim Authority to Process
IMCCB  Information Management Configuration Control Board
IS  Information System
ISSO  Information Systems Security Officer
IT  Information Technology
ITSS  Information Technology Support Services
LAN  Local Area Network
LRA  Local Registration Authority
LRC  Local Registration Coordinator
MAN  Metropolitan Area Network
OFFICER  Manager
MOA  Memoranda of Agreement
MOU  Memoranda of Understanding
DGMWS  Director General Morale and Welfare Services
DGMWS EN  Director General Morale and Welfare Services Electronic Networks
NDSI  National Defence Security Instructions
NDSP  National Defence Security Policy
OPI  Office of Primary Interest


OS  Operating Systems
PC  Personal Computer
PKI  Public Key Infrastructure
PIN  Personal Identification Number
PWGSC  Public Works and Government Services Canada
RAS  Remote Access Server
RFC  Request For Change
RMS  Registration Management System
RR  Residual Risk
SAMP  Security And Military Police
SRCL  Security Requirements Check List
SOP  Standard Operating Procedures
TEMPEST  Transient Electro-Magnetic Pulse Emanation Standard
TDC  Test and Development Centre
TRA  Threat Risk Assessment
URL  Uniform Resource Locators
USB  Universal Serial Bus
VIRT  Virus Incident Response Team
WAN  Wide Area Network


ANNEX D – CFMWS SITE ISSO TERMS OF REFERENCE

1. SUMMARY OF RESPONSIBILITIES

General

The CFMWS IS Security Office Manager appoints the CFMWS Site ISSO with the authority of the DG. The CFMWS Site ISSO is responsible for providing technical IS security advice or assistance to all personnel, including individual System Managers, System Administrators and Security Officers in the CFMWS. The Site ISSO is also responsible to promote a security awareness education program, conduct certification inspections, security audits and incident investigations, and monitor compliance to the CFMWS IS Security Orders.

Qualifications

The Site ISSO shall be knowledgeable in both IS administration and management, including the concepts of IS security safeguards.

Accountability

The CFMWS Site ISSO is responsible to the CFMWS Information Technology Security Officer to ensure that the conditions of accreditation continue to be met. The principal methods of enforcement are:

a. the CFMWS IS Security Orders;
b. the effective conduct of a security awareness program in conjunction with CFMWS ISSOs; and
c. the performance of security monitoring/audits/investigations.

Authority

The Site ISSO is authorized to intercede in the operation of CFMWS IS when the continued operation of the IS will breach the conditions of the accredited IS.

2. RESPONSIBILITIES

2.1 General

Site ISSOs will provide high level IS security services that satisfy Certification and Accreditation (C&A) requirements within the CFMWS. They will be responsible for the delivery of, but not limited to, the following services:

a. development of C&A documentation;
b. security awareness training;
c. incident response and reporting;


d. Request For Change (RFC) security assessments and recommendations;

e. regular auditing and monitoring of IS and its security posture; and

f. communicate the status of IS security matters to CIO.

2.2 Primary

The CFMWS Site ISSO is also responsible to maintain the confidentiality, integrity, accountability and availability of CFMWS IS as follows:

c. provide IS advice and ensure continued IS security awareness amongst users at all levels;

d. ensure that the IS security architecture continually conforms to CFMWS policy and standards;

e. regularly review and amend (as required) the following documents to ensure they are consistent with the accredited CFMWS IS:

(1) IS Security Orders;
(2) IS Certification & Accreditation; and
(3) IS Standard Operating Procedures.

f. review all changes to the system, re-evaluate the TRA, advise the CFMWS Information Technology Security Officer and CA regarding any impact to the security of the IS and coordinate requests for Certification and Accreditation;

g. brief all IS users regarding the security of the IS and ensure that the IS users have signed as having read and understood the CFMWS IS Security Orders;

h. periodically review the IS audit records and react accordingly to revealed IS security incidents;

i. ensure all IS users meet the personnel security requirements for the information system;

j. monitor the installation and removal of IS equipment and supervise the disposal of all decommissioned IS assets to ensure compliance to IS disposal policy and standards; and

k. immediately forward all reported IS security incidents to the CFMWS Information Technology Security Officer (or higher authority as required) and conduct preliminary IS security incident investigations.


APPENDIX 1 – CFMWS IS SECURITY OFFICE SECURITY AWARENESS BRIEFING FORM

CFMWS IS SECURITY AWARENESS BRIEFING FORM

1. References:

a. Treasury Board Policy on Use of Electronic Networks: http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/tb_cp/uen_e.asp

b. CFMWS IS Security Orders: TBD

2. IAW the above references, I shall comply with the following:

a. I shall use the system and information resources only as authorized at Refs;

b. I shall not do any of the following without explicit authorization:

(1) introduce, delete, produce or modify software, systems and networks,

(2) add, move, change or tamper with any IS equipment, and

(3) remove any hardware/software from CFMWS property without written permission;

c. I shall not:

(1) forward or reply to mass mailings other than that clearly defined as work related,

(2) introduce, forward or reply to chain e-mail and/or e-mail containing games, jokes, screen savers, or non-work related images, videos and/or audio files,

(3) connect any personal devices (e.g. laptops, PDAs, USB drives, digital cameras, etc.) to CFMWS equipment,

(4) disclose or share password(s),

(5) allow unauthorized persons access to the system resources, and

(6) introduce information to the IS for which it is not certified to process; and

d. I shall respect all copyright and licence agreements.

3. I understand that CFMWS IS may be monitored and there is limited expectation of privacy. I shall report all security incidents to my ISSO and/or to CFMWS IS Security Office chain of command.

4. I understand that failure to comply with the IS rules and regulations may lead to administrative or disciplinary action.

User Name (Print): Date: Signature:

Briefer’s Name (Print): Date: Signature:


APPENDIX 2 – INCIDENT REPORT

Date:
Local Incident #:
Ticket #:
Information Systems Security Office #:

REPORT STATUS / PRIORITY LEVEL
Initial Report:
Follow-up Report:
Final Report:

SUBJECT OF INCIDENT REPORT
The subject of this ISSI report is:

1.  REPORTED BY

Name:
Rank/Appointment:
Job Title/Position:
Tel No.:
Fax No.:
CSN Tel No.:
CSN Fax No.:
Other:
Internet Access Available: Yes / No

2.  DATA GATHERING

Command/NDHQ Group Principal/Organization:
Unit/Directorate:
Section:
Building/Floor/Room No(s):
CFMWS Site ISSO Name:
Tel #:
Notified? Yes / No
Date of Occurrence:
Date of Discovery:
Discovered by (whom)?
Highest Designation/Classification of the information affected/compromised:
(Classified incidents should be reported via appropriate means.)

Has this incident resulted in a security breach or violation? Yes / No

3.  INFORMATION SYSTEM SECURITY INCIDENT CATEGORY


Select relevant ISSI Category/Categories that pertain to this ISSI.

CAT I – Unauthorised Access – Complete required fields in 3(a).
CAT II – Denial of Service – Complete required fields in 3(a).
CAT III – Malicious Code – Complete required fields in 3(b).
CAT IV – Poor Security Practice – Complete required fields in 3(a).
CAT V – Attempted Access or Reconnaissance – Complete required fields in 3(a).

(a). Complete this section for Category I, II, IV, and V ISSIs.

Number of workstations involved?

Affected/Compromised Work Station(s): (Please provide network diagram if available)
User Name:
Site:
Computer Name:
IP Address:
Logon Server:
Workstation Mode:
Image Version:

Hardware configuration? (identify manufacturer, model and version; duplicate for dissimilar hosts)

Software configuration? (duplicate for dissimilar hosts)
Operating System (OS)?
COTS packages?
Other software?

Number of servers involved? (Please provide network diagram if available, or request assistance from the relevant network ISSO)

Probable source of ISSI (where applicable)? (e.g., USB, DVD, CD, diskette, e-mail, downloaded from Internet/DIN, etc.)

Summary/Chronological Account of the ISSI and response (be sure to include the who, what, where, when, why, and how of the ISSI).

(b).  Complete this section for Category III ISSIs only (otherwise, leave blank).

Name, Section & Phone Number of Technician handling malicious code call.

Name:                 Section:               Tel Number:       

Malicious Code Name:

AntiVirus software application installed? [Vipre/Symantec]

Version of AntiVirus scan engine and last updated date?


How was the malicious code identified? (e.g., SEP 11, AV Software, etc.)

Number of workstations involved?

Affected/Compromised Work Station(s): (Please provide network diagram if available)
User Name:
Site:
Computer Name:
IP Address:
Logon Server:
Workstation Mode:
Image Version:

Hardware configuration? (identify manufacturer, model and version; duplicate for dissimilar hosts)

Software configuration? (duplicate for dissimilar hosts)
Operating System (OS)?
COTS packages?
Other software?

Number of servers involved? (Please provide network diagram if available, or request assistance from the relevant network ISSO)

Probable source of incident (where applicable)? (e.g., USB, DVD, CD, diskette, e-mail, downloaded from Internet/DIN, etc.)

Summary/Chronological Account of the ISSI and response (be sure to include the who, what, where, when, why, and how of the incident).


4.  IMPACT ASSESSMENT

Significance of incident? 1. Insignificant / 2. Minor / 3. Moderate / 4. Major / 5. Severe

What is the estimated financial loss? Amount $

What is the estimated IS Staff hours lost?       

Communications directly affected/compromised: (Internal to the LAN, MAN, or WAN Interconnections, including gateways, carrier services, etc.)

 

5.  ACTIONS COMPLETED

Who has been notified of this incident?  (Check those that apply)

    Chain of Command          CFMWS Site ISSO              Local MPs (where directed by the ISSO)                        Other (please specify)        

Was the originator informed of the incident?

Yes       No  (Note - You must inform any possible recipients of infected items originating from your location about the potential risk/damage that may result from your traffic.)

Were one or more user account(s) deactivated? [Provide a list of deactivated user account(s).]

Yes       No 

List Deactivated User Account(s): User ID/Name/Rank/Level     

Were the logs secured by the relevant ISSO?  (describe how)

Yes       No 

     

Was there a system shutdown?  (additional details as required) Yes       No 

      

Was the affected work station(s) disconnected from the network, and any removable media secured? (additional details as required)

Yes       No         

Was any work station(s) and removable media seized as evidence or sent for further analysis?

Yes       No         


Actions taken to prevent a recurrence?  (describe in detail)

     

6.  LOCAL OPERATIONAL AUTHORITY/CHAIN OF COMMAND COMMENTS (where applicable)

Comments:      

Name     

Rank     

Telephone     

Signature (original signed by) Position     

Date     

7.  SITE ISSO COMMENTS

Comments:      

Name     

Rank     

Telephone     

Signature (original signed by) Position     

Date     

8.  Additional Comments/Notes


CFMWS Information Technology Security Office

Incident Handling Team

Submission E-MAIL (Provide Completed Form as attachment): [email protected]


APPENDIX 3 – SPECIFIC IS: SECURITY & ACCEPTABLE USE POLICY

(Additional security & acceptable use items not covered by the main document body.)

NON-PUBLIC PROPERTY (NPPNET) INFORMATION SECURITY POLICY

Effective Date: 1 Nov 2012 Revision Date: 3 Oct 2012

1. POLICY STATEMENT

1.1. It is the policy of Information Services Division (IS Div) to safeguard information available within the Non-Public Property Network (NPPNet) to protect both Personal and Business (NPF) information.

2. POLICY OBJECTIVE

2.1. To ensure minimum safeguards are in place to mitigate, control and attempt to eliminate confidentiality, integrity and availability threats while maintaining, expanding and/or decommissioning sections of the NPPNet.

3. POLICY APPLICATION

3.1. The scope of this policy includes all custodians of the NPPNet and its resources, including access to the Internet.

4. POLICY REQUIREMENTS

4.2 General

4.2.1. Business Responsibility

As the designated responsible party for the NPPNet, the IS Division is required to protect information with due diligence. Measures put in place are not only to protect users and the business from external damage but also to curb potential internal abuse and misuse. The following defines the mitigating controls IS Div. uses to reduce the aforementioned threats.

4.2.1.1. Encryption

Where possible, NPPNet custodians are to use appropriate methods of encryption to provide confidentiality for publicly accessible communications. Standard practice is the use of a combination of the IPSec protocol and SSL, where third-party certification is recommended or required.

4.2.1.2. Virus Checking

NPPNet standard practice is to install enterprise capable anti-virus software on all systems controlled by custodians. This includes all user class machines, servers and POS systems.


4.2.1.3. Spam Mitigation

In order to reduce electronic spam, NPPNet e-mail systems are to be reinforced with mitigation software that adapts to changing conditions to reduce and attempt to eliminate non-business-related junk e-mail. Although effective, it must be understood that, as this is an adaptive technology, not all illegitimate communication can be stopped.

Compliance with Canada's Anti-Spam Law

In addition to CFMWS' responsibility to the end-user with regard to protection from spam, the organization is also responsible for not producing such material. Creation of such material can be penalized by fines up to and including criminal charges, where the business and individual officers and/or directors may be held responsible.

For clarification regarding the compliance requirements contact the NPPNet National ISSO (Information Systems Security Officer) through ITSS.

4.2.1.4. Intrusion Detection Systems (IDS)

The NPPNet enforces intrusion detection to manage possible threats to the NPPNet. An IDS is designed to monitor networks and systems for activity considered abnormal; in such cases the proper channels will be notified for further investigation and/or required action.

4.2.1.5. Secure Virtual Private Network (VPN)

Direct communication with the NPPNet through unprotected means is considered insecure and could put information at risk by jeopardizing its confidentiality, integrity and availability. To mitigate this risk, CFMWS has put in place a VPN solution. It can be accessed through connect.cfpsa.com and is available to all users provided with an NPPNet account unless specifically stated otherwise (on occasion this may be determined by divisional requirements).

4.2.1.6. Web Content Management

IS Division actively manages web content, whether internally or externally available to the end-user. This is done in the following two ways:

1. Active Management of External Content

a. Through the employment of a web filtering system, information considered to be inappropriate for business use is blocked based on predefined Access Control Lists (ACL). Content that has been blocked may be unfiltered under certain circumstances. In addition to the ability to block content, CFMWS also has the ability to report on usage history where situations indicate a requirement. In these events the business must justify the investigative action, and the action shall be warranted by the CFMWS.


2. Management of Approved Internal Content

a. In conjunction with the Strategic Communication Cell, internal content is developed and approved for end-user access based on certain predefined criteria supporting CFMWS initiatives.

4.2.1.7. Push Technology

Within the NPPNet, systems are managed through the use of push technology. This technology allows administrators and custodians to actively update, install and manage systems with a high level of effectiveness and availability to clients while remaining relatively invisible to them.

4.2.1.8. Vulnerability Assessment

In an ongoing effort to maintain a high quality of service to end-users, IS Division actively assesses applications, systems and networks in both production and development for vulnerabilities that could be seen to impact the level of security required on the NPPNet. In the event a production vulnerability assessment is required, affected divisions will be notified and involved so as to limit interruption of duties.

4.2.1.9. Continuity Measures

In order to provide business continuity, NPPNet custodians must use measures that include short-term backup, archival offsite backup and infrastructure redundancy.

4.2.1.10. Access to Information and Privacy Control

When implementing, updating and/or decommissioning systems, all assurances of user privacy defined by both the Web Privacy Policy and the Online Privacy Statement shall remain true unless an exception is approved by the ISSO or higher.

It shall be understood that mailbox (e-mail) accounts are owned by CFMWS; however, since the individual user is given access in such a manner that personal use is granted, some level of privacy should be expected. Therefore the business only grants access to assigned security and administrative IM/IT custodians with a "need-to-know" who are previously identified on an ACL. The ACL (Access Control List) can be obtained from the ISSO upon request through ITSS.

Data Transfer

In some situations internal information (data) transfers are required, which may include e-mail. These will be approved by the individual requestor's managerial staff together with the express permission of the individual user. Transfers require the completion of a Network Account Maintenance Form, which must clearly state the requirement. In extreme circumstances where express permission is unavailable, the approval of CFMWS or its representative will be required.


In cases where users with mailboxes are terminated or otherwise leave unexpectedly, IS Division will not in any way fulfill a request to forward a mailbox to another address. Forwarding to other addresses will only be done with the express permission of the user of the mailbox.

In both cases stated, express permission must document approval with a form of signature.

For former employees, requests for information or legal requirements, CFMWS is obliged to conform to the Access to Information Act and will release information based upon an appropriately approved request through Human Resources.

4.2.1.11. Firewall Technology

CFMWS will use a combination of physical and logical firewalling mechanisms in conjunction with each other to provide preventative measures protecting personal, private and publicly available information.

4.2.2 Clarification

Since improper implementation of security mechanisms can place the NPPNet at high risk, custodians are advised to request clarification from the ISSO where policy is not understood.

5. USAGE POLICY

The NPP Information Security Policy is in effect at all times when accessing services using the NPPNet and its resources.

6. DELEGATION

6.1. ALL Custodial Users

A. Custodians with access to any NPPNet system, service or asset will adhere to this policy as defined in order to protect the security of business services, information and network infrastructure. In addition they will be responsible for reporting violations to the NPPNet National ISSO.

6.2. Director IM/IT Operations (Change Authority)

A. Enforce the NPP Information Security Policy rules and guidelines as defined for all CFMWS information systems through direction of System Administrators.

6.3. CFMWS Information Technology Security Officer (Security Authority)

A. Conduct periodic or random auditing of the NPPNet to maintain a minimum standing of security.

B. Periodically review the CFMWS Policy to reflect best practices in order to encourage the protection of information systems and services.


7. ACCOUNTABILITY

7.1 As the protection of the NPPNet is critical to business operations, IS Div, under the supervision of the ISSO, monitors compliance with this policy by means of system reviews.

7.2 All NPPNet custodians are expected to be familiar with and comply with this policy. Violations of this policy may lead to revocation of system privileges and disciplinary action, up to and including discharge.

8. ENQUIRIES

8.1 For information regarding the interpretation and application of this policy, please direct questions to the National NPPNet ISSO through ITSS.
