Security requirements for the protection of sensitive information

A. General conditions

1. All information provided and/or produced under this contract is considered to be “Protected A” and/or “Protected B” (Particularly Sensitive).

2. Canada Revenue Agency (CRA) and the contractor will ensure that an audit trail of all accesses to the information provided and/or produced under this contract is maintained and provided upon request.

3. In cases where the contractor further distributes the information provided under this contract to areas within their jurisdiction, the contractor is responsible for ensuring compliance with the security requirements outlined in this document.  Prior to information being distributed, written compliance to the security requirements outlined in this document is to be provided to the CRA security official for review and approval.

B. Procedures

4. Access to information provided and/or produced under this contract is to be controlled and limited to Individuals who:

4.1 Have a job related need to know;
4.2 Have a reliability status;

4.2.1 A reliability check involves:

  1. verification of personal data, educational and professional qualifications, and employment data and references;
  2. an optional declaration concerning any conviction for a criminal offence for which a pardon has not been granted;
  3. a criminal records name check;
  4. a credit check, when the duties or tasks to be performed require it or in the event of a criminal record, based on the type of offence; and
  5. reliability checks are to be repeated (for update purposes) every 10 years to determine if the status last granted is still valid.

4.3 Have been made aware of the relevant Act(s) and security requirements outlined in this document.

5. The contractor is to ensure all information provided by CRA to the contractor is to be safeguarded as per the security requirements outlined in this document and summarized in the attached chart.

6. The contractor is to ensure all information provided by CRA and/or produced under this contract is scheduled, retained and disposed of in accordance with CRA's approved Records Disposition Authorities, and is to provide CRA with the following:

6.1 A record of the information that was destroyed (including certificates of destruction);
6.2 A record of the information, identified by the National Archivist as having historic or archival importance, transferred to the National Archives of Canada, Archive Branch; and
6.3 A record identifying the information returned to CRA, where this information is no longer needed, was not required or was provided in error.

7. The contractor is to ensure all information provided by CRA and/or produced under this contract is destroyed in accordance with the security requirements outlined in this document and summarized in the attached chart.

8. Any actual or suspected loss, or unauthorized disclosure of information provided and/or produced under this contract is to be immediately reported to the CRA security official with the following details:

8.1 Description of the type of information involved;
8.2 The date and place of the incident;
8.3 Circumstances surrounding the incident;
8.4 The extent of known or probable compromise and the identity of unauthorized Individuals who had or are believed to have had access to the information;
8.5 Action taken or contemplated to remedy the situation; and
8.6 Any further details which may assist in assessing the loss or compromise.

9. If the missing information is found after the notification has been sent, the circumstances under which it was found can be relayed by telephone to the CRA security official.

10. A written report describing the incident, as per paragraph 8, is to be forwarded to the CRA security official by the responsible contractor.

11. CRA can request the contractor to conduct an audit to ensure the stated security safeguards are in place for the protection of the information provided to the contractor.

Applicable legislation

C. Income Tax Act - Sections 239 and 241

239 (2.2)

Every person who
(a) contravenes subsection 241(1), or
(b) knowingly contravenes an order made under subsection 241(4.1) is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months, or to both.

239 (2.21)

Every person
(a) to whom taxpayer information has been provided for a particular purpose under paragraph 241(4)(b), (c), (e), (h), (k), (n), (o) or (p), or
(b) who is an official to whom taxpayer information has been provided for a particular purpose under paragraph 241(4)(a), (d), (f), (f.1) or (j.1), and who for any other purpose knowingly uses, provides to any person, allows the provision to any person of, or allows any person access to, that information is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months, or to both.

241(1)

Except as authorized by this section, no official shall
(a) knowingly provide, or knowingly allow to be provided, to any person any taxpayer information;
(b) knowingly allow any person to have access to any taxpayer information; or
(c) knowingly use any taxpayer information otherwise than in the course of the administration or enforcement of this Act, the Canada Pension Plan, the Unemployment Insurance Act or the Employment Insurance Act or for the purpose for which it was provided under this section.

241(10)

In this section, "official" means any person who is employed in the service of, who occupies a position of responsibility in the service of, or who is engaged by or on behalf of,
(a) Her Majesty in right of Canada or a province, or
(b) an authority engaged in administering a law of a province similar to the Pension Benefits Standards Act, 1985,
or any person who was formerly so employed, who formerly occupied such a position or who was formerly so engaged.

D. Excise Tax Act – Sections 295 and 328

295(1)

“official” means a person who is employed in the service of, who occupies a position of responsibility in the service of, or who is engaged by or on behalf of, Her Majesty in right of Canada or a province, or a person who was formerly so employed, who formerly occupied such a position or who formerly was so engaged.

295(2)

Except as authorized under this section, no official shall knowingly

328(1)

Every person who

328(2)

Every person

E. Security requirements

The following security requirements are to be implemented when processing, storing, and transmitting sensitive information provided and/or produced under this contract.

The Contractor is to ensure

1. Administrative security

1.1 An audit trail of all accesses (create, view, update and delete) to the information is to be maintained and provided upon request.  The data elements required in the audit trail report are the identity of the person, time and date of the access, and type of transaction made.
1.2 Individuals are to be identified by a unique user identification code (User ID) verified by password before being granted access to any “Protected A” and/or “Protected B” (Particularly Sensitive) information processed, stored and transmitted on computer systems.
1.3 Individuals are to be limited to the minimum amount and type of information needed to perform assigned work-related activities (“need-to-know” principle).
1.4 Individuals are not to use their access privileges for personal benefit or curiosity purposes.
1.5 Individuals are not to be granted access privileges allowing them to perform all functions of a critical process (separation of duties).
1.6 Individuals' access privileges are to be kept current, and immediately revoked or suspended when access to perform assigned functions is no longer required.
1.7 Accounts are to be administered, maintained, suspended or deleted only by an authorized person (administrator).
1.8 Accounts having access to “Protected A” and/or “Protected B” (Particularly Sensitive) information are never to be shared, as each person is responsible for all system activities performed under their unique User ID.
1.9 Access to the contractor's system is to be controlled by logical access control techniques (i.e. User ID and password).
1.10 When access to CRA's computer systems is required:

1.10.1 An access to CRA computer systems authorization form (TF469) is to be completed and signed by the user.  This form indicates that access to the computer systems and information is needed to perform assigned work-related activities only, and that all accesses are subject to monitoring and reviewing.

1.10.2 Passwords are to be a minimum of 8 alphanumeric characters, not easily guessed, changed at least every three months or immediately if compromise is suspected, and never revealed or shared with anyone.

1.10.3 A record of all computer system access privileges (i.e. Internet, profiles, applications, resources, external systems, etc.) is to be created and maintained for each person.

1.10.4 Individuals are to ensure their system access privileges are protected against unauthorized access when leaving their active sessions unattended, and are to terminate all active session(s) when leaving the premises.
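As an added illustration (not part of the CRA document or any CRA tool), the following shows how the audit-trail elements required by 1.1 (identity, date and time, and transaction type for each create/view/update/delete) and the revocation rule in 1.6 can be checked over exported access records; the record format, field names, sample records and revocation list are constructed assumptions.

```python
"""Audit-trail compliance check modelled on requirements 1.1 and 1.6.
Added example; the record layout (one dict per access) is an assumption."""
from datetime import datetime

# Data elements that 1.1 requires for every access in the audit trail
REQUIRED_FIELDS = ("user_id", "timestamp", "transaction")
# Access types that 1.1 says must be recorded
TRANSACTIONS = {"create", "view", "update", "delete"}

# Constructed sample audit records (hypothetical export format)
SAMPLE_RECORDS = [
    {"user_id": "u1001", "timestamp": "2024-03-04T09:15:00", "transaction": "view", "record": "T-1"},
    {"user_id": "u1002", "timestamp": "2024-03-04T09:20:00", "transaction": "update", "record": "T-2"},
    {"user_id": "u1003", "timestamp": "2024-03-05T10:00:00", "transaction": "view", "record": "T-3"},
    {"user_id": "u1002", "timestamp": "2024-03-04T09:25:00", "transaction": "export", "record": "T-2"},
    {"user_id": "", "timestamp": "2024-03-04T09:30:00", "transaction": "delete", "record": "T-4"},
]

# Constructed: users whose access was revoked under 1.6, with the revocation time
REVOKED = {"u1003": datetime(2024, 3, 5, 8, 0, 0)}


def check_record(rec, revoked=REVOKED):
    """Return the findings for one audit record; an empty list means compliant."""
    findings = []
    # 1.1: every required data element must be present and non-empty
    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            findings.append(f"missing {field}")
    # 1.1: the transaction must be one of the four tracked access types
    if rec.get("transaction") and rec["transaction"] not in TRANSACTIONS:
        findings.append(f"unknown transaction type {rec['transaction']!r}")
    ts = None
    if rec.get("timestamp"):
        try:
            ts = datetime.fromisoformat(rec["timestamp"])
        except ValueError:
            findings.append("unparseable timestamp")
    # 1.6: no access may be recorded at or after the user's revocation time
    user = rec.get("user_id")
    if user and ts and user in revoked and ts >= revoked[user]:
        findings.append(f"access by {user} after revocation at {revoked[user].isoformat()}")
    return findings


def audit_report(records=SAMPLE_RECORDS, revoked=REVOKED):
    """Map record index -> findings for every non-compliant record."""
    return {i: f for i, rec in enumerate(records) if (f := check_record(rec, revoked))}


if __name__ == "__main__":
    for idx, findings in audit_report().items():
        print(idx, SAMPLE_RECORDS[idx].get("record"), "; ".join(findings))
```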

2. Personnel security

2.1 Individuals having access to “Protected A” and/or “Protected B” (Particularly Sensitive) information are to have a valid reliability status, and have signed a Security Screening Certificate and Briefing Form (TBS 330-47).
2.2 Individuals having access to “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be aware of the confidentiality requirements contained in the relevant acts included in this document, and receive a security briefing.
2.3 Individuals without a reliability status needing “short term” access to equipment, software or to areas storing “Protected A” and/or “Protected B” (Particularly Sensitive) information may be granted access provided they are escorted and monitored while on the contractor's premises.
2.4 Repair and maintenance of computers, servers and systems processing and storing “Protected A” and/or “Protected B” (Particularly Sensitive) information is to be carried out by qualified and properly screened or supervised personnel only.

3. Physical security

3.1 Physical access to “Protected A” and/or “Protected B” (Particularly Sensitive) information is to be controlled at all times.  The degree of physical protection may vary as per the following:

3.1.1 Servers or systems (e.g. databases) processing and storing “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be enclosed in locked rooms or secure cabinets, with access limited to authorized individuals with a legitimate need to access;
3.1.2 “Protected A” and/or “Protected B” (Particularly Sensitive) information is to be stored on the server(s) and not on individual users' own computer systems.  Where this is not possible, the computer system is to be protected by approved access controls and the data encrypted under CRA approved algorithms;
3.1.3 To deter theft, computer systems processing, storing and transmitting “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be secured in offices with access controls such as Unican or cypher locks, card access systems or receptionists during office hours and deadbolts at all other times;
3.1.4 Laptops or Notebooks processing and storing “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be protected by approved access controls and the data encrypted under CRA approved algorithms.  To deter theft, laptops and notebooks should be protected by physical locks or cables when taken out of the contractor's premises;
3.1.5 Removable media such as CDs, diskettes, hard disks or tapes, containing “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be stored in locked containers when not being used. The information on removable media may also be encrypted under approved CRA algorithms if available;
3.1.6 Hard copy documents containing “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be stored in locked containers.

3.2 Mailing of hard copy documents and media is to be in accordance with the security requirements summarized in the attached chart.
3.3 All “Protected A” and/or “Protected B” (Particularly Sensitive) information (including all copies) is to be destroyed in accordance with the security requirements summarized in the attached chart.

4. Communications security

4.1 LANs and communications cables are to be protected from unauthorized access.
4.2 Transmission of “Protected A” and/or “Protected B” (Particularly Sensitive) information outside of the contractor's premises is to be encrypted under CRA approved algorithms.
4.3 No external communications (modem, Internet) are to be active while processing or storing “Protected A” and/or “Protected B” (Particularly Sensitive) information.

5. Software security

5.1 Only approved/certified software for which CRA has a current valid license can be used on CRA computer systems, and all software licenses are to be respected.
5.2 Data files and software are to be verified for viruses/malware before they are opened, copied or installed on CRA's computer systems.

6. Operations security

6.1 Media that were used to store “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be properly erased before being re-used for other purposes or discarded according to the security requirements summarized on the attached chart.

Acceptable erasing techniques include:
6.1.1 Overwriting the magnetic media three (3) times by using CRA approved overwrite software;
6.1.2 Bulk erasing magnetic media with a magnet strong enough (with coercivity double the strength of the media) to erase all data stored on the media.

6.2 Where the medium that was used to store “Protected A” and/or “Protected B” (Particularly Sensitive) information cannot be erased, it is to be physically destroyed (it cannot be returned to the vendor for exchange or repair) in accordance with the security requirements summarized on the attached chart.

Acceptable destruction techniques include:
6.2.1 Cutting or breaking the platters into quarters;
6.2.2 Grinding the surface of the platters (hard disks, CD's) to physically destroy them;
6.2.3 Physically destroying hard drives with a hammer or similar instrument, or shredding.

F. Table – Requirements summary

The security standards outlined on this chart represent the handling requirements for the potential types of media that could be used.  While it is unlikely that an organization would use all the different types of media noted herein, the current methods used by CRA are included for convenience.  The organization will only need to take note of the security standards for the type(s) of media it will be using. For example, if only hardcopy documents and printouts are being used, the remaining electronic media would not be applicable.

For the various types of handling procedures, it is not required to follow each option in every instance; the most applicable option should be chosen dependent upon the organization's circumstances.  For example, under Destruction for Removable media, the organization should choose which method best suits its requirements, such as cutting up diskettes into strips.  It is not necessary to both grind the platter surface of a hard disk and smash it with a hammer; one of the options is sufficient to ensure that no information stored on the hard disk can be retrieved.

The chart has the columns Media, Processing, Marking, Storage, Destruction, Erasure and Communication. Each row is set out below with its column entries.

Media: Documents and printouts
  Processing: Process (Footnote 1)
  Marking: Mark (Footnote 2) in the upper right hand corner on the face of the cover page
  Storage: Store in a locked container
  Destruction: Use 10 mm strip cut shredder (Footnote 3)
  Erasure: Not applicable
  Communication:
    Electronic transmission: Not applicable
    Facsimile: Use secure encryption devices (Footnote 5)
    Mail (Footnote 6): Use two gum-sealed envelopes (Footnote 7)

Media: Non-removable hard disks (includes desktop and laptop/notebook systems)
  Processing: Process (Footnote 1, Footnote 4)
  Marking: Mark (Footnote 2) on casing and outer container when removed from the computer system
  Storage:
  • Access controls (User ID and password)
  • Encrypt (Footnote 4)
  • Physical access controls to area
  Destruction:
  • Erase
  • Break/cut in quarters
  • Grind surface of the platter
  • Smash with hammer
  • Approved degausser
  Erasure: Overwrite 3 times (CRA approved overwrite software)
  Communication:
    Electronic transmission: Encrypt (Footnote 4) data
    Facsimile: Not applicable
    Mail (Footnote 6): Package in a solid container designed for that purpose (Footnote 7)

Media: Removable media such as CDs/DVDs; diskettes; hard disks; zip, jazz or USB (memory stick) drives; magnetic tapes and cartridges; optical disks
  Processing: Process (Footnote 1, Footnote 4)
  Marking:
  • Mark (Footnote 2) on casing and outer container
  • For magnetic media, mark (Footnote 2) on cartridge or cassette; for diskettes and CDs, mark (Footnote 2) on face of surface
  Destruction:
  • Erase
  • Break/cut in quarters
  • Diskettes: cut in ½ inch strips
  • Magnetic tapes and cartridges: cut reels in half
  • Grind surface of the platter
  • Smash with hammer
  • Shred
  • Approved degausser
  Erasure: Overwrite 3 times (CRA approved overwrite software)
  Communication:
    Electronic transmission: Encrypt (Footnote 4) data
    Facsimile: Not applicable
    Mail (Footnote 6): Package in a solid container designed for that purpose (Footnote 7); for diskettes/DVDs/CDs use two gum-sealed envelopes (Footnote 7) (if possible, use a media mailer as the inner envelope)

Media: Microfilms
  Processing:
  • Process (Footnote 1)
  • Area is to be under continuous monitoring
  Marking: Mark (Footnote 2) on cartridge, reel or cassette
  • at the beginning (header) and end (trailer) of the film
  • mark inside and outside of canisters
  Storage: Store in a locked container
  Destruction: Use micrographic material shredder (Footnote 8)
  Erasure: Not applicable
  Communication:
    Electronic transmission: Not applicable
    Facsimile: Not applicable
    Mail (Footnote 6): Package in a solid container designed for that purpose (Footnote 7)

Media: Microfiches
  Processing:
  • Process (Footnote 1)
  • Area is to be under continuous monitoring
  Marking: Mark (Footnote 2) on each fiche/frame
  • the fiche number and total number of fiches on each fiche/frame
  • at the header line at the center of the top and bottom of each fiche/frame
  Storage: Store in a locked container
  Destruction: Use micrographic material shredder (Footnote 8)
  Erasure: Not applicable
  Communication:
    Electronic transmission: Not applicable
    Facsimile: Not applicable
    Mail (Footnote 6): Use two gum-sealed envelopes (Footnote 7)

Media: Smart cards and other card technologies
  Processing: Process (Footnote 1)
  Marking: Mark (Footnote 2) on the outside of the card
  Destruction:
  • Destroy the microchip, magnetic stripes, optical zones, etc. by smashing, breaking, cutting, grinding the data storage area or shredding
  • Approved degausser
  Erasure: Overwrite 3 times (CRA approved overwrite software)
  Communication:
    Electronic transmission: Encrypt (Footnote 4) data
    Facsimile: Not applicable
    Mail (Footnote 6): Package in a solid container designed for that purpose (Footnote 7)

Media: Local area network (LAN) servers (includes RAID drives)
  Processing:
  • Process (Footnote 1)
  • Area is to be under continuous monitoring
  Marking: Mark (Footnote 2) on casing and outer container when removed from the computer system
  Storage:
  • Access controls (User ID and password)
  • Encrypt (Footnote 4)
  • Physical access controls for LAN rooms or facilities
  Destruction:
  • Erase
  • Smash with hammer
  • Shred
  • Approved degausser
  Erasure: Overwrite 3 times (CRA approved overwrite software)
  Communication:
    Electronic transmission: Encrypt (Footnote 4) data
    Facsimile: Not applicable
    Mail (Footnote 6): Package in a solid container designed for that purpose (Footnote 7)
