Security requirements for the protection of sensitive information

A. General conditions
B. Procedures
C. Income Tax Act - Sections 239 and 241
D. Excise Tax Act – Sections 295 and 328
E. Security requirements
F. Table – Requirements summary

A. General conditions

1. All information provided and/or produced under this contract is considered to be “Protected A” and/or “Protected B” (Particularly Sensitive).

2. Canada Revenue Agency (CRA) and the contractor will ensure an audit trail of all accesses to the information provided and/or produced under this contract, is maintained, and provided upon request.

3. In cases where the contractor further distributes the information provided under this contract to areas within their jurisdiction, the contractor is responsible for ensuring compliance with the security requirements outlined in this document. Prior to information being distributed, written compliance to the security requirements outlined in this document is to be provided to the CRA security official for review and approval.

B. Procedures

4. Access to information provided and/or produced under this contract is to be controlled and limited to Individuals who:

4.1 Have a job related need to know;
4.2 Have a reliability status;

4.2.1 a reliability check involves:

verification of personal data, educational and professional qualifications, and employment data and reference;
an optional declaration concerning any conviction for a criminal offence for which a pardon has not been granted;
a criminal records name check;
a credit check, when the duties or tasks to be performed requires it or in the event of a criminal record based on the type of offence; and
reliability checks are to be repeated (for update purposes) every 10 years to determine if the status last granted is still valid.

4.3 Have been made aware of the relevant Act(s) and security requirements outlined in this document:

Sections 239 and 241 of the Income Tax Act
Sections 295 and 328 of the Excise Tax Act

5. The contractor is to ensure all information provided by CRA to the contractor is to be safeguarded as per the security requirements outlined in this document and summarized in the attached chart.

6. The contractor is to ensure all information provided by CRA and/or produced under this contract is scheduled, retained and disposed of in accordance with CRA's approved Records Disposition Authorities, and is to provide CRA with the following:

6.1 A record of the information that was destroyed (including certificates of destruction);
6.2 A record of the information, identified by the National Archivist as having historic or archival importance, transferred to the National Archives of Canada, Archive Branch; and
6.3 A record identifying the information returned to CRA, where this information is not longer needed, was not required or was provided in error.

7. The contractor is to ensure all information provided by CRA and/or produced under this contract is destroyed in accordance with the security requirements outlined in this document and summarized in the attached chart.

8. Any actual or suspected loss, or unauthorized disclosure of information provided and/or produced under this contract is to be immediately reported to the CRA security official with the following details:

8.1 Description of the type of information involved;
8.2 The date and place of the incident;
8.3 Circumstances surrounding the incident;
8.4 The extent of known or probable compromise and the identity of unauthorized Individuals who had or are believed to have had access to the information;
8.5 Action taken or contemplated to remedy the situation; and
8.6 Any further details which may assist in assessing the loss or compromise.

9. If the missing information is found after the notification has been sent, the circumstances under which it was found can be relayed by telephone to the CRA security official.

10. A written report describing the incident, as per paragraph 8, is to be forwarded to the CRA security official by the responsible contractor.

11. CRA can request the contractor to conduct an audit to ensure the stated security safeguards are in place for the protection of the information provided to the contractor.

Applicable legislations

C. Income Tax Act - Sections 239 and 241

239 (2.2)

Every person who
(a) contravenes subsection 241(1), or
(b) knowingly contravenes an order made under subsection 241(4.1) is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months, or to both.

239 (2.21)

Every person
(a) to whom taxpayer information has been provided for a particular purpose under paragraph 241(4)(b), (c), (e), (h), (k), (n), (o) or (p)
(b) who is an official to whom taxpayer information has been provided for a particular purpose under paragraph 241(4)a), d), f), f.1), or j.1) and who for any other purpose knowingly uses, provides to any person, allows the provision to any person of, or allows any person access to, that information is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months, or to both.

241(1)

Except as authorized by this section, no official shall
(a) knowingly provide, or knowingly allow to be provided, to any person any taxpayer information;
(b) knowingly allow any person to have access to any taxpayer information;
or
(c) knowingly use any taxpayer information otherwise than in the course of the administration or enforcement of this Act, the Canada Pension Plan, the Unemployment Insurance Act or the Employment Insurance Act or for the purpose for which it was provided under this section.

241(10)

In this section, "official" means any person who is employed in the service of, who occupies a position of responsibility in the service of, or who is engaged by or on behalf of,
(a) Her Majesty in right of Canada or a province, or
(b) an authority engaged in administering a law of a province similar to the Pension Benefits Standards Act, 1985.
or any person who was formerly so employed, who formerly occupied such a position or who was formerly so engaged.

D. Excise Tax Act – Sections 295 and 328

295(1)

“official” means a person who is employed in the service of, who occupies a position of responsibility in the service of, or who is engaged by or on behalf of, Her Majesty in right of Canada or a province, or a person who was formerly so employed, who formerly occupied such a position or who formerly was so engaged.

295(2)

Except as authorized under this section, no official shall knowingly

provide, or allow to be provided, to any person any confidential information;
allow any person to have access to any confidential information; or
©use any confidential information other than in the course of the administration or enforcement of this Part.

328(1)

Every person who

contravenes subsection 295(2), or
knowingly contravenes an order made under subsection 295(5.1) is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding twelve months, or to both.

328(2)

Every person

to whom confidential information has been provided for a particular purpose pursuant to paragraph 295(5)(b), (c), (g), (k) or (l), or
who is an official to whom confidential information has been provided for a particular purpose pursuant to paragraph 295(5)(a),(d),(e) or (h), and who for any other purpose knowingly uses, provides to any person, allows the provision to any person of, or allows any person access to, that information is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding twelve months, or to both.

E. Security requirements

The following security requirements are to be implemented when processing, storing, and transmitting sensitive information provided and/or produced under this contract.

The Contractor is to ensure

1. Administrative aecurity

1.1 An audit trail of all accesses (create, view, update and delete) to the information is to be maintained and provided upon request. The data elements required in the audit trail report are the identity of the person, time and date of the access, and type of transaction made.
1.2 Individuals are to be identified by a unique user identification code (User ID) verified by password before being granted access to any “Protected A” and/or “Protected B”(Particularly Sensitive) information processed, stored and transmitted on computer systems.
1.3 Individuals are to be limited to the minimum amount and type of information needed to perform assigned work-related activities (“need-to-know” principle).
1.4 Individuals are not to use their access privileges for personal benefit or curiosity purposes.
1.5 Individuals are not to be granted access privileges allowing them to perform all functions of a critical process (separation of duties).
1.6 Individuals' access privileges are to be kept current, and immediately revoked or suspended when access to perform assigned functions is no longer required.
1.7 Accounts are to be administered, maintained, suspended or deleted only by an authorized person (administrator).
1.8 Accounts having access to “Protected A” and/or “Protected B” (Particularly Sensitive) information are never to be shared, as each person is responsible for all system activities performed under their unique User ID.
1.9 Access to the contractor's system is to be controlled by logical access control techniques (i.e. User ID and password).
1.10 When access to CRA's computer systems is required:

1.10.1 An access to CRA computer systems authorization form (TF469) is to be completed and signed by the user. This form indicates that access to the computer systems and information is needed to perform assigned work-related activities only, and that all accesses are subject to monitoring and reviewing.

1.10.2 Passwords are to be as a minimum of 8 alphanumeric characters, not easily guessed, changed at least every three months or immediately if it is suspected it has been compromised, and never revealed or shared with anyone.

1.10.3 A record of all computer system access privileges (i.e. Internet, profiles, applications, resources, external systems, etc.) is to be created and maintained for each person.

1.10.4 Individuals are to ensure their system access privileges are protected against unauthorized access when leaving their active sessions unattended, and are to terminate all active session(s) when leaving the premises.

2. Personnel security

2.1 Individuals having access to “Protected A” and/or “Protected B”(Particularly Sensitive) information are to have a valid reliability status, and have signed a Security Screening Certificate and Briefing Form (TBS 330-47).
2.2 Individuals having access to “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be aware of the confidentiality requirements contained in the relevant acts included in this document, and receive a security briefing.
2.3 Individuals without a reliability status needing “short term” access to equipment, software or to areas storing “Protected A” and/or “Protected B” (Particularly Sensitive) information may be granted access provided they are escorted and monitored while on the contractor's premises.
2.4 Repair and maintenance of computers, servers and systems processing and storing “Protected A” and/or “Protected B” (Particularly Sensitive) information is to be carried out by qualified and properly screened or supervised personnel only.

3. Physical security

3.1 Physical access to “Protected A” and/or “Protected B (Particularly Sensitive) information is to be controlled at all times. The degree of physical protection may vary as per the following:

3.1.1 Servers or systems (e.g. databases) processing and storing “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be enclosed in locked rooms or secure cabinets, with access limited to authorized individuals with a legitimate need to access;
3.1.2 “Protected A” and/or “Protected B” (Particularly Sensitive) information is to be stored on the server(s) and not on their own computer system. Where this is not possible, the computer system is to be protected by approved access controls and the data encrypted under CRA approved algorithms;
3.1.3 To deter theft, computer systems processing, storing and transmitting “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be secured in offices with access controls such as Unican or cypher locks, card access systems or receptionists during office hours and deadbolts at all other times;
3.1.4 Laptops or Notebooks processing and storing “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be protected by approved access controls and the data encrypted under CRA approved algorithms. To deter theft, laptops and notebooks should be protected by physical locks or cables when taken out of the contractor's premises,
3.1.5 Removable media such as CDs, diskettes, hard disks or tapes, containing “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be stored in locked containers when not being used. The information on removable media may also be encrypted under approved CRA algorithms if available;
3.1.6 Hard copy documents containing “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be stored in locked containers;

3.2 Mailing of hard copy documents and media is to be in accordance with the security requirements summarized in the attached chart.
3.3 All “Protected A” and/or “Protected B (Particularly Sensitive) information (including all copies) is to be destroyed in accordance with the security requirements summarized in the attached chart.

4. Communications security

4.1 LANs and communications cables are to be protected from unauthorized access.
4.2 Transmission of “Protected A” and/or “Protected B” (Particularly Sensitive) information outside of the contractor's premises is to be encrypted under CRA approved algorithms.
4.3 No external communications (modem, Internet) is to be active while processing or storing “Protected A” and/or “Protected B” (Particularly Sensitive) information.

5. Software security

5.1 Only approved/certified software for which CRA has a current valid license, can be used on CRA computer systems, and all software licenses are to be respected.
5.2 Data files and software are to be verified for viruses/malware before they are opened, copied or installed on CRA's computer systems.

6. Operations security

6.1 Media that were used to store “Protected A” and/or “Protected B” (Particularly Sensitive) information are to be properly erased before being re-used for other purposes or discarded according to the security requirements summarized on the attached chart.

Acceptable erasing techniques include:
6.1.1 Overwriting the magnetic media three (3) times by using CRA approved overwrite software;
6.1.2 Bulk erasing magnetic media with a magnet strong enough (with coercivity double the strength of the media) to erase all data stored on the media.

6.2 Where the medium that was used to store “Protected A” and/or “Protected B”(Particularly Sensitive) information cannot be erased, it is to be physically destroyed (it cannot be returned to the vendor for exchange or repair) in accordance with the security requirements summarized on the attached chart.

Acceptable destruction techniques include:
6.2.1 Cutting or breaking the platters into quarters;
6.2.2 Grinding the surface of the platters (hard disks, CD's) to physically destroy them;
6.2.3 Physically destroying hard drives with a hammer or similar instrument, or shredding.

F. Table – Requirements summary

The security standards outlined on this chart represent the handling requirements for the potential types of media that could be used. While it is not normal that an organization would use all the different types of media noted herein; for convenience, the current methods used by CRA are included. The organization will only need to take note of the security standards for the type(s) of media they will be using. For example, if only hardcopy documents and printouts are being used, the remaining electronic media would not be applicable.

For the various types of handling procedures, it is not required to follow each option in every instance – the most applicable option should be chosen dependent upon the organization's circumstances. For example, under Destruction for Removable media, the organization should choose which method best suits their requirements, such as cutting up diskettes into strips. It is not necessary to grind the platter surface of a hard disk and smash with hammer – one of the options is sufficient in order to ensure that no information stored on the hard disk can be retrieved.

Media	Processing	Marking	Storage	Destruction	Erasure	Communication
Documents and printouts	Process ^{Footnote 1}	Mark ^{Footnote 2} in the upper right hand corner on face of cover page	Store in a locked container	Use10 mm strip cut shredder ^{Footnote 3}	Not applicable	Electronic transmission: Not applicable Facsimile: Use secure encryption devices ^{Footnote 5} Mail: ^{Footnote 6} Use two gum-sealed envelopes ^{Footnote 7}
Non-removable hard disks (includes desktop & laptop/ notebook systems)	Process ^{Footnote 1}, ^{Footnote 4}	Mark ^{Footnote 2} on casing and outer container when removed from the computer system	Access controls (User ID and Password) Encrypt ^{Footnote 4} Physical access controls to area	Erase Break/cut in quarters Grind surface of the platter Smash with hammer Approved degausser	Overwrite 3 times ( CRA approved overwrite software)	Electronic transmission: Encrypt ^{Footnote 4} data Facsimile: Not applicable Mail: ^{Footnote 6} Package in a solid container designed for that purpose ^{Footnote 7}
Removable media such as: CDs/DVDs, diskettes; hard disks; zip, jazz or USB (memory sticks) drives; magnetic tapes and cartridges; optical disks;	Process ^{Footnote 1}, ^{Footnote 4}	Mark ^{Footnote 2} on casing and outer container For magnetic media - mark ^{Footnote 2} on cartridge or cassette; diskettes and cd's – mark ^{Footnote 2} on face of surface	Encrypt ^{Footnote 4} Store in a locked container	Erase Break/cut in quarters Diskette cut in ½ inch strips Magnetic tapes and cartridges cut reels in half Grind surface of the platter Smash with hammer Shred Approved degausser	Overwrite 3 times (CRA approved overwrite software)	Electronic transmission: Encrypt ^{Footnote 4} data Facsimile: Not applicable Mail: ^{Footnote 6} Package in a solid container designed for that purpose ^{Footnote 7} For diskettes/DVDs/CDs ^{Footnote 6} use two gum-sealed envelopes ^{Footnote 7} (if possible, use a media mailer as the inner envelope)
Microfilms	Process ^{Footnote 1} Area is to be under continuous monitoring	Mark ^{Footnote 2} on cartridge, reel or cassette - at the beginning (header) and end (trailer) of the film - mark inside and outside of canisters	Store in a locked container	Use micrographic material shredder ^{Footnote 8}	Not applicable	Electronic transmission: Not applicable Facsimile: Not applicable Mail: ^{Footnote 6} Package in a solid container designed for that purpose ^{Footnote 7}
Microfiches	Process ^{Footnote 1} Area is to be under continuous monitoring	Mark ^{Footnote 2} on each fiche/frame - the fiche # and total # of fiche on each fiche/frame - at the header line at the center of the top and bottom of each fiche/ frame	Store in a locked container	Use micrographic material shredder ^{Footnote 8}	Not applicable	Electronic transmission: Not applicable Facsimile: Not applicable Mail: ^{Footnote 6} Use two gum-sealed envelopes ^{Footnote 7}
Smart cards and other card technologies	Process ^{Footnote 1}	Mark ^{Footnote 2} on the outside of the card	Encrypt ^{Footnote 4} Store in lockable containers	Destroy the microchip, mag stripes, optical zones, etc. by smashing, breaking, cutting, grinding the data storage area or shredding Approved degausser	Overwrite 3 times (CRA approved overwrite software)	Electronic transmission: Encrypt ^{Footnote 4} data Facsimile: Not applicable Mail: ^{Footnote 6} Package in a solid container designed for that purpose ^{Footnote 7}
Local area networks (LANs) servers (includes RAID drives)	Process ^{Footnote 1} Area is to be under continuous monitoring	Mark ^{Footnote 2} on casing and outer container when removed from the computer system	Access controls (User ID and Password) Encrypt ^{Footnote 4} Physical access controls for LAN rooms or facilities	Erase Smash with hammer Shred Approved degausser	Overwrite 3 times (CRA approved overwrite software)	Electronic transmission: Encrypt ^{Footnote 4} data Facsimile: Not applicable Mail: ^{Footnote 6} Package in a solid container designed for that purpose ^{Footnote 7}

Footnotes

Footnote 1

Information is to be processed in an area where access is limited only to authorized individuals or properly escorted visitors. These areas are to be monitored on a regular basis. An audit trail of all accesses to client information is to be maintained (data elements: identity of the person, time and date of the access, and type of transaction made).

Return to footnote1 referrer

Footnote 2

The marking "PROTECTED A or B" is to appear on all documents and media containing readable (clear text) data.

Return to footnote2 referrer

Footnote 3

The shredder cut must be fine enough that information cannot be re-pieced back together from the cut pieces.

Return to footnote3 referrer

Footnote 4

Data encrypted under approved CRA algorithms can be treated as non-sensitive. Systems processing/storing the information are to be protected with CRA approved access controls and encryption when removed from the organization's premises. Files being electronically transmitted (i.e. email, FTP) are to be encrypted using approved CRA algorithms. To ensure availability and integrity of data, on and off-site backups should be maintained and physical security protection applied.

Return to footnote4 referrer

Footnote 5

CRA encryption devices on loan to an organization are to be located in areas where access is limited to authorized individuals and under continuous monitoring. The devices are set to a Protected Group number as defined by CRA and are supported and maintained by the Agency. Suspected or actual security incidents are to be immediately reported to the responsible CRA security official.

Return to footnote5 referrer

Footnote 6

Send by priority courier, registered mail, or private courier. Proof of mailing and a record of transit and delivery is to be provided by the courier.

Return to footnote6 referrer

Footnote 7

The address is to appear on both envelopes; the security marking is to appear on the inner envelope only and marked “To be opened by addressee only”; when using solid containers, secure container with plastic or metal ties so it cannot be opened unless it is broken, or with a padlock.

Return to footnote7 referrer

Footnote 8

RCMP Security Equipment Guide: Microfiches& Microfilms shredders: Model : Infostroyer 201 or SEM Model Micro DoD.

Return to footnote8 referrer

Page details

Date modified:: 2013-07-24

Language selection

Search

Sign in