MAF 2022 to 2023 Security Management Methodology

AoM Context

The 2022-23 Security Area of Management MAF assessment is focused on strategic security planning and security management practices that contribute to bolstering the overall security posture of the GC. This information remains vital for informing security risk management decisions and for identifying trends, areas of strength, and areas requiring further attention. The approach recognizes the continued evolution of the dynamic operating environment, while identifying and encouraging the continued sharing of leading security management practices enterprise-wide.

The 2022-23 MAF exercise will provide insight into the expected outcomes outlined in the Policy on Government Security (PGS) as they relate to: effective security planning and reporting; trusted workforce and partners; preparedness and effective response to events; and trusted information systems and processes. Results will indicate whether the expectations related to the implementation of Treasury Board policy and related management practices with respect to security controls are met, including departmental security plans, security screening, security in contracts and other arrangements, business continuity management, and information technology security.

Strategic Theme Title

Effective Departmental Security Planning and Reporting

Strategic Theme Overview

Deputy heads establish effective departmental security planning and reporting to support informed decision making and enable enterprise security risk assessment in support of the trusted delivery of Government of Canada programs and services and the protection of its information, people and assets.

Question 1 New

What percentage of security risk mitigation priorities identified in the Departmental Security Plan (DSP) and approved by the deputy head for the fiscal year 2021-22 were addressed as planned?

To answer:

  • TBS to answer
  • Department or Agency to answer
  • Both TBS and Department or Agency to answer

Rationale

A DSP details decisions for managing security risks and timelines for improving departmental security and supporting implementation. Senior departmental management will be able to gauge their department’s success in managing planned department-wide activities to mitigate the overall risk exposure of the identified security controls. The result will depend on how well departments can complete the activities approved by the deputy head and listed in the DSP action plan. This result supports identifying potential areas for improvement, and responsive actions that may be required to ensure security risks to the organization are continuously managed. A DSP also provides TBS with identified risks at an aggregate level to inform GC enterprise decision-making.

Category

  • Policy Compliance
  • Performance
  • Baseline

Note: All baseline questions will be included in MAF reporting products.

Expected Results

The target is 100%.

Assessed Organizations

Large departments and Agencies.

Period of Assessment

April 1, 2021 – March 31, 2022

Calculation Method

Organizations are expected to provide a numerator and a denominator:

The number of DSP planned activities addressed in fiscal year 2021-22 (numerator)

divided by

The total number of DSP planned activities scheduled for completion in fiscal year 2021-22 (denominator)

x100

Assessment Grid

Initial (1-39%): Presents strong opportunity for development of an effective departmental security planning and reporting program in assessing and prioritizing departmental security requirements which are reflective of, and contribute to, government-wide security priorities.

Developing (40-65%): Practice requires further refinement to support effective security planning and reporting on the delivery of security planning priorities in the organization’s Departmental Security Plan (DSP).

Managed (65-94%): Program nearing maturity; improvement needed to consistently apply practice across the organization and advance security risk priorities which remain reflective of, and contribute to, government-wide security priorities.

Optimized (95-100%): Fully matured practice in consideration of an evolving risk environment and the evergreen nature of effective departmental security planning in consideration of novel and emerging security threats and risks.

Evidence Requirements

  • Department to provide evidence
  • TBS to provide evidence
  • Other evidence to be considered (please provide)

Data collection Method

Documentary evidence in the form of the Department/Agency DSP and a secondary artifact (e.g. Priority Action Plan, annual DSP report or otherwise).

Document limit: 2

Government-wide Comparison

  • Yes, the results of the indicator will be used for comparison across departments
  • No (please provide an explanation)

Year-Over-Year Analysis

  • Yes
  • No

Departmental Results Framework (DRF) (TBS use only)

Is this indicator used in the TBS DRF?

  • Yes
  • No

Annex A

Guideline on Developing a Departmental Security Plan - Canada.ca

Annex B

Reference materials:

Policy on Government Security, 4.1.5

Directive on Security Management, 4.1.3, 4.1.5

Strategic Theme Title

Trusted Workforce and Partners

Strategic Theme Overview

Individuals can be trusted to fulfil their security responsibilities and to not wilfully or inadvertently compromise security. Contractors and other partners can be relied upon to safeguard the information and assets entrusted to them, and to reliably fulfil their obligations.

Question 2 New

For all individuals¹ working in the public service² that have entered the organization between November 1, 2021, and October 31, 2022, what is the percentage of security screening files that contain evidence that an initial security briefing was provided to inform individuals of their security responsibilities under the Policy on Government Security as they relate to their screening level?

¹ “all individuals” refers to all types of employment status (e.g. students, casuals, employees, etc.), excluding contractors/consultants.

² “public service” is applicable to all departments defined in section 2 and any other agency included in Schedules IV and V of the Financial Administration Act.

To answer:

  • TBS to answer
  • Department or Agency to answer
  • Both TBS and Department or Agency to answer

Rationale

The Standard on Security Screening requires that a security briefing be conducted before an individual takes up their duties, when required based on the update cycle, and whenever a change occurs in screening level. A security briefing informs individuals of the decision to grant a security status or clearance and informs them of their security responsibilities. Individuals are required to acknowledge their security responsibilities, and a record of the decision and acknowledgement must be kept on their security screening file.

Category

  • Policy Compliance
  • Performance
  • Baseline

Note: All baseline questions will be included in MAF reporting products.

Expected Results

The target is 100%.

Assessed Organizations

Large departments and Agencies.

Period of Assessment

November 1, 2021 – October 31, 2022

Calculation Method

Organizations are expected to provide a numerator and a denominator:

“Total number of individuals that entered the organization that were provided with an initial security briefing (before start of employment, appointment, or assignment) with evidence* on file” (numerator)

divided by

“Total number of individuals that entered the organization” (denominator)

x100

*In order to be included in the numerator for this question, the organization must confirm (in the TBS provided tracker, column two (2)) that ALL of the following criteria have been met:

  1. An initial security briefing was provided; and
  2. A signed security screening certificate and briefing form is on file.

If the organization cannot confirm that the above criteria are in place, it should record a “no” for this question in column two (2) of the TBS provided tracker.

Assessment Grid

Initial (1-39%): Presents strong opportunity to develop practice to mitigate GC risk exposure and ensure initial security briefings are carried out for all individuals.

Developing (40-65%): Practice requires further refinement to mitigate GC risk exposure and ensure initial security briefings are carried out and individuals are informed of their security responsibilities and access permissions attached to their screening level.

Managed (65-94%): Practice nearing maturity; opportunities to ensure consistent application of the practice across the organization remain.

Optimized (95-100%): Fully mature practice, supporting the assurance that initial security briefings are consistently carried out and all individuals are informed of their security responsibilities and access permissions attached to their screening level.

Evidence Requirements

  • Department to provide evidence
  • TBS to provide evidence
  • Other evidence to be considered (please provide)

Data collection Method

TBS provided tracker: Organizations are required to report, by means of a unique identifier, on all individuals that entered the organization in the prescribed period, informing if an initial security briefing was conducted and indicating whether a signed security screening certificate and briefing form is recorded on the file, using the TBS provided tracker.

Document limit: 2

Government-wide Comparison

  • Yes, the results of the indicator will be used for comparison across departments
  • No (please provide an explanation)

Year-Over-Year Analysis

  • Yes
  • No

Departmental Results Framework (DRF) (TBS use only)

Is this indicator used in the TBS DRF?

  • Yes
  • No

Annex A

Annex B

Appendix F – Aftercare, Section 2: Standard on Security Screening

Question 3 Preserved (Question 11 in 2021-22)

For all individuals¹ working in the public service² that have left the organization between November 1, 2021, and October 31, 2022, what is the percentage of security screening files that contain evidence that a formal debriefing³ was provided to remind individuals of their continuing responsibilities to maintain the confidentiality of the sensitive information to which they had access?

¹ “all individuals” refers to all types of employment status (e.g. students, casuals, employees, etc.), excluding contractors/consultants.

² “public service” is applicable to all departments defined in section 2 and any other agency included in Schedules IV and V of the Financial Administration Act.

³ “formal debriefing” refers to an established departmental debriefing process that is administered and documented for all individuals upon termination of employment, engagement, or assignment with that department.

To answer:

  • TBS to answer
  • Department or Agency to answer
  • Both TBS and Department or Agency to answer

Rationale

The Standard on Security Screening requires that upon termination of employment, engagement or assignment, all individuals must receive a formal debriefing to remind them of their continuing responsibilities to maintain the confidentiality of the sensitive information to which they have had access.

This final step provides assurance that sensitive GC information or assets will not be divulged, discussed, or shared in a manner that could cause injury to an individual, organization, government, or the national interest of Canada if compromised.

Chief Security Officers or delegated officials, in consultation with departmental human resource advisors, must develop procedures and ensure that debriefings and reclamations are scheduled and conducted as a component of the overall separation process.

Category

  • Policy Compliance
  • Performance
  • Baseline

Note: All baseline questions will be included in MAF reporting products.

Expected Results

The target is 100%.

Assessed Organizations

Large departments and Agencies.

Period of Assessment

November 1, 2021 – October 31, 2022

Calculation Method

Organizations are expected to provide a numerator and a denominator:

“Total number of individuals that left the organization that were provided with a formal debriefing with evidence* on file” (numerator)

divided by

“Total number of individuals that left the organization (termination of employment, engagement, or assignment)” (denominator)

x100

*In order to be included in the numerator for this question, the organization must confirm (in the TBS provided tracker, column two (2)) that ALL of the following criteria have been met:

  1. A formal debriefing was provided; and
  2. A signed security screening certificate and briefing form is on file.

If the organization cannot confirm that the above criteria are in place, it should record a “no” for this question in column two (2) of the TBS provided tracker.

Assessment Grid

Initial (1-39%): Presents strong opportunity to develop practice to mitigate GC risk exposure and ensure debriefings are carried out for all individuals.

Developing (40-65%): Practice requires further refinement to mitigate GC risk exposure and ensure debriefings are carried out and individuals are informed of their continued obligations following their departure.

Managed (65-94%): Practice nearing maturity; opportunities to ensure consistent application of the practice across the organization remain.

Optimized (95-100%): Fully mature practice, supporting the assurance that debriefings are consistently carried out and all individuals are reminded of their continued obligations following their departure.

Evidence Requirements

  • Department to provide evidence
  • TBS to provide evidence
  • Other evidence to be considered (please provide)

Data collection Method

TBS provided tracker: Organizations are required to report, by means of a unique identifier, on all individuals that left the organization in the prescribed period, informing if a formal security debriefing was conducted, and indicating whether a security screening certificate and briefing form is recorded on the file, using the TBS provided tracker.

Document limit: 2

Government-wide Comparison

  • Yes, the results of the indicator will be used for comparison across departments
  • No (please provide an explanation)

Year-Over-Year Analysis

  • Yes
  • No

Departmental Results Framework (DRF) (TBS use only)

Is this indicator used in the TBS DRF?

  • Yes
  • No

Annex A

Annex B

Appendix F – Aftercare, Section 12: Standard on Security Screening

Question 4 Updated (Based on Question 13 in 2021-22)

What percentage of contracts with identified security requirements¹, which have been established and verified for compliance, are monitored for continued compliance throughout the contract or arrangement process?

¹ “Security requirements” refer to a requirement that must be satisfied to reduce security risks to an acceptable level and/or to meet statutory, regulatory, policy, contractual and other security obligations.

To answer:

  • TBS to answer
  • Department or Agency to answer
  • Both TBS and Department or Agency to answer

Rationale

The Mandatory Procedures defined in Appendix F of the Directive on Security Management (DSM) require that security requirements associated with contracts be identified and documented, and that associated security controls be implemented and monitored throughout all stages of the contracting process to provide reasonable assurance that information, individuals, assets, sites, and services associated with the contract are adequately protected. Strengthened oversight and monitoring are an integral part of reducing and addressing issues of non-compliance, security incidents, or other security events.

The purpose of this question is to determine if departments monitor and verify continued compliance with security requirements after contract award to provide reasonable assurance that safeguards and requirements to mitigate security risks continue to be adhered to.

Category

  • Policy Compliance
  • Performance
  • Baseline

Note: All baseline questions will be included in MAF reporting products.

Expected Results

The target is 100%.

Assessed Organizations

Large departments and Agencies.

Period of Assessment

November 1, 2021 – October 31, 2022

Calculation Method

Organizations are expected to provide a numerator and a denominator:

“Total number of contracts with security requirements monitored for continued compliance throughout their lifecycle” (numerator)

divided by

“Total number of contracts identified as having security requirements” (denominator)

x100

Assessment Grid

Initial (1-39%): Presents strong opportunity to develop practice to ensure security requirements are monitored throughout the contract lifecycle.

Developing (40-65%): Practice requires further refinement to ensure minimum monitoring requirements for all contracts are met.

Managed (65-94%): Practice nearing maturity; opportunities to ensure consistent application of monitoring requirements across all contracts remain.

Optimized (95-100%): Fully mature practice, supporting consistent and comprehensive application of monitoring requirements across all contracts.

Evidence Requirements

  • Department to provide evidence
  • TBS to provide evidence
  • Other evidence to be considered (please provide)

Data collection Method

Provided tracker + Documentary evidence

  1. TBS provided tracker: Departments are required to report, by means of a unique identifier, on all contracts identified as having security requirements in the prescribed period using the TBS provided tracker.
  2. Sample or description of the internal process used to monitor for continued compliance (e.g. Periodic assessments; reporting and conformity follow-up requirements; active management of user access; monitoring for security incidents/events).

Document limit: 3

Government-wide Comparison

  • Yes, the results of the indicator will be used for comparison across departments
  • No (please provide an explanation)

Year-Over-Year Analysis

  • Yes
  • No

Departmental Results Framework (DRF) (TBS use only)

Is this indicator used in the TBS DRF?

  • Yes
  • No

Annex A

Annex B

Directive on Security Management Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control - F.2.5. Monitoring and corrective actions

Strategic Theme Title

Preparedness and Effective Response to Events

Strategic Theme Overview

The impacts of security events are minimized through effective preparation and response, and critical GC programs, services and operations can be maintained during disruptions.

Question 5 Preserved (Question 5 in 2021-22)

What is the percentage of the department or agency’s external services and internal enterprise services that have an up-to-date Business Impact Analysis (BIA)?

To answer:

  • TBS to answer
  • Department or Agency to answer
  • Both TBS and Department or Agency to answer

Rationale

Organizations are expected to define business continuity management (BCM) requirements for all their services and related activities supporting continued availability of services that are critical to the health, safety, security or economic well-being of Canadians, and/or to the effective functioning of government.

A BIA also provides departments and agencies the capability to identify the risk environment and defines BCM requirements. It is expected that a BIA be conducted on all departmental internal enterprise services and external services. Critical Services are identified as an outcome of a BIA (as set out in the PGS).

As part of the GC Service Inventory, organizations are expected to identify departmental Critical Services within their departmental Service Inventory, having conducted BIAs on each of their departmental internal enterprise services and external services to make the determination.

Updated BIA information will enable TBS to leverage accurate critical service data to make strategic decisions in current and future emergency situations and gauge the GC’s ability to respond to significant events.

A BIA is considered up to date when it was updated within three years of the MAF extraction date, or as otherwise outlined in the departmental BCM policy/procedures. Threats and associated risks to services should also be reviewed as a result of significant events which may impact the criticality of services and/or the previously identified continuity strategies and recovery priorities.

Category

  • Policy Compliance
  • Performance
  • Baseline

Note: All baseline questions will be included in MAF reporting products.

Expected Results

The target is 100%.

Assessed Organizations

Large departments and Agencies

Period of Assessment

November 1, 2021 – October 31, 2022

Calculation Method

“Total number of departmental internal enterprise services and external services with updated BIA” (numerator)

divided by

“Total number of internal enterprise services and external services” (denominator)

x100

Assessment Grid

Initial (1-39%): Presents strong opportunity to assess, prioritize, and categorize services based on their criticality to ensure the continued support and availability of services and their associated assets.

Developing (40-65%): Practice requires further refinement to support BCM requirements and limit potential impacts of disruption to services and associated assets.

Managed (65-94%): Practice nearing maturity, where additional progress is needed to improve preparedness for potential disruptions to services and associated assets.

Optimized (95-100%): Fully matured practice in consideration of an evolving risk environment.

Evidence Requirements

  • Department to provide evidence
  • TBS to provide evidence
  • Other evidence to be considered (please provide)

Data collection Method

GC Service Inventory (via GC EPM)

Government-wide Comparison

  • Yes, the results of the indicator will be used for comparison across departments
  • No (please provide an explanation)

Year-Over-Year Analysis

  • Yes
  • No

Departmental Results Framework (DRF) (TBS use only)

Is this indicator used in the TBS DRF?

  • Yes
  • No

Annex A

Annex B

Reference Materials:

Directive on Security Management, Appendix D, Mandatory Procedures for Business Continuity Management Control

Policy on Service and Digital

Question 6 New

What percentage of the department or agency’s identified critical services with an up-to-date business continuity plan were tested or exercised¹ within the last two years?

¹ Testing/exercises may include, but are not limited to, scenarios, simulations, functional exercises and full-scale exercises.

Note: For this response it is recognized that a critical service may have its own BCP, be included within a broader BCP, or be supported by multiple BCPs.

To answer:

  • TBS to answer
  • Department or Agency to answer
  • Both TBS and Department or Agency to answer

Rationale

Organizations are expected to define business continuity management (BCM) requirements for all their services and related activities supporting continued availability of services that are critical to the health, safety, security or economic well-being of Canadians, and/or to the effective functioning of government.

The continuous maintenance of Business Continuity Plans (BCPs) through regular testing ensures that the strategies are effective in ensuring business continuity.

Organizations’ performance expectations are evaluated to monitor their ability to maintain their BCPs and to remain current with the evolving risk environment, supporting the resiliency of their organization.

Category

  • Policy Compliance
  • Performance
  • Baseline

Note: All baseline questions will be included in MAF reporting products.

Expected Results

The target is 100%.

Assessed Organizations

Large departments and Agencies.

Period of Assessment

November 1, 2020 – October 31, 2022.

Calculation Method

“Total number of Critical Services with an up-to-date BCP tested or exercised in the past two years” (numerator)

divided by

“Total number of Critical Services” (denominator)

x100

Assessment Grid

Initial (1-39%): Presents a strong opportunity to improve the assessment of the effectiveness of continuity strategies and recovery priorities identified within BCPs.

Developing (40-65%): Testing practice requires further refinement in terms of scope of application to support BCM requirements and recovery priorities identified within BCPs.

Managed (65-94%): Practice is nearing maturity; improvement needed to consistently apply practice across the organization’s BCPs/Critical Services.

Optimized (95-100%): Represents a fully mature approach to BCM testing in support of assessing the effectiveness of continuity strategies and recovery priorities identified within BCPs.

Evidence Requirements

  • Department to provide evidence
  • TBS to provide evidence
  • Other evidence to be considered (please provide)

Data collection Method

GC Service Inventory (via GC EPM) + Documentary Evidence

Documentary evidence to include after action reports, lessons learned reports, briefing notes, records of discussion from hotwash or other records pertaining to the effectiveness of and/or corrective action resulting from the testing, exercising and/or the activation of business continuity plans, measures, and arrangements.

Document limit: 3

Government-wide Comparison

  • Yes, the results of the indicator will be used for comparison across departments
  • No (please provide an explanation)

Year-Over-Year Analysis

  • Yes
  • No

Departmental Results Framework (DRF) (TBS use only)

Is this indicator used in the TBS DRF?

  • Yes
  • No

Annex A

Annex B

Reference Materials:

Directive on Security Management, Appendix D, Mandatory Procedures for Business Continuity Management Control

Policy on Service and Digital

Strategic Theme Title

Trusted Information Systems and Processes

Strategic Theme Overview

Information systems and processes can be relied upon to protect information and to support trusted program and service delivery.

Question 7 New

What percentage of the department or agency’s production IT systems¹ have a valid authority to operate²?

¹ “Production IT systems” refers to any equipment or system that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of information or data. For the purposes of the Management Accountability Framework exercise, limit scope to production (i.e., not dev/testing) systems for which the department/agency is the system owner and that support the department/agency’s critical services. For example, a system that is a dependency for the department’s public-facing service, which has a maximum allowable downtime of 4 hours.

Note: the definition of “active applications” relates to the Services and Digital Area of Management and offers greater scope and application (e.g., applicable to the entirety of the Application Portfolio Management catalog), which differs from the Security Area of Management.

² “valid authority to operate” refers to a result from the department’s established IT security assessment and authorization process that has been signed by an appropriate authorizing senior departmental official (e.g., designated official for cyber security, chief security officer, chair of security committee, etc.) and is either

  • without conditions, provided the system has been reviewed or re-assessed within the past 3 years; or
  • with conditions, accompanied by a Plan of Action and Milestones, which is reviewed on a monthly basis.

To answer:

  • TBS to answer
  • Department or Agency to answer
  • Both TBS and Department or Agency to answer

Rationale

This data will be used to assess the implementation of the department or agency’s production IT systems, their intended operation, and achievement of desired outcomes with respect to meeting defined security requirements. The PGS (3.2.4) requires that “risk-based and standardized security practices and controls will be implemented, monitored and maintained”. Further, the Directive on Security Management (DSM) B.2.6 requires organizations to “implement IT security assessment and authorization processes”.

This information will enable Deputy Heads and central agencies to have and share the business intelligence necessary to make informed decisions on government security priorities and resources (PGS 3.2.3) towards assurance that information systems can be trusted to adequately protect information.

It is important to practice IT security control throughout the system’s life cycle to protect information systems, their components, and the information they process. Accountable departmental decision makers must be satisfied that appropriate security controls are in place and that any residual risks are sufficiently understood and accepted by all stakeholders.

Category

  • Policy Compliance
  • Performance
  • Baseline

Note: All baseline questions will be included in MAF reporting products.

Expected Results

The target is 100%.

Assessed Organizations

Large departments and Agencies.

Period of Assessment

November 1, 2021 – October 31, 2022

Calculation Method

Organizations are expected to provide a numerator and a denominator:

The number of the department’s internal production IT systems with a valid ATO (numerator)

divided by

The total number of the department’s internal production IT systems (denominator)

x100

Assessment Grid

Initial (1-39%): Presents strong opportunity to improve the scope of departmental or agency practices, where few production IT systems have a valid Authority to Operate (ATO).

Developing (40-65%): Practice requires further refinement, with the majority of the department or agency’s production IT systems having a valid Authority to Operate (ATO) with or without conditions or interim authorities. Opportunity remains to ensure that the majority of the department or agency’s production IT systems have a valid Authority to Operate (ATO) without conditions or interim authorities.

Managed (65-94%): Practice nearing maturity, with the majority of the department or agency’s production IT systems having a valid Authority to Operate (ATO) without conditions or interim authorities. Opportunities to ensure all production IT systems have a valid Authority to Operate (ATO) without conditions or interim authorities remain.

Optimized (95-100%): Represents a mature IT security program in terms of all of the department or agency’s production IT systems having a valid Authority to Operate (ATO) without conditions or interim authorities.
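An added example, not part of the MAF methodology or any TBS tracker: a short Python script that applies the “valid authority to operate” definition above to a constructed system inventory, computes the Question 7 numerator, denominator and percentage, and maps the result onto the assessment grid. The 31-day check for “reviewed on a monthly basis”, the placing of exactly 65% in the Managed band (the grid lists 65% in two bands) and of 0% in Initial, and all system names and dates are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class ProductionSystem:
    """One in-scope production IT system (department is owner; supports a critical service)."""
    name: str
    ato_signed: Optional[date]          # date the authorizing official signed; None = no ATO on file
    with_conditions: bool               # True = conditional ATO that must carry a PoA&M
    last_reassessment: Optional[date]   # most recent review/re-assessment, if any
    poam_last_review: Optional[date]    # last PoA&M review; only relevant when with_conditions


def _years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier (Feb 29 rolls back to Feb 28)."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def ato_is_valid(system: ProductionSystem, as_of: date) -> bool:
    """Apply the two-branch 'valid authority to operate' rule as of `as_of`."""
    if system.ato_signed is None or system.ato_signed > as_of:
        return False  # nothing signed by an authorizing official (or not yet signed)
    if not system.with_conditions:
        # Unconditional ATO: reviewed or re-assessed within the past 3 years.
        # The signing itself counts as the first assessment (assumption).
        last_review = system.last_reassessment or system.ato_signed
        return last_review >= _years_before(as_of, 3)
    # Conditional ATO: a PoA&M must exist and be reviewed monthly.
    # Assumption: "monthly" is checked as a review dated within the last 31 days.
    if system.poam_last_review is None:
        return False
    return system.poam_last_review >= as_of - timedelta(days=31)


def ato_coverage(systems: List[ProductionSystem], as_of: date) -> Tuple[int, int, float]:
    """Return (numerator, denominator, percentage) per the Question 7 calculation method."""
    denominator = len(systems)
    if denominator == 0:
        raise ValueError("no in-scope production IT systems to assess")
    numerator = sum(1 for s in systems if ato_is_valid(s, as_of))
    return numerator, denominator, round(100.0 * numerator / denominator, 1)


def maturity_band(percent: float) -> str:
    """Map a percentage onto the assessment grid (Initial/Developing/Managed/Optimized).

    Assumptions: exactly 65% is treated as Managed, and anything below 40%
    (including 0%, which the grid does not list) is treated as Initial.
    """
    if percent >= 95:
        return "Optimized"
    if percent >= 65:
        return "Managed"
    if percent >= 40:
        return "Developing"
    return "Initial"


# Constructed inventory; names and dates are invented for this example.
AS_OF = date(2022, 10, 31)  # end of the Question 7 period of assessment
SAMPLE_SYSTEMS = [
    ProductionSystem("payroll-portal", date(2020, 6, 1), False, None, None),          # valid: signed < 3 yrs ago
    ProductionSystem("case-mgmt", date(2018, 3, 15), False, date(2019, 5, 1), None),  # stale: last review > 3 yrs
    ProductionSystem("gis-service", date(2022, 1, 10), True, None, date(2022, 10, 15)),  # valid: PoA&M reviewed recently
    ProductionSystem("legacy-db", date(2021, 11, 1), True, None, date(2022, 6, 30)),     # lapsed: PoA&M review overdue
    ProductionSystem("benefits-api", None, False, None, None),                           # no signed ATO on file
]


def report(systems: List[ProductionSystem], as_of: date) -> str:
    """Human-readable summary of the indicator for the inventory."""
    num, den, pct = ato_coverage(systems, as_of)
    lines = [f"{s.name}: {'valid' if ato_is_valid(s, as_of) else 'NOT valid'}" for s in systems]
    lines.append(f"Question 7: {num}/{den} = {pct}% -> {maturity_band(pct)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SYSTEMS, AS_OF))
```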

Evidence Requirements

  • Department to provide evidence
  • TBS to provide evidence
  • Other evidence to be considered (please provide)

Data collection Method

Documentary evidence includes:

  • A copy of the department’s security assessment & authorization process or terms of reference for authorizers’ committee (to demonstrate they have the capacity to comply with DSM B.2.6); and
  • One copy of a valid ATO (to demonstrate that the above is put into practice).

Government-wide Comparison

  • Yes, the results of the indicator will be used for comparison across departments
  • No (please provide an explanation)

Year-Over-Year Analysis

  • Yes
  • No

Departmental Results Framework (DRF) (TBS use only)

Is this indicator used in the TBS DRF?

  • Yes
  • No

Annex A

Annex B

Reference Materials:

DSM B.2.6.3 (Authorize an information system before putting it into operation through established IT security assessment and authorization processes)
