MAF 2020 to 2021 Security Management Methodology

Methodology overview

Canadians have ongoing expectations that government will protect their sensitive and personal information, while effectively delivering services to the public. The extent to which government can ensure its own security directly affects its ability to deliver trusted programs and services that contribute to the health, safety, economic well-being and security of Canadians. In this vein, the Policy on Government Security (PGS) ensures an integrated and holistic approach to security management.

The 2020-2021 Security Management MAF Methodology is aligned with and supports the strategic outcomes outlined in the PGS and will continue to focus on: 1) Effective security planning and reporting; 2) Trusted workforce and partners; 3) Preparedness and effective response to events; 4) Trusted information systems and processes.

In addition, the methodology takes into consideration the extraordinary circumstances related to COVID-19 by including indicators designed to assess temporary measures of effective security planning and reporting processes during the pandemic, as well as the implementation of management practices related to security controls such as security screening, business continuity management, information management, and security event management.

Use of MAF Results

The 2020 to 2021 Management Accountability Framework (MAF) results will provide information to the three key audiences listed below.

Deputy heads:

  • An integrated view of the extent to which the organization meets expected results for its security management using a risk-based approach;
  • Potential areas for improvement and responsive actions which may be required to ensure security risks to the GC are continuously monitored; and
  • Where policy implementation challenges exist, an opportunity to course-correct or re-prioritize activities as needed.

Security community:

  • Current state of departmental security controls and management practices;
  • Benchmarks and comparative results; 
  • Leading practices to inform and advance departmental guides, procedures and tools; and,
  • Identification of common security needs to drive collective action to further strengthen GC security management.

Treasury Board of Canada Secretariat:

  • The level of policy compliance with the PGS and related maturity level of organizations;
  • Government-wide risks and systemic issues;
  • Leading practices to inform and advance GC wide guides, procedures and tools; and
  • Baseline government-wide performance data to inform decision making and policy refinement.

Period of assessment

While the period of assessment for each indicator may vary depending on the information required, the overall timeframe for this year’s assessment is April 1, 2019 to October 31, 2020, allowing for the submission of the most up-to-date information possible.

It should also be noted that TBS may refer to internal or external evaluations and audits (including Office of the Auditor General audits), the Application Portfolio Management process and associated Clarity tool, Lead Security Agency/Internal Enterprise Service Organization data, as well as other relevant information to support the MAF security management assessment and reporting.

Impact on Departments

Below is a summary of the impact on departments in terms of the number of questions and the submission of evidence, which illustrates a substantial reduction overall when compared to 2019-20.

Security Management                                                    2019-20   2020-21
Total number of questions                                                   17         6
Total number of questions which require the submission of evidence          14         5

  • Two core questions have been preserved from 2019-20 to provide trend analysis regarding business continuity planning and IT security;
  • There are also four new questions: one that advances the maturity of business continuity planning, and three that explore the impacts of COVID-19 on the security posture of departments; and
  • Of the 6 questions, 5 are for departments to answer and 1 is for TBS to answer.

Overall outcomes

The methodology will generate insights into a department’s or agency’s security planning, security control framework and security management practices that contribute to strengthening the overall security posture of the GC. This information is important for validating and informing security management decisions and direction, observing trends and changes, identifying areas of strength and areas that need attention, as well as the sharing of leading security management practices.

MAF 2020-21 Security Management Questionnaire

Question #1 Indicators Preserved from MAF 2019-20

What percentage of the department’s or agency’s critical services have a business continuity plan (BCP) in place?

Note 1: For this response it is recognized that a critical service may have its own BCP, be included within a broader BCP, or be supported by multiple BCPs.

Note 2: For this question, please note TBS is assessing only critical services, not mission critical IT systems.

Note 3: To ensure consistency and alignment in GC Critical Services, the critical services information submitted as evidence for this question will be compared to the GC Critical Services List (COVID-19) your department submitted to TBS in the spring for the purposes of the GC COVID-19 Response as well as your departmental Service Inventory. Any significant differences/discrepancies will be followed up by TBS for clarification with your department.

Rationale

In the event of a disruption, business continuity plans (BCP) provide for the continued availability of services and associated resources and assets that are critical to the health, safety, security or economic well-being of Canadians, or the effective functioning of government. Responses will help inform the extent to which organizations meet the related expected result. Departments, central agencies and senior management benefit from having a departmental view, as well as a GC-wide view, of policy compliance with the PGS requirement that departmental critical services have BCPs in place.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target (where applicable)

100% of the department’s or agency’s critical services have a BCP in place.

Calculation method (where applicable)

Number of critical services with a BCP in place divided by the total number of critical services multiplied by 100.

Evidence source and document limit

TBS to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: Clarity Tool and/or MAF Portal

Date of data extraction: Day following the date of the MAF submission deadline.

Data collection method: Documentary evidence

Evidence: Business continuity planning fields from the Clarity tool through Services Portfolio Management Module and/or a summary document outlining your critical services and whether a BCP is in place for each via the MAF Portal

Total number of critical services in scope will be determined using the following data fields and criteria:

Field name: Critical Service Impact(s) = all selections except “Non-Critical Service”

Critical services with a BCP in place are determined using:

Field name: Critical Service Impact(s) = all selections except “Non-Critical Service”, and Field name: BCP in place = “Yes”

Document limit: N/A

Period of assessment: March 2020 – Date of extraction

Department or agency to answer

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #2 Indicators Preserved from MAF 2019-20

Does the department or agency have the capacity to detect attempts at circumventing access management on its internally managed IT systems by internal users?

  • Yes
  • No

Rationale

The IT security posture of departments should continuously be maintained by monitoring threats and vulnerabilities, detecting malicious activity and unauthorized access, and taking both pre-emptive and responsive actions to minimize effects.

Widespread use of VPNs and other remote work technologies has made the government potentially more vulnerable to malicious activity. Additionally, the COVID-19 pandemic has made remote work the ‘new normal’. In this context, it is even more imperative that departments maintain the capacity to detect suspicious activity within their networks.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target (where applicable)

80% (This is a government wide target)

Calculation method (where applicable)

Reference Material: Directive on Security Management, Appendix B: Mandatory Procedures for Information Technology Security Control

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: Departments are required to submit as evidence a minimum of 1 of the following:

  1. Documents that demonstrate an IT security program is in place and that controls are defined and monitored to identify unauthorized system access and/or
  2. Records of IT system logs showing access information, including evidence of monitoring (e.g. procedures specifying which security officials will review system activity, how often, and what type of incident triggers an investigation; sanitized audit logs indicating suspicious access attempts).

Document limit: 3 documents

Period of assessment: March 1st – October 31st, 2020.
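The evidence for this question is partly procedural (which security officials review system activity, how often, and what triggers an investigation) and partly log-based (sanitized audit logs showing suspicious access attempts). As an added illustration, not part of the TBS methodology or any departmental tool, the following Python script shows what a minimal review rule over sanitized Linux auth-log lines might look like: it extracts failed sudo and su attempts by internal users, flags a user when a threshold of attempts is reached or when any attempted command targets an access-control file or command, and so makes the investigation trigger explicit. The log lines, hostnames, user names, threshold and list of sensitive targets are all constructed assumptions.

```python
"""Added illustration: minimal review of sanitized auth-log lines for signs of
internal users attempting to circumvent access management. Not TBS tooling;
log content, names and thresholds are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed, sanitized sample in Linux auth.log style. Hostnames, user names
# and addresses are placeholders, not real data.
SAMPLE_LOG = """\
Oct 12 09:01:02 ws-01 sshd[2210]: Accepted publickey for jdoe from 10.10.5.21 port 50122 ssh2
Oct 12 09:03:15 ws-01 sudo:     jdoe : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /etc/shadow
Oct 12 09:03:40 ws-01 sudo:     jdoe : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/visudo
Oct 12 09:04:02 ws-01 su: pam_unix(su:auth): authentication failure; logname=jdoe uid=1001 euid=0 tty=pts/0 ruser=jdoe rhost=  user=root
Oct 12 09:04:30 ws-01 sudo:     jdoe : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo jdoe
Oct 12 09:10:11 ws-01 sudo:   asmith : TTY=pts/1 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/apt update
Oct 12 09:12:45 ws-01 sudo:   asmith : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/asmith ; USER=root ; COMMAND=/bin/ls /root
Oct 12 09:15:00 ws-01 sshd[2304]: Accepted password for bwong from 10.10.5.44 port 50190 ssh2
"""

# Commands and files whose attempted use by a non-privileged user points at
# access-management circumvention rather than a typo (assumed list).
SENSITIVE_TARGETS = ("/etc/shadow", "/etc/sudoers", "visudo", "usermod",
                     "useradd", "passwd", "chmod", "setfacl")

# Each rule: event kind, regex with named groups "user" and "detail".
RULES = [
    ("sudo_not_permitted",
     re.compile(r"sudo:\s+(?P<user>\S+) : user NOT in sudoers .*COMMAND=(?P<detail>.+)$")),
    ("sudo_bad_password",
     re.compile(r"sudo:\s+(?P<user>\S+) : (?P<detail>\d+ incorrect password attempts)")),
    ("su_auth_failure",
     re.compile(r"su: pam_unix\(su:auth\): authentication failure;.*logname=(?P<user>\S+) .*user=(?P<detail>\S+)")),
]


@dataclass(frozen=True)
class Finding:
    user: str    # internal account that made the attempt
    kind: str    # which rule fired
    detail: str  # attempted command, target account, or failure summary


def parse_events(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a circumvention rule."""
    findings = []
    for line in log_text.splitlines():
        for kind, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(m.group("user"), kind, m.group("detail").strip()))
                break  # first matching rule wins
    return findings


def is_sensitive(detail: str) -> bool:
    return any(t in detail for t in SENSITIVE_TARGETS)


def severity(findings: List[Finding]) -> str:
    """'high' if any attempt targeted an access-control file or command."""
    return "high" if any(is_sensitive(f.detail) for f in findings) else "medium"


def users_to_investigate(findings: List[Finding], threshold: int = 2) -> Dict[str, List[Finding]]:
    """Investigation trigger: a user reaches `threshold` attempts in the
    reviewed window, or any single attempt touches a sensitive target."""
    by_user: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        by_user[f.user].append(f)
    return {u: evts for u, evts in by_user.items()
            if len(evts) >= threshold or severity(evts) == "high"}


if __name__ == "__main__":
    flagged = users_to_investigate(parse_events(SAMPLE_LOG))
    for user, evts in flagged.items():
        print(f"{user}: {len(evts)} attempt(s), severity={severity(evts)}")
        for f in evts:
            print(f"  {f.kind}: {f.detail}")
```

The threshold and the sensitive-target list are the reviewable part of such a rule; a department would keep them alongside the procedure that names the reviewing official and the review cadence, and would route the flagged users into its security event management process rather than treat the script output as evidence on its own.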

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #3 New Indicators for MAF 2020-21

What is the percentage of the department’s or agency’s critical services that have an up-to-date business impact analysis?

Note 1: To ensure consistency and alignment in GC Critical Services, the critical services submitted in the evidence provided for this question will be compared to the GC Critical Services List (COVID-19) your department submitted to TBS in the spring for the purposes of the GC COVID-19 Response, as well as your departmental Service Inventory. TBS will follow up and seek clarification with organizations if any significant differences/discrepancies are noted.

Rationale

Organizations are expected to define business continuity management requirements for all their services and activities supporting continued availability of services and associated assets that are critical to the health, safety, security or economic well-being of Canadians or to the effective functioning of government.

As part of the COVID-19 response efforts, organizations were expected to identify departmental Critical Services and provide a list to TBS. Critical Services are identified subsequent to the completion of a Business Impact Analysis (BIA) (as set out in the PGS). A BIA also provides departments and agencies the capability to identify their risk environment which leads to the identification of departmental critical services and associated continuity strategies.

As a result of COVID-19, the risk environment has been significantly altered and an updated list of Critical Services will help facilitate and inform decision-making and resource allocation for managing significant events impacting the delivery of critical services to Canadians. Responses will help assess the extent to which organizations have recently completed a BIA, as per their departmental or agency’s BCM operational policy or directive and compiled an updated list of their departmental critical services to reflect the change in the risk environment.

TBS will be assessing the critical services that are external and internal enterprise services, and whose disruption would result in a high or very high degree of injury to the 1. health, 2. safety, 3. security or, 4. economic well-being of Canadians or, 5. to the effective functioning of the Government of Canada. Business enabling functions do not fall into the definition of a critical service and therefore will not be considered. Our point of reference to determine whether the BIA is up to date is the expectation/requirement outlined in the departmental BCM policy/directive.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target (where applicable)

100% (This is a government wide target)

Calculation method (where applicable)

% of departmental critical services with an up-to-date BIA = ( number of departmental critical services with updated BIA / total number of critical services) x 100

Evidence source and document limit

TBS to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: Day following the date of the MAF submission deadline.

Data collection method: Documentary evidence

Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Evidence: Departments and Agencies will need to provide: summary reports outlining critical services, proof of the BCP/BIA renewal schedule as stated in departmental requirements (e.g. standard operating procedures, BCM policy/directive), and the date on which a BIA was last completed for each critical service.

TBS Data source: Business continuity planning fields from the Clarity tool (including COVID-19 exercise) through the Services Portfolio Management Module.

Document limit: Up to 4 documents

Period of assessment: March 2020 – Date of extraction
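The calculation methods for Question 1 (critical services with a BCP in place, scoped by the Critical Service Impact(s) and BCP in place fields) and Question 3 (critical services with an up-to-date BIA) can be checked before submission against a departmental export. The following Python script is an added illustration, not TBS’s Clarity tooling or any departmental system: it applies the Question 1 field criteria and the Glossary definition of “up to date” (within the departmental renewal timeframe, or 3 years where none is established) to constructed records. The record layout, the service names and dates, the extraction date and the departmental renewal cycle are all assumptions.

```python
"""Added illustration: computing the Q1 (BCP coverage) and Q3 (BIA currency)
percentages from a Clarity-style export, applying the field criteria and the
glossary definition of "up to date". Not TBS tooling; records are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

NON_CRITICAL = "Non-Critical Service"
DEFAULT_RENEWAL_YEARS = 3  # glossary fallback when no departmental timeframe exists
EXTRACTION_DATE = date(2020, 11, 16)  # placeholder for "day following the submission deadline"


@dataclass(frozen=True)
class ServiceRecord:
    name: str
    critical_impacts: Tuple[str, ...]   # "Critical Service Impact(s)" selections
    bcp_in_place: str                   # "BCP in place" field: "Yes" / "No"
    bia_last_completed: Optional[date]  # None if a BIA was never completed


# Constructed records; names and dates are illustrative only.
SAMPLE_RECORDS = [
    ServiceRecord("Benefit payments", ("Economic well-being of Canadians",), "Yes", date(2020, 4, 15)),
    ServiceRecord("Border entry processing", ("Safety", "Security"), "Yes", date(2017, 9, 1)),
    ServiceRecord("Emergency alerts", ("Health",), "No", date(2020, 3, 30)),
    ServiceRecord("Internal newsletter", (NON_CRITICAL,), "Yes", None),
    ServiceRecord("Payroll (internal enterprise)", ("Effective functioning of government",), "Yes", None),
]


def is_critical(rec: ServiceRecord) -> bool:
    """In scope when any impact selection is something other than Non-Critical Service."""
    return any(i != NON_CRITICAL for i in rec.critical_impacts)


def critical_services(records: List[ServiceRecord]) -> List[ServiceRecord]:
    return [r for r in records if is_critical(r)]


def percent(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def bcp_coverage(records: List[ServiceRecord]) -> float:
    """Q1: critical services with BCP in place = "Yes" / all critical services x 100."""
    crit = critical_services(records)
    return percent(sum(1 for r in crit if r.bcp_in_place == "Yes"), len(crit))


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February rolling into a non-leap year
        return d.replace(year=d.year + years, day=28)


def bia_is_up_to_date(rec: ServiceRecord, as_of: date, renewal_years: Optional[int] = None) -> bool:
    """Glossary rule: within the departmental renewal timeframe, or 3 years when none is set."""
    if rec.bia_last_completed is None:
        return False
    years = DEFAULT_RENEWAL_YEARS if renewal_years is None else renewal_years
    return as_of <= add_years(rec.bia_last_completed, years)


def bia_currency(records: List[ServiceRecord], as_of: date, renewal_years: Optional[int] = None) -> float:
    """Q3: critical services with an up-to-date BIA / all critical services x 100."""
    crit = critical_services(records)
    return percent(sum(1 for r in crit if bia_is_up_to_date(r, as_of, renewal_years)), len(crit))


if __name__ == "__main__":
    print(f"Critical services in scope: {len(critical_services(SAMPLE_RECORDS))}")
    print(f"Q1 BCP coverage: {bcp_coverage(SAMPLE_RECORDS)}%")
    print(f"Q3 BIA currency (3-year default): {bia_currency(SAMPLE_RECORDS, EXTRACTION_DATE)}%")
    print(f"Q3 BIA currency (4-year departmental cycle): {bia_currency(SAMPLE_RECORDS, EXTRACTION_DATE, 4)}%")
```

Two points the script makes explicit: a record whose only impact selection is “Non-Critical Service” drops out of both denominators, and a critical service with no completed BIA counts against the Question 3 target regardless of the renewal cycle.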

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #4 New Indicators for MAF 2020-21

Did the department or agency use the temporary variation to the Standard on Security Screening offered to federal organizations to provide hiring flexibility during the COVID-19 pandemic?

  • Yes
  • No

If yes, what is the percentage of security screening files identified by the department or agency for further review that are now considered to be complete (having carried out all required security screening activities)?

Rationale

In the context of COVID-19, and, in light of the guidance from the Public Health Agencies in Canada regarding physical distancing, it was not possible for a number of departments and agencies to fully complete all security screening processes when hiring new employees during the Spring and Summer 2020. In May 2020, the President of the Treasury Board approved a temporary variation to the Standard on Security Screening to provide departments with the flexibility to grant “conditional” security screening levels due to physical distancing. Responses will help inform TBS regarding the extent to which departments and agencies have had to use the temporary variation for security screening and the possible implications post-pandemic.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target (where applicable)

N/A

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: Template for reporting on use of the variation to the Standard on Security Screening developed by TBS for departments and agencies to complete.

Document limit: 1 document (Completed template for reporting on use of the variation to the Standard on Security Screening)

Period of assessment: March 1 – August 31, 2020

Reference materials

Treasury Board policy reference or Government of Canada priority

N/A

Question #5 New Indicators for MAF 2020-21

Which of the following did your organization implement and/or provide to its employees working remotely to ensure adherence to security policy requirements throughout the information management life cycle?

(Select all that apply)

  1. Guidance to employees on the appropriate reporting of security incidents and events
  2. Guidance to employees on the appropriate handling and classification of information
  3. Continuous monitoring of information management controls and security events to ensure consistent application
  4. Other, please specify
  5. None of the above

Rationale

In the COVID-19 context, remote work has become the ‘new normal’. This has affected information management security requirements, practices and controls, and has reinforced the importance of continuous monitoring and reporting of security events and incidents.

TBS will be assessing the extent to which departments have taken action within the COVID-19 context to ensure information management security requirements, practices and controls were defined, documented, implemented, assessed, monitored and maintained throughout all stages of the information life cycle to provide reasonable assurance that information was adequately protected in a manner that respects legal and other obligations and balances the risk of injury and threats with the cost of applying safeguards.

TBS will also be assessing whether departments took actions within the COVID-19 context to ensure security event management practices were defined, documented, implemented and maintained to monitor, respond to and report on threats, vulnerabilities, security incidents and other security events, and ensure that such activities were effectively coordinated within the department, with partners and government-wide, to manage potential impacts, support decision-making and enable the application of corrective actions.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target (where applicable)

N/A

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: Communication documents such as emails, websites, etc.

Date of data extraction: N/A

Data collection method: Documentary evidence (Via MAF Portal)

Evidence: Please prepare a summary document outlining the activities undertaken by your organization between March 16, 2020 and October 31, 2020 that align with each of the options identified above. For example, please identify any communications to employees from the CSO (or responsible senior official) reminding them of, or sharing, the procedures to follow for information management security, including those related to the proper classification and handling of information, as well as those for reporting a security event or incident while working remotely during the pandemic. Should you have many activities to report, you may wish to consider using a table format.

Document limit: 3 documents

Period of assessment: March 16 – October 31, 2020

Reference materials

Treasury Board policy reference or Government of Canada priority

Question #6 New Indicators for MAF 2020-21

Did the department or agency report to the deputy head or senior executive committee on the effectiveness of the Departmental Security Plan (DSP) in consideration of the current evolution of the security risks and associated priorities arising from impacts of the COVID-19 Pandemic?

  • Yes
  • No

Rationale

Annual reporting of DSP implementation progress and effectiveness supports the organization and the deputy head in responding to implementation challenges and provides the opportunity to course-correct or re-prioritize activities as needed. The COVID-19 pandemic has also provided the opportunity for deputy heads to re-evaluate the effectiveness of their existing DSPs in light of the current environment.

Category

  1. Policy compliance
  2. Performance
  3. Other

Target (where applicable)

100% (This is a government wide target)

Calculation method (where applicable)

N/A

Evidence source and document limit

TBS to answer
Department or agency to answer

This question applies to the following organizations:

  • Large departments and Agencies

Data source: N/A

Date of data extraction: N/A

Data collection method: Documentary evidence

Evidence: DSP progress report covering all areas of departmental security activities for fiscal year 2019-20, as well as the overall effectiveness of the plan, with evidence that the progress report was submitted to the deputy head.

Document limit: 3 documents

Period of assessment: April 1, 2019 - October 31st, 2020

Reference materials

Treasury Board policy reference or Government of Canada priority

Glossary

Administrative investigation:
A process to conduct an impartial review of security incidents and other security events of significance in a manner that ensures the rights of individuals, the protection of evidence, and does not hinder potential civil or criminal proceedings.
Administrative privileges:
The highest level of rights granted to the user of a computer or network.
Application Portfolio Management:
Application portfolio management (APM) is a framework for managing enterprise IT software applications and software-based services.
Chief Security Officer:
Senior security official designated by the deputy head in accordance with the Policy on Government Security to provide leadership, coordination and oversight for departmental security management activities.
Clarity tool:
CA Clarity is the current TBS central system used for the collection of Policy on Government Security (PGS 2019) Critical Service data, via the Services Module. Clarity also supports the Application Portfolio Management (APM) and IT Plan modules.
Contract:
An agreement between a contracting authority and a person or firm to provide a good, perform a service, construct a work or lease real property for appropriate consideration.
Contractor:
An individual who would not fall under sub-section 2(1) of the Public Service Labour Relations Act.
Critical service:
is a service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the effective functioning of the government.
Critical system:
information technology system or application that is essential for the delivery of a critical service and for which no alternative method of delivery exists; the systems and applications that would cause the most harm to public servants within Departments and Agencies if they were to become unavailable.
Deputy Head:
Deputy heads are responsible for internal security governance and security management, and for establishing departmental security priorities through Departmental Security Plans. Furthermore, they are also responsible for ensuring the application of standardized security controls within their department, commensurate with the risks to departmental information, people and assets, and their respective operating environment.
Facility:
a physical setting used to serve a specific purpose. A facility may be part of a building, a whole building, or a building plus its site; or it may be a construction that is not a building. The term encompasses both the physical object and its use (for example, weapons ranges, agriculture fields). (Operational Security Standard on Physical Security, Appendix A)
Facilities with higher security requirements
are defined by the departments or agency’s environmental scan (internal and external factors, potential impacts of compromise, the defined threats and current security controls effectiveness) and risk tolerance.
Governance body:
A group of officials who draw up the rules that govern the actions and conduct of an organization, and who ensure that these rules are followed.
Individual:
An individual is a person employed as an indeterminate, part-time, term or seasonal employee, casual, student or part-time worker in organizations defined in sub-section 2(1) of the Public Service Labour Relations Act.
Internal enterprise service:
A service provided by a Government of Canada department to other Government of Canada departments intended on a government-wide basis.
Internal Enterprise Service Organization:
A department or organization that provides internal enterprise services to other Government of Canada departments. This includes lead security agencies that deliver government-wide security services.
Internally managed system:
an information system that is managed by the department’s (or agency’s) own IT personnel and is not a system managed centrally by Shared Services Canada or another Government of Canada organization.
International travel:
The term applies to all travel whereby persons arriving in Canada are cleared through CBSA points of entry.
Internal user:
Individuals who have direct access to a departmental (or agency) information system, either physically or remotely (e.g., via VPN).
Lead Security Agency:
Provides departments with advice, guidance and services related to government security, consistent with its mandated responsibilities; appoints an executive to coordinate and oversee the provision of support services to departments; and ensures that the security support services provided help government departments achieve and maintain an acceptable state of security and readiness.
Security assessment:
The process of identifying and qualifying security-related threats, vulnerabilities and risks, to support the definition of security requirements and the identification of security controls to reduce risks to an acceptable level.
Security briefing:
During a security briefing, individuals are informed of their security responsibilities under the Policy on Government Security and of the access permissions attached to their screening level. Security briefings provide an opportunity for people to ask questions and to develop a better understanding of these responsibilities. A security briefing formalizes the granting of the security status or clearance, as well as the individual's acceptance of and agreement to abide by the security responsibilities. Security briefings are conducted at various times: before an individual takes up his or her duties, when required based on the update cycle, and whenever a change occurs in screening level.
Security control:
A legal, administrative, operational or technical measure for satisfying security requirements.  This term is synonymous with “safeguard.”
Security event:
Any event, act, omission or situation that may be detrimental to government security, including threats, vulnerabilities and security incidents.
Security incident:
Any event (or collection of events), act, omission or situation that has resulted in a compromise.
Security official:
Individuals designated by the deputy head in the departmental security governance as having overall responsibility for the security aspects of a program, service or activity area or for a security function.
Senior official:
For the purposes of the Policy on Government Security, individuals designated by the deputy head in the departmental security governance as having overall responsibility for the security aspects of a program, service or activity area or for a security function. Senior officials may include program officials, chief financial officers, chief audit executives, chief information officers, chief privacy officers and other officials designated pursuant to a statutory requirement, Treasury Board policy or other requirement. Senior officials also include individuals designated by the deputy heads of internal enterprise service organizations to oversee their internal enterprise service activities under the Policy on Government Security.
Systematic patch management:
A component of change management, involving the acquiring, testing, and installing of software fixes on an administered IT system.
Up to date
is within the departmental timeframe, as established in policy or procedure, for renewing security risk assessments, or 3 years in the absence of an established departmental timeframe.

Acronyms

APM
Application Portfolio Management system
BCM
Business Continuity Management
BCP
Business Continuity plan
CSO
Chief Security Officer
DSP
Departmental Security Plan
FY
Fiscal year
GC
Government of Canada
HTTPS
Hypertext Transfer Protocol Secure
IM
Information Management
IT
Information Technology
ITPIN
Information Technology Policy Implementation Notice
IESO
Internal Enterprise Service Organization
LSA
Lead Security Agency
MAF
Management Accountability Framework
PGS
Policy on Government Security
SEISP
Significant Event Information Sharing Protocol
SPIN
Security Policy Implementation Notice
SRCL
Security Requirements Checklist
TBS
Treasury Board of Canada Secretariat
