Chapter 6: Handling and safeguarding information and assets


Use this chapter in conjunction with Annex C: Guidelines for safeguarding information and assets.


6.1 Overview

When an organization is authorized under Public Services and Procurement Canada's Contract Security Program (CSP) to possess and store protected or classified information and assets (Subsection 3.2.2: Safeguards), it must have an asset security system that:

Access to protected and classified information and assets must be limited to persons who have the appropriate security level and who have a need to know.

These requirements also apply to any foreign classified and North Atlantic Treaty Organization (NATO) classified information, in addition to other NATO requirements (Chapter 10.2: North Atlantic Treaty Organization). The safeguarding principles outlined in this chapter for classified information apply to foreign or domestic government information, as well as to NATO, European Union and European Space Agency classified information.

Improper handling and safeguarding of protected and classified information and assets could result in the suspension or revocation of an organization’s designated organization screening (DOS) or facility security clearance (FSC), or an employee’s reliability status or security clearance, depending on the situation. Revocation or suspension of a DOS or FSC may result in the loss of any government contract requiring the organization to hold a security screening status.

The following sections provide an overview of each requirement for safeguarding protected and classified information and assets. Annex C: Guidelines for safeguarding information and assets provides further details on these requirements and should be read in conjunction with this chapter. These measures apply to any information that is copied or translated, which retains the security categorization level of the original information. Specific instructions on whether information can be copied or translated may be provided in the contract or in bilateral security instruments.

6.2 Secure environment

In an office environment, organizations must use restricted zones to safeguard information and assets. Appropriate security procedures ensure that information and assets are accessed only by persons authorized at the appropriate security level and with a need to know; that they are not left unattended; and that they are recorded, stored and disposed of properly. (Annex C: I. Secure environment)

6.2.1 Security level requirements

The security level determines the requirements for handling, storing, marking and disposing of protected and classified information and assets. Information on the types of security zones is available in Annex B: Guidelines for facility protection.

  1. Secret and Top Secret information and assets must be processed, stored and destroyed in a security zone unless a threat and risk analysis recommends a higher level of security zone
  2. Protected C information and assets must be processed, stored and destroyed in a security zone unless a threat and risk analysis recommends a higher security zone
  3. Confidential information and assets must be processed, stored and destroyed in an operations zone or higher
  4. Protected A and Protected B information and assets should be processed, stored and destroyed in an operations zone or higher

6.3 Records management

Organizations must have a suitable location, called a registry, to receive, distribute and store protected and classified information and assets.

Organizations must keep records of the dates, names and transactions of all classified information and assets indicating the receipt, distribution, creation, reproduction and destruction within the facility.

All records of protected/classified information and assets and all protected/classified information and assets must be available for inspection by the CSP field industrial security officers (FISO).

Using secure registries and implementing proper procedures protects all information and assets. These procedures include treating the registry as a security zone, implementing measures that prevent unauthorized access, and opening, releasing and marking records with the appropriate level of security. (Annex C: II. Records management)

Organizations must keep records of foreign information and assets unless otherwise stipulated in the contract clauses.

6.3.1 Retaining records

When a bid is not accepted, or when the contract is completed or terminated, protected and classified material and assets must be returned to the client department, destroyed using an approved third party destruction company or destroyed onsite if the organization has an approved shredder as specified by the CSP (Chapter 6.10: Destruction of records) or as directed by the CSP. Organizations may be authorized to retain such material when approved by the originator through the CSP.

Requests for retention authority must identify the material, the period of time and the justification.

If the organization has been authorized to retain related protected and classified information for a specific period after contract completion, details of this authorization must be included with the retention request.

Unless the retention authority is received in writing, protected and classified information must be disposed of according to Chapter 6.10: Destruction of records and instructions from the CSP.

6.4 Security markings

Protected and classified information must be appropriately marked using specific procedures and markings according to the level of sensitivity and the type of media, including microforms and electronic storage material.

Markings on international documentation are guided by international security memoranda of understanding, agreements or other international standards and guidelines (Annex C: III. Security markings). Contact the CSP by email: tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca for advice and assistance.

6.5 Storage

As a minimum, when located in an approved operations zone, protected and restricted information and assets must be stored in locked containers, such as cabinets, safes, vaults and secure rooms, unless otherwise stipulated in contract clauses. Protected C, Secret and Top Secret information and assets must be stored in an approved security container in a security zone (Chapter 5.2: Physical security), in accordance with the Royal Canadian Mounted Police (RCMP) Security Equipment Guide. Classified information at the Confidential level must be kept in an RCMP container, when located in an approved operations zone. When constructed to the specifications identified in the RCMP’s Secure Storage Rooms Guide and located in the appropriate zones, protected or classified information and assets may be stored on open shelving in a secure room. The FISO will provide advice and must inspect and approve the rooms before use.

Foreign classified information must be stored separate from all other forms of foreign or domestic classified and protected information. Protected and classified information and assets must not be stored in the same container as negotiable or attractive assets.

Organizations are permitted to purchase approved security equipment through the CSP. The company security officer (CSO) or alternate security officer (ACSO) should consult with the FISO by email: tpsgc.ssidie-issiid.pwgsc@tpsgc-pwgsc.gc.ca to determine the required equipment. After the FISO approves the order, the CSP will process the request, although the invoicing and delivery for the equipment are between the purchaser (the CSO) and the supplier. Examples of equipment available through this procedure are listed in Annex C: IV. Storage.

6.6 Use of computers

Computers, including portable computers, used for protected or classified information must not be removed from the organization without written permission from the CSO or ACSO. Computers used for protected or classified information must follow the security procedures for storage established by the organization, as well as transport and transmittal standards if they are removed from the organization. Further information about information technology security is available in Chapter 7: Information technology security.

6.7 Packaging and transmitting

When transmitting classified and protected information and assets, organizations must protect their security with proper packaging and maintain a record during transit and of delivery. Contact the CSP by email: tpsgc.ssidie-issiid.pwgsc@tpsgc-pwgsc.gc.ca for information.

Records of distribution, circulation and return within the facility must include receipt by signature of the persons involved. Persons who have access to classified information and assets must be briefed on their responsibilities for protecting it and any special restrictions concerning its use or further distribution.

Protected and classified information and assets must be packaged and transmitted in accordance with the RCMP's standards on transport and transmittal of protected and classified information and approved by the CSP for international transmittal. Hand carrying and/or bulk shipping specific protected and classified information and assets must follow specific procedures; the FISO will provide advice and assistance.

Organizations can submit their screening forms to the CSP by email since it is the organization’s protected information, but if the information is protected in relation to contracts, then the protected information should be encrypted before emailing.

Organizations must have the prior approval of the Canadian Designated Security Authority before internationally transmitting protected or classified information or assets. For more information, contact the CSP by email: tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca.

6.8 Transfer of information and assets

If an organization plans to transfer protected and/or classified information or assets from one site to another, the organization must ensure the sites are cleared with document safeguarding capability (DSC) and information technology (if applicable) for that specific contract prior to transfer. Note that this transfer can only be within Canada and does not include Top Secret, Protected C, communication security (COMSEC) material or NATO and foreign classified information or assets. The organization's CSO and ACSOs must follow a CSP-approved method of transportation for the exchange as well as account for and record the change in the document registry.

The CSP must approve the removal and transport of Protected C information and assets and COMSEC material, as well as all NATO, foreign and Canadian classified information at Confidential or above. For more information, contact the CSP by email: tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca.

6.9 Verbal and message communication

Unprotected telephones or facsimiles cannot be used to communicate information classified above restricted or designated above Protected A. The Communications Security Establishment will provide assistance to coordinate secure telephones or facsimiles.

Classified information can only be discussed in a room that has been constructed to ensure nothing is overheard. Any conference rooms used for discussing classified matters must:

6.10 Destruction of records

As identified in the contract clauses, protected and classified information and assets can either be returned to the client department, destroyed using an approved third party destruction company or the organization can shred onsite if they have an approved shredder. An organization’s shredder will be inspected by the FISO during the DSC inspection if a company indicates that they will be shredding on site. A certificate of destruction is required for classified information.

The CSP does not normally retrieve protected or classified information unless stipulated in the contract, requested to do so or in certain cases where the DSC is being revoked.

All foreign classified information must be destroyed in accordance with the contract clauses. Always validate with the CSP before destruction of foreign classified information. Foreign Restricted information and assets must also be destroyed in accordance with the requirements established in the contract clauses.

Protected and classified information and assets that have been authorized for destruction must be disposed of with the following requirements:

Note

Destruction of classified information and assets must be recorded on a certificate of destruction form, a copy of which must be forwarded to the CSP by email: tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca.
