Chapter 7: Information technology security
Use this chapter in conjunction with Annex D: Information technology security inspection process.
7.1 Overview
When organizations are awarded Government of Canada contracts (both prime and sub-contracts) that require them to use their own information technology (IT) system(s) to store/process/create protected or classified information as indicated in the contract’s security requirements checklist (SRCL) (section C.11.D and/or section C.11.E), they must first get authorization from Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP).
The organization cannot use its IT system to store/process/create protected or classified information until the IT security inspection process, conducted by a CSP IT security inspector, is completed and formalized in an IT written approval letter from PSPC’s CSP.
Organizations must not use an IT system in support of a contract to store/process/create protected or classified information before receiving authorization from PSPC’s CSP; doing so constitutes a breach of one or more of the terms of the contract.
7.2 Planning
An IT security plan is an important step in safeguarding and controlling an organization’s information system.
7.2.1 Physical security
Protected and classified information in electronic format, as well as protected and classified technology assets, must be physically safeguarded in an equivalent manner to hard-copy information as indicated in Chapter 5: Facility Protection, and Chapter 6: Handling and Safeguarding Information and Assets.
7.2.2 Electronic information security
Organizations must conduct IT security planning for the complete life-cycle of both the protected or classified information that is stored/processed/created and the IT equipment used in support of a contract.
Organizations must maintain an IT security posture that respects and maintains the confidentiality, integrity and availability of protected or classified electronic information for as long as that information is held.
PSPC’s CSP IT security inspections are based on the policies and guidelines found in the Policy on Government Security, the Policy on Service and Digital, the Directive on Service and Digital, the North Atlantic Treaty Organization Security Policy (PDF) as appropriate, other guidelines published by the Government of Canada, and business best-practice concepts.
7.3 Inspections
PSPC’s CSP IT security inspections occur after a contract with an IT requirement has been awarded. The organization must first meet the physical security requirements (Chapter 5: Facility protection) and have received a document safeguarding capability (DSC) at the level of the contract or higher.
Organizations must not store, process or create protected or classified information on their IT system(s) until PSPC’s CSP has issued an IT written approval letter.
PSPC’s CSP IT security inspections are performed to ensure that the residual risk to Government of Canada protected or classified information is low. Government departments and agencies have authorized PSPC’s CSP, through memoranda of understanding and other means, to approve IT systems for storing/processing/creating protected or classified information where the residual risk, as evaluated by the IT security inspector, is low.
IT security inspections are specific to a particular contract, and cover only the levels identified in the contract’s SRCL. The IT written approval letter is valid only for the contract(s) inspected against, and only for the duration of that contract or those contracts.
As part of the inspection process, organizations may receive recommendations and/or suggestions for improving their overall IT security posture which, when implemented, will provide IT security inspectors with a level of confidence that the residual risk is low.
For information on how an IT security inspection is performed, see Annex D: Information technology security inspection process.
More information on IT security is available on the Information technology security requirements webpage.