Annex D: Information technology security inspection process

On this page

1. Initiation
2. The on-site inspection
3. Off-site inspections
   1. Telephone inspections
   2. Attestation process
4. Post inspection
   1. Letter of recommendations
5. Approval
6. Changes to information technology systems after an information technology security inspection

I. Initiation

During the initiation phase of an information technology (IT) security inspection, Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP) IT security inspector will contact the organization’s company security officer (CSO) to discuss the upcoming inspection.

As part of the initiation phase, the organization will be expected to complete an IT security inspection checklist describing the IT system(s) it intends to use to store/process/create the protected and/or classified information associated with the contract. This checklist is not a pass/fail exercise, but serves as the key discussion tool for the on-site portion of the inspection. The scope of this document should only include a description of the IT system(s) to be used for storing/processing/creating protected or classified information associated with the contract. The CSO is expected to provide the completed IT security checklist and any supporting documentation to the IT security inspector within 30 days of receiving it.

Additionally, during the initiation phase of the inspection, if there is requirement for an on-site inspection, the IT security inspector will schedule a date and time for the inspection with the CSO.

II. The on-site inspection

During the on-site portion of the inspection, the IT security inspector will meet with the organization and evaluate its IT security posture for storing/processing/creating protected or classified information in support of the contract(s) for which inspections have been assigned.

The CSO or alternative company security officer (ACSO) must attend the on-site IT security inspection. If the CSO or ACSO is not an IT administrator for the IT systems being inspected, PSPC’s CSP highly recommends that the organization has an IT administrator familiar with the system(s) attend the inspection. Additionally, it may be beneficial for the organization and the inspector to have a business expert, knowledgeable of the duties performed in support of the contract, available to answer questions.

During the on-site inspection, the IT security inspector will:

• review the questions and responses provided on the IT security checklist and any supporting material
• validate that any requirements of the contract as described in an IT technical requirements document (if existing within the contract) have been met
• perform a walk-around of the IT system(s) in place for storing/processing/creating protected or classified information
• ask to speak with personnel associated with contractual activities if required

During this inspection, the IT security inspector notes any findings where the organization may not be in compliance with the requirements of the contract, of PSPC’s CSP, or of best business practices. For each finding, the inspector will make one or more recommendations to improve the IT security posture. These recommendations are made to the CSO during the inspection, as well as in a letter of recommendations following the inspection (Section IV. A: Letter of recommendations).

III. Off-site inspections

Where the inspection history and contractual requirements allow, PSPC’s CSP IT security inspectors may perform off-site inspections.  These inspections are performed in two ways:

• As a telephone inspection with the requirement for an on-site follow-up, or
• Through an attestation process

IV. Post inspection

Two conclusions can result from an IT security inspection:

• The organization is fully compliant with the requirements of the contract and PSPC’s CSP, resulting in an approval letter (Section V. Approval), or
• The organization is not fully compliant and recommendations have been made. Recommendations are made verbally to the CSO during the inspection and followed up with a letter of recommendations

V. Approval

When an inspection has no findings and therefore no recommendations, or when an organization has provided a response to the letter of recommendations indicating its IT security posture has been upgraded to align with the specific contract security requirements, PSPC’s CSP provides an IT approval letter to the organization and to the client department/client organization. The IT approval letter is only valid for the contract(s) inspected against, and is only valid for the duration of this/these contract(s).

The IT approval letter does not authorize the organization to use its IT system(s) for storing/processing/creating protected or classified information for any other contract.

An organization must not use an IT system to store/process/create protected or classified information before receiving authorization from PSPC’s CSP or it will be in breach of one or more of the terms of the contract.

VI. Changes to information technology systems after an information technology security inspection

As noted in the IT approval letter, if an organization makes significant modifications to the inspected IT system(s), PSPC’s CSP may suspend approval of these systems until re-inspected.

Organizations must notify PSPC’s CSP if they intend to significantly modify the inspected IT system(s) over the course of a contract. PSPC’s CSP will evaluate the modifications and determine whether to perform an inspection of the modified system(s).