Annex D: Information technology security inspection process
Use this annex in conjunction with the Chapter 7: Information technology security of the Contract Security Manual (CSM).
I. Initiation
During the initiation phase of an information technology (IT) security inspection, Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP) IT security inspector will contact the organization’s company security officer (CSO) to discuss the upcoming inspection.
As part of the initiation phase, the organization will be expected to complete an IT security inspection checklist describing the IT system(s) it intends to use to store/process/create the protected and/or classified information associated with the contract. This checklist is not a pass/fail exercise, but serves as the key discussion tool for the on-site portion of the inspection. The scope of this document should only include a description of the IT system(s) to be used for storing/processing/creating protected or classified information associated with the contract. The CSO is expected to provide the completed IT security checklist and any supporting documentation to the IT security inspector within 30 days of receiving it.
Additionally, during the initiation phase of the inspection, if there is a requirement for an on-site inspection, the IT security inspector will schedule a date and time for the inspection with the CSO.
II. The on-site inspection
During the on-site portion of the inspection, the IT security inspector will meet with the organization and evaluate its IT security posture for storing/processing/creating protected or classified information in support of the contract(s) for which inspections have been assigned.
The CSO or alternate company security officer (ACSO) must attend the on-site IT security inspection. If the CSO or ACSO is not an IT administrator for the IT systems being inspected, PSPC’s CSP highly recommends that the organization have an IT administrator familiar with the system(s) attend the inspection. Additionally, it may be beneficial for the organization and the inspector to have a business expert, knowledgeable of the duties performed in support of the contract, available to answer questions.
During the on-site inspection, the IT security inspector will:
- review the questions and responses provided on the IT security checklist and any supporting material
- validate that any requirements of the contract as described in an IT technical requirements document (if existing within the contract) have been met
- perform a walk-around of the IT system(s) in place for storing/processing/creating protected or classified information
- ask to speak with personnel associated with contractual activities if required
During this inspection, the IT security inspector notes any findings where the organization may not be in compliance with the requirements of the contract, of PSPC’s CSP, or of best business practices. For each finding, the inspector will make one or more recommendations to improve the IT security posture. These recommendations are made to the CSO during the inspection, as well as in a letter of recommendations following the inspection (Section IV. A: Letter of recommendations).
III. Off-site inspections
Where the inspection history and contractual requirements allow, PSPC’s CSP IT security inspectors may perform off-site inspections. These inspections are performed in two ways:
- As a telephone inspection with the requirement for an on-site follow-up, or
- Through an attestation process
A. Telephone inspections
Telephone inspections operate in the same way as an on-site inspection, except that the IT security inspector will not perform a walk-around of the IT system(s) and will instead rely on the evidence provided by the organization.
B. Attestation process
If an organization has been inspected at the security level of the current contract within the previous two years and intends to use the same IT system(s), or system(s) configured identically to previously inspected system(s), the CSO will be asked to attest to the following:
- the organization will use IT system(s) that were previously inspected and approved by PSPC’s CSP
- the organization has not made major changes to the IT system(s) since the previous inspection
- there have been no breaches in security related to using the IT system(s) for storing/processing/creating protected or classified information
- if the contract contains an IT security technical document, the organization is aware of this document and compliant with its requirements
The organization must also provide a completed IT security checklist for the current inspection to the IT security inspector.
IV. Post inspection
Two conclusions can result from an IT security inspection:
- The organization is fully compliant with the requirements of the contract and PSPC’s CSP, resulting in an approval letter (Section V. Approval), or
- The organization is not fully compliant and recommendations have been made. Recommendations are made verbally to the CSO during the inspection and followed up with a letter of recommendations
A. Letter of recommendations
The letter of recommendations outlines the recommendations and/or suggestions made by the IT security inspector to the CSO. Upon receipt of the letter of recommendations, the CSO has 30 days to respond to them.
The CSO’s response must describe the actions taken (or to be taken) by the organization to address each of the recommendations/suggestions in the letter. This document must be signed by the CSO and provided to the IT security inspector.
V. Approval
When an inspection has no findings and therefore no recommendations, or when an organization has provided a response to the letter of recommendations indicating its IT security posture has been upgraded to align with the specific contract security requirements, PSPC’s CSP provides an IT approval letter to the organization and to the client department/client organization. The IT approval letter is only valid for the contract(s) inspected against, and is only valid for the duration of this/these contract(s).
The IT approval letter does not authorize the organization to use its IT system(s) for storing/processing/creating protected or classified information for any other contract.
An organization must not use an IT system to store/process/create protected or classified information before receiving authorization from PSPC’s CSP or it will be in breach of one or more of the terms of the contract.
VI. Changes to information technology systems after an information technology security inspection
As noted in the IT approval letter, if an organization makes significant modifications to the inspected IT system(s), PSPC’s CSP may suspend approval of these systems until re-inspected.
Organizations must notify PSPC’s CSP if they intend to significantly modify the inspected IT system(s) over the course of a contract. PSPC’s CSP will evaluate the modifications and determine whether to perform an inspection of the modified system(s).