On this page
- PM-01 Information security program plan
- PM-02 Information security program leadership role
- PM-03 Information security and privacy resources
- PM-04 Plan of action and milestones process
- PM-05 System and program inventory
- PM-06 Measures of performance
- PM-07 Enterprise architecture
- PM-08 Critical infrastructure plan
- PM-09 Risk management strategy
- PM-10 Authorization process
- PM-11 Mission and business process definition
- PM-12 Insider threat program
- PM-13 Security and privacy workforce
- PM-14 Testing, training, and monitoring
- PM-15 Security and privacy groups and associations
- PM-16 Threat awareness program
- PM-17 Protecting controlled information on outsourced external systems
- PM-18 Privacy program plan
- PM-19 Privacy program leadership role
- PM-20 Communication of key privacy services
- PM-21 Maintain a record of disclosures
- PM-22 Personal information quality management
- PM-23 Data governance committee
- PM-24 Data integrity board
- PM-25 Minimization of personal information used in testing, training, and research
- PM-26 Complaint management
- PM-27 Privacy reporting
- PM-28 Risk framing
- PM-29 Risk management program leadership roles
- PM-30 Supply chain risk management strategy
- PM-31 Continuous monitoring strategy
- PM-32 Purposing
TBS, through its policy suite, requires GC departments and agencies to develop, implement, and provide oversight for organization-wide information security and privacy programs to help ensure the confidentiality, integrity, and availability of GC information processed, stored, and transmitted by GC information systems and to protect individual privacy. The program management (PM) controls and activities described in this section are implemented at the organization level and not directed at individual information systems.
PM-01 Information security program plan
Activity
- Develop and disseminate an organization-wide information security program plan that
- provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements
- includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance
- reflects the coordination among organizational entities responsible for information security
- is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and Canada
- Review and update the organization-wide information security program plan [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
- Protect the information security program plan from unauthorized disclosure and modification
Discussion
An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. An information security program plan can be represented in a single document or sets of documents. Privacy program plans and supply chain risk management plans are addressed separately in PM-18 and SR-02, respectively.
An information security program plan documents implementation details about program management and common controls. The plan provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended. Updates to information security program plans reflect organizational changes and problems identified during plan implementation or control assessments.
Program management controls may be implemented at the organization, mission, or business process level, and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular system. Together, the individual system security plans and the organization-wide information security program plan provide complete coverage for the security controls employed within the organization.
Common controls available for inheritance by organizational systems are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.
Events that may precipitate an update to the information security program plan include, but are not limited to, organization-wide assessment or audit findings, security incidents or breaches, or changes in laws, Orders in Council, directives, regulations, policies, standards, and guidelines.
Related controls and activities
PL-02, PM-18, PM-30, RA-09, SI-02, SI-12, SR-02.
Enhancements
None.
References
- Privacy Act
- TBS Policy on Privacy Protection
- TBS Policy on Government Security
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- TBS Guide to Integrated Risk Management
PM-02 Information security program leadership role
Control
Appoint a senior official in the department’s security governance with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Discussion
The senior official in the department’s security governance is an organizational official. For federal departments and agencies (as defined by applicable laws, Orders in Council, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer.
Related controls and activities
None.
Enhancements
None.
References
None.
PM-03 Information security and privacy resources
Control
- Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement
- Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, Orders in Council, directives, policies, regulations, and standards
- Make the planned information security and privacy resources available for expenditure
Discussion
Organizations consider establishing champions for information security and privacy and, as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower a group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process.
Related controls and activities
PM-04, SA-02.
Enhancements
None.
References
- TBS Directive on Privacy Practices
- TBS Guideline on Service and Digital
- TBS Directive on Security Management: Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control
PM-04 Plan of action and milestones process
Activity
- Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems
- are developed and maintained
- document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and Canada
- are reported in accordance with established reporting requirements
- Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions
Discussion
Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission/business process level, and organizational/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in CA-05.
GC discussion
The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the TBS.
Related controls and activities
CA-05, CA-07, PM-03, RA-07, SI-12.
Enhancements
None.
References
- TBS Framework for the Management of Risk
PM-05 System and program inventory
Control
Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems and programs.
Discussion
System inventory refers to an organization-wide inventory of systems, not system components as described in CM-08.
Related controls and activities
None.
Enhancements
- (01) System and program inventory: Inventory of personal information
- Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, programs, applications, and projects that process personal information.
- Discussion: An inventory of systems, programs, applications, and projects that handle personal information supports the mapping of data actions, the confirmation of lawful authority for collection, the maintenance of accurate personal information, and the limiting of handling of personal information to what relates directly to an operating program or activity of the organization. Organizations may use this inventory to ensure that systems only handle the personal information required for an institution’s operating programs and services, in compliance with approved retention standards.
- GC discussion: For GC organizations, personal information intended to be used to make administrative decisions should also be reflected in personal information banks (PIBs). These PIBs can be either institution-specific or standard and should comprehensively reflect every element of personal information. PIBs also describe the legislative authority for the collection, the permissible uses and disclosures of the information, and the retention and disposition standards. They may also describe requirements for individuals who are seeking access to their personal information.
- Related controls and activities: AC-03, CM-08, CM-12, CM-13, PL-08, PM-22, PT-03, PT-05, SI-12, SI-18.
References
- Privacy Act
- TBS Policy on Privacy Protection
- TBS Directive on Privacy Practices
- GC Info Source: Online Publishing Requirements
PM-06 Measures of performance
Activity
Develop, monitor, and report on the results of information security and privacy measures of performance.
Discussion
Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. To facilitate security and privacy risk management, organizations consider aligning measures of performance with the organizational risk tolerance as defined in the risk management strategy.
Cyber security performance metrics could include the volume of security breaches, attainment of Cyber Security Readiness Goals (CRGs), robustness, timeliness of post-incident change implementation, and security investment compared with the costs budgeted for lawsuits, class actions, public relations, and incident recovery. Factors to consider when assessing privacy measures of performance include the volume of privacy breaches, metrics related to well-founded complaints to the Office of the Privacy Commissioner of Canada (OPC), and the completion of privacy assessment tools for organizational programs and services.
Related controls and activities
CA-07, PM-09.
Enhancements
None.
References
- Privacy Act
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- TBS Directive on Security Management, Appendix E: Mandatory Procedures for Information Management Security Control
PM-07 Enterprise architecture
Activity
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and Canada.
Discussion
The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development lifecycle and are explicitly related to the organization’s mission and business processes. Integrating those requirements also embeds organizational security and privacy architectures, consistent with the organizational risk management strategy, into the enterprise architecture.
For PM-07, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-08, the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Cyber Centre Cyber security and privacy risk management: A lifecycle approach series, together with supporting security standards and guidelines.
GC discussion
For GC departments and agencies, security and privacy requirements and control integration are most effectively accomplished by rigorously applying, to the departmental architecture, the Cyber Security and Privacy Risk Management: A Lifecycle Approach series, together with the supporting privacy policy suite requirements issued by TBS and considering the requirements set by legislation, regulations, and jurisprudence.
Related controls and activities
AU-06, PL-02, PL-08, PM-11, RA-02, SA-03, SA-08, SA-17.
Enhancements
- (01) Enterprise architecture: Offloading
- Offload [Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider.
- Discussion: Not every function or service that a system provides is essential to organizational mission or business functions. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services that support essential mission or business functions. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission-essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are SMEs in the functions or services. If an external provider has access to personal information, it is important to ensure privacy controls and activities are reflected in associated contract vehicles.
- Related controls and activities: SA-08.
References
- TBS Government of Canada Enterprise Architecture Framework
- Organizational cyber security and privacy risk management activities (ITSP.10.036)
- System lifecycle cyber security and privacy risk management activities (ITSP.10.037)
- Privacy Act
- TBS Policy on Privacy Protection
- TBS Directive on Privacy Practices
PM-08 Critical infrastructure plan
Activity
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Discussion
Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, jurisprudence, Orders in Council, directives, policies, regulations, standards, and guidelines.
Related controls and activities
CP-02, CP-04, PE-18, PL-02, PM-09, PM-11, PM-18, RA-03, SI-12.
Enhancements
None.
References
- Public Safety Canada Risk Management Guide for Critical Infrastructure Sectors
PM-09 Risk management strategy
Activity
- Develop a comprehensive strategy to manage the
- security risks to organizational operations and assets, individuals, other organizations, and Canada associated with the operation and use of organizational systems
- privacy risks to individuals resulting from the authorized handling of personal information
- Implement the risk management strategy consistently across the organization
- Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes
Discussion
An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time.
The senior accountable official for risk management (head of department or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy across the organization.
The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad and comprehensive. The supply chain risk management strategy described in PM-30 can also provide useful inputs to the organization-wide risk management strategy.
Related controls and activities
AC-01, AU-01, AT-01, CA-01, CA-02, CA-05, CA-06, CA-07, CM-01, CP-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PL-02, PM-02, PM-08, PM-18, PM-28, PM-30, PS-01, PT-01, PT-02, PT-03, RA-01, RA-03, RA-09, SA-01, SA-04, SC-01, SC-38, SI-01, SI-12, SR-01, SR-02.
Enhancements
None.
References
- TBS Framework for the Management of Risk
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- TBS Directive on Service and Digital
- TBS Guideline on Service and Digital
- TBS Directive on Privacy Practices, Appendix C: Standard on Privacy Impact Assessment
- TBS Directive on Privacy Practices
PM-10 Authorization process
Control
- Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes
- Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process
- Integrate the authorization processes into an organization-wide risk management program
Discussion
Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The authorization processes for the organization are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and Canada.
Related controls and activities
CA-06, CA-07, PL-02.
Enhancements
None.
References
- TBS Framework for the Management of Risk
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- TBS Guideline on Service and Digital
PM-11 Mission and business process definition
Activity
- Define organizational mission and business processes with consideration for information security and privacy protection and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and Canada
- Determine information protection and personal information handling needs arising from the defined mission and business processes
- Review and revise the mission and business processes [Assignment: organization-defined frequency]
Discussion
Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and Canada from the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personal information handling needs are derived from the mission and business needs defined by organizational stakeholders, the mission and business processes designed to meet those needs, and the organizational risk management strategy.
Information protection and personal information handling needs determine the required controls for the organization and the systems. Inherent to defining protection and personal information handling needs is an understanding of the adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations.
Privacy risks to individuals can arise from the compromise of personal information, but they can also arise as unintended consequences or a by-product of the handling of personal information at any stage of the information lifecycle. PIAs are used to identify potential injuries that may arise from the handling of personal information. These impact assessments enable the selection of the required controls. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policies and procedures.
Related controls and activities
CP-02, PL-02, PM-07, PM-08, RA-02, RA-03, RA-09, SA-02.
Enhancements
None.
References
- TBS Directive on Security Management
- TBS Guideline on Service and Digital
- TBS Policy on Privacy Protection
- TBS Directive on Privacy Practices
- TBS Directive on Privacy Practices, Appendix C: Standard on Privacy Impact Assessment
PM-12 Insider threat program
Control
Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
Discussion
Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviours in the workplace, including ongoing patterns of disgruntled behaviour and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts.
However, the use of human resource records could raise significant concerns for privacy and compliance with the Charter of Rights and Freedoms. The participation of a legal team, including consultation with the appropriate privacy senior official or executive, ensures that monitoring activities are performed in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines.
GC discussion
In addition, there are specific notice requirements when monitoring GC electronic networks and devices. These additional requirements are reflected in the Policy, Directive and Guidelines on Service and Digital.
Related controls and activities
AC-06, AT-02, AU-06, AU-07, AU-10, AU-12, AU-13, CA-07, IA-04, IR-04, MP-07, PE-02, PM-14, PM-16, PS-03, PS-04, PS-05, PS-07, PS-08, SC-07, SC-38, SI-04.
Enhancements
None.
References
- TBS Policy on Service and Digital
- TBS Directive on Service and Digital
- TBS Guideline on Service and Digital
PM-13 Security and privacy workforce
Activity
Establish a security and privacy workforce development and improvement program.
Discussion
Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility.
The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals. A capable workforce means that employees have the necessary resources, tools, relationships, training, education, and supervisory support to enable them to apply knowledge and skills in their day-to-day work.
GC discussion
The TBS Guideline on Service and Digital provides non-exhaustive lists of desired knowledge and skills, as well as additional training resources.
Related controls and activities
AT-02, AT-03.
Enhancements
None.
References
- TBS Policy on Service and Digital
- TBS Directive on Service and Digital
- TBS Guideline on Service and Digital
PM-14 Testing, training, and monitoring
Activity
- Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems
- are developed and maintained
- continue to be executed
- Review testing, training, and monitoring plans for consistency with the organizational security and privacy risk management strategy and organization-wide priorities for risk response actions
Discussion
A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the 3 levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.
Related controls and activities
AT-02, AT-03, CA-07, CP-04, IR-03, PM-12, SI-04.
Enhancements
None.
References
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- TBS Directive on Security Management, Appendix D: Mandatory Procedures for Business Continuity Management Control
- TBS Directive on Security Management, Appendix E: Mandatory Procedures for Information Management Security Control
- TBS Directive on Security Management, Appendix H: Mandatory Procedures for Security Awareness and Training Control
PM-15 Security and privacy groups and associations
Activity
Establish and institutionalize contact with selected groups and associations within the security and privacy communities to:
- facilitate ongoing security and privacy education and training for organizational personnel
- maintain currency with recommended security and privacy practices, techniques, and technologies
- share current security and privacy information, including threats, vulnerabilities, and incidents
Discussion
Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on mission and business functions. Organizations share threat, vulnerability, and incident information, as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, Orders in Council, directives, policies, regulations, standards, and guidelines.
Related controls and activities
SA-11, SI-05.
Enhancements
None.
References
None.
PM-16 Threat awareness program
Control
Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
Discussion
Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information, including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may require special agreements and protection, or it may be freely shared.
Related controls and activities
IR-04, PM-12.
Enhancements
- (01) Threat awareness program: Automated means for sharing threat intelligence
- Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.
- Discussion: To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By using well-established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed the relevant threat detection signatures into monitoring tools.
- Related controls and activities: None.
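The enhancement above describes the loop the automation has to close: indicators arrive in a machine-readable exchange format, are translated into signatures the organization's sensors understand, and are matched against what those sensors observe. The following Python is an added example written for this page; it is not code from the Cyber Centre, TBS, or any product the page references. It assumes STIX 2.1 as the exchange format (the page names no particular framework) and uses only constructed data: the bundle, its identifiers, the addresses and hash, the mapping from STIX observable paths to log fields, and the log lines are all made up for the example. It deliberately handles only single equality comparisons and reports anything it cannot translate, because an indicator silently dropped by automation is a gap in monitoring that nobody knows about.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample: a STIX 2.1-style bundle with four indicators. The
# identifiers, addresses, domain and hash are made up for this example.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f1e2d3c-4b5a-4697-8a9b-0c1d2e3f4a5b",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0001-4000-8000-000000000001",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "Constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0002-4000-8000-000000000002",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "Constructed C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example-threat.invalid']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0003-4000-8000-000000000003",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "Constructed dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']",
         "valid_from": "2024-01-01T00:00:00Z"},
        # A compound pattern this minimal translator does not support; it is
        # reported as unsupported rather than silently dropped.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0004-4000-8000-000000000004",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "name": "Constructed compound pattern", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 4444]",
         "valid_from": "2024-01-01T00:00:00Z"},
    ],
})

# Constructed log lines (one JSON object per line), as a sensor might emit them.
SAMPLE_LOGS = [
    '{"ts": "2024-02-01T10:00:01Z", "host": "ws-17", "dst_ip": "203.0.113.5", "domain": "", "sha256": ""}',
    '{"ts": "2024-02-01T10:00:02Z", "host": "ws-17", "dst_ip": "192.0.2.10", "domain": "c2.example-threat.invalid", "sha256": ""}',
    '{"ts": "2024-02-01T10:00:03Z", "host": "srv-03", "dst_ip": "192.0.2.11", "domain": "updates.example.com", "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}',
    '{"ts": "2024-02-01T10:00:04Z", "host": "srv-03", "dst_ip": "192.0.2.12", "domain": "updates.example.com", "sha256": ""}',
]


@dataclass(frozen=True)
class Signature:
    indicator_id: str
    name: str
    field: str   # log field the value is compared against
    value: str


# Single equality comparison only: [<object-type>:<path> = '<value>']
_SIMPLE_PATTERN = re.compile(r"^\[\s*([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'\s*\]$")

# Assumed mapping from STIX cyber-observable paths to this example's log fields.
_FIELD_MAP = {
    ("ipv4-addr", "value"): "dst_ip",
    ("domain-name", "value"): "domain",
    ("file", "hashes.'SHA-256'"): "sha256",
}


def translate_bundle(bundle_json: str):
    """Return (signatures, unsupported) for the indicators in a STIX bundle.

    Revoked indicators, non-STIX pattern types, patterns that are more than a
    single equality comparison, empty values and unmapped observable paths go
    to `unsupported` with a reason so an analyst can see what was not loaded.
    """
    signatures, unsupported = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("revoked"):
            unsupported.append((obj["id"], "revoked"))
            continue
        if obj.get("pattern_type") != "stix":
            unsupported.append((obj["id"], f"pattern_type {obj.get('pattern_type')!r}"))
            continue
        m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not m:
            unsupported.append((obj["id"], "pattern is not a single equality comparison"))
            continue
        obj_type, path, value = m.groups()
        field = _FIELD_MAP.get((obj_type, path))
        if field is None:
            unsupported.append((obj["id"], f"no log field mapped for {obj_type}:{path}"))
            continue
        if not value:
            unsupported.append((obj["id"], "empty value would match every event"))
            continue
        signatures.append(Signature(obj["id"], obj.get("name", ""), field, value))
    return signatures, unsupported


def match_logs(signatures, log_lines):
    """Return one hit per (log line, signature) whose field equals the value.

    Comparison is case-insensitive, which is right for domains and hex hashes
    and harmless for IP addresses. Malformed lines are skipped.
    """
    by_field = {}
    for sig in signatures:
        by_field.setdefault(sig.field, {})[sig.value.lower()] = sig
    hits = []
    for lineno, raw in enumerate(log_lines, 1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        for field, table in by_field.items():
            sig = table.get(str(event.get(field, "")).lower())
            if sig is not None:
                hits.append({"line": lineno, "indicator": sig.indicator_id,
                             "name": sig.name, "field": field})
    return hits


if __name__ == "__main__":
    sigs, unsupported = translate_bundle(SAMPLE_BUNDLE)
    for hit in match_logs(sigs, SAMPLE_LOGS):
        print("hit", hit)
    for ind_id, reason in unsupported:
        print("unsupported", ind_id, reason)
```

Two design choices carry over to a real pipeline: the field mapping is explicit and small, so an indicator type the sensors cannot observe is reported rather than matched against nothing, and the translator returns its rejects alongside its signatures, so the coverage the feed is actually providing can be measured (PM-06) instead of assumed.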
References
- TBS Directive on Security Management, Appendix I: Standard on Security Event Reporting
- TBS Government of Canada Cyber Security Event Management Plan (GC CSEMP)
PM-17 Protecting controlled information on outsourced external systems
Control
- Establish policy and procedures to ensure that requirements for the protection of controlled information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, Orders in Council, directives, policies, regulations, and standards
- Review and update the policy and procedures [Assignment: organization-defined frequency]
Discussion
None.
GC discussion
Controlled information (CI) includes Protected A, Protected B and controlled goods information that is not classified. Protected information is defined by the TBS Directive on Security Management, Appendix J: Standard on Security Categorization along with the safeguarding and dissemination requirements for such information and is codified in the TBS Policy on Privacy Protection. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes. Chapter 6 of PSPC Contract Security Manual is dedicated to the handling and safeguarding of information and assets and is used in conjunction with Annex C – Guidelines for safeguarding information and assets. Requirements related to information sharing agreements or arrangements are documented in TBS’ Guidance on Preparing Information Sharing Agreements Involving Personal Information.
Related controls and activities
CA-06, PM-10.
Enhancements
None.
References
- TBS Directive on Security Management, Appendix J: Standard on Security Categorization
- TBS Policy on Privacy Protection
- PSPC Contract Security Manual, Chapter 6: Handling and safeguarding information and assets
- PSPC Contract Security Manual, Annex C: Guidelines for safeguarding information and assets
PM-18 Privacy program plan
Activity
- Develop and disseminate an organization-wide privacy program plan that provides an overview of the organization’s privacy program, and
- includes a description of the structure of the service delivery program for privacy and the resources dedicated to the privacy program
- provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements
- includes the role of the appropriate privacy senior official or executive, describes the formal delegation of authority from the Deputy Head, and identifies and assigns the roles of other privacy officials and staff and their responsibilities
- describes management commitment, compliance requirements, and the strategic goals and objectives of the privacy program
- reflects coordination among organizational entities responsible for the different aspects of privacy
- is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and Canada
- Update the plan [Assignment: organization-defined frequency] and address changes in the application of federal privacy laws based on jurisprudence and policy and organizational changes and problems identified during plan implementation or privacy control assessments
- Ensure the privacy program plan is communicated and made available to personnel responsible for implementing the plan
Discussion
A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the appropriate privacy senior official or executive and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.
The appropriate privacy senior official or executive is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection operations explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.
Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. Together, the privacy plans for individual systems and the organization-wide privacy program plan provide complete coverage for the privacy controls employed within the organization.
Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls.
Related controls and activities
PM-08, PM-09, PM-19.
Enhancements
None.
References
- TBS Policy on Privacy Protection
- TBS Directive on Privacy Practices
- OPC Guidance document: Getting Accountability Right with a Privacy Management Program
- OPC Privacy Guide for Businesses
PM-19 Privacy program leadership role
Control
Appoint an appropriate privacy senior official or executive with the authority, mission, accountability, and resources to coordinate, develop, and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
Discussion
The privacy officer is an organizational official.
GC discussion
For GC departments and agencies — as defined by applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines — this official is appointed by the head of an institution as the appropriate privacy senior official or executive. Organizations may also refer to this appropriate privacy senior official or executive as the CPO. The appropriate privacy senior official or executive also has roles on the data governance committee (see PM-23) and the committee on data and information (see PM-24).
Related controls and activities
PM-18, PM-20, PM-23, PM-24, PM-27.
Enhancements
None.
References
PM-20 Communication of key privacy services
Control
Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy services and that:
- ensures that the public has access to a list of programs and services that collect and use personal information via Info Source
- ensures that organizational privacy policies, practices and resources are published in the Annual Report to Parliament on the Administration of the Privacy Act
- communicates publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices
- includes summaries of completed PIAs
- includes direction to individuals about how to file a request to access their personal information, how to file a formal records correction and how to file a formal complaint, if they choose to do so
Discussion
None.
GC discussion
For federal departments and agencies, the central webpage with respect to privacy legislation is located at https://laws-lois.justice.gc.ca/. Individual federal departments and agencies typically include contact information for CPOs, summaries of PIAs, publications such as the Annual Report to Parliament on the Administration of the Privacy Act, program activity summaries such as Info Source, and instructions for individuals seeking to file requests to access or correct their personal information as well as complaint procedures.
Related controls and activities
AC-03, PM-19, PT-05, PT-06, PT-07, RA-08.
Enhancements
- (01) Communication of key privacy services: Privacy policies on websites, applications, and digital services
- Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, if the privacy of website visitors could be affected. Ensure that policies:
- are written in plain language and organized in a way that is easy to understand and navigate
- provide information needed by the public to make an informed decision about whether and how to interact with the organization
- are updated whenever the organization makes a substantive change to the practices it describes and include a time/date stamp to inform the public of the date of the most recent changes
- Discussion: Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services if the privacy of website visitors could be affected. Organizations post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. Organizations may be subject to applicable laws, directives, regulations, or policies that require the provision of specific information to the public. Organizational personnel consult with the appropriate privacy senior official or executive and legal counsel regarding such requirements.
- Related controls and activities: None.
References
PM-21 Maintain a record of disclosures
Control
- Establish procedures for, and maintain, a record of disclosures of personal information, including the
- date and details of the disclosure
- position and address, or other contact information of the individual or organization to which the disclosure was made
- Keep a record of disclosures for the length of the time the personal information is maintained or as required by the organization’s information management standards
- Make the record of disclosure available to the individual to whom the personal information relates, upon request, unless the disclosure meets the exemptions cited in the Privacy Act
- Establish a contract, information sharing agreement or information sharing arrangement to document appropriate safeguards prior to any disclosure of personal information to another federal program or to another public or private sector entity
Discussion
The purpose of records of disclosures is to allow individuals to learn to whom their personal information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or annotated personal information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures.
PIPEDA generally requires organizations to obtain an individual’s consent before they disclose their personal information. Personal information is either allowed or prohibited to be disclosed depending on the purposes for doing so, as stated in subsection 5(3).
Organizations can use any system for keeping records of disclosures, provided they can construct from such a system a document listing all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personal information is disclosed, including commercial services that provide notifications and alerts. Keeping records of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information and dissemination restrictions.
GC discussion
For GC departments and agencies, keeping records of disclosures is required by applicable legislation, policies, and directives. Institutions should consult with their appropriate privacy senior official or executive, legal counsel and information management officials on this requirement and be aware of the statutory exceptions and TBS guidance relating to the provision.
Related controls and activities
AC-03, AU-02, PT-02.
Enhancements
None.
References
- TBS Policy on Privacy Protection
- TBS Directive on Privacy Practices
- Privacy Act
- Privacy Regulations SOR/83-508
- PIPEDA
- TBS Guidance on Preparing Information Sharing Agreements Involving Personal Information
PM-22 Personal information quality management
Control
Develop and document organization-wide policies and procedures for:
- reviewing for the accuracy, relevance, timeliness, and completeness of personal information across the information lifecycle
- implementing a records correction process that facilitates correcting or deleting inaccurate or outdated personal information
- implementing a records correction process that facilitates disseminating notice of corrected personal information when the incorrect information has been disclosed previously
- ensuring that collection procedures adhere to the requirements of applicable legislation
- documenting any changes or modifications to the information, including the date and sources of the information change
Discussion
Personal information quality management includes steps that organizations take to confirm the accuracy and relevance of personal information throughout the information lifecycle. The personal information lifecycle includes the creation, collection, use, correction, retention, disclosure, and disposition of personal information.
Organizational policies and procedures for personal information quality management are important because inaccurate or outdated personal information maintained by organizations may cause problems for individuals. Organizations consider the quality of personal information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or where the disclosure of the information may cause stigmatization.
In certain circumstances, incorrect personal information can cause problems for individuals that outweigh the benefits of organizations maintaining the personal information. Organizations should consider creating policies and procedures for the removal of such personal information.
The appropriate privacy senior official or executive ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personal information. Processes for correcting or deleting data are clearly defined and publicly available.
Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses should include the reasons for the decisions, a means to record individual objections to the decisions, and a means to file a complaint with the OPC if the individual wishes to pursue the matter further.
Organizations notify individuals or their designated representatives when their personal information is corrected or deleted to provide transparency and confirm the completed action. Due to the complexity of data flows and storage, other entities may need to be informed of the correction or deletion. Notice supports the consistent correction and deletion of personal information across the data ecosystem.
GC discussion
Organizations have an obligation to ensure the accuracy of personal information used in a decision-making process. This obligation includes steps to confirm the accuracy of personal information throughout the information lifecycle. Subsection 6(2) of the Privacy Act requires a government institution to take all reasonable steps to ensure that the collected personal information is accurate, up-to-date and as complete as possible.
The Directive on Privacy Practices provides additional details such as collecting information directly from the individual unless the individual authorizes otherwise or for reasons permitted by subsection 5(1) of the Privacy Act; collecting information from reliable sources; and validating and verifying the information before using the information for a decision-making process, if appropriate. When validating the accuracy of personal information, identify in the relevant PIB description the source or technique used, including any data matching, where appropriate.
Organizations ensure that individuals are given the opportunity, whenever possible, to correct inaccurate personal information before any decision is made that could have an impact on them. Organizational policies and procedures to ensure accuracy of personal information are important to ensure the integrity of any administrative decisions made using that information. Inaccurate information may result in adverse decisions or the denial of benefits and services. Organizations need to balance the necessity of holding information versus the invasiveness to the individual. One aspect to consider is the impact of a potential compromise of the information. Organizations should work with Information Management officials to determine an appropriate retention schedule for the personal information.
Organizations publish retention standards in their PIBs to ensure transparency. When information is deleted in accordance with the retention standard, organizations may choose to inform individuals of the completed action.
Related controls and activities
PM-23, SI-18.
Enhancements
None.
References
- Privacy Act
- Privacy Regulations SOR/83-508
- TBS Directive on Privacy Practices
- TBS Directive on Personal Information Requests and Correction of Personal Information
- TBS Guidance on Preparing Information Sharing Agreements Involving Personal Information
PM-23 Data governance committee
Activity
Establish a data governance committee consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities].
Discussion
A data governance committee can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The data governance committee establishes policies, procedures, and standards that facilitate data governance so that data, including personal information, is effectively managed and maintained in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidance.
Responsibilities can include developing and implementing guidelines that support data modeling, quality, integrity, and the de-identification needs of personal information across the information lifecycle. The data governance committee may oversee the reviewing and approving of applications to release data outside of the organization, the archiving of applications and the released data, and post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid.
The data governance committee may also oversee the use of data, including personal information, in technologies such as advanced analytics, automation and artificial intelligence, perform statistical analyses to identify and mitigate systemic bias in institutional systems and data, analyze the de-identification techniques to ensure ongoing effectiveness, and ensure appropriate accountability mechanisms are in place, updated, understood, and followed.
Members typically include the CIO, the CSO, and the appropriate privacy senior official or executive, such as a CPO.
Related controls and activities
AT-02, AT-03, PM-19, PM-22, PM-24, PT-07, SI-04, SI-19.
Enhancements
None.
References
None.
PM-24 Data integrity board
Activity
Establish a data integrity board to:
- review proposals to conduct or participate in a matching program
- conduct an annual review of all matching programs in which the organization has participated
Discussion
None.
GC discussion
A data integrity board is the board of senior officials designated by the head of a GC department or agency and is responsible for, among other things, reviewing the organization’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records subject to the Privacy Act or PIPEDA from 2 or more automated systems of records or an automated system of records and automated records maintained by a non-federal organization (or agent thereof).
GC departments and agencies can establish an assistant deputy minister committee on data and information (ADM CDI) to review proposals on all uses of data by the institution, up to and including automation, advanced analytics, and artificial intelligence. At a minimum, the ADM CDI includes the chief data officer (CDO), CIO, CSO, and the appropriate privacy senior official or executive.
Related controls and activities
AC-04, PM-19, PM-23, PT-02, PT-08.
Enhancements
None.
References
PM-25 Minimization of personal information used in testing, training, and research
Control
- Develop, document, and implement policies and procedures that address the use of personal information for internal testing, training, and research
- Limit or minimize the amount of personal information used for internal testing, training, and research purposes
- Authorize the use of personal information in internal testing, training, and research when the required result cannot be achieved without the use of the personal information
- Review and update policies and procedures [Assignment: organization-defined frequency]
- Restrict the disclosure of datasets containing personal information to external contractors, wherever possible
Discussion
The use of personal information in testing, training, and research increases the risk of unauthorized uses and disclosures of such information. Organizations consult with the appropriate privacy senior official or executive and/or legal counsel to ensure that the use of personal information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder (de-identified or anonymized) data to avoid exposure of personal information when conducting testing, training, and research. If the use of personal information cannot be avoided in these environments, then the testing, training or research environments become subject to the same control requirements as the original environment.
GC discussion
GC departments and agencies consult with the appropriate privacy senior official or executive and/or legal counsel to ensure that the use of personal information in testing, training, and research is compatible with the original purpose for which it was collected or permissible under subsection 8(2) of the Privacy Act. Information-sharing agreements for research and statistical purposes are provided for in subsection 8(2)(j) of the Privacy Act. For the use of personal information in training activities, organizations may rely on training as a consistent use of the information, in accordance with subsection 8(2)(a) of the Privacy Act.
When organizations collect personal information for the express purpose of research or program evaluation, institutions should ensure that the collected personal information is reflected in any privacy notice, PIAs, and PIBs relevant to the program.
Related controls and activities
PM-23, PT-03, SA-03, SA-08, SI-12.
Enhancements
None.
References
- TBS Directive on Privacy Practices, Appendix C: Standard on Privacy Impact Assessment
- Privacy Act
- PIPEDA
- TBS Privacy Implementation Notice 2020-03: Protecting privacy when releasing information about a small number of individuals
PM-26 Complaint management
Control
Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:
- mechanisms that are easy to use and readily accessible by the public
- all information necessary for successfully filing complaints
- tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period]
- acknowledgment of receipt of complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]
- response, with discretion, to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]
Discussion
Complaints, concerns, and questions from individuals can serve as valuable sources of input to organizations and ultimately improve operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the appropriate privacy senior official or executive or other official designated to receive complaints. Privacy complaints may also include personal information, which is handled in accordance with relevant policies and processes. Under certain circumstances, the OPC can initiate its own investigation or complaint.
GC discussion
Departments and agencies are required to implement a process that acknowledges individuals’ rights to file a complaint related to the collection, retention, or disposal of personal information; the use or disclosure of personal information; and their rights of access to their personal information. Organizations should inform individuals of their right to complain about the handling of their personal information, including both organization contacts and the OPC complaint resolution contact.
When informed of a formal privacy complaint and/or investigation by the OPC, organizations should be prepared to provide a clear description of the relevant facts and circumstances related to the complaint, copies of any documentation relevant to the matter under investigation, a clear statement of the organization’s position concerning the allegations, and specifics of any action taken to date, or planned to be taken.
GC departments and agencies should review trends to assess opportunities to proactively improve privacy practices and report complaint volumes and trends in the organization’s Annual Report to Parliament for the Privacy Act.
Related controls and activities
IR-07, IR-09, PM-22, SI-18.
Enhancements
None.
References
- TBS Policy on Privacy Protection
- TBS Directive on Privacy Practices
- TBS Directive on Personal Information Requests and Correction of Personal Information
- Privacy Act
- PIPEDA
PM-27 Privacy reporting
Activity
- Develop [Assignment: organization-defined privacy reports] and disseminate to
- [Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and privacy policy mandates
- [Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program compliance
- Review and update privacy reports [Assignment: organization-defined frequency]
- Federal departments and agencies are required to report details related to the administration of the Privacy Act to both Parliament and TBS, as per section 72 of the Privacy Act
Discussion
None.
GC discussion
Organizations promote accountability and transparency in organizational privacy operations through internal and external reporting. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. TBS is responsible for the operational policies, directives, and guidelines relating to the Privacy Act and its regulations.
For GC departments and agencies, annual privacy reports are prepared by the head of each institution, reporting on the administration of the Privacy Act. The appropriate privacy senior official or executive consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.
The Privacy Commissioner of Canada is an Agent of Parliament with the duty of protecting and promoting privacy rights and is responsible for reporting annually to Parliament on activities. The Privacy Commissioner can also report at any time on any important matter within the scope of the Commissioner’s powers, duties and functions.
Related controls and activities
IR-09, PM-19.
Enhancements
None.
References
PM-28 Risk framing
Activity
- Identify and document
- assumptions affecting risk assessments, risk responses, and risk monitoring
- constraints affecting risk assessments, risk responses, and risk monitoring
- priorities and trade-offs considered by the organization for managing risk
- organizational risk tolerance
- Distribute the results of risk framing activities to [Assignment: organization-defined personnel]
- Review and update risk framing considerations [Assignment: organization-defined frequency]
Discussion
Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified as part of the risk framing process inform the risk management strategy, which in turn informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, the senior agency information security officer, the appropriate privacy senior official or executive, and the senior accountable official for risk management.
Related controls and activities
CA-07, PM-09, RA-03, RA-07.
Enhancements
None.
References
- TBS Framework for the Management of Risk
- TBS Guide to Integrated Risk Management
- CSE-RCMP Harmonized Threat and Risk Assessment Methodology (TRA-1)
PM-29 Risk management program leadership roles
Control
- Appoint a senior accountable official for risk management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes
- Establish a risk executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization
Discussion
The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.
Related controls and activities
PM-02, PM-19.
Enhancements
None.
References
PM-30 Supply chain risk management strategy
Activity
- Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services
- Implement the supply chain risk management strategy consistently across the organization
- Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency], or as required to address organizational changes
Discussion
An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities.
Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans.
In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see SR-02) is implemented at the system level.
Related controls and activities
CM-10, PM-09, SR-01, SR-02, SR-03, SR-04, SR-05, SR-06, SR-07, SR-08, SR-09, SR-11.
Enhancements
- (01) Supply chain risk management strategy: Suppliers of critical or mission-essential items
  - Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.
  - Discussion: The identification and prioritization of suppliers of critical or mission-essential technologies, products, and services is paramount to the mission/business success of organizations. The assessment of suppliers is conducted using supplier reviews (see SR-06) and supply chain risk assessment processes (see RA-03(01)). An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.
  - Related controls and activities: RA-03, SR-06.
References
- Cyber supply chain: An approach to assessing risk (ITSAP.10.070)
- Supply chain security for small and medium-sized organizations (ITSAP.00.070)
- Public Safety Canada Risk Management Guide for Critical Infrastructure Sectors
- ISO 27036-1 Cybersecurity — Supplier relationships — Part 1: Overview and concepts
- ISO 27036-2 Cybersecurity — Supplier relationships — Part 2: Requirements
- ISO 20243-1 Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products
PM-31 Continuous monitoring strategy
Activity
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:
- the establishment of the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]
- the establishment of [Assignment: organization-defined monitoring frequencies] and [Assignment: organization-defined assessment frequencies] for control effectiveness
- ongoing monitoring of organization-defined metrics in accordance with the continuous monitoring strategy
- correlation and analysis of information generated by control assessments and monitoring
- response actions to address results of the analysis of control assessment and monitoring information
- reporting on the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]
Discussion
Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms “continuous” and “ongoing” imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions.
Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies.
Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capacity to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy.
Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as AC-02G, AC-02(07), AC-02(12)a, AC-02(07)b, AC-02(07)c, AC-17(01), AT-04A, AU-13, AU-13(01), AU-13(02), CA-07, CM-03F, CM-06D, CM-11C, IR-05, MA-02B, MA-03A, MA-04A, PE-03D, PE-06, PE-14B, PE-16, PE-20, PM-06, PM-23, PS-07E, SA-09C, SC-05(03)b, SC-07A, SC-07(24)b, SC-18B, SC-43B, SI-04.
Related controls and activities
AC-02, AC-06, AC-17, AT-04, AU-06, AU-13, CA-02, CA-05, CA-06, CA-07, CM-03, CM-04, CM-06, CM-11, IA-05, IR-05, MA-02, MA-03, MA-04, PE-03, PE-06, PE-14, PE-16, PE-20, PL-02, PM-04, PM-06, PM-09, PM-10, PM-12, PM-14, PM-23, PM-28, PS-07, PT-07, RA-03, RA-05, RA-07, SA-09, SA-11, SC-05, SC-07, SC-18, SC-38, SC-43, SI-03, SI-04, SI-12, SR-02, SR-04.
Enhancements
None.
References
- TBS Directive on Security Management
- TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control
- TBS Directive on Security Management, Appendix E: Mandatory Procedures for Information Management Security Control
PM-32 Purposing
Control
Analyze [Assignment: organization-defined systems or system components] supporting mission-essential services or functions to ensure that the information resources are being used consistent with their intended purpose.
Discussion
Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside the scope of the intended mission or business functions. This can expose information resources to unintended environments and uses that significantly increase threat exposure. As a result, the systems become more vulnerable to compromise, which can ultimately impact the services and functions for which they were intended. This is especially impactful for mission-essential services and functions. By analyzing resource use, organizations can identify such potential exposures.
Related controls and activities
CA-07, PL-02, RA-03, RA-09.
Enhancements
None.
References
None.