HRSDC USB STORAGE DEVICES DIRECTIVE
REVISION HISTORY
| VERSION | DATE | AUTHOR | DESCRIPTION |
|---|---|---|---|
| Draft_v.1.0 | 4 Jan 2013 | Jacques Lee - ISP | Initial Draft |
| Draft_v.1.1 | 4 Jan 2013 | Marc Power | Second Draft |
| Draft_v.1.2 | 4 Jan 2013 | Jacques Lee | Modification of language and References |
| Draft_v.1.4 | 7 Jan 2013 | Lorne Sundby | Addition and modification of content |
| Draft_v 1.5 | 8 Jan 2013 | Lorne Sundby | Further modification after consultation with partners |
| Draft_v 1.6 | 9 Jan 2013 | Lorne Sundby | Modifications after consultation with CMC |
| Final | 10 Jan 2013 | Lorne Sundby | Modifications after consultation with PISC |
| Final - | 12 Jan 2013 | Jacques Lee | Formatting applied to approved formatted document |
1. TITLE
HRSDC USB (Universal Serial Bus) Storage Devices Directive
2. EFFECTIVE DATE
This Directive is effective as of January 10, 2013.
3. APPLICATION/SCOPE
This Directive applies to all users (herein referred to as “users”) of the HRSDC network, including
but not limited to employees, managers, students and contractors.
“HRSDC” means Human Resources and Skills Development Canada (including Service Canada
and the Labour Program) and is herein referred to as “the Department” or “departmental”.
The provisions of this Directive also apply to Shared Services Canada (SSC) users until such time
as they are no longer connected to the HRSDC network.
This Directive applies to all USB storage devices, including but not limited to USB keys (also
called USB drives, flash memory, flash drives, thumb drives, jump drives, and memory sticks) and
portable hard drives.
4. CONTEXT
This Directive is subordinate to Treasury Board Secretariat policies as follows:
• Policy Framework on Information and Technology
(http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12452)
• Directive on Management of Information Technology
(http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=15249)
• Policy on Government Security
(http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578)
This Directive supersedes existing policies and directives dealing specifically with USB storage
devices, and is complementary to existing policies and directives related to data handling, data
access, data storage, and data movement.
This Directive is focused exclusively on the technical solutions recommended for a given
information-handling task. Notwithstanding the technical solution, or the presence of encryption,
the user is responsible for determining information handling requirements as stipulated by the
Information Classification Guide (http://iservice.prv/eng/is/security/docs/classification_guide.pdf)
and/or by consulting the office of the Departmental Security Officer or the Chief Privacy Officer.
5. DEFINITIONS

| Term | Definition |
|---|---|
| USB | Universal Serial Bus |
| Bus | A subsystem that transfers data between components inside a computer, or between computers |
| Portable Hard Drive | A storage device of significant capacity which connects externally to the PC or laptop by way of a USB cable |
| USB key | Also called a flash drive, memory stick, memory key, or jump drive. A USB key is a small and convenient storage device which connects without a cable, directly to the USB port of a PC or laptop. |
| MP3 player | A commercial/consumer product which is designed to store and replay digitized music and video. This class of products includes iPods. MP3 players are not authorized for use on the HRSDC network. |
| Memory card reader | A stand alone device which connects via the USB port and enables the reading of SD, MicroSD and similar memory cards ordinarily found in smart phones and cameras. |
| Smart Phone | Includes a class of cellular telephones with enhanced abilities to manage information, compute, and store data. HRSDC-issued Blackberries are authorized on the HRSDC network. Non-GOC Blackberries, iPhones, and any other cellular device including but not limited to those running the Android or Windows 7 operating systems are not authorized. |
6. DIRECTIVE STATEMENT
6.1 Objective
The objective of this Directive is to:
• Enhance the safeguarding of data that resides within the department’s responsibility;
• Ensure that where data needs to be transferred or shared for business purposes,
appropriate tools are employed which mitigate the risk of loss or unauthorized access.
• Reduce or eliminate losses of information that may result in injury to citizens’ personal or
financial integrity, damage to Departmental applications or technology, and/or loss of
confidence in the Department’s ability to responsibly manage citizens’ private information.
6.2 Expected Results
All users will adhere to the Directive; as a result a range of potential risks will be mitigated or
eliminated:
• Loss: Devices used to transfer or transport work files and/or other sensitive information
could be lost or stolen.
• Theft: Sensitive departmental data could be deliberately stolen and used or sold by a user.
• Spyware: Spyware or tracking code could enter the network via USB-based devices.
• Malware: Viruses, Trojans, Worms, and other threats could be introduced via USB-based
devices.
• Compliance: Loss or theft of protected, classified or secret data could expose the
Department to the risk of non-compliance with privacy laws, or expose its clients to the risk
of fraud.
7. DIRECTIVE REQUIREMENTS
7.1 Acceptable USB Storage Devices (USB keys)
7.1.1 Two types of departmentally-procured and issued USB keys are approved for use:
• Biometric/encrypted USB keys are suitable where users (principally mobile workers,
teleworkers, and executives) have a need to store and transport information electronically
where they are the only user of said information.
• Password/encrypted USB keys are suitable where information needs to be shared between
users within the department and/or between departments.
7.1.2 Unapproved USB keys are not to be connected to the network. This includes USB keys that
are:
• Procured by the branch/department, but which are not encrypted
• Furnished by vendors, contractors, private sector organizations, or for other similar or
promotional purposes
• Personal USB keys
7.1.3 Where an unapproved USB key contains data that is necessary to satisfy business
requirements, the user must contact the National Service Desk (1-800-268-0408) for assistance in
transferring the data to the HRSDC network.
7.1.4 Where another government department or agency provides information on a USB key, this
device may be connected to the network solely for the purposes of copying the information to the
HRSDC network, after which it is to be removed and returned to the originator.
7.1.5 All approved USB keys will include an attached coloured tag with the phone number of the
National Service Desk.
• This makes the key more visible when it is plugged into a PC, making it less likely to be
forgotten or misplaced;
• The tag encourages someone finding the key to call the National Service Desk and
increases the likelihood it will be returned to the department if misplaced;
• The tag is therefore not to be removed from the key for any reason.
7.1.6 IITB is responsible for procuring all USB keys.
• In order to provide adequate control and assurance that appropriate devices are being
introduced to the network, branches are not to procure their own USB keys unless
authorized to do so by the CIO.
7.1.7 The DSO (Departmental Security Officer) is responsible for distributing the keys, keeping a
record of who has been assigned one, and recovering keys at separation.
7.1.8 USB keys will only be distributed to individual users at the discretion of respective branch
ADMs after consideration of whether such a tool is required to satisfy business requirements.
7.2 Unacceptable USB Storage Devices
7.2.1 Portable hard drives are not permitted on the HRSDC network.
Where there is a business requirement that can only be adequately satisfied by deployment of a
portable drive, such technology may be installed on an exceptional basis:
• The discretion to make this decision rests with the CIO in consultation with the DSO.
• The drive in question will be procured, configured, and secured by IITB.
• IITB is responsible for ensuring that the necessary technical precautions are in place to
prevent loss, including but not limited to full disk encryption.
• The user is responsible for physically securing the drive, specifically locking it up when not
in use.
7.2.2 Other USB Storage Devices
Any USB storage technology not otherwise referred to in this Directive can only be installed and/or
procured at the discretion of and with the prior approval of the CIO or his delegate.
7.2.3 Personal Devices
• It is forbidden to connect personal equipment or devices to the network, workstations or
laptop computers.
• This includes but is not limited to music players (iPods, MP3s), digital cameras, personal
cellular & smart phones, and e-readers.
• This includes instances where the sole intent is to charge a device; users should bring
appropriate equipment to charge their personal device directly from an electrical outlet.
7.3 Questions
Where a user has questions regarding the use of a USB storage device or the application of this
Directive they should contact the National Service Desk (1-800-268-0408).
7.4 Monitoring
• IITB will regularly monitor and report on USB devices connected to the network.
• Unauthorized devices will be reported to both the DSO and the responsible ADM so that
appropriate steps can be taken.
7.5 Consequences
Users are responsible for complying with this Directive at all times. Failure to do so could
place the department and the information for which it is a custodian at considerable risk.
A breach of this directive may lead to administrative or disciplinary measures being taken, up
to and including termination of employment. The level of discipline will depend on the severity
of the breach and the circumstances surrounding it, as well as any mitigating or aggravating
factors.
8. OTHER REFERENCES and RELATED POLICY INSTRUMENTS
TBS Policy on the Use of the Electronic Networks (12 February 1998)
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/tb_cp/uen_e.asp
TBS Policy on the Management of Information Technology (April 1, 2009)
http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/TB_IT/pmit-pgti_e.asp
TBS Policy on Management of Material (November 1, 2006)
http://tbs-sct.gc.ca/pol/doc-eng.aspx?id=12062
Privacy Act (R.S. 1985, c. P21)
http://laws.justice.gc.ca
Treasury Board Privacy and Data Protection – Policies and Guidelines (various)
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_128/siglist_e.asp
Policy on Government Security (1 July 2009)
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578
Operational Security Standard: Management of Information Technology Security (MITS)
(31 May 2004)
http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/23RECON_e.asp
The Policy on Department IT Security Management (June 2009)
http://intracom.hq-ac.prv/iit/en/iit/ats/its-ceo/policy-standards-guidelines-reports.shtml
HRSDC Policy on the Use of the Electronic Network
http://intracom.hq-ac.prv/sys/pssc-spcs/poli/t2net_e.shtml
ITSCOE Policies, Standards, Guidelines and Report
http://intracom.hq-ac.prv/iit/en/iit/ats/its-ceo/policy-standards-guidelines-reports.shtml
APPENDIX A – APPROVED EXCEPTIONS TO DIRECTIVE
• USB keys to approve payments from the Public Works and Government Services
Canada’s Standard Payment System (SPS).
• USB devices used for connectivity - either directly to the Internet such as a Rogers Mobile
Internet Stick (Rocket Stick), or for a virtual session such as the AppGate Key or G/ON
device.
• Departmentally issued Blackberries. The storage is required for the Blackberry to operate
and is therefore exempted from the directive. A condition will be added to the Mobile User
Agreement that dictates that internal storage on these mobile devices must not be used for
the storage or transfer of sensitive or protected data.
• USB connected peripherals such as Audio Recording device, Digital Pen or a Digital
Camera that present themselves as having a storage capability but present a low risk to
the department in terms of data loss. Users of such devices will be directed that they are
not to be used for the storage or transfer of sensitive or protected data.
• USB keys used to manage licensing information on desktops. These products include
StreetSweeper™ and IDEA CaseWare. It is important to note that these USB keys are
write-protected, meaning no information can be placed on them.
• Shared Services Canada to manage licensing information on servers and network
switches, and in some cases they back up specific data files on these devices.
Interim exception (until October 31, 2013):
• Employment Insurance Board of Referees are permitted to use USB Keys to save
preparatory work and record appeal decisions.