Innovation, Science and Economic Development Canada: Internet and Electronic Network Usage Policy

From: Innovation, Science and Economic Development Canada

The Internet Usage Statement was introduced in 1997 and revised in 2003. Since that time, the Internet has evolved and is now the single most important business tool available to the Innovation, Science and Economic Development Canada's user population.

The revised document is a modernization of the original policy and is different from the 2003 version in that:

• The structure and language of the new document is in-line with current Treasury Board policies.
• The new policy removes reference to the use of specific technologies.
• Roles and responsibilities are clearly defined.
• Expanded to incorporate other practices such as network practices, and wireless usage.
• All links to other policy documents, internal and external, have been updated.

---

Table of Contents

1. 1. Effective Date
2. 2. Application
3. 3. Definitions
4. 4. Context
5. 5. Policy Statement
6. 6. Policy Requirements
7. 7. Monitoring
8. 8. IT Security
9. 9. Managers
10. 10. Investigations
11. 11. Consequences
12. 12. Enquiries
13. Appendix A—Federal Acts
14. Appendix B—Treasury Board Secretariat and ISED Policies

---

1. Effective Date

1. 1.1 This policy takes effect on April 1, 2010.
2. 1.2 It replaces Industry Canada's Internet Usage Statement, dated January 2003.

2. Application

1. 2.1 This policy applies to all Authorized Users of Innovation, Science and Economic Development Canada's electronic networks, including employees, contractors, and any other individuals who have been granted access to an Innovation, Science and Economic Development Canada network.

3. Definitions

1. 3.1 "Access" means gaining entry to the Department's Electronic Networks that Innovation, Science and Economic Development Canada has provided to Authorized Users. Access to the Electronic Networks may be from inside or outside government premises. Access may support telework and remote access situations;
2. 3.2 "Authorized User(s)" or "User(s)" means all persons authorized by Innovation, Science and Economic Development Canada to have access to the Department's Electronic Networks and includes all employees, consultants and contractors who have been authorized by the Department to have access;
3. 3.3 "Electronic Networks" refers to computers, groups of computers and computer systems that can communicate with each other;
4. 3.4 "Laws of Canada or any Province or Territory" refers to all statutes and regulations passed by the Government of Canada or any Provincial or Territorial Government, and shall also include the common law within Canada or any Province or Territory;
5. 3.5 "Logs" refers to a computer file in which a program records events, such as user access or data manipulation as they occur, to serve as an audit trail, diagnostic device, or security measure;
6. 3.6 "Monitoring" means any action that involves the viewing, recording, subsequent analysis of, and preparation of reports on Authorized User activity on, or use of, the Department's Electronic Networks. Examples include recording user accounts, user activities, volume of usage, sites visited, information downloaded and computer resources used to perform a routine analysis of traffic flow on electronic networks, use patterns and sites that certain work groups or individuals have visited or responding to a subpoena or other court process. The information recorded and subject to analysis does not normally involve the contents of individual electronic mail, files, and transmissions but it may require collecting personal information on specific employee use, and preparing reports on this use which include personal information, in order to determine whether there has been unacceptable or unlawful activity.

4. Context

1. 4.1 The Internet is a major part of how individuals conduct government business, carry out research, acquire training, and share ideas. Used properly, the Internet can be a powerful utility. However, users must be aware of the risks associated with accessing the Internet with a government asset (i.e. computer or wireless device) and be mindful of the fact that inappropriate use can adversely affect the Department's reputation and ability to deliver future services;
2. 4.2 The Internet is made accessible through the Innovation, Science and Economic Development Canada electronic network. The statements expressed in this policy apply to all aspects of a user's electronic network usage. This includes, but is not limited to, desktop computers, email, desktop applications, network applications, printing, file storage, and file transfer;
3. 4.3 Links to relevant reference documents can be found in the Appendices of this policy.

5. Policy Statement

1. 5.1 Objective

   The objective of this policy is to enable users to make informed decisions about using the Internet and the department's electronic network by providing a principles-based approach to appropriate and inappropriate use, placing emphasis on the following three elements:

   1. 5.1.1 When accessing the Internet and Electronic network with a government asset, employees must keep in mind how their actions will reflect on the Department and the Government of Canada;
   2. 5.1.2 All Innovation, Science and Economic Development Canada users share the same network infrastructure and Internet connection, and inappropriate use can adversely affect the availability of network resources for others, most notably the Internet;
   3. 5.1.3 Personal use of the Internet, consistent with the parameters of this policy, is acceptable during personal time.

2. 5.2 Expected Results

   The expected results of this policy are:

   1. 5.2.1 Users will use the electronic network and Internet in an appropriate manner. The integrity and availability of ISED's electronic network will be maintained, and Internet connectivity costs will be kept in line with the business requirements of the department;
   2. 5.2.2 The reputation of the Department is paramount, and as such, users will be expected to avoid any inappropriate Internet and electronic network use.

6. Policy Requirements

1. 6.1 A user of the Innovation, Science and Economic Development Canada electronic network Internet must:

   1. 6.1.1 Comply with all laws, and adhere to government policies;
   2. 6.1.2 Familiarize themselves with, and conduct their activities in a manner which is consistent with the Values and Ethics Code for the Public Sector;

   3. 6.1.3 A user must NOT:

      1. 6.1.3.1 Breach, or attempt to breach, the security of any internal or external computer, system, software, or network;
      2. 6.1.3.2 Engage in activities which will or may serve to violate accepted standards of Internet conduct and use including, but not limited to, Denial of Service Attacks; port and network scanning; web page defacement;
      3. 6.1.3.3 Circumvent security safeguards such as, but not limited to, firewalls, proxy servers, browser settings;
      4. 6.1.3.4 Post, transmit, or distribute harmful or disruptive data including, but not limited to, a virus or malicious code;
      5. 6.1.3.5 Deliberately access inappropriate sites including those that contain sexually explicit or pornographic material, gambling activities, or materials that could be considered harassing, degrading, or discriminatory by others;
      6. 6.1.3.6 Post, transmit, or distribute material which is unlawful, harassing, libelous, defamatory, profane, abusive, threatening, harmful, vulgar, obscene, sexually suggestive, hateful, or otherwise objectionable;
      7. 6.1.3.7 Download, distribute or provide access to data or information which is protected by copyright or other intellectual property rights, without attribution to the rights holder;
      8. 6.1.3.8 Engage in any activity that intentionally restricts, disrupts or degrades the Government's ability to deliver a service, including, but not limited to, the transfer of such large amounts of material as to deliberately inhibit the performance of a service;
      9. 6.1.3.9 Provide access to sensitive information belonging to the Department and the Government of Canada without appropriate authorization, or provide access to personal information, as defined in the Privacy Act, except, in accordance with proper authorization pursuant to the legislative provisions within the Act;
      10. 6.1.3.10 Engage in any activity which, regardless of the purpose, constitutes appropriation of another person's identity;
      11. 6.1.3.11 Represent the Department and the Government of Canada without explicit authorization.

7. Monitoring

1. 7.1 The Department shall monitor the use of its Electronic Networks to ensure compliance with the requirements of Treasury Board, to ensure appropriate use and to ensure that confidentiality, integrity and availability of the systems is maintained. In this regard, the Department may need to monitor routine use of the electronic networks and specific employee use;
2. 7.2 The Chief Information Office (CIO) is responsible for the superintendence of the Department's Electronic Networks, providing information to Authorized Users on a regular basis about the care and use of the electronic networks, and monitoring the electronic networks and employee use of the electronic networks in accordance with this Policy;
3. 7.3 All software installed on the Department's Electronic Networks is the property of the Government of Canada. Consequently, the Department, on behalf of the Government of Canada, retains the right to monitor all use of the Electronic Networks to ensure they are being used in compliance with this Policy, the Laws of Canada or the Province or Territory (Appendix "A"), Department and Treasury Board policies (Appendix "B");
4. 7.4 IT Security is authorized by the Department to perform monitoring activities. The information recorded is subject to routine analysis and does not normally involve reading the content of individual electronic mail or files. However, if, as a result of routine analysis, a request by management, by Human Resources Branch, by the Departmental Security Officer, or from a complaint, there are reasonable grounds to suspect that an Authorized User is misusing the Department's Electronic Networks, IT Security will conduct an investigation, including a review of logs, files or user accounts to determine the nature and scope of usage, and whether personal information should be disclosed to the appropriate officials;

5. 7.5 Authorized Users are reminded that:

   1. 7.5.1 The technical systems in operation in the Department, including the firewalls, gateways and other systems, automatically record which Internet sites and which electronic mail addresses are contacted by them. For example, this includes the capacity to capture information which identifies which computer and user visited the Internet or sent e-mail messages;
   2. 7.5.2 The information contained within electronic network logs may be disclosed to applicants under the Access to Information Act and the Privacy Act, subject to the applicable exemptions under these Acts, and to others, including managers, in accordance with these two statutes.

6. 7.6 Role of Chief Information Office (CIO)

   1. 7.6.1 CIO has the primary responsibility to monitor the use of the Department's Electronic Networks for operational reasons to determine whether the electronic networks are operating efficiently, and if they are being used reasonably, in order to isolate and resolve problems and to monitor specific employee use where appropriate in accordance with sections 6 of this Policy. Monitoring may be undertaken for operational reasons, including, but not limited to, checking peak load periods, checking performance against established standards, determining if the volume of files stored on servers exceeds recommended capacity and checking server error reports. In order to isolate and resolve problems CIO may undertake periodic monitoring activities of the Department's Electronic Networks for specific operational needs;
   2. 7.6.2 The monitoring of the Department's Electronic Networks may occur at the initiative of the Chief Information Officer, or a delegate of the Chief Information Officer; the Departmental Security Officer, or the Departmental Security Officer's delegate; or the Director of Labour Relations, or the Director of Labour Relations delegate, or the Director of IT Security, or the Director of IT Security's delegate;
   3. 7.6.3 IT Security shall be responsible for monitoring use of the Department's Electronic Networks in consultation with the Departmental Security Officer, and with the approval of the Chief Information Officer;

   4. 7.6.4 IT Security has the authority, with the approval of the Chief Information Officer, to:

      1. 7.6.4.1 Monitor all uses of the Department's Electronic Networks to determine the volume of use and the nature of such use. This would include monitoring the amount of time an Authorized User is spending on the Internet and identifying the web sites an Authorized User has visited;
      2. 7.6.4.2 Issue periodic reports containing non-identifiable statistical information about the Authorized Users, for managers or other senior officials, as appropriate, to outline the volume of use of the Electronic Networks and the nature of such use;
      3. 7.6.4.3 Issue reports on the specific employee use, where appropriate, in accordance with sections 6 to 10 inclusively of this Policy;
      4. 7.6.4.4 Conduct any necessary reviews of the Department's Electronic Networks to ensure that they are being used efficiently and are functioning properly;
      5. 7.6.4.5 Report any instances or suspected cases of non-compliance with this Policy to the Departmental Security Officer, or to Labour Relations (HRB), or to the Chief Information Officer, if appropriate;
      6. 7.6.4.6 Conduct investigations at the request of appropriate officials, to facilitate the work of the Departmental Security Officer, or Labour Relations, or the Chief Information Officer, to determine if there has been a contravention of this Policy;
      7. 7.6.4.7 Monitor all file server accounts, passwords and firewalls on an ad-hoc basis, as appropriate, and in accordance with the operational needs of the Department;
      8. 7.6.4.8 Review file server logs to ensure that all user accounts are authorized; that accounts for users that have left the Department have been appropriately deleted; that the mechanism in place to ensure that user account passwords are changed every 90 days is being consistently utilized; that accounts are appropriately validated against user names upon logging in to the Electronic Networks and that there is a mechanism in place to verify users' accounts with their related privileges.

7. 7.6.5 The Chief Information Officer may:

   1. 7.6.5.1 Request officials of IT Security to conduct or coordinate any of the activities described in this section on his behalf, including the monitoring of the Department's Electronic Networks.

8. IT Security

1. 8.1 The Director of IT Security is responsible for:

   1. 8.1.1 Conducting the analysis of the content of individual files or electronic mail in instances where an Authorized User is suspected of having used the Department's Electronic Networks in a manner contrary to this Policy, and for identifying to whom information about identifiable individuals may be disclosed;
   2. 8.1.2 Providing information and training on the interpretation of this Policy relating to Security; and
   3. 8.1.3 Conducting investigations of contraventions of this Policy in consultation with the Departmental Security Officer, Labour Relations, and the Chief Information Officer, and where appropriate, at the request of managers or law enforcement authorities.

9. Managers

1. 9.1 Managers have the following responsibilities:

   1. 9.1.1 To ensure that all Authorized Users for which they are responsible receive an electronic or hard copy of, and are aware of, this Policy;
   2. 9.1.2 To ensure that they are using the Internet and the Department's Electronic Networks properly and in accordance with this Policy; and
   3. 9.1.3 To obtain direction from the Chief Information Officer or the Director of IT Security when they need advice or direction in relation to this Policy.

10. Investigations

1. 10.1 The following principles apply during investigations for the possible contravention of the Laws of Canada, listed in Appendix "A", or any Province or Territory.

   1. 10.1.1 IT Security may conduct a review of the Authorized User's Electronic Networks usage where there are reasonable grounds to believe that there has been a violation of this Policy. Where necessary, the Director of IT Security may obtain legal advice relating to the rights and obligations of the Department and of the Authorized User during the course of an investigation;
   2. 10.1.2 IT Security may conduct, as appropriate, a detailed review of the content of all electronic mail messages sent or received, all files stored and all Internet web sites visited by the Authorized User without the knowledge of the Authorized User, as appropriate in order to preserve evidence or the value of the information to the Department or the government during an investigation;
   3. 10.1.3 If, as a result of an investigation, there are reasonable grounds to believe that an Authorized User has made use of the Department's Electronic Networks in violation of the Laws of Canada (Appendix "A") or any Province or Territory, and they are not authorized to have used them in such a manner, IT Security may inform a law enforcement authority, as appropriate. It is the Department's policy to co-operate with any law enforcement authority in any investigation they undertake, including ensuring they comply, and act in accordance with, duly authorized search warrants.

11. Consequences

1. 11.1 The Department may take any disciplinary action it deems appropriate as a result of any contravention of this Policy by an Authorized User. Disciplinary action shall be independent of any criminal or civil proceeding against an Authorized User. Disciplinary measures invoked shall vary depending upon the role of the Authorized User, their group and level, their role in the Department, the seriousness of the violation and whether the Authorized User has previously violated this Policy and may include, but is not limited to, an oral reprimand, written reprimand, limiting access to the Electronic Networks, suspension, demotion, or termination of employment.

12. Enquiries

1. 12.1 Enquiries concerning this policy should be forwarded to one of the following, depending on the nature of the enquiry:

   1. IT Security: IC.ITSEC-SECTI.IC@Canada.ca
   2. HRB: ic.labourrelations-relationsdetravail.ic@canada.ca

---

Appendix A—Federal Acts

• Access to Information Act
• Canada Evidence Act
• Canada Labour Code
• Canada Labour Code Part II – Workplace Safety
• Canadian Charter of Rights and Freedoms
• Canadian Human Rights Act
• Canadian Security Intelligence Service Act
• Criminal Code
• Criminal Records Act
• Defence Production Act
• Department of Foreign Affairs, Trade and Development Act
• Department of Public Security and Emergency Preparedness Act
• Federal Real Property and Federal Immovables Act
• Financial Administration Act
• Interpretation Act
• Library and Archives of Canada Act
• National Defence Act
• Privacy Act
• Public Servants Disclosure Protection Act
• Public Service Employment Act
• Public Service Labour Relations Act
• Royal Canadian Mounted Police Act
• Security of Information Act
• Statistics Act
• Youth Criminal Justice Act

---

Appendix B—Treasury Board Secretariat and ISED Policies

• Directive on Departmental Security Management
• Directive on Identity Management
• Directive on Privacy Impact Assessment
• Operational Security Standard - Management of Information Technology Security (MITS)
• Operational Standard for the Security of Information Act
• Policy on Acceptable Network and Device Use
• Policy on Information Management
• Policy on Government Security
• Values and Ethics Code for the Public Sector
• Departmental Security Policy (only available from within the ISED network)
• Departmental Telework Guidelines (only available from within the ISED network)
• Guidance and Standards on the External Use of Social Media (only available from within the ISED network)
• Guidance on the Use of Social Media for Employees (only available from within the ISED network)
• Guide to the Handling, Storage and Destruction of Protected and Classified Information (only available from within the ISED network)