The Department of Foreign Affairs and International Trade has a secure computer network known as SIGNET–D. This network is used primarily for unsecured information processing, storage, and management as well as unsecured messaging. The network is nearly 15 years old and has gone through several revisions. SIGNET–D is the network operating environment and related protocols that run on top of MITNET, which provides a single departmental network infrastructure to support data and voice applications. Where SIGNET–D is a higher–level network environment that provides operating connectivity for users, MITNET provides the low–level network connectivity protocols and the physical infrastructure. It connects the Local Area Networks (LANs) at Canada's 160 missions in 111 countries, and directly serves more than 10,000 people, of whom more than 6,000 work outside Canada.
A Privacy Impact Assessment (PIA) was developed as part of the Department’s commitment to protection of personal information. It also meets the requirements of the Management of Information Technology Security directive obligating departmental major services to undergo a security and privacy assessment at this point. The PIA provided an insight into possible risks to personal information and recommended appropriate courses of action.
The scope of the PIA was limited to MITNET, SIGNET–D, and the Email Infrastructure, and focussed on the network’s operational processes. It is important to note that this privacy assessment covered the personal information collected from employees of the Department in order to give them access to the Departmental network infrastructure and its associated tools and programs. The DFAIT Network Infrastructure consists of MITNET, which is the physical layer as well as low level networking protocols; SIGNET–D, which is the operating layer of the network including higher level networking protocols; and finally the Email system.
While SIGNET–D and the Email system give departmental programs and services an infrastructure on which to operate, each program is responsible for the management of the information it collects, including any personal information. The infrastructure is the backbone of the Department, on which all programs and services operate their own electronic tools and systems. Each program or service has been given a mandate by the department, and in accordance with that mandate and through the conduct of day–to–day operations, it may collect and store personal information. Each program is responsible for undertaking a privacy assessment and addressing any potential risks.
DFAIT uses the MITNET/SIGNET–D network for non–classified departmental activities. Examples of the specific types of information transmitted, stored and processed include, but are not limited to, issues regarding political, economic, trade, and social situations in other countries and the sharing of this information with partner departments and allies under specific memoranda of understanding; information pertaining to Canadians living abroad, international crisis and other information in Canada’s national interest.
DFAIT has a requirement to ensure that the MITNET/SIGNET–D’s operation has taken all measures to protect personal information and its possible disclosure. In the course of conducting the programs and activities of the Department, MITNET/SIGNET–D may accumulate personal information. This information often exists in a fragmented manner throughout the system. Selected personal information is stored in directory systems that serve the network supporting DFAIT employees conducting departmental business as well as limited personal business.
The PIA for the MITNET/SIGNET–D network including the Email system found the following risks during the assessment which can be addressed while the network is in operation.
The Department has developed adequate mitigation strategies addressing these risks. Risks are measured based on their severity from low, to medium, to high. Also, risks that have no immediate or direct impact on protection of personal information in association with the system are categorized as “Advisory” level.
Identified Risk: Shared Drives
Risk Level: Advisory
Mitigation Strategy: Personal information on SIGNET–D and the Email system is of three types:
Generally, shared drives and (email) public–folders represent a low level of risk that requires additional protection and structured management. These may be achieved by the following elements:
While the network SIGNET–D is designated for Protected “A” information, it has been difficult to enforce the policy in the past. The Information Protection Center (IPC) at DFAIT has developed plans to continually scan the shared drives using special software tools and identify information such as Social Insurance Numbers, and other highly important personal information.
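The kind of content scan described above can be sketched as follows. This is an added example, not DFAIT's tooling or anything taken from the assessment: the function names and sample lines are constructed, and it assumes the publicly documented rule that a SIN is nine digits ending in a Luhn check digit. The value 046 454 286 is a widely published fictitious test number.

```python
import re

# Nine digits, optionally grouped 3-3-3 by a space or hyphen, and not part
# of a longer digit run (phone numbers, order numbers).
SIN_CANDIDATE = re.compile(r"(?<![\d-])(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked value) for each likely SIN in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SIN_CANDIDATE.finditer(line):
            digits = "".join(match.groups())
            if digits == "000000000" or not luhn_valid(digits):
                continue  # pattern matched but the checksum rules it out
            # Report only the last three digits so the scan report does not
            # itself become a store of personal information.
            hits.append((lineno, "***-***-" + digits[-3:]))
    return hits


# Constructed sample lines standing in for files on a shared drive.
SAMPLE = """\
hr/onboarding.txt: new hire SIN 046 454 286, start date 2011-03-01
hr/contacts.txt: call 613-555-0142 or ext 123 456 789
finance/po.txt: purchase order 2046454286 approved
hr/forms.csv: J. Doe,046-454-286,Ottawa
"""

if __name__ == "__main__":
    for lineno, masked in find_sins(SAMPLE):
        print(f"line {lineno}: possible SIN {masked}")
```

The checksum step is what keeps the false-positive rate manageable: the phone number, the ten-digit order number and the nine-digit extension in the sample all match a naive digit pattern but are not reported.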
The plan is to issue “cyber infractions” to those users who store high–risk personal information on the shared drives. All information of protected nature “C” must reside on a separate network designated as SIGNET C–5. IPC has consulted with the Departmental legal advisors at Justice, and has received a blessing to proceed with the planned initiative/mitigation.
While there are existing policies that address acceptable use (e.g., the Policy on Acceptable Use of E–Mail Facilities by DFAIT Staff), additional steps and enhancements to these policies may be required to make employees aware of privacy risks.
The mitigation approach recommended above will ensure that personal information is collected, stored and managed with a significantly lower level of risk.
Identified Risk: Adequate Privacy Notice Statement
Risk Level: Low
Mitigation Strategy: The department will develop a process by which employees are provided an opportunity to review a Privacy Notice Statement (PNS) prior to providing their personal information to receive proper privileges and accounts on the network.
DFAIT employees using the shared drives to store their own personal information must be advised regarding the nature of the shared drives and potential risks.