MITNET / SIGNET–D Infrastructure

Executive Summary

SIGNET Engineering and Maintenance, Infrastructure Operations, Internetworking, Secure Systems Development and Electronic Messaging

The Department of Foreign Affairs and International Trade has a secure computer network known as SIGNET–D. This network is used primarily for unsecured information processing, storage, and management as well as unsecured messaging. The network is nearly 15 years old and has gone through several revisions. SIGNET–D is the network operating environment and related protocols that run on top of MITNET, which provides a single departmental network infrastructure to support data and voice applications. Where SIGNET–D is a higher–level network environment that provides operating connectivity for users, MITNET provides the low–level network connectivity protocols and the physical infrastructure. It connects the Local Area Networks (LANs) at Canada's 160 missions in 111 countries, and directly serves more than 10,000 people, of whom more than 6,000 work outside Canada.

A Privacy Impact Assessment (PIA) was developed as part of the Department’s commitment to protection of personal information. It also meets the requirements of the Management of Information Technology Security directive obligating departmental major services to undergo a security and privacy assessment at this point. The PIA provided an insight into possible risks to personal information and recommended appropriate courses of action.

The scope of the PIA was limited to the MITNET, SIGNET–D, and Email Infrastructure and focussed on the network’s operational processes. It is important to note that this privacy assessment covered the personal information collected from employees of the Department in order to give them access to the Departmental network infrastructure and its associated tools and programs. The DFAIT Network Infrastructure consists of MITNET, which is the physical layer as well as the low–level networking protocols; SIGNET–D, which is the operating layer of the network, including higher–level networking protocols; and finally the Email system.

While SIGNET–D and the Email system give departmental programs and services the opportunity to use this infrastructure to operate their programs, each program is responsible for the management of the information it collects, including any personal information. The infrastructure is the backbone of the Department, allowing all programs and services to operate their own electronic tools and systems. Each program or service has been given a mandate by the Department, and in accordance with that mandate and through the conduct of day–to–day operations, it may collect and store personal information. Each program is responsible for undertaking a privacy assessment and addressing any potential risks.

DFAIT uses the MITNET/SIGNET–D network for non–classified departmental activities. Examples of the specific types of information transmitted, stored and processed include, but are not limited to, issues regarding political, economic, trade, and social situations in other countries and the sharing of this information with partner departments and allies under specific memoranda of understanding; information pertaining to Canadians living abroad; international crises; and other information in Canada’s national interest.

DFAIT has a requirement to ensure that the MITNET/SIGNET–D’s operation has taken all measures to protect personal information and its possible disclosure. In the course of conducting the programs and activities of the Department, MITNET/SIGNET–D may accumulate personal information. This information often exists in a fragmented manner throughout the system. Selected personal information is stored in directory systems that serve the network supporting DFAIT employees conducting departmental business as well as limited personal business.

Risk Analysis Segment

The PIA for the MITNET/SIGNET–D network, including the Email system, found the following risks during the assessment, which can be addressed while the network is in operation.

The Department has developed adequate mitigation strategies addressing these risks. Risks are measured based on their severity from low, to medium, to high. Also, risks that have no immediate or direct impact on protection of personal information in association with the system are categorized as “Advisory” level.

Principle 1: Accountability for Personal Information

Identified Risk: Shared Drives

Risk Level: Advisory

Mitigation Strategy: Personal information on SIGNET–D and the Email system is of three types:

  1. Employee’s personal information collected for the purpose of network access and authentication, which provides access to the corporate network and applications. This information is managed by the network infrastructure in a highly secure and regulated manner.
  2. Programs and services collect personal information as part of their operations and mandates. Personal information collected as part of a program has a specific purpose and management criterion.
  3. Personal information stored by employees as a result of personal activities. This information is stored by employees on shared drives, personal email folders, or public–folders of the email system for personal purposes, and is maintained and managed individually.

Generally, shared drives and (email) public–folders represent a low level of risk that requires additional protection and structured management. These may be achieved by the following elements:

  • Defining roles and responsibilities
  • Establishing policies and procedures
    • Regularly scheduled privacy risk assessment by various stakeholders
  • Protection of personal information on shared drives
  • Protection of personal information on public and personal folders – email system
  • Management of personal information on shared drives and email system
    • Program related personal information
    • InfoBank related information
    • Employees’ personal information generated by individual use, non–related or generated by departmental
  • Training and awareness
  • Audit and compliance

While the SIGNET–D network is designated for Protected “A” information, it has been difficult to enforce the policy in the past. The Information Protection Center (IPC) at DFAIT has developed plans to continually scan the shared drives using special software tools and identify information such as Social Insurance Numbers and other highly important personal information.

The plan is to issue “cyber infractions” to those users who store high–risk personal information on the shared drives. All Protected “C” information must reside on a separate network designated as SIGNET C–5. IPC has consulted with the Departmental legal advisors at Justice, and has received a blessing to proceed with the planned initiative/mitigation.

While there are existing policies that address acceptable use (e.g., the Policy on Acceptable Use of E–Mail Facilities by DFAIT Staff), additional steps and enhancements to these current policies may be required to make employees aware of privacy risks.

The mitigation approach recommended above will ensure that personal information is collected, stored and managed with a significantly lower level of risk.

Principle 2: Collection of Personal Information

Identified Risk: Adequate Privacy Notice Statement

Risk Level: Low

Mitigation Strategy: The Department will develop a process by which employees are given an opportunity to review a Privacy Notice Statement (PNS) before providing the personal information needed to receive proper privileges and accounts on the network.

DFAIT employees using the shared drives to store their own personal information must be advised regarding the nature of the shared drives and potential risks.

The Concept of Operations and the operation manuals are short on details; however, it must be noted that accountability is not a topic for operational manuals to discuss. Application of privacy policy and protection of personal information has taken shape within the Department as the Information Protection Center conducts security and privacy scans over the network. Additional measures need to be developed as part of the management of personal information on SIGNET to reflect the existing roles and responsibilities of programs utilizing the network infrastructure. The existing Departmental policy, the Network Acceptable Use Policy (NAUP), requires enhancement as a result of the Privacy Impact Assessment (PIA) and selected others (e.g. Voice Messaging) that recognize that the existing policy has a security focus only. The users of the network need additional information regarding management of their own personal information, as well as a comprehensive PNS that informs users of their roles, responsibilities, and accountability. Development of the NAUP is a complex process involving a number of stakeholders and beneficiaries. While the PIA could offer some of the basic building blocks of the PNS, the NAUP is much more than that. The content of the NAUP requires refreshing to reflect the role of the user and the program in the management of personal information over the network infrastructure.