Should it be blocked in my department?


If you work for a Government of Canada department, a 2018 TBS policy specifies the following:

“Departments are to enable open access to the Internet for GC electronic networks and devices, including GC and external Web 2.0 tools and services, to authorized individuals, as per Section 6.1.3 of the Policy on Acceptable Network and Device Use (PANDU).

To ensure a consistent user experience government-wide while taking into consideration the departmental risk profile, departments are to reconfigure their web filtering rules to be open by default to the Internet…

Security is more than just locking things down; user experience must also be considered.

Adopting a balanced approach that considers user needs, supported by a pragmatic security program, will result in a more secure environment. Instead of banning access to certain tools and sites, making access open by default and encouraging the secure use of these tools and services will result in risks being better controlled.”

Curious what websites (including online collaboration & productivity tools, videoconferencing, and social media platforms) are available or blocked in each department?

Frequently asked questions

This is unofficial advice; your measures may vary!

What can I do if a website is blocked on my departmental network?

Send a request to your department’s IT helpdesk, and include a link to the TBS policy above. For collaboration tools, you can mention that you need access to collaborate with external (outside of government) partners or colleagues from other departments, or to support business continuity planning for your team.

This template letter is a great example of how to get started.

Can I use these tools with protected or sensitive information?

Generally speaking, no. By default, you should only use these tools with Unclassified information.

If you have information that’s partly unclassified and partly sensitive, one approach is to just put placeholders in (for the sensitive information) when you’re working in an online collaboration tool, then export or download the information back to your department’s protected systems before adding the sensitive information in.

Before you use a new online tool with protected information, it should be assessed by your department’s IT security group. This can take 6-12 months and the process varies by department.

How do I know if information is unclassified or not?

Check your department’s internal procedures or the TBS standard on security classification for details. It comes down to how likely it is that unauthorized disclosure of the information (e.g. it becoming public information by accident) might cause injury.

Things like social insurance numbers are considered Protected B; contact details like addresses and phone numbers of everyday citizens are usually considered Protected A. Legal advice or budget proposals are typically protected information. Don’t put those on an online tool that hasn’t been assessed. Any other documents you work with on a day-to-day basis are probably unclassified, unless they’ve already been marked as “protected”.

Public servants have a tendency to “over-classify” information. Fight that urge! If you’re creating a brand new document and it won’t contain any information that could cause injury, mark it as “Unclassified”. Keep as much flexibility as possible to use online tools with it, either now or down the road.

If you’re not sure about a given document or piece of information, check with a colleague or your team before you upload or paste it into an online tool, since it might be stored or backed up somewhere that you can’t necessarily access afterwards.

Do I need special permission to use online collaboration tools (like Slack, Trello, etc.)?

Nope! If you’re working with unclassified data, the TBS policy above gives you all the permission you need. If the tool isn’t blocked on your departmental network, you can use it today. Sign up for your team and give them a try!

Should I use the free version or the paid version of these tools?

When you’re just getting started, the free versions (or “tiers”) of online tools are a good way to try them out. But using the paid versions of these tools usually adds a number of important security benefits (team management options, multi-factor authentication, audit logs, etc.). If you’re able to, switch to paid accounts as early as you can.

How do I pay for these tools?

Use a departmental acquisition card! Have an executive in your team or branch (with Section 32 financial signing authority) write an email saying that they approve the use of the tool, then have an admin colleague with a departmental acquisition card sign up for the paid plan. Make sure that monthly payment invoices get forwarded to them so that they can do any payment reconciliation processes required by your department.

Unless your team involves hundreds or thousands of people, these monthly purchases will easily fall under the low-dollar-value / sole-source thresholds. Rock and roll.

What if these tools are hosted in the United States?

That’s okay! (It really is!) As long as you’re only using them with unclassified data, there’s no geographic restriction on where a given website or online tool is hosted.

As of April 1, 2020, you no longer need to store information classified as Protected B or above on services geographically located in Canada. Although this was previously required by the TBS Policy on Management of IT, that requirement has been removed from the Directive on Service and Digital that replaced it and is now in effect.

This specifically applies to federal government departments; note that some provinces (namely British Columbia and Ontario) have stricter data residency requirements.

Hosting your information in Canada does not make it more secure. It’s a common myth, though.

Should I back up information in these online tools somewhere?

Yes! Your department’s Information Management people will thank you later. When you’ve got a final version of a document (created in an online collaboration tool), put a copy of it in your department’s official systems for the record. Upload it to GCdocs, email it to your departmental email account, add it to your department’s shared drives, etc.

Any information of business value should be stored according to your department’s IM procedures – but you may want to wait until you’ve finished editing it since this can be a time-consuming process.

Who can I ask for more help?

The TBS Office of the CIO Cybersecurity team is responsible for the policy above, and can answer questions about it. The #GCdigital community on Twitter is a great place to ask questions, especially if you run into any barriers within your department.

Who wrote this?

Me! On a Saturday, inspired by this tweet. This is not formal advice and this is not an official Government of Canada website. Take care out there & wash your hands!

Last updated: June 16, 2020