L’utilisation sécuritaire des outils de collaboration

Revision as of 12:56, 30 March 2020 by Greggory.elton (talk | contribs)


Telework-nobg.png
Overview and User Considerations Technical Considerations Secure Use of Collaboration Tools

Background

La Politique sur l’utilisation acceptable des dispositifs et des réseaux (PUADR) du gouvernement du Canada reconnaît que le libre accès aux outils modernes est essentiel pour transformer la façon dont les fonctionnaires travaillent et servent la population canadienne. Cette Politique exige que les fonctionnaires aient un accès ouvert à Internet, notamment aux sites du GC et aux outils et services externes qui amélioreront la communication et la collaboration numérique, et qui encourageront le partage des connaissances et de l’expertise pour appuyer l’innovation.

Les outils de collaboration permettent aux fonctionnaires de maintenir un dialogue interactif avec les collectivités qu’ils servent. On peut notamment citer à titre d’exemple des sites comme Twitter et LinkedIn; des outils de partage de présentations en ligne comme Prezi ou SlideShare, ou encore des plateformes de discussion en temps réel comme Slack

Considerations

From an IT Security standpoint, connections to external tools and services carry the same risks as other connections to the internet. However, departments should take into account that usage of these sites may require some form of identification of the individual and consequently, their association with an organization (e.g. a GC department or agency).

Departments should consider the following:

  • Posting of information on external tools and web services will likely divulge the origin of the information;
  • All information posted on the internet, regardless of the amount of time it is available, is effectively permanently recorded. There are no control provisions for any information once posted;
  • The nature of external tools and web services like social networking sites makes them appealing targets for malicious exploitation. These sites are inherently prone to malicious users providing links to malware content that can propagate to a department’s infrastructure;
  • Content on external tools such as Trello, Slack etc. may be stored on servers located outside Canada thus the content along with associated user metadata can be monitored by non-Canadian and /or third party products, services or businesses;
  • Everything that is shared using external tools and web services could be subject to Access to Information and Privacy (ATIP). Public servants must ensure that information related to the mandate of the organisation and/or contains decisions on government activities is properly captured and managed, following information management best practices; and
  • Public servants are encouraged to verify data retention requirements when using external tools, in accordance with the TBS Policy on Information Management. Some externally provided tools will retain your information even after you have deactivated your account

Do's and Don'ts

Do's Don'ts
Protect your identity by using privacy settings on all tools and devices, and limit the amount of information you provide on your profile page. Never share protected or sensitive information, unless you have express consent from your departmental information technology group.
Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access and enable auto-lock of your device. Open unsolicited links, attachments, or when prompted to install any software. If you don’t know the sender or were not expecting to receive a link or attachment, think twice before opening.
Use unique passwords for every account, especially separate passwords for personal and work accounts. Do not re-use the same passwords that are used for your internal corporate credentials.
Be conscious of what you are sharing and with whom and assume that everything you share could be made public Use caution and avoid using untrusted networks or free Wi-Fi.
Use modern operating systems and web browsers that are maintained with up-to-date software and configured with appropriate hostbased protections. Never post or share passwords or credentials on web services and tools
Report any suspicious activity or security incidents so that your departmental security team can address the issue. Do not ignore SSL certificate errors and unsecure (e.g. HTTP) websites

References