CPCSC Level 1 Control
03.01.20 Access control

CPCSC 03.01.20: Use of external systems

Control when personal devices, third-party systems, customer systems, contractor tools, and external cloud services can touch specified information. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.

Formal Control Language

Official CPCSC Level 1 wording for 03.01.20. Use the Government of Canada page as the source of truth for certification or procurement submissions.

  • Security requirements for external systems are defined.
  • External systems are prohibited unless the systems are specifically authorized.
  • Security requirements are established before external systems are used or accessed.
  • Authorized individuals are permitted to use external systems to access the system or to process, store, or transmit specified information only after verifying that the requirements in the system security plan are satisfied.
  • Authorized individuals are permitted to use external systems to access the system or to process, store, or transmit specified information after retaining approved system connection or processing agreements with the organizational entity hosting the external system.
  • Use of organization-controlled portable storage devices on external systems is restricted.

Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.

What This Means In Plain English

Do not let specified information wander into personal email, unmanaged laptops, random file sharing tools, or subcontractor systems without approval.

External systems can be legitimate, but the organization needs a clear approved-systems list and a way to say no when a tool is not appropriate.

For CPCSC Level 1, the useful test is not whether a policy mentions the control. The useful test is whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the answer is true today and can be repeated when the next contract, customer, or assessment request arrives.

How To Implement It

1. Create an approved systems list for identity, email, storage, collaboration, development, support, endpoint, backup, and vendor-managed platforms.

2. Define a simple rule for personal devices, personal accounts, unmanaged storage, removable media, and subcontractor systems.

3. Review key vendors and MSPs before they can store, process, support, or remotely access systems containing specified information.

4. Document external connections such as VPN, customer portals, file transfer systems, remote support tools, and cloud integrations.

5. Use technical restrictions where possible: MDM, conditional access, device compliance, DLP, disabled public sharing, and restricted USB use.
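The steps above boil down to a repeatable decision: is the destination on the approved list, were its requirements verified, is an agreement on file, and is organization portable storage being used on an external system. The following is an added example, not part of this guide or of any Government of Canada material, that encodes that decision as a review over constructed sharing events; the register fields, event shape and every name and domain are assumptions.

```python
# Added example (not from the CPCSC guide or Government of Canada material):
# a policy-as-code review of external-system use against an approved-systems
# register. The register fields, event shape and all names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedSystem:
    name: str
    domains: tuple                # where the system is reached
    internal: bool                # organization-controlled, not an external system
    requirements_verified: bool   # SSP security requirements checked before use
    agreement_on_file: bool       # connection/processing agreement retained


# Constructed register; real entries come from the organization's approved list.
REGISTER = (
    ApprovedSystem("Corporate tenant", ("corp.example",), True, True, True),
    ApprovedSystem("Customer portal", ("portal.customer.example",), False, True, True),
    ApprovedSystem("Vendor support tool", ("support.vendor.example",), False, True, False),
)

# Constructed sharing/transfer events, e.g. exported from a DLP or cloud audit log.
EVENTS = (
    {"user": "a.singh", "dest": "corp.example", "portable_media": True},
    {"user": "a.singh", "dest": "gmail.com", "portable_media": False},
    {"user": "b.tremblay", "dest": "support.vendor.example", "portable_media": False},
    {"user": "c.li", "dest": "portal.customer.example", "portable_media": True},
)


def evaluate(event, register=REGISTER):
    """Apply the 03.01.20 conditions in order; return None when use is permitted."""
    system = next((s for s in register if event["dest"] in s.domains), None)
    if system is None:
        return "prohibited: destination is not on the approved systems list"
    if not system.requirements_verified:
        return f"{system.name}: security requirements not verified"
    if not system.agreement_on_file:
        return f"{system.name}: no connection or processing agreement retained"
    if event["portable_media"] and not system.internal:
        return f"{system.name}: organization portable storage used on an external system"
    return None


def review(events=EVENTS, register=REGISTER):
    """Produce the review output an assessor asks for: one row per finding."""
    return [(e["user"], e["dest"], f) for e in events
            if (f := evaluate(e, register)) is not None]


if __name__ == "__main__":
    for user, dest, finding in review():
        print(f"{user:<12}{dest:<28}{finding}")
```

The same loop, fed from a real sharing or DLP export and the organization's own register, doubles as the recurring review record listed under evidence.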

Evidence Normally Gathered

  • Approved systems list.
  • Vendor or subcontractor review records.
  • External access and remote support inventory.
  • Device compliance or MDM screenshots.
  • Cloud sharing and external collaboration settings.
  • System connection approvals or agreements.
  • Portable storage policy and exception records.

Common Auditor Questions

Which external systems are approved to handle specified information?

How do you stop staff from using personal email or personal storage?

What checks happen before a vendor or MSP gets access?

Do any subcontractors process, store, or support this information?

How are removable drives controlled when used with non-company systems?