03.01.20
Use of external systems
Control when personal devices, third-party systems, customer systems, contractor tools, and external cloud services can touch specified information.
CPCSC Level 1 Control
03.01.22Access control
CPCSC 03.01.22: Publicly accessible content
Prevent specified information from being accidentally published on websites, social media, proposals, case studies, job postings, or public repositories. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.
Formal Control Language
Official CPCSC Level 1 wording for 03.01.22. Use the Government of Canada page as the source of truth for certification or procurement submissions.
- Authorized individuals are trained to ensure that publicly accessible information does not contain specified information.
- Publicly accessible content is reviewed for specified information.
- Specified information is removed from publicly accessible systems if discovered.
Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.
What This Means In Plain English
People should not accidentally publish sensitive defence, customer, technical, or contract information just because they are writing marketing content or updating a website.
This applies to websites, blogs, pitch decks, public GitHub repositories, job postings, press releases, conference talks, and social media.
For CPCSC Level 1, the useful test is not whether a policy mentions the control. The useful test is whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the answer is true today and can be repeated when the next contract, customer, or assessment request arrives.
How To Implement It
1
Create a short public-content review checklist for any content that mentions customers, contracts, technical architecture, defence work, incident details, or sensitive systems.
2
Name an approval owner for public posts involving in-scope work. In small teams this may be the founder, security owner, legal owner, or delivery lead.
3
Train staff on what specified information looks like and when to escalate content before publishing.
4
Review public repositories, website media folders, sales collateral, and support articles for accidental exposure.
5
Define a takedown process: remove content, notify the owner, assess whether disclosure occurred, preserve a record, and update training if needed.
Evidence Normally Gathered
Public-content review checklist.
Training material or awareness records.
Approval records for public content.
Repository or website review notes.
Takedown or correction tickets.
List of people authorized to publish public content.
Common Auditor Questions
Who is allowed to publish public content?
How are employees trained not to disclose specified information?
Show me how a public article, case study, or repository is reviewed before release.
What happens if sensitive information is found on a public page?
Do you review public source code repositories or marketing assets?