SPIN 2015-01

From wiki
Jump to navigation Jump to search
A noter: une version française de cette page est disponible à: AMOPS 2015-01




Join the discussion on the SPIN 2015-01 Follow-Up Activities on GCconnex.


SPIN 2015-01: Priority IT Security Actions

Following recent incidents and Information Technology (IT) audits, Treasury Board of Canada Secretariat (TBS) has published Security Policy Implementation Notice (SPIN) 2015-01: Priority IT Security Actions on its Publiservice website. This SPIN re-emphasizes existing/foundational requirements from the Operational Security Standard: Management of Information Technology Security that are related to the identified priority security actions, and provides guidance on these requirements.


The SPIN highlights three security management practices, based on recommendations from the Communications Security Establishment’s (CSE’s) Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information (CSE Top 10) list, that need reinforcing: patching of operating systems (OSs) and applications, enforcing the management of administrative privileges, and hardening of information systems. Implementing robust practices in these three areas will help to enhance departmental and enterprise IT security postures by minimizing cyber intrusions or the impacts to networks if a successful intrusion occurs. TBS has requested that departments and agencies ensure that their processes address GC requirements and reflect the strong practices that have been identified in the SPIN.


The SPIN and its supporting material are intended to help departments and agencies focus their efforts and prioritize the implementation of security controls to protect GC networks and information systems.


This page provides links to material that can help departments when implementing activities in support of SPIN 2015-01. For each action area identified in the SPIN, this page identifies relevant:


Published GC Guidance – Formally approved guidance documents by TBS or other lead security agencies (LSA). Guidance documents in this section will typically be found on the LSA’s website.
Draft Guidance and Best Practices – Guidance that may not yet be officially approved but which are ready for departmental review or comment; as well as best practices shared by departments.
External/Third-Party Best Practices – Links to best practices or tools that are made available by external organizations and could be adopted by departments (e.g. CIS, NIST, and ISF).


Published GC guidance is generally available in both official languages. Draft guidance and best practices are frequently available in one official language; however, translation may be planned or pending. For ease of reference, links are provided to external/third-party best practices, but availability in both official languages is neither assumed nor assured.


Departments and agencies are encouraged to use this material to enhance their processes and practices. The sharing of departmental best practices is also encouraged.


This page will be updated as new material becomes available.


Patch Management

Published GC Guidance

  • [CSE] ITSB-96, Security Vulnerabilities and Patches Explained, provides guidance on assessing known vulnerabilities and patches in order to determine the risk posed to an organization, the relative priority for patch deployment, as well as guidelines on how to deploy patches.

Draft GC Guidance and Best Practices

  • None available at this time.

External/Third-Party Best Practices

  • From the document abstract: “This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. This publication also provides an overview of enterprise patch management technologies and briefly discusses metrics for measuring the technologies’ effectiveness and for comparing the relative importance of patches.”
  • This module provides an introduction to update management and explains why update management is essential for enterprise systems. It will introduce security terminology, together with descriptions of common vulnerabilities and types of threat. This module also describes the processes used within Microsoft to develop and release software updates, and shows how these relate to the steps you should take for proactive security update management. Finally, the four-phase approach update management process that Microsoft recommends is introduced, with more details presented in the following modules.
  • The purpose of this module is to introduce the key issues for update management in a Microsoft Windows operating system—based environment, and to describe the main tools, technologies, and processes that Microsoft recommends to support this task.

Privileged Account Management

Published GC Guidance

Draft GC Guidance and Best Practices

  • [TBS] GC ESA ConOps Annex D: Secure Enterprise Systems Administration
    • The Secure Enterprise Systems Administration System Concept identifies security issues with the current inconsistent approaches for performing system administration, and recommends improvements to mitigate the identified security concerns as the level of inter-connectivity increases and the GC moves towards a consolidated IT/IS infrastructure. These include improvements to operational processes and technical capabilities. Use of Privileged Access Management (PAM) technologies and separation of management and production interfaces are particularly important technical aspects of improving security.

External/Third-Party Best Practices

  • This document discusses the importance of secure administration and suggests one method of implementing a secure administration environment.
  • Contains recommendations to enhance the security of Active Directory installations, discusses common attacks against Active Directory and countermeasures to reduce the attack surface, and offers recommendations for recovery.

System Hardening

Published GC Guidance

  • In collaboration with, and leveraging the knowledge and experience of, its international CSIRT peers, the Canadian Cyber Incident Response Centre developed and shared TR15-501 with its federal, provincial, territorial, municipal and critical infrastructure partners in order to provide practical and effective mitigation advice with a view to reducing the cyber risk faced by Canada and Canadians.

Draft GC Guidance and Best Practices

  • None available at this time

External/Third-Party Best Practices

  • The National Checklist Program (NCP), defined by the NIST SP 800-70 Rev. 2, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.
  • This repository provides a searchable / filterable list of guidance available from multiple sources.
  • Searches can be based on: “tier” (degree of automation / Security Content Automation Protocol [SCAP] support); “target product” (application, OS, device/firmware, etc.); “category” (general type of application purpose; e.g. email server, office suite, operating system”); “authority” (issuer: vendors, CIS, DISA, MITRE, NIST, etc.); and “keyword” (searches for specified words across the name, and summary).
  • You might choose to use this resource to identify available resources for hardening that are applicable to your specific environment.
  • NSA develops and distributes configuration guidance for a wide variety of software, both open source and proprietary. Guidance is available for:
  • Vendors or system / component originators also provide guidance and tools to support their products
  • Microsoft Security Configuration Guidance Support (last reviewed: 10/14/2010) briefly identifies and describes some of the sources above (i.e. CIS, NIST, DISA and NSA) as well as potential issues to be aware of with practices described in their hardening guidance;
  • Microsoft Security Compliance Manager (SCM) is a free tool from Microsoft that “enables you to quickly configure and manage the computers in your environment and your private cloud using Group Policy and Microsoft System Center Configuration Manager”.

Additional Information

Email your questions to TBS Cyber Security at ZZTBSCYBERS@tbs-sct.gc.ca.


A noter: une version française de cette page est disponible à: AMOPS 2015-01