Changes

no edit summary
Line 174: Line 174:  
<span style="font-size: 1.5em;">[[GC_Security_and_Privacy_Enterprise_Architecture | 5. Security Architecture and Privacy]]</span> <br><br>
 
<span style="font-size: 1.5em;">[[GC_Security_and_Privacy_Enterprise_Architecture | 5. Security Architecture and Privacy]]</span> <br><br>
   −
<b>Design for Security and Privacy</b>
   
<I><u>
 
<I><u>
* Perform security categorization to identify and categorize information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability.
+
<b>Build Security into the Full System Life Cycle, Across All Architectural Layers</b>
* Build in security from the outset of design, development, and throughout the system life cycle, across all architectural layers.
+
* Identify and classify risks associated to the service’s business objectives, goals, and strategy
* Implement appropriate and cost-effective security measures and privacy protections, proportionate to user and business needs. Apply graduated safeguards that are commensurate with the security category of the information and assets.
+
* Design security measures according to business and user needs, risks identified, and security categorization of the information and assets; integrate security across all architectural layers (BIAT).  
* Protect data while in transit, in use and at rest using appropriate encryption and protocols. (Duplicate D3)
+
** Maintain focus on users’ ease of use through selection of context-appropriate controls
* Apply a defense in depth approach to reduce exposure to threats and minimize the degree of compromise.  
+
** Apply an information-centric approach to reduce resources’ exposure to threats, and minimize the opportunity for compromise.  
* Design services that:
+
** Protect data while in transit, in use and at rest using appropriate encryption and protocols. Ensure effective disposition of data per retention schedules, following service sunset.
** Prioritize ease of use in security design to make security simple for users;
+
* Design systems that: are not susceptible to common security vulnerabilities; are resilient and can be rebuilt quickly in the event of compromise; and fail secure if the system encounters an error or crashes.  
** Protected from common security vulnerabilities;  
  −
** Expose and secure only the interfaces necessary to operate the service;
  −
** Are resilient and can be rebuilt quickly to a known clean state in the event that a compromise is detected; and  
  −
** Fail secure even if the system encounters an error or crashes.  
  −
* Integrate and automate security testing to validate code and address vulnerabilities prior to deployment
   
* Reduce human intervention and maximize automation of security tasks and processes.
 
* Reduce human intervention and maximize automation of security tasks and processes.
 +
** Integrate and automate security testing to validate code and address vulnerabilities prior to deployments
   −
<b> Ensure Secure Access to Systems and Services </b>
+
<b>Ensure Secure Access to Systems and Services</b>
* User access to service interfaces should be constrained to authorised individuals, with clearly defined roles.
+
* Identify and authenticate users and devices to an appropriate level of assurance before granting access to information and services.
* Identify and authenticate individuals, processes, and/or devices to an appropriate level of assurance before being granted access to information and services.
+
* Separate and compartmentalize user responsibilities and privileges; assign the least set of privileges necessary to complete the job.
* Separate and compartmentalise user responsibilities and privileges. Assign the least set of privileges necessary to complete the job.
+
* Constrain service interfaces to authorized entities (users and devices), with clearly defined roles, and only expose the interfaces necessary to operate the service
* Use GC-approved multi-factor authentication where possible to protect against unauthorized access.
+
* Make use of modern credential guidance, and use GC-approved multi-factor authentication where required to stop unauthorized access.
 
  −
<b> Maintain Secure Operations </b>
  −
* Design processes to operate and manage services securely in order to impede, detect or prevent attacks.
  −
* Collect all relevant security events and logs at infrastructure and application levels to support root-cause analysis. Use a trusted time source and protect audit logs from manipulation.
  −
* Continuously monitor system events and performance, and include a security audit log function in all information systems.
  −
* Promptly apply security-related patches and updates to reduce exposure to vulnerabilities. Apply a risk-based mitigations when patches can’t be applied.
  −
* Establish appropriate mechanisms to respond effectively to security incidents. Monitor security advisories and patches.
      +
<b>Maintain Secure Operations</b>
 +
* Integrate SA&A activities into security architecture lifecycle processes, to ensure reference artefacts remain relevant and valid.
 +
* Continuously monitor system events and performance in order to detect, prevent, and respond to attacks.
 +
* Design processes to operate services securely, and establish processes and mechanisms to respond effectively to security events.
 +
* Collect transaction logs at infrastructure and application levels to support automated root-cause analysis and performance tuning.
 +
* Include an audit function in information systems. Use a trusted time source and protect audit logs from manipulation.
 +
* Establish processes to monitor security advisories, and apply security-related patches and updates. Apply appropriate risk-based mitigations when patches can’t be applied.
 +
<br>
 
<b> Privacy by Design </b>
 
<b> Privacy by Design </b>
 
* Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved
 
* Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved
 
* Implement security measures to assure the protection of personal information
 
* Implement security measures to assure the protection of personal information
 
* Take into consideration the <b>[https://www.ryerson.ca/pbdce/certification/seven-foundational-principles-of-privacy-by-design/ 7 Foundational Privacy Design Principles] </b> when designing services.
 
* Take into consideration the <b>[https://www.ryerson.ca/pbdce/certification/seven-foundational-principles-of-privacy-by-design/ 7 Foundational Privacy Design Principles] </b> when designing services.
</I>
+
</u></I>
 
|}
 
|}
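Review bot: several of the rewritten bullets are weaker than the text they replace, and the narrowing reads as accidental rather than as an intended policy change. In the access section, "Identify and authenticate individuals, processes, and/or devices" becomes "Identify and authenticate users and devices", which drops authentication of processes (service-to-service and automated access), and "Use GC-approved multi-factor authentication where possible" becomes "where required", which turns the default into an exception; suggest keeping "individuals, processes, and devices" and "where possible". In the design section, "Apply a defense in depth approach" is replaced by "Apply an information-centric approach", so the term defense in depth no longer appears anywhere in the page, and "rebuilt quickly to a known clean state" loses "to a known clean state", which is the part that makes the resilience requirement verifiable. In the operations section, "Promptly apply security-related patches" loses "promptly", "Collect all relevant security events and logs" becomes "Collect transaction logs ... to support automated root-cause analysis and performance tuning", and "a security audit log function in all information systems" becomes "an audit function in information systems"; suggest restoring "security events", "promptly" and "all". Minor: "(BIAT)" in the new bullet on architectural layers is not expanded on first use, "risks associated to" should read "risks associated with", and "prior to deployments" should be singular, matching the wording it replaces.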
  