Line 83: |
Line 83: |
| ** For what data domains and/or attributes have you developed reference and master data standards? | | ** For what data domains and/or attributes have you developed reference and master data standards? |
| ** For what data domains and/or attributes have you supported the development of enterprise-wide data standards? | | ** For what data domains and/or attributes have you supported the development of enterprise-wide data standards? |
| + | * Ensure that data received from external parties is profiled and validated prior to its use |
| | | |
| <b>Use and share data openly in an ethical and secure manner</b> | | <b>Use and share data openly in an ethical and secure manner</b> |
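Review bot: the bullet added here ("Ensure that data received from external parties is profiled and validated prior to its use") is a top-level "*" item placed directly after the "**" question items, so it renders as a new bullet rather than as a sub-point of the preceding data-standards item; confirm the intended list level. It is the same text removed from the security design section in the Line 172 hunk below, so the move leaves that section with no explicit bullet on validating external input; since validation of untrusted input is a security control as well as a data-quality step, consider keeping a security-oriented counterpart there (e.g. "validate and sanitize data from external parties before use") alongside the data-profiling bullet here.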
Line 171: |
Line 172: |
| * Identify and classify risks associated to the service’s business objectives, goals, and strategy | | * Identify and classify risks associated to the service’s business objectives, goals, and strategy |
| * Design security measures according to business and user needs, risks identified, and security categorization of the information and assets; integrate security across all architectural layers (BIAT) | | * Design security measures according to business and user needs, risks identified, and security categorization of the information and assets; integrate security across all architectural layers (BIAT) |
| + | ** Maintain focus on users’ ease of use through selection of context-appropriate controls |
| + | ** Apply an information-centric approach to reduce resources’ exposure to threats, and minimize the opportunity for compromise. |
| + | ** Protect data while in transit, in use and at rest using appropriate encryption and protocols. Ensure effective disposition of data per retention schedules, following service sunset. |
| + | |
| * Design systems to not be susceptible to common security vulnerabilities; resilient and can be rebuilt quickly in the event of compromise; and fail secure if the system encounters an error or crashes | | * Design systems to not be susceptible to common security vulnerabilities; resilient and can be rebuilt quickly in the event of compromise; and fail secure if the system encounters an error or crashes |
− | * Ensure that data received from external parties is profiled and validated prior to its use | + | * Reduce human intervention and maximize automation of security tasks and processes |
| + | ** Integrate and automate security testing to validate code and address vulnerabilities prior to deployments |
| <br> | | <br> |
| | | |
| <b>Ensure Secure Access to Systems and Services</b> | | <b>Ensure Secure Access to Systems and Services</b> |
| * Identify and authenticate individuals, processes and/or devices to an appropriate level of assurance before granting access to information and services | | * Identify and authenticate individuals, processes and/or devices to an appropriate level of assurance before granting access to information and services |
− | * Constrain service interfaces to authorized entities (users and devices), with clearly defined roles | + | * Separate and compartmentalize user responsibilities and privileges; assign the least set of privileges necessary to complete the job |
− | * Make use of modern password guidance, and prioritizing length over complexity, eliminating expiry, and blacklisting common passwords | + | * Constrain service interfaces to authorized entities (users and devices), with clearly defined roles, and only expose the interfaces necessary to operate the service |
| + | * Make use of modern password guidance, and use GC-approved multi-factor authentication where required to stop unauthorized access |
| + | (prioritize length over complexity, eliminating expiry, and blacklisting common passwords) |
| <br> | | <br> |
| | | |
| <b>Maintain Secure Operations</b> | | <b>Maintain Secure Operations</b> |
| * Integrate aggregate outputs from security assessment and authorization activities into security architecture lifecycle processes, to ensure reference artefacts remain relevant and valid | | * Integrate aggregate outputs from security assessment and authorization activities into security architecture lifecycle processes, to ensure reference artefacts remain relevant and valid |
− | * Design processes to operate and manage services securely, and continuously monitor system events and performance in order to detect, prevent, and respond to attacks | + | * Continuously monitor system events and performance in order to detect, prevent, and respond to attacks |
| + | * Design processes to operate and manage services securely, and establish processes and mechanisms to respond effectively to security events |
| + | ** Collect transaction logs at infrastructure and application levels to support automated root-cause analysis and performance tuning |
| + | ** Include an audit function in information systems. Use a trusted time source and protect audit logs from manipulation |
| * Establish processes to monitor security advisories, and apply security-related patches and updates to reduce exposure to vulnerabilities. Apply appropriate risk-based mitigations when patches can’t be applied | | * Establish processes to monitor security advisories, and apply security-related patches and updates to reduce exposure to vulnerabilities. Apply appropriate risk-based mitigations when patches can’t be applied |
| <br> | | <br> |
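Review bot: two formatting defects in the added lines will change how the lists render. The empty "+ | |" row inserted after "** Protect data while in transit, in use and at rest ..." puts a blank line inside a wiki list, which terminates the list and starts a new one before "* Design systems to not be susceptible ..."; remove that row. The parenthetical "(prioritize length over complexity, eliminating expiry, and blacklisting common passwords)" was split onto its own row with no "*" marker, so it renders as a stray paragraph outside the bullet it qualifies and mixes "prioritize" with "eliminating"/"blacklisting"; fold it into the preceding bullet, e.g. "* Make use of modern password guidance (prioritize length over complexity, eliminate expiry, and blacklist common passwords), and use GC-approved multi-factor authentication where required to stop unauthorized access". Minor: the two new "**" bullets ending in full stops are inconsistent with the rest of the list, which omits them.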