Changes

no edit summary
Line 140: Line 140:     
<b>Ensure Secure Access to Systems and Services</b>
 
<b>Ensure Secure Access to Systems and Services</b>
* Identify and authenticate individuals, processes and/or devices to an appropriate level of assurance before granting access to information and services
+
* Identify and authenticate individuals, processes and/or devices (including Cloud accounts) to an appropriate level of assurance, based on clearly defined roles, before granting access to information and services. Leverage enterprise services such as Government of Canada trusted digital identity solutions that are supported by the Pan-Canadian Trust Framework; where custom authentication services are needed, use modern password guidance from GC Cyber
* Constrain service interfaces to authorized entities (users and devices), with clearly defined roles
+
* For hybrid Cloud architectures, follow applicable GC cybersecurity and SSC guidance to secure the Cloud-to-ground connectivity.
* Make use of modern password guidance, and prioritizing length over complexity, eliminating expiry, and blacklisting common passwords
+
* Ensure designs include measures to audit and monitor access to systems and services
 
<br>
 
<br>
    
<b>Maintain Secure Operations</b>
 
<b>Maintain Secure Operations</b>
* Integrate aggregate outputs from security assessment and authorization activities into security architecture lifecycle processes, to ensure reference artifacts remain relevant and valid
+
* Integrate aggregate outputs from security assessment and authorization activities into security architecture lifecycle processes, to ensure reference artefacts remain relevant and valid
* Design processes to operate and manage services securely, and continuously monitor system events and performance in order to detect, prevent, and respond to attacks  
+
* Design processes to operate and manage services securely, and continuously monitor system events and performance in order to detect, prevent, and respond to attacks
* Establish processes to monitor security advisories, and apply security-related patches and updates to reduce exposure to vulnerabilities. Apply appropriate risk-based mitigations when patches can’t be applied
+
* Establish processes to monitor security advisories, and apply security-related patches and updates to reduce exposure to vulnerabilities. Apply appropriate risk-based mitigations when patches cannot be applied
 
<br>
 
<br>
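Review bot: The rewritten first bullet under "Ensure Secure Access to Systems and Services" ends at "use modern password guidance from GC Cyber" with no closing period. Combined with the removal of the "Make use of modern password guidance..." bullet, it drops the concrete points that bullet carried (length over complexity, eliminating expiry, blacklisting common passwords). Suggest keeping those three points inline or naming the guidance document so the requirement stays checkable. In the same section, "Constrain service interfaces to authorized entities (users and devices), with clearly defined roles" is replaced by the hybrid Cloud connectivity bullet. The role wording moves into the first bullet, but the interface-constraint requirement no longer appears anywhere in the visible text; confirm that is intended or restore it as its own bullet. The changes under "Maintain Secure Operations" are limited to spelling ("artefacts", "cannot") and trailing whitespace and need no follow-up.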
  
