Changes

<I><u>

<I><u>

<b>Build Security into the System Life Cycle, Across All Architectural Layers</b>

<b>Build Security into the System Life Cycle, Across All Architectural Layers</b>

* Identify and classify risks associated to the service’s business objectives, goals, and strategy

* Identify and [https://www.gcpedia.gc.ca/wiki/Security_Categorization_Tool categorize] information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability.

* Design security measures according to business and user needs, risks identified, and security categorization of the information and assets; integrate security across all architectural layers (BIAT)

* Implement a continuous security approach, in alignment with CCCS’s IT Security Risk Management Framework. Perform threat modelling to minimize the attack surface by limiting services exposed and information exchanged to the minimum necessary.

* Use the DevSecOps approach to address security requirements throughout all the stages of the system development life cycle, including using threat modeling to harden systems against cyber threats and vulnerabilities

* Apply proportionate security measures that address business and user needs while adequately protecting data at rest and data in transit.

* Design security mechanisms to support service continuity. This includes designing processes to restore the service, system/data back-ups and contingency plan

* Design systems to be resilient and available in order to support service continuity.

* Design measures to adequately protect data at rest and data in transit, and ensure that data received from external parties is profiled and validated prior to its use

<br>

<br>