Line 355: |
Line 355: |
| A lot more information can be found here: | | A lot more information can be found here: |
| * [https://www.gcpedia.gc.ca/wiki/Government_of_Canada_Enterprise_Security_Architecture_(ESA)_Program; Government of Canada Enterprise Security Architecture (ESA) Program and here:] | | * [https://www.gcpedia.gc.ca/wiki/Government_of_Canada_Enterprise_Security_Architecture_(ESA)_Program; Government of Canada Enterprise Security Architecture (ESA) Program and here:] |
− | * [https://www.gcpedia.gc.ca/gcwiki/images/a/ac/GC_ESA_Description_Document_%28ESADD%29_-_Main_Body.pdf GC ESA Description Document Main Body -- Synopsis]<br><br> | + | * [https://www.gcpedia.gc.ca/gcwiki/images/a/ac/GC_ESA_Description_Document_%28ESADD%29_-_Main_Body.pdf GC ESA Description Document Main Body -- Synopsis]<br><br><!-- FOOTER --> |
− | <h4><b>Build Security into the Full System Life Cycle, Across All Architectural Layers</b></h4>
| + | {| width="100%" cellpadding="10" |
− | * Identify and classify risks associated to the service’s business objectives, goals, and strategy
| |
− | * Design security measures according to business and user needs, risks identified, and security categorization of the information and assets; integrate security across all architectural layers (BIAT)
| |
− | ** Maintain focus on users’ ease of use through selection of context-appropriate controls
| |
− | ** Apply an information-centric approach to reduce resources’ exposure to threats, and minimize the opportunity for compromise.
| |
− | ** Protect data while in transit, in use and at rest using appropriate encryption and protocols. Ensure effective disposition of data per retention schedules, following service sunset.
| |
− | | |
− | * Design systems to not be susceptible to common security vulnerabilities; resilient and can be rebuilt quickly in the event of compromise; and fail secure if the system encounters an error or crashes
| |
− | * Reduce human intervention and maximize automation of security tasks and processes
| |
− | ** Integrate and automate security testing to validate code and address vulnerabilities prior to deployments
| |
− | <br>
| |
− | | |
− | <h4><b>Ensure Secure Access to Systems and Services</b></h4>
| |
− | * Identify and authenticate individuals, processes and/or devices to an appropriate level of assurance before granting access to information and services
| |
− | * Separate and compartmentalize user responsibilities and privileges; assign the least set of privileges necessary to complete the job
| |
− | * Constrain service interfaces to authorized entities (users and devices), with clearly defined roles, and only expose the interfaces necessary to operate the service
| |
− | * Make use of modern password guidance, and use GC-approved multi-factor authentication where required to stop unauthorized access
| |
− | (prioritize length over complexity, eliminating expiry, and blacklisting common passwords)
| |
− | <br><br>
| |
− | | |
− | <h4><b>Maintain Secure Operations</b></h4>
| |
− | * Integrate aggregate outputs from security assessment and authorization activities into security architecture lifecycle processes, to ensure reference artefacts remain relevant and valid
| |
− | * Continuously monitor system events and performance in order to detect, prevent, and respond to attacks
| |
− | * Design processes to operate and manage services securely, and establish processes and mechanisms to respond effectively to security events
| |
− | ** Collect transaction logs at infrastructure and application levels to support automated root-cause analysis and performance tuning
| |
− | ** Include an audit function in information systems. Use a trusted time source and protect audit logs from manipulation
| |
− | * Establish processes to monitor security advisories, and apply security-related patches and updates to reduce exposure to vulnerabilities. Apply appropriate risk-based mitigations when patches can’t be applied
| |
− | <br>
| |
− | | |
− | <h4><b> Privacy by Design </b></h4>
| |
− | * Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved
| |
− | * Perform [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/responsible-use-ai/algorithmic-impact-assessment.html Algorithmic Impact Assessment (AIA)] to support risk mitigation activities when deploying an automated decision system
| |
− | * Implement security measures to assure the protection of personal information
| |
− | * Take into consideration the <b>[https://www.ryerson.ca/pbdce/certification/seven-foundational-principles-of-privacy-by-design/ 7 Foundational Privacy Design Principles] </b> when designing services
| |
− | | |
− | <!-- FOOTER -->{| width="100%" cellpadding="10" | |
| | | |
| |- valign="top" | | |- valign="top" |
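Review bot: the four principle sections deleted on the left (Build Security into the Full System Life Cycle, Ensure Secure Access to Systems and Services, Maintain Secure Operations, Privacy by Design) have no counterpart on the right; the only additions are the `<!-- FOOTER -->` marker and the `{| width="100%" cellpadding="10"` table opening moved up to follow the ESADD synopsis link, so the page loses its guidance on risk identification, least privilege, MFA and modern password guidance, protected audit logs with a trusted time source, patching, PIA and AIA. If that content was relocated to another page or section, the diff should point to it (edit summary or an inline link); if not, the deletion looks unintended and the sections should be restored before the footer table.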