Line 112: |
Line 112: |
| | | |
| === Build Security into the System Life Cycle, Across All Architectural Layers === | | === Build Security into the System Life Cycle, Across All Architectural Layers === |
− | * Identify and categorize information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability. | + | * Identify and [https://www.gcpedia.gc.ca/wiki/Security_Categorization_Tool categorize] information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability. |
− | * Implement a continuous security approach, in alignment with CCCS’s IT Security Risk Management Framework. Perform threat modelling to minimize the attack surface by limiting services exposed and information exchanged to the minimum necessary. | + | * Implement a continuous security approach, in alignment with [https://cyber.gc.ca/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33 CCCS’s IT Security Risk Management Framework.] Perform threat modelling to minimize the attack surface by limiting services exposed and information exchanged to the minimum necessary. |
| * Apply proportionate security measures that address business and user needs while adequately protecting data at rest and data in transit. | | * Apply proportionate security measures that address business and user needs while adequately protecting data at rest and data in transit. |
| * Design systems to be resilient and available in order to support service continuity. | | * Design systems to be resilient and available in order to support service continuity. |
| | | |
| === Ensure Secure Access to Systems and Services === | | === Ensure Secure Access to Systems and Services === |
− | * Identify and authenticate individuals, processes and/or devices to an appropriate level of assurance, based on clearly defined roles, before granting access to information and services. Leverage enterprise services such as Government of Canada trusted digital identity solutions that are supported by the Pan-Canadian Trust Framework. | + | * Identify and authenticate individuals, processes and/or devices to an appropriate level of assurance, based on clearly defined roles, before granting access to information and services. Leverage enterprise services such as Government of Canada trusted digital identity solutions that are supported by the [https://github.com/canada-ca/PCTF-CCP Pan-Canadian Trust Framework] |
− | * Constrain service interfaces to authorized entities (users and devices), with clearly defined roles. Segment and separate information based on sensitivity of information, in alignment with ITSG-22 and ITSG-38. Management interfaces may require increased levels of protection. | + | * Constrain service interfaces to authorized entities (users and devices), with clearly defined roles. Segment and separate information based on sensitivity of information, in alignment with [https://cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-government-canada-itsg-22 ITSG-22] and [https://cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38 ITSG-38]. Management interfaces may require increased levels of protection. |
− | * Implement HTTPS for secure web connections and DMARC for enhanced email security. | + | * Implement [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html HTTPS] for secure web connections and [https://cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection DMARC] for enhanced email security. |
− | * Establish secure interconnections between systems through secure APIs or leveraging centrally managed Hybrid IT connectivity services. | + | * Establish secure interconnections between systems through secure [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32604 APIs] or leveraging centrally managed Hybrid IT connectivity services |
| | | |
| === Maintain Secure Operations === | | === Maintain Secure Operations === |
| * Establish processes to maintain visibility of assets and ensure the prompt application of security-related patches and updates in order to reduce exposure to vulnerabilities, in accordance with GC Patch Management Guidance. | | * Establish processes to maintain visibility of assets and ensure the prompt application of security-related patches and updates in order to reduce exposure to vulnerabilities, in accordance with GC Patch Management Guidance. |
| * Enable event logging, in accordance with GC Event Logging Guidance, and perform monitoring of systems and services in order to detect, prevent, and respond to attacks. | | * Enable event logging, in accordance with GC Event Logging Guidance, and perform monitoring of systems and services in order to detect, prevent, and respond to attacks. |
− | * Establish an incident management plan in alignment with the GC Cyber Security Event Management Plan (GC CSEMP) and report incidents to the Canadian Centre for Cyber Security (CCCS). | + | * Establish an incident management plan in alignment with the [https://www.canada.ca/en/treasury-board-secretariat/services/access-information-privacy/security-identity-management/government-canada-cyber-security-event-management-plan.html GC Cyber Security Event Management Plan (GC CSEMP)] and report incidents to the [https://cyber.gc.ca/en/contact-us Canadian Centre for Cyber Security (CCCS).] |
| | | |
| == Status == | | == Status == |