Changes

=== Build security into the system life cycle across all architectural layers ===

=== Build security into the system life cycle across all architectural layers ===

* identify and categorize information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability

* identify and <u>[https://www.gcpedia.gc.ca/wiki/Security_Categorization_Tool categorize]</u> information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability

* implement a continuous security approach, in alignment with Centre for Cyber Security’s IT Security Risk Management Framework; perform threat modelling to minimize the attack surface by limiting services exposed and information exchanged to the minimum necessary

* implement a continuous security approach, in alignment with <u>[https://cyber.gc.ca/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33 Centre for Cyber Security’s IT Security Risk Management Framework]</u>; perform threat modelling to minimize the attack surface by limiting services exposed and information exchanged to the minimum necessary

* apply proportionate security measures that address business and user needs while adequately protecting data at rest and data in transit

* apply proportionate security measures that address business and user needs while adequately protecting data at rest and data in transit

* design systems to be resilient and available in order to support service continuity

* design systems to be resilient and available in order to support service continuity

=== Ensure secure access to systems and services ===

=== Ensure secure access to systems and services ===

* identify and authenticate individuals, processes or devices to an appropriate level of assurance, based on clearly defined roles, before granting access to information and services; leverage enterprise services such as Government of Canada trusted digital identity solutions that are supported by the Pan‑Canadian Trust Framework

* identify and authenticate individuals, processes or devices to an appropriate level of assurance, based on clearly defined roles, before granting access to information and services; leverage enterprise services such as Government of Canada trusted digital identity solutions that are supported by the <u>[https://github.com/canada-ca/PCTF-CCP Pan‑Canadian Trust Framework]</u>

* constrain service interfaces to authorized entities (users and devices), with clearly defined roles; segment and separate information based on sensitivity of information, in alignment with ITSG‑22 and ITSG‑38. Management interfaces may require increased levels of protection

* constrain service interfaces to authorized entities (users and devices), with clearly defined roles; segment and separate information based on sensitivity of information, in alignment with <u>[https://cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-government-canada-itsg-22 ITSG‑22]</u> and <u>[https://cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38 ITSG‑38]</u>. Management interfaces may require increased levels of protection

* implement HTTPS for secure web connections and Domain-based Message Authentication, Reporting and Conformance (DMARC) for enhanced email security

* implement <u>[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html HTTPS]</u> for secure web connections and <u>[https://cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection Domain-based Message Authentication, Reporting and Conformance (DMARC)]</u> for enhanced email security

* establish secure interconnections between systems through secure APIs or leveraging centrally managed hybrid IT connectivity services

* establish secure interconnections between systems through secure <u>[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/government-canada-standards-apis.html APIs]</u> or leveraging centrally managed hybrid IT connectivity services

=== Maintain secure operations ===

=== Maintain secure operations ===