Line 118: |
Line 118: |
| | | |
| === Build security into the system life cycle across all architectural layers === | | === Build security into the system life cycle across all architectural layers === |
− | * identify and categorize information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability | + | * identify and <u>[https://www.gcpedia.gc.ca/wiki/Security_Categorization_Tool categorize]</u> information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability |
− | * implement a continuous security approach, in alignment with Centre for Cyber Security’s IT Security Risk Management Framework; perform threat modelling to minimize the attack surface by limiting services exposed and information exchanged to the minimum necessary | + | * implement a continuous security approach, in alignment with <u>[https://cyber.gc.ca/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33 Centre for Cyber Security’s IT Security Risk Management Framework]</u>; perform threat modelling to minimize the attack surface by limiting services exposed and information exchanged to the minimum necessary |
| * apply proportionate security measures that address business and user needs while adequately protecting data at rest and data in transit | | * apply proportionate security measures that address business and user needs while adequately protecting data at rest and data in transit |
| * design systems to be resilient and available in order to support service continuity | | * design systems to be resilient and available in order to support service continuity |
| | | |
| === Ensure secure access to systems and services === | | === Ensure secure access to systems and services === |
− | * identify and authenticate individuals, processes or devices to an appropriate level of assurance, based on clearly defined roles, before granting access to information and services; leverage enterprise services such as Government of Canada trusted digital identity solutions that are supported by the Pan‑Canadian Trust Framework | + | * identify and authenticate individuals, processes or devices to an appropriate level of assurance, based on clearly defined roles, before granting access to information and services; leverage enterprise services such as Government of Canada trusted digital identity solutions that are supported by the <u>[https://github.com/canada-ca/PCTF-CCP Pan‑Canadian Trust Framework]</u> |
− | * constrain service interfaces to authorized entities (users and devices), with clearly defined roles; segment and separate information based on sensitivity of information, in alignment with ITSG‑22 and ITSG‑38. Management interfaces may require increased levels of protection | + | * constrain service interfaces to authorized entities (users and devices), with clearly defined roles; segment and separate information based on sensitivity of information, in alignment with <u>[https://cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-government-canada-itsg-22 ITSG‑22]</u> and <u>[https://cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38 ITSG‑38]</u>. Management interfaces may require increased levels of protection |
− | * implement HTTPS for secure web connections and Domain-based Message Authentication, Reporting and Conformance (DMARC) for enhanced email security | + | * implement <u>[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html HTTPS]</u> for secure web connections and <u>[https://cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection Domain-based Message Authentication, Reporting and Conformance (DMARC)]</u> for enhanced email security |
− | * establish secure interconnections between systems through secure APIs or leveraging centrally managed hybrid IT connectivity services | + | * establish secure interconnections between systems through secure <u>[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/government-canada-standards-apis.html APIs]</u> or leveraging centrally managed hybrid IT connectivity services |
| | | |
| === Maintain secure operations === | | === Maintain secure operations === |