== SPIN 2017-01: Direction for the Secure Use of Commercial Cloud Services ==
Cloud computing can provide a flexible means of delivering IT services. However, care must be taken to mitigate the risks associated with using cloud services.

The [http://intranet.canada.ca/wg-tg/go-sg/sim-gsi/spin-amps/2017/dsu-ous-eng.asp '''Direction for the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice'''] (SPIN 2017-01) sets out the responsibilities of departments and agencies for effectively managing and using cloud services, including adequately protecting the confidentiality, integrity and availability of information that is stored, processed and transmitted in those services.
The purpose of the SPIN is to:
* support departments in understanding existing TBS security policy requirements in the context of cloud computing
* set out guidance to assist organizations in the secure use of commercial cloud services (cloud services)
This site provides links to material that can help departments when implementing activities in support of the [http://intranet.canada.ca/wg-tg/go-sg/sim-gsi/spin-amps/2017/dsu-ous-eng.asp SPIN 2017-01]. Departments and agencies are encouraged to use this material to support the implementation and secure use of cloud-based solutions and services. The sharing of departmental best practices is also encouraged.
== Risk Management ==
{| class="wikitable" border="1"
|[http://intranet.canada.ca/wg-tg/go-sg/sim-gsi/spin-amps/2017/dsu-ous-eng.asp#toc6-1 6.1]
|''Departments must continuously manage the security risks to their information and IT assets throughout the life of their programs and services. In the context of cloud, risk management is based on a model of shared responsibility. The CSP fulfills some responsibility with respect to risk mitigation, but departments are ultimately accountable for risks. Implementing a risk-based approach:''
* ''supports well-informed decision making''
* ''must be applied before a business owner grants authorization of a cloud-based service to process, store or transmit protected GC information''
|}
The following subsections highlight additional requirements and guidance for securing GC cloud-based services:
* [[SPIN 2017-01 Security Categorization|Security Categorization]]
* [[SPIN 2017-01 Baseline Security Controls|Baseline Security Controls]]
* [[SPIN 2017-01 Third-Party Assurance|Third-Party Assurance]]
* [[SPIN 2017-01 Security Assessment and Authorization|Security Assessment and Authorization]]
* [[SPIN 2017-01 Continuous Monitoring|Continuous Monitoring]]
== Information Assurance and Asset Protection ==
{| class="wikitable" border="1"
|[http://intranet.canada.ca/wg-tg/go-sg/sim-gsi/spin-amps/2017/dsu-ous-eng.asp#toc6-2 6.2]
|''In accordance with Appendix C of the Directive on Departmental Security Management, departments must safeguard their information and assets, including those hosted in CSP environments, from unauthorized access, use, disclosure, modification, disposal, transmission, or destruction throughout their life cycle. These safeguards must:''
* ''protect GC data while in transit, in use and at rest''
* ''be commensurate with the security category of the information and assets''
* ''include an assurance of their appropriate implementation''
''When departments are considering using cloud services for storing personal information, guidance must be sought from [[Cloud and Privacy|privacy]] and access to information officials within their institution.''
|}
The following subsections highlight additional requirements and guidance for securing GC cloud-based services:
* [[SPIN 2017-01 Secure Development and Implementation|Secure Development and Implementation]]
* [[SPIN 2017-01 Data Protection|Data Protection]] and [[SPIN 2017-01 Data Residency|Data Residency]]
* [[SPIN 2017-01 Identity, Credential, and Access Management|Identity, Credential, and Access Management]]
* [[SPIN 2017-01 Network Security|Network Security]]
* [[SPIN 2017-01 Asset and Configuration Management|Asset and Configuration Management]]
* [[SPIN 2017-01 Vulnerability Management|Vulnerability Management]]
* [[SPIN 2017-01 Personnel Security|Personnel Security]]
* [[SPIN 2017-01 Physical Security|Physical Security]]
* [[SPIN 2017-01 Service Continuity|Service Continuity]]
* [[SPIN 2017-01 Secure Acquisition|Secure Acquisition]]
== Security Operations ==
{| class="wikitable" border="1"
|[http://intranet.canada.ca/wg-tg/go-sg/sim-gsi/spin-amps/2017/dsu-ous-eng.asp#toc6-3 6.3]
|''As part of an active defence strategy, departments must ensure that measures are implemented to audit and monitor access to their cloud-based services. Using GC-provided services, such as those from SSC’s Security Operations Centre, can help departments meet requirements for information system monitoring and security incident management.''
|}
The following subsections highlight additional requirements and guidance for securing GC cloud-based services:
* [[SPIN 2017-01 Information System Monitoring|Information System Monitoring]]
* [[SPIN 2017-01 Security Incident Management|Security Incident Management]]
== Enquiries ==
Email your questions to TBS Cyber Security at [mailto:ZZTBSCYBERS@tbs-sct.gc.ca ZZTBSCYBERS@tbs-sct.gc.ca].