Line 30: |
Line 30: |
| {{TOCright}} | | {{TOCright}} |
| | | |
− | == Overview ==
| + | {{Delete|reason=Expired Content}} |
− | The [[Media:GC ESA Description Document (ESADD) - ANNEX D OPS.pdf|GC ESA Description Document Annex D - Security Operations (OPS)]] incorporates the Security Policy Compliance Monitoring (PCM) ESA focus area (ESFA) components that are described in the [[Media:GC ESA Definition Document (ESADD) - Main Body.pdf|GC ESA Description Document Main Body]]. The main goal of the OPS ESFA is to describe security and system functions that provide the security capabilities that ensure GC IT/IS services supporting the GC's mission and business objectives are available, confidential, and that the integrity of the information is preserved. In the past, these security capabilities were focused on defensive measures aligned with the Defence in Depth approach to security operations.
| |
− | | |
− | However, the increase in attacks via a stealthy, persistent, and sophisticated adversary, who may have already compromised system components and established a foothold within an organization's systems (i.e. advanced persistent threats), requires the system to be able to continue operations in spite of an attack. Therefore, there is a need to move to a security operations implementation that exhibits cyber resiliency. The goals of cyber resiliency are to continue essential mission/business functions during an attack, restore those functions as soon as possible after the attack, and to adapt to minimize adverse impacts from future attacks.
| |
− | | |
− | The GC enterprise operates in a world of ever-present risk to its mission and business objectives. The [http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=19422 GC Framework for the Management of Risk] identifies principles to effectively manage risk within the GC via a "systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, making decision on, and communicating risk issues." As stated in the [http://www.tbs-sct.gc.ca/hgw-cgf/pol/rm-gr/girm-ggir/girm-ggirtb-eng.asp GC Guide to Integrated Risk Management], risk management "cannot be practiced effectively in silos", but must be integrated into the organization in a "continuous, proactive, and systematic process." Security Operations supports this GC Integrated Risk Management approach by providing capabilities to assess, respond to, and monitor risk within the GC Enterprise.
| |
− | | |
− | === ''Components'' ===
| |
− | The image on the below depicts the components used to define the security operations ESFA. The OPS components are intended to represent the superset of functionality required by a wide range of security operations centres. For a table describing the OPS components with the security operations ESFA, please refer to the [[Media:GC ESA Description Document (ESADD) - ANNEX D OPS.pdf|GC ESA Description Document Annex D - Security Operations (OPS)]] document.
| |
− | | |
− | <br>
| |
− | | |
− | [[File:Security Operations (OPS) Components.PNG|centre|thumb|393x393px|Security Operations (OPS) Components]]
| |
− | | |
− | <br>
| |
− | | |
− | Also, please read the [[Media:GC ESA Description Document (ESADD) - ANNEX D OPS.pdf|GC ESA Description Document Annex D - Security Operations (OPS)]] document for more information about the architectural needs that need to be considered and implemented to develop an architecture for secure applications.
| |
− | | |
− | === ''Context'' ===
| |
− | The image on the below shows the contextual view of the OPS ESFA with respect to other ESFAs, direct GC actors, and the external security information feeds required to perform security operations. All ESFAs interface with security operations as OPS components are required to monitor and asses the security state of the GC enterprise. The black hat actor or unknown/compromised devices are positioned to illustrate potential intrusion vectors into the GC enterprise. For a full list and description of GC enterprise actors, please read the [[Media:GC ESA Definition Document (ESADD) - Main Body.pdf|GC ESA Description Document Main Body]]. External interfaces for security operations include threat intelligence and information sharing capabilities across GC security operations and with external partners.
| |
− | | |
− | <br>
| |
− | | |
− | [[File:Security Operations (OPS) Context.PNG|centre|thumb|756x756px|Security Operations (OPS) Context]]
| |
− | | |
− | <br>
| |
− | | |
− | For more information about the interface characteristics between the OPS ESFA and other ESFAs, and security considerations when interfacing with these ESFAs, please read the [[Media:GC ESA Description Document (ESADD) - ANNEX D OPS.pdf|GC ESA Description Document Annex D - Security Operations (OPS)]] document.
| |
− | | |
− | <br>
| |
− | | |
− | == Perspectives ==
| |
− | This section provides contextual information on security operations that supports the target architectural views and information concerning security operations capabilities that provide rational for the security architecture transitions.
| |
− | | |
− | <br>
| |
− | | |
− | The following subsections, which can be expanded by clicking on 'Expand' on the far right, provide contextual information that should be considered for improving security operations.
| |
− | | |
− | <br>
| |
− | | |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Cyber Resiliency''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Cyber Resiliency}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Risk Management''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Risk Management}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Operational Environments''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Operational Environments}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Classified Environments''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Classified Environments}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Shared Situational Awareness and Information Sharing''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Shared Situational Awareness and Information Sharing}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Continuous Diagnostics and Mitigation (CDM)''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Continuous Diagnostics and Mitigation}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Anomaly Detection and Analysis''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Anomaly Detection and Analysis}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''OPS Asset and Configuration Management''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Asset and Configuration Management}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Proactive Policy Defences''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Proactive Policy Defences}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Integrated Threat Intelligence''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Integrated Threat Intelligence}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Audit Compliance''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Audit Compliance}} </div></div>
| |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
| |
− | '''Cyber Threat Protection Strategies''' <div class="mw-collapsible-content">
| |
− | ---- {{:Security Operations Cyber Threat Protection Strategies}} </div></div>
| |
− | | |
− | <br>
| |
− | | |
− | For more information, please read the [[Media:GC ESA Description Document (ESADD) - ANNEX D OPS.pdf|GC ESA Description Document Annex D - Security Operations (OPS)]] document.
| |
− | | |
− | <br>
| |
− | | |
− | == Security Operations (OPS) Target Security Architecture ==
| |
− | Two target architecture viewpoints are presented for security operations. The first viewpoint focuses on GC-wide security operations providing shared situational awareness and the sharing of security information and knowledge resources between security operations. Communications between security operation centres are secured by the methods documented in the[[Media:GC ESA ConOps - ANNEX D Secure Enterprise Systems Administration v0.8.pdf| GC ESA ConOps Annex D: Secure Enterprise Systems Administration]] document. The second viewpoint represents a single security operations centre and focuses on the functions and interactions of the OPS components.
| |
− | | |
− | === ''GC-Wide Security Operations'' ===
| |
− | The image below depicts the GC-wide hierarchy of security operations. Each security operations centre has access to the complete set of OPS component functions and security information is shared across all GC security operations. Situational awareness exists at the mission/business level and extends across all security operations creating a GC-wide shared situational awareness capability. Security information sharing includes situational status reports, CDM state data, threat intelligence (alerts, reports, bulletins, and best practices), cloud security monitoring, vulnerability intelligence, and GC policy guidance information.
| |
− | | |
− | <br>
| |
− | | |
− | [[File:GC-Wide Target Security Operations Hierarchy.PNG|centre|thumb|675x675px|GC-Wide Target Security Operations Hierarchy]]
| |
− | | |
− | <br>
| |
− | | |
− | Centralized CDM repositories allow security operation centres to share security state information across GC security operation centres. This provides the GC with the ability to contextually analyze GC security operations states. For example, CDM data can be used to identify assets that have a critical vulnerability. Analysis of this data identifies where and how many of the assets exist, the security settings of the assets, and then directs that these assets are secured.
| |
− | | |
− | === ''Security Operations Instance'' ===
| |
− | The image below depicts an instance of a security operation centre. Each security operation centre has access to all OPS component functions whether they are presented as lightweight interfaces or as complete applications. OPS component interfaces are digital and automated to provide adaptable security workflow automation capabilities. Security operations have access and control of local security data and share relevant security information by reporting CDM state data, threat intelligence, and policy and audit compliance to centralized GC repositories.
| |
− | | |
− | <br>
| |
− | | |
− | [[File:Target Integrated Security Operations.PNG|centre|thumb|663x663px|Target Integrated Security Operations]]
| |
− | | |
− | <br>
| |
− | | |
− | For more information about the target security architecture for security operations and the transition strategy to achieve it, please read the [[:File:GC ESADD - ANNEX D OPS v0.9.pdf|ESADD Annex D: Security Operations (OPS)]] document.<br>
| |
− | | |
− | <br>
| |
− | | |
− | ==ESADD Annex D: Security Operations (OPS) Pattern Diagrams ==
| |
− | For the Pattern Diagrams for Security Operations (OPS) from the [[Media:GC ESA Description Document (ESADD) - ANNEX D OPS.pdf|GC ESA Description Document Annex D - Security Operations (OPS)]] document, please visit the [[ESA Pattern Diagram Repository]].
| |
− | ===''List of ESADD Annex D Pattern Diagrams'' ===
| |
− | *Pattern PN-OPS-001 Asset Discovery
| |
− | | |
− | *Pattern PN-OPS-002 Client Endpoint Configuration Checking
| |
− | *Pattern PN-OPS-003 Backup and Restore
| |
− | *Pattern PN-OPS-004 Anomaly Detection and Resolution
| |
− | *Pattern PN-OPS-005 Vulnerability Identification and Mitigation
| |
− | *Pattern PN-OPS-006 Cyber Security Event
| |
− | | |
− | <br>
| |
− | | |
− | == References ==
| |
− | * [[Media:GC ESADD - ANNEX D OPS v0.9.pdf|GC ESADD Annex D: Security Operations (OPS)]]
| |
− | * [[Media:GC ESA Definition Document (ESADD) - Main Body.pdf|GC ESA Description Document Main Body]]
| |
− | * [http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=19422 GC Framework for the Management of Risk]
| |
− | * [http://www.tbs-sct.gc.ca/hgw-cgf/pol/rm-gr/girm-ggir/girm-ggirtb-eng.asp GC Guide to Integrated Risk Management]
| |
− | * [[Media:GC ESA ConOps - ANNEX D Secure Enterprise Systems Administration v0.8.pdf| GC ESA ConOps Annex D: Secure Enterprise Systems Administration]]
| |
− | | |
− | [[Category:Government of Canada Enterprise Security Architecture (ESA) Program]]
| |
− | [[Category:Enterprise Security Architecture]]
| |
− | [[Category:GC Enterprise Architecture]]
| |
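Review bot: the new side of this hunk replaces the whole page body with {{Delete|reason=Expired Content}} but keeps {{TOCright}}, leaving a table-of-contents template on a revision that has no headings to index; remove {{TOCright}} together with the body. The removed lines also carry the page's links to the ESADD Annex D (OPS) PDF, the ESA Description Document Main Body, the ConOps Annex D document and the six pattern diagrams PN-OPS-001 to PN-OPS-006, so the deletion reason should name the page that now holds that material, or the References section should stay until a successor page exists.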