Difference between revisions of "Policy"

 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
 
{{Cloud Information Centre - Government of Canada}}
 
{{Cloud Information Centre - Government of Canada}}
 +
<b>
 +
</b>
 +
<!-- NAV -->
 +
<!-- Columns -->
 +
 +
{| width="100%" cellpadding="10"
 +
 +
|width="90%" style="color: black;" align="right" |
 +
<!-- COLUMN 1 STARTS: -->
 +
[[Template: Politique|Français]]
 +
<!-- COLUMN 1 ENDS: -->
 +
|width="10%" style="color: black; align=center" |
 +
 +
<!-- COLUMN 2 STARTS: -->
 +
 +
<!-- COLUMN 2 ENDS: -->
 +
 +
<!-- Columns -->
 +
|}
 +
 +
{| width="100%" cellpadding="10"
 +
|-valign="top"
 +
 +
|width="50%" style="color: black;" |
 +
<!-- COLUMN 1 STARTS: -->
 +
[[Image:Governance.jpg|250x250px|center |link=Governance]]
 +
<!-- COLUMN 1 ENDS: -->
 +
|width="50%" style="color: black;" |
 +
<!-- COLUMN 2 STARTS: -->
 +
[[Image:Cic.jpg|center|250x250px |link=GC_Cloud_Infocentre]]
 +
<!-- COLUMN 2 ENDS: -->
 +
|}
 
<span style="font-family: Century Gothic; font-size: 28pt;"><font color="#9F000F;">Policy Instruments</font><span>
 
<span style="font-family: Century Gothic; font-size: 28pt;"><font color="#9F000F;">Policy Instruments</font><span>
 
  
 
<big><big>The Treasury Board Secretariat (TBS) had developed a set of policy instruments that provide the necessary policy guidance to enable smooth cloud adoption across the Government of Canada.
 
<big><big>The Treasury Board Secretariat (TBS) had developed a set of policy instruments that provide the necessary policy guidance to enable smooth cloud adoption across the Government of Canada.
 
+
<br><br>
 
== Strategic Plan ==
 
== Strategic Plan ==
 
* [https://www.canada.ca/en/government/system/digital-government/digital-operations-strategic-plan-2018-2022.html Digital Operations Strategic Plan: 2018-2022]
 
* [https://www.canada.ca/en/government/system/digital-government/digital-operations-strategic-plan-2018-2022.html Digital Operations Strategic Plan: 2018-2022]
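Review bot: In the new header table, the second cell is declared as |width="10%" style="color: black; align=center" |, but align is not a CSS property, so the centering is silently ignored; use text-align: center inside style, or a separate align="center" attribute as the first cell does with align="right". The added <b> and </b> lines wrap nothing and can be dropped. The "Policy Instruments" heading (unchanged context) ends with <span> where </span> is needed, which leaves the span open for the rest of the page, and "had developed" in the intro sentence should read "has developed".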
Line 38: Line 70:
 
* [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/cloud-security-risk-management-approach-procedures.html Risk-management for cloud-based services] - Protect cloud services by ensuring that the proper security controls are in place.
 
* [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/cloud-security-risk-management-approach-procedures.html Risk-management for cloud-based services] - Protect cloud services by ensuring that the proper security controls are in place.
 
* [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/gc-white-paper-data-sovereignty-public-cloud.html Data sovereignty in cloud environments] - Assessing the risks of foreign governments accessing Canadian data in the cloud.  
 
* [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/gc-white-paper-data-sovereignty-public-cloud.html Data sovereignty in cloud environments] - Assessing the risks of foreign governments accessing Canadian data in the cloud.  
<br>
 
== Cloud Security Initiative ==
 
<br>
 
=== Overview ===
 
<br>
 
Cloud computing has introduced a fundamental shift in the way IT services are delivered and the Government of Canada (GC) will position itself to use this alternative service delivery model. Cloud adoption will ensure that the GC can continue to sustain IT service excellence during a period of increased demand by Canadians for online services and timely access to accurate information. This developing shift will affect how we procure, secure, and work with IT systems that support GC and departmental programs and services.
 
Under the cloud computing paradigm, the GC will depend on vendors for many aspects of security and privacy, and in doing so, will confer a level of trust onto the cloud service provider (CSP). To establish this trust, the GC requires an IT security risk management approach and procedures that are adapted to cloud computing.
 
For more information about the Cloud Security Initiative, please read the [https://www.gcpedia.gc.ca/gcwiki/images/c/c7/GC_Cloud_Security_Risk_Management_Approach_and_Procedures_-_EN.pdf GC Cloud Security Risk Management Approach and Procedures] document and the Cloud Adoption Strategy.
 
For more information on the GC Cloud Security Initiative consult https://www.gcpedia.gc.ca/wiki/Cloud_Security_Initiative.
 
  
 
== Cloud Security ==
 
== Cloud Security ==
=== Overview and Current Situation in Government of Canada ===
+
 
Cloud computing has made the jump from buzzword to deployed technology. However, many potential cloud customers do not understand the scope of the cloud, how it should be used, and how to address security in the cloud. The image below is a simplified view of an enterprise such as the GC. The goal of the organization is to provide needed services to the citizens of Canada and other public users as well as internal services to allow GC employees and contractors to keep the business of the GC running. Service delivery is the ultimate goal, but there are several foundational elements provided by the people, processes, and technology of the GC. The technical contribution to the foundation is contained in information technology and information systems (IT/IS). As shown in the image on the left, cloud computing is simply an enabling information technology supporting the mission of the business of the enterprise.
+
=== Policies and Standards ===
<br><br>
+
::*    [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12755 Policy on Management of Information Technology]
The GC IT/IS enterprise is large in scope and geography, yielding a challenging operational, maintenance, and security environment. GC users hail from 400,000+ federal government employees and 100,000+ federal government business enterprise employees. Canada's population is 35 million, representing the pool of potential Canadian citizen public users. GC resources are also accessed by non-Canadian public users, including international visitors to GC sites. The hundreds of GC agencies and departments are spread across the country and around the world, each with independent policies, assets, and resultant security postures.  
+
::* [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578 Policy on Government Security]
<br><br>
+
::* [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/direction-electronic-data-residency.html Direction for Electronic Data Residency, ITPIN No: 2017-02]
Currently, the GC operates 480+ data centres attached to thousands of stove-piped networks running unique instances of front-office and back-office applications. These data centres consist of purpose built servers racked for each application, resulting in low hardware utilization rates (i.e. 15% or less), long lead times for provisioning (i.e. weeks to months), sub-optimal use of data centre space, power and cooling, and high recurring costs.
+
::* [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/direction-secure-use-commercial-cloud-services-spin.html Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN)]
<br><br>
+
 
Current use of cloud computing is department-based, deployed internally in department-hosted private data centres and clouds for processing sensitive information and contracted with cloud providers for unclassified and public information sites. This distributed, department-led IT procurement and deployment model leads to a number of enterprise level issues, including: inconsistent application and adoption of new technologies and business processes, standards, and open systems; a lack of ability to adapt to the changing threat environment while increasing the threat surface faster than security mitigations are deployed; incomplete network and element awareness and mapping; independently owned and operated legacy applications (5000+) and associated data and information stores, many without a path to a consolidated infrastructure and modern security protections; limited inter-domain interoperability and inadequate information sharing and access between agencies, departments, and partners. All of these effects perpetuating the expensive, inefficient, and insecure aspects of the current enterprise.  
+
=== Guidance ===
<br><br>
+
::* [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-computing/government-canada-security-control-profile-cloud-based-it-services.html Government of Canada Security Control Profile for Cloud-Based GC IT Services]
A contributing aspect to the low penetration of low-cost, high performance solutions enabled by cloud computing is the slow uptake of cloud technology in Canada as a whole. In a white paper published by IT World Canada, the perspective of Canadian CIOs on cloud computing was described as follows:
+
::* [https://cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-government-canada-itsg-22 Government of Canada Cloud Security Risk Management Approach and Procedures]
"Their posture towards the cloud, in other words, could not be more Canadian: optimistic but pragmatic, slow but deliberate, purposeful but not aggressive."
+
::* [https://cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-government-canada-itsg-22 CCCS ITSG-22 Baseline Security Requirements for Network Security Zones in the Government of Canada]
<br><br>
+
::* [https://cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38 CCCS ITSG-38 Network Security Zoning - Design Considerations for Placement of Services within Zones]
In addition to worries about security and reliability, several additional factors contribute to the slow uptake, including data and information security and the protection of personal privacy, loss of control, expected cost and effort to convert to cloud computing, lack of a clear return on investment, change to a different management and contracting paradigm, data and information sovereignty requirements, ramification from the Personal Information and Electronic Documents Acts (PIPEDA) and the US Patriot Act, lack of open cloud and cyber security standards, concerns with vendor lock-in, lack of suitable bandwidth, and the desire to try the technology first or see solid proof of cost savings from other with trusted vendors before deploying to the greater enterprise.  
+
::* [https://cyber.gc.ca/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3 CCCS ITSP.30.031 V2 User Authentication Guidance for Information Technology Systems]
<br><br>
+
::* [https://nam06.safelinks.protection.outlook.com/?url=https://www.cse-cst.gc.ca/en/node/1830/html/26507&data=02|01|Jamie.Hart@microsoft.com|7503434d3e8c4c8cc23808d68d7d1039|72f988bf86f141af91ab2d7cd011db47|1|0|636851965624128440&sdata=TDPmXQvqrn0jGPdERr3KmlsTo0WJVu646TgUe8ZpxNg%3D&reserved=0 CCCS ITSP.40.062 Guidance on Securely Configuring Network Protocols]
The measured rate of adoption places Canada 9th out of 24 countries considered part of the cloud global economy, up from 12th in 2012. Several efforts are pushing Canada toward the cloud. GC's Cloud First campaign is an effort to hasten the adoption of cloud computing in the GC. The Canadian Cloud Council was formed to help push the adoption and thought leadership of Canada in the global cloud economy. Large cloud service providers, such as Amazon, are moving to Canada as the country's appetite for cloud services increases. The ultimate measure of success is the establishment of cloud computing offerings within Canada and subsequent increase in adoption rates by Canadian businesses and governments.  
+
::* [https://cyber.gc.ca/en/guidance/cloud-service-provider-information-technology-security-assessment-process-itsm50100 CCCS ITSM.50.100 Cloud Service Provider Information Technology Security Assessment Process]
<br><br>
+
::* [https://intranet.canada.ca/wg-tg/cagc-angc-eng.asp Guidance on Cloud Authentication for the Government of Canada]
With responsibility for processing and storing large amounts of sensitive data/information (e.g. classified, protected, private), the GC needs to minimize the risk of unauthorized disclosure of data. Adoption of cloud technology provides a wrinkle in the current approach to information security since portions of the information system are out of the direct control of the GC and the department charged with protecting sensitive GC information. <br>
+
::* [https://intranet.canada.ca/wg-tg/rtua-rafu-eng.asp Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain]
<br>
+
::* [https://www.gcpedia.gc.ca/gcwiki/images/e/e3/GC_Event_Logging_Strategy.pdf GC Event Logging Strategy (Draft)]
For more information, please read the GC ESA ConOps Annex B: Cloud Security document. <br>
+
::* [https://www.gcpedia.gc.ca/gcwiki/images/5/5f/GC_Cloud_Event_Management_Standard_Operating_Procedure.pdf Standard Operating Procedure for GC Cloud Event Management]
 +
::* [https://www.gcpedia.gc.ca/gcwiki/images/a/a8/Security_Playbook_for_Information_System_Solutions.pdf Security Playbook for Information System Solutions]
 +
 
 +
=== Tools & Templates ===
 +
 
 +
::* https://gccode.ssc-spc.gc.ca/GCCloudEnablement
 +
::*    https://github.com/canada-ca/accelerators_accelerateurs-azure
 +
::* https://github.com/canada-ca/accelerators_accelerateurs-aws
 +
 
 
== Cloud Security Initiative ==
 
== Cloud Security Initiative ==
https://www.gcpedia.gc.ca/wiki/Cloud_Security_Initiative
+
Learn recommendations and actions that your Department can implement to protect your networks through the Treasury Board Secretariat’s Cyber Security initiative  [https://www.gcpedia.gc.ca/wiki/Cloud_Security_Initiative Cloud Security Initiative]
 
 
 
</big></big>
 
</big></big>
 
 
{{GC Cloud Information Centre Footer}}
 
{{GC Cloud Information Centre Footer}}
 
__FORCETOC__
 
__FORCETOC__
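Review bot: The added Guidance entry for CCCS ITSP.40.062 links through nam06.safelinks.protection.outlook.com instead of the document itself, and that wrapper URL carries a named individual's e-mail address plus tracking parameters in its query string. Link directly to the https://www.cse-cst.gc.ca/en/node/1830/html/26507 target that is embedded in the wrapper, so that readers are not routed through a third-party redirector and the address is not published. In the same list, "Government of Canada Cloud Security Risk Management Approach and Procedures" points at the ITSG-22 URL (the same target as the next entry), and the ITSP.30.031 entry is labelled V2 while its URL ends in itsp30031-v3; both should be reconciled. Several entries also point at intranet.canada.ca, gcpedia.gc.ca and gccode.ssc-spc.gc.ca, which may not resolve for readers outside the GC network, so mark them as internal. This revision also drops the Overview and Current Situation text without leaving a pointer to where it now lives.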

Latest revision as of 00:19, 8 April 2020



Policy Instruments

The Treasury Board Secretariat (TBS) has developed a set of policy instruments that provide the necessary policy guidance to enable smooth cloud adoption across the Government of Canada.

Strategic Plan

Policy and Directive

Standards and Guidelines

Cloud Security

Policies and Standards

Guidance

Tools & Templates

Cloud Security Initiative

Learn recommendations and actions that your Department can implement to protect your networks through the Treasury Board Secretariat’s Cyber Security initiative: Cloud Security Initiative (https://www.gcpedia.gc.ca/wiki/Cloud_Security_Initiative)