Difference between revisions of "HTTPS-Strategy"
m |
m |
||
Line 4: | Line 4: | ||
|- | |- | ||
! style="background: #dddddd; color: black" width="250px" scope="col" |[https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html ITPIN 2018-01] | ! style="background: #dddddd; color: black" width="250px" scope="col" |[https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html ITPIN 2018-01] | ||
− | ! style="background: #dddddd; color: black" width="250px" scope="col" |[[HTTPS | + | ! style="background: #dddddd; color: black" width="250px" scope="col" |[[GC HTTPS Strategy | Implementation Strategy]] |
− | ! style="background: #dddddd; color: black" width="250px" scope="col" |[[HTTPS Implementation Guidance | Implementation Guidance]] | + | ! style="background: #dddddd; color: black" width="250px" scope="col" |[[GC HTTPS Implementation Guidance | Implementation Guidance]] |
− | ! style="background: #dddddd; color: black" width="250px" scope="col" |[[Communication Material]] | + | ! style="background: #dddddd; color: black" width="250px" scope="col" |[[GC HTTPS Communication Material | Communication Material]] |
|} | |} | ||
Latest revision as of 12:16, 23 October 2018
ITPIN 2018-01 | Implementation Strategy | Implementation Guidance | Communication Material |
---|
OverviewThe Government of Canada (GC)’s Strategic Plan for Information Management (IM) and Information Technology (IT) 2017-2021 charts the path forward for IM/IT from a whole-of-government or “enterprise” perspective. The Plan details strategic areas of focus (Service, Manage, Secure, and Community) that specify actions and activities that are underway or that represent new enterprise directions. Secure involves, among other things, protective measures to enable the secure processing and sharing of data and information across government. This includes protecting Canadians and their online transactions while interacting with the government. Unencrypted connections to publicly-available GC websites and web services are vulnerable to manipulation, impersonation, and can expose sensitive user information. PurposeThis document outlines the considerations and activities for an enterprise-wide implementation of the HTTPS everywhere standard within the GC that will support the provision of secure and reliable web services to Canadians. AudienceThis guide is primarily for business owners, web developers, IT and IT security practitioners who are involved in implementing externally-facing GC online services. Strategy FrameworkThe following table provides an overview of the framework for this strategy.
Suggested Action Plan for ITPIN ComplianceThe following action plan is presented as guidance for project teams undertaking the implementation of HTTPS for a Department or Agency:
Implementation Considerations
Click / cliquez:
Performance MeasurementMeasurement of the HTTPS everywhere initiative implementation is essential to ensure program success and lasting security of both GC organizations’ and citizen’s online transactions. Performance of the GC in compliance with the HTTPS everywhere initiative expectations will be measured by the following Key Performance Indicators (KPI):
While not mandatory, the following measurement can be applied to internal websites:
Compliance MonitoringTo monitor compliance to the standard and to measure the KPIs outlined above, the GC will monitor all of its domains for HTTPS support and also monitor how well each domain aligns with HTTPS best practices. The use of public-facing dashboards can help to promote transparency, and identify how well GC organizations are complying with the HTTPS everywhere mandate, in addition to establishing useful alerting and reporting capabilities. The US Government has adopted a similar approach with a publicly accessible dashboard at https://pulse.cio.gov/ [6]. Furthermore, providing tools to assess website configuration (and vulnerabilities), will help to ensure that GC departments and agencies maintain the security posture of their websites. Examples of implementations include the UK Government’s “WebCheck” [7]. Free tools such as Hardenize’s [8] have also been used by other governments like Sweden which makes its dashboard open to the public. This scanning service should help departments and agencies in meeting their obligations to ensure that:
The use of continuous, distributed security analytics and infrastructure monitoring will support advanced awareness and automation, thus improving security of both the network and its users. EnquiriesEmail your questions to TBS Cyber Security at ZZTBSCYBERS@tbs-sct.gc.ca.
|