Difference between revisions of "GC HTTPS Everywhere/Strategy"
(12 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
{| class="wikitable" style="align:center; border-top: #000000 2px solid; border-bottom: #000000 2px solid; border-left: #000000 2px solid; border-right: #000000 2px solid" width="1200px" | {| class="wikitable" style="align:center; border-top: #000000 2px solid; border-bottom: #000000 2px solid; border-left: #000000 2px solid; border-right: #000000 2px solid" width="1200px" | ||
|- | |- | ||
− | ! style="background: #dddddd; color: black" width="250px" scope="col" |[https://www.canada.ca/en/ | + | ! style="background: #dddddd; color: black" width="250px" scope="col" |[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html ITPIN 2018-01] |
! style="background: #dddddd; color: black" width="250px" scope="col" |[[../Strategy | Implementation Strategy]] | ! style="background: #dddddd; color: black" width="250px" scope="col" |[[../Strategy | Implementation Strategy]] | ||
! style="background: #dddddd; color: black" width="250px" scope="col" |[[../Implementation Guidance | Implementation Guidance]] | ! style="background: #dddddd; color: black" width="250px" scope="col" |[[../Implementation Guidance | Implementation Guidance]] | ||
Line 21: | Line 21: | ||
== Audience == | == Audience == | ||
This guide is primarily for business owners, web developers, IT and IT security practitioners who are involved in implementing externally-facing GC online services. | This guide is primarily for business owners, web developers, IT and IT security practitioners who are involved in implementing externally-facing GC online services. | ||
+ | |||
+ | '''Note: ITPIN 2018-01 [https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html Implementing HTTPS for Secure Web Connections] applies to departments as defined in [https://laws-lois.justice.gc.ca/eng/acts/f-11/page-1.html#h-227972 section 2 of the FAA]:''' | ||
+ | <br><br> | ||
+ | (a) any of the departments named in [https://laws-lois.justice.gc.ca/eng/acts/f-11/page-30.html#h-230472 Schedule I];<br> | ||
+ | (a.1) any of the divisions or branches of the federal public administration set out in column I of [https://laws-lois.justice.gc.ca/eng/acts/f-11/page-31.html#h-230498 Schedule I.1];<br> | ||
+ | (b) a commission under the [https://laws-lois.justice.gc.ca/eng/acts/I-11 Inquiries Act] that is designated by order of the Governor in Council as a department for the purposes of this Act;<br> | ||
+ | (c) the staffs of the Senate, House of Commons, Library of Parliament, office of the Senate Ethics Officer, office of the Conflict of Interest and Ethics Commissioner, Parliamentary Protective Service and office of the Parliamentary Budget Officer; and<br> | ||
+ | (d) any departmental corporation (a corporation named in [https://laws-lois.justice.gc.ca/eng/acts/f-11/page-32.html#h-230507 Schedule II]). | ||
+ | |||
== Strategy Framework == | == Strategy Framework == | ||
The following table provides an overview of the framework for this strategy. | The following table provides an overview of the framework for this strategy. | ||
Line 71: | Line 80: | ||
<br> | <br> | ||
2. Perform an inventory of all departmental domains and subdomains. Sources of information include: | 2. Perform an inventory of all departmental domains and subdomains. Sources of information include: | ||
− | * | + | * [https://https-everywhere.canada.ca/ HTTPS Dashboard] |
* TBS Application Portfolio Management (APM) | * TBS Application Portfolio Management (APM) | ||
* Departmental business units | * Departmental business units | ||
<br> | <br> | ||
− | 3. Provide an up-to-date list of all domain and sub-domains of the publicly-accessible websites and web services to the following website: [https://canada-ca.github.io/pages/submit-institutional-domains.html Submit your institution's domains] | + | 3. Provide an up-to-date list of all domain and sub-domains of the publicly-accessible websites and web services to TBS Cybersecurity. |
− | + | * Update and send the filtered “compliance.csv” file available from the [https://https-everywhere.canada.ca/ HTTPS Dashboard] for mass updates; or | |
− | 4. Perform an assessment of the domains and sub-domains to determine the status of the configuration. Tools available to support this activity | + | * Use the following website for domain additions: [https://canada-ca.github.io/pages/submit-institutional-domains.html Submit your institution's domains]. |
+ | <br> | ||
+ | 4. Perform an assessment of the domains and sub-domains to determine the status of the configuration. Tools available to support this activity include the GC HTTPS Dashboard, [https://www.ssllabs.com/ SSL Labs], [https://www.hardenize.com/ Hardenize], [https://www.sslshopper.com/ssl-checker.html SSLShopper], etc. | ||
<br><br> | <br><br> | ||
5. Develop a prioritized implementation schedule for each of the affected websites and web services, following the recommended prioritization approach in the ITPIN: | 5. Develop a prioritized implementation schedule for each of the affected websites and web services, following the recommended prioritization approach in the ITPIN: | ||
* ''6.2.1 Newly developed websites and web services must adhere to this ITPIN upon launch.'' | * ''6.2.1 Newly developed websites and web services must adhere to this ITPIN upon launch.'' | ||
* ''6.2.2 Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible.'' | * ''6.2.2 Websites and web services that involve an exchange of personal information or other sensitive information must receive priority following a risk-based approach, and migrate as soon as possible.'' | ||
− | * ''6.2.3 All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by | + | * ''6.2.3 All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by December 31, 2019.'' |
<br> | <br> | ||
− | 6. Engage | + | 6. Engage departmental IT planning groups for implementation as appropriate. |
* Where necessary adjust IT Plans and budget estimates for the FY where work is expected. | * Where necessary adjust IT Plans and budget estimates for the FY where work is expected. | ||
− | * It is recommended that SSC partners contact their SSC Service Delivery Manager to discuss the departmental action plan and required steps to submit a request for change. '''An expedited process for HTTPS BRDs has been established - ensure the title of your BRD is "<u>GC HTTPS Initiative - TLS 1.2 Upgrade</u>", ou également: "<u>Initiative du GC relative à HTTPS – Mise à niveau TLS 1.2</u>" | + | * It is recommended that SSC partners contact their SSC Service Delivery Manager to discuss the departmental action plan and required steps to submit a request for change. |
+ | * '''An expedited process for HTTPS BRDs has been established - ensure the title of your BRD is "<u>GC HTTPS Initiative - TLS 1.2 Upgrade</u>", ou également: "<u>Initiative du GC relative à HTTPS – Mise à niveau TLS 1.2</u>" | ||
<br> | <br> | ||
− | 7. Based on the assessment, and using the [ | + | 7. Based on the assessment, and using the [https://wiki.gccollab.ca/GC_HTTPS_Everywhere guidance available on GCcollab], the following activities may be required: |
− | * Obtain certificates from a GC-approved certificate source as outlined in the | + | * Obtain certificates from a GC-approved certificate source as outlined in the [https://wiki.gccollab.ca/images/9/92/Recommendations_for_TLS_Server_Certificates_-_14_May_2021.pdf Recommendations for TLS Server Certificates] [https://wiki.gccollab.ca/images/8/8b/Recommendations_for_TLS_Server_Certificates_-_14_May_2021-FR-REV-NG.pdf Recommandations liées aux certificats de serveur TLS] for GC Public Facing Web Services |
− | * Obtain the configuration guidance for the appropriate endpoints (e.g. web server, network/security appliances, etc.) and implement recommended configurations to support HTTPS. | + | * Obtain the [https://wiki.gccollab.ca/GC_HTTPS_Everywhere/Implementation_Guidance configuration guidance] for the appropriate endpoints (e.g. web server, network/security appliances, etc.) and implement recommended configurations to support HTTPS. |
<br> | <br> | ||
− | 8. Perform another assessment of the applicable domains and sub-domains to confirm that the configuration has been updated and that | + | 8. Perform another assessment of the applicable domains and sub-domains to confirm that the configuration has been updated and that all elements are enforced in accordance with [https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html ITPIN 2018-01]. Results will appear in the [https://https-everywhere.canada.ca/ HTTPS Dashboard] within 24 hours. |
<br> | <br> | ||
Line 125: | Line 137: | ||
The use of continuous, distributed security analytics and infrastructure monitoring will support advanced awareness and automation, thus improving security of both the network and its users. | The use of continuous, distributed security analytics and infrastructure monitoring will support advanced awareness and automation, thus improving security of both the network and its users. | ||
+ | |||
+ | == Exemption Requests == | ||
+ | |||
+ | Departments who cannot implement all the requirements of the ITPIN must apply to GC Enterprise Architecture Review Board (GC EARB) for an exemption with a rationale to justify the request. | ||
+ | Links to the required GC EARB deck template, which includes direction for all departments who will be unable to meet the requirements of the ITPIN by the end of the calendar year, along with an excel template to provide details are below: | ||
+ | |||
+ | (1.EN) [https://wiki.gccollab.ca/images/6/63/GC_EARB_HTTPS_Exemption.pptx GC EARB HTTPS Exemption Template - EN]<br> | ||
+ | (1.FR) [https://wiki.gccollab.ca/images/c/ca/GC_EARB_HTTPS_Exemption_FR.PPTX GC EARB HTTPS Exemption Template - FR]<br> | ||
+ | (2.EN) [https://wiki.gccollab.ca/images/0/0a/GC_EARB_HTTPS_Exemption_Details.xlsx GC EARB HTTPS Exemption Details - EN]<br> | ||
+ | (2.FR) [https://wiki.gccollab.ca/images/6/6a/GC_EARB_HTTPS_Exemption_Details_FR.xlsx GC EARB HTTPS Exemption Details - FR]<br> | ||
+ | |||
+ | Departments should contact the CIOB-DPPI IT-Division-TI <ZZCIOBDP@tbs-sct.gc.ca> mailbox for further requirements for submitting an exemption request. | ||
== Enquiries == | == Enquiries == |
Latest revision as of 17:21, 5 October 2022
ITPIN 2018-01 | Implementation Strategy | Implementation Guidance | Communication Material |
---|
OverviewThe Government of Canada (GC)’s Strategic Plan for Information Management (IM) and Information Technology (IT) 2017-2021 charts the path forward for IM/IT from a whole-of-government or “enterprise” perspective. The Plan details strategic areas of focus (Service, Manage, Secure, and Community) that specify actions and activities that are underway or that represent new enterprise directions. Secure involves, among other things, protective measures to enable the secure processing and sharing of data and information across government. This includes protecting Canadians and their online transactions while interacting with the government. Unencrypted connections to publicly-available GC websites and web services are vulnerable to manipulation, impersonation, and can expose sensitive user information. PurposeThis document outlines the considerations and activities for an enterprise-wide implementation of the HTTPS everywhere standard within the GC that will support the provision of secure and reliable web services to Canadians. AudienceThis guide is primarily for business owners, web developers, IT and IT security practitioners who are involved in implementing externally-facing GC online services. Note: ITPIN 2018-01 Implementing HTTPS for Secure Web Connections applies to departments as defined in section 2 of the FAA:
Strategy FrameworkThe following table provides an overview of the framework for this strategy.
Suggested Action Plan for ITPIN ComplianceThe following action plan is presented as guidance for project teams undertaking the implementation of HTTPS for a Department or Agency:
Implementation Considerations
Click / cliquez:
The following section describes various considerations related to implementation of the HTTPS everywhere standard for the GC. Technical Considerations
Management Considerations
Performance MeasurementMeasurement of the HTTPS everywhere initiative implementation is essential to ensure program success and lasting security of both GC organizations’ and citizen’s online transactions. Performance of the GC in compliance with the HTTPS everywhere initiative expectations will be measured by the following Key Performance Indicators (KPI):
While not mandatory, the following measurement can be applied to internal websites:
Compliance MonitoringTo monitor compliance to the standard and to measure the KPIs outlined above, the GC will monitor all of its domains for HTTPS support and also monitor how well each domain aligns with HTTPS best practices. The use of public-facing dashboards can help to promote transparency, and identify how well GC organizations are complying with the HTTPS everywhere mandate, in addition to establishing useful alerting and reporting capabilities. The US Government has adopted a similar approach with a publicly accessible dashboard at https://pulse.cio.gov/ [6]. Furthermore, providing tools to assess website configuration (and vulnerabilities), will help to ensure that GC departments and agencies maintain the security posture of their websites. Examples of implementations include the UK Government’s “WebCheck” [7]. Free tools such as Hardenize’s [8] have also been used by other governments like Sweden which makes its dashboard open to the public. This scanning service should help departments and agencies in meeting their obligations to ensure that:
The use of continuous, distributed security analytics and infrastructure monitoring will support advanced awareness and automation, thus improving security of both the network and its users. Exemption RequestsDepartments who cannot implement all the requirements of the ITPIN must apply to GC Enterprise Architecture Review Board (GC EARB) for an exemption with a rationale to justify the request. Links to the required GC EARB deck template, which includes direction for all departments who will be unable to meet the requirements of the ITPIN by the end of the calendar year, along with an excel template to provide details are below: (1.EN) GC EARB HTTPS Exemption Template - EN Departments should contact the CIOB-DPPI IT-Division-TI <ZZCIOBDP@tbs-sct.gc.ca> mailbox for further requirements for submitting an exemption request. EnquiriesEmail your questions to TBS Cyber Security at ZZTBSCYBERS@tbs-sct.gc.ca.
|