SPIN 2017-01

JoinusonGCconnex.png
ESAcontactus.png
GOC ESA.jpg


SPIN 2017-01: Direction for the Secure Use of Commercial Cloud Services


Cloud computing has the potential to provide a flexible means of delivering IT services. However, care must be taken to mitigate risks associated with using cloud services.
The Direction for the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice highlights the responsibilities of departments and agencies for effectively managing and using cloud services, including adequately protecting the confidentiality, integrity and availability of information that is stored, processed and transmitted.

The purpose of the SPIN is to:

  • support departments in understanding existing TBS security policy requirements in the context of cloud computing
  • set out guidance to assist organizations in the secure use of commercial cloud services (cloud services)

This site provides links to material that can help departments when implementing activities in support of the SPIN 2017-01. Departments and agencies are encouraged to use this material to support the implementation and secure use of cloud-based solutions and services. The sharing of departmental best practices is also encouraged.

Risk Management

6.1 Departments must continuously manage the security risks to their information and IT assets throughout the life of their programs and services. In the context of cloud, risk management is based on a model of shared responsibility. The CSP fulfills some responsibility with respect to risk mitigation, but departments are ultimately accountable for risks. Implementing a risk-based approach:
  • supports well-informed decision making
  • must be applied before a business owner grants authorization of a cloud-based service to process, store or transmit protected GC information


The following subsections highlight additional requirements and guidance for securing GC cloud-based services:

Information Assurance and Asset Protection

6.2 In accordance with Appendix C of the Directive on Departmental Security Management, departments must safeguard their information and assets, including those hosted in CSP environments, from unauthorized access, use, disclosure, modification, disposal, transmission, or destruction throughout their life cycle. These safeguards must:
  • protect GC data while in transit, in use and at rest
  • be commensurate with the security category of the information and assets
  • include an assurance of their appropriate implementation

When departments are considering using cloud services for storing personal information, guidance must be sought from privacy and access to information officials within their institution.


The following subsections highlight additional requirements and guidance for securing GC cloud-based services:

Security Operations

6.3 As part of an active defence strategy, departments must ensure that measures are implemented to audit and monitor access to their cloud-based services. Using GC-provided services, such as those from SSC’s Security Operations Centre, can help departments meet requirements for information system monitoring and security incident management.


The following subsections highlight additional requirements and guidance for securing GC cloud-based services:

Enquiries

Email your questions to TBS Cyber Security at ZZTBSCYBERS@tbs-sct.gc.ca.