Changes

no edit summary
Line 9: Line 9:  
=== Build security into the system life cycle across all architectural layers ===
 
=== Build security into the system life cycle across all architectural layers ===
 
* identify and <u>[https://www.gcpedia.gc.ca/wiki/Security_Categorization_Tool categorize]</u> information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability
 
* identify and <u>[https://www.gcpedia.gc.ca/wiki/Security_Categorization_Tool categorize]</u> information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability
 +
    <b>How to achieve:</b>
 +
    * Summarize  how the architecture ensures the confidentiality of the  information based on its categorization and degree of injury
 +
    * Summarize  how the architecture ensures the integrity of the  information based on its categorization and degree of injury
 +
    * Summarize  how the architecture ensures the availability of the  information based on its categorization and degree of injury
 +
 +
 
* implement a continuous security approach, in alignment with <u>[https://cyber.gc.ca/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33 Centre for Cyber Security’s IT Security Risk Management Framework]</u>; perform threat modelling to minimize the attack surface by limiting services exposed and information exchanged to the minimum necessary
 
* implement a continuous security approach, in alignment with <u>[https://cyber.gc.ca/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33 Centre for Cyber Security’s IT Security Risk Management Framework]</u>; perform threat modelling to minimize the attack surface by limiting services exposed and information exchanged to the minimum necessary
 +
    <b>How to achieve:</b>
 +
    * Summarize how the architecture  aligns with the Centre of Cyber Security’s IT Security Risk Management Framework
 +
 +
 
* apply proportionate security measures that address business and user needs while adequately protecting data at rest and data in transit
 
* apply proportionate security measures that address business and user needs while adequately protecting data at rest and data in transit
 +
    <b>How to achieve:</b>
 +
    * Describe the security measures that protect the data at rest while meeting business and users needs
 +
    * Describe the security measures that protect the data in transit while meeting business and users needs
 +
 
* design systems to be resilient and available in order to support service continuity
 
* design systems to be resilient and available in order to support service continuity
 +
    <b>How to achieve:</b>
 +
    * Outline  the architecture’s  resilient  characteristics  support service continuity objectives
 +
    * Outline  the architecture’s availability characteristics  support service continuity objectives
 +
  <b>Tools:</b>
 +
    * Non-functional Requirements
 +
    
=== Ensure secure access to systems and services ===
 
=== Ensure secure access to systems and services ===
 
* identify and authenticate individuals, processes or devices to an appropriate level of assurance, based on clearly defined roles, before granting access to information and services; leverage enterprise services such as Government of Canada trusted digital identity solutions that are supported by the <u>[https://github.com/canada-ca/PCTF-CCP Pan‑Canadian Trust Framework]</u>
 
* identify and authenticate individuals, processes or devices to an appropriate level of assurance, based on clearly defined roles, before granting access to information and services; leverage enterprise services such as Government of Canada trusted digital identity solutions that are supported by the <u>[https://github.com/canada-ca/PCTF-CCP Pan‑Canadian Trust Framework]</u>
 +
    <b>How to achieve:</b>
 +
    * Summarize how the architectures identifies and authenticates:
 +
        * Individuals
 +
        * Processes
 +
        * Devices
 +
    * Summarize the enterprise security services leverage by the architecture
 +
    * Summarize how the architecture aligns to the Pan-Canadian Trust Framework
 +
 +
    <b>Tools:</b>
 +
        * Target State Architecture
 +
        * Interim State Architecture
 +
 
* constrain service interfaces to authorized entities (users and devices), with clearly defined roles; segment and separate information based on sensitivity of information, in alignment with <u>[https://cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-government-canada-itsg-22 ITSG‑22]</u> and <u>[https://cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38 ITSG‑38]</u>. Management interfaces may require increased levels of protection
 
* constrain service interfaces to authorized entities (users and devices), with clearly defined roles; segment and separate information based on sensitivity of information, in alignment with <u>[https://cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-government-canada-itsg-22 ITSG‑22]</u> and <u>[https://cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38 ITSG‑38]</u>. Management interfaces may require increased levels of protection
 +
    <b>How to achieve:</b>
 +
    * Summarize how the architecture constrains service interfaces to authorized entities in compliance to:
 +
        * ITSG-22, and;
 +
        * ITSG-38.
 +
 
* implement <u>[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html HTTPS]</u> for secure web connections and <u>[https://cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection Domain-based Message Authentication, Reporting and Conformance (DMARC)]</u> for enhanced email security
 
* implement <u>[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html HTTPS]</u> for secure web connections and <u>[https://cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection Domain-based Message Authentication, Reporting and Conformance (DMARC)]</u> for enhanced email security
 +
    <b>How to achieve:</b>
 +
    * Does the architecture use HTTPS for secure web connections
 +
    * Does the architecture use and Domain-based Message Authentication, Reporting and Conformance (DMARC) for enhanced email security
 +
 +
 
* establish secure interconnections between systems through secure <u>[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/government-canada-standards-apis.html APIs]</u> or leveraging centrally managed hybrid IT connectivity services
 
* establish secure interconnections between systems through secure <u>[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/government-canada-standards-apis.html APIs]</u> or leveraging centrally managed hybrid IT connectivity services
 +
    <b>How to achieve:</b>
 +
    * Outline  what (APIs or centrally managed hybrid IT connectivity services )the architectures established secure interconnections between systems
 +
 +
    <b>Tools:</b>
 +
        * Target State Architecture
 +
        * Interim State Architecture
    
=== Maintain secure operations ===
 
=== Maintain secure operations ===
 
* establish processes to maintain visibility of assets and ensure the prompt application of security‑related patches and updates in order to reduce exposure to vulnerabilities, in accordance with GC ''Patch Management Guidance''
 
* establish processes to maintain visibility of assets and ensure the prompt application of security‑related patches and updates in order to reduce exposure to vulnerabilities, in accordance with GC ''Patch Management Guidance''
 +
    <b>How to achieve:</b>
 +
    * Have processes  been established to ensure the prompt application of security related patches and updates?
 +
    * Summarize how the architecture supports these processes
 +
 +
 
* enable event logging, in accordance with GC ''Event Logging Guidance'', and perform monitoring of systems and services in order to detect, prevent, and respond to attacks
 
* enable event logging, in accordance with GC ''Event Logging Guidance'', and perform monitoring of systems and services in order to detect, prevent, and respond to attacks
 +
    <b>How to achieve:</b>
 +
    * Summarize how event logging  within the architecture aligns to  GC Event Logging Guidance  in the areas of:
 +
        * Attack detection
 +
        * Attack prevention
 +
        * Attack respond
 +
 +
 
* establish an incident management plan in alignment with the <u>[https://www.canada.ca/en/government/system/digital-government/online-security-privacy/security-identity-management/government-canada-cyber-security-event-management-plan.html GC Cyber Security Event Management Plan (GC CSEMP)]</u> and report incidents to the <u>[https://cyber.gc.ca/en/contact-us Canadian Centre for Cyber Security]</u>
 
* establish an incident management plan in alignment with the <u>[https://www.canada.ca/en/government/system/digital-government/online-security-privacy/security-identity-management/government-canada-cyber-security-event-management-plan.html GC Cyber Security Event Management Plan (GC CSEMP)]</u> and report incidents to the <u>[https://cyber.gc.ca/en/contact-us Canadian Centre for Cyber Security]</u>
 +
    <b>How to achieve:</b>
 +
    * Describe how incident management plan aligns to GC Cyber Security Event Management
 +
    * Describe how incidents are reported to the Canadian Centre for Cyber Security (CCSB)
     
514

edits