Line 89: |
Line 89: |
| '''Q:''' Is my data safe? Can data and applications be securely stored in the Cloud? | | '''Q:''' Is my data safe? Can data and applications be securely stored in the Cloud? |
| | | |
− | '''A:''' Yes. Canadians can rest assured that their data is safe. The Government of Canada has policies in place that enforce where data resides (residency), how it is controlled (sovereignty), and has an extensive set of guidelines that detail departments’ accountability for managing services securely. Cloud service provider infrastructures are thoroughly assessed from the onset as part of the procurement process. | + | '''A:''' Yes. Canadians can rest assured that their data is safe. |
| + | |
| + | The Government of Canada (GC) has policies in place that enforce where data resides (residency), how it is controlled (sovereignty), and has begun to develop guidelines that detail departments’ accountability for managing services securely. |
| + | |
| + | Cloud service provider infrastructures are assessed by the Canadian Industrial Security Directorate (CISD), Canadian Centre for Cyber Security (Cyber Centre), Cloud Service Provider Assessment Program, and the Cyber Centre/Shared Services Canada Supply Chain Integrity (SCI) processes from the onset as part of the procurement process. |
| + | |
| + | The GC takes into account industry benchmarks and certifications as part of the requirements that the Cloud service providers must meet (e.g. SOC2 and ISO27000 series). |
| + | |
| + | The GC will not award contracts unless these requirements are met. |
| | | |
| '''Q:''' How is the security and confidentiality of data protected? | | '''Q:''' How is the security and confidentiality of data protected? |
| | | |
− | '''A:''' Shared Services Canada works continuously with security partners to ensure that Government of Canada (GC) security requirements are implemented to reduce threats to the confidentiality, integrity and availability of infrastructure that supports processes. Compliance to GC security requirements is also continuously monitored to ensure they remain in place. Departments are responsible for the security and confidentiality of the data. | + | '''A:''' The Government of Canada (GC) works with security partners to ensure that the security and confidentiality of data remain intact. The GC continuously monitors any potential cyber threats and has robust measures in place to address them. |
| + | |
| + | To ensure the security of government networks and systems, Shared Services Canada (SSC) and the Canadian Centre for Cyber Security has established a Supply Chain Integrity process, which evaluates the security of goods and services at all stages of the procurement process. This ensures that only trusted equipment, software and managed services are used in the delivery of government services. |
| | | |
| '''Q:''' What is Secure Cloud Enablement and Defense (SCED)? | | '''Q:''' What is Secure Cloud Enablement and Defense (SCED)? |
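Review bot: In the first answer, the opening "Yes. Canadians can rest assured that their data is safe." is kept unchanged while the supporting claim is weakened from "an extensive set of guidelines" to "has begun to develop guidelines", so the assurance now reads stronger than the evidence given for it; either qualify the opening or state which guidelines already exist. In the same answer, the list "Canadian Industrial Security Directorate (CISD), Canadian Centre for Cyber Security (Cyber Centre), Cloud Service Provider Assessment Program, and the Cyber Centre/Shared Services Canada Supply Chain Integrity (SCI) processes" mixes organizations with programs and leaves it unclear whether the Cyber Centre and the Assessment Program are one item or two; suggest naming each assessor with its process. In the second answer, the removed sentence "Departments are responsible for the security and confidentiality of the data." has no replacement, so this answer no longer says who is accountable for the data; consider restoring it. Grammar: "Shared Services Canada (SSC) and the Canadian Centre for Cyber Security has established" should read "have established".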
Line 107: |
Line 117: |
| '''Q:''' Who is responsible for IT/IM security? | | '''Q:''' Who is responsible for IT/IM security? |
| | | |
− | '''A:''' Cloud service providers are responsible for the security of the Cloud; the departments are responsible for Security in the Cloud; and Shared Services Canada provides security "to and from" public Cloud. Cloud security is a shared responsibility between the cloud service provider and the Government of Canada (GC) department. Security controls must be implemented appropriately to allow for the proper hosting of GC data and applications. The Government of Canada Cloud Security Risk Management Approach and Procedures provide advice and more information. | + | '''A:''' Cloud service providers are responsible for the security of the Cloud; the departments are responsible for Security in the Cloud; and Shared Services Canada provides security "to and from" the Cloud. |
| + | |
| + | Cloud security is a shared responsibility between the Cloud service provider, SSC, the Canadian Centre for Cyber Security, and the departments. Security controls must be implemented appropriately to allow for the proper hosting of GC data and applications. |
| + | |
| + | The combination of Treasury Board Secretariat of Canada Cloud directives and the Canadian Centre for Cyber Security Cloud Service Provider (CSP) Assessment Program methodology documentation provide advice and more information. |
| | | |
| '''Q:''' What security certifications do the cloud services hold? | | '''Q:''' What security certifications do the cloud services hold? |
| | | |
− | '''A:''' All services hold ISO27001 and SOC2 security certifications. | + | '''A:''' At a minimum the Government of Canada (GC) has indicated that Cloud Service Provider’s require up to date industry benchmarks and certifications like SOC2 and ISO27000 series to demonstrate compliance to security requirements. Additional evidence or documentation may also be collected and reviewed as necessary. |
| | | |
| === Protected B === | | === Protected B === |
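Review bot: The new answer to "What security certifications do the cloud services hold?" describes what providers are required to have ("like SOC2 and ISO27000 series") instead of what the services hold, whereas the removed line answered the question directly; either list the certifications held or reword the question to ask what is required. In the responsibility answer, the first sentence assigns roles to three parties (Cloud service providers, departments, Shared Services Canada) but the next sentence names four by adding the Canadian Centre for Cyber Security without saying what it is responsible for; add its role or drop it from the list. Wording: "Cloud Service Provider’s require" should be "Cloud Service Providers require", "compliance to" should be "compliance with", and "The combination of ... provide" should be "provides".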