Changes

403 bytes removed ,  16:50, 11 February 2021
no edit summary
Line 101: Line 101:  
You must security assess these services. No matter where you buy, departments are ultimately responsible for assessment and risk assessment. When you buy through the SSC Framework Agreement, a portion of the security controls has been assessed by SSC and their security partners, thus accelerating your security assessment.
 
You must security assess these services. No matter where you buy, departments are ultimately responsible for assessment and risk assessment. When you buy through the SSC Framework Agreement, a portion of the security controls has been assessed by SSC and their security partners, thus accelerating your security assessment.
 
<br><br>
 
<br><br>
'''♦''' '''If a Department orders Protected B Azure, does it already follow all the security protocols?  Or do we need to implement them after we get access to Azure?
+
'''♦''' '''If a Department orders Protected B Cloud, does it already follow all the security protocols?  Or do we need to implement them after we get access?
 
'''
 
'''
 
<br>
 
<br>
 
The Cloud Service Provider (CSP) environment has been assessed as part of the issuance of the contract. How the consumer configures and uses the services is the responsibility of the consumer or department. Please refer to the shared responsibility model – see figure 3-3 (https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/cloud-security-risk-management-approach-procedures.html).
 
The Cloud Service Provider (CSP) environment has been assessed as part of the issuance of the contract. How the consumer configures and uses the services is the responsibility of the consumer or department. Please refer to the shared responsibility model – see figure 3-3 (https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/cloud-security-risk-management-approach-procedures.html).
 
<br><br>
 
<br><br>
'''♦''' '''Do Security guardrails are implemented by the vendor directly ie Microsoft?
+
'''♦''' '''Do Security guardrails are implemented by the vendor directly?
 
'''<br>
 
'''<br>
 
No, departments are responsible for implementing the cloud guardrails. Please also review this site - https://github.com/canada-ca/cloud-guardrails.
 
No, departments are responsible for implementing the cloud guardrails. Please also review this site - https://github.com/canada-ca/cloud-guardrails.
 
<br><br>
 
<br><br>
'''♦''' '''Azure is an IAAS and that we will need to be responsible for User Access/ identity, Data, Applications, and Platform.  Do we have access to the report assessment so that we can run our assessment internally to make sure it is always compliant?'''
+
'''♦''' '''We will need to be responsible for User Access/ identity, Data, Applications, and Platform in an IaaS.  Do we have access to the report assessment so that we can run our assessment internally to make sure it is always compliant?'''
 
<br>
 
<br>
The CCCS CSP IT Security Assessment report is available by contacting contact@cyber.gc.ca. Further, in Azure, the Canadian Federal PBMM Blueprint is available in the Security Center section (https://docs.microsoft.com/en-ca/azure/security-center/update-regulatory-compliance-packages).  
+
The CCCS CSP IT Security Assessment report is available by contacting contact@cyber.gc.ca. Further, you could consult approved GC Cloud Service Providers' Security Center section for more information.  
 
<br><br>
 
<br><br>
 
'''♦''' Do you have any additional cloud references we can consult?
 
'''♦''' Do you have any additional cloud references we can consult?
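Review bot: In the assessment-report answer, the new sentence "you could consult approved GC Cloud Service Providers' Security Center section" keeps the name "Security Center", which the removed line tied to Azure, while dropping both the Azure reference and the Canadian Federal PBMM Blueprint link. The answer is therefore neither vendor-neutral nor actionable. Suggest either describing each provider's compliance tooling in generic terms or keeping the link as one named example. Separately, the guardrails question still reads "Do Security guardrails are implemented by the vendor directly?" after the edit; "Are security guardrails implemented by the vendor directly?" would fix the grammar while this line is being touched.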
Line 139: Line 139:  
'''If you cannot find your topic or have a question that wasn’t answered, please send us an [[ZZCIOBDP@tbs-sct.gc.ca|email]] to reach our team.'''
 
'''If you cannot find your topic or have a question that wasn’t answered, please send us an [[ZZCIOBDP@tbs-sct.gc.ca|email]] to reach our team.'''
 
<br>
 
<br>
== Learn more ==
  −
*  [[Cloud_News| Read about cloud from news to the most influential blogs.]]
  −
*  [[Cloud_Success_Stories| GC Success Stories, learn about other Department implementations.]]
  −
*  [[Cloud_events_and_trainings| Find events in your area and training for your team.]]
      
</big>
 
</big>
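Review bot: The three "Learn more" links (Cloud_News, Cloud_Success_Stories, Cloud_events_and_trainings) are dropped with no edit summary, so the revision does not record whether those pages were retired, moved or merged elsewhere. Add a summary stating the reason, and if the "== Learn more ==" heading is kept, remove it as well so the page does not end on an empty section.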
