Line 75: |
| * Departmental business units | | * Departmental business units |
| <br> | | <br> |
− | 3. Provide an up-to-date list of all domain and sub-domains of the publicly-accessible websites and web services to the following website: [https://canada-ca.github.io/pages/submit-institutional-domains.html Submit your institution's domains]. Alternatively, submit the CSV output from the [https://https-everywhere.canada.ca/ HTTPS Dashboard] to ZZTBSCYBERS@tbs-sct.gc.ca, noting additions in <span style="color:green;">green</span>, deletions in <span style="color:red;">red</span>, and modifications (e.g.: ownership) in <span style="color:yellow;background:#AAAAAA;">yellow</span>. | + | 3. Provide an up-to-date list of all domain and sub-domains of the publicly-accessible websites and web services to TBS Cybersecurity. |
− | <br><br>
| + | * Update and send the filtered “compliance.csv” file available from the [https://https-everywhere.canada.ca/ HTTPS Dashboard] for mass updates; or |
− | 4. Perform an assessment of the domains and sub-domains to determine the status of the configuration. Tools available to support this activity includes GC HTTPS Dashboard, SSL Labs, Hardenize, etc. | + | * Use the following website for domain additions: [https://canada-ca.github.io/pages/submit-institutional-domains.html Submit your institution's domains]. |
| + | <br> |
| + | 4. Perform an assessment of the domains and sub-domains to determine the status of the configuration. Tools available to support this activity include the GC HTTPS Dashboard, [https://www.ssllabs.com/ SSL Labs], [https://www.hardenize.com/ Hardenize], [https://www.sslshopper.com/ssl-checker.html SSLShopper], etc. |
| <br><br> | | <br><br> |
| 5. Develop a prioritized implementation schedule for each of the affected websites and web services, following the recommended prioritization approach in the ITPIN: | | 5. Develop a prioritized implementation schedule for each of the affected websites and web services, following the recommended prioritization approach in the ITPIN: |
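Review bot: the rewritten step 3 in this hunk drops the only delivery address and the change-marking convention without replacing them. The removed text told readers to send the dashboard CSV to ZZTBSCYBERS@tbs-sct.gc.ca with additions in green, deletions in red and ownership changes in yellow; the new first bullet says to "Update and send the filtered “compliance.csv” file ... for mass updates" but never says where to send it or how additions, removals and ownership changes should be flagged, so a department doing a mass update cannot act on it. Either restore the mailbox (or a current TBS Cybersecurity contact) in that bullet and keep the colour convention, or state that the submission form is the only accepted channel. The step 4 wording is an improvement ("include" now agrees with "Tools", and the tools are linked).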
Line 84: |
Line 86: |
| * ''6.2.3 All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by December 31, 2019.'' | | * ''6.2.3 All remaining websites and web services must be accessible through a secure connection, as outlined in Section 6.1, by December 31, 2019.'' |
| <br> | | <br> |
− | 6. Engage the departmental IT group for implementation as appropriate. | + | 6. Engage departmental IT planning groups for implementation as appropriate. |
| * Where necessary adjust IT Plans and budget estimates for the FY where work is expected. | | * Where necessary adjust IT Plans and budget estimates for the FY where work is expected. |
− | * It is recommended that SSC partners contact their SSC Service Delivery Manager to discuss the departmental action plan and required steps to submit a request for change. | + | * It is recommended that SSC partners contact their SSC Service Delivery Manager to discuss the departmental action plan and required steps to submit a request for change. |
| * '''An expedited process for HTTPS BRDs has been established - ensure the title of your BRD is "<u>GC HTTPS Initiative - TLS 1.2 Upgrade</u>", ou également: "<u>Initiative du GC relative à HTTPS – Mise à niveau TLS 1.2</u>" | | * '''An expedited process for HTTPS BRDs has been established - ensure the title of your BRD is "<u>GC HTTPS Initiative - TLS 1.2 Upgrade</u>", ou également: "<u>Initiative du GC relative à HTTPS – Mise à niveau TLS 1.2</u>" |
| <br> | | <br> |
− | 7. Based on the assessment, and using the [http://wiki.gccollab.ca/GC_HTTPS_Everywhere guidance available on GCcollab Wiki], the following activities may be required: | + | 7. Based on the assessment, and using the [https://wiki.gccollab.ca/GC_HTTPS_Everywhere guidance available on GCcollab], the following activities may be required: |
− | * Obtain certificates from a GC-approved certificate source as outlined in the ''Recommendations for TLS Server Certificates for GC Public Facing Web Services'' | + | * Obtain certificates from a GC-approved certificate source as outlined in the [https://wiki.gccollab.ca/images/8/89/Recommendations_for_TLS_Server_Certificates.pdf Recommendations for TLS Server Certificates] for GC Public Facing Web Services |
− | * Obtain the configuration guidance for the appropriate endpoints (e.g. web server, network/security appliances, etc.) and implement recommended configurations to support HTTPS. | + | * Obtain the [https://wiki.gccollab.ca/GC_HTTPS_Everywhere/Implementation_Guidance configuration guidance] for the appropriate endpoints (e.g. web server, network/security appliances, etc.) and implement recommended configurations to support HTTPS. |
| <br> | | <br> |
− | 8. Perform another assessment of the applicable domains and sub-domains to confirm that the configuration has been updated and that HTTPS is enforced in accordance with [https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html ITPIN 2018-01]. | + | 8. Perform another assessment of the applicable domains and sub-domains to confirm that the configuration has been updated and that all elements are enforced in accordance with [https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/policy-implementation-notices/implementing-https-secure-web-connections-itpin.html ITPIN 2018-01]. Results will appear in the [https://https-everywhere.canada.ca/ HTTPS Dashboard] within 24 hours. |
| | | |
| <br> | | <br> |
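Review bot: "all elements are enforced" in the rewritten step 8 is vaguer than the "HTTPS is enforced" it replaces, and "elements" is not defined anywhere in this hunk. Name the ITPIN requirements the reassessment must confirm (at minimum the secure-connection requirement of Section 6.1 cited in step 5 and the TLS 1.2 upgrade referenced in the step 6 BRD title) so a reader knows what a compliant result on the dashboard means; the "within 24 hours" note is useful and should stay. The step 6 bullet about SSC Service Delivery Managers is shown as removed and re-added with identical text, so if that was only a whitespace change it is harmless. The http to https change on the GCcollab link in step 7 is correct, and the new links to the certificate recommendations PDF and the implementation guidance page make the step actionable.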