SPIN 2015-01

Following recent incidents and Information Technology (IT) audits, Treasury Board of Canada Secretariat (TBS) has published Security Policy Implementation Notice (SPIN) 2015-01: Priority IT Security Actions on its Publiservice website. This SPIN re-emphasizes existing/foundational requirements from the Operational Security Standard: Management of Information Technology Security that are related to the identified priority security actions, and provides guidance on these requirements.

The SPIN highlights three security management practices, based on recommendations from the Communications Security Establishment’s (CSE’s) Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information (CSE Top 10) list, that need reinforcing: patching of operating systems (OSs) and applications, enforcing the management of administrative privileges, and hardening of information systems. Implementing robust practices in these three areas will help to enhance departmental and enterprise IT security postures by minimizing cyber intrusions or the impacts to networks if a successful intrusion occurs. TBS has requested that departments and agencies ensure that their processes address GC requirements and reflect the strong practices that have been identified in the SPIN.

The SPIN and its supporting material are intended to help departments and agencies focus their efforts and prioritize the implementation of security controls to protect GC networks and information systems.

This page provides links to material that can help departments when implementing activities in support of SPIN 2015-01. For each action area identified in the SPIN, this page identifies relevant:

Published GC Guidance – Formally approved guidance documents by TBS or other lead security agencies (LSA). Guidance documents in this section will typically be found on the LSA’s website.

Draft Guidance and Best Practices – Guidance that may not yet be officially approved but which are ready for departmental review or comment; as well as best practices shared by departments.

External/Third-Party Best Practices – Links to best practices or tools that are made available by external organizations and could be adopted by departments (e.g. CIS, NIST, and ISF).

Published GC guidance is generally available in both official languages. Draft guidance and best practices are frequently available in one official language; however, translation may be planned or pending. For ease of reference, links are provided to external/third-party best practices, but availability in both official languages is neither assumed nor assured.

Departments and agencies are encouraged to use this material to enhance their processes and practices. The sharing of departmental best practices is also encouraged.

This page will be updated as new material becomes available.

Published GC Guidance

• [CSE] ITSB-96, Security Vulnerabilities and Patches Explained, provides guidance on assessing known vulnerabilities and patches in order to determine the risk posed to an organization, the relative priority for patch deployment, as well as guidelines on how to deploy patches.

Draft GC Guidance and Best Practices

• None available at this time.

External/Third-Party Best Practices

• US National Institute of Standards and Technology (NIST) 800-40 Revision 3, Guide to Enterprise Patch Management Technologies.

• From the document abstract: “This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. This publication also provides an overview of enterprise patch management technologies and briefly discusses metrics for measuring the technologies’ effectiveness and for comparing the relative importance of patches.”

• Microsoft Update Management Process (Updated: June 1, 2007).

• This module provides an introduction to update management and explains why update management is essential for enterprise systems. It will introduce security terminology, together with descriptions of common vulnerabilities and types of threat. This module also describes the processes used within Microsoft to develop and release software updates, and shows how these relate to the steps you should take for proactive security update management. Finally, the four-phase approach update management process that Microsoft recommends is introduced, with more details presented in the following modules.
• The purpose of this module is to introduce the key issues for update management in a Microsoft Windows operating system—based environment, and to describe the main tools, technologies, and processes that Microsoft recommends to support this task.

Published GC Guidance

• [CSE] ITSB-94, Managing and Controlling Administrative Privileges Explained, provides high-level guidance on what constitutes managing and controlling administrative privileges as well as how to apply account management effectively.

Draft GC Guidance and Best Practices

• [TBS] GC ESA ConOps Annex D: Secure Enterprise Systems Administration
  • The Secure Enterprise Systems Administration System Concept identifies security issues with the current inconsistent approaches for performing system administration, and recommends improvements to mitigate the identified security concerns as the level of inter-connectivity increases and the GC moves towards a consolidated IT/IS infrastructure. These include improvements to operational processes and technical capabilities. Use of Privileged Access Management (PAM) technologies and separation of management and production interfaces are particularly important technical aspects of improving security.

External/Third-Party Best Practices

• Australian Signals Directorate (ASD), Secure Administration

• This document discusses the importance of secure administration and suggests one method of implementing a secure administration environment.

• Microsoft’s Best Practices for Securing Active Directory

• Contains recommendations to enhance the security of Active Directory installations, discusses common attacks against Active Directory and countermeasures to reduce the attack surface, and offers recommendations for recovery.

Published GC Guidance

• [CSE] ITSB-110, Microsoft Windows 7 Enterprise Edition Hardening Configuration Guidance, provides guidance for deploying Microsoft Windows 7 Enterprise Edition operating system (OS) (i.e., Windows 7) in a manner that will best prevent compromise of GC IT assets and infrastructures in a generic internet-facing Protected B environment.
• [Public Safety – CCIRC] CCIRC Technical Report TR15-501, Using Microsoft Software Restriction Policies to Prevent Malware Execution.

• In collaboration with, and leveraging the knowledge and experience of, its international CSIRT peers, the Canadian Cyber Incident Response Centre developed and shared TR15-501 with its federal, provincial, territorial, municipal and critical infrastructure partners in order to provide practical and effective mitigation advice with a view to reducing the cyber risk faced by Canada and Canadians.

Draft GC Guidance and Best Practices

• None available at this time

External/Third-Party Best Practices

• US National Institute of Standards and Technology (NIST) National Checklist Program Repository

• The National Checklist Program (NCP), defined by the NIST SP 800-70 Rev. 2, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.
• This repository provides a searchable / filterable list of guidance available from multiple sources.
• Searches can be based on: “tier” (degree of automation / Security Content Automation Protocol [SCAP] support); “target product” (application, OS, device/firmware, etc.); “category” (general type of application purpose; e.g. email server, office suite, operating system”); “authority” (issuer: vendors, CIS, DISA, MITRE, NIST, etc.); and “keyword” (searches for specified words across the name, and summary).
• You might choose to use this resource to identify available resources for hardening that are applicable to your specific environment.

• Center for Internet Security (CIS) Security Configuration Benchmarks

• US Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

• NIST Security Configuration Checklists

• US National Security Agency (NSA) Security Configuration Guides

• NSA develops and distributes configuration guidance for a wide variety of software, both open source and proprietary. Guidance is available for:

• Applications
• Industrial Control Systems (ICS)
• Operating Systems
• Networks

• Vendors or system / component originators also provide guidance and tools to support their products

• Microsoft Security Configuration Guidance Support (last reviewed: 10/14/2010) briefly identifies and describes some of the sources above (i.e. CIS, NIST, DISA and NSA) as well as potential issues to be aware of with practices described in their hardening guidance;
• Microsoft Security Compliance Manager (SCM) is a free tool from Microsoft that “enables you to quickly configure and manage the computers in your environment and your private cloud using Group Policy and Microsoft System Center Configuration Manager”.

Email your questions to TBS Cyber Security at ZZTBSCYBERS@tbs-sct.gc.ca.