SPIN 2017-01
| ESA Program Overview | ESA Foundation | ESA Artifacts | ESA Initiatives | ESA Tools and Templates | ESA Reference Materials | Glossary |
|---|
| Cloud Security Initiative | HTTPS Initiative | Data Loss Prevention Initiative | Enterprise Vulnerability Management System Initiative | DevSecOps Initiative | DMARC Initiative |
|---|
| SPIN 2017-01 Implementation Guidance |
|---|
SPIN 2017-01: Direction for the Secure Use of Commercial Cloud Services
Cloud computing has the potential to provide a flexible means of delivering IT services. However, care must be taken to mitigate risks associated with using cloud services.
The Direction for the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice highlights the responsibilities of departments and agencies for effectively managing and using cloud services, including adequately protecting the confidentiality, integrity and availability of information that is stored, processed and transmitted.
The purpose of the SPIN is to:
- support departments in understanding existing TBS security policy requirements in the context of cloud computing
- set out guidance to assist organizations in the secure use of commercial cloud services (cloud services)
This site provides links to material that can help departments when implementing activities in support of the SPIN 2017-01. Departments and agencies are encouraged to use this material to support the implementation and secure use of cloud-based solutions and services. The sharing of departmental best practices is also encouraged.
Risk Management
| 6.1 | Departments must continuously manage the security risks to their information and IT assets throughout the life of their programs and services. In the context of cloud, risk management is based on a model of shared responsibility. The CSP fulfills some responsibility with respect to risk mitigation, but departments are ultimately accountable for risks. Implementing a risk-based approach:
|
The following subsections highlight additional requirements and guidance for securing GC cloud-based services:
- Security Categorization
- Baseline Security Controls
- Third-Party Assurance
- Security Assessment and Authorization
- Continuous Monitoring
Information Assurance and Asset Protection
| 6.2 | In accordance with Appendix C of the Directive on Departmental Security Management, departments must safeguard their information and assets, including those hosted in CSP environments, from unauthorized access, use, disclosure, modification, disposal, transmission, or destruction throughout their life cycle. These safeguards must:
When departments are considering using cloud services for storing personal information, guidance must be sought from privacy and access to information officials within their institution. |
The following subsections highlight additional requirements and guidance for securing GC cloud-based services:
- Secure Development and Implementation
- Data Protection and Data Residency
- Identity, Credential, and Access Management
- Network Security
- Asset and Configuration Management
- Vulnerability Management
- Personnel Security
- Physical Security
- Service Continuity
- Secure Acquisition
Security Operations
| 6.3 | As part of an active defence strategy, departments must ensure that measures are implemented to audit and monitor access to their cloud-based services. Using GC-provided services, such as those from SSC’s Security Operations Centre, can help departments meet requirements for information system monitoring and security incident management. |
The following subsections highlight additional requirements and guidance for securing GC cloud-based services:
Enquiries
Email your questions to TBS Cyber Security at ZZTBSCYBERS@tbs-sct.gc.ca.
