Changes

no edit summary
Line 169: Line 169:  
   <p>Although DLP protocols and controls have already been implemented into much of SSC’s IT infrastructure, there are some areas in which improvements should be considered. With government-wide strategies around “Open Government” and “cloud computing,” SSC will face increasing need to adapt DLP tools into these platforms as they evolve and expand.</p>
 
   <p>Although DLP protocols and controls have already been implemented into much of SSC’s IT infrastructure, there are some areas in which improvements should be considered. With government-wide strategies around “Open Government” and “cloud computing,” SSC will face increasing need to adapt DLP tools into these platforms as they evolve and expand.</p>
   −
   <p>Once aligned with policies, which may change and evolve as time goes on and technology advances, SSC must be prepared for its DLP controls to change with it. Leading experts in the area of DLP define DLP as a dynamic process, not an end-state. A robust DLP program is an opportunity to work with stakeholders and set the expectation that protocols should change and be adjusted over time. DLP must also be considered when the network architecture and tools change, SSC should evaluate how security checks are integrated into new projects.</p>
+
   <p class="expand mw-collapsible-content">Once aligned with policies, which may change and evolve as time goes on and technology advances, SSC must be prepared for its DLP controls to change with it. Leading experts in the area of DLP define DLP as a dynamic process, not an end-state. A robust DLP program is an opportunity to work with stakeholders and set the expectation that protocols should change and be adjusted over time. DLP must also be considered when the network architecture and tools change, SSC should evaluate how security checks are integrated into new projects.</p>
    
   <p>Furthermore, while SSC will play a main role in procuring DLP tools for departments and delivery these services, the protection of data requires a team effort. Collaboration in terms of monitoring, surveillance, and the granting of access to local or departmental networks and resources will be needed. Also, engaging stakeholders helps to identify vulnerabilities that may otherwise be missed. A mindset of collective responsibility is a best practice for ensuring the most effectiveness of DLP.</p>
 
   <p>Furthermore, while SSC will play a main role in procuring DLP tools for departments and delivery these services, the protection of data requires a team effort. Collaboration in terms of monitoring, surveillance, and the granting of access to local or departmental networks and resources will be needed. Also, engaging stakeholders helps to identify vulnerabilities that may otherwise be missed. A mindset of collective responsibility is a best practice for ensuring the most effectiveness of DLP.</p>
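Review bot: In the changed paragraph ("Once aligned with policies…"), the class "mw-collapsible-content" is applied to a single &lt;p&gt; while the paragraphs immediately before and after it in this hunk remain plain &lt;p&gt;, and no element carrying "mw-collapsible" is visible in the shown context. MediaWiki's collapsible handling expects the content class to sit inside an element marked "mw-collapsible", so please confirm that wrapper exists outside this hunk and that hiding only this middle paragraph is intended. The edit also has no edit summary; a short one stating why the paragraph is made collapsible would help later reviewers.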
Line 175: Line 175:  
   <p>One way of helping to achieve buy-in around DLP as an ongoing process, as well as creating a culture of collective responsibility, could be for SSC, along with its partner departments in the GC, to establish “Security Champions”. The GC has introduced a national champion, Mr. David Jean, the GC’s Champion of Security, to be the link between departmental security and national security interests, with respect to all forms of threats or safety issues, not only those related to cybersecurity. However, cyber-specific champions could also be introduced at a more local level and advance DLP “on the ground” as suggested in the [https://www.canada.ca/content/dam/ssc-spc/documents/IT-Transformation-Plan-Consultations-Report-2016.pdf Summer-Fall 2016 Consultations: Information technology Transformation Plan – What We Heard Final Report]. Such employees can help promote the importance of security protocols and behaviours, and can be an important part of the DLP framework.</p>
 
   <p>One way of helping to achieve buy-in around DLP as an ongoing process, as well as creating a culture of collective responsibility, could be for SSC, along with its partner departments in the GC, to establish “Security Champions”. The GC has introduced a national champion, Mr. David Jean, the GC’s Champion of Security, to be the link between departmental security and national security interests, with respect to all forms of threats or safety issues, not only those related to cybersecurity. However, cyber-specific champions could also be introduced at a more local level and advance DLP “on the ground” as suggested in the [https://www.canada.ca/content/dam/ssc-spc/documents/IT-Transformation-Plan-Consultations-Report-2016.pdf Summer-Fall 2016 Consultations: Information technology Transformation Plan – What We Heard Final Report]. Such employees can help promote the importance of security protocols and behaviours, and can be an important part of the DLP framework.</p>
   −
   <p>However, DLP tools and processes cannot work in isolation of systems and users. Without proper operationalization, DLP runs the risk of offering a false sense of security and merely becoming a risk generator. [http://myssc-monspc.ssc-spc.gc.ca/en/worktools-processes/integrated-business-planning/CITS#toc251 The SSC Departmental Plan of the Cyber and IT Security] program identifies the following five risks with respect to cybersecurity, of which DLP is a part:</p>
+
   <p class="expand mw-collapsible-content">However, DLP tools and processes cannot work in isolation of systems and users. Without proper operationalization, DLP runs the risk of offering a false sense of security and merely becoming a risk generator. [http://myssc-monspc.ssc-spc.gc.ca/en/worktools-processes/integrated-business-planning/CITS#toc251 The SSC Departmental Plan of the Cyber and IT Security] program identifies the following five risks with respect to cybersecurity, of which DLP is a part:</p>
   −
   <ul>
+
   <ul class="expand mw-collapsible-content">
 
     <li><b>Resource Capacity:</b> SSC may not have the adequate financial and human resources to improve services and to introduce the latest technologies to counteract cyber threats.</li>
 
     <li><b>Resource Capacity:</b> SSC may not have the adequate financial and human resources to improve services and to introduce the latest technologies to counteract cyber threats.</li>
 
     <li><b>Aging IT Systems:</b> Current IT infrastructure is at risk of failing due to its end of life.</li>
 
     <li><b>Aging IT Systems:</b> Current IT infrastructure is at risk of failing due to its end of life.</li>
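Review bot: The introductory paragraph ("However, DLP tools and processes…") and the &lt;ul&gt; that follows it each receive class="expand mw-collapsible-content" separately, while the preceding "Security Champions" paragraph stays plain. Because that paragraph ends with a colon introducing the five risks, the two elements should expand and collapse as one unit; consider wrapping both in a single container that carries the content class instead of tagging them individually. As with the earlier hunk, no "mw-collapsible" parent is visible in the shown lines, so confirm it exists outside this context.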