Changes

   <p>The Government of Canada (GC) has a responsibility to protect not only its data and IT assets but also that of its citizens and the data collected on or about them. Despite this, the GC itself is not free from experiencing data leaks. For example, the Canadian Revenue Agency (CRA) reported 3,763 data breaches in 2013, including incidents where taxpayer’s information were lost, compromised, or accidentally released. In order to prevent such occurrences, as well as those on both smaller and larger scales, there are various DLP protocols in place throughout the GC. Currently, DLP operations are run independently in each department. However, this is in concurrence with federal supporting policies and procedures, some of which also extend to industry.</p>

   <p>The Government of Canada (GC) has a responsibility to protect not only its data and IT assets but also that of its citizens and the data collected on or about them. Despite this, the GC itself is not free from experiencing data leaks. For example, the Canadian Revenue Agency (CRA) reported 3,763 data breaches in 2013, including incidents where taxpayer’s information were lost, compromised, or accidentally released. In order to prevent such occurrences, as well as those on both smaller and larger scales, there are various DLP protocols in place throughout the GC. Currently, DLP operations are run independently in each department. However, this is in concurrence with federal supporting policies and procedures, some of which also extend to industry.</p>

   <p>As of November 1, 2018, private Canadian  businesses and industries, along with the health sector, which are subjected to [https://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html The Personal Information Protection and Electronic Documents Act] (PIPEDA), are required to report all data breaches involving personal information that may harm an individual, hold a record of all data breaches, and notify the affected individuals. The goal of this act is to assure citizens have their personal information protected by appropriate safeguards in accordance to their right to access their personal information. Similarly, the federal Privacy Act stipulates how GC departments can share and provide access to personal information on or about individual Canadian citizens and also mandates reporting of security breaches involving this data.</p>  

   <p>As of November 1, 2018, private Canadian  businesses and industries, along with the health sector, which are subjected to [https://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html The Personal Information Protection and Electronic Documents Act] (PIPEDA), are required to report all data breaches involving personal information that may harm an individual, hold a record of all data breaches, and notify the affected individuals. The goal of this act is to assure citizens have their personal information protected by appropriate safeguards in accordance to their right to access their personal information. Similarly, the federal [https://laws-lois.justice.gc.ca/eng/acts/P-21/ Privacy Act] stipulates how GC departments can share and provide access to personal information on or about individual Canadian citizens and also mandates reporting of security breaches involving this data.</p>  

   <p>Since the GC relies extensively on IT to provide its services, the Operational Security Standard from Management of Information Technology Security (MITS) as well as the Operational Security Standard – Business Continuity (BCP) Program defines a baseline of security requirements which federal departments and agencies must fulfill to ensure the security of information are under their control. Those prevention safeguards include incorporating identification and authentication in all networks and systems, authorization and access control to restrict accessibility on a “need to know” basis, proper cryptographic and encryption protocols, and emanations security methods such as TEMPEST. In the event of a data breach, the Policy on Government Security (PGS) establishes a mechanism to coordinate the response and recovery. Since the data breaches are primarily caused by people, the Canadian Centre for Cyber Security offers up-to-date publications as part of an awareness campaign.</p>

   <p>Since the GC relies extensively on IT to provide its services, the Operational Security Standard from [http://publications.gc.ca/site/archivee-archived.html?url=http://publications.gc.ca/collections/collection_2018/sct-tbs/BT39-20-2004-eng.pdf Management of Information Technology Security (MITS)] as well as the [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12324 Operational Security Standard – Business Continuity (BCP) Program] defines a baseline of security requirements which federal departments and agencies must fulfill to ensure the security of information are under their control. Those prevention safeguards include incorporating identification and authentication in all networks and systems, authorization and access control to restrict accessibility on a “need to know” basis, proper cryptographic and encryption protocols, and emanations security methods such as TEMPEST. In the event of a data breach, the [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578 Policy on Government Security (PGS)] establishes a mechanism to coordinate the response and recovery. Since the data breaches are primarily caused by people, the Canadian Centre for Cyber Security offers up-to-date publications as part of an awareness campaign.</p>

   <p class="expand mw-collapsible-content">The Government of Canada’s Cloud Adoption Strategy, as well as the Strategic Plan for Information Management and Information Technology 2017 to 2021 outlines a move towards increasing the use of cloud services for data storage and processing. Outsourcing to private clouds presents a certain level of risk if vendors are not vigilant against cyberattacks or if malicious themselves. The GC has developed various strategies, guidelines and best practices in order to mitigate the risks around cloud and Cloud Service Providers (CSPs). For example, the Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice outlines measures such as third-party independent assurances, encryption and cryptographic algorithm, and vulnerability alerts, amongst others, as part of its attempt to minimize risk and heighten data loss prevention.</p>

   <p class="expand mw-collapsible-content">[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/government-canada-cloud-adoption-strategy.html The Government of Canada’s Cloud Adoption Strategy], as well as the [https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/strategic-plan-2017-2021.html Strategic Plan for Information Management and Information Technology 2017 to 2021] outlines a move towards increasing the use of cloud services for data storage and processing. Outsourcing to private clouds presents a certain level of risk if vendors are not vigilant against cyberattacks or if malicious themselves. The GC has developed various strategies, guidelines and best practices in order to mitigate the risks around cloud and Cloud Service Providers (CSPs). For example, the [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/direction-secure-use-commercial-cloud-services-spin.html Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice] outlines measures such as third-party independent assurances, encryption and cryptographic algorithm, and vulnerability alerts, amongst others, as part of its attempt to minimize risk and heighten data loss prevention.</p>

   <p class="expand mw-collapsible-content">As with other nations, creating an open, collaborative, and accessible government is of prime importance to the Government of Canada. As described in the Digital Operations and Strategic Plan (DOSP), it holds that sharing data and information with Canadians and businesses with help to grow the economy and allow for more active participation in public life. Open portals and open information can present a more open possibility of breaches and attacks, however. Therefore, moves towards open government must involve DLP controls. Making data and information more open has inherent risks – it exposes networks, systems, devices and data, including personal information, to accidental or malicious breaches. As such, robust IT security protocols in the GC are of paramount importance. A layered security approach, such as the use of trusted access, protected assets, secure protocols by default and continuous monitoring are already in effect and will continue to be implemented in the GC.</p>

   <p class="expand mw-collapsible-content">As with other nations, creating an open, collaborative, and accessible government is of prime importance to the Government of Canada. As described in the [https://www.canada.ca/en/government/system/digital-government/digital-operations-strategic-plan-2018-2022.html#ToC8 Digital Operations and Strategic Plan (DOSP)], it holds that sharing data and information with Canadians and businesses with help to grow the economy and allow for more active participation in public life. Open portals and open information can present a more open possibility of breaches and attacks, however. Therefore, moves towards open government must involve DLP controls. Making data and information more open has inherent risks – it exposes networks, systems, devices and data, including personal information, to accidental or malicious breaches. As such, robust IT security protocols in the GC are of paramount importance. A layered security approach, such as the use of trusted access, protected assets, secure protocols by default and continuous monitoring are already in effect and will continue to be implemented in the GC.</p>

   <h2>Implications for Government Agencies</h2>

   <h2>Implications for Government Agencies</h2>