(Back)
Safeguard information and assets hosted in SCMs, from unauthorized access, use, disclosure, modification, disposal, transmission, or destruction throughout their life cycle.
This section contains the Guardrails that address controls in the following contexts:
- Access Control (AC)
- Audit and Accountability (AU)
- Incident Response (IR)
- System and Communications Protection (SC)
Activity | Validation |
---|---|
According to subsection 4.4.3.14 of the Directive on Service and Digital: “Ensuring computing facilities located within the geographic boundaries of Canada or within the premises of a Government of Canada department located abroad, such as a diplomatic or consular mission, be identified and evaluated as a principal delivery option for all sensitive electronic information and data under government control that has been categorized as Protected B, Protected C or is Classified.” |
|
Activity | Validation |
---|---|
Implement an encryption mechanism to protect the confidentiality and integrity of data when data is at rest in storage. |
|
Use cryptographic algorithms and protocols approved by Communications Security Establishment Canada (CSE) in accordance with ITSP.40.111 and ITSP.40.062. |
|
Enforce the use of Pull Request (PR) reviews, and Protected Branches to ensure that code changes are reviewed and approved by at least one other developer before being merged into the main branch. |
|
Plan, develop, and disseminate an information spillage response plan to ensure that data is handled appropriately in the event of a data spillage. |
|
Activity | Validation |
---|---|
When dealing with personal information in cloud-based environments, seek guidance from privacy and access to information officials within institutions. |
|
When available, leverage an appropriate key management system for the cryptographic protection used in cloud-based services, in accordance with the Government of Canada Considerations for the Use of Cryptography in Commercial Cloud Services and the Cyber Centre’s Guidance on Cloud Service Cryptography (ITSP.50.106). |
|
When using Public and Private Repositories, keep them separate |
|
Activity | Validation |
---|---|
Implement data protection mechanisms to protect data in transit. |
|
Regularly backup data and test the restoration process to ensure that data can be recovered in the event of data loss. |
|
Implement secure data disposal procedures to ensure that data is completely removed when no longer needed. |
|
Implement data loss prevention (DLP) mechanisms to prevent unauthorized data exfiltration. |
|
- Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) 2017-01, subsections 6.2.3 & 6.2.4
- Directive on Service and Digital, subsection 4.4.3.14
- Access to Information Act
- cryptography guidance in Cryptographic Algorithms for Unclassified, Protected A and Protected B Information (ITSP.40.111) and Guidance on Securely Configuring Network Protocols (ITSP.40.062)
- Guidance on Cloud Service Cryptography (ITSP.50.106)
- Guidance on Defence in Depth for Cloud-Based Services (ITSP.50.104), subsection 4.5
- IT Media Sanitization (ITSP.40.006)
AC-6, AC-17(2), AC-22, AU-2, CM-3(6), IR-7, IR-9, IR-9(1), IR-9(2), IR-9(4), SC-12, SC-12(1), SC-12(2), SC-12(3), SC-17