05_Data-Protection.md

Data Protection


Objective

Safeguard information and assets hosted in SCMs from unauthorized access, use, disclosure, modification, disposal, transmission, or destruction throughout their life cycle.

This section contains the Guardrails that address controls in the following contexts:

  • Access Control (AC)
  • Audit and Accountability (AU)
  • Incident Response (IR)
  • System and Communications Protection (SC)

Data Location Requirements

| Activity | Validation |
| --- | --- |
| According to subsection 4.4.3.14 of the Directive on Service and Digital: “Ensuring computing facilities located within the geographic boundaries of Canada or within the premises of a Government of Canada department located abroad, such as a diplomatic or consular mission, be identified and evaluated as a principal delivery option for all sensitive electronic information and data under government control that has been categorized as Protected B, Protected C or is Classified.” | Source code most often contains only Unclassified information. There are a few general exceptions, including those in the Access to Information Act, code for systems that perform audit and testing tasks, and code for systems that handle financial transactions. Outside of these exceptions, it is expected that code will be properly secured by removing any sensitive information (e.g. secrets) and will hold the status of Unclassified. |

Mandatory Requirements

| Activity | Validation |
| --- | --- |
| Implement an encryption mechanism to protect the confidentiality and integrity of data when data is at rest in storage. | For SaaS, confirm that the SCM platform has implemented encryption to protect customer data. |
| Use cryptographic algorithms and protocols approved by Communications Security Establishment Canada (CSE) in accordance with ITSP.40.111 and ITSP.40.062. | Cryptographic algorithms and protocols configurable by the consumer are in accordance with ITSP.40.111 and ITSP.40.062. For SaaS, confirm that the CSP has implemented algorithms that align with ITSP.40.111 and ITSP.40.062. |
| Enforce the use of Pull Request (PR) reviews and Protected Branches to ensure that code changes are reviewed and approved by at least one other developer before being merged into the main branch. | Confirm that PR reviews are enforced for all code changes being merged into the default branch of the repository (often called main, or develop). |
| Plan, develop, and disseminate an information spillage response plan to ensure that data is handled appropriately in the event of a data spillage. | Provide evidence that an information spillage response plan has been developed and disseminated. |
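One way to validate the PR review and Protected Branches requirement is to evaluate the branch protection settings of the default branch against the guardrail. The following is an added example, not code from this guardrail project; the field names follow the JSON object GitHub returns for `GET /repos/{owner}/{repo}/branches/{branch}/protection`, and the two sample responses are constructed, not captured from a real repository.

```python
import json

# Minimum number of approving reviews: the guardrail requires at least one
# other developer to approve before a merge to the default branch.
MIN_APPROVALS = 1


def evaluate_branch_protection(protection):
    """Return a list of findings; an empty list means the guardrail is met.

    `protection` is the branch-protection JSON object (field names assumed
    from the GitHub REST API). An unprotected branch returns HTTP 404 from
    that endpoint, which callers are expected to pass in as None.
    """
    if protection is None:
        return ["default branch is not protected"]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < MIN_APPROVALS:
            findings.append(f"required approving reviews is {count}, need >= {MIN_APPROVALS}")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale approvals are not dismissed when new commits are pushed")
    # Rules that exempt administrators leave a bypass of the review requirement.
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators can bypass the review requirement")
    # Force pushes rewrite history on the default branch without a reviewed PR.
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed on the default branch")
    return findings


# Constructed sample responses: a weak configuration beside a hardened one.
WEAK = {
    "required_pull_request_reviews": {"required_approving_review_count": 0, "dismiss_stale_reviews": False},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
}
HARDENED = {
    "required_pull_request_reviews": {"required_approving_review_count": 1, "dismiss_stale_reviews": True},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, json.dumps(evaluate_branch_protection(cfg), indent=2))
```

The findings list is the evidence to attach to the validation: an empty list for the default branch of each repository in scope satisfies the row above.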

Conditional Requirements

| Activity | Validation |
| --- | --- |
| When dealing with personal information in cloud-based environments, seek guidance from privacy and access to information officials within institutions. | Confirm that privacy is part of the departmental software development life cycle. |
| When available, leverage an appropriate key management system for the cryptographic protection used in cloud-based services, in accordance with the Government of Canada Considerations for the Use of Cryptography in Commercial Cloud Services and the Cyber Centre’s Guidance on Cloud Service Cryptography (ITSP.50.106). | Confirm that a key management strategy has been adopted for the SCM platform. |
| When using Public and Private Repositories, keep them separate. | Publicly accessible repositories should be separated from private repositories used for internal development by using different organizations, projects, etc. |

Self-hosting considerations

| Activity | Validation |
| --- | --- |
| Implement data protection mechanisms to protect data in transit. | Use TLS (at least version 1.2) to encrypt data in transit. |
| Regularly back up data and test the restoration process to ensure that data can be recovered in the event of data loss. | Provide evidence that data is regularly backed up and that the restoration process has been tested. |
| Implement secure data disposal procedures to ensure that data is completely removed when no longer needed. | |
| Implement data loss prevention (DLP) mechanisms to prevent unauthorized data exfiltration. | Provide evidence that DLP mechanisms are implemented to prevent unauthorized data exfiltration. |

References

Related security controls from ITSG-33

AC-6, AC-17(2), AC-22, AU-2, CM-3(6), IR-7, IR-9, IR-9(1), IR-9(2), IR-9(4), SC-12, SC-12(1), SC-12(2), SC-12(3), SC-17