06_Network-Security-Services.md

Network Security Services

(Back)

Objective

Establish secure connections, and monitor network traffic.

This section contains the Guardrails that address controls in the following contexts:

• Access Control (AC)
• Authorization (AU)
• Security Assessment and Authorization (CA)

Mandatory Requirements

Activity	Validation
Use HTTPS for all network traffic	Demonstrate that all network traffic to and from the SCM is encrypted.
Perform Regular Audits	Regularly audit the connection security configuration of the SCM to ensure it is in accordance with the organizational security architecture.

Self-hosting considerations

Activity	Validation
Use Network Segmentation	Ensure that the SCM is hosted on a separate network segment from the internal organizational network.
Use Managed Interfaces	Connect to the SCM only through managed interfaces, such as a VPN or a secure API.
Use Boundary Protection	Use firewalls and other boundary protection devices to control access to the SCM.
Perform Regular Audits	Regularly audit the security configuration of the SCM and the boundary protection devices to ensure they are in accordance with the organizational security architecture.
Employ Network monitoring tools	Use network monitoring tools to monitor for: unauthorized use of the information system attacks and indicators of potential attacks in accordance with monitoring objectives consistent with the GC CSEMP. network intrusion
Provide system monitoring information to necessary stakeholders	As detailed in the GC CSEMP, provide system monitoring information to the Canadian Centre for Cyber Security (Cyber Centre) and other departmental monitoring organizations.
Heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational assets.	Monitor the SCM for suspicious activity and respond to incidents in accordance with the organizational incident response plan.
Obtain a legal opinion with regard to system monitoring	Obtain a legal opinion with regard to system monitoring to ensure that it is in compliance with all applicable Government of Canada legislation, and TBS policies.

References

• Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) 2017-01, subsection 6.2.4
• Cyber Centre’s top 10 IT security actions, number 1
• network security zoning guidance in Baseline Security Requirements for Network Security Zones (ITSP.80.022) and Network Security Zoning (ITSG-38)
• Guidance on Defence in Depth for Cloud-Based Services (ITSP.50.104), subsection 4.3

Related security controls from ITSG-33

AC-19, AC-20(1) AU-6, CA-3