Data Location

Objective

Establish policies to restrict sensitive GC workloads to approved geographic locations.

Applicable Service Models

IaaS, PaaS, SaaS

Mandatory Requirements

Activity

Validation

According to subsection 4.4.3.14 of the Directive on Service and Digital: “Ensuring computing facilities located within the geographic boundaries of Canada or within the premises of a Government of Canada department located abroad, such as a diplomatic or consular mission, be identified and evaluated as a principal delivery option for all sensitive electronic information and data under government control that has been categorized as Protected B, Protected C or is Classified.”

Demonstrate that the service location is within Canada for all Protected B cloud services where configurable, in accordance with the applicable cloud usage profiles.

Additional Considerations

None

References

Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice, SPIN 2017-01, subsection 6.2.3
Directive on Service and Digital, subsection 4.4.3.14

Related security controls from ITSG-33

SA-9(5)