Directive on Security Management
Aims to achieve efficient, effective and accountable management of security within departments and agencies.
Date modified: 2019-07-01
Mandatory procedures:
Appendix B: Mandatory Procedures for Information Technology Security Control
B.1 Effective Date
- B.1.1 These procedures take effect on July 1, 2019.
B.2 Procedures
- B.2.1 These procedures provide details on the requirements to support the deputy head accountability.
The procedures and subsections are as follows:
- Information technology requirements and practices: B.2.2
- IT security controls: B.2.3
- Security in IT project management: B.2.4
- Security in the information system life cycle, and integrity of the IT supply chain: B.2.5
- IT security assessment and authorization: B.2.6
- Monitoring and corrective actions: B.2.7
- B.2.2 Information technology security requirements and practices: Define, document and maintain departmental information technology (IT) security requirements and practices:
  - B.2.2.1 For all information systems that support departmental programs, services or activities or that hold departmental information or information under the custody or control of the department:
    - B.2.2.1.1 Identify pertinent physical security, business continuity, disaster recovery and information security requirements;
    - B.2.2.1.2 Identify and assess threats to which information systems are exposed; and
    - B.2.2.1.3 Define and document requirements for ensuring the protection of departmental information systems throughout their life cycle, commensurate with identified security requirements and threats, and in accordance with applicable legislation, policies, contracts, agreements and memoranda of understanding; and
  - B.2.2.2 Define and document departmental security practices for implementing and maintaining IT security controls, including practices for conducting IT security assessment and authorization, in accordance with departmental security requirements.
- B.2.3 IT security controls: Define, document, implement and maintain security controls to meet departmental IT security requirements, in accordance with departmental practices.
  - B.2.3.1 Identification and authentication management: Implement measures to ensure that individuals and devices are uniquely identified and authenticated to an appropriate level of assurance before being granted access to information in information systems, in accordance with Appendix A: Standard on Identity and Credential Assurance of the Directive on Identity Management.
  - B.2.3.2 Access management: Implement measures to ensure that access to information (electronic data) and information systems is limited to authorized users who have been security-screened at the appropriate level and who have a need for access:
    - B.2.3.2.1 Establish approval, notification, monitoring and operational requirements and procedures for the creation, activation, modification, periodic review, and disabling or deletion of information system accounts;
    - B.2.3.2.2 Define access privileges based on departmental security requirements and the principles of least privilege, segregation of duties, and acceptable use of government information systems;
    - B.2.3.2.3 Inform authorized users of expectations for acceptable use of government information systems, of monitoring practices being applied, and of the consequences for unacceptable use of those systems;
    - B.2.3.2.4 Establish measures to control the use of accounts that have administrative privileges, including restricting the number of users who have administrative privileges, and restricting the information systems, networks and applications that can be accessed and the operations that can be performed using privileged accounts;
    - B.2.3.2.5 Verify that individuals who are authorized to conduct privileged operations, such as setting or changing access privileges and implementing or maintaining other IT security controls, are not permitted to alter records of these operations and have been security-screened commensurate with their access level; and
    - B.2.3.2.6 Review access privileges periodically, and remove access when it is no longer required (for example, when an employee leaves or changes responsibilities).
  - B.2.3.3 Security in IT configuration management: Manage the configuration of information systems to maintain known and approved system and component designs, settings, parameters and attributes:
    - B.2.3.3.1 Ensure that change management practices consider security impacts that may result from proposed changes;
    - B.2.3.3.2 Design and configure information systems to provide only required capabilities and to specifically prohibit, disable or restrict the use of unnecessary functions, ports, protocols and services;
    - B.2.3.3.3 Establish measures to ensure that only authorized applications and application components are installed and executed on information systems and their components; and
    - B.2.3.3.4 Establish measures to ensure that only authorized hardware and devices are connected to, or have access to, information systems and their components.
  - B.2.3.4 Secure data storage management: Implement measures to protect information on electronic media and electronic storage devices at rest (for example, in use or in storage), in transit (for example, in transport or in transmittal), and through appropriate sanitization or destruction before reuse or disposal of the equipment, commensurate with the sensitivity of the information and in accordance with departmental practices:
    - B.2.3.4.1 Identify secure electronic storage, transportation, transmittal, sanitization and destruction devices, methods and services that are authorized for use in the department, including but not limited to portable storage devices; and
    - B.2.3.4.2 Implement appropriate safeguards where other devices, methods or services are used for operational purposes, subject to approval by an individual who has the required authority.
  - B.2.3.5 Physical and environmental protection: Implement measures to protect information systems, their components, and the information processed from physical and environmental threats, commensurate with the sensitivity of the information:
    - B.2.3.5.1 Implement appropriate physical and environmental safeguards in facilities where information systems are developed, operated, maintained or stored;
    - B.2.3.5.2 Place physical information system components in appropriate physical security zones; and
    - B.2.3.5.3 Use emanations security or other measures, as required, to protect information systems from information leakage owing to the emanation of electromagnetic signals.
  - B.2.3.6 System and communications protection: Implement measures to protect information systems and their components, as well as the information they process and transmit, from internal and external network-based threats, such as threats related to the use of public networks, wireless communications and remote access:
    - B.2.3.6.1 Define and establish security zones to maintain appropriate separation within physical and virtual IT environments, and ensure that information systems (including virtual instances) that reside in these environments are provided with consistent protection levels that are commensurate with the threat type and level, the sensitivity of the information, and other pertinent security considerations, such as criticality of services and activities supported by the information system;
    - B.2.3.6.2 Restrict the number of discrete external connections to departmental networks to the minimum necessary to meet departmental and government requirements; and
    - B.2.3.6.3 Use encryption and network safeguards to protect the confidentiality of sensitive data transmitted across public networks, wireless networks or any other network where the data may be at risk of unauthorized access.
  - B.2.3.7 System and information integrity management: Implement measures to protect information systems, their components and the information they process and transmit against attacks that leverage vulnerabilities in information systems to affect their integrity and that could have an impact on their availability or confidentiality (for example, malicious code):
    - B.2.3.7.1 Monitor information systems to detect attacks and indicators of potential attacks; unauthorized local, network and remote connections; and unauthorized use of IT resources;
    - B.2.3.7.2 Identify, document and report vulnerabilities in information systems and their components to the responsible security functional specialist and others, as defined in the department's security governance and security event management processes;
    - B.2.3.7.3 Analyze impacts of identified vulnerabilities, and implement corrective actions (for example, apply patches and updates, in accordance with defined timelines and, as required, on an emergency basis);
    - B.2.3.7.4 Coordinate processes for managing vulnerabilities in information systems with departmental and government-wide security event management processes;
    - B.2.3.7.5 Use, review and regularly update measures to prevent, detect and eliminate malicious code (for example, viruses) in information systems and their components; and
    - B.2.3.7.6 Establish source authentication and other mechanisms, where required, to ensure that information (for example, messages and financial transactions) can be attributed to an authorized individual.
  - B.2.3.8 Information system audit management: Create, protect and retain information system audit logs and records to enable monitoring, reporting, analysis, investigation and implementation of corrective actions, as required, for each system, in accordance with departmental practices:
    - B.2.3.8.1 Implement measures to enable user activities to be authoritatively audited, to ensure that users are accountable for their activities; and
    - B.2.3.8.2 Monitor the acceptable use of government information systems, regardless of location of access or system used, and report through appropriate channels potential instances of unacceptable use in the department.
  - B.2.3.9 Security in IT maintenance: Ensure that the maintenance of information systems and their components is authorized and recorded and that the maintenance conforms to departmental security practices:
    - B.2.3.9.1 Ensure that individuals performing maintenance have appropriate authorization, access and direction in the performance of their duties.
  - B.2.3.10 IT continuity management: Establish mechanisms to enable information systems to maintain or return to defined service levels, as applicable:
    - B.2.3.10.1 Define recovery strategies and restoration priorities for data and information systems, in accordance with departmental business continuity requirements;
    - B.2.3.10.2 Implement measures to meet identified recovery strategies and restoration priorities; and
    - B.2.3.10.3 Test IT continuity management mechanisms to ensure an acceptable state of preparedness as an integral element of practices for departmental business continuity management.
- B.2.4 Security in IT project management: Integrate security considerations into all phases of IT project management to ensure that the security needs of programs and services are considered and addressed when developing, implementing or upgrading information systems.
- B.2.5 Security in the information system life cycle, and integrity of the IT supply chain: Identify and address security requirements, activities and gating requirements throughout all stages of the information system life cycle, including definition, design, development and procurement, operations, maintenance and decommissioning:
  - B.2.5.1 Integrate system security engineering and security design processes at the appropriate stages of the system development life cycle process;
  - B.2.5.2 Implement supply chain security measures to establish and maintain reasonable confidence in the security of sources of information systems and IT components, in accordance with applicable security requirements;
  - B.2.5.3 Identify and address any risks regarding transmission, processing or storage of data, both internal and external to Canada, when planning for an information system, including the complete life cycle of the system; and
  - B.2.5.4 For information systems managed for or by another organization, and for information systems shared or interconnected by two or more organizations, establish documented arrangements that define applicable security requirements and respective security responsibilities.
- B.2.6 IT security assessment and authorization: Implement IT security assessment and authorization processes to establish and maintain confidence in the security of information systems that are used or managed by the department, while considering stakeholder security requirements:
  - B.2.6.1 Assess whether security controls are effective and whether applicable security requirements are met;
  - B.2.6.2 Implement and document risk mitigation measures when security requirements cannot be fully met before putting an information system into operation, subject to approval by an individual who has the required authority;
  - B.2.6.3 Authorize an information system before putting it into operation through established IT security assessment and authorization processes;
  - B.2.6.4 Document security assessments and authorization decisions, including the formal acceptance of residual risk by an individual who has the required authority; and
  - B.2.6.5 Evaluate and maintain authorization throughout the information system's operational life cycle.
- B.2.7 Monitoring and corrective actions: Maintain an effective IT security posture:
  - B.2.7.1 Monitor threats and vulnerabilities;
  - B.2.7.2 Analyze information system audit logs and records;
  - B.2.7.3 Review the results of system monitoring, security assessments, tests and post-event analysis; and
  - B.2.7.4 Take pre-emptive, reactive and corrective actions to remediate deficiencies and ensure that IT security practices and controls continue to meet the needs of the department.