Canadian Centre for Cyber Security Events.
You can help create a culture of cyber security in your organisation by sharing awareness messages in your communities.
- What to do when your organization has been compromised by a cyber attack (ITSAP.00.009) by Canadian Centre for Cyber Security on January 21, 2026 at 4:49 pm
This publication provides guidance on the actions you should take in the critical moments after a compromise is detected to lessen the impact on your organization.
- Developing your IT recovery plan (ITSAP.40.004) by Canadian Centre for Cyber Security on January 16, 2026 at 7:03 pm
<article data-history-node-id="634" about="/en/guidance/developing-your-it-recovery-plan-itsap40004" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>January 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.40.004</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>January 2026 | Awareness series</strong></p> </div> <!--ENGLISH Intro paragraph plus pdf download--> <div class="col-md-12 mrgn-tp-lg"> <p class="mrgn-tp-sm">Unplanned outages, cyber attacks, and natural disasters can happen unexpectedly. Your organization may lose information or experience downtime that disrupts or stops critical business functions. Unplanned downtime is expensive and could have a lasting impact on your business. To ensure continued operations with minimal downtime, your organization should have an <abbr title="information technology">IT</abbr> recovery plan as part of your overall business continuity approach. 
The <abbr title="information technology">IT</abbr> recovery plan should identify critical data, applications, and processes, and define how your organization will recover <abbr title="information technology">IT</abbr> services that support business operations, products, and services.</p> <section><h2 class="h3 text-info">On this page</h2> <ul><li><a href="#1">Know your business disruption tolerance</a></li> <li><a href="#2">Identify your critical business functions, applications, and data</a></li> <li><a href="#3">Create your <abbr title="information technology">IT</abbr> recovery plan</a></li> <li><a href="#4">Choose your recovery strategy</a></li> <li><a href="#5">Test your <abbr title="information technology">IT</abbr> recovery plan</a></li> <li><a href="#6">Learn more</a></li> </ul></section></div> </div> <div class="clearfix">&nbsp;</div> <p>Your <abbr title="information technology">IT</abbr> recovery plan should clearly identify and document what needs to be recovered, when, where, and by whom.</p> <p>In general, there are 3 types of plans you should consider developing for your business. These plans take into consideration major events that could cause an unplanned outage and require a recovery response.</p> <ul><li><strong>Incident response plan:</strong> Event-focused plan, specific to a security incident like a cyber attack affecting an organization</li> <li><strong>Business continuity plan:</strong> Specific plan to quickly resume only the most critical operations, as defined by a business impact analysis, in the event of a disaster</li> <li><strong>Disaster recovery plan:</strong> Holistic plan to return your organization to full operations after a disaster</li> </ul><h2 class="text-info" id="1">Know your business disruption tolerance</h2> <p>To develop an effective recovery plan, you should tailor it to address the impact an incident would have on your organization. 
Your plan should also specify the level of disruption your organization is willing to accept if an incident occurs. There are 3 key measures to consider in your plan:</p> <ul><li><strong>Maximum tolerable downtime:</strong> The total length of time that a process can be unavailable without causing significant harm to your business</li> <li><strong>Recovery point objective:</strong> The measurement of data loss that is tolerable to your organization</li> <li><strong>Recovery time objective:</strong> The planned time and level of service needed to meet the system owner's minimum expectations</li> </ul><h2 class="text-info" id="2">Identify your critical business functions, applications, and data</h2> <p>Your plan should identify your organization's critical data, applications, and functions. Critical data may include financial records, proprietary assets, and personal data.</p> <p>Critical applications are the systems that run your key business functions and are imperative to your business. These are the systems that must be restored immediately for business continuity in the event of an unplanned outage.</p> <p>To identify critical business functions, applications, and data, you should conduct a risk assessment to identify threats and vulnerabilities. Run through specific scenarios (such as a cyber attack, significant power outage, or natural disaster) to identify key participants and stakeholders. Reviewing these scenarios will also help you address significant risks, develop mitigation strategies, and identify the recovery time and effort.</p> <p>Conduct a business impact analysis (BIA) to predict how disruptions or incidents will harm your operations, business processes and systems, and finances. 
During your <abbr title="business impact analysis">BIA</abbr>, you should also assess the data that you collect and the applications that you use to determine their criticality and choose priorities for immediate recovery.</p> <h2 class="text-info" id="3">Create your <abbr title="information technology">IT</abbr> recovery plan</h2> <p>Complete the following steps when creating your organization's <abbr title="information technology">IT</abbr> recovery plan.</p> <ol><li>Identify stakeholders, including clients, vendors, business owners, systems owners, and managers</li> <li>Identify your response team members, as well as their roles and responsibilities</li> <li>Take inventory of all your hardware and software assets</li> <li>Identify and prioritize critical business functions, applications, and data</li> <li>Set clear recovery objectives</li> <li>Define back-up and recovery strategies</li> <li>Test your plan regularly</li> <li>Develop a communications plan to inform key stakeholders</li> <li>Develop a training program for employees to ensure that everyone is aware of their roles, responsibilities, and the order of operations during an unplanned outage</li> <li>Engage with managed service providers if required to identify areas in which they can assist you with your recovery efforts</li> </ol><h2 class="text-info" id="4">Choose your recovery strategy</h2> <p>There are several options to consider when implementing your recovery strategy, but you should choose a recovery strategy that meets your business needs and security requirements.</p> <h3>Hot, warm, or cold site</h3> <ul><li><strong>Hot site</strong> <ul><li>back-up site with the same servers and equipment as your primary site</li> <li>functions the same as your primary site and is always kept running in case of downtime</li> <li>data synchronization occurs within minutes to hours, reducing the risk of data loss</li> </ul></li> <li><strong>Warm site</strong> <ul><li>back-up site with network connectivity and 
some equipment installed</li> <li>requires setup to function at the full capacity of your primary site</li> <li>data synchronization occurs less frequently, which can result in some data loss</li> </ul></li> <li><strong>Cold site</strong> <ul><li>back-up site with little to no equipment</li> <li>requires more time and resources to set up and restore business operations</li> <li>data synchronization can be a difficult and lengthy process as servers need to be migrated from your primary site, resulting in a higher risk of data loss</li> </ul></li> </ul><h3>Storage replication</h3> <p>Storage replication copies your data in real time from one location to another over a Storage Area Network, Local Area Network or a Wide Area Network. Since it is done in real time, it is referred to as synchronous replication. You can also use asynchronous replication, which creates copies of data according to a defined schedule.</p> <h3>Disk mirroring</h3> <p>Disk mirroring replicates data across 2 or more hard disk drives. Disk mirroring automatically switches your critical data to a standby server or network when your main system experiences unplanned downtime. If you are unable to restore your systems, you can use the mirror copy. It is important that the mirrored copy is backed up to a separate server or location that is unaffected by the outage.</p> <h3>Cloud vs. on-premises recovery</h3> <p>With a cloud-based recovery platform, you can connect easily from anywhere with a variety of devices. You can back up your data frequently, and it can be less expensive than purchasing and maintaining an on-premises platform because you pay for the space you need as you need it. Using the cloud can also reduce or eliminate the need for a separate offsite recovery site.</p> <h2 class="text-info" id="5">Test your <abbr title="information technology">IT</abbr> recovery plan</h2> <p>Testing is critical. You can identify inconsistencies and address areas that need revision. 
Be sure to use a test environment to avoid business interruptions. Some example test strategies include:</p> <ul><li><strong>Checklist:</strong> Read through and explain the steps of the recovery plan</li> <li><strong>Walkthrough:</strong> Walk through the steps without enacting them</li> <li><strong>Simulation:</strong> Use a simulated incident or disaster to familiarize the recovery team with their roles and responsibilities</li> <li><strong>Parallel test:</strong> Set up and test recovery systems to see if they can perform operations to support key processes. You keep your main systems in full production mode</li> <li><strong>Cutover test:</strong> Your recovery systems are set up to assume all your business operations, and you disconnect primary systems. This type of test causes business interruptions and requires additional planning</li> </ul><h2 class="text-info" id="6">Learn more</h2> <ul><li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002)</a></li> <li><a href="/en/guidance/have-you-been-hacked-itsap00015">Have you been hacked? 
(ITSAP.00.015)</a></li> <li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> <li><a href="/en/guidance/cyber-security-tips-remote-work-itsap10116">Cyber security tips for remote work (ITSAP.10.116)</a></li> <li><a href="/en/guidance/benefits-and-risks-adopting-cloud-based-services-your-organization-itse50060">Benefits and risks of adopting cloud-based services in your organization (ITSE.50.060)</a></li> <li><a href="/en/guidance/cyber-security-considerations-consumers-managed-services-itsm50030">Cyber security considerations for consumers of managed services (ITSM.50.030)</a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a></li> <li><a href="/en/guidance/developing-your-business-continuity-plan-itsap10005">Business continuity plan (ITSAP.10.005)</a></li> <li><a href="/en/guidance/improving-cyber-security-resilience-through-emergency-preparedness-planning-itsm10014">Improving cyber security resilience through emergency preparedness (ITSM.10.014)</a></li> </ul></div> </div> </div> </div> </div> </article>
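The three measures the publication asks you to set (maximum tolerable downtime, recovery point objective, recovery time objective) are only useful if you check your plan against them. The following added example, which is not part of the Cyber Centre publication, is a small Python checker over a constructed inventory of critical systems: it flags an RTO longer than the MTD, a newest backup older than the RPO, and a restore time from a parallel or cutover test that misses the RTO, and it orders systems for recovery by how little downtime they tolerate. The system names, timings and finding codes are all hypothetical.

```python
"""Check recovery objectives for a list of critical systems.

Hypothetical example (not Cyber Centre code): objectives, backup times and
measured restore times below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class CriticalSystem:
    name: str
    mtd: timedelta                  # maximum tolerable downtime
    rpo: timedelta                  # recovery point objective: tolerable data loss
    rto: timedelta                  # recovery time objective: planned restore time
    last_backup: datetime           # completion time of the newest usable backup
    tested_restore: Optional[timedelta] = None  # restore time measured in a test


def check_system(system: CriticalSystem, now: datetime) -> list:
    """Return finding codes for one system; an empty list means it meets plan."""
    findings = []
    # A planned restore that takes longer than the business can tolerate means
    # the objectives themselves are inconsistent, regardless of backups.
    if system.rto > system.mtd:
        findings.append("RTO_EXCEEDS_MTD")
    # Everything written since the newest backup would be lost in a restore;
    # that window must fit inside the RPO.
    if now - system.last_backup > system.rpo:
        findings.append("BACKUP_OLDER_THAN_RPO")
    # Only a real restore (parallel or cutover test) shows whether the RTO is
    # achievable; checklists and walkthroughs do not produce a measurement.
    if system.tested_restore is None:
        findings.append("RESTORE_UNTESTED")
    elif system.tested_restore > system.rto:
        findings.append("TESTED_RESTORE_EXCEEDS_RTO")
    return findings


def evaluate_plan(systems, now: datetime) -> dict:
    """Map each system name to its findings at time `now`."""
    return {s.name: check_system(s, now) for s in systems}


def recovery_order(systems) -> list:
    """Systems with the least tolerance for downtime are restored first."""
    return [s.name for s in sorted(systems, key=lambda s: (s.mtd, s.rto))]


# Constructed sample inventory; a fixed `NOW` keeps the backup ages deterministic.
NOW = datetime(2026, 1, 16, 12, 0, tzinfo=timezone.utc)
H, M = timedelta(hours=1), timedelta(minutes=1)
INVENTORY = [
    # Backed up 10 minutes ago, restore measured at 90 minutes: within plan.
    CriticalSystem("payments-db", 4 * H, 15 * M, 2 * H, NOW - 10 * M, 90 * M),
    # Backup is 9 hours old against a 4-hour RPO, and restore was never tested.
    CriticalSystem("hr-fileshare", 24 * H, 4 * H, 8 * H, NOW - 9 * H, None),
    # Planned 12-hour restore cannot meet an 8-hour MTD.
    CriticalSystem("customer-portal", 8 * H, 1 * H, 12 * H, NOW - 30 * M, 3 * H),
]

if __name__ == "__main__":
    for name, findings in evaluate_plan(INVENTORY, NOW).items():
        print(f"{name:16s} {'OK' if not findings else ', '.join(findings)}")
    print("recovery order:", " -> ".join(recovery_order(INVENTORY)))
```

Feeding the checker the real backup completion times from your backup system and the restore times recorded during parallel tests turns "test your plan regularly" into a repeatable report.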
- Improving cyber security resilience through emergency preparedness planning (ITSM.10.014) by Canadian Centre for Cyber Security on January 16, 2026 at 7:03 pm
<article data-history-node-id="7066" about="/en/guidance/improving-cyber-security-resilience-through-emergency-preparedness-planning-itsm10014" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>January 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.10.014</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>January 2025 | Management series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.10.014-improving-cyber security-resilience-emergency-preparedness-e.pdf">Improving cyber security resilience through emergency preparedness planning – ITSM.10.014 (PDF, 695 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an <span class="text-uppercase">unclassified</span> publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information, contact the Cyber Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>-</span>833<span>-</span>CYBER<span>-</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on January 2025.</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: January 2025</li> </ol></div> </div> <section><h2 class="text-info">Overview</h2> <p>Cyber emergency preparedness is the practice of ensuring that your organization has a strategy to prevent, respond to, and recover from cyber incidents. Implementing a cyber emergency preparedness strategy requires a collaborative effort from stakeholders across your organization. Your strategy should highlight key aspects of your emergency procedures, such as the steps your organization will take to respond to an incident, who will be contacted in case of an incident, and what resources will be required to carry out your overall plan. A cyber emergency preparedness strategy will help your organization to manage risks and improve resilience in the face of catastrophic events.</p> <p>This publication describes emergency preparedness, related to cyber security, as a strategy that encompasses an incident response plan (IRP), a business continuity plan (BCP), and a disaster recovery plan (DRP). 
The difference between these 3 plans is detailed in this publication, along with the justification for why your organization should develop and implement all 3 plans to improve your cyber resilience and ability to maintain business operations amid an incident or a major disruption.</p> <p>Your emergency preparedness plan should align with a relevant security risk management framework, such as:</p> <ul><li>the Cyber Centre <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33"><abbr title="information technology">IT</abbr> Security Risk Management: A Lifecycle Approach (ITSG-33)</a></li> <li>the National Institute of Standards and Technology (NIST) <a href="https://www.nist.gov/cyberframework">Cyber Security Framework</a></li> <li>the International Organization for Standardization (ISO) <a href="https://www.iso.org/standard/75652.html">ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection – Information security controls</a></li> </ul><p>Integrating your emergency preparedness plan into your organization’s security framework will help improve your cyber security resiliency and provide the security assurances of confidentiality, integrity, and availability for your business assets.</p> <p>We recommend that you report cyber incidents to the Cyber Centre using our online reporting tool. We can provide your organization with cyber security advice, guidance, and services to help mitigate the impact of cyber incidents and better protect your organization from future incidents. We also encourage you to report cybercrime activities to law enforcement and fraud to the <a href="https://antifraudcentre-centreantifraude.ca/index-eng.htm">Canadian Anti-Fraud Centre</a>.</p> </section><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul><li><a href="#emergency-prep">1. 
Introduction to emergency preparedness</a> <ul><li><a href="#benefits-emergency-prep">1.1 Benefits of an emergency preparedness plan</a></li> <li><a href="#comparing-recovery">1.2 Comparing incident response, business continuity, and disaster recovery</a></li> </ul></li> <li><a href="#incident-response">2. Incident response planning</a> <ul><li><a href="#incident-response-considerations">2.1 What to consider before creating an incident response plan</a></li> <li><a href="#additional-consider-ot">2.2 Additional considerations for operational technology</a></li> <li><a href="#creating-incident-response">2.3 Guidance for creating an incident response plan</a></li> <li><a href="#steps-incident-response">2.4 Main steps in an incident response plan</a></li> </ul></li> <li><a href="#buisness-continuity-planning">3. Business continuity planning</a> <ul><li><a href="#disruptions-organisation">3.1 Main disruptions that can affect your organization</a></li> <li><a href="#buisness-continuity-development">3.2 Steps to developing your business continuity plan</a></li> </ul></li> <li><a href="#disaster-recovery">4. Disaster recovery plan</a> <ul><li><a href="#key-disaster-recovery">4.1 Key elements of a disaster recovery plan</a></li> <li><a href="#disaster-recovery-strategies">4.2 Types of disaster recovery strategies</a></li> </ul></li> <li><a href="#summary">5. Summary</a></li> </ul></details></section><!-- Figure or header inclusion? 
--><section><h2 class="text-info" id="emergency-prep">1 Introduction to emergency preparedness</h2> <p>You should strive to improve your organization’s cyber security posture and resilience by proactively preparing for incidents and disruptions to anticipate and minimize operational downtime, financial losses, and reputational damage.</p> <p>Your cyber emergency preparedness strategy should include 3 comprehensive plans:</p> <ul><li>incident response plan (IRP)</li> <li>business continuity plan (BCP)</li> <li>disaster recovery plan (DRP)</li> </ul><p>This publication focuses on emergency preparedness activities related mainly to the recovery and restoration of tangible and intangible technology assets that are used for business operations and can be adversely affected by a cyber event.</p> <p>Although this publication focuses on cyber security, the recommendations align with Public Safety Canada’s (PSC) <a href="https://www.publicsafety.gc.ca/cnt/mrgnc-mngmnt/index-en.aspx">Emergency Management guidance</a> and <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2017-mrgnc-mngmnt-frmwrk/index-en.aspx">Emergency Management Framework for Canada</a>. Through national leadership in the development and implementation of policies, plans, and a range of programs, <abbr title="Public Safety Canada">PSC</abbr>’s emergency management guidance helps Canadians protect themselves from various emergencies and disasters. <abbr title="Public Safety Canada">PSC</abbr>’s approach to emergency management is based on work in 4 related areas:</p> <ul><li>prevention and mitigation</li> <li>emergency preparedness</li> <li>response to emergency events</li> <li>recovery from disasters</li> </ul><p>The <abbr title="Public Safety Canada">PSC</abbr> framework aims to guide and strengthen the way governments and partners assess risks and work together to prevent, mitigate, prepare for, respond to, and recover from the threats and hazards that pose the greatest risk to Canadians. 
Building on the framework, <abbr title="Public Safety Canada">PSC</abbr>’s <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/mrgncy-mngmnt-strtgy/index-en.aspx">Emergency Management Strategy for Canada: Toward a Resilient 2030</a> identifies federal, provincial, and territorial priorities that will strengthen Canada’s resilience by 2030. Potential threats include natural disasters, such as forest fires, and human-induced disasters, such as hazardous material spills. We recommend that you develop emergency preparedness strategies for these other types of threats as well.</p> <!-- Sub section --> <div> <h3 id="benefits-emergency-prep">1.1 Benefits of an emergency preparedness plan</h3> <p>Disruption due to unforeseen events can have devastating impacts on your organization and its cyber security posture. Having a comprehensive cyber security emergency preparedness plan can:</p> <ul><li>lessen the severity of disruption and damage to business operations and services</li> <li>minimize recovery time and allow for rapid restoration of services</li> <li>improve security</li> <li>minimize the financial impact of the disruption</li> <li>prevent reputational damage</li> <li>potentially prevent regulatory or legal penalties, when an emergency preparedness plan is mandatory</li> <li>offer alternative ways to continue operations</li> <li>train and educate employees on emergency procedures</li> <li>help identify incidents and deploy rapid restoration of services</li> </ul></div> <!-- sub section --> <div> <h3 id="comparing-recovery">1.2 Comparing incident response, business continuity, and disaster recovery</h3> <p>The 3 comprehensive plans involved in your cyber emergency preparedness strategy are your <abbr title="incident response plan">IRP</abbr>, <abbr title="business continuity plan">BCP</abbr>, and <abbr title="disaster recovery plan">DRP</abbr>. 
This section will compare all 3 plans and highlight the differences between each.</p> <div><!-- sub sub section --> <h4>1.2.1 Incident response plan</h4> <p>An <abbr title="incident response plan">IRP</abbr> includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from a specific incident. The plan will help minimize your organization’s downtime and overall business disruptions when faced with an incident. A robust <abbr title="incident response plan">IRP</abbr> covers various types of incidents that could impact your organization and provides step-by-step guidance on how to handle an incident, mitigate the related risks, and recover quickly. Some examples of cyber incidents that can impact your organization’s cyber security posture include:</p> <ul><li><strong>ransomware:</strong> when a type of malware locks you out of your files or systems and a threat actor demands that you pay a ransom to regain access. Payment does not guarantee you will regain access to your information</li> <li><strong>data theft:</strong> when threat actors steal information stored on servers and devices</li> <li><strong>active exploitation:</strong> when threat actors take advantage of unpatched software, hardware, or other vulnerabilities to gain control of your systems, networks, and devices</li> </ul></div> <div> <h4>1.2.2 Business continuity plan</h4> <p>A <abbr title="business continuity plan">BCP</abbr> is a specific plan to recover services most critical to an organization’s operations as quickly as possible. It is a proactive plan that describes operational procedures to help organizations ensure they can continue business operations despite a disruption. 
The <abbr title="business continuity plan">BCP</abbr> will identify the main assets, roles, responsibilities, and processes needed to ensure ongoing operations.</p> <p>Your <abbr title="business continuity plan">BCP</abbr> should be based on your organization’s information technology (IT) threat and risk assessment (TRA) and a business impact analysis (BIA). A <abbr title="business impact analysis">BIA</abbr> will identify the potential impact of different scenarios on your business operations. For example, a <abbr title="business impact analysis">BIA</abbr> should address the following questions:</p> <ul><li>What resources and activities are critical to continuing your business operations?</li> <li>How long can you stop operations without causing significant damage to your business?</li> <li>What are the financial implications of these interruptions?</li> </ul><p>A <abbr title="business impact analysis">BIA</abbr> outlines the projected financial costs associated with different disruptions (where applicable) so that you can make informed investments in the prevention and mitigation strategies described in your <abbr title="business continuity plan">BCP</abbr>.</p> </div> <div> <h4>1.2.3 Disaster recovery plan</h4> <p>A <abbr title="disaster recovery plan">DRP</abbr> is a formal document that defines a set of procedures and processes and the specific roles and responsibilities of key members to return the organization to its normal state after a large event.</p> <p>Most <abbr title="disaster recovery plans">DRPs</abbr> include a shift in the physical location of either server-side infrastructure (for example, changing data centres) or client-side endpoints (for example, changing offices), depending on which side suffered the disaster (for example, data centre flood or office evacuation). 
A <abbr title="disaster recovery plan">DRP</abbr> should also specify recovery objectives for all critical assets and steps to reduce the loss or impact to the organization.</p> <p>A <abbr title="disaster recovery plan">DRP</abbr> encompasses the main principles of an <abbr title="incident response plan">IRP</abbr> and a <abbr title="business continuity plan">BCP</abbr> and can provide guidance on what plan to execute based on the type of disruption or incident.</p> </div> <div> <h4>1.2.4 Main difference between each type of plan</h4> <p><abbr title="incident response plans">IRPs</abbr>, <abbr title="business continuity plans">BCPs</abbr>, and <abbr title="disaster recovery plans">DRPs</abbr> have much in common since they are all meant to improve your organization’s resilience, minimize impact, and keep operations running. However, they do have some key differences.</p> <p>An <strong><abbr title="incident response plan">IRP</abbr></strong> is event focused and specific to a security incident, such as a cyber attack, affecting an organization. It defines the roles and responsibilities and identifies the scope of action required to mitigate an incident (for example, a data breach, a ransomware attack, or a phishing attack). <abbr title="incident response plans">IRPs</abbr> will assist your incident response team in reducing organizational downtime.</p> <p>A <strong><abbr title="business continuity plan">BCP</abbr></strong> is a specific plan to quickly resume only the most critical operations, as defined by the <abbr title="business impact analysis">BIA</abbr>, in the event of a disaster. It will typically address which services to prioritize, identify the critical staff required to run those services, and identify an offsite location from which to set up temporary operations.</p> <p>A <strong><abbr title="disaster recovery plan">DRP</abbr></strong> is a holistic plan to return your organization to full operations after a disaster. 
It will address various types of disruptions, such as natural hazards, hardware and power outages, and cyber attacks.</p> <p>All 3 plans share the following elements that are essential to successful identification, management, response, and recovery during an event or incident:</p> <ul><li>identifying a designated point of contact and designated team members and their alternates (in case of absences), and listing their specific roles and responsibilities</li> <li>scheduling periodic reviews to identify potential gaps in the plan and areas that need improvement</li> <li>scheduling testing for the plans by performing simulated disruptions to ensure that any gaps are fixed</li> </ul><p>Implementing these 3 plans will enhance your cyber security posture. Ensuring that you implement additional preventative security measures, such as patching and updating your <abbr title="information technology">IT</abbr> assets, will reduce your organization’s vulnerabilities and add to your incident preparedness. These additional security measures can help your organization avoid costly downtime and interruptions to your operations. 
In addition to developing and updating an <abbr title="incident response plan">IRP</abbr>, <abbr title="business continuity plan">BCP</abbr>, and <abbr title="disaster recovery plan">DRP</abbr>, we encourage you to enhance your cyber security posture in the following ways:</p> <ul><li>segment your networks to stop traffic from flowing to sensitive or restricted zones</li> <li>deploy firewalls to prevent unauthorized outside sources from accessing your system’s resources or moving data from one area of your network to another</li> <li>install anti-virus and anti-malware software to protect your perimeter</li> <li>update and apply patches to operating systems, software, and firmware</li> </ul></div> <!-- two divs should close --></div> </section><!-- top of page --><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <p><span class="clearfix"></span></p> <section><h2 class="text-info" id="incident-response">2 Incident response planning</h2> <p>Cyber threats can greatly impact your network, systems, and devices. When you have a proper plan, you will be prepared to handle incidents when they happen, mitigate the threats and associated risks, and recover quickly.</p> <p>This section will describe the preliminary elements that will help you better understand what is required to create an <abbr title="incident response plan">IRP</abbr> that is tailored to your organization. 
We will identify the main steps that you should consider when developing your cyber security <abbr title="incident response plan">IRP</abbr> and reference reputable guidance documentation that can assist you in developing your plan.</p> <!-- sub section --> <div> <h3 id="incident-response-considerations">2.1 What to consider before creating an incident response plan</h3> <p>Developing a step-by-step <abbr title="incident response plan">IRP</abbr> can be time consuming and feel overwhelming. Although your plan will be tailored to your organization’s size, business operations, and security requirements, here are some preliminary and standard elements that organizations and businesses of all sizes should consider:</p> <!-- sub sub-section --> <div> <h4>2.1.1 Conduct a threat and risk assessment</h4> <p>A <abbr title="threat and risk assessment">TRA</abbr> is a critical tool for understanding the different threats to your <abbr title="information technology">IT</abbr> systems, determining the level of risk these systems are exposed to, and recommending the appropriate level of protection.</p> <p>Before you create an <abbr title="incident response plan">IRP</abbr>, your organization should conduct a <abbr title="threat and risk assessment">TRA</abbr>. The first step to a <abbr title="threat and risk assessment">TRA</abbr> is identifying all your critical assets. Once this has been done, rank the assets according to their importance, value, and risk level. This will allow you to create a budget and identify the tools and resources required to protect your valuable assets.</p> <p>As previously mentioned, there are various types of incidents to consider when developing your <abbr title="incident response plan">IRP</abbr>. Your plan should map out a variety of incident response scenarios to address the different types of threats. 
Conducting a <abbr title="threat and risk assessment">TRA</abbr> will help you identify the risks and potential threats to your organizational assets, as well as the likelihood and impact of a compromise.</p> </div> <!– closing sub sub-section –> <div> <h4>2.1.2 Create a response team</h4> <p>Identify who has the qualifications to be on your response team and ensure that they understand their roles. Your response team should include employees with various qualifications and have cross-functional support from other business lines. The main goal of the response team is to coordinate resources to minimize the impact of the incident and resume business operations as soon as possible. The response team is responsible for assessing, documenting, and responding to incidents. They are also responsible for restoring your systems, recovering information, and reducing the risk of the incident reoccurring.</p> </div> <!– close sub sub-section –> <div> <h4>2.1.3 Develop policies and procedures</h4> <p>Your incident response activities need to align with your organization’s policy and compliance requirements. Your organization should develop an incident response policy that establishes the authorities, roles, and responsibilities for your incident response processes and procedures. This policy should be approved by your organization’s senior management and executives. Over time, your policies will need to be reviewed and adjusted based on your organization’s business requirements.</p> </div> <!– close sub sub-section –> <div> <h4>2.1.4 Create your communications plan</h4> <p>Your communications plan should detail how, when, and with whom your team communicates. It should also identify who is responsible for these communications. The communications plan should include a central point of contact for employees to report suspected or known incidents, and alternate methods of communication in case the primary method is impacted by the incident. 
Many organizations prefer to use a designated individual to communicate with the press and public during incident recovery.</p> <p>Your notification procedures are critical to the success of your incident response. Identify the key internal and external stakeholders who need to be notified during an incident. You may need to alert third parties, such as clients, suppliers, vendors, and managed service providers. Depending on the incident, you may also need to contact law enforcement or your regulating body if applicable, or consult with a lawyer for advice.</p> <p>You may also be required to report the incident to the Office of the Privacy Commissioner of Canada (OPC) or under the privacy legislation to which your organization is subject. For example, if your organization is subject to the <abbr title="Office of the Privacy Commissioner of Canada">OPC</abbr>’s <em><a href="https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/">Personal Information Protection and Electronic Documents Act (PIPEDA)</a></em>, you are required to:</p> <ul><li>report to the <abbr title="Office of the Privacy Commissioner of Canada">OPC</abbr> breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals</li> <li>notify affected individuals about those breaches</li> <li>keep records of all breaches</li> </ul><p>The <abbr title="Office of the Privacy Commissioner of Canada">OPC</abbr>’s <a href="/en/privacy-topics/business-privacy/breaches-and-safeguards/privacy-breaches-at-your-business/gd_pb_201810/">What you need to know about mandatory reporting of breaches of security safeguards</a> provides an overview of these obligations.</p> </div> <!– sub sub-section –> <div> <h4>2.1.5 Educate your employees</h4> <p>Update your employees on current incident response planning and execution. 
Tailor your training programs to your organization’s business needs and requirements, as well as to your employees’ roles and responsibilities. Run a tabletop exercise with the key employees identified in the plan. Your employees’ cooperation can reduce the length of response time and facilitate the implementation of your <abbr title="incident response plan">IRP</abbr>. Employees should also be trained on how to identify and report cyber attacks such as phishing emails, spear phishing attacks, and social engineering efforts.</p> </div> </div> <!– subsection close –> <div> <h3 id="additional-consider-ot">2.2 Additional considerations for operational technology</h3> <p>Organizations that manage operational technology (OT) need to address and mitigate the risks associated with incidents that can lead to unplanned outages and impacts to both their <abbr title="information technology">IT</abbr> systems and their <abbr title="operational technology">OT</abbr> systems.</p> <p><abbr title="operational technology">OT</abbr> and industrial control systems (ICS) can add complexity to the environment and have unique constraints that need to be addressed. For example, many <abbr title="industrial control systems">ICS</abbr> are deployed without robust security controls and must run continuously, even though they use unsecure protocols and architectures. 
Maintaining older equipment can be challenging and vendors are often unable to provide replacements for vulnerable hardware or software, which can make it difficult to prevent and respond to <abbr title="industrial control systems">ICS</abbr> incidents.</p> <p>The following 3 Cyber Centre publications provide security advice to organizations that manage <abbr title="operational technology">OT</abbr> systems, <abbr title="industrial control systems">ICS</abbr>, and critical infrastructure:</p> <ul><li><a href="/en/guidance/protect-your-operational-technology-itsap00051">Protect your operational technology (ITSAP.00.051)</a></li> <li><a href="/en/guidance/security-considerations-industrial-control-systems-itsap00050">Security considerations for industrial control systems (ITSAP.00.050)</a></li> <li><a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a></li> </ul><p>To learn more, read the additional guidance in PSC’s <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/dvlpng-ndnt-rspns-pln/index-en.aspx#a1">Developing an Operational Technology and Information Technology Incident Response Plan</a>. This publication provides organizations that operate a component of <abbr title="operational technology">OT</abbr> in their environment with a framework that can be used to develop a joint <abbr title="information technology">IT</abbr>/<abbr title="operational technology">OT</abbr> cyber incident response plan (CIRP). The <abbr title="cyber incident response plan">CIRP</abbr> is intended to be appropriate for organization-specific business needs. 
The document provides a baseline approach to developing a <abbr title="cyber incident response plan">CIRP</abbr>, with specific factors to consider based on your organization’s size, function, location, and sector.</p> <p>When conducting a <abbr title="threat and risk assessment">TRA</abbr> on <abbr title="operational technology">OT</abbr> systems, it is important to consider the threats to these systems, the impact of systems vulnerabilities, and the types of risks that can cause disruptions to the operating environment.</p> <p>Here are some examples of <abbr title="operational technology">OT</abbr> vulnerabilities to consider:</p> <ul><li><strong>obsolete systems:</strong> systems and components that are no longer supported with updates by the manufacturer</li> <li><strong>unpatched software and firmware:</strong> leaves systems and devices vulnerable to known threats</li> <li><strong>peripherals:</strong> external connected devices that can be exploited to compromise systems and networks</li> </ul><p><abbr title="operational technology">OT</abbr> design typically prioritizes availability and process repeatability and reliability over data security. Compromised <abbr title="operational technology">OT</abbr> systems and devices can put critical processes at risk of failure. <abbr title="operational technology">OT</abbr> compromises can lead to the following impacts on your organization:</p> <ul><li>major accidents and disasters, like injury or loss of life</li> <li>malfunctioning equipment and disrupted processes and deliverables</li> <li>compromised intellectual property and sensitive information</li> <li>lost revenue from disrupted processes, costly repairs, or paid ransom</li> <li>damaged organizational credibility</li> <li>compromised security measures, such as emergency services</li> </ul><p>The failure of an <abbr title="operational technology">OT</abbr> device could impact an entire industrial process and the safety of operators and the wider public. 
Destruction and loss of services could cause serious damage to high-value systems, processes, and infrastructure.</p> <p>When developing an <abbr title="incident response plan">IRP</abbr>, it is important for organizations that are managing <abbr title="operational technology">OT</abbr> systems to understand the unique implications affecting them. This will allow for better preparation and defence against future <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> incidents and disruptions. Choose a response team that has the capabilities and resources required to address and mitigate the risks associated with <abbr title="operational technology">OT</abbr> incidents.</p> </div> <div> <h3 id="creating-incident-response">2.3 Guidance for creating an incident response plan</h3> <p>This section references trusted resources to help you develop your <abbr title="incident response plan">IRP</abbr>. For an introduction to incident response planning and its preliminary requirements, and to understand why it is important for your organization, read the Cyber Centre’s <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a>.</p> <p>The Cybersecurity and Infrastructure Security Agency’s <a href="https://www.cisa.gov/sites/default/files/2024-08/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf">Cybersecurity Incident & Vulnerability Response Playbooks (PDF)</a> present one playbook for incident response and one for vulnerability response. The playbooks provide a standard set of operating procedures for responding to and recovering from incidents and vulnerabilities affecting systems, data, and networks.</p> <p>For additional guidelines on incident management, read <a href="https://www.iso.org/standard/67851.html">ISO 22320:2018 Security and resilience – Emergency management – Guidelines for incident management</a>. 
This document is applicable to any organization and provides guidance on how to handle incidents of any type and scale.</p> <p>The 2 most-used incident response frameworks were created by the <abbr title="National Institute of Standards and Technology">NIST</abbr> and SysAdmin, Audit, Network, and Security (SANS) Institute:</p> <ul><li>The <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-61: Computer Security Incident Handling Guide (PDF)</a> is a 4-step process for incident response and it is defined as a cyclical process where ongoing improvements are made to the plan based on lessons learned throughout the incident lifecycle. The <abbr title="National Institute of Standards and Technology">NIST</abbr> incident response steps are: <ul><li>Preparation</li> <li>Detection and analysis</li> <li>Containment, eradication, and recovery</li> <li>Post-incident activity</li> </ul></li> <li>The <a href="https://www.sans.org/white-papers/33901"><abbr title="SysAdmin, Audit, Network, and Security">SANS</abbr> Institute’s Incident Handler’s Handbook</a> provides a structured 6-step process for incident response. It outlines the foundation required for organizations to build upon when developing their own incident response policies, standards, and roles and responsibilities for their response team. The 6 steps for incident response planning described in the handbook are: <ul><li>Preparation</li> <li>Identification</li> <li>Containment</li> <li>Eradication</li> <li>Recovery</li> <li>Lessons learned</li> </ul></li> </ul><p>The main difference between these 2 frameworks is that <abbr title="National Institute of Standards and Technology">NIST</abbr> combines containment, eradication, and recovery into one step, whereas the <abbr title="SysAdmin, Audit, Network, and Security">SANS</abbr> Institute framework separates them into individual steps. 
The reason for this is that <abbr title="National Institute of Standards and Technology">NIST</abbr> believes these 3 components may sometimes overlap and need to be addressed in conjunction with one another.</p> </div> <div> <h3 id="steps-incident-response">2.4 Main steps in an incident response plan</h3> <p>Having an <abbr title="incident response plan">IRP</abbr> helps your organization handle incidents, mitigate threats and associated risks, and recover quickly. In this section, we will outline the main steps of an <abbr title="incident response plan">IRP</abbr> and specific actions your organization will take to develop your <abbr title="incident response plan">IRP</abbr>.</p> <div> <h4>2.4.1 Preparation</h4> <p>The preparation phase should begin before the incident occurs. This is when you will need to establish the right tools and resources to implement your <abbr title="incident response plan">IRP</abbr>. This phase requires periodic reviewing and updating to address new emerging threats. 
In this phase, you should:</p> <ul><li>Perform a <abbr title="threat and risk assessment">TRA</abbr> to identify your most valuable assets that are critical to your business operations, including sensitive or proprietary data <ul><li>Define the type of security incidents that your organization is most likely to face and create detailed response steps for these incidents</li> <li>Implement an <abbr title="information technology">IT</abbr> asset management plan and associated policies to inventory and track all your organization’s <abbr title="information technology">IT</abbr> assets and services</li> <li>Include hardware, software, and data, indicating the level of importance, model and serial number, location, cost to replace, manufacturer, and whether it is owned or requires a subscription renewal, such as when using cloud-based software or software as a service</li> </ul></li> <li>Develop and document your security policies, standards, and procedures supporting incident response</li> <li>Develop and implement a backup plan <ul><li>Determine where you will do full, differential, or incremental backups</li> <li>Ensure your backups are stored offline</li> </ul></li> <li>Create your response team and assign roles and responsibilities to each member <ul><li>Establish a clear chain of command from the start</li> <li>Ensure that your employees are properly trained on how to execute their roles and responsibilities</li> </ul></li> <li>Define your communications plan to ensure that the proper members respond to an incident <ul><li>Include criteria for escalation</li> <li>Identify how key stakeholders and management will be informed throughout the lifecycle of the incident</li> </ul></li> <li>Create and run mock incident drills to evaluate your <abbr title="incident response plan">IRP</abbr> <ul><li>Refine and update protocols and procedures</li> <li>Ensure that the response team understands their roles and responsibilities</li> </ul></li> </ul></div> <!– sub subsection 
close –> <div> <h4>2.4.2 Detection and analysis</h4> <p>This is the phase where you will determine if your organization has been breached or if any of your systems have been compromised. You will need to analyze the incident and identify its type, its origin, and the extent of damage caused. This is usually the most challenging phase of the incident response process, but it cannot be overlooked. This step is a prerequisite to containing, analyzing, and eradicating the threat.</p> <p>Incident detection can be done using automated security tools, or by receiving a notification and information from people within your organization or from external sources, such as vendors and service providers. You should create a classification system that will help you triage your response to the threat based on urgency. This will make it easier to isolate your most vulnerable systems and those that are most affected by the threat, ultimately minimizing the damage to your organization. Your organization should also verify the incident to confirm that it is a true positive and not a false alarm.</p> </div> <div> <h4>2.4.3 Containment</h4> <p>The containment step is critical. The goal is to minimize the immediate impact of the incident and to prevent it from spreading and causing further damage to other systems. This is done by isolating or removing the threat; for example, shutting down a system or replacing it completely, disconnecting it from the network, or disabling certain functions. Ensure you have a redundant system backup so that your data is safeguarded from permanent deletion. Your backup will also help you restore your business operations in a timely manner.</p> <p>Containment strategies and procedures will depend on the type of incident, the degree of damage that the incident can cause, and your operational requirements. 
Incident containment strategies are easier to implement if they are preestablished in the preparation phase, where your acceptable risk level would have already been defined.</p> <p>If a containment plan is delayed, the threat actor could access and compromise other systems, which could lead to further damage to your organization. The containment step should cover short-term and long-term strategies, and system backups.</p> <p>Here are some questions that can help you decide which containment strategy to implement:</p> <ul><li>What damage does this incident pose to your organization?</li> <li>How important is it to preserve the evidence?</li> <li>How much time and resources are required to implement the strategy?</li> <li>How long can you afford to shut down your systems and stop business operations?</li> <li>How effective is your strategy? Will it offer full or partial containment?</li> </ul></div> <div> <h4>2.4.4 Eradication</h4> <p>Once the incident has been contained, you need to conduct a root cause analysis to identify and remove all elements of the incident from the affected systems to prevent future compromises. The eradication phase will improve your defence strategies based on the lessons learned. In this phase, the following activities should be completed:</p> <ul><li>identify all affected systems, hosts, and services</li> <li>remove all malicious content from affected systems</li> <li>scan and wipe your systems and infected devices to prevent risk of reinfection</li> <li>identify and address all residual attack vectors to ensure other systems are not compromised</li> <li>communicate with all stakeholders to ensure they manage the incident appropriately</li> <li>harden, patch, and upgrade all affected systems</li> <li>upgrade or replace legacy systems</li> </ul></div> <div> <h4>2.4.5 Recovery</h4> <p>In the recovery phase, you will restore the affected systems and reintegrate them into your operating environment. 
To avoid reinfection after a cyber incident, take precautionary measures such as ensuring all malware is removed before restoring your backups. You will need to test, verify, monitor, and validate the affected systems to ensure they are running effectively. Your organization should revise and update policies, procedures, and training initiatives based on the lessons learned.</p> <p>In this phase, you will need to address the following questions:</p> <ul><li>When can systems be reintegrated into the operating environment?</li> <li>How long will the affected systems be monitored for abnormal behaviour?</li> <li>How will you test your compromised systems to ensure that they are clean?</li> <li>What tools will you use to prevent similar attacks from reoccurring?</li> </ul></div> <div> <h4>2.4.6 Post-incident activities and lessons learned</h4> <p>The goal of this phase is to analyze and document everything you know about the incident. It is important to create follow-up reports that will provide a review of what happened throughout the entire incident handling process. The report will serve as a tool to strengthen your organization’s resilience by identifying ways to improve response efforts, security measures, and components of the incident handling process.</p> <p>To help collect all pertinent information needed to generate the report, a meeting with all incident response members should be held shortly after incident recovery to discuss important points, such as:</p> <ul><li>When and why did the incident occur? What triggered it?</li> <li>How did the response team perform? 
Did they know their roles and responsibilities?</li> <li>Does the incident team need to modify its action plan for future incidents?</li> <li>Were the documented procedures followed and were they successful in handling the incident?</li> <li>Did anything happen that may have delayed or inhibited the recovery process?</li> <li>What information or action plan would have been valuable sooner?</li> <li>How can you improve communication and information sharing with third parties?</li> <li>Can employee training be improved?</li> </ul></div> </div> </section> <section><h2 class="text-info" id="buisness-continuity-planning">3 Business continuity planning</h2> <p>A <abbr title="business continuity plan">BCP</abbr> is often considered a subset of the larger <abbr title="disaster recovery plan">DRP</abbr>. It is a formal document containing detailed guidelines on what your organization will need to do to quickly resume critical business operations following an unplanned disaster. Only critical services are included in the <abbr title="business continuity plan">BCP</abbr>. Non-critical functions can be addressed once the incident is fully resolved.</p> <p>The document <a href="https://www.iso.org/standard/75106.html">ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements (ISO 22301)</a> provides a framework to help organizations plan, implement, and maintain a business continuity management plan. 
ISO 22301 will ensure that organizations of all sizes are able to respond, recover, and continue operations after various disruptions.</p> <p>The publication <a href="https://csrc.nist.gov/CSRC/media/Events/HIPAA-2010-Safeguarding-Health-Information-Buil/documents/2-2b-contingency-planning-swanson-nist.pdf"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-34 Revision 1 – Contingency Planning Guide for Federal Information Systems (PDF)</a> offers guidance to United States federal agencies to evaluate information systems and operations to determine contingency planning requirements and priorities. The publication covers <abbr title="incident response plans">IRPs</abbr>, <abbr title="business continuity plans">BCPs</abbr>, and <abbr title="disaster recovery plans">DRPs</abbr> and can be used as a reference to help organizations develop their response and recovery strategies and procedures.</p> <!– subsection –> <div> <h3 id="disruptions-organisation">3.1 Main disruptions that can affect your organization</h3> <p>Although your <abbr title="business continuity plan">BCP</abbr> should address all types of incidents, the following threats are the most common business disruptors to consider:</p> <ul><li>natural hazards, such as hurricanes, tornadoes, earthquakes, floods, wildfires, and severe storms</li> <li>building fires</li> <li>cyber threats, such as ransomware attacks, data thefts, and distributed denial of service (DDoS) attacks</li> <li>server or utility outages, such as power outages, communication line outages, or water shutoffs</li> <li>equipment failure that can impact operations such as HVAC systems, office equipment, or manufacturing equipment</li> <li>acts of terrorism</li> <li>global pandemics such as disease outbreaks or public health emergencies such as virus outbreaks</li> <li>decreased supply due to manufacturer and vendor shutdowns or disruptions to distribution across the supply chain</li> </ul></div> <div> <h3 
id="buisness-continuity-development">3.2 Steps to developing your business continuity plan</h3> <p>In this section, we will discuss the specific areas your organization will need to address when developing a <abbr title="business continuity plan">BCP</abbr>, as well as how you can ensure your <abbr title="business continuity plan">BCP</abbr> will be effective when enacted. A <abbr title="business continuity plan">BCP</abbr> allows organizations to identify their risk from various threats and the impact they would pose to business operations. A <abbr title="business continuity plan">BCP</abbr> is used to ensure organizational resilience and compliance to regulations, policies, and standards. The goal of a <abbr title="business continuity plan">BCP</abbr> is to identify all the resources and procedures required to help organizations continue critical operations and services in the event of a disaster or other disruption.</p> <p>Business continuity planning is a lifecycle approach and requires ongoing reviewing, testing, and updating. 
The image below, Figure 1: Business continuity planning lifecycle, depicts the 5 key steps to developing and maintaining a <abbr title="business continuity plan">BCP</abbr>.</p> </div> <div> <h3>Figure 1: Business continuity planning lifecycle</h3> <div class="panel-body"> <figure><figcaption class="text-center">Figure 1: Business continuity planning lifecycle</figcaption><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsm.10.014-business-continuity-planning-lifecycle-850×607.jpg" /></figure><details><summary>Long description – Figure 1: Business continuity planning lifecycle</summary><p>Business continuity planning lifecycle describes the 5 steps in the business continuity planning lifecycle</p> <ul><li>Initiate: Identify your organization’s goals and objectives</li> <li>Analyze: Conduct a <abbr title="threat and risk assessment">TRA</abbr> and a <abbr title="business impact analysis">BIA</abbr></li> <li>Develop and implement: Define the strategy, develop the plan, and implement it</li> <li>Communicate and integrate: Communicate your BCP to employees, stakeholders, and partners and integrate it into your organization’s policies</li> <li>Test and validate: Test your plan regularly to ensure that it remains effective and current</li> </ul></details></div> <!– insert image section, will review image as well –><!– long description write up <p> Business continuity planning lifecycle describes the 5 steps in the business continuity planning lifecycle </p> <ul> <li>Initiate: Identify your organization’s goals and objectives</li> <li>Analyze: Conduct a TRA and a BIA</li> <li>Develop and implement: Define the strategy, develop the plan, and implement it</li> <li>Communicate and integrate: Communicate your <abbr title="business continuity plan">BCP</abbr> to employees, stakeholders, and partners and integrate it into your organization’s policies</li> <li>Test and validate: Test 
your plan regularly to ensure that it remains effective and current</li> </ul> –> <p>The following section describes the 5 stages of the business continuity planning lifecycle.</p> <!– sub subsection start –> <div> <h4>3.2.1 Initiate: Identify the plan’s objectives, goals and response</h4> <p>The main objective of a <abbr title="business continuity plan">BCP</abbr> is to ensure that there is minimal disruption to critical business functions in the event of a disaster or incident. However, depending on your organization’s unique requirements and resources, you may have different objectives and goals. Once you have identified your objectives and goals, make sure that they are clearly communicated and accepted by your organization’s leaders. Your goals will influence your <abbr title="threat and risk assessment">TRA</abbr>, <abbr title="business impact analysis">BIA</abbr>, <abbr title="business continuity plan">BCP</abbr>, and recovery strategies.</p> <p>You will need to identify the key people and processes that will be required to ensure your goals are met. You will also need a communications plan to share these items. Create a management team with members who are knowledgeable about the different operational areas of your organization to evaluate what potential threats can lead to various levels of risks to your organization. The makeup of your team depends on your business continuity objectives and the size of your organization. There should be a designated leader to ensure that all the actions required to develop, implement, modify, and update the plan are being executed.</p> </div> <!– sub subsection close –> <div> <h4>3.2.2 Analyze: Perform the required assessments</h4> <p>After you have identified your goals and objectives, you will need to conduct a detailed <abbr title="threat and risk assessment">TRA</abbr>. 
It is important that your organization understands where your risks lie and the different threats that could cause interruptions to your business operations. Having this knowledge can help you determine how to reduce, mitigate, and eliminate these risks.</p> <p>Once your organization has identified possible threats, you should conduct a <abbr title="business impact analysis">BIA</abbr> to identify critical and non-critical business operations and systems and how different threats can impact various business areas. A <abbr title="business impact analysis">BIA</abbr> will identify specific threats that can impact financial and operational performance, employees, supply chains, reputation, and resources. These threats should be analyzed to determine the probability of their occurrence and their level of impact. Mitigation strategies that can reduce the likelihood of occurrence and the severity of impact should also be identified.</p> <p>Collaboration is key when conducting a <abbr title="business impact analysis">BIA</abbr>. Managers, key stakeholders, partners, and employees should all be involved in the discussions. This will give you a greater understanding of how a disaster may impact other business functions within the organization. Involving stakeholders and partners will also help them understand the risks to their business operations and identify mitigation strategies.</p> <p>Document all your findings in the <abbr title="threat and risk assessment">TRA</abbr> and <abbr title="business impact analysis">BIA</abbr> so that you can anticipate the cost and resources that will be needed to recover from a disaster or incident.</p> <p>To help you with your <abbr title="threat and risk assessment">TRA</abbr> and <abbr title="business impact analysis">BIA</abbr>, it is recommended that your organization perform a security categorization of your business activities (for example, business processes and related information assets). 
This helps establish the relative importance of your business activities. At the information system level, security categories of business activities serve as input for establishing security assurance requirements, selecting and tailoring security controls, and conducting <abbr title="threat and risk assessment">TRA</abbr> activities. Security categorization is a process to determine the expected injuries from threat compromise and the level of these expected injuries with respect to the security objectives of confidentiality, integrity, and availability. The result of this process is a security category for a business activity that expresses the highest levels of expected injury for all 3 <abbr title="information technology">IT</abbr> security objectives. For information and guidance on security categorization, read the Cyber Centre’s <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33"><abbr title="information technology">IT</abbr> security risk management: A lifecycle approach (ITSG-33)</a>.</p> </div> <div> <h4>3.2.3 Develop and implement: Define the strategy and create the plan</h4> <p>Once you have identified the types of risks, threats, and vulnerabilities applicable to your organization, you can begin to develop an effective <abbr title="business continuity plan">BCP</abbr>. Your plan should focus on mitigation strategies for the identified risks that will allow for the resumption of critical business operations. A comprehensive <abbr title="business continuity plan">BCP</abbr> will take each risk identified in the <abbr title="business impact analysis">BIA</abbr> and develop an appropriate response strategy to either minimize its impact on your organization’s stakeholders, operations, and assets or to mitigate it. 
Here are some key best practices to consider when developing your <abbr title="business continuity plan">BCP</abbr>:</p> <ul><li>identify the members of the response team and provide detailed description of their roles and responsibilities so that they can react swiftly and efficiently</li> <li>develop communication methods and recovery procedures</li> <li>identify an alternative work site and an employee relocation plan</li> <li>consolidate a list of alternate resources and suppliers</li> <li>establish an <abbr title="information technology">IT</abbr> recovery plan with assistance from the Cyber Centre publication <a href="/en/guidance/developing-your-it-recovery-plan-itsap40004">Developing your <abbr title="information technology">IT</abbr> recovery plan (ITSAP.40.004)</a></li> <li>establish policies to be implemented during a disaster, emergency, or incident</li> <li>determine the budget that will need to be allocated to the various activities in your plan</li> <li>identify timeframes in which services and business operations need to be available</li> <li>identify the resources that will be required to ensure prioritization and a quick and relevant response</li> <li>create reports to share with stakeholders</li> <li>provide staff with awareness training and educate them on the various risks and emergency preparedness and response strategies</li> <li>document the plan, validate it, share it with management and organization leaders, and gain their approval</li> <li>store the documented <abbr title="business continuity plan">BCP</abbr> in a secure location that is accessible if the <abbr title="business continuity plan">BCP</abbr> is enacted</li> </ul></div> <div> <h4>3.2.4 Communicate and integrate: Develop policies and communication protocols</h4> <p>Once your <abbr title="business continuity plan">BCP</abbr> has been developed, it should be communicated to your employees and stakeholders and integrated into your organization’s policies. 
It should be easily accessible to allow the response team to best coordinate their efforts. You should also develop a detailed communications and external public relations plan to provide guidance on how to communicate with staff, investors, and the media to avoid the spread of misinformation.</p> <p>Your <abbr title="business continuity plan">BCP</abbr> should include effective communication strategies for both internal members and external stakeholders. Clear communication within your organization during a crisis will reassure your employees that you are taking the required steps to respond and recover. Communication with external stakeholders, suppliers, and customers is also vital to minimize reputational damage and to maintain your organization’s integrity.</p> <p>The communication process should include protocols and procedures to ensure that the appropriate protective actions are taken and the right people are being alerted. Pre-drafted messages can facilitate and speed up communication in the event of a crisis.</p> </div> <div> <h4>3.2.5 Test and validate: Periodic testing to validate your plan</h4> <p>The risks to your organization are not static and are likely to change over time. Your business operations and priorities may also change. As a result, your <abbr title="business continuity plan">BCP</abbr> must be re-evaluated and tested regularly so that it remains effective and updated. A robust <abbr title="business continuity plan">BCP</abbr> requires continuous improvement with ongoing analysis, testing, validation, and implementation. You should conduct simulations and live exercises to assess your response team’s level of preparedness and to identify weak points. You can choose from various types of exercises to test your plan, such as seminars, tabletop exercises, and live exercises. Use the lessons learned from your exercises and tests to update your <abbr title="business continuity plan">BCP</abbr>. 
A checklist to ensure that each part of your plan is working properly is also beneficial.</p> <p>Your <abbr title="business continuity plan">BCP</abbr> testing practices should:</p> <ul><li>evaluate awareness and training information and protocols. Ensure that protocols are current and that regular training sessions are offered to employees and response team members</li> <li>test, evaluate, and validate the technical solutions and steps identified in the <abbr title="business continuity plan">BCP</abbr>. Ensure that solutions and steps are still effective and update them if required</li> <li>test, evaluate, and validate the recovery procedures established in the <abbr title="business continuity plan">BCP</abbr>. Ensure that the procedures are aligned with your organization’s current operational and business requirements and threat landscape</li> </ul></div> </div> </section><section><h2 class="text-info" id="disaster-recovery">4 Disaster recovery plan</h2> <p>A <abbr title="disaster recovery plan">DRP</abbr> looks at every aspect of your organization that might be affected, such as assets, infrastructure, human resources, and business partners. Your <abbr title="disaster recovery plan">DRP</abbr> should identify your critical and non-critical business operations. It should include recovery requirements, procedures, and detailed instructions for each critical function. 
This will ensure the protection of assets and business operations to meet regulatory requirements and minimize downtime.</p> <p>The <abbr title="disaster recovery plan">DRP</abbr> should define strategies to minimize the impact of a disaster and to recover <abbr title="information technology">IT</abbr> assets and services as quickly as possible to ensure continuation of critical operations.</p> <p>A disaster, regardless of its nature, can have devastating impacts on your organization. The longer the recovery time, the greater the potential damage. Therefore, it is important to have a good <abbr title="disaster recovery plan">DRP</abbr> that will ensure a quick recovery, regardless of the type of disaster.</p> <p>A <abbr title="disaster recovery plan">DRP</abbr> should be organized by type of disaster and location and should provide step-by-step instructions that can be easily implemented.</p> <p>The Cyber Centre’s publication Developing your <abbr title="information technology">IT</abbr> recovery plan (ITSAP.40.004) identifies important elements and steps that can assist with the development of your <abbr title="disaster recovery plan">DRP</abbr>. It also describes how a recovery plan can improve your organization’s overall resilience and cyber security posture. Consulting other resources to develop your <abbr title="disaster recovery plan">DRP</abbr>, such as IBM’s <a href="https://www.ibm.com/docs/en/i/7.3.0?topic=system-example-disaster-recovery-plan">Disaster recovery plan template</a> or <a href="https://www.iso.org/standard/27031">ISO/IEC 27031:2025 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity</a>, can also be beneficial.</p> <p>In the next section, we will describe the key elements of a <abbr title="disaster recovery plan">DRP</abbr>. 
As previously mentioned, there are some similarities between an <abbr title="incident response plan">IRP</abbr> and a <abbr title="disaster recovery plan">DRP</abbr>. Although there will be some repetition in the next section, it is important to reiterate these key elements as they shape the <abbr title="disaster recovery plan">DRP</abbr>.</p> <div> <h3 id="key-disaster-recovery">4.1 Key elements of a disaster recovery plan</h3> <p>In this section, we will discuss specific areas that your organization will need to address when developing a <abbr title="disaster recovery plan">DRP</abbr>. These steps will return your organization to full operations after a disaster.</p> <div> <h4>4.1.1 Create a disaster recovery team</h4> <p>The goal of the disaster recovery team is to assess, document, and respond to incidents; restore systems; recover information; and reduce the risk of the incident reoccurring. The plan should clearly identify the name and contact information of the individuals who are responsible for the different areas of the disaster recovery process. This will help streamline communications once recovery efforts are underway.</p> <p>The team members should be well trained on disaster recovery and should understand their respective roles and responsibilities. Members should have various qualifications and cross-functional support from other business lines. Since incidents are unpredictable and require immediate response, designate backup responders to act during any absences when an incident occurs. 
Critical responsibilities include:</p> <ul><li>identifying a plan owner who will lead the recovery process with the support of organization leaders and managers</li> <li>building a communications plan that addresses key considerations for communicating essential information to key stakeholders and the media</li> <li>implementing systems backup and maintenance to ensure business continuity</li> </ul></div> <div> <h4>4.1.2 Maintain an inventory of all your <abbr title="information technology">IT</abbr> assets and identify the most critical</h4> <p>To have an effective <abbr title="disaster recovery plan">DRP</abbr>, you will need to maintain an accurate and up-to-date inventory of your <abbr title="information technology">IT</abbr> assets. Your inventory should include a list of hardware, software, and information assets, as well as their location. Your assets should be categorized based on their criticality to your business operations. Your most critical assets include sensitive and proprietary data, and assets that are mandatory for your business operations. The criticality should be compared to the risk probability and resiliency of the asset when faced with disasters. This will allow you to better anticipate and manage risks.</p> <p>Your organization should rank assets from most critical to least critical to define the scope of your <abbr title="disaster recovery plan">DRP</abbr>. Ensure that your <abbr title="disaster recovery plan">DRP</abbr> addresses your critical high-risk assets first, including your sensitive data. Sensitive data may be subject to compliance requirements, such as the <a href="https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-privacy-act/"><em>Privacy Act</em></a>, which governs the Government of Canada, or <abbr title="Personal Information Protection and Electronic Documents Act">PIPEDA</abbr>, which covers how private sector organizations handle personal information. 
Your <abbr title="disaster recovery plan">DRP</abbr> should identify how your sensitive data will be protected and securely backed up.</p> </div> <div> <h4>4.1.3 Understand the risk tolerance of your organization</h4> <p>To support your disaster management and recovery efforts, you should identify and document the potential risks to your organization and your tolerance to these risks. When you understand your risk tolerance, your organization will be better equipped to develop recovery strategies for various disasters. Your <abbr title="disaster recovery plan">DRP</abbr> should include various events, such as natural hazards, power outages, cyber attacks, ransomware, insider threats, and failure of critical equipment.</p> <p>Here are a few key actions to help identify your risk tolerance:</p> <ul><li>list your critical business operations</li> <li>understand your business operations that handle sensitive data</li> <li>identify the assets, including data, that are valuable to your organization</li> <li>know your geographical location and infrastructure; this will help you determine whether you need cloud backup, one or multiple storage sites, and backup servers</li> </ul></div> <div> <h4>4.1.4 Identify critical operations</h4> <p>Your <abbr title="disaster recovery plan">DRP</abbr> should identify what business operations are considered critical to your organization. 
To help identify your critical operations, consider the following questions:</p> <ul><li>What components of your business are so important that your organization will not survive if immediate access is removed?</li> <li>What sensitive information or data do you store whose loss or compromise would likely expose you to legal repercussions and reputational damage?</li> <li>What patents, intellectual property, or proprietary business information do you need to safeguard to maintain your reputation in the industry and to protect your business?</li> </ul><p>By understanding what is most valuable to your organization, you will be better equipped to implement strategies in your <abbr title="disaster recovery plan">DRP</abbr> that will ensure your organization remains resilient in the event of a disaster.</p> </div> <div> <h4>4.1.5 Develop disaster recovery procedures</h4> <p>A major component of a <abbr title="disaster recovery plan">DRP</abbr> is its documented step-by-step recovery procedures. These procedures will describe how your organization will respond to various disasters. When faced with unexpected catastrophic events, your organization will have very little time to react. Having documented disaster recovery procedures will ensure that your response team knows exactly how to respond to minimize the damage and avoid prolonged downtime. 
These procedures should cover, at a minimum, the following elements:</p> <ul><li><strong>emergency response procedures</strong> will include the steps required to effectively respond to emergency situations, to help minimize damages to your organization, and to protect your employees</li> <li><strong>business operations backup procedures</strong> will ensure minimal disruption to your organization’s critical business operations</li> <li><strong>procedures identifying disaster recovery actions</strong> will help your organization restore your operating environment, including systems, networks, devices, and important information and data following a disaster</li> </ul></div> <div> <h4>4.1.6 Identify recovery time objective and recovery point objective</h4> <p>Recovery time objective (RTO) and recovery point objective (RPO) are the metrics used to determine your downtime and data loss tolerance, respectively.</p> <p><abbr title="recovery time objective">RTO</abbr> is the pre-established maximum amount of downtime your organization can tolerate without causing damage. This can be measured in minutes, hours, days, or weeks. <abbr title="recovery time objective">RTO</abbr> is the planned time and level of service needed to meet the system owner’s minimum expectations.</p> <p>You will need to create different <abbr title="recovery time objective">RTO</abbr> categories since some business operations will require shorter recovery time and some may be less critical for the survival of your organization. 
Important factors to consider when establishing <abbr title="recovery time objective">RTO</abbr> include:</p> <ul><li>cost-benefit analysis related to restoring operations</li> <li>cost for mitigation</li> <li>level of complexity of the recovery process</li> <li>time and resources required to return to normal operations</li> <li>critical asset ranking and risk prioritization for strategic recovery</li> </ul><p><abbr title="recovery point objective">RPO</abbr> is the maximum amount of data your organization can tolerate losing before causing impactful harm. <abbr title="recovery point objective">RPO</abbr> is measured in units of time. It is basically the amount of time from the start of the outage to your last valid data backup.</p> <p>For some organizations, data turnover may be low and an <abbr title="recovery point objective">RPO</abbr> of days or even weeks may be tolerable. For organizations with a high data transaction volume, hours or even minutes of missing data may be intolerable. The <abbr title="recovery point objective">RPO</abbr> can be used as a metric to understand how frequently and where you should be backing up your important data and information. Some transactional databases may be configured to synchronously copy data to disaster recovery sites. This ensures no data is lost, but results in significantly slower transaction speeds and considerable expense.</p> <p>When considering the business impact of a disaster, the sum of the time between the <abbr title="recovery point objective">RPO</abbr> (back in time from the disaster) and the <abbr title="recovery time objective">RTO</abbr> (forward in time from the disaster) gives an idea of how much lost business is designed into the <abbr title="disaster recovery plan">DRP</abbr>. 
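</p> <p>As an added illustration that is not part of this publication, the check below works through the RPO and RTO relationships described above on a constructed backup log: the achieved RPO for each asset is the time from the outage start back to its last <em>verified</em> backup, the exposure window adds that asset category's RTO, and a simplified model relates the RPO to how often backups must run. The tier objectives, asset names, job duration, and backup records are all constructed placeholders.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Per-category objectives. Values are constructed for illustration; the
# publication only says that categories with different RTOs are needed.
TIERS = {
    "tier-1": {"rto": timedelta(hours=1), "rpo": timedelta(minutes=15)},
    "tier-2": {"rto": timedelta(hours=8), "rpo": timedelta(hours=4)},
    "tier-3": {"rto": timedelta(days=3), "rpo": timedelta(days=1)},
}

# Which asset sits in which category (constructed inventory).
ASSETS = {"orders-db": "tier-1", "file-server": "tier-2", "wiki": "tier-3"}

# Assumed duration of one backup job (constructed value).
BACKUP_JOB_DURATION = timedelta(minutes=3)


@dataclass(frozen=True)
class BackupRecord:
    asset: str
    finished: datetime   # when the backup job completed
    verified: bool       # restore test / checksum passed; unverified jobs do not count


# Constructed backup log. Note the 09:45 orders-db job that failed verification
# and the wiki job that was never verified.
BACKUP_LOG = [
    BackupRecord("orders-db", datetime(2026, 1, 16, 9, 15), True),
    BackupRecord("orders-db", datetime(2026, 1, 16, 9, 30), True),
    BackupRecord("orders-db", datetime(2026, 1, 16, 9, 45), False),
    BackupRecord("file-server", datetime(2026, 1, 16, 2, 0), True),
    BackupRecord("file-server", datetime(2026, 1, 16, 6, 0), True),
    BackupRecord("wiki", datetime(2026, 1, 15, 23, 0), False),
]

# Constructed outage start time.
OUTAGE_START = datetime(2026, 1, 16, 9, 58)


def last_valid_backup(log, asset, outage_start):
    """Most recent backup for `asset` that completed and verified before the outage."""
    done = [r.finished for r in log
            if r.asset == asset and r.verified and r.finished <= outage_start]
    return max(done) if done else None


def achieved_rpo(log, asset, outage_start):
    """Actual data-loss window: outage start minus last valid backup (None if none)."""
    last = last_valid_backup(log, asset, outage_start)
    return None if last is None else outage_start - last


def exposure_window(log, asset, tier, outage_start):
    """Lost data (back in time) plus planned downtime (forward in time)."""
    rpo = achieved_rpo(log, asset, outage_start)
    return None if rpo is None else rpo + TIERS[tier]["rto"]


def max_backup_interval(rpo, backup_duration):
    """Longest schedule interval that still meets `rpo`. Simplified model: a
    backup reflects data as of its start, so worst-case loss is interval + duration."""
    return rpo - backup_duration


def evaluate(log, assets, outage_start):
    """Return {asset: (status, achieved_rpo)} for every asset in the inventory."""
    report = {}
    for asset, tier in assets.items():
        actual = achieved_rpo(log, asset, outage_start)
        if actual is None:
            report[asset] = ("no valid backup", None)
        elif actual > TIERS[tier]["rpo"]:
            report[asset] = ("RPO exceeded", actual)
        else:
            report[asset] = ("ok", actual)
    return report


if __name__ == "__main__":
    for asset, (status, actual) in evaluate(BACKUP_LOG, ASSETS, OUTAGE_START).items():
        window = exposure_window(BACKUP_LOG, asset, ASSETS[asset], OUTAGE_START)
        print(f"{asset:12s} {status:16s} achieved RPO: {actual}  exposure: {window}")
```

<p>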
<abbr title="recovery time objectives">RTOs</abbr> and <abbr title="recovery point objectives">RPOs</abbr> should be reviewed and updated regularly since they are likely to change depending on the threat landscape and any changes to your business objectives and operations.</p> </div> <div> <h4>4.1.7 Establish a disaster recovery site</h4> <p>A <abbr title="disaster recovery plan">DRP</abbr> should indicate where your organization’s assets will be relocated if a disaster occurs. Recovery sites are usually in remote locations. They are used to help restore <abbr title="information technology">IT</abbr> infrastructure and other business-critical operations during an incident.</p> <p>It is important that you document the various characteristics of these physical facilities, including location, heating, cooling, power, fire response, and security controls.</p> <p>Establishing a recovery site can be costly. If your organization lacks the financial resources to have its own recovery site, consider engaging a service provider that can host your remote infrastructure, provide a <abbr title="disaster recovery plan">DRP</abbr> in the cloud, or provide Disaster Recovery as a Service (DRaaS). We will expand on these options in the next section.</p> <p>There are 3 types of disaster recovery sites to choose from, depending on your business priorities.</p> <div> <h5>4.1.7.1 Hot sites</h5> <p>A hot site is a fully functional backup site with the same <abbr title="information technology">IT</abbr> infrastructure as your primary site. It functions the same as your primary site and is always kept running in case of downtime. Data synchronization is ongoing to reduce the risk of data loss. The benefit of a hot site is that it can nearly eliminate downtime.</p> </div> <div> <h5>4.1.7.2 Warm sites</h5> <p>A warm site is a backup site with network connectivity and some equipment installed. 
A warm site requires setup time before it can function at full capacity. Data synchronization occurs less frequently, which can result in some data loss.</p> </div> <div> <h5>4.1.7.3 Cold sites</h5> <p>A cold site is used to store backups of systems or data, but with little equipment installed. More time and resources will be required to set up and restore business operations. Data synchronization can be a difficult and lengthy process, and there is a higher risk of data loss if servers need to be transferred from your primary site to the cold site.</p> </div> </div> <div> <h4>4.1.8 Test and maintain your disaster recovery plan</h4> <p>Your organization should test your <abbr title="disaster recovery plan">DRP</abbr> regularly to ensure that your documented procedures are effective and up to date. A <abbr title="disaster recovery plan">DRP</abbr> is an ongoing process that must be reviewed continuously to ensure it aligns with changes to your risk environment, business operations, and technologies.</p> <p>By testing your <abbr title="disaster recovery plan">DRP</abbr> regularly, you can ensure that you meet your response goals while identifying any areas that may need improvement. 
By testing your plan, you can:</p> <ul><li>verify the effectiveness of the recovery documentation and recovery sites</li> <li>provide reassurance that your organization will be able to withstand disasters</li> <li>ensure that your data is being replicated correctly and can be recovered easily from your backups</li> <li>review lessons learned from past incidents and include additional mitigation actions in your <abbr title="disaster recovery plan">DRP</abbr></li> <li>flag areas in the <abbr title="disaster recovery plan">DRP</abbr> that need updating</li> <li>update training requirements for your response team to ensure they are informed of changes and are well prepared to implement the <abbr title="disaster recovery plan">DRP</abbr></li> </ul><p>There are several types of <abbr title="disaster recovery plan">DRP</abbr> tests you can use:</p> <div> <h5>4.1.8.1 Checklist testing</h5> <p>Checklist testing will ensure that the recovery procedures are comprehensive and account for all the resources and response members that are required to execute each step of the plan.</p> </div> <div> <h5>4.1.8.2 Tabletop testing</h5> <p>The main purpose of a tabletop test is to ensure that your response team understands the processes and procedures in your <abbr title="disaster recovery plan">DRP</abbr> and that they are aware of their responsibilities and roles. Tabletop testing will allow all response team members to meet and discuss a simulated disruption. They can discuss the actions required to manage the fine details of the disaster, including the aftermath. This will help ensure that all necessary resources are available as indicated in the <abbr title="disaster recovery plan">DRP</abbr>. 
A tabletop test will also determine if your <abbr title="disaster recovery plan">DRP</abbr> is efficient and will reveal strengths and flaws, which will allow you to address any issues with the <abbr title="disaster recovery plan">DRP</abbr> before an actual event occurs.</p> </div> <div> <h5>4.1.8.3 Walkthrough testing</h5> <p>A walkthrough test is a dry run test to help identify any issues. It is a step-by-step review of the <abbr title="disaster recovery plan">DRP</abbr> to ensure that the response team members understand their roles, are aware of all the steps of the plan, and have been updated on any changes to the plan since the last review.</p> </div> <div> <h5>4.1.8.4 Parallel testing</h5> <p>A parallel test is when a recovery system is used to restore a system without interrupting any business operations. This is a step-by-step review of each plan component and will help identify gaps, weaknesses, or overlooked details that might present roadblocks during real execution.</p> </div> <div> <h5>4.1.8.5 Full interruption testing</h5> <p>A full interruption test is the most disruptive test. The main system is taken down and the response team attempts to recover it. This is a more thorough and time-consuming test. It is also risky since it can lead to disruptions to business operations and expensive downtime. In some cases, this type of test may not be feasible due to public safety or regulatory concerns.</p> </div> <div> <h5>4.1.8.6 Simulation testing</h5> <p>A simulation test will help the response team know what to do when a disaster occurs. It involves role-playing the <abbr title="disaster recovery plan">DRP</abbr> based on a specific disaster scenario. 
It should incorporate all steps in the <abbr title="disaster recovery plan">DRP</abbr> and ensure that the documented procedures are clear with no ambiguity.</p> </div> </div> </div> <div> <h2 class="text-info" id="disaster-recovery-strategies">4.2 Types of disaster recovery strategies</h2> <p>In the previous section, we discussed setting up disaster recovery sites to help protect your organization’s <abbr title="information technology">IT</abbr> infrastructure and critical operations. We listed the 3 types of disaster recovery sites (hot, warm, and cold) to choose from, based on your business priorities, resources, and risk tolerance. Aside from these options, there are several other disaster recovery strategies to choose from depending on your organization’s <abbr title="information technology">IT</abbr> infrastructure, business operations, resources, budget, and critical assets. Here are some examples of backup and recovery methods you can explore.</p> <div> <h3>4.2.1 Network disaster recovery</h3> <p>Network connectivity is critical for your organization’s external and internal communication, application access, and data sharing. Network disaster recovery procedures specify how network services will be restored in the event of a network disruption, what resources will be required, and how access to backup data and storage sites will be ensured. 
Depending on your organization’s requirements, your network disaster recovery may include recovery procedures for:</p> <ul><li>local area networks (LAN)</li> <li>wide area networks (WAN)</li> <li>wireless networks</li> <li>network-based applications and services</li> <li>failed devices that can lead to network interruptions, such as routers, switches, gateways, and modems</li> </ul><p>There are various reasons why network disruptions can occur, including human error, natural or physical disasters, and cyber attacks like DDoS.</p> </div> <div> <h3>4.2.2 Virtualized disaster recovery</h3> <p>Your organization can use virtual machines in an offsite location or the cloud to back up certain operations or data, or even to replicate your entire <abbr title="information technology">IT</abbr> infrastructure (servers, storage, operating systems, software, applications, and data). Using virtualization for disaster recovery can offer the following benefits:</p> <ul><li>automate some disaster recovery processes and allow online operations to be restored faster</li> <li>reduce your <abbr title="information technology">IT</abbr> footprint</li> <li>support frequent replication and enable seamless failover</li> <li>allow your infrastructure to operate from any location</li> </ul></div> <div> <h3>4.2.3 Disaster recovery in the cloud</h3> <p>Disaster recovery in the cloud offers services and strategies to store backup data, applications, and other resources in cloud storage rather than in a physical location. Disaster recovery in the cloud can be more than just a backup solution; it can provide automatic workload failover to the cloud platform so that organizations can restore their backups to either on-premises or cloud environments. This enables business continuity and quick recovery when disruption occurs.</p> <p>Disaster recovery in the cloud automates many recovery processes and can be scaled to meet business requirements. 
It is commonly offered as a software as a service solution and can be a more affordable option for organizations with limited financial resources.</p> <p>Using disaster recovery in the cloud offers the following additional benefits:</p> <ul><li>flexible pricing models, such as on-demand or pay-as-you-go</li> <li>no single point of failure when using the cloud since you can pay to back up data across multiple geographical locations</li> <li>lower disaster recovery capital costs since you will not need to purchase duplicate hardware or software or a physical backup site</li> <li>enhanced compliance with regulatory requirements</li> <li>assurance that your business operations will be restored with minimized data loss, in accordance with your service level agreement (SLA)</li> </ul></div> <div> <h4>4.2.4 Disaster recovery as a service</h4> <p><abbr title="Disaster Recovery as a Service">DRaaS</abbr> is disaster recovery hosted by a third-party service provider or public cloud infrastructure. 
It is a solution that enables replication and hosting of physical or virtual servers, allowing failover for on-premises or cloud computing environments.</p> <p>Depending on the <abbr title="service level agreement">SLA</abbr> between the <abbr title="Disaster Recovery as a Service">DRaaS</abbr> provider and the customer, the following solutions can be acquired:</p> <ul><li>monitoring, implementing, and managing the entire <abbr title="disaster recovery plan">DRP</abbr> and helping clients recover their <abbr title="information technology">IT</abbr> infrastructure and return to normal business operations</li> <li>ensuring guaranteed recovery times for critical <abbr title="information technology">IT</abbr> resources</li> <li>offering backup and disaster recovery tools to customers who want to set up and implement disaster recovery solutions on site</li> <li>providing an infrastructure as a service solution, which is a type of cloud service that offers essential computing, storage, and networking resources on demand, on a pay-as-you-go basis</li> </ul></div> <div> <h4>4.2.5 Backup as a service</h4> <p>Backup as a service is a service offered by a third-party provider and is also known as online backup or cloud backup. The service provider can store your data remotely in the cloud and manage all the backup and recovery infrastructure.</p> </div> <div> <h4>4.2.6 Storage replication</h4> <p>Storage replication copies your data in real time from one location to another over a storage area network, <abbr title="local area networks">LAN</abbr> or <abbr title="wide area networks">WAN</abbr>. Storage replication is referred to as synchronous replication since the replication is done in real time. 
Your organization can also use asynchronous replication, which creates copies of data according to a defined schedule.</p> </div> </div> </section><section><h2 class="text-info" id="summary">5 Summary</h2> <p>The advice provided in this publication is meant to help strengthen your organization’s resilience through emergency preparedness. Your emergency preparedness strategy should encompass an <abbr title="incident response plan">IRP</abbr>, a <abbr title="business continuity plan">BCP</abbr>, and a <abbr title="disaster recovery plan">DRP</abbr>. While the objectives of the 3 plans differ, they all strive to do the following:</p> <ul><li>protect and safeguard your critical assets and business operations</li> <li>respond to incidents</li> <li>recover from disasters as quickly as possible</li> </ul><p>Remember that an <abbr title="incident response plan">IRP</abbr> focuses on a specific incident occurrence and the actions required to respond to the incident, whereas a <abbr title="disaster recovery plan">DRP</abbr> focuses on restoring your organization’s <abbr title="information technology">IT</abbr> infrastructure after a disastrous event occurs. The objective of both plans is to help your organization return to normal business operations as quickly as possible.</p> <p>The main principles of an <abbr title="incident response plan">IRP</abbr> and a <abbr title="disaster recovery plan">DRP</abbr> fall under the umbrella of a <abbr title="business continuity plan">BCP</abbr>. 
A <abbr title="business continuity plan">BCP</abbr> is a holistic approach to handling disruptions with the objective of maintaining your organization’s operations throughout the event lifecycle.</p> <p>Identifying your organization’s critical assets and business operations will help you identify the requirements and guide the plan development process. Through effective planning and practice, your organization will be well prepared, ready to recover, and able to maintain operations efficiently. This will minimize the impacts, interruptions, costs, and damages of any future disruption, incident, or disaster.</p> </section></div> </div> </div> </div> </div> </article>
- Developing your incident response plan (ITSAP.40.003) by Canadian Centre for Cyber Security on January 16, 2026 at 7:02 pm
<article data-history-node-id="735" about="/en/guidance/developing-your-incident-response-plan-itsap40003" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>January 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.40.003</strong></p> </div> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>January 2026 | Awareness series</strong></p> </div> <p>Your incident response plan (IRP) includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from a specific incident. Cyber threats, natural disasters, and unplanned outages are examples of incidents that can impact your network, systems, and devices. With a proper plan, you will be prepared to handle incidents when they happen, mitigate the threats and associated risks, and recover quickly. 
While this publication is written in the context of cyber incidents, its guidance can assist your organization in developing an incident response plan for various types of incidents.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#before">Before creating an incident response plan</a></li> <li><a href="#types">Types of incidents</a></li> <li><a href="#steps">Main steps in your incident response plan</a></li> <li><a href="#services">In-house or professional services</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="before">Before creating an incident response plan</h2> <p>Before you create an <abbr title="incident response plan">IRP</abbr>, identify the information and systems of value to your organization. Determine the types of incidents you might face, such as ransomware or distributed denial of service attacks, and the appropriate responses. Consider who is best qualified to be a member of your response team. You should also determine how you will inform your organization of the plan and the associated policies and procedures.</p> <h3>Conduct a threat and risk assessment</h3> <p>A threat and risk assessment (TRA) is a process that helps you identify your critical assets and how these assets can be compromised. Your <abbr title="threat and risk assessment">TRA</abbr> will assess the level of risk these threats pose to your assets so that you can develop and prioritize your response efforts. 
Some questions to answer during the <abbr title="threat and risk assessment">TRA</abbr> include:</p> <ul><li>what data is valuable to your organization?</li> <li>which business areas handle sensitive data?</li> <li>what controls do you currently have in place?</li> <li>can this lead to a privacy breach for your organization?</li> </ul><p>For more information on <abbr title="threat and risk assessments">TRAs</abbr>, read <a href="/en/tools-services/harmonized-tra-methodology">Harmonized <abbr title="threat and risk assessment">TRA</abbr> Methodology (TRA-1)</a>.</p> <h3>Create your response team</h3> <p>The purpose of your team is to assess, document, and respond quickly to incidents. The goal is to restore your systems, recover information, and reduce the risk of the incident reoccurring.</p> <p>Your team should include employees with various qualifications and have cross-functional support from other business lines.</p> <p>Roles to consider for your incident response team include:</p> <ul><li>critical path personnel</li> <li>security practitioners</li> <li><abbr title="information technology">IT</abbr> or cyber security specialists</li> <li>project engineers for operational technology (OT) environments</li> <li>legal</li> <li>management</li> </ul><p>Cyber incidents in particular are unpredictable and require immediate response. Ensure your response team has alternate means of contact, such as mobile phones or out of band email. Each member of your team should also have a backup contact in case they cannot be reached or are unavailable.</p> <h3>Develop your policies and procedures</h3> <p>Your incident response activities need to align with your organization’s policy and compliance requirements.</p> <p>Write an incident response policy that establishes the authorities, roles, and responsibilities for your incident response procedures and processes. 
This policy should be approved by your organization’s senior management.</p> <h3>Educate your employees</h3> <p>Provide training to employees that explains your incident response plan, policies, and procedures. Tailor your training programs to your organization’s business needs and requirements, and to your employees’ roles and responsibilities.</p> <p>Update your employees on current incident response planning and execution. A well-trained and informed workforce can defend against incidents.</p> <h3>Create your communications plan</h3> <p>Your communications plan should detail how, when, and with whom your team communicates. This plan should include a central point of contact for employees to report suspected or known incidents.</p> <p>Your notification procedures are critical to the success of your incident response. Identify the key internal and external stakeholders who will be notified during an incident. You may have to alert third parties, such as clients and managed service providers. Depending on the incident, you may need to contact law enforcement or consider engaging a lawyer for advice. You may also need to contact your media team.</p> <h2 class="text-info" id="types">Types of incidents</h2> <p>Your organization can face many different incidents. Some examples include:</p> <h3>Ransomware</h3> <p>Ransomware is a type of malware that locks you out of files or systems until you pay a ransom to a threat actor. Payment does not guarantee that you will regain access to your information.</p> <h3>Data theft</h3> <p>Data theft occurs when threat actors steal information stored on servers and devices. The data is most commonly accessed using stolen user credentials. Advanced persistent threats (APTs) refer to threat actors that are highly sophisticated and skilled. <abbr title="Advanced persistent threats">APTs</abbr> are able to use advanced techniques to conduct complex and protracted campaigns in pursuit of their goals. 
The <abbr title="Advanced persistent threat">APT</abbr> designator is usually reserved for nation states or very proficient organized crime groups.</p> <h3>Active exploitation</h3> <p>Active exploitation takes advantage of unpatched software, hardware, or other vulnerabilities to gain control of your systems, networks, and devices. These attacks can go unnoticed before you have the opportunity to apply a patch or update. Your plan should provide instructions for mitigating active exploitation, such as temporarily suspending Internet access or ceasing online activity.</p> <div class="clearfix">&nbsp;</div> <h2 class="text-info" id="steps">Main steps in your incident response plan</h2> <p>Your <abbr title="incident response plan">IRP</abbr> should identify the objectives, stakeholders, responsibilities, communication methods, and escalation processes used throughout the incident response lifecycle. Keep the plan simple and flexible. Test, revisit, and revise your incident response plan annually to keep it effective.</p> <p>Follow the incident response lifecycle steps below to structure your <abbr title="incident response plan">IRP</abbr>.</p> <h3>Preparation</h3> <ol><li>Start with a statement of your management’s commitment to the project. Perform a risk assessment to identify your organization’s most valuable assets that are critical to your business operations</li> <li>Define the security incidents your organization is most likely to face and create detailed response steps for these incidents</li> <li>Lay out the objectives of your incident response strategy, as well as your related policies, standards, and procedures. 
Your policy should include performance measures and the incident data that you collect over time (for example, the number of incidents and time spent per incident)</li> <li>Define your goals to improve security, visibility, and recovery</li> <li>Develop and implement a reliable backup process to create copies of your data and systems to help you restore them during an outage</li> <li>Have a detailed strategy for updating and patching your software and hardware. Use this strategy to track and fix vulnerabilities and mitigate the occurrence and severity of incidents</li> <li>Create your response team and assign roles and responsibilities to each member</li> <li>Define your communications plan and identify how key stakeholders and management will be informed throughout the incident. You should have multiple communication mechanisms in place, as this may be valuable during an incident</li> <li>Develop exercises to test your plan and response. You can revise and improve your plan using your test results</li> </ol><h3>Detection and analysis</h3> <p>Monitor your networks, systems, and connected devices to identify potential threats. Produce reports regularly and document events and potential incidents. Analyze these occurrences and determine whether you need to activate your <abbr title="incident response plan">IRP</abbr>. Determine the frequency and intensity of your monitoring.</p> <p>Although it is impossible to have a step-by-step guide for every incident, you should be prepared to handle incidents that use common attack vectors.</p> <p>In the event of a breach or compromise, analyze the incident, including its type, its origin, and the extent of the damage caused. All facts about the incident should be documented. 
When an incident is detected, analyzed, and prioritized, your incident response team should notify the appropriate stakeholders so that everyone who needs to be involved is informed.</p> <h3>Containment</h3> <p>Containment is crucial for your organization’s recovery. The primary goal is to minimize business impact.</p> <p>Gain an understanding of the issue so you can contain the threat and apply effective mitigation measures.</p> <p>An effective mitigation measure for an <abbr title="information technology">IT</abbr> environment may include deactivating connectivity to your systems and devices to block the threat actor from causing further damage. It might be necessary to isolate all systems and suspend employee access temporarily to detect and stop further intrusions.</p> <p>Containment strategies and procedures will depend on the type of incident, the degree of damage the incident can cause, and your operational requirements. Refer to your organization’s incident containment strategies, established in the preparation phase.</p> <p>When dealing with an incident, the risk assessment completed in the preparation phase should help you define your acceptable risk so that you can develop your containment strategies accordingly.</p> <h3>Eradication</h3> <p>Conduct a root cause analysis to identify and remove all elements of the incident from the affected systems and complete the following actions:</p> <ul><li>Identify all affected systems, hosts, and services</li> <li>Remove all malicious content from affected systems</li> <li>Scan and wipe your systems and devices</li> <li>Identify and address all residual attack vectors</li> <li>Communicate with stakeholders to ensure appropriate management of the incident</li> <li>Harden, patch, and upgrade all affected systems</li> <li>Upgrade or replace legacy systems</li> </ul><h3>Recovery</h3> <p>Restore and reintegrate the affected systems back into your operating environment.</p> <ul><li>Ensure any malware is removed before 
restoring your backups</li> <li>Test, verify, monitor, and validate affected systems to ensure they are running effectively</li> <li>Revise and update policies, procedures, and training initiatives</li> </ul><h3>Post-incident activities and lessons learned</h3> <p>Review the root cause of the incident and collaborate with the response team to determine what can be improved. Evaluate your incident response processes and highlight what went well and what areas require improvement. Create a lessons learned document that details how you will adjust and improve your plan for future incidents. The results of the lessons learned should be used to improve detection methods and prevent repeated incidents.</p> <h2 class="text-info" id="services">In-house or professional services</h2> <p>When developing your <abbr title="incident response plan">IRP</abbr>, determine which actions and services you can conduct internally and which actions you will outsource. Professional services can be retained to assist with incident response initiatives, such as developing your plan, determining your backup processes, and monitoring and patching your systems. Outsourcing incident response for <abbr title="operational technology">OT</abbr> incidents or other specialized environments can be costly, and it is important to plan for these scenarios.</p> <h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> <li><a href="/en/guidance/developing-your-it-recovery-plan-itsap40004">Developing your <abbr title="information technology">IT</abbr> recovery plan (ITSAP.40.004)</a></li> <li><a href="/en/guidance/have-you-been-hacked-itsap00015">Have you been hacked? 
(ITSAP.00.015)</a></li> <li><a href="/en/guidance/preventative-security-tools-itsap00058">Preventative security tools (ITSAP.00.058)</a></li> <li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002)</a></li> <li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> <li><a href="/en/guidance/cyber-security-considerations-consumers-managed-services-itsm50030">Cyber security considerations for consumers of managed services (ITSM.50.030)</a></li> <li><a href="/en/guidance/improving-cyber-security-resilience-through-emergency-preparedness-planning-itsm10014">Improving cyber security resilience through emergency preparedness (ITSM.10.014)</a></li> </ul><div class="clearfix">&nbsp;</div> </div> </div> </div> </div> </div> </article>
- Developing your business continuity plan (ITSAP.10.005) by Canadian Centre for Cyber Security on January 16, 2026 at 7:02 pm
In the event of a cyber incident or natural disaster, your organization will need a business continuity plan (BCP) to resume its most critical business operations quickly. Your BCP will identify the risks from various threats and the impact they would have on your organization.
- Joint guidance on secure connectivity principles for operational technology by Canadian Centre for Cyber Security on January 14, 2026 at 6:00 pm
This joint guidance outlines the desirable end-states that organizations should achieve when designing connectivity into OT environments. The end-states are intended as goals rather than minimum requirements.
- Generative artificial intelligence – ITSAP.00.041 by Canadian Centre for Cyber Security on December 10, 2025 at 6:20 pm
This publication provides some information on the potential risks and mitigation measures associated with generative AI.
- Artificial Intelligence – ITSAP.00.040 by Canadian Centre for Cyber Security on December 10, 2025 at 6:19 pm
Artificial intelligence (AI) uses intelligent computer programs to find patterns in data to make predictions or classifications. AI can be used to perform specific tasks by analyzing data online to replicate human thought processes and decision-making abilities.
- Joint cyber security advisory on pro-Russia hacktivists conducting opportunistic attacks on global critical infrastructure by Canadian Centre for Cyber Security on December 9, 2025 at 9:23 pm
<article data-history-node-id="6536" about="/en/news-events/joint-cyber-security-advisory-pro-russia-hacktivists-conducting-opportunistic-attacks-global-critical-infrastructure" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ Federal Bureau of Investigation (FBI) and other domestic and international partners in issuing a joint advisory on pro-Russia hacktivist attacks.</p> <p>This joint advisory highlights the unsophisticated and opportunistic tactics, techniques and procedures (TTPs) used by pro-Russia hacktivist groups to target critical infrastructure (CI) globally. 
These attacks target minimally secured, Internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) operational technology (OT) control devices within <abbr title="critical infrastructure">CI</abbr> systems.</p> <p><abbr title="operational technology">OT</abbr> owners and operators and <abbr title="critical infrastructure">CI</abbr> entities should implement the following recommendations to reduce the risk of pro-Russia hacktivists targeting control networks through <abbr title="virtual network computing">VNC</abbr> connections:</p> <ul><li>Reduce exposure of <abbr title="operational technology">OT</abbr> assets to the public-facing Internet</li> <li>Implement network segmentation between <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> networks</li> <li>Adopt mature asset management processes, including mapping data flows and access points</li> <li>Ensure that <abbr title="operational technology">OT</abbr> assets are using robust authentication procedures  </li> <li>Enable control system security features that can separate and audit view and control functions</li> <li>Collect and monitor <abbr title="operational technology">OT</abbr> asset and networking device traffic</li> <li>Review configurations for setpoint ranges or tag values to stay within safe ranges and set up alerts for deviations</li> <li>Implement and practice business recovery and disaster recovery plans</li> </ul><p>This joint advisory updates <abbr title="Cybersecurity and Infrastructure Security Agency">CISA</abbr>’s joint fact sheet <a href="https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology">Primary mitigations to reduce cyber threats to operational technology</a>.</p> <p>Read the full joint advisory: <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a">Pro-Russia hacktivists conduct opportunistic attacks against US and global 
critical infrastructure</a>.</p> </div> </div> </div> </div> </div> </article>
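Several of the advisory's recommendations (keeping OT assets off exposed networks, requiring robust authentication on them, and reviewing setpoint or tag values against safe ranges with alerts on deviation) can be turned into routine, automatable checks. The Python below is an added example written for this page; it is not Cyber Centre or CISA tooling. The asset names, tag ranges, the `10.20.0.0/16` OT network, the authentication labels and the telemetry samples are all constructed for illustration.

```python
"""Added example: two defender-side checks drawn from the advisory's
recommendations, run over constructed sample data.

1. Tag/setpoint values are compared with configured safe ranges; any
   deviation, and any tag with no configured range, raises an alert.
2. VNC listeners are reviewed for binds outside the segmented OT network
   (or on all interfaces) and for missing authentication.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# ---- 1. Setpoint / tag range review ---------------------------------------

# Constructed configuration: per asset, the safe (low, high) range of each tag.
SAFE_RANGES: Dict[str, Dict[str, Tuple[float, float]]] = {
    "plc-pump-01": {"tank_level_pct": (10.0, 90.0), "pump_speed_rpm": (0.0, 1750.0)},
    "plc-boiler-02": {"steam_pressure_psi": (0.0, 150.0), "temp_c": (20.0, 180.0)},
}

# Constructed telemetry: (asset, tag, observed value).
SAMPLES: List[Tuple[str, str, float]] = [
    ("plc-pump-01", "tank_level_pct", 45.0),
    ("plc-pump-01", "tank_level_pct", 96.5),        # above safe range
    ("plc-pump-01", "pump_speed_rpm", 1900.0),      # above safe range
    ("plc-boiler-02", "steam_pressure_psi", 120.0),
    ("plc-boiler-02", "temp_c", 15.0),              # below safe range
    ("plc-boiler-02", "fan_speed_rpm", 600.0),      # no range configured
]


@dataclass(frozen=True)
class Alert:
    asset: str
    tag: str
    value: float
    reason: str


def check_setpoints(samples: List[Tuple[str, str, float]],
                    safe_ranges: Dict[str, Dict[str, Tuple[float, float]]]) -> List[Alert]:
    """Return one Alert per sample that is outside its safe range or unmonitored."""
    alerts: List[Alert] = []
    for asset, tag, value in samples:
        bounds = safe_ranges.get(asset, {}).get(tag)
        if bounds is None:
            # A tag nobody has bounded is a review gap, so it is reported too.
            alerts.append(Alert(asset, tag, value, "no safe range configured"))
            continue
        low, high = bounds
        if value < low:
            alerts.append(Alert(asset, tag, value, f"below safe range {low}-{high}"))
        elif value > high:
            alerts.append(Alert(asset, tag, value, f"above safe range {low}-{high}"))
    return alerts


# ---- 2. VNC listener exposure review --------------------------------------

# Assumed segmented OT engineering network (constructed value). A VNC service
# bound outside it, or on all interfaces, is treated as exposed.
OT_NETWORK = ip_network("10.20.0.0/16")
VNC_PORTS = range(5900, 6000)  # RFB display ports: 5900 + display number


@dataclass(frozen=True)
class Listener:
    asset: str
    bind_addr: str  # address the service is bound to
    port: int
    auth: str       # constructed labels: "none", "password", "tls+password"


# Constructed listener inventory.
LISTENERS: List[Listener] = [
    Listener("hmi-01", "0.0.0.0", 5900, "password"),          # all interfaces
    Listener("hmi-02", "10.20.30.5", 5901, "none"),           # in OT net, no auth
    Listener("eng-ws-03", "172.16.5.9", 5900, "password"),    # IT-side address
    Listener("hist-04", "10.20.30.9", 5900, "tls+password"),  # compliant
    Listener("web-05", "0.0.0.0", 443, "tls+password"),       # not VNC, ignored
]


def review_vnc_listeners(listeners: List[Listener],
                         ot_network=OT_NETWORK) -> List[Tuple[str, str]]:
    """Return (asset, finding) pairs for exposed or unauthenticated VNC listeners."""
    findings: List[Tuple[str, str]] = []
    for svc in listeners:
        if svc.port not in VNC_PORTS:
            continue
        addr = ip_address(svc.bind_addr)
        if addr.is_unspecified or addr not in ot_network:
            findings.append((svc.asset,
                             f"VNC on {svc.bind_addr}:{svc.port} reachable outside the OT network"))
        if svc.auth == "none":
            findings.append((svc.asset,
                             f"VNC on port {svc.port} accepts connections without authentication"))
    return findings


if __name__ == "__main__":
    for a in check_setpoints(SAMPLES, SAFE_RANGES):
        print(f"SETPOINT {a.asset} {a.tag}={a.value}: {a.reason}")
    for asset, finding in review_vnc_listeners(LISTENERS):
        print(f"VNC {asset}: {finding}")
```

Two design points: range boundaries are inclusive, so a value sitting exactly on a limit is not an alert, and a tag with no configured range is still reported, because an unreviewed setpoint is exactly the gap the advisory's "review configurations" item is about. In a real deployment the listener inventory would come from asset management data and the telemetry from the historian, with alerts routed to the same monitoring used for the OT network traffic the advisory asks you to collect.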
- Ransomware by Canadian Centre for Cyber Security on December 9, 2025 at 3:47 pm
<article data-history-node-id="557" about="/en/guidance/ransomware" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="col-md-12 row"> <p class="mrgn-tp-lg">Ransomware is the most common cyber threat Canadians face, and it is on the rise.</p> <p>During a ransomware attack, cybercriminals use malicious software to encrypt, steal, or delete data, then demand a ransom payment to restore it.</p> <p>Ransomware can have severe impacts including core business downtime, permanent data loss, intellectual property theft, privacy breaches, reputational damage and expensive recovery costs.</p> <p>Basic cyber security practices would prevent the vast majority of ransomware incidents in Canada.</p> <p>This page offers resources from the Cyber Centre to help Canadians and Canadian organizations understand the ransomware threat and take action to protect themselves.</p> </div> <div class="mrgn-tp-md" id="expands-collapse"><!--<div class="col-md-12 mrgn-tp-md">--> <details><summary><h2 class="h3">Reports</h2> </summary><ul><li><a href="/en/guidance/cyber-threat-bulletin-ransomware-threat-2021">The Ransomware threat in 2021 </a></li> <li><a 
href="/en/guidance/cyber-threat-bulletin-modern-ransomware-and-its-evolution">Modern ransomware and its evolution 2020</a></li> <li><a href="/en/guidance/national-cyber-threat-assessment-2020">National Cyber Threat Assessment 2020</a></li> </ul></details><details><summary><h2 class="h3" id="contigroup">Ransomware case study: the Conti group</h2> </summary><div class="row"> <div class="col-md-12"> <p>This case study describes the typical methods of the Conti ransomware group, one of the most prolific cybercriminal groups in operation.</p> <p>Even by ransomware standards, Conti is regarded as one of the most ruthless and damaging gangs, frequently targeting hospitals, medical networks and other critical services.</p> <p>In a typical attack, Conti actors steal, encrypt and/or delete files. They also threaten to leak sensitive data if the ransom is not paid, a tactic known as “double extortion.”</p> <p>A typical Conti ransomware attack takes place in four stages: reconnaissance, intrusion, infection and impact.</p> </div> </div> <div class="row"> <div class="panel panel-default col-md-offset-2 col-md-8 mrgn-tp-md "> <div class="panel-body"> <figure class="img-responsive mrgn-bttm-md"><img alt="Long description follows" class="img-responsive " src="/sites/default/files/cyber/conti-stage1-reconnaissance-e.jpg" /></figure><details><summary>Long description – Stage 1: Reconnaissance </summary><p>Conti actors <strong>gather information</strong> to identify high-value targets such as hospitals and other organizations that provide essential services or hold sensitive data. They use Internet searches, system scans and information shared on the Dark Web, such as stolen passwords or login credentials. Conti actors continue to gather information throughout the attack cycle to leverage greater ransoms and to ensure payment is not withheld. 
<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup></p> </details></div> </div> <div class="clearfix">&nbsp;</div> <div class="panel panel-default col-md-offset-2 col-md-8 "> <div class="panel-body"> <figure class="img-responsive center-block mrgn-bttm-md"><img alt="Long description follows" class="img-responsive" src="/sites/default/files/cyber/conti-stage2-intrusion-e.jpg" /></figure><details><summary>Long description – Stage 2: Intrusion </summary><p>Conti actors typically <strong>gain illicit access</strong> to the victim’s system either through stolen credentials or through spear phishing emails containing malicious attachments or links. Unlike generic phishing attempts, spear phishing emails are personalized to the recipient, making them more convincing.</p> <p>Often the malicious attachment appears to be a regular file type, such as Word, Excel or PDF, but when the victim opens it, malware, such as TrickBot, IcedID, or BazarLoader, downloads and executes on their device.</p> </details></div> </div> <div class="clearfix">&nbsp;</div> <div class="panel panel-default col-md-offset-2 col-md-8 "> <div class="panel-body"> <figure class="img-responsive center-block mrgn-bttm-md"><img alt="Long description follows" class="img-responsive" src="/sites/default/files/cyber/conti-stage3-infection-e.jpg" /></figure><details><summary>Long description – Stage 3: Infection </summary><p>Once the first device is infected with malware, Conti actors will often install Cobalt Strike software as a command and control (C2) mechanism to coordinate the next phase of the attack.</p> <p>They exploit unpatched vulnerabilities and often use tools already available on the victim network to gain persistent access.</p> <p>They use remote execution software (such as PSExec and Remote Desktop Protocol) to move laterally across the victim network, obtaining credentials and escalating privileges without triggering anti-virus software.</p> <p>This process 
allows them to <strong>spread the infection</strong> to all connected devices on the network.</p> </details></div> </div> <div class="clearfix">&nbsp;</div> <div class="panel panel-default col-md-offset-2 col-md-8 "> <div class="panel-body"> <figure class="img-responsive mrgn-bttm-md"><img alt="Long description follows" class="img-responsive" src="/sites/default/files/cyber/conti-stage4-impact-e.jpg" /></figure><details><summary>Long description – Stage 4: Impact </summary><p>At this point, the Conti actors deploy the ransomware, exfiltrating (stealing), deleting or encrypting the victim’s sensitive data.</p> <p>They employ a double extortion technique in which they <strong>demand a ransom</strong> to restore the encrypted data, while threatening to leak it publicly if the ransom is not paid. They may in fact have already deleted the data, but the victim does not know that.</p> </details></div> </div> </div> <div class="clearfix">&nbsp;</div> <div class="row"> <div class="col-md-12"> <h2 class="h3">Facts and figures</h2> <p>Since January 2020, Conti has leaked several hundred gigabytes of data stolen in over 450 cyber attacks against Canadian and international organisations.<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> This is based on information from Conti’s own “Ransomware Leak Site”. We assume that many more victims have paid ransom without having their data published online.</p> <p>Conti has publicly claimed to have compromised and stolen data from at least 24 Canadian victims so far in 2021. More than half of those belonged to the machinery, professional services, real estate, and specialty retail sectors.</p> <p>As of September 2021, the Conti group’s average ransom payment is $373,902 USD. <sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></p> <h2>Conclusion</h2> <p>The Conti group is one of the most sophisticated ransomware groups in operation. 
However, at every step of this process, there are cyber security tools and practices that can prevent or mitigate the impact of ransomware attacks.</p> <p>You can find further resources on ransomware, including how to defend against it, on the Cyber Centre’s dedicated <a href="/en/ransomware">ransomware</a> page.</p> </div> </div> <aside class="wb-fnote" role="note"><h2 id="fn">Footnotes</h2> <dl><dt>1</dt> <dd id="fn1"> <p>“<a href="https://www.bleepingcomputer.com/news/security/translated-conti-ransomware-playbook-gives-insight-into-attacks" rel="external">Translated Conti ransomware playbook gives insight into attacks</a>,” Bleeping Computer, 2 September 2021.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>2</dt> <dd id="fn2"> <p><a href="https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware" rel="external">For the amount of data typically stolen</a></p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote </span>2<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>3</dt> <dd id="fn3"> <p>“<a href="https://www.coveware.com/conti-ransomware" rel="external">Conti Ransomware Recovery, Payment & Decryption Statistics,</a>” Coveware, September 2021.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote </span>3<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></details><details><summary><h2 class="h3">Guidance for organizations</h2> </summary><ul><li><a href="/en/guidance/ransomware-playbook-itsm00099">Ransomware Playbook</a></li> <li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover</a></li> <li><a href="/en/guidance/have-you-been-victim-cybercrime">Have you been a victim of cybercrime?</a></li> <li><a href="/en/guidance/spotting-malicious-email-messages-itsap00100">Spotting malicious 
email messages</a></li> <li><a href="/en/guidance/top-measures-enhance-cyber-security-small-and-medium-organizations-itsap10035">Top measures to enhance cyber security for small and medium organizations</a></li> </ul></details><details><summary><h2 class="h3">Guidance for all Canadians</h2> </summary><ul><li><a href="/en/ransomware-dont-get-locked-out">Ransomware: Don’t get locked out</a></li> <li><a href="/en/ransomware-how-recover-and-get-back-track">Ransomware: How to recover and get back on track</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords</a></li> <li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: recognize and avoid phishing attacks</a></li> <li><a href="/en/guidance/five-practical-ways-make-yourself-cybersafe">Five practical ways to make yourself cybersafe</a></li> </ul></details><details><summary><h2 class="h3">Additional resources</h2> </summary><ul><li><a href="/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations">Baseline cyber security controls for small and medium organizations</a></li> <li><a href="/en/guidance/cyber-security-home-and-office-secure-your-devices-computers-and-networks-itsap00007">Cyber security at home and in the office – secure your devices, computers, and networks (ITSAP.10.00.007)</a></li> <li><a href="/en/guidance/cyber-security-considerations-consumers-managed-services-itsm50030">Cyber security considerations for consumers of managed services (ITSM.50.030)</a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a></li> <li><a href="/en/guidance/developing-your-it-recovery-plan-itsap40004">Developing your IT recovery plan (ITSAP.40.004)</a></li> <li><a href="/en/guidance/itsp50104-guidance-defence-depth-cloud-based-services">Guidance on Defence in Depth for Cloud-Based Services 
(ITSP.50.104)</a></li> <li><a href="/en/guidance/have-you-been-hacked-itsap00015">Have you been hacked? (ITSAP.00.015)</a></li> <li><a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a></li> <li><a href="/en/guidance/internet-things-security-small-and-medium-organizations-itsap00012">Internet of Things Security for Small and Medium Organizations (ITSAP.00.012)</a></li> <li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> <li><a href="/en/guidance/preventative-security-tools-itsap00058">Preventative security tools (ITSAP.00.058)</a></li> <li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/protecting-your-organization-while-using-wi-fi-itsap80009">Protecting your organization when using Wi-Fi (ITSAP.80.009)</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> <li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002)</a></li> <li><a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)</a></li> </ul></details> </div> </div> </div> </div> </div> </div> </article>
- Joint malware analysis report on Brickstorm backdoor by Canadian Centre for Cyber Security on December 4, 2025 at 8:19 pm
This joint report warns that People’s Republic of China (PRC) state-sponsored threat actors are using Brickstorm malware for long-term persistence on victims’ systems.
- Public content provenance for organizations (ITSP.10.005) by Canadian Centre for Cyber Security on December 4, 2025 at 3:09 pm
<article data-history-node-id="6947" about="/en/guidance/public-content-provenance-organizations-using-content-provenance-improve-audience-trust-organizations-information-online-itsp10005" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 col-sm-12 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>December 2025</strong></p> </div> <div class="col-md-4 col-sm-12 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 col-sm-12 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.10.005</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>December 2025 | Practitioner series</strong></p> </div> <!--pdf download--> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsp10005-public-content-provenance-organizations-e.pdf">Public content provenance for organizations – ITSP.10.005 (PDF, 1.0 Mb)</a></p> </div> <section><h2 class="mrgn-tp-xl text-info">Overview</h2> <p>This publication is intended for security and public communications practitioners.
It lays the foundation by explaining what public content provenance is and why it’s an important tool for organizations to establish a verifiable historical record of the content they make available online. It provides information about the range of technologies which help to establish trust in digital records along with examples of how they might be used to meet different requirements.</p> <p>This publication has been jointly researched and co-authored by the Canadian Centre for Cyber Security (Cyber Centre) and the United Kingdom’s National Cyber Security Centre (NCSC). The Cyber Centre and the <abbr title="United Kingdom’s National Cyber Security Centre">NCSC</abbr> do not directly endorse the products, services or methodologies in this publication. The tools and standards described are a means to demonstrate how to improve cyber resilience in different contexts using combinations of technologies.</p> </section></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled mrgn-tp-lg"><li><a href="#public-content-provenance">1. Securing trust in digital content: Why public content provenance matters</a></li> <li><a href="#securing-digital-trust">2. The challenge of securing digital trust in today’s complex information environment</a> <ul><li><a href="#provenance-explained">2.1 Digital content provenance explained</a></li> <li><a href="#provenance-analogy">2.2 Digital content provenance analogy</a></li> <li><a href="#digital-content-trust">2.3 How to earn trust in digital content</a></li> <li><a href="#public-trust-organisation">2.4 How digital content provenance helps enhance public trust in an organization</a></li> </ul></li> <li><a href="#suitable-systems-technologies">3.
Provenance: Selecting suitable systems and technologies</a> <ul><li><a href="#consider-provenance-systems">3.1 What to consider when selecting provenance systems</a></li> <li><a href="#consider-provenance-technologies">3.2 What to consider when selecting content provenance technologies</a></li> <li><a href="#not-sutible-public">3.3 Why private provenance systems aren’t suitable for public content</a></li> </ul></li> <li><a href="#depolying-considerations-usecase">4. Deploying public content provenance systems: Considerations and example use cases</a> <ul><li><a href="#points-orgs-consider">4.1 Points for organizations to consider</a></li> <li><a href="#usecase">4.2 Example use cases</a></li> </ul></li> <li><a href="#next-steps">5. Next steps</a></li> </ul></details></section><section><h2 id="public-content-provenance" class="text-info">1. Securing trust in digital content: Why public content provenance matters</h2> <p>In today’s digital age, information on the Internet cannot be relied on consistently as a source of truth. The rapid rise in the volume of available information and the accelerated pace of content generation, particularly through Artificial Intelligence (AI), mean the Internet has become a battleground for interference and malicious cyber activities.</p> <p>In this environment, organizations are finding it increasingly challenging to ensure the authenticity and integrity of their information. As such, they must rethink how they establish and maintain trust with their audiences. As highlighted in the <abbr title="United Kingdom’s National Cyber Security Centre">NCSC</abbr>’s <a href="https://www.ncsc.gov.uk/report/impact-ai-cyber-threat-now-2027">Impact of AI on cyber threat from now to 2027</a> and the Cyber Centre’s <a href="/en/guidance/cyber-threats-canadas-democratic-process-2025-update">Cyber threats to Canada’s democratic process: 2025 update</a>, AI-enabled capabilities continue to proliferate to cyber criminals.
States are beginning to integrate AI-enabled technologies into their cyber capabilities. Organizations will therefore need tools to improve their resilience and security to protect the integrity of data and information. A cornerstone of these efforts is the establishment of provenance for digital content.</p> <p>Provenance refers to the place of origin. It is used in the physical world to verify the authenticity of artefacts, but it is also relevant in the online world. Many organizations already employ versioning and logging systems to establish provenance for internal documents. However, these systems are often useful only within the organization. To build stronger trust with external audiences, organizations need to improve how they address the public provenance of their information.</p> </section><section><h2 id="securing-digital-trust" class="text-info">2. The challenge of securing digital trust in today’s complex information environment</h2> <p>Today’s information environment comprises a wide variety of forms of communication, ranging from traditional media and social media to telephone conversations and even signs on lampposts. This makes it easy to access large amounts of information quickly. Different processes within this environment collect and reorganize data and metadata to meet the needs of various groups such as information seekers, publishers and advertisers. Additionally, social media platforms enable widespread republishing and the option to add commentary.</p> <p>Although the information environment benefits both content creators and consumers, it also presents challenges. An original piece of content may be collected, reorganized, summarized, aggregated, reformatted, republished and modified throughout its lifecycle. Modifications may be made deliberately or otherwise, and with or without intent to deceive. These modifications can be difficult to detect as the information rarely persists in its original form.
This means we cannot be certain that the intended meaning of the content is retained or, worse, that it has not been distorted.</p> <p>For security practitioners, protecting information in this environment poses significant challenges. They have traditionally focused on protecting the confidentiality, integrity and availability of digital data directly controlled by the organization but now must also focus on protecting publicly available information about their content, which is outside of their control. To address this, organizations can use public trust mechanisms to verify the source and history of content.</p> <div class="col-md-8 col-sm-offset-2"> <div class="panel panel-default"> <h3 class="mrgn-lft-md text-center">Figure 1: Communicating an organization’s information in the information environment</h3> <div class="panel-body"> <figure><img alt="Figure 1 – Long description immediately follows" class="img-responsive mrgn-bttm-md" src="/sites/default/files/images/communicating-organisations-information-infoenvironment-e-745×500.jpg" /></figure><details><summary>Long description – Figure 1: Communicating an organization’s information in the information environment</summary><p>To communicate with the public, organizations share their information in the information environment. This environment comprises all forms of communication between the organization and the public audience and can include social media, content aggregation sites, web search services, traditional media such as radio and television, as well as others. Other parties can add to the communications with their own content in the form of comments, selective filtering and so on. The overall message that a member of the public audience receives or accesses may not be what is intended by the originating party.
It may not even be accurate.</p> </details></div> </div> </div> <span class="clearfix"></span> <div><!-- 2.1 --> <h3 id="provenance-explained" class="text-info">2.1 Digital content provenance explained</h3> <p>The term provenance is defined as the “place of origin” and is used as a guide to the authenticity and quality of a given artefact. It is traditionally used in the context of art and history. In digital environments the concept can be applied in many ways to deal with specific challenges in domains such as Internet content history, supply chain integrity, data management, software certification, scientific process management, financial transactions tracking as well as legal chain of custody management. Each has its own unique requirements.</p> <p>The focus of this publication is public content provenance. Content provenance provides factual information about the history of digital content without making assertions about the value or truth of the content itself. Decisions on the veracity of the content are left to the consumer, but additional verifiable information is provided to aid them in making a final determination.
Content provenance can provide different types of verifiable information including, but not limited to, the following:</p> <ul><li>individual or entity making a claim about the content</li> <li>date and time of a claim</li> <li>image against its verified thumbnail</li> <li>claims such as location, device or edits made with software</li> <li>statements about whether the work is creative or AI-generated</li> <li>assignment of rights to others (for example, via Creative Commons or other public copyright licenses)</li> </ul><p>By clearly establishing the facts about the history of its public digital content, such as its origin, authenticity and quality, an organization can build better trust with its audiences, customers and stakeholders.</p> </div> <div> <h3 id="provenance-analogy">2.2 Digital content provenance analogy</h3> <p>A good analogy for provenance is that of a <strong>notary</strong>. Many legal systems employ the concept of a notary to witness signatures as part of legal proceedings. The notary is a trusted third party who performs the witness activity in a way that is acceptable for legal requirements.</p> <p>Members of the public who need documentation for legal requirements visit the notary, who confirms their identity and ensures they are signing willingly. The notary then attests to the content of their documentation, as well as the date and time the attestation was done. This attestation involves a formal declaration that the document is genuine and the signatures are valid. Notarized documents are legally recognized and can be used as evidence in court.</p> <p>In a similar way, digital content owners use an attestation service to verify the details of the content, such as a hash or thumbnail image, and establish verifiable evidence such as the location, time, and the notary details.
This is done using cryptographic methods rather than paper documents.</p> <p>Additionally, just as notaries maintain a ledger of all notarized documents, attestation services can record their attestation transactions as part of their service. The basic public notary function is illustrated in figure 2 below.</p> <div class="col-md-8 col-sm-offset-2"> <div class="panel panel-default"> <h3 class="mrgn-lft-md text-center">Figure 2: Notary function as analogy for public provenance</h3> <div class="panel-body"> <figure><img alt="Figure 2 – Long description immediately follows" class="img-responsive mrgn-bttm-md" src="/sites/default/files/images/notary-function-analogy-public-provenance-e-500×700.jpg" /></figure><details><summary>Long description – Figure 2: Notary function as analogy for public provenance</summary><p>The notary function serves as an analogy for public provenance. Many jurisdictions employ notaries to act as third-party validators of documents to be used for legal purposes. The requester submits their documents to the notary and indicates their claims. The notary validates the documents as well as the claims and provides a formal record of attestation such as a stamp or document to the requester. The notary records their actions with the requester in a record register. The requester can provide the notary’s record of attestation to any verifier. The verifier, commonly the court, can also check with the notary to validate that the attestation was done. They can also check with the legal professional association as to whether the notary is licensed to perform the notary function.</p> </details></div> </div> </div> <span class="clearfix"></span></div> <div><!-- 2.3 --> <h3 id="digital-content-trust">2.3 How to earn trust in digital content</h3> <p>To establish why organizations need to consider public provenance, it is useful to understand the broader digital trust context.
The issue of trust on the Internet is not new, and it was an integral part of the development of e-commerce.</p> <p>A major objective for organizations is to establish trust with their audience, customers or stakeholders.</p> <p>The World Economic Forum’s 2022 report describes the following 8 dimensions of trust for digital technology. These factors are important for information assurance more broadly.</p> <ul><li><strong>Cyber security:</strong> mitigating the risks of both malicious and accidental uses of technology</li> <li><strong>Safety:</strong> preventing harm (for example, emotional, physical or psychological) to people or society from technology uses and data processing</li> <li><strong>Transparency:</strong> establishing visibility and clarity around digital operations and uses</li> <li><strong>Interoperability:</strong> ensuring information systems can connect and exchange information for mutual use without undue burden or restriction</li> <li><strong>Auditability:</strong> ensuring that organizations and third parties are able to review and confirm the activities and results of technology, data processing and governance processes</li> <li><strong>Redressability:</strong> providing the possibility of obtaining recourse where individuals, groups or entities have been negatively affected by technological processes, systems or data uses</li> <li><strong>Fairness:</strong> ensuring that an organization’s technology and data processing considers the potential for disparate impact and aims to achieve just and equitable outcomes for all stakeholders, given the relevant circumstances and expectations</li> <li><strong>Privacy:</strong> ensuring that individuals have control over the confidentiality of their personal or personally identifiable information</li> </ul><p>Most organizations today address these 8 dimensions to some degree, but digital trust requirements are evolving as the Internet matures.
These requirements are also driven by changes in how people behave on the Internet and advances in AI.</p> </div> <div><!-- 2.4 --> <h3 id="public-trust-organisation">2.4 How digital content provenance helps enhance public trust in an organization</h3> <p>Content provenance can help enhance digital trust in an organization across a number of the 8 dimensions above, including the following:</p> <ul><li><strong>Cyber security:</strong> It helps verify that content is sourced from legitimate and secure origins, which reduces the risk of malicious content. It also helps with maintaining immutable records of content creation and modification to prevent unauthorized alterations.</li> <li><strong>Safety</strong>: It can reduce the impact of inaccurate information about individuals and organizations. The verifiable provenance record can aid in refuting inaccurate online information.</li> <li><strong>Transparency</strong>: It establishes verifiable metadata about the content itself. This metadata helps establish a content item’s history, including creation and handling. The public availability of this information makes the content and related processes more transparent.</li> <li><strong>Auditability</strong>: It establishes a digital content record as well as the means to verify it. This can be used in auditing programs.</li> <li><strong>Fairness</strong>: It establishes a formal verifiable record of information about content. This can include information about the creator, ownership, and rights for digital content. This verifiable information can be used to adjudicate any issues around content rights and validity.</li> </ul><p>Content provenance provides the public with a means of assessing the accuracy of content created by or related to an organization.
This can enhance the trust the public has in an organization.</p> </div> </section><section><h2 id="suitable-systems-technologies" class="text-info">3. Provenance: Selecting suitable systems and technologies</h2> <p>The subject of content provenance isn’t entirely new, but advances in technologies, such as generative AI, are driving requirements for it to evolve even faster.</p> <p>Frameworks which offer ways of structuring provenance systems are still being established.</p> <p>There are multiple facets to the provenance challenge which will require different approaches. One approach may not necessarily solve all of an organization’s content provenance requirements. Some examples of the current provenance challenge include synthetic media labelling, provenance of digital source media, deepfake detection, and provenance of aggregated content.</p> <p>Organizations will have to identify a framework relevant to their needs. The key aspects to consider when selecting a framework include:</p> <ul><li>how trust in the provenance record is established: does it use cryptographic methods such as trusted timestamps (see 3.2.1) and cryptographic identities (see 3.2.2) to secure integrity?</li> <li>how members of the public can verify provenance: are the mechanisms simple and understandable by the public in general?</li> </ul><p>Organizations will have their own content provenance requirements but should be mindful of the rapidly evolving requirements and standards in public provenance infrastructure. They should consider the standards used in their specific solution to ensure that provenance functions, such as verification, work at scale.</p> <p>In addition to choosing a provenance solution which meets its specific objectives, an organization will need to decide which technologies to use.
This decision will be driven by organizational objectives as well as the availability of technology solutions.</p> <div><!-- 3.1 --> <h3 id="consider-provenance-systems">3.1 What to consider when selecting provenance systems</h3> <p>Provenance systems vary in complexity, cost and effectiveness, and organizations will choose their solution to meet their specific objectives. It is also important to consider that digital provenance technologies are in their infancy and that organizational requirements will inevitably evolve. For this reason, an organization may choose to implement partial or iterative solutions.</p> <p>This section provides information on the aspects to consider when choosing provenance methods.</p> <div><!-- 3.1.1 --> <h4>3.1.1 Source of trust</h4> <p>What is the source of trust for the content provenance record? Organizations may use internal services but will need to consider ways to mitigate the perception of "self-signing" the provenance record. This challenge can potentially be addressed by using third-party operators or auditors. Organizations will need to consider the reputation and stability of third-party organizations used for establishing the provenance record.</p> </div> <div> <h4>3.1.2 Extent of provenance record</h4> <p>How far back does the provenance record go? At a minimum, it should trace the content back to its publication date, and identify whether the information came from a real-world device or was generated by an AI system. Ideally, the provenance should be traceable all the way back to the creation of the original source material and include provenance information about other components it contains, such as images.</p> </div> <div><!-- 3.1.3 --> <h4>3.1.3 Ease of verification</h4> <p>How simple is it to verify the provenance of a content item? In most cases, the verifier will be a member of the general public.
The verification mechanism must be simple to use and yield an easily understandable and accurate provenance record.</p> </div> <div> <h4>3.1.4 Cost of providing provenance</h4> <p>How much does it cost to provide the provenance record? The organization must be able to sustain the costs.</p> </div> <div> <h4>3.1.5 Strength of provenance claim</h4> <p>How strong are the provenance claims? Can facts about the identity and time claims stand up to scrutiny? Cryptographic validation by other parties can strengthen the claims and improve public trust in the content’s provenance record.</p> </div> <div> <h4>3.1.6 Duration of the provenance claim</h4> <p>How long will the provenance record need to exist? If it’s in the range of years or decades, then consider the sustainability of both the content store and the verification mechanisms.</p> </div> <div> <h4>3.1.7 Utility of the provenance</h4> <p>How does the provenance mechanism aid in reducing errors or distortion of an organization’s information? Does the mechanism aid the public in making decisions about the organization’s content? Other information correction measures may be more effective for an organization’s specific challenges.</p> </div> <div> <h4>3.1.8 Redress requirements</h4> <p>How is inaccurate information corrected? All countries have established legal mechanisms for responding to at least some inaccurate information claims against organizations in the form of libel laws. Most countries have laws in place to address copyright and trademark infringement issues. These and other laws can be used by organizations to seek redress for inaccurate information about them.</p> <p>In some cases, such as copyright, there are very structured requirements for identifying infringing material and notifying hosting services to remove it, such as labelling and deploying automated processes for submission and response.
Existing and potential future legal remedies and processes should be considered, as well as the cost and time required to use the redress mechanisms.</p> </div> <div> <h4>3.1.9 Privacy considerations</h4> <p>Can the privacy of individuals be addressed? The identity of actors is an important provenance detail, but it cannot always be used, such as where there may be a risk to the life, reputation or other interests of the individuals providing content. In some cases, it may be required by law to shield an individual’s identity.</p> </div> </div> <div><!-- 3.2 --> <h3 id="consider-provenance-technologies">3.2 What to consider when selecting content provenance technologies</h3> <p>In addition to choosing a provenance solution which meets its specific objectives, an organization will need to decide which technologies to use. This decision will be driven by organizational objectives as well as the availability of technology solutions.</p> <p>Technologies that may be relevant for an organization include:</p> <ul><li>cryptographic integrity mechanisms, such as public key infrastructure (PKI) identities, hashing and trusted timestamps, which can be used to bind together parts of the provenance solution to ensure the veracity and integrity of provenance records</li> <li>authentication for devices and software, individuals and trust anchors, which is an essential part of establishing accountability in the provenance record</li> <li>decentralised storage, which can help <ul><li>address the continuity challenges with content and records when organizations are eventually disbanded</li> <li>ensure that one party does not have full control over the digital content or ledger records</li> </ul></li> <li>tamper-proof ledgers, which address the challenge of permanence in the provenance record by creating records that are
impossible to alter without a record of the alteration and are independent of the content</li> </ul><p>Consideration should also be given to which parties implement the various technologies, to maximise the trust created. Organizations that create or “self-sign” their own provenance record are unlikely to see improvements in the trust of their content.</p> <div><!-- 3.2.1 --> <h4>3.2.1 Trusted timestamps</h4> <p>Trusted timestamps are a useful provenance mechanism in that they establish a trusted record of the time at which content existed in a given state. When implemented properly, no one should be able to change a timestamp once it has been recorded. This concept is standardised in the <a href="https://www.ietf.org/rfc/rfc3161.txt">RFC 3161: Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)</a> and <a href="https://blog.ansi.org/ansi/ansi-x9-95-2022-time-stamp-security-management/">American National Standards Institute Accredited Standards Committee X9.95 standard (ANSI ASC X9.95)</a>.</p> <p>The mechanisms use cryptographic methods to bind a hash of the document to the time at which it was stamped. A third-party organization generally performs the timestamping to improve trust in the mechanism. Commercial services are available to perform this function.</p> </div> <div> <h4>3.2.2 Cryptographic identity</h4> <p>Cryptographic identities are part of <abbr title="public key infrastructure">PKI</abbr>. They are bound to a private cryptographic key known only to that entity. The identity can be an individual, an organization, a machine entity such as a device or service, or can be anonymous.</p> <p>Cryptographic identities are commonly anchored in public certificate authorities. They can play an important part in content provenance since they can bind individuals and devices to content and assertions on content.
This can strengthen the provenance of the content.</p> </div> <div> <h4>3.2.3 Digital ledgers (Blockchain)</h4> <p>Blockchain is a decentralised digital ledger technology that records transactions in a secure, tamper-proof manner. Each transaction, or block, is cryptographically linked to the previous one, forming a continuous chain. This chain of blocks provides a complete and transparent history of all transactions, making it virtually impossible to alter or manipulate without detection.</p> <p>Blockchains are often implemented in a decentralised file system, meaning that they are not owned by any one individual or organization and they have no single point of failure. Organizations can use public blockchains or they may choose to use a more private implementation, depending on specific provenance needs.</p> <p>The <abbr title="United Kingdom’s National Cyber Security Centre">NCSC</abbr> has published <a href="https://www.ncsc.gov.uk/whitepaper/distributed-ledger-technology">guidance on the use of distributed ledger technology</a> to aid in determining whether distributed ledger is an appropriate technology for a given scenario.</p> </div> <div> <h4>3.2.4 Web archiving</h4> <p>Web archiving refers to the process of collecting and preserving digital content from the World Wide Web so that it will be accessible in the future, even if the content is removed from a website. The primary goal of web archiving is to create a permanent record of web content, capturing website evolutions and online information changes. This process is invaluable for the preservation of digital media provenance because it captures digital assets’ original form, context, and ownership, as well as subsequent versions. The <a href="https://web.archive.org/">Internet Archive Wayback Machine</a> is an example of a general web archiving service.</p> <p>The web archiving approach can be expanded into a more robust provenance mechanism using cryptographic signatures and timestamps.
The archived data can then be used to verify the authenticity and integrity of digital content and to establish its historical context.</p> </div>
<div> <h4>3.2.5 Digital watermarking</h4>
<p>Digital watermarking is not a provenance mechanism, but it is included here because it is often considered for addressing digital trust challenges. A watermark marks content as coming from a source; it does not by itself record when the content was created or what happened to it afterwards. Digital watermarking can be overt or covert.</p>
<p><strong>Overt watermarking</strong> entails adding a visible or easily detectable watermark, often a pattern the viewer can see, to content such as images or video. Removing or editing the watermark leaves distortions in the image or video that the end viewer may notice if the editing is unsophisticated.</p>
<p><strong>Covert watermarking</strong> entails embedding a watermark that the viewer cannot detect. It becomes distorted if the image or video is edited. The distortions are not readily detectable by viewers, but they are detectable by the parties that implemented the watermark and know how to check for it.</p>
<p>Overt and covert watermarks may provide a means of detecting some attempts at altering digital content. Many forms of overt watermark can be removed using modern editing software, and covert watermarks are limited in effectiveness by the small number of parties that can detect changes. These considerations may limit the usefulness of watermarks in addressing digital trust requirements. However, watermarking can still add value as one layer in a layered defence.</p> </div>
<div> <h4>3.2.6 The Coalition for Content Provenance and Authenticity</h4>
<p>The <a href="https://c2pa.org/">Coalition for Content Provenance and Authenticity (C2PA)</a> is an industry organization that aims to address the prevalence of misleading online information through technical standards. 
It has established an open specification for documenting and certifying the source and history of media content.</p>
<p>The <a href="https://contentauthenticity.org/">Content Authenticity Initiative (CAI)</a>, which includes major technology and media companies, promotes adoption of the C2PA standard. C2PA is a relatively new but major standard in the provenance space, and it is still under active development.</p>
<p>C2PA uses cryptographic methods to establish provenance on media content. It is organized around a manifest that is normally embedded in the content file (it can also be stored separately and referenced from the content). The manifest records assertions about the item, such as who created or edited it, when and where, and with which tool; a hash of the content binds the manifest to the exact bytes it describes, and the whole claim is signed with the author's or capture device's X.509 certificate. Each edit adds a new manifest, so a manifest store holds multiple manifests reflecting the history of changes to the content. This manifest store is also known as a Content Credential (represented by the “CR” icon). The standard builds on trusted timestamps (Section 3.2.1) and can use watermarking (Section 3.2.5) to help re-associate content with its manifest if the embedded manifest has been stripped.</p> </div> </div>
<div> <h3 id="not-sutible-public">3.3 Why private provenance systems aren’t suitable for public content</h3>
<p>Most organizations have some form of internal versioning and logging to track details of changes to content. These systems are private in the sense that the systems and their supporting integrity mechanisms, such as <abbr title="public key infrastructure">PKI</abbr> certificate authorities, are often internal to the organization.</p>
<p>A private provenance infrastructure works well for corporate and some legal requirements but is largely unusable for public provenance requirements. This is mainly because the mechanism is wholly managed by the organization and designed for restricted internal use only. 
Additionally, private provenance systems rely heavily on separation of duties as the main mechanism for the integrity of their records, and an outside party cannot observe whether that separation is actually enforced.</p>
<p>Private provenance systems lack the visibility, transparency and accountability features necessary to make their provenance capability useful for establishing public trust in an organization’s information. To address public requirements, organizations need to reconsider provenance mechanisms for at least some of their content.</p> </div> </section>
<section><h2 id="depolying-considerations-usecase">4. Deploying public content provenance systems: Considerations and example use cases</h2>
<p>Not all organizations will have the same requirements for public provenance of their content. Requirements depend on factors such as the organization’s:</p>
<ul><li>particular public information trust challenges</li> <li>overall strategy for addressing public information trust</li> <li>audience</li> <li>volume of content</li> <li>financial resources</li> </ul>
<p>Specific requirements may evolve quickly given the rapid changes in the information environment driven by cyber criminal and state use of AI.</p>
<div><!-- 4.1 --> <h3 id="points-orgs-consider">4.1 Points for organizations to consider</h3>
<p>When considering deployment of a public content provenance system, there are a number of questions organizations should ask themselves.</p>
<div><!-- 4.1.1 --> <h4>4.1.1 Strategy to establish public information trust</h4>
<p>Public information trust strategies will vary depending on factors such as the subject domain, the audience, and the objectives of actors seeking to use the organization’s public information against it.</p>
<p>Many organizations already have some capability for establishing trust in their public information and countering claims made against them. 
Using public provenance will help establish trust in an organization’s content, but it may not be as effective, or have the same return on investment, as other strategies.</p>
<p>Organizations should decide whether to use provenance as an approach to countering the challenges they face. Those choosing to use provenance technologies will also have to consider how to implement them.</p> </div>
<div> <h4>4.1.2 Introduction of provenance in the content lifecycle</h4>
<p>Organizations can have a lot of content. Some of this content is publicly available. Other content, such as drafts, may not be publicly available now but will become public in the future.</p>
<p>The content may be at various stages of update and editing in preparation for publication. It may be distributed across a variety of systems and may be subject to changes by many individuals.</p>
<p>Organizations may also have some content that they never intend to make public, and some content may pose challenges or risks to the organization itself. As a result, organizations may choose strong provenance measures only for some types of content. They may also choose to protect content at the point of publication rather than at the point of creation; this is simpler to deploy but produces no record of the intermediate editing steps.</p> </div>
<div> <h4>4.1.3 Timeframe for content verification</h4>
<p>The public’s requirements for information verification can vary in timeframe depending on the information context. Some information verification requirements will be aimed at short-term concerns such as elections, while others will be aimed at generational issues such as evidence concerning distant historical events.</p>
<p>For short-term events, the organizational risk is that it will take longer to verify the provenance information than the event timeframe allows. 
Timeframe issues can affect how long provenance records must be maintained, as well as how readily accessible the records need to be.</p>
<h4>4.1.4 Cost</h4>
<p>Digital provenance mechanisms are relatively new and have associated implementation, operation and maintenance costs. In most cases, organizations will have to change business processes to make effective use of provenance mechanisms. In addition, provenance technologies are evolving rapidly, and near-term implementations may quickly become obsolete.</p>
<p>Organizations may choose to prioritise non-provenance public information trust responses, or they may choose to implement interim or partial solutions, for example using public provenance measures only for critical content.</p> </div>
<div> <h4>4.1.5 Audience and format</h4>
<p>The audience for provenance information will not necessarily be the same as an organization’s core audience. This will depend on the organization’s strategic and tactical response to the use of its information.</p>
<p>Formats for provenance information will differ depending on the system used by the specific audience.</p>
<p>Media companies hold copyright on their information and may be able to use copyright tools to remove infringing material from the Internet. In this case, the audience for provenance evidence is legal professionals, Internet service providers and social media companies, and provenance information would need to be formatted to meet their different evidence requirements. A media company’s implementation of provenance mechanisms will likely differ from that used by organizations whose provenance audience is the general public.</p> </div>
<div> <h4>4.1.6 Maturity of public provenance technologies</h4>
<p>Organizations should also consider the maturity of public provenance technologies. Technologies for versioning and logging to meet an organization’s internal provenance requirements are mature. 
Public provenance technologies are less developed, although some of the related technologies used in private provenance, such as cryptographic hashing and digital signatures, can be reused in public systems.</p>
<p>Publicly accessible provenance systems have additional requirements, for example end-point devices such as cameras that can cryptographically sign content at the moment of capture, and tamper-evident ledgers. These technologies are developing but immature.</p>
<p>Organizations may choose to do partial and trial implementations. They may also choose to establish architectures that allow newer technologies to be integrated as they become available.</p> </div> </div>
<div> <h3 id="usecase">4.2 Example use cases</h3>
<p>As we have seen, requirements for public provenance will vary between organizations depending on the challenges they face in communicating facts to their audiences and on their public information trust strategy and tactics. 
These different requirements will shape the provenance infrastructure.</p>
<p>Here we provide analysis of 5 different use cases, using the provenance characteristics identified in <a href="#consider-provenance-systems">Section 3.1 What to consider when selecting provenance systems</a>.</p>
<div><!-- 4.2.1 --> <h4>4.2.1 Use case 1: Organization wants provenance of all its public content</h4>
<p>An organization that wishes to establish provenance of its own public content can either:</p>
<ul><li>establish a tamper-evident provenance record, including the date and time, at the point of publishing, or</li> <li>create content provenance records for all the intermediate steps of creating the content</li> </ul>
<p>The provenance record then becomes a tool for the organization’s communications staff, and for others who review and fact-check the content, to validate or refute claims about the content’s veracity.</p>
<p>The public needs to be able to find and verify content easily. To be useful, the verification mechanisms must be simple, intuitive and reliable.</p> </div>
<div> <h4>4.2.2 Use case 2: Organization’s content provenance is only needed for a short time</h4>
<p>The required duration of a provenance record can vary depending on its expected use. Like many forms of digital record, some provenance records may only be required for a relatively short period, for example content that is transitory and only has short-term significance, such as event announcements. Provenance on the announcement may have value prior to the event, but the value of any provenance record will rapidly diminish afterwards.</p>
<p>Provenance infrastructure that supports short-duration requirements would not need to factor in long-duration requirements, which simplifies implementation and lifecycle considerations.</p> </div>
<div> <h4>4.2.3 Use case 3: Organization’s content provenance is needed for a long time</h4>
<p>Some organizations will need their provenance records to endure well into the future. 
First-hand accounts of noteworthy events are one example. Future generations may need to verify the authenticity of today’s digital content. This is especially true in a world where generative AI is increasingly capable.</p>
<p>Proving the veracity of recorded testimony over timeframes of more than 25 years could be challenging, as the certification components for identities and timestamps may not endure: certificates expire, issuing authorities go out of business and signature algorithms weaken, so long-lived records need to be re-timestamped periodically with current algorithms before the older ones are broken. The provenance mechanism must therefore address changes in technology, as well as turnover of business entities such as certificate providers and hosting services. The verification mechanism itself must also endure.</p>
<p>Maintaining the provenance and verification mechanisms over the long term will likely rely on distributed content stores and ledgers, given that, in time, most organizations shut down as part of the normal organizational lifecycle. Such mechanisms are still in the early stages of development and can be expensive to implement and use.</p> </div>
<div> <h4>4.2.4 Use case 4: Organization needs content to retain its anonymity and privacy</h4>
<p>Some provenance requirements have privacy and anonymity considerations, for example in the field of journalism, where sources working in dangerous environments may need to remain anonymous for their protection. This can be done using trusted anonymous identities for individuals, or trusted capture devices that preserve user anonymity. 
Although this diminishes the strength of the provenance claim, it can still add value.</p>
<p>Other provenance methods, such as trusted timestamps and provenance certification by higher-level entities (in this case, the journalism organization), can strengthen the provenance record, helping to retain its usefulness.</p> </div>
<div> <h4>4.2.5 Use case 5: Copyright and other legal redress</h4>
<p>Public content provenance records can potentially be used by organizations in their efforts to redress copyright infringement of their content.</p>
<p>The provenance mechanism can be used to identify the copyright permissions available to others using the content (for example, a Creative Commons licence) in a way that the public can verify.</p>
<p>Many jurisdictions are currently developing mechanisms to address other forms of information misuse.</p>
<p>Organizations implementing provenance mechanisms for this purpose may need to consider both specialised audiences and legal redress requirements in their systems design.</p> </div> </div> </section>
<section><h2 id="next-steps text-info">5. Next steps</h2>
<p>The content provenance space is rapidly evolving to meet emerging challenges but is still mainly in the development stage. If you are considering content provenance as part of your organization’s trust strategy, you should:</p>
<ul><li>understand how your information, and information about your organization, is received by your audience and other parties, and how this affects your audience’s trust in your organization</li> <li>consider how content provenance technologies might address your organization’s public trust challenges</li> <li>stay abreast of changes in technology and emerging trust threats in the information environment</li> </ul></section>
</div> </div> </div> </div> </div> </article>
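As an added worked example, not code from the Cyber Centre publication above, the following Go program ties together the mechanisms described in Section 3.2: a publisher's cryptographic identity signs the hash of each content version (3.2.2), an independent timestamper countersigns that hash together with the time it observed, the way an RFC 3161 authority would (3.2.1), and every record carries the hash of the previous one so the history forms a tamper-evident chain, which is the idea behind the ledgers of 3.2.3 and the manifest store of 3.2.6. The record layout, the in-memory Ed25519 keys, the function names and the sample content are assumptions made for this illustration; a real deployment would use X.509 certificates and a real timestamping service rather than keys generated in the same process. Verify also encodes the page's point about self-signed provenance by refusing a chain whose timestamper key is the author's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Record is one entry in a hash-linked provenance chain. Added illustration only:
// not a C2PA manifest or an RFC 3161 token; the field layout is an assumption.
type Record struct {
	Seq        int
	PrevHash   []byte // hash of the previous record: the ledger link (3.2.3)
	ContentSHA []byte // SHA-256 of the content; the content itself is never stored
	Action     string // e.g. "published", "edited"
	AuthorSig  []byte // publisher's signature over ContentSHA (identity, 3.2.2)
	TSTime     int64  // Unix time asserted by an independent timestamper (3.2.1)
	TSSig      []byte // timestamper's signature over ContentSHA || TSTime
}

// tsMessage is what the timestamper signs: the hash it was handed plus the time
// it observed. Like an RFC 3161 TSA, it never sees the document itself.
func tsMessage(contentSHA []byte, t int64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(t))
	return append(append([]byte{}, contentSHA...), buf...)
}

// recordHash folds every field into one digest, so the next record's PrevHash
// covers the signatures and timestamp as well as the content hash.
func recordHash(r Record) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, int64(r.Seq))
	h.Write(r.PrevHash)
	h.Write(r.ContentSHA)
	h.Write([]byte(r.Action))
	h.Write(r.AuthorSig)
	binary.Write(h, binary.BigEndian, r.TSTime)
	h.Write(r.TSSig)
	return h.Sum(nil)
}

// Append adds the record for a new content version. authorKey is the publisher's
// identity key; tsaKey stands in for a third-party timestamping service.
func Append(chain []Record, content []byte, action string,
	authorKey, tsaKey ed25519.PrivateKey, now time.Time) []Record {
	sum := sha256.Sum256(content)
	r := Record{Seq: len(chain), ContentSHA: sum[:], Action: action}
	if len(chain) > 0 {
		r.PrevHash = recordHash(chain[len(chain)-1])
	}
	r.AuthorSig = ed25519.Sign(authorKey, r.ContentSHA)
	r.TSTime = now.Unix()
	r.TSSig = ed25519.Sign(tsaKey, tsMessage(r.ContentSHA, r.TSTime))
	return append(chain, r)
}

// Verify checks the whole chain with public keys only, which is all a reader or
// fact-checker holds. A timestamper key equal to the author's key is rejected:
// self-signed timestamps add no independent evidence (Section 3.2).
func Verify(chain []Record, authorPub, tsaPub ed25519.PublicKey) error {
	if authorPub.Equal(tsaPub) {
		return fmt.Errorf("timestamper key must be independent of the author key")
	}
	prev, lastTime := []byte(nil), int64(0)
	for i, r := range chain {
		if r.Seq != i || !bytes.Equal(r.PrevHash, prev) {
			return fmt.Errorf("record %d: chain link broken", i)
		}
		if !ed25519.Verify(authorPub, r.ContentSHA, r.AuthorSig) {
			return fmt.Errorf("record %d: author signature invalid", i)
		}
		if !ed25519.Verify(tsaPub, tsMessage(r.ContentSHA, r.TSTime), r.TSSig) {
			return fmt.Errorf("record %d: timestamp signature invalid", i)
		}
		if r.TSTime < lastTime {
			return fmt.Errorf("record %d: timestamp earlier than previous record", i)
		}
		prev, lastTime = recordHash(r), r.TSTime
	}
	return nil
}

func main() {
	authorPub, authorKey, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaKey, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Date(2026, 1, 16, 19, 3, 0, 0, time.UTC)
	// Constructed sample content for the illustration, not real publications.
	chain := Append(nil, []byte("Advisory v1: apply the patch."), "published", authorKey, tsaKey, t0)
	chain = Append(chain, []byte("Advisory v2: apply the patch (typo fixed)."), "edited", authorKey, tsaKey, t0.Add(time.Hour))
	fmt.Println("intact chain:", Verify(chain, authorPub, tsaPub))
	chain[0].TSTime -= 86400 // attempt to back-date the original publication by a day
	fmt.Println("back-dated chain:", Verify(chain, authorPub, tsaPub))
}
```

A reader who holds a copy of the document recomputes its SHA-256, finds the record whose ContentSHA matches, and runs Verify over the chain using only the two public keys. Because the records carry hashes rather than content, the same chain can cover drafts that are not yet public, which is the point-of-creation option discussed in Section 4.1.2; the back-dating attempt in main fails because the timestamper's signature covers the time as well as the hash, and changing the content, dropping a record or reordering the chain fails for the same reason.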
- Joint guidance on principles for the secure integration of artificial intelligence in operational technology by Canadian Centre for Cyber Security on December 3, 2025 at 7:28 pm
This joint guidance outlines 4 key principles CI owners and operators can follow to leverage the benefits of AI in OT systems while minimizing risk.
- Joint statement on malicious cyber activity targeting Canadian critical infrastructure by Canadian Centre for Cyber Security on November 27, 2025 at 1:23 pm
- Backgrounder: Malicious cyber activity targeting Canadian critical infrastructure by Canadian Centre for Cyber Security on November 26, 2025 at 9:11 pm