Cyber Security Guidance Canada Government

  • Threat detection for SharePoint vulnerabilities
    by Canadian Centre for Cyber Security on September 5, 2025 at 2:11 pm

    <article data-history-node-id="6744" about="/en/news-events/threat-detection-sharepoint-vulnerabilities" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-12"> <p>The Canadian Centre for Cyber Security (Cyber Centre) is <strong>actively tracking multiple campaigns exploiting recently disclosed critical vulnerabilities in on-premises Microsoft SharePoint servers</strong>, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771. These widespread campaigns leverage an exploit chain known as <strong>ToolShell</strong>.</p> <p>To help defenders combat attacks leveraging these vulnerabilities, the Cyber Centre has compiled a detailed analysis derived from recent investigations. 
This analysis outlines the <strong>full attack path</strong>, examines the <strong>evolution and use of the ToolShell exploit chain</strong>, and provides an <strong>in-depth characterization of the threat actor’s techniques</strong>, along with critical mitigation and detection guidance.</p> </div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#summary">Executive summary</a></li> <li><a href="#overview">An incident overview</a></li> <li><a href="#analysis">Analysis of the incident</a></li> <li><a href="#indicators">Indicators of compromise and recommendations</a></li> <li><a href="#tools-services">Cyber Centre tools and services</a></li> <li><a href="#acknowledgements">Acknowledgements</a></li> </ul></details></section><section><h2 class="text-info" id="summary">Executive summary</h2> <p>This technical article aims to raise awareness and describe some of the tactics, techniques, and procedures (TTPs) associated with a threat actor seen exploiting the vulnerabilities in on-premises Microsoft SharePoint servers. The Canadian Centre for Cyber Security’s (Cyber Centre) preliminary findings highlight that this threat actor initially exploited a server then used a novel technique with custom .NET payloads to gain and maintain code execution. Subsequent analysis of dozens of custom in-memory payloads provided valuable insight into the extent of the compromise and the threat actor’s intentions and activities.</p> </section><section><h2 class="text-info" id="overview">An incident overview</h2> <p>The events in the timeline below highlight the type of post-exploitation behaviour observed by the Cyber Centre. 
This incident demonstrates how even well-prepared teams can be affected by issues outside of their control: although the victims in this use case upheld strong security practices and took appropriate precautions, they were impacted by an unforeseeable software defect.</p> <!-- Figure 1 --> <section class="panel panel-default col-md-12"><div class="panel-body"> <h3 class="text-center h5" id="fig1"><strong>Figure 1: Timeline of events associated with SharePoint vulnerabilities</strong></h3> <figure><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig1-e.png" /></figure><details><summary>Long description – Timeline of events associated with SharePoint vulnerabilities</summary><ul class="list-unstyled"><li><strong>Day -12:</strong> Initial access using SharePoint CVE, script execution and data exfiltration (until Day -8)</li> <li><strong>Day -8:</strong> SMB lateral movement and lateral movement to IIS servers</li> <li><strong>Day -10:</strong> SMB lateral movement (until Day -2), lateral movement to IIS servers (until Day -2), script executions (until Day -1), and data exfiltration (until Day -1)</li> <li><strong>Day 0:</strong> CVEs published (CVE-2025-53770 and CVE-2025-53771)</li> <li><strong>Day 2:</strong> Patches released</li> <li><strong>Day 9:</strong> Last known actor activity on network</li> </ul></details></div> </section><p>The Cyber Centre confirmed that activities exploiting the SharePoint vulnerabilities were observed as early as Day -12, consistent with the following recent reports:</p> <ul><li><a href="https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/">Disrupting active exploitation of on-premises SharePoint vulnerabilities (Microsoft)</a></li> <li><a 
href="https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/">Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Palo Alto’s Unit42)</a></li> </ul><p>However, a key indicator of compromise (IoC) shared by Microsoft in its July 19 <a href="https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/">customer guidance for SharePoint vulnerability CVE-2025-53770</a>—the presence of a file called spinstall0.aspx—was not found during the incident in question. This indicates that, after initially exploiting the server, the threat actor used a novel technique with custom .NET payloads to gain and maintain code execution rather than dropping a file-based web shell: neither the spinstall0.aspx file (or variations on it) nor a PowerShell process spawned by Internet Information Services (IIS) was observed as part of the attack path. Defenders should therefore not treat the absence of these two indicators as evidence that a server was not compromised.</p> <p>Having established an initial foothold in the network, the threat actor moved to an additional server to perform reconnaissance, solidify their access and establish persistence through discovery and lateral movement. To achieve this, they uploaded several different custom .NET payloads directly into the IIS process memory over a period of several hours. 
These payloads included:</p> <ul><li>a module to intercept requests for legitimate files on the web server based on certain criteria</li> <li>a module to extract cryptographic configuration values to facilitate subsequent exploitation on the web server</li> <li>a module to read and exfiltrate the host’s Security Account Manager (SAM) password database for offline cracking</li> <li>a Server Message Block (SMB) client to perform reconnaissance on the network</li> <li>a filesystem crawler</li> <li>a Lightweight Directory Access Protocol (LDAP) querying tool</li> </ul><p>These payloads were frequently combined with a privilege escalation exploit and an encryption module.</p> <!-- Figure 2 --> <section class="panel panel-default col-md-8 col-md-offset-1"><div class="panel-body"> <h3 class="text-center h5" id="fig2"><strong>Figure 2: Attack path depicting how the threat actor gained access and moved through the environment</strong></h3> <figure><img alt="Figure 2 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig2-e.png" /></figure><details><summary>Long description – Attack path depicting how the threat actor gained access and moved through the environment</summary><p>The image illustrates an attack flow starting with an external threat actor exploiting a SharePoint server in the DMZ (Step 1). From the SharePoint server, the attacker collects information and performs privilege escalation (Step 2). The attacker performs account discovery from the domain controller (Step 3). The attacker moves laterally to an IIS server (Step 4). The attacker shows interest in the internal Exchange server (Step 5). The attacker moves laterally into the internal network (Step 6).</p> </details></div> </section><div class="clearfix"> </div> <p>The threat actor used Hypertext Transfer Protocol Secure (HTTPS) externally to access compromised servers and exfiltrate data. 
They used SMB internally to perform reconnaissance and stage a new web shell on a separate IIS web server that was not running SharePoint. The threat actor leveraged compromised network devices to obfuscate their true origin and access the victims’ network from unpredictable IP addresses. This allowed them to blend in with normal traffic and reduced the usefulness of IP-based IoCs for tracking and discovery.</p> <p>From both beachheads, the threat actor proceeded to connect to multiple devices on the internal network and scrape the domain controller and LDAP servers for information.</p> <p>The last known activity on the network by the threat actor occurred on Day 9, with some subsequent reconnaissance activity touching cloud resources using previously compromised credentials. As of this writing, we continue to observe persistent malicious efforts to access both on-prem and cloud infrastructure using these credentials, which have since been rotated.</p> </section><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <!-- Section: Analysis of the incident --> <section><h2 class="text-info" id="analysis">Analysis of the incident</h2> <section class="alert alert-info"><p><strong>Disclaimer:</strong> Comments in source code were added as part of reverse-engineering efforts and are not present in the original samples.</p> </section><p>The Cyber Centre analyzed host and network activity by leveraging telemetry from its sensors. The victims also provided snapshots in time of firewall and Hypertext Transfer Protocol (HTTP) access logs, which were crucial in tracing the compromise back to its very beginning. Ultimately, it was the analysis of dozens of custom in-memory payloads that provided the full story.</p> <p>These payloads consisted of dynamic-link libraries (DLL) loaded into memory over a period of several weeks. 
After the common vulnerabilities and exposures (CVEs) were made public, the Cyber Centre extracted these payloads from running processes on compromised hosts and reverse engineered them. This provided valuable insight into the extent of the SharePoint compromise and the threat actor’s intent and activities.</p> <h3>MITRE ATT&amp;CK techniques observed during analysis</h3> <p>The information below is based on the attack path outlined in <a href="#fig2">figure 2</a>.</p> <h4 class="text-info">Observation 1</h4> <ul><li>Main techniques <ul><li>Exploit public-facing application (<a href="https://attack.mitre.org/techniques/T1190/">T1190</a>)</li> <li>Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</li> </ul></li> <li>Additional techniques <ul><li>Exfiltration over alternative protocol: exfiltration over symmetric encrypted non-C2 protocol (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>)</li> <li>Compromise infrastructure: network devices (<a href="https://attack.mitre.org/techniques/T1584/008/">T1584.008</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 2</h4> <ul><li>Main techniques <ul><li>System information discovery (<a href="https://attack.mitre.org/techniques/T1082/">T1082</a>)</li> <li>Exploitation for privilege escalation (<a href="https://attack.mitre.org/techniques/T1068/">T1068</a>)</li> <li>OS credential dumping: security account manager (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>)</li> </ul></li> <li>Additional techniques <ul><li>Data from local system (<a href="https://attack.mitre.org/techniques/T1005/">T1005</a>)</li> <li>Unsecured credentials: credentials in files (<a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 3</h4> <ul><li>Main techniques <ul><li>Account discovery: local account (<a href="https://attack.mitre.org/techniques/T1087/001/">T1087.001</a>)</li> 
</ul></li> <li>Additional techniques <ul><li>Account discovery: domain account (<a href="https://attack.mitre.org/techniques/T1087/002/">T1087.002</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 4</h4> <ul><li>Main techniques <ul><li>Remote services: SMB/Windows admin shares (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>)</li> <li>Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</li> </ul></li> <li>Additional techniques <ul><li>Exfiltration over alternative protocol: exfiltration over symmetric encrypted non-C2 protocol (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>)</li> <li>Compromise infrastructure: network devices (<a href="https://attack.mitre.org/techniques/T1584/008/">T1584.008</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 5</h4> <ul><li>Main techniques <ul><li>Email collection (<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>)</li> </ul></li> </ul><h4 class="text-info">Observation 6</h4> <ul><li>Main techniques <ul><li>Remote services: SMB/Windows admin shares (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>)</li> </ul></li> <li>Additional techniques <ul><li>Valid accounts: domain accounts (<a href="https://attack.mitre.org/techniques/T1078/002/">T1078.002</a>)</li> <li>Remote services: remote desktop protocol (<a href="https://attack.mitre.org/techniques/T1021/001/">T1021.001</a>)</li> </ul></li> </ul><p>Further analysis revealed that:</p> <ul><li>the initial exploitation dated back to Day -12, almost 2 weeks earlier than the CVEs’ public disclosure on July 19</li> <li>a significant number of malicious activities followed the preliminary compromise, leveraging more than 50 distinct payloads over a period of several weeks</li> <li>the threat actor had a keen interest in acquiring and exfiltrating documents on accessible file shares and used SMB protocol to access them</li> <li>many 
payloads were dynamically generated and contained hard-coded values such as server names and paths; some of these included occasional typos, which were fixed in subsequent uploads. These dynamically generated payloads limited the usefulness of hash-based IoCs</li> </ul><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Observed technique 1 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 1: Initial access (TA0001)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Exploit public-facing application (<a href="https://attack.mitre.org/techniques/T1190/">T1190</a>)</span></p> <p>The threat actor leveraged vulnerabilities to gain remote code execution (RCE) on an Internet-exposed SharePoint server (<a href="https://attack.mitre.org/techniques/T1190/">T1190</a>). Initial access occurred on Day -12, 2 weeks before the public disclosure of vulnerabilities, and was achieved through the exploitation of CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771, an exploit chain also known as ToolShell. 
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities Catalog</a> on July 20, followed by CVE-2025-49704 and CVE-2025-49706 on July 22.</p> </div> </div> <!-- Observed technique 2 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 2: Persistence (TA0003)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</span></p> <p>The threat actor implemented custom-developed code designed to intercept and manipulate web server requests to legitimate files for tailored processing (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>). This code allowed interactions that facilitated the collection of internal system and network information and enabled the exfiltration of sensitive data from the compromised environment. Meanwhile, the chosen endpoint to stage subsequent activity allowed the threat actor to blend their traffic with normal application traffic. In the figure below, ows.js is a legitimate SharePoint file that the threat actor chose to use in an attempt to blend in and should not be considered an IoC.</p> <!-- Figure 3 coding --> <h5 class="text-center" id="fig3"><strong>Figure 3: Sample of web shell request handler</strong></h5> <figure><img alt="Figure 3 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig3-e.png" /></figure><details><summary>Long description – Sample of web shell request handler</summary><p>The image contains a snippet of C# code that defines a method named OnPostAuthenticateRequestCurrent, which acts as a custom HTTP request handler. 
The method intercepts requests to a specific SharePoint JavaScript file (/_layouts/15/ows.js) and processes a custom header (WWW-Authorization) to potentially execute encrypted commands on the server. The code includes a conditional check to ensure the request is a GET method and that the WWW-Authorization header exists and has a length of at least 5 characters.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Observed technique 3 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 3: Credential access (TA0006)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">OS credential dumping: security account manager (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>); Unsecured credentials: credentials in files (<a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a>)</span></p> <p>The threat actor deployed custom code to gather credentials from the operating system (<a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a>) and to obtain sensitive information located in configuration files available on the web server (<a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a>). The server’s ASP.NET machine key (validation and decryption keys) was obtained early on, which allowed for subsequent forging of ViewState requests. 
As per Microsoft guidance, once the keys are compromised, patching alone is not sufficient; attackers can continue to achieve code execution through ViewState deserialization until the keys themselves are rotated and IIS is restarted on every SharePoint server in the farm.</p> <!-- Figure 4 coding --> <h5 class="text-center" id="fig4"><strong>Figure 4: Sample of exfiltration of cryptographic configuration settings</strong></h5> <figure><img alt="Figure 4 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig4-e.png" /></figure><details><summary>Long description – Sample of exfiltration of cryptographic configuration settings</summary><p>The image shows a C# code snippet that dynamically loads the System.Web assembly and uses reflection to access the MachineKeySection class. It retrieves sensitive configuration details such as validation and decryption keys, as well as compatibility mode, and concatenates them into a string. This information is then added to the HTTP response header under the key "X-TXT-NET," potentially exposing critical security data.</p> </details><div class="clearfix"> </div> <p>The threat actor had also gathered 4 files from the compromised server within a few days of the initial breach (listed in order of occurrence):</p> <ul><li>C:\Windows\System32\config\SAM</li> <li>C:\Windows\System32\config\SYSTEM</li> <li>C:\Windows\System32\config\SECURITY</li> <li>C:\Windows\System32\inetsrv\Config\applicationHost.config</li> </ul><p>The code snippet in <a href="#fig5">figure 5</a> includes a privilege escalation exploit and a New Technology File System (NTFS) parsing library (NTFSLib) to bypass file locking by leveraging raw disk access. 
Access to the 4 system resources listed above allows for offline cracking of credentials: the SYSTEM hive holds the boot key needed to decrypt the local account hashes in SAM and the LSA secrets and cached domain credentials in SECURITY, while applicationHost.config can contain encrypted application pool identity and virtual directory credentials.</p> <!-- Figure 5 --> <h5 class="text-center" id="fig5"><strong>Figure 5: Code snippet used to collect the SYSTEM hive from disk</strong></h5> <figure><img alt="Figure 5 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig5-e.png" /></figure><details><summary>Long description – Code snippet used to collect the SYSTEM hive from disk</summary><p>The image shows a C# code snippet that processes an HTTP request if its content length is not zero. It decodes a Base64-encoded string, splits it into an array using directory separator characters, and extracts a file path. The code then interacts with a custom NTFSWrapper class to access raw disk data and retrieve the parent directory entry of the specified path, potentially indicating malicious or unauthorized file system access.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Observed technique 4 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 4: Discovery (TA0007)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">Account discovery: local account (<a href="https://attack.mitre.org/techniques/T1087/001/">T1087.001</a>); Account discovery: domain account (<a href="https://attack.mitre.org/techniques/T1087/002/">T1087.002</a>)</span></p> <p>Over a 2-week period, the domain controller hosting the LDAP service was queried by the threat actor 19 times to collect information on users, service accounts, groups, administrators and user mailboxes.</p> <!-- Figure 6 --> <h5 class="text-center" id="fig6"><strong>Figure 6: Sample of LDAP 
scraping</strong></h5> <figure><img alt="Figure 6 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig6-e.png" /></figure><details><summary>Long description – Sample of LDAP scraping</summary><p>The image shows a C# code snippet that performs an LDAP query on a specified domain to search for directory entries matching a given filter. The results are serialized into JSON format, encrypted using AES with predefined keys, and then encoded in Base64 before being written to the HTTP response. This code appears to facilitate unauthorized access or exfiltration of directory information.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Observed technique 5 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 5: Collection (TA0009)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">Data from local system (<a href="https://attack.mitre.org/techniques/T1005/">T1005</a>); Email collection (<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>)</span></p> <p>The threat actor leveraged their access to gather information related to the local system (<a href="https://attack.mitre.org/techniques/T1005/">T1005</a>) and unsuccessfully attempted to pivot to the internal mail server (<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>). 
The following data collection techniques targeted the filesystem and local storage.</p> <!-- Figure 7 --> <h5 class="text-center" id="fig7"><strong>Figure 7: Sample of file collection from the local system</strong></h5> <figure><img alt="Figure 7 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig7-e.png" /></figure><details><summary>Long description – Sample of file collection from the local system</summary><p>The image shows a C# code snippet that appears to enumerate directories and files within a specified path (C:\\users\\) and collects metadata such as last write time, creation time, and file size. The gathered information is processed into a string, encrypted using AES with predefined keys, and potentially sent as part of an HTTP response. This code suggests functionality for unauthorized data collection and exfiltration.</p> </details><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <p>Of note, the actor attempted to pivot to an internal webmail server proxied through the compromised SharePoint server.</p> <!-- Figure 8 --> <h5 class="text-center" id="fig8"><strong>Figure 8: Sample of email collection</strong></h5> <figure><img alt="Figure 8 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig8-e.png" /></figure><details><summary>Long description – Sample of email collection</summary><p>The image shows a C# code snippet configuring an HttpClient to send an HTTP POST request to a specified URL with custom headers and form-encoded data, including placeholders for sensitive credentials (REDACTED_USERNAME and REDACTED_PASSWORD). 
It sets the security protocol to support SSL3 and TLS12, bypasses SSL certificate validation, and includes a user-agent string mimicking a browser.</p> </details></div> </div> <div class="clearfix"> </div> <!-- Observed technique 6 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 6: Privilege escalation (TA0004)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Exploitation for privilege escalation (<a href="https://attack.mitre.org/techniques/T1068/">T1068</a>)</span></p> <p>The threat actor leveraged open-source tools to escalate their privileges and gain access to files and data beyond the reach of the initial compromise (<a href="https://attack.mitre.org/techniques/T1068/">T1068</a>). Artifacts of the <strong>PrintNotifyPotato</strong> privilege escalation tool were observed in several payloads. These allowed the threat actor access to otherwise restricted files. This technique was leveraged in multiple samples, with portions of code and strings directly matching the GitHub project source code. Potato-style tools abuse the SeImpersonatePrivilege that IIS application pool identities hold by default, which is why code running inside the web worker process can reach SYSTEM without a separate exploit against the operating system.</p> <!-- Figure 9 --> <h5 class="text-center" id="fig9"><strong>Figure 9: Sample of PrintNotifyPotato privilege escalation</strong></h5> <figure><img alt="Figure 9 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig9-e.png" /></figure><details><summary>Long description – Sample of PrintNotifyPotato privilege escalation</summary><p>The image shows a C# code snippet that performs token duplication and thread impersonation using native methods to elevate privileges. It duplicates a SYSTEM token, impersonates it on the current thread, and calls a function (F()) that appears to access sensitive data, such as the Security Account Manager (SAM) file. 
The code includes error handling and writes diagnostic messages to the HTTP response, indicating potential misuse for privilege escalation and data exfiltration.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <!-- Observed technique 7 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 7: Lateral movement (TA0008)</h4> <p><strong>Observed techniques:</strong> <span class="label label-info">Remote services: SMB/Windows admin shares (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>); Remote services: remote desktop protocol (<a href="https://attack.mitre.org/techniques/T1021/001/">T1021.001</a>)</span></p> <p>The threat actor performed reconnaissance and moved laterally in the environment by leveraging SMB connectivity (<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a>). Interestingly, they leveraged both a custom SMB client loaded inside a .NET module and the system’s own SMB client while they were active on the network. In addition, unsuccessful attempts to perform Remote Desktop Protocol (RDP) connections further into the network were observed from compromised servers.</p> <!-- Figure 10 --> <h5 class="text-center" id="fig10"><strong>Figure 10: Sample of SMB client</strong></h5> <figure><img alt="Figure 10 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig10-e.png" /></figure><details><summary>Long description – Sample of SMB client</summary><p>The image shows a C# code snippet that processes HTTP input to extract user credentials (user, address, and password) and attempts to establish an SMB connection using these details. 
If the connection succeeds, it serializes and encodes the list of shared resources; otherwise, it encodes a "connection failed" message. The SMB client instance is stored in the application context, suggesting potential misuse for unauthorized access or credential harvesting.</p> </details></div> </div> <div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix"> </div> <h4>SMB commands implemented by the sample</h4> <p>In the sample above, we observed the following SMB commands and associated behaviours:</p> <ul><li><strong>cn:</strong> establishes an SMB connection using a username, password, and IP address specified in the request. It saves the SMB connection to HttpApplication.Application["817FE0AC534D44E49"]</li> <li><strong>li:</strong> lists files in the connected SMB resource</li> <li><strong>re:</strong> reads a file from the connected SMB resource</li> <li><strong>we:</strong> writes, appends or creates a file on the connected SMB resource</li> <li><strong>de:</strong> deletes a file on the connected SMB resource</li> <li><strong>di:</strong> disconnects and cleans up the SMB client</li> </ul><p>The use of a bespoke SMB client inside .NET payloads enabled further detection opportunities: because the client opens its own sockets, outgoing connections over TCP port 445 appear to originate from the IIS worker process (w3wp.exe), as opposed to the normal pattern of SMB connections originating from the Windows kernel.</p> <!-- Observed technique 8 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 8: Persistence (TA0003)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Server software component: web shell (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>)</span></p> <p>After gaining a foothold in the network, the threat actor pivoted to an additional 
Internet-exposed IIS server (not SharePoint) within a matter of days, using the lateral movement techniques previously mentioned. This helped them establish a back-up persistent access point into the network (<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>), solidifying their presence, after which they remained dormant for almost 2 weeks.</p> <p>The compromise of a non-SharePoint server emphasizes the need to look beyond initial <abbr title="tactics, techniques and procedures">TTPs</abbr> for signs of lateral movement once an initial compromise is detected.</p> <p>The threat actor returned briefly on Day 9 by leveraging the above-mentioned access. However, because of the Cyber Centre’s improved understanding of the actor’s <abbr title="tactics, techniques and procedures">TTPs</abbr>, alongside newly deployed capabilities, this new activity was quickly detected and stopped.</p> <!-- Figure 11 --> <h5 class="text-center" id="fig11"><strong>Figure 11: Sample of additional web shell path</strong></h5> <figure><img alt="Figure 11 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig11-v2-e.png" /></figure><details><summary>Long description – Sample of additional web shell path</summary><p>The image shows a C# code snippet implementing an HTTP request handler that intercepts POST requests to a specific SharePoint path (/_layouts/15/start.aspx). It processes a Base64-encoded __EVENTVALIDATION parameter, decrypts it using DES, and parses the resulting data to handle specific modes, such as "Get." 
The code includes functionality for compressing and encoding data, suggesting potential misuse for unauthorized data manipulation or exfiltration.</p> </details></div> </div> <!--Observed technique 9 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 9: Resource development (TA0042)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Compromise infrastructure: network devices (<a href="https://attack.mitre.org/techniques/T1584/008/">T1584.008</a>)</span></p> <p>Indicators suggest that exploitation and exfiltration activities originated from several compromised network devices, including some with close geographical proximity to the target network. For example, the IP address used for the initial exploitation was not the same one subsequently used for ongoing collection and access development. This flexible choice of source IPs allowed the threat actor to blend in with normal traffic and reduced the usefulness of typical IP-based IoCs for tracking, discovery and blocking.</p> </div> </div> <!--Observed technique 10 --> <div class="panel panel-default"> <div class="panel-body"> <h4 class="mrgn-tp-sm">Observed tactic 10: Exfiltration (TA0010)</h4> <p><strong>Observed technique:</strong> <span class="label label-info">Exfiltration over alternative protocol: exfiltration over symmetric encrypted non-C2 protocol (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>)</span></p> <p>The Cyber Centre observed several obfuscation techniques in use during the exfiltration phase related to executing payloads embedded in web server requests. 
The most commonly observed technique was encrypting the result using a symmetric key (<a href="https://attack.mitre.org/techniques/T1048/001/">T1048.001</a>), encoding that result using Base64, and then returning the Base64-encoded buffer as part of the HTTP response from the web server. This encryption is encapsulated inside the regular Transport Layer Security (TLS) connections observed on normal port 443 traffic for the application.</p> </div> </div> </section><!-- Indicators of compromise and recommendations --> <section><h2 class="text-info" id="indicators">Indicators of compromise and recommendations</h2> <p>IoCs were distributed via the Cyber Centre’s automated threat intelligence sharing platform (AVENTAIL) and through alerts and communications by the Canadian Cyber Security Incident Response Team (CSIRT). This ensured that partners across all sectors had the information they needed to act decisively.</p> <p>For up-to-date information on alerts, advisories and guidance relating to the SharePoint vulnerabilities, please refer to the Cyber Centre alert <a href="https://www.cyber.gc.ca/en/alerts-advisories/al25-009-vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770">Vulnerability Impacting Microsoft SharePoint Server (CVE-2025-53770)</a>.</p> </section><!-- Cyber Centre tools and services --><section><h2 class="text-info" id="tools-services">Cyber Centre tools and services</h2> <p>No single tool, service or turnkey solution can reconstruct an incident, trace an attacker’s path or validate a threat on its own. A holistic approach using multiple perspectives is required to conduct a thorough investigation. 
As such, the Cyber Centre relies on multiple layered telemetry sources to detect threats and protect monitored assets.</p> <p>Active scanning tools helped identify Internet-exposed high-priority servers. <a href="https://www.cyber.gc.ca/en/tools-services/assemblyline">AssemblyLine</a> was used to enable triage at scale, processing hundreds of thousands of files per day. The Cyber Centre made enhancements to its <a href="https://github.com/cybercentrecanada/assemblyline-service-dotnet-decompiler">DotnetDecompiler Service</a> to automate the decompilation of .NET executables. This is now available in the Cyber Centre’s open-source repository, allowing the broader cyber security community the benefit of the same advanced capabilities.</p> <p>In response to this incident, the Cyber Centre also created YARA rules to help with the detection of malicious files related to the threat actor’s activity. Additional YARA rules will be released periodically after an evaluation period to ensure accuracy.</p> <p>The sample YARA rule below implements a detection for the LDAP scraping activity found in payloads extracted from the compromised server.</p> <!-- Figure 12 --> <section class="panel panel-default col-md-12"><div class="panel-body"> <h3 class="text-center" id="fig12"><strong>Figure 12: YARA rule for LDAP data collection detection</strong></h3> <figure><img alt="Figure 12 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/cyber-threat-detection-sharepoint-vulnerabilities-fig12-e.png" /></figure><details><summary>Long description – YARA rule for LDAP data collection detection</summary><p>The image shows a YARA rule named WIN_LDAPQuery designed to detect DLL files performing LDAP queries. It includes metadata such as the rule’s purpose, category, and reference to a SharePoint vulnerability advisory. 
The rule identifies suspicious behaviour by matching specific strings related to LDAP operations, encryption, and token handling, combined with conditions targeting file size and string occurrences.</p> <pre class="prettyprint"> <span class="wb-inv">Code</span>
rule win_ldapquery {
    meta:
        id = "1vOyulv5H6pIcnCKCQJxyB"
        fingerprint = "69d05a0633335c9c8c739d33e2af3b9f4be01369d4ccefb83e55d2fe094b0a87"
        version = "1.0"
        modified = "2025-08-27"
        status = "RELEASED"
        sharing = "TLP:CLEAR"
        source = "CCCS"
        author = "reveng@CCCS"
        description = "Detect a DLL that is performing a LDAP query."
        category = "MALWARE"
        malware = "ldapquery"
        malware_type = "INFOSTEALER"
        malware_type = "HACKTOOL"
        report = "TA25-0056"
        report = "TA25-0057"
        reference = "https://www.cyber.gc.ca/en/alerts-advisories/al25-009-vulnerability-impacting-microsoft-sharepoint-server-cve-2025-53770"

    strings:
        // Detection of classes and function names (latest version).
        $a1 = "LDir" ascii
        $a2 = "Explore" ascii
        $a3 = "Internals" ascii
        $a4 = "EncryptAes" ascii
        $a5 = "DecryptAes" ascii
        $a6 = "Set Token Error" wide
        $a7 = "AdsDateValue" ascii
        $a8 = "FindHandle" ascii

        // Detection of function names (oldest version).
        $x1 = "JavaScriptSerializer" ascii
        $x2 = "Serialize" ascii
        $x3 = "EncryptAes" ascii
        $x4 = "DecryptAes" ascii
        $x5 = "DirectorySearcher" ascii

        // Product and assembly version.
        $b1 = "0.0.0.0" wide

        // Guid for Internet Explorer (IE) COM object and strings for writing the HTTP response.
        $c1 = "9068270B-0939-11D1-8BE1-00C04FD8D503" ascii
        $c2 = "HttpResponse" ascii
        $c3 = "HttpContext" ascii
        $c4 = "ToBase64String" ascii
        $c5 = "GZipStream" ascii
        $c6 = "CreateEncryptor" ascii

        // Dynamic libraries with extern functions for security token escalation.
        $d1 = "advapi32.dll" ascii
        $d2 = "ntdll.dll" ascii
        $d3 = "kernel32.dll" ascii
        $d4 = "NtQuerySystemInformation" ascii
        $d5 = "OpenProcessToken" ascii
        $d6 = "GetTokenInformation" ascii
        $d7 = "SetThreadToken" ascii
        $d8 = "GetCurrentThreadToken" ascii
        $d9 = "Administrator" wide
        $d10 = "IUSR" wide

        // LDAP related strings.
        $e1 = "LDAP://" wide
        $e2 = "samaccountname=" wide nocase
        $e3 = "cn=" wide nocase
        $e4 = "msexchrecipienttypedetails=" wide
        $e5 = "userprincipalname=" wide
        $e6 = "mail=" wide

    condition:
        uint16(0) == 0x5A4D and
        ( (5 of ($a*) and 4 of ($d*)) or all of ($x*) ) and
        $b1 and
        4 of ($c*) and
        2 of ($e*) and
        filesize &lt; 2MB
}
</pre> </details></div> </section></section><!-- Cyber Centre tools and services --> <section><h2 class="text-info" id="acknowledgements">Acknowledgements</h2> <p>As a part of the Communications Security Establishment Canada (CSE), the Cyber Centre is a proud member of the Five Eyes, the world’s longest-standing and closest intelligence-sharing alliance. Sharing IoCs and <abbr title="tactics, techniques and procedures">TTPs</abbr> with the cyber community and Five Eyes partners has been instrumental since the SharePoint vulnerabilities were first discovered, and ongoing analytical exchanges have maximized the value of collected data.</p> <p>Further collaboration with organizations such as the Microsoft Threat Intelligence Center (MSTIC) and Palo Alto’s Unit42 has enabled the exchange of detailed malware analysis and technical findings, strengthening collective defences.</p> </section><section class="alert alert-info"><p><strong>Disclaimer:</strong> The Cyber Centre disclaims all liability for any loss, damage, or costs arising from the use of or reliance on the information within this article. 
Readers are solely responsible for verifying the accuracy and applicability of any information before acting on it.</p> </section></div> </div> </div> </div> </div> </article>
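The detection opportunity noted under tactic 7 above (outbound SMB over port 445 initiated by the IIS server process rather than by the Windows kernel), as an added example that is not the Cyber Centre's code: a small Python detector run over constructed Sysmon Event ID 3 (network connection) records flattened to key=value lines. It assumes the IIS worker process image is w3wp.exe and that Sysmon attributes kernel-initiated SMB sessions to the System process; the log lines are constructed, not captured from an incident.

```python
"""Flag outbound SMB (TCP/445) connections initiated by the IIS worker process.
Added example, not the Cyber Centre's code. Input: constructed Sysmon Event ID 3
records written as 'Key=Value' pairs on one line (a flattening chosen here)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption for this example: Sysmon attributes the kernel SMB redirector's
# connections to the "System" process (PID 4), so a web server role should
# never show a user-mode process opening 445 outbound. w3wp.exe is the IIS
# worker process, i.e. the "IIS server process" referred to in the article.
WEB_SERVER_IMAGES = {"w3wp.exe"}
SMB_PORT = 445

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    utc_time: str
    image: str
    process_id: int
    destination: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key=Value Key2="quoted value"' into a dict (constructed format)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_smb_from_web_worker(ev: Dict[str, str]) -> bool:
    """True when an outbound TCP connection to 445 was opened by an IIS worker."""
    if ev.get("EventID") != "3" or ev.get("Protocol", "").lower() != "tcp":
        return False
    if ev.get("Initiated", "").lower() != "true":   # outbound only; inbound 445 is the server's own share
        return False
    if int(ev.get("DestinationPort", "0")) != SMB_PORT:
        return False
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return image in WEB_SERVER_IMAGES


def detect(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if is_smb_from_web_worker(ev):
            findings.append(Finding(
                utc_time=ev.get("UtcTime", "?"),
                image=ev["Image"],
                process_id=int(ev.get("ProcessId", "0")),
                destination=f'{ev.get("DestinationIp")}:{ev.get("DestinationPort")}',
                reason="outbound SMB initiated by IIS worker process instead of the kernel redirector",
            ))
    return findings


# Constructed sample log: kernel-originated SMB (normal), an HTTPS response
# socket owned by w3wp.exe (normal), w3wp.exe opening 445 outbound (suspicious),
# and an inbound 445 connection to the server's own share (not initiated here).
SAMPLE_LOG = [
    r"EventID=3 UtcTime=2025-07-19T02:10:11Z Image=System ProcessId=4 Protocol=tcp Initiated=true SourceIp=10.1.2.10 DestinationIp=10.1.2.50 DestinationPort=445",
    r"EventID=3 UtcTime=2025-07-19T02:10:12Z Image=C:\Windows\System32\inetsrv\w3wp.exe ProcessId=5120 Protocol=tcp Initiated=false SourceIp=10.1.2.10 SourcePort=443 DestinationIp=203.0.113.7 DestinationPort=51022",
    r"EventID=3 UtcTime=2025-07-19T02:10:40Z Image=C:\Windows\System32\inetsrv\w3wp.exe ProcessId=5120 Protocol=tcp Initiated=true SourceIp=10.1.2.10 DestinationIp=10.1.2.77 DestinationPort=445",
    r"EventID=3 UtcTime=2025-07-19T02:11:03Z Image=System ProcessId=4 Protocol=tcp Initiated=false SourceIp=10.1.2.10 SourcePort=445 DestinationIp=10.1.2.33 DestinationPort=49211",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```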
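To show how the Figure 12 rule's condition actually decides a match (which string modifiers matter and how the `N of ($group*)` counts combine), here is an added pure-Python re-implementation of win_ldapquery's string groups and condition. It is not the Cyber Centre's code and not a substitute for compiling the rule in YARA; the `build_sample` helper and the byte buffers it produces are constructed stand-ins for DLLs, not real payloads.

```python
"""Pure-Python evaluator for the win_ldapquery YARA condition (added example).
Demonstrates `ascii` vs `wide` (UTF-16LE) matching, `nocase`, and the
`N of ($group*)` counting used in the rule's condition."""
import re
from typing import Dict, List, Tuple

# (text, wide, nocase) copied from the rule's strings section.
Spec = Tuple[str, bool, bool]
GROUPS: Dict[str, List[Spec]] = {
    "a": [("LDir", False, False), ("Explore", False, False),
          ("Internals", False, False), ("EncryptAes", False, False),
          ("DecryptAes", False, False), ("Set Token Error", True, False),
          ("AdsDateValue", False, False), ("FindHandle", False, False)],
    "x": [("JavaScriptSerializer", False, False), ("Serialize", False, False),
          ("EncryptAes", False, False), ("DecryptAes", False, False),
          ("DirectorySearcher", False, False)],
    "b": [("0.0.0.0", True, False)],
    "c": [("9068270B-0939-11D1-8BE1-00C04FD8D503", False, False),
          ("HttpResponse", False, False), ("HttpContext", False, False),
          ("ToBase64String", False, False), ("GZipStream", False, False),
          ("CreateEncryptor", False, False)],
    "d": [("advapi32.dll", False, False), ("ntdll.dll", False, False),
          ("kernel32.dll", False, False), ("NtQuerySystemInformation", False, False),
          ("OpenProcessToken", False, False), ("GetTokenInformation", False, False),
          ("SetThreadToken", False, False), ("GetCurrentThreadToken", False, False),
          ("Administrator", True, False), ("IUSR", True, False)],
    "e": [("LDAP://", True, False), ("samaccountname=", True, True),
          ("cn=", True, True), ("msexchrecipienttypedetails=", True, False),
          ("userprincipalname=", True, False), ("mail=", True, False)],
}


def pattern(text: str, wide: bool, nocase: bool) -> "re.Pattern[bytes]":
    """Compile a YARA text string into a bytes regex.
    wide   -> every character is followed by a NUL byte (UTF-16LE layout)
    nocase -> ASCII letters match in either case, one character at a time"""
    parts = []
    for ch in text:
        if nocase and ch.isalpha():
            piece = b"[" + ch.lower().encode() + ch.upper().encode() + b"]"
        else:
            piece = re.escape(ch.encode("ascii"))
        parts.append(piece + (b"\x00" if wide else b""))
    return re.compile(b"".join(parts))


def count_matches(data: bytes, group: str) -> int:
    """Number of strings in $group* that occur at least once (YARA's 'N of')."""
    return sum(1 for spec in GROUPS[group] if pattern(*spec).search(data))


def evaluate(data: bytes) -> Dict[str, object]:
    """Return per-group hit counts plus the rule's overall verdict."""
    counts = {g: count_matches(data, g) for g in GROUPS}
    matched = (
        data[:2] == b"MZ"                                   # uint16(0) == 0x5A4D
        and ((counts["a"] >= 5 and counts["d"] >= 4)        # latest version, or
             or counts["x"] == len(GROUPS["x"]))            # all of the oldest-version names
        and counts["b"] == 1                                # $b1
        and counts["c"] >= 4                                # 4 of ($c*)
        and counts["e"] >= 2                                # 2 of ($e*)
        and len(data) < 2 * 1024 * 1024                     # filesize < 2MB
    )
    return {"match": matched, **counts}


def build_sample(ascii_strings: List[str], wide_strings: List[str]) -> bytes:
    """Constructed stand-in for a .NET DLL: MZ header, NUL padding, then the
    given strings embedded as ASCII and as UTF-16LE (hypothetical helper)."""
    blob = bytearray(b"MZ" + b"\x00" * 62)
    for s in ascii_strings:
        blob += s.encode("ascii") + b"\x00"
    for s in wide_strings:
        blob += s.encode("utf-16-le") + b"\x00\x00"
    return bytes(blob)


# Constructed positive: carries the latest-version names, token-handling
# imports, response-writing strings and two wide LDAP attribute names.
SUSPECT = build_sample(
    ["LDir", "Explore", "Internals", "EncryptAes", "DecryptAes",
     "advapi32.dll", "ntdll.dll", "OpenProcessToken", "GetTokenInformation",
     "HttpResponse", "HttpContext", "ToBase64String", "GZipStream"],
    ["0.0.0.0", "LDAP://", "SamAccountName="],   # mixed case hits $e2 via nocase
)
# Constructed benign: an LDAP-aware web component with no token handling.
BENIGN = build_sample(
    ["HttpResponse", "HttpContext", "ToBase64String", "GZipStream", "DirectorySearcher"],
    ["0.0.0.0", "LDAP://", "cn="],
)
# Same strings as SUSPECT but the LDAP terms stored narrow: `wide` does not match them.
NARROW = build_sample(
    ["LDir", "Explore", "Internals", "EncryptAes", "DecryptAes",
     "advapi32.dll", "ntdll.dll", "OpenProcessToken", "GetTokenInformation",
     "HttpResponse", "HttpContext", "ToBase64String", "GZipStream",
     "LDAP://", "samaccountname="],
    ["0.0.0.0"],
)

if __name__ == "__main__":
    for name, buf in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN), ("NARROW", NARROW)):
        print(name, evaluate(buf))
```

The NARROW case is the one to remember when tuning: a .NET assembly stores string literals as UTF-16, so the rule's `wide` LDAP strings will not fire on an ASCII-only copy of the same text.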

  • Cyber security hygiene best practices for your organization – ITSAP.10.102
    by Canadian Centre for Cyber Security on September 4, 2025 at 12:56 pm

    <article data-history-node-id="3435" about="/en/guidance/cyber-security-hygiene-best-practices-your-organization-itsap10102" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>September 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.10.102</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>September 2025 | Awareness series</strong></p> </div> </div> <p>Cyber security hygiene refers to the best practices your organization can take to maintain the overall health and security of your <abbr title="information technology">IT</abbr> environment. Your cyber security hygiene helps you better defend your networks, systems and data from threat actors.</p> <p>Threat actors, even in more sophisticated attacks, leverage common vulnerabilities and weaknesses to attack systems and gain initial access. 
By building a solid cyber security foundation, your organization is better positioned to protect, defend and recover from cyber incidents.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#checklist">Cyber security hygiene checklist</a> <ul><li><a href="#network">Network and endpoint protection</a></li> <li><a href="#system">System protection</a></li> <li><a href="#education">User education and additional protective measures</a></li> </ul></li> </ul><h2 class="text-info" id="checklist">Cyber security hygiene checklist</h2> <p>The following checklist provides actions your organization can take to strengthen your cyber security.</p> <p>While not all actions may be feasible, you should prioritize implementing those that are most impactful and sustainable for your organization. Doing so will enhance your cyber security posture.</p> <h3 id="network">Network and endpoint protection</h3> <ul><li>Protect your network and endpoints with the following tools <ul><li>anti-virus and anti-malware software</li> <li>network protocol inspection tools</li> <li>endpoint detection and response</li> <li>firewalls</li> <li>wireless intrusion detection and prevention systems</li> <li>mobile endpoint threat management solutions and mobile threat defence products</li> </ul></li> <li>Segment your networks to stop traffic from flowing to sensitive or restricted zones</li> <li>Implement a security information and event management system to enable real-time, continuous monitoring to identify anomalies in your <ul><li>network traffic</li> <li>wireless access points</li> <li>mobile device gateways</li> </ul></li> <li>Monitor your security critical components, including the <ul><li>Domain Name System (DNS) server</li> <li>authentication server</li> <li>public key infrastructure</li> </ul></li> <li>Implement protective <abbr title="Domain Name System">DNS</abbr> to prevent users from inadvertently visiting potentially malicious domains on the Internet</li> <li>Regularly renew 
cryptographic keys to maintain secure communications</li> <li>Document secure baseline configurations for all your <abbr title="information technology">IT</abbr>, operational technology components and cloud infrastructure</li> <li>Establish and maintain a configuration management database</li> <li>Conduct and maintain an inventory of your <abbr title="information technology">IT</abbr> assets</li> <li>Manage and detect unauthorized assets by developing and maintaining <abbr title="information technology">IT</abbr> asset management procedures that ensure proper tagging and labelling of hardware and software assets</li> </ul><h4>Read more</h4> <ul><li><a href="/en/guidance/preventative-security-tools-itsap00058">Preventative security tools (ITSAP.00.058)</a></li> <li><a href="/en/guidance/using-security-information-event-management-tools-manage-cyber-security-risks-itsm80024">Using security information and event management tools to manage cyber security risks (ITSM.80.024)</a></li> <li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085)</a></li> <li><a href="/en/guidance/domain-name-system-dns-tampering-itsap40021">Domain Name System (DNS) tampering (ITSAP.40.021)</a></li> <li><a href="/en/guidance/protective-domain-name-system-itsap40019">Protective Domain Name System (ITSAP.40.019)</a></li> </ul><h3 id="system">System protection</h3> <ul><li>Enable automatic updates and patches for your firmware, hardware, software and operating systems, especially for Internet-exposed services and systems</li> <li>Patch operating systems and applications promptly after assessing organizational risk and confirming compatibility with your environment</li> <li>Enforce 
phishing-resistant multi-factor authentication (MFA) for all accounts and systems, especially those with administrative privileges</li> <li>Encourage the use of strong, unique, and confidential passphrases or passwords where <abbr title="multi-factor authentication">MFA</abbr> is not technically feasible</li> <li>Ensure administrators use dedicated workstations that do not allow web browsing or email access</li> <li>Regularly review and update user privileges, such as <ul><li>remove users no longer in your organization</li> <li>edit user privileges if users no longer require access to certain data or systems</li> <li>limit administrative privileges to a small number of users</li> <li>require two-person integrity for administrative privileges</li> <li>conduct administrative functions from a dedicated administrative workstation</li> </ul></li> <li>Apply the principle of least privilege, ensuring users only have the set of privileges that are essential to performing authorized tasks</li> <li>Consider role-based access control</li> <li>Manage mobile devices with unified endpoint management software</li> <li>Implement application allow lists to control what applications and components are allowed on your networks and systems</li> <li>Assess third-party applications to identify and disable unnecessary components or functions or require human intervention before activation (for example, macros)</li> <li>Disable autorun or autoplay on all your operating systems and web browsers to avoid automatic installations of unauthorized software</li> <li>Establish an incident response plan and conduct annual tests to ensure timely restoration of critical functions and effective recovery</li> <li>Categorize your assets to identify those that are most critical to your organization’s operations</li> <li>Regularly backup critical data and systems to offline storage, ensuring backups are isolated from network connections</li> <li>Test your backups periodically to ensure data and systems 
can be recovered quickly and successfully</li> <li>Proactively manage device lifecycles to address vulnerabilities in end-of-life or end-of-service-life devices, which often remain unpatched and increase security risks</li> </ul><h4>Read more</h4> <ul><li><a href="/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Top 10 <abbr title="information technology">IT</abbr> security action items: No. 2 patch operating systems and applications (ITSM.10.096)</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> <li><a href="/en/guidance/top-10-it-security-actions-no3-managing-controlling-administrative-privileges-itsm10094">Top 10 <abbr title="information technology">IT</abbr> security actions: No. 3 managing and controlling administrative privileges (ITSM.10.094)</a></li> <li><a href="/en/guidance/security-considerations-mobile-device-deployments-itsap70002">Security considerations for mobile device deployments (ITSAP.70.002)</a></li> <li><a href="/en/guidance/application-allow-list-itsap10095">Application allow list (ITSAP.10.095)</a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a></li> <li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002)</a></li> </ul><h3 id="education">User education and additional protective measures</h3> <ul><li>Provide ongoing, tailored cyber security training to ensure your employees know how to respond to suspicious links or emails</li> <li>Provide 
privacy awareness training to your employees to reduce the risk of privacy breaches</li> <li>Identify and subscribe to relevant security information sources or alert services to stay informed about threats that could impact your organization</li> <li>Develop an internal and external contact list of key stakeholders to alert during cyber threat events</li> </ul><h4>Read more</h4> <ul><li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> <li><a href="/en/guidance/top-measures-enhance-cyber-security-small-and-medium-organizations-itsap10035">Top measures to enhance cyber security for small and medium organizations (ITSAP.10.035)</a></li> <li><a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 <abbr title="information technology">IT</abbr> security actions to protect Internet-connected networks and information (ITSM.10.089)</a></li> <li><a href="/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals: Securing Our Most Critical Systems</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Virtualizing your infrastructure (ITSAP.70.011)
    by Canadian Centre for Cyber Security on September 4, 2025 at 11:54 am

    <article data-history-node-id="682" about="/en/guidance/virtualizing-your-infrastructure-itsap70011" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>September 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.70.011</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> <!--pdf download--> <div class="col-md-12"><!--<div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/cyber/publications/itsap70011.pdf">Virtualizing your infrastructure (ITSAP.70.011) (PDF,&nbsp;807&nbsp;KB)</a></p> </div>--> <p>Virtualization is a method of hardware abstraction that allows the creation of software versions of <abbr title="information technology">IT</abbr> systems and services which are traditionally implemented on separate physical hardware. These software versions, or virtual instances, can dramatically increase efficiency and decrease costs. 
Virtualization uses hardware to its full capacity by distributing its capabilities among many different services.</p> <p>Before implementing virtualization within your organization, you should understand the associated risks and ensure you protect your network, systems and information. This guidance covers the basics of virtualization, how your organization can benefit from it and the potential risks involved.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#virtualization">How virtualization works</a></li> <li><a href="#what-can-virtualization">What virtualization can do for your organization</a></li> <li><a href="#types-of-virtualization">Types of virtualization</a></li> <li><a href="#benefits-of-virtualization">Benefits of virtualization</a></li> <li><a href="#risks-virtualization">Risks of virtualization</a></li> <li><a href="#hypervisor-vendor">What to consider when selecting a hypervisor vendor</a></li> <li><a href="#mitigate-risks-virtualization">How to mitigate the risks of implementing virtual technology</a></li> <li><a href="#learn-more">Learn more</a></li> </ul><h2 class="text-primary text-info" id="virtualization">How does virtualization work?</h2> <p>To run your systems and services virtually, there are 3 main components.</p> <h3>Virtual machine</h3> <p>With virtualization, you can run your applications on fewer physical servers. Applications and software run virtually on a simulated computer system called a virtual machine (VM). The <abbr title="virtual machine">VM</abbr> has all the features of a computer server, without needing the physical hardware attached. A hypervisor supports the <abbr title="virtual machine">VM</abbr>.</p> <h3>Hypervisor</h3> <p>The hypervisor provides the layer of abstraction between the underlying hardware and hosted virtual machines. An abstraction layer can hide or show as much detail about your system as you want. 
The hypervisor allocates resources, such as central processing unit (CPU) access, storage and memory, to multiple <abbr title="virtual machine">VM</abbr>s. This allows them to run concurrently on the same underlying hardware as though they each had their own dedicated hardware.</p> <p>The use of hypervisor technology may allow for quicker builds and snapshots of <abbr title="virtual machine">VM</abbr> images. The administration of the hypervisor should be done using a dedicated administrator workstation (DAW). <abbr title="dedicated administrator workstation">DAW</abbr>s are limited-use workstations that can only be used by those who have privileged access to perform administrative tasks. They are meant to increase the security of your network.</p> <p>There are 2 types of hypervisors:</p> <ul><li>bare-metal hypervisor (also known as Type 1), which runs directly on physical hardware</li> <li>hosted hypervisor (also known as Type 2), which runs as an application on a host operating system</li> </ul><p>Hypervisor technologies may also provide additional functionality or features such as the use of <abbr title="virtual machine">VM</abbr> snapshots and backups, virtual networking capabilities between <abbr title="virtual machine">VM</abbr>s, <abbr title="virtual machine">VM</abbr> monitoring and more. Note that the use of a hypervisor may incur additional overhead.</p> <h3>Hardware servers</h3> <p>A single hardware server may support multiple <abbr title="virtual machine">VM</abbr>s. 
Without virtualization, the resources assigned to idle applications sit unused, for example:</p> <ul><li>processing power</li> <li>RAM</li> <li>storage</li> </ul><p>With virtualization, hardware servers can be used at full capacity to offer the hypervisor all the resources necessary to support the <abbr title="virtual machine">VM</abbr>s.</p> <div class="panel panel-default mrgn-tp-lg"> <div class="panel-body"> <figure><figcaption class="mrgn-bttm-md"><strong>Figure 1: Hardware server supporting a virtual machine</strong></figcaption><img alt="Hardware server supporting a virtual machine" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsap-70011-virtualizing-your-infrastructure-v2-e.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Figure 1: Hardware server supporting a virtual machine</summary><p>Figure 1 shows how the hardware server supports the hypervisor and the virtual machine. The image shows 3 components; from left to right, the hardware server connects to the hypervisor and then to the virtual machine(s).</p> </details></figure></div> </div> <h2 class="text-primary text-info" id="what-can-virtualization">What virtualization can do for your organization</h2> <p>Using virtualization, your organization can advance the performance of its infrastructure in the following ways:</p> <ul><li>run multiple operating systems on one physical machine</li> <li>divide system resources between <abbr title="virtual machine">VM</abbr>s, also known as load balancing</li> <li>gain advanced resource controls</li> <li>create virtualized security appliances, such as a firewall</li> <li>easily move, copy and save <abbr title="virtual machine">VM</abbr>s to other files and systems</li> <li>run virtual desktop infrastructure in-office and remotely</li> </ul><h2 class="text-primary text-info" id="types-of-virtualization">Types of virtualization</h2> <p>Virtualization can be used to perform several 
different functions for different needs. Your organization may choose to use all or some of the following types of virtualization.</p> <h3>Server</h3> <p>A physical server is divided up into multiple virtual servers. Each virtual server can run its own operating system. This is effective for deploying <abbr title="information technology">IT</abbr> services within an organization.</p> <h3>Desktop</h3> <p>A workstation is virtualized so that users can access it from anywhere. This includes accessing your organization’s network from a smart device and working remotely. To learn more about workstation virtualization, read our guidance on <a href="https://www.cyber.gc.ca/en/guidance/using-virtual-desktop-home-and-office-itsap70111">using virtual desktop at-home and in-office (ITSAP.70.111)</a>.</p> <h3>Storage</h3> <p>All your physical data storage units are combined to create a large, virtualized unit. This streamlines storage capabilities and creates a central storage console.</p> <h3>Network</h3> <p>A hardware-based network is transformed into a software-based network. This consolidates all the network resources and simplifies administrative control.</p> <h3>Application</h3> <p>Computer programs can run on various operating systems (OS). An application is installed on an underlying <abbr title="Operating System">OS</abbr>, but through virtualization can be accessed and executed on others, such as running a Microsoft application on a Linux <abbr title="Operating System">OS</abbr>. This requires a virtualization layer to be inserted between the <abbr title="Operating System">OS</abbr> and the app.</p> <h3>Cloud computing</h3> <p>While virtualization is closely related to cloud computing, they are not the same concept. However, cloud computing utilizes virtualization to support many of its functions. 
To learn more about cloud computing, read our guidance <a href="https://www.cyber.gc.ca/en/guidance/thinking-moving-cloud-heres-how-do-it-securely">Thinking of moving to the cloud? Here’s how to do it securely</a>.</p> <h2 class="text-primary text-info" id="benefits-of-virtualization">Benefits of virtualization</h2> <p>Virtualization and the use of <abbr title="virtual machine">VM</abbr>s have several benefits. These examples are not inherent capabilities of virtualization but may be achieved depending on how you use it:</p> <ul><li>lowers costs for high performance <abbr title="information technology">IT</abbr> services</li> <li>increases <abbr title="information technology">IT</abbr> productivity, efficiency and responsiveness</li> <li>accelerates the installation of applications and implementations of resources</li> <li>minimizes network downtime</li> <li>decreases disaster recovery time</li> <li>simplifies data centre management</li> <li>segregates applications and data to enhance security and reliability</li> <li>creates environments to safely test applications</li> </ul><h2 class="text-primary text-info" id="risks-virtualization">Risks of virtualization</h2> <p>Your organization can introduce security vulnerabilities if you do not properly configure or secure virtualization technology. 
Risks may include the following:</p> <ul><li>vulnerabilities can be introduced by obsolete and unpatched servers (known as <abbr title="virtual machine">VM</abbr> sprawl)</li> <li>sensitive data can be compromised by moving <abbr title="virtual machine">VM</abbr>s</li> <li>entry points, like external access to the device, can be exploited when a <abbr title="virtual machine">VM</abbr> is offline and dormant</li> <li>hardware can be compromised by malware that spreads from <abbr title="virtual machine">VM</abbr>s or hypervisors, such as <abbr title="virtual machine">VM</abbr> escape</li> <li>unauthorized access may be permitted due to virtual separation not offering the required isolation for security baselines, such as privileged access</li> <li>control and visibility can be lost within the virtual environments or networks if traditional security devices are used</li> <li>resources can be exhausted if a hypervisor is compromised or if unauthorized changes are made to configurations</li> <li>protecting each <abbr title="virtual machine">VM</abbr> is more time consuming because: <ul><li>each <abbr title="virtual machine">VM</abbr> requires unique considerations and configurations</li> <li>each <abbr title="virtual machine">VM</abbr> runs individually from the core structure</li> </ul></li> <li>a denial of service attack that affects one <abbr title="virtual machine">VM</abbr> can affect all connected <abbr title="virtual machine">VM</abbr>s unless quickly isolated</li> </ul><h2 class="text-primary text-info" id="hypervisor-vendor">What to consider when selecting a hypervisor vendor</h2> <p>You should choose a hypervisor vendor that can support your organization’s security requirements. 
Before selecting a vendor, consider the following factors to help support your decision:</p> <ul><li>whether the data is encrypted when it is in transit and at rest</li> <li>the security controls that the vendor has in place to protect sensitive data</li> <li>whether the vendor uses bare-metal or hosted hypervisors</li> <li>whether the vendor has monitoring and auditing capabilities</li> <li>who has access to the data on the server</li> <li>how administrative privileges are controlled</li> <li>whether the vendor gives advice and guidance on configuring, deploying, and hardening the virtualized environment</li> </ul><h2 class="text-primary text-info" id="mitigate-risks-virtualization">How to mitigate the risks of implementing virtual technology</h2> <p>Your organization can mitigate some of the risks associated with implementing virtual technology by taking the following 15 actions:</p> <ul><li>Select a trustworthy and reliable vendor</li> <li>Update and patch servers frequently</li> <li>Have your <abbr title="information technology">IT</abbr> team separate the different areas of your virtualized environment (e.g. 
public, storage, management) into network zones for better control</li> <li>Store highly sensitive data on separate physical servers</li> <li>Test high-risk applications in isolated environments</li> <li>Apply the principle of least privilege to ensure users only have enough privilege to carry out their job functions</li> <li>Use separation of duties to break down processes or tasks into a series of steps to reduce the likelihood of mistakes or malicious activity</li> <li>Implement multi-factor authentication for all accounts</li> <li>Train employees on cyber security best practices and provide role-based training</li> <li>Back up your data regularly</li> <li>Use a security information and event management (SIEM) approach to business operations to streamline the security of assets</li> <li>Install antivirus and intrusion detection or prevention systems on your infrastructure to keep all <abbr title="virtual machine">VM</abbr>s secure</li> <li>Manage your assets: take stock of all infrastructure being used and regularly audit and remove unused <abbr title="virtual machine">VM</abbr>s</li> <li>Encrypt network traffic and hard drives anywhere sensitive data is stored to protect data in transit and at rest</li> <li>Develop and test an incident response plan</li> </ul><p>We strongly recommend using bare-metal hypervisors where possible for your organization’s virtualized environments. 
Bare-metal hypervisors have fewer layers and typically allow for more efficient use of hardware and additional functionality and capabilities compared to hosted hypervisors.</p> <h2 class="text-primary text-info" id="learn-more">Learn more</h2> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/cyber-centre-data-centre-virtualization-report-best-practices-data-centre-virtualization">Cyber Centre data centre virtualization report: Best practices for data centre virtualization (ITSP.70.010)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-security-considerations-consumers-managed-services-itsm50030">Cyber security considerations for consumers of managed services (ITSM.50.030)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/isolating-web-facing-applications-itsap10099">Isolating web-facing applications (ITSAP.10.099)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Top 10 IT security actions items: No.2 patch operating systems and applications (ITSM.10.096)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protect-information-enterprise-level-itsap10097">Protect information at the enterprise level (ITSAP.10.097)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/using-encryption-keep-your-sensitive-data-secure-itsap40016">Using encryption to keep your sensitive data secure (ITSAP.40.016)</a></li> </ul></div> </div> </div> </div> </div> </div> </div> </article>

  • Universal plug and play (ITSAP.00.008)
    by Canadian Centre for Cyber Security on September 3, 2025 at 6:32 pm

    <article data-history-node-id="6751" about="/en/guidance/universal-plug-play-itsap00008" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>September 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.008</strong></p> </div> </div> <p>Universal plug and play (UPnP) is a protocol that allows devices on the same network to automatically discover, connect to and interact with one another. Common examples of devices that use <abbr title="universal plug and play">UPnP</abbr> include:</p> <ul><li>mobile devices</li> <li>smart devices (for example, speakers, televisions and cameras)</li> <li>computers</li> <li>gaming systems</li> <li>printers</li> <li>Wi-Fi devices</li> <li>routers</li> </ul><p>While <abbr title="universal plug and play">UPnP</abbr> services can be convenient for automating device connectivity, they can expose you to several security risks. 
We therefore recommend disabling <abbr title="universal plug and play">UPnP</abbr>, especially on perimeter devices such as home routers that manage firewalls, switches and Wi-Fi access points for other connected devices. Before you disable <abbr title="universal plug and play">UPnP</abbr>, check what level of security your devices need, since some require the service to work properly.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#use">How universal plug and play is used</a></li> <li><a href="#risks">Related risks</a></li> <li><a href="#secure">How to secure your devices</a></li> <li><a href="#disable">How to disable <abbr title="universal plug and play">UPnP</abbr> on a home router</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="use">How universal plug and play is used</h2> <p><abbr title="universal plug and play">UPnP</abbr> is used to connect devices seamlessly within a local network. It supports the automatic connection of smart devices, gaming consoles and computers, and media streaming devices, as well as remote device control. <abbr title="universal plug and play">UPnP</abbr> allows compatible devices to interact and work together within a related network for versatility and convenience. Here are some examples of how <abbr title="universal plug and play">UPnP</abbr> is commonly used.</p> <h3>Smart devices</h3> <p>Smart devices use <abbr title="universal plug and play">UPnP</abbr> to communicate with each other, allowing them to automatically adjust settings or change their environment based on the actions of other devices. 
For example, smart lighting can change colour or brightness in response to temperature changes detected by a connected smart thermostat.</p> <h3>Gaming consoles and computers</h3> <p>Gaming consoles can discover and connect with each other to join multiplayer sessions and share game content in real time.</p> <h3>Media streaming</h3> <p>Devices that support media streaming can share and stream videos, music and photos among other <abbr title="universal plug and play">UPnP</abbr>-enabled devices.</p> <h3>Remote access</h3> <p>You can use remote device control from a smartphone or computer to control actions or settings on <abbr title="universal plug and play">UPnP</abbr>-supported devices. For example, <abbr title="universal plug and play">UPnP</abbr> can be used to remotely lock or unlock a smart lock to your house.</p> <h2 class="text-info" id="risks">Related risks</h2> <p>While <abbr title="universal plug and play">UPnP</abbr>-enabled devices are convenient, they also introduce potential security risks because they often operate with minimal authentication or access controls. As a result, devices and networks using <abbr title="universal plug and play">UPnP</abbr> may be exposed to several common threats that can compromise security and privacy.</p> <h3>Malware</h3> <p>Threat actors can compromise <abbr title="universal plug and play">UPnP</abbr>-enabled devices with malware. For example, they may configure compromised <abbr title="universal plug and play">UPnP</abbr> devices to be accessible and ready to receive and send data, and then use them in distributed denial-of-service (DDoS) attacks.</p> <h3>Unauthorized access</h3> <p>Any <abbr title="universal plug and play">UPnP</abbr> devices connected to a common network can be compromised by someone who gains access to that network. 
This could be a threat actor exploiting a device connected to the network or a local user accessing a connected device (for example, an insider threat).</p> <p>The two main ways devices using <abbr title="universal plug and play">UPnP</abbr> on a network can be compromised are:</p> <ul><li>external threats: attackers who gain unauthorized access to your network (for example, by exploiting a vulnerable device) can target <abbr title="universal plug and play">UPnP</abbr>-enabled devices to manipulate device settings, intercept communications, or install malware</li> <li>insider threats: individuals with legitimate access to the local network who tamper with or misuse <abbr title="universal plug and play">UPnP</abbr>-connected devices, including reconfiguring devices, accessing sensitive data or intentionally weakening network security</li> </ul><h3>Network configuration</h3> <p><abbr title="universal plug and play">UPnP</abbr> offers control of network configuration settings, such as port forwarding, which threat actors can leverage to bypass firewalls, change access lists, or modify security measures. This makes it difficult to detect and block malicious traffic. Threat actors can also use a <abbr title="universal plug and play">UPnP</abbr>-connected device to manipulate network configuration to expose router web administration details, redirect traffic to malicious external servers, modify credentials and control internal connections and device activities.</p> <h3>Data sharing</h3> <p>Connected <abbr title="universal plug and play">UPnP</abbr> devices share data that allows them to interact with each other and to carry out certain activities. 
This can pose a privacy risk if devices that handle sensitive information connect and share data with other devices on the network.</p> <h2 class="text-info" id="secure">How to secure your devices</h2> <p>The most effective way to protect against <abbr title="universal plug and play">UPnP</abbr>-related attacks is to disable the service entirely. If disabling <abbr title="universal plug and play">UPnP</abbr> is not an option, you can reduce your network’s exposure by:</p> <ul><li>restricting <abbr title="universal plug and play">UPnP</abbr> access by creating a virtual local area network (VLAN) or a separate network zone to isolate <abbr title="universal plug and play">UPnP</abbr>-enabled devices from other devices on your network</li> <li>updating devices regularly and enabling automatic updates where available to further mitigate the risk of threat actors taking control of your devices and leveraging <abbr title="universal plug and play">UPnP</abbr> protocols maliciously</li> <li>logging and regularly monitoring device activity for any irregularities and potential threats</li> <li>regularly reviewing security settings and port-forwarding rules on your router and any other networking devices you own</li> <li>keeping up to date with new and emerging technologies and threats by reading Cyber Centre resources and publications</li> <li>training employees on and spreading awareness of cyber security best practices to identify, understand and manage potential threats to your systems</li> <li>using Canadian Internet Registration Authority (CIRA) tools and services to strengthen security if your router needs to be <abbr title="universal plug and play">UPnP</abbr>-enabled</li> </ul><h2 class="text-info" id="disable">How to disable universal plug and play on a home router</h2> <p>The steps to disable <abbr title="universal plug and play">UPnP</abbr> on your home router will vary depending on the make and model of the router, but generally, you should follow these 3 
steps:</p> <ol><li>Log into your router’s administrative or configuration webpage</li> <li>Find the <abbr title="universal plug and play">UPnP</abbr> settings, which are often located under the "advanced" or the "<abbr title="Network Address Translation">NAT</abbr> forwarding" configuration options</li> <li>Choose the option to "disable <abbr title="universal plug and play">UPnP</abbr>"</li> </ol><p>If you choose not to disable <abbr title="universal plug and play">UPnP</abbr> on your home router, you can block ports associated with <abbr title="universal plug and play">UPnP</abbr> at the Internet gateway. This helps prevent unauthorized external devices from accessing internal devices using <abbr title="universal plug and play">UPnP</abbr>.</p> <h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/how-your-smart-device-listening-you-itsap70013">Security considerations for voice-activated digital assistants (ITSAP.70.013)</a></li> <li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a></li> <li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085)</a></li> <li><a href="/en/guidance/internet-things-iot-security-itsap00012">Internet of Things (IoT) security (ITSAP.00.012)</a></li> <li><a href="/en/guidance/distributed-denial-service-attacks-prevention-and-preparation-itsap80110">Distributed denial of service attacks – prevention and preparation (ITSAP.80.110)</a></li> <li><a href="/en/guidance/cyber-security-home-and-office-secure-your-devices-computers-and-networks-itsap00007">Cyber security at home and in the office: Secure your devices, computers, and networks (ITSAP.00.007)</a></li> <li><a 
href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Joint guidance on a shared vision of software bill of materials for cyber security
    by Canadian Centre for Cyber Security on September 3, 2025 at 2:28 pm

    The joint guidance aims to inform software producers, purchasers and operators of the benefits of integrating SBOM generation, analysis, and sharing into security processes and practices.

  • Joint cyber security advisory on worldwide network compromises by People’s Republic of China state-sponsored actors
    by Canadian Centre for Cyber Security on August 27, 2025 at 3:48 pm

    This joint advisory warns that PRC state-sponsored threat actors are targeting global networks, including telecommunications, government, transportation, lodging and military infrastructure.

  • Cyber security best practices for managing email (ITSAP.60.002)
    by Canadian Centre for Cyber Security on August 26, 2025 at 7:32 pm

    Whether you lead a small or medium business or are an employee, email configuration is a key component to ensuring that your organization is protected against various cyber threats.

  • Quick guide to email configuration (ITSAP.60.003)
    by Canadian Centre for Cyber Security on August 26, 2025 at 7:27 pm

    <article data-history-node-id="6580" about="/en/guidance/quick-guide-email-configuration" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.60.003</strong></p> </div> </div> <p>This publication introduces several email configuration concepts, focusing on the available email authentication methods to verify the authenticity of the message.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#spf">Sender Policy Framework</a></li> <li><a href="#dkim">DomainKeys Identified Mail</a></li> <li><a href="#tls">Transport Layer Security encryption</a></li> <li><a href="#dmarc">Domain-based Message Authentication Reporting and Conformance</a></li> <li><a href="#lm">Learn more</a></li> </ul><h2 class="text-info" id="spf">Sender Policy Framework</h2> <p>Sender Policy Framework (SPF) is a TXT record added to your domain’s zone file to be queried by the domain name system (DNS) server associated with your domain. 
The record states which <abbr title="Internet Protocol">IP</abbr> address(es) are allowed to send email from your domain or on your domain’s behalf. Emails from <abbr title="Internet Protocol">IP</abbr> addresses, <abbr title="Internet Protocol">IP</abbr> ranges, or third-party domains that are not included may be labelled as spam. <abbr title="domain name system">DNS</abbr> translates a human-readable address into a machine-readable address to direct the user to the correct location.</p> <h2 class="text-info" id="dkim">DomainKeys Identified Mail</h2> <p>DomainKeys Identified Mail (DKIM) is generally already configured by large and reputable host email services. Essentially, <abbr title="DomainKeys Identified Mail">DKIM</abbr> places a signature on outgoing emails, which can be verified against a public <abbr title="Domain Name System">DNS</abbr> record to ensure they haven’t been modified. The receiving email server checks the signature against the published key upon receipt; if the <abbr title="DomainKeys Identified Mail">DKIM</abbr> signature is invalid, the message will likely be labelled as spam.</p> <h2 class="text-info" id="tls">Transport Layer Security encryption</h2> <p>Transport Layer Security (TLS) is a protocol that encrypts messages between servers so that they don’t get compromised in transit. <abbr title="Transport Layer Security">TLS</abbr> is a core email configuration used to ensure the privacy and integrity of an organization’s communications. 
However, while <abbr title="Transport Layer Security">TLS</abbr> can secure the initial transfer from the email client to the first server, it doesn’t guarantee that subsequent transfers will also use <abbr title="Transport Layer Security">TLS</abbr> encryption.</p> <h2 class="text-info" id="dmarc">Domain-based Message Authentication Reporting and Conformance</h2> <p>Domain-based Message Authentication Reporting and Conformance (DMARC) is generally already configured by your host email server as it’s an advanced and complex setting. <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr> is the recommended protocol that chooses what to do with the information taken from <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="DomainKeys Identified Mail">DKIM</abbr>. There are three set policies (p=):</p> <ul><li>p=none, in which no action is taken and the message is delivered</li> <li>p=quarantine, in which the message is placed in a spam or junk folder for review</li> <li>p=reject, in which the message is rejected or bounced back to sender</li> </ul><p>There are also policies for subdomains which are labelled as “sp=” but are only applied if subdomains are explicitly defined.</p> <p>While <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr> may appear complex to set up, it’s essential in today’s cyber security landscape. You can use a <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr> parsing service that will help you translate and understand the <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr>’s output response. Third-party <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr> auditing protocol services can help by providing you with policy assurances and reporting mechanisms to monitor authentication and potential threats. 
When implementing <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr>, you should review rules periodically to check if important mail is getting blocked.</p> <p>To maintain a reasonable level of protection, you should configure <abbr title="Sender Policy Framework">SPF</abbr>, <abbr title="DomainKeys Identified Mail">DKIM</abbr> and <abbr title="Domain-based Message Authentication Reporting and Conformance">DMARC</abbr>. When choosing an email service provider, ensure that it supports these configurations, offers <abbr title="Transport Layer Security">TLS</abbr> encryption, and has strong anti-spam and threat mitigation features.</p> <div class="well well-sm mrgn-tp-lg"> <h2 class="mrgn-tp-sm" id="rci">Reporting a cyber incident</h2> <p>If your organization is a victim of fraud, contact your local police and file a report online through the <a href="https://antifraudcentre-centreantifraude.ca/report-signalez-eng.htm" rel="external">Canadian Anti-Fraud Centre’s online reporting system</a> or by phone at <a href="tel:1-888-495-8501">1-888-495-8501</a>. Report cyber incidents online via the Cyber Centre’s <a href="https://portal-portail.cyber.gc.ca/en/report/">My Cyber Portal</a>.</p> </div> <h2 class="text-info" id="lm">Learn more</h2> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection">Implementation guidance: email domain protection (ITSP.40.065 v1.1)</a></li> <li><a href="/en/guidance/cyber-security-best-practices-managing-email">Cyber security best practices for email (ITSAP.60.002)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protective-domain-name-system-itsap40019">Protective domain name system (ITSAP.40.019)</a></li> </ul></div> </div> </div> </div> </div> </article>
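A worked example of the SPF check and the DMARC policy decision described above, added here as illustration and not code from the Cyber Centre publication. The example.org records and the authentication results are constructed; subdomain handling follows RFC 7489 (sp= applies to messages from subdomains when present, otherwise p=), and include: mechanisms are skipped because they need a DNS lookup.

```python
"""Added example: evaluate SPF and DMARC records the way a receiving mail
server would. Not code from the Cyber Centre publication; every record and
authentication result below is constructed for illustration."""
import ipaddress

# Constructed DNS TXT data for the hypothetical domain example.org.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 include:_spf.mail.example -all"
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.org"

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs and sanity-check it."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    return tags


def spf_check(record: str, sender_ip: str) -> str:
    """Return the SPF result for a sending IP: pass, fail, softfail or neutral.

    Only ip4:/ip6: mechanisms and the final 'all' qualifier are evaluated.
    include: (third-party senders) names another domain whose record must be
    fetched from DNS, so this offline example skips it.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        lower = term.lower()
        if lower.startswith(("ip4:", "ip6:")):
            # maxsplit=1 keeps the colons of an IPv6 prefix intact
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip in network:
                return "pass"
        elif lower == "-all":
            return "fail"        # sender not listed: may be labelled as spam
        elif lower == "~all":
            return "softfail"
        elif lower in ("+all", "all"):
            return "pass"
    return "neutral"             # "?all" or no all mechanism at all


def dmarc_disposition(record: str, from_domain: str, org_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Decide what to do with a message under the From domain's DMARC record.

    DMARC passes if SPF or DKIM passed *and* the domain that passed is aligned
    with the From domain (relaxed alignment: same organizational domain).
    Otherwise the p= policy applies, or sp= when the message comes from a
    subdomain. Returns 'deliver', 'quarantine' or 'reject'.
    """
    tags = parse_dmarc(record)

    def aligned(auth_domain: str) -> bool:
        return auth_domain == org_domain or auth_domain.endswith("." + org_domain)

    if (spf_result == "pass" and aligned(spf_domain)) or \
       (dkim_result == "pass" and aligned(dkim_domain)):
        return "deliver"                       # DMARC pass

    policy = tags["p"]
    if from_domain != org_domain and "sp" in tags:
        policy = tags["sp"]                    # subdomain policy
    return "deliver" if policy == "none" else policy


if __name__ == "__main__":
    # Constructed scenario: a message claiming to be From: example.org, sent
    # from 203.0.113.5 (not in the SPF record) and carrying no DKIM signature.
    spf = spf_check(SPF_RECORD, "203.0.113.5")
    print("SPF result:", spf)
    print("disposition:", dmarc_disposition(DMARC_RECORD, "example.org",
                                            "example.org", spf, "example.org",
                                            "none", ""))
```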

  • Email security best practices (ITSM.60.002)
    by Canadian Centre for Cyber Security on August 26, 2025 at 7:21 pm

    <article data-history-node-id="6685" about="/en/guidance/email-security-best-practices-itsm60002" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.60.002</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/ITSM.60.002-email-security-best-practices-en.pdf">Email security best practices – ITSM.60.002 (PDF, 1007 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on August 12, 2025.</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: August 12, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#0">Overview</a></li> <li><a href="#1.1">1.1 Introduction</a></li> <li><a href="#1.2">1.2 Common email threats</a> <ul><li><a href="#1.2.1">1.2.1 Phishing</a></li> <li><a href="#1.2.2">1.2.2 Spoofing</a></li> <li><a href="#1.2.3">1.2.3 Malware</a></li> <li><a href="#1.2.4">1.2.4 Business email compromise</a></li> <li><a href="#1.2.5">1.2.5 Impersonation</a></li> <li><a href="#1.2.6">1.2.6 Data exfiltration</a></li> <li><a href="#1.2.7">1.2.7 Spam</a></li> </ul></li> <li><a href="#1.3">1.3 Email security protocols</a> <ul><li><a href="#1.3.1">1.3.1 Transport layer security</a></li> <li><a href="#1.3.2">1.3.2 Secure/multipurpose internet mail extensions</a></li> <li><a href="#1.3.3">1.3.3 Pretty good privacy and open pretty good privacy</a></li> <li><a href="#1.3.4">1.3.4 Secure/multipurpose Internet mail extensions versus pretty good privacy</a></li> <li><a href="#1.3.5">1.3.5 Sender Policy Framework</a></li> <li><a href="#1.3.6">1.3.6 DomainKeys identified mail</a></li> <li><a href="#1.3.7">1.3.7 Domain-based message authentication, reporting, and conformance</a></li> </ul></li> <li><a href="#1.4">1.4 Protecting your email</a> <ul><li><a href="#1.4.1">1.4.1 Email security best 
practices</a></li> <li><a href="#1.4.2">1.4.2 Implement protocols to validate user identity and server identity</a></li> <li><a href="#1.4.3">1.4.3 Secure the email gateway</a></li> <li><a href="#1.4.4">1.4.4 Create an email security policy</a></li> <li><a href="#1.4.5">1.4.5 Monitor email activities</a></li> <li><a href="#1.4.6">1.4.6 Conduct regular email security audits and testing</a></li> <li><a href="#1.4.7">1.4.7 Keep business and personal emails separate</a></li> <li><a href="#1.4.8">1.4.8 Verify email links before you click on them</a></li> <li><a href="#1.4.9">1.4.9 Block spam and unwanted senders</a></li> </ul></li> <li><a href="#1.5">1.5 Email infrastructure security recommendations</a> <ul><li><a href="#1.5.1">1.5.1 Email servers</a></li> <li><a href="#1.5.2">1.5.2 Database/storage security</a></li> <li><a href="#1.5.3">1.5.3 Physical controls</a></li> <li><a href="#1.5.4">1.5.4 Cloud environment considerations</a></li> </ul></li> <li><a href="#1.6">1.6 Additional cyber security best practices to enhance email protection</a> <ul><li><a href="#1.6.1">1.6.1 Use unique and strong passwords or passphrases</a></li> <li><a href="#1.6.2">1.6.2 Educate and train employees</a></li> <li><a href="#1.6.3">1.6.3 Use multi-factor authentication</a></li> <li><a href="#1.6.4">1.6.4 Keep software and operating systems updated</a></li> <li><a href="#1.6.5">1.6.5 Connect to reliable Wi-Fi networks</a></li> <li><a href="#1.6.6">1.6.6 Create an incident response plan</a></li> <li><a href="#1.6.7">1.6.7 Back up important files</a></li> </ul></li> <li><a href="#1.7">1.7 Engaging with email security experts</a> <ul><li><a href="#1.7.1">1.7.1 Detonation and email sandboxing</a></li> <li><a href="#1.7.2">1.7.2 Content control</a></li> <li><a href="#1.7.3">1.7.3 Authentication systems</a></li> <li><a href="#1.7.4">1.7.4 Email encryption</a></li> <li><a href="#1.7.5">1.7.5 Email security gateways</a></li> <li><a href="#1.7.6">1.7.6 Continuous monitoring</a></li> <li><a 
href="#1.7.7">1.7.7 Reporting and analytics</a></li> </ul></li> <li><a href="#1.8">1.8 Summary</a></li> </ul></details></section><section><h2 class="text-info" id="0">Overview</h2> <p>In today’s digital landscape, it is vital for your organization to protect sensitive data. Although email is a fundamental means of communication, it is susceptible to various threats. Email serves as a primary channel for exchanging information which means your organization must implement strong security measures to protect data. This publication provides guidance on the key email security practices and protocols your organization should adopt, with the goal of strengthening your defences and upholding the confidentiality, integrity, and availability of your communications and data. This publication will assist your organization in implementing protective measures such as encryption, authentication, and secure gateways. In addition to protective measures, you should also enhance your employees’ awareness of and compliance with cyber security requirements and best practices. Collectively, these measures will enhance your organization’s confidence to navigate the digital landscape, all while ensuring the security and privacy of your sensitive information.</p> </section><section><h2 class="text-info" id="1.1">1.1 Introduction</h2> <p>Email serves as an important communication tool for individuals and organizations and is widely used on various devices. In organizational information technology (IT) operations, email is particularly important for internal and external business communications. Its extensive use makes it a prime target for threat actors aiming to exploit vulnerabilities and compromise sensitive data. Notably, email was not initially designed with security and privacy in mind. 
The technologies used today that enhance email security, such as encryption and authentication protocols, were added later to help mitigate the risks associated with email communications.</p> <p>With threat actors constantly refining tactics to exploit email vulnerabilities, establishing a strong defence through comprehensive email security measures helps safeguard the confidentiality, privacy, and integrity of your digital communications. Email accounts house a large amount of private information, including personal data, financial details, and confidential business exchanges. Ensuring secure email communications is important to prevent breaches that could compromise the integrity of these exchanges. Email security also protects against malware and phishing attacks, which are frequently initiated via deceptive emails. Additionally, ensuring the availability of email systems is an important aspect of email security. This helps prevent disruptions, downtime, and potential data loss that could occur from attacks on vulnerable systems.</p> <p>For many organizations and businesses, adhering to industry regulations and compliance standards is essential to avoid legal repercussions and to safeguard reputation. By establishing strong email security measures, you can demonstrate compliance and assure customers/clients and partners that the confidentiality, integrity and availability of their sensitive information is handled correctly.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="1.2">1.2 Common email threats</h2> <p>While email is a widely used communication tool, it comes with risks. Email threats are diverse, evolve constantly, and can range from deceptive phishing schemes to harmful malware. 
In this section, we will explore some of the most prevalent threats that can compromise your organization’s private information and digital security.</p> <h3 id="1.2.1">1.2.1 Phishing</h3> <p>An email phishing attack is a deceptive tactic employed by threat actors who send seemingly legitimate emails to users. It stands out as the most common threat to email security. Although it used to be relatively easy to spot phishing attacks, they have become more sophisticated over time. With the advent of artificial intelligence (AI), phishing emails no longer rely on poor spelling or familiar lures; they are now well-crafted messages with seemingly legitimate content, which makes them harder for the reader to detect.</p> <p>Phishing attacks can be generic or targeted. In the case of targeted attacks, also known as spear phishing, threat actors conduct thorough research to craft well-designed emails aimed at specific individuals or groups with special privileges or access to valuable information.</p> <p>Whaling, a specific form of spear phishing, is directed at high-ranking individuals within an organization, with threat actors posing as trusted authorities. The main goal remains consistent: manipulating users into disclosing sensitive information, such as usernames, passwords, and bank account details. Threat actors may also try to get users to click on malicious links, open harmful attachments within the email, or instruct them to make unauthorized changes within a system they have access to. 
It is essential for you to stay vigilant and understand how phishing attacks evolve to protect your organization from such threats.</p> <p>For more information on phishing attacks and malicious email and how you can avoid, identify, and handle them, read our publications:</p> <ul><li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="/en/guidance/spotting-malicious-email-messages-itsap00100">Spotting malicious email messages (ITSAP.00.100)</a></li> </ul><h3 id="1.2.2">1.2.2 Spoofing</h3> <p>Email spoofing is a deceptive tactic in which threat actors manipulate the sender’s details in an email header, making it look like the email is from a trusted source. The primary objective is to trick recipients into believing the email is legitimate and to entice them to open it and engage with its contents. Spoofing is possible because the mail transport protocol (SMTP) does not itself verify the From: header; the domain authentication protocols described in section 1.3 (SPF, DKIM, and DMARC) exist to close that gap.</p> <p>The inherent danger is that spoofed emails often carry malware, as well as malicious links that point to look-alike websites or services. Opening such an email can expose the recipient’s device if the mail client renders remote content or has an unpatched rendering flaw, and interacting with its links or attachments exposes it to further exploitation. Spoofing is commonly employed in both phishing attacks and business email compromise (BEC) scams. The ramifications of falling victim to such attacks extend beyond immediate harm. If sensitive information is disclosed in response to a spoofed email, it can result in identity theft.</p> <p>To mitigate the risks associated with email spoofing, get in the habit of always hovering over links in an email before clicking to verify the actual URL, ensuring it matches the expected domain and appears legitimate. Avoid clicking on links that look suspicious or unfamiliar. Always consult with your organization’s <abbr title="information technology">IT</abbr> security department if you have concerns. 
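</p> <p>The URL check described above can be automated. The following Python script is an added example and is not part of this publication or of any Cyber Centre tool: it takes a link or sender address, extracts the host that the browser or mail client would actually contact, converts it to its IDNA (punycode) form so that non-ASCII look-alike characters become visible, flags labels that mix Unicode scripts, and checks the host against a list of domains the organization expects. The domain list (EXPECTED_DOMAINS) and the sample inputs are constructed assumptions.</p>

```python
import unicodedata
from urllib.parse import urlsplit

# Domains the organization expects links and senders to use (constructed list; assumption).
EXPECTED_DOMAINS = {"example.com", "cyber.gc.ca"}


def host_of(link_or_address):
    """Host part of a URL, or domain part of an email address, lowercased and without a trailing dot."""
    if "://" not in link_or_address and "@" in link_or_address:
        return link_or_address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    url = link_or_address if "://" in link_or_address else "http://" + link_or_address
    return (urlsplit(url).hostname or "").rstrip(".")


def scripts_in(label):
    """Unicode scripts used by the letters of one DNS label, taken from the first word of each
    character's Unicode name (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC').
    Digits and hyphens belong to no script and are ignored."""
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def check_link(link_or_address, expected=EXPECTED_DOMAINS):
    """Flag look-alike hosts: non-ASCII labels (reported in IDNA/punycode form), labels that mix
    scripts, and hosts that are neither an expected domain nor a subdomain of one."""
    host = host_of(link_or_address)
    reasons = []
    try:
        ascii_host = host.encode("idna").decode("ascii")  # IDNA codec from the standard library
    except UnicodeError:
        ascii_host = host
        reasons.append("host is not a valid internationalized domain name")
    if ascii_host != host:
        reasons.append("non-ASCII host; IDNA form is %s" % ascii_host)
    for label in host.split("."):
        found = scripts_in(label)
        if len(found) > 1:
            reasons.append("label %r mixes scripts %s" % (label, sorted(found)))
    if not any(ascii_host == d or ascii_host.endswith("." + d) for d in expected):
        reasons.append("host %s is outside the expected domains" % ascii_host)
    return {"host": host, "ascii_host": ascii_host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: a legitimate link, a URL whose visible part is only userinfo,
    # and two look-alikes whose first 'a' is the Cyrillic letter U+0430.
    for sample in ("https://www.example.com/login",
                   "https://www.example.com@198.51.100.7/login",
                   "https://\u0430pple.com/login",
                   "alerts@p\u0430ypal.com"):
        print(sample, "->", check_link(sample))
```

<p>The second sample shows why the host must be parsed rather than eyeballed: everything before the @ in a URL is userinfo, and the browser connects to the address after it. The script only flags; a flagged host still needs a human decision, and a host that passes every check can still be malicious if it was registered to look plausible in plain ASCII.</p> <p>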
You should also scrutinize any email that contains unusual requests, such as urgent financial transactions or demands for sensitive information. It is prudent to verify these requests through other communication channels, like a phone call to the sender using a number you already have (not one supplied in the email) or manually visiting the website in your browser to confirm the email’s claims.</p> <p>Another important consideration is the potential for homograph attacks, where malicious actors use characters from other alphabets, such as Cyrillic or Greek, that look like Latin letters to create deceptive email addresses or URLs. Pay close attention to subtle differences in characters that might indicate a spoofing attempt; many browsers and mail clients display such a domain in its punycode form (beginning with xn--) when a label mixes scripts, which is a useful tell. By combining these strategies, you can better protect yourself from the risks of email spoofing.</p> <h3 id="1.2.3">1.2.3 Malware</h3> <p>Threat actors often use email to deliver several types of malware, such as viruses, worms, ransomware, and spyware. Malware can be directly attached to emails or embedded in shared documents sent as attachments, links, or through cloud-based storage. Once malware infiltrates a user’s device, it can potentially gain unauthorized access to system components, compromise or steal sensitive information, and encrypt files. For information on how to defend against and recover from ransomware, read our publication <a href="/en/guidance/ransomware-playbook-itsm00099">Ransomware playbook (ITSM.00.099)</a>.</p> <h3 id="1.2.4">1.2.4 Business email compromise</h3> <p><abbr title="business email compromise">BEC</abbr> presents a growing concern for organizations of all sizes and across various industries. This sophisticated scheme often targets businesses engaged in wire transfers. 
Threat actors aim to defraud organizations by posing as executives or business partners to trick employees into transferring funds to fraudulent accounts.</p> <p>These intricately planned and precisely directed attacks involve significant amounts of money, which makes them one of the most financially damaging threats to email security. While <abbr title="business email compromise">BEC</abbr> scammers may exploit and steal data, their primary goal is financial gain, and they focus on deceiving organizations through social engineering tactics like impersonation. Because a <abbr title="business email compromise">BEC</abbr> message often carries no malware or malicious link, it can pass technical filters; the primary control is a process that verifies any change to payment details through a channel other than email. For more information on how to protect your organization against social engineering, read our publication <a href="/en/guidance/social-engineering-itsap00166">Social engineering (ITSAP.00.166)</a>.</p> <h3 id="1.2.5">1.2.5 Impersonation</h3> <p>Impersonation is used by threat actors to exploit trust, benefit financially, or access sensitive information through email. For instance, in <abbr title="business email compromise">BEC</abbr>, threat actors pose as trusted individuals, like employees, to steal from companies or their clients and partners. Another example is an attorney impersonation attack, where the attackers pretend to be legal representatives and often target employees who may lack the knowledge or authority to verify the legitimacy of the attacker’s request. Similarly, threat actors have been known to impersonate authorities, including regulators, government departments, and law enforcement agencies.</p> <p>Another tactic is brand impersonation, where threat actors falsely associate themselves with well-known brands to trick recipients into revealing confidential information. 
There are many different impersonation techniques, ranging from mimicking internal personnel to committing financial fraud to leveraging the credibility of reputable brands for illicit purposes, highlighting the need for vigilant email security practices.</p> <h3 id="1.2.6">1.2.6 Data exfiltration</h3> <p>Data exfiltration involves the unauthorized transfer or removal of sensitive information from an organization’s email system. Threat actors use various techniques, such as phishing, spyware, or malware, to exfiltrate data. Email is also an exfiltration channel in its own right: an auto-forwarding rule created on a compromised mailbox quietly copies every incoming message to an external address, so the creation of inbox rules is worth monitoring. This exposes organizations to potential cybercrimes, including extortion and the illicit sale of data on the dark web. In turn, this can have significant business consequences, including costly data breaches and legal repercussions. To learn more on how to protect your data from exfiltration, read our publication <a href="/en/guidance/defending-against-data-exfiltration-threats-itsm40110">Defending against data exfiltration threats (ITSM.40.110)</a>.</p> <h3 id="1.2.7">1.2.7 Spam</h3> <p>Businesses frequently employ spam (unsolicited messaging) as a means of promoting their goods, services, or websites for commercial purposes. Although spam may not be considered as severe as certain other email security threats, spam emails do carry inherent security risks. Email providers generally identify and filter out such messages, but spam is still a potential threat, as some emails that contain malicious links or attachments may be missed by the email provider filter.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="1.3">1.3 Email security protocols</h2> <p>Email security protocols are important for protecting digital communications, as they prevent unauthorized access to email content. 
These protocols establish rules and standards that govern the transmission, reception, and handling of email messages between servers and clients. By defining precise steps and rules for sending, receiving, storing, and retrieving emails, protocols help establish a secure email communication process.</p> <p>This section provides an overview of several established email security protocols that enhance email security. By integrating these email security protocols and practices, you can create a comprehensive and layered defence against many threats and ensure the confidentiality, integrity, and availability of your email communications. The Cyber Centre’s publication <a href="/en/guidance/implementation-guidance-email-domain-protection">Implementation guidance: email domain protection (ITSP.40.065 v1.1)</a> provides guidance on implementing technical security measures to protect your organization’s domains from email spoofing.</p> <h3 id="1.3.1">1.3.1 Transport layer security</h3> <p>Transport layer security (TLS), which replaces secure sockets layer (SSL), is a cryptographic protocol for establishing a secure communication channel via a ‘handshake’. During a <abbr title="transport layer security">TLS</abbr> handshake, the two communicating sides, typically a client and a server, authenticate the server’s certificate and negotiate session keys that encrypt subsequent data transmissions. <abbr title="secure sockets layer">SSL</abbr> and <abbr title="transport layer security">TLS</abbr> versions 1.0 and 1.1 are considered insecure and are deprecated; <abbr title="transport layer security">TLS</abbr> 1.2 and 1.3 keep email confidential during transit. This means that as an email travels across the internet, it is encrypted and protected from eavesdropping. However, while the email may be encrypted during transmission, the sending and receiving servers can still access the plaintext message. 
Therefore, <abbr title="transport layer security">TLS</abbr> does not offer end-to-end confidentiality.</p> <p>Additionally, email transmitted over the internet typically undergoes multiple intermediary transfers across various servers before reaching its destination. While <abbr title="transport layer security">TLS</abbr> can secure the initial transfer from the email client to the first server, there is no guarantee that subsequent transfers will employ <abbr title="transport layer security">TLS</abbr> encryption. Between mail servers, <abbr title="transport layer security">TLS</abbr> is normally opportunistic (STARTTLS): the sending server uses it only if the receiving server offers it, and an adversary on the path can strip that offer and force plaintext. A receiving domain can require <abbr title="transport layer security">TLS</abbr> by publishing an MTA-STS policy or DANE TLSA records, but only senders that honour those mechanisms are protected. Consequently, you should not rely solely on <abbr title="transport layer security">TLS</abbr> to protect sensitive information unless you trust the receiving infrastructure and the organization operating the email servers. This is particularly important when considering the difference between securing communication between an email client application and a server and achieving end-to-end confidentiality between 2 individuals, the sender and the recipient of the email.</p> <p>For information on how to configure <abbr title="transport layer security">TLS</abbr>, read our publication <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a>.</p> <h3 id="1.3.2">1.3.2 Secure/multipurpose internet mail extensions</h3> <p>Secure/multipurpose internet mail extensions (S/MIME) is a protocol designed to ensure the security of email communication through an end-to-end encryption framework. This protocol leverages public key infrastructure (PKI) with asymmetric cryptography, which involves a pair of mathematically related keys: a public key and a private key. These keys work collaboratively to establish a secure channel for communication.</p> <p><abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> serves a dual purpose of digitally signing and encrypting messages sent over the Internet. 
Digital signatures authenticate the identity of the sender, while encryption ensures the confidentiality of the email content. In the encryption process, the message is encrypted for the recipient’s public key, and successful decryption requires the corresponding private key held exclusively by the intended recipient. This ensures that only the designated recipient can access the sensitive data, provided the private key remains secure. During authentication, a signature is generated using the sender’s private key and can be verified using the corresponding public key. This allows the recipient to check that the source of the message is authentic and that the signed content was not altered.</p> <p>One of the primary advantages of <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> is its resilience against malicious activities such as sender impersonation and message interception. <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> establishes a secure framework for sending and receiving messages by requiring email clients to possess a digital certificate to authenticate the identity of the sender and encrypt emails during transmission.</p> <p>While <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> improves email security, it is important to know that email headers, including the Subject line and the sender and recipient addresses, remain unencrypted. This means that threat actors could access certain information about the sender and recipient. 
The Cyber Centre’s publication <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a> provides guidance on configuring both <abbr title="transport layer security">TLS</abbr> and <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr>.</p> <h3 id="1.3.3">1.3.3 Pretty good privacy and open pretty good privacy</h3> <p>Pretty good privacy (PGP) and OpenPGP, the open standard (RFC 4880) that current implementations such as GnuPG follow, provide end-to-end encryption for email messages and files, restricting access to only the intended recipient. They use digital signatures to verify sender authenticity and rely on public-key cryptography and key management for secure communication. The cost of implementing <abbr title="pretty good privacy">PGP</abbr> is relatively low and there are many free and open-source <abbr title="pretty good privacy">PGP</abbr> software solutions available.</p> <p>However, it should be noted that <abbr title="pretty good privacy">PGP</abbr> requires both the sender and receiver to have compatible software capable of encrypting and decrypting messages for the encryption to work effectively. Additionally, both parties need to exchange and possess each other’s public keys. Older emails that were not originally encrypted with <abbr title="pretty good privacy">PGP</abbr> software remain unencrypted unless they are re-sent using the secure encryption process.</p> <p>Popular email services such as Gmail, Outlook, and Yahoo do not natively support <abbr title="pretty good privacy">PGP</abbr> without additional browser add-ons or supplementary software. 
This limitation can complicate the seamless integration of <abbr title="pretty good privacy">PGP</abbr> into everyday email usage for many users.</p> <p>Overall, <abbr title="pretty good privacy">PGP</abbr> remains a versatile and cost-effective choice for individuals and small businesses seeking email encryption capabilities, provided they navigate its implementation and compatibility requirements effectively.</p> <h3 id="1.3.4">1.3.4 Secure/multipurpose internet mail extensions versus pretty good privacy</h3> <p><abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr> are virtually identical mechanisms in terms of what is done to the email message for transport. The main difference is that <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> uses <abbr title="public key infrastructure">PKI</abbr>, with an emphasis on the "I" (infrastructure). <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> requires all users, senders, and recipients to possess certificates issued by a trusted authority or a delegate, which allows users’ identities to be traced back to the authority of the certificate issuer. Certificates in <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> are typically distributed and updated through automated lookup in a corporate directory and require supporting infrastructure.</p> <p>In contrast, <abbr title="pretty good privacy">PGP</abbr> employs self-generated public/private key pairs that must be manually managed and maintained, as well as trust relationships that usually need to be personally verified. For example, one might request another’s <abbr title="pretty good privacy">PGP</abbr> public key and reciprocate by providing their own. 
However, this exchange could be vulnerable to adversary-in-the-middle (AITM) attacks or spoofing, because a public key received by email cannot by itself prove who it belongs to. The usual safeguard is to compare the key’s fingerprint over a second channel, in person or by phone, before trusting it.</p> <p>Data at rest is another key aspect of email security for both <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr>. <abbr title="transport layer security">TLS</abbr>-protected emails are encrypted only during transport. Once a message reaches its destination, it is decrypted and stored as plaintext on the recipient’s system. This means that if someone gains access to your phone, laptop, or server, they can read all the stored messages. However, if the messages were encrypted with <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> or <abbr title="pretty good privacy">PGP</abbr>, they remain encrypted even in storage unless the user opts to decrypt and store them in plaintext.</p> <p>It is recommended that enterprises and organizations use <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> because it enables them to centrally manage accounts. For example, if an employee leaves, you can simply revoke their <abbr title="public key infrastructure">PKI</abbr> credentials. In contrast, with <abbr title="pretty good privacy">PGP</abbr>, you would have to inform all your employees that the employee no longer works there and that they should no longer trust that person’s <abbr title="pretty good privacy">PGP</abbr> key, because only the key holder can revoke it, unless a revocation certificate was generated and kept by the organization when the key was created. Additionally, <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> allows for security investigations, if required. 
Because the organization’s <abbr title="public key infrastructure">PKI</abbr> issues the certificates and can escrow the encryption keys, an organization can maintain a record of communications exchanged via <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr>, including timestamps and sender/receiver information, and can decrypt archived messages when a forensic analysis requires it. Furthermore, <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> allows administrators to enforce policies related to message retention and archiving, ensuring compliance with regulatory requirements, and facilitating audits or investigations into potential security breaches or misconduct. By leveraging <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> for email encryption and digital signatures, organizations and businesses can better monitor and investigate suspicious activities, thereby strengthening their overall security posture and regulatory compliance efforts.</p> <h3 id="1.3.5">1.3.5 Sender Policy Framework</h3> <p>Sender Policy Framework (SPF) is a system that uses features of the domain name system (DNS) and allows domain owners to specify, in a TXT record, which servers are authorized to send emails on behalf of their domain. If you receive an email from an IP address that is not specifically permitted by the <abbr title="Sender Policy Framework">SPF</abbr> record, it is likely not legitimate. When an email is received, the recipient’s mail server looks up the <abbr title="Sender Policy Framework">SPF</abbr> record of the domain in the envelope sender (the MAIL FROM, or Return-Path, address) and checks whether the connecting IP address is on the authorized list. Two caveats follow from this. <abbr title="Sender Policy Framework">SPF</abbr> validates the envelope sender, not the From: header the recipient sees, so an <abbr title="Sender Policy Framework">SPF</abbr> pass alone does not vouch for the visible sender; DMARC (section 1.3.7) closes that gap by requiring the two domains to align. And because a forwarding server sends from its own IP address, legitimately forwarded mail fails <abbr title="Sender Policy Framework">SPF</abbr>, which is why <abbr title="Sender Policy Framework">SPF</abbr> should be combined with DKIM rather than used as the sole basis for rejection.</p> <p>If the sending mail server is included in the <abbr title="Sender Policy Framework">SPF</abbr> record (a "pass"), the email is considered legitimate and is usually delivered. 
However, if the sending mail server is not listed in the <abbr title="Sender Policy Framework">SPF</abbr> record (a "fail"), the recipient’s mail server may handle the email cautiously, possibly rejecting it or marking it as spam.</p> <p>To effectively manage <abbr title="Sender Policy Framework">SPF</abbr> policies within an organization, it is recommended to start with a softfail (~all) policy during initial testing. This allows administrators to monitor and correct any potential misconfigurations before fully enforcing a hardfail (-all) policy, which tells receiving servers that mail from any other source should be rejected. Additionally, it is important to publish a record of v=spf1 -all for domains and subdomains that never send mail, ensuring comprehensive protection against spoofing attempts across all aspects of the organization’s digital presence. Keep the record within the limit of 10 DNS-querying mechanisms (include, a, mx, ptr, exists, and redirect) set by RFC 7208; a record that exceeds it produces a permanent error rather than a pass, so audit the include chain each time a third-party sender is added.</p> <h3 id="1.3.6">1.3.6 DomainKeys identified mail</h3> <p>DomainKeys identified mail (DKIM) is an email authentication protocol that enhances the security of email messages by allowing the sending domain to digitally sign them. In the <abbr title="DomainKeys identified mail">DKIM</abbr> process, the email server generates a digital signature using a private key, exclusive to the domain owner, and embeds it in a DKIM-Signature header together with the signing domain (d=) and a selector (s=) that names the key. The recipient’s server then retrieves the matching public key from a <abbr title="domain name system">DNS</abbr> TXT record at selector._domainkey.domain and verifies the signature, thereby confirming that the message was signed by the holder of that domain’s private key and that the signed headers and body were not altered in transit. Specifically, the verifier recomputes the hash of the canonicalized body and compares it with the bh= value in the signature, then checks the signature over the listed headers. The <abbr title="DomainKeys identified mail">DKIM</abbr> result is then fed into spam filtering and DMARC evaluation (section 1.3.7); <abbr title="DomainKeys identified mail">DKIM</abbr> by itself does not decide whether the email is delivered.</p> <p><abbr title="DomainKeys identified mail">DKIM</abbr> ensures the integrity of email communication, making sure that emails have not been tampered with. 
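</p> <p>To make the hash comparison concrete, the following Python example, added here and not taken from this publication, recomputes the <abbr title="DomainKeys identified mail">DKIM</abbr> body hash (the bh= tag) over a constructed message body using the simple and relaxed body canonicalization rules of RFC 6376 and compares it with the value carried in a constructed DKIM-Signature header. The b= signature over the headers is not verified here, because that step needs the selector’s public key from DNS and an RSA or Ed25519 implementation; the domain, selector, and message are assumptions.</p>

```python
import base64
import hashlib
import re


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value (RFC 6376 s.3.2 tag=value list) into a dict; folding whitespace is removed."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, method="simple"):
    """Body canonicalization from RFC 6376 s.3.4.3 (simple) and s.3.4.4 (relaxed).
    Both drop empty lines at the end of the body; relaxed also collapses runs of spaces/tabs into one
    space and strips trailing whitespace on every line. Lines are rejoined with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif method != "simple":
        raise ValueError("unknown body canonicalization: %s" % method)
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""  # the empty-body rule differs between the two methods
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, method="simple", algorithm="sha256"):
    """Base64 digest over the canonicalized body: the value a signer places in the bh= tag."""
    digest = hashlib.new(algorithm, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(dkim_signature, body):
    """Recompute bh= from the received body and compare it with the bh= in the DKIM-Signature header.
    A mismatch means the body changed after signing (or a different canonicalization was used)."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    body_method = canon[1] if len(canon) > 1 else "simple"  # 'c=relaxed' alone means relaxed headers, simple body
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]  # rsa-sha256 and ed25519-sha256 both hash with SHA-256
    return body_hash(body, body_method, algorithm) == tags.get("bh")


# Constructed sample message body (not from the publication).
SAMPLE_BODY = "Hello,\r\n\r\nPlease review the attached invoice.\r\n\r\n\r\n"

# Constructed DKIM-Signature header: bh= is filled in from body_hash so the sample is self-consistent.
# b= (the signature over the selected headers) is a placeholder, since checking it needs the public key
# published at sel2025._domainkey.example.com (an assumed selector and domain).
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2025;\r\n"
                    "\th=from:to:subject:date; bh=%s;\r\n"
                    "\tb=PLACEHOLDER" % body_hash(SAMPLE_BODY, "simple"))


if __name__ == "__main__":
    print("bh matches as received:", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("bh matches after edit:", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY.replace("invoice", "refund")))
```

<p>Two behaviours worth noticing: trailing empty lines added by an intermediate server do not change the hash under either canonicalization, which is what lets signatures survive ordinary transit, while any change to the text of the body does. A verifier that stops at a body hash match has only checked integrity of the body; the b= check against the DNS-published key is what ties the message to the signing domain.</p> <p>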
<abbr title="DomainKeys identified mail">DKIM</abbr> allows recipient servers to check the message’s authenticity and to confirm it was signed by the domain named in the signature. A signature alone does not stop spoofing, since a threat actor can sign a message with a domain they control; the value comes from tying the signing domain to the visible From: address, which is the role of DMARC (section 1.3.7).</p> <h3 id="1.3.7">1.3.7 Domain-based message authentication, reporting, and conformance</h3> <p>Domain-based message authentication, reporting, and conformance (DMARC) helps prevent email phishing and domain spoofing by allowing domain owners to define protocols for handling unauthorized or suspicious messages. It builds on <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="DomainKeys identified mail">DKIM</abbr>: when a message arrives, the receiving server checks that at least one of them passes and that the domain it authenticated is aligned with the domain in the From: header that the recipient sees. That From: domain is the identity a spoofer forges, and neither <abbr title="Sender Policy Framework">SPF</abbr> nor <abbr title="DomainKeys identified mail">DKIM</abbr> checks it on its own.</p> <p>A key feature of <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> is that it lets domain owners establish policies for recipient servers. In turn, this allows messages to be handled consistently, even if they come from untrusted sources. The published policy tells the server what to do when a message fails the aligned <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="DomainKeys identified mail">DKIM</abbr> checks: none (deliver and report), quarantine, or reject. Some large email providers, such as Gmail and Microsoft, have implemented strict <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> policies for inbound emails. They require that both <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="DomainKeys identified mail">DKIM</abbr> authentication checks pass for emails sent from domains that have published <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> policies with a reject or quarantine action. Specifically, for Google, this applies to senders of 5,000 or more messages per day. 
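</p> <p>To show how <abbr title="Sender Policy Framework">SPF</abbr>, <abbr title="DomainKeys identified mail">DKIM</abbr>, and <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> fit together, the following Python example, added here and not taken from this publication, evaluates an <abbr title="Sender Policy Framework">SPF</abbr> record against a connecting IP address (pass, softfail, and hardfail, including the include mechanism and the 10-lookup limit) and then applies <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> identifier alignment and the published policy. It goes slightly beyond the text by also handling the subdomain policy (sp=) and strict versus relaxed alignment. DNS is replaced by a constructed dictionary (DNS_TXT) so the script runs offline; the domains, addresses, and policies in it are assumptions, and the <abbr title="DomainKeys identified mail">DKIM</abbr> verdict is supplied as an input because verifying the signature needs the public key from DNS.</p>

```python
import ipaddress
import re

# Constructed DNS TXT data standing in for live lookups (assumption; a real check queries DNS).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "bounce.example.com": "v=spf1 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
    "parked.example": "v=spf1 -all",  # a domain that never sends mail: every source hard-fails
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s.4.6.4: more than 10 DNS-querying mechanisms is a permanent error


def check_spf(ip, domain, lookups=0):
    """Evaluate the SPF record of `domain` for the connecting address `ip`.
    Returns pass, fail, softfail, neutral, none (no record) or permerror. Only the ip4, ip6, include
    and all mechanisms are implemented; a, mx, exists and ptr need address lookups and yield permerror here.
    The lookup counter is carried along the include chain."""
    record = DNS_TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(ip, arg, lookups)
            if sub == "permerror":
                return sub
            if sub == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no 'all' term


def org_domain(domain):
    """Organizational domain approximated as the last two labels. Real implementations consult the
    Public Suffix List; this shortcut is wrong for names such as example.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match with the From: domain,
    relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record):
    return {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}


def check_dmarc(from_domain, mail_from_domain, client_ip, dkim_result, dkim_domain):
    """Apply DMARC to one message: SPF is evaluated for the envelope (MAIL FROM) domain, the DKIM verdict
    and its d= domain are taken as inputs, and each must align with the RFC5322.From domain.
    Returns (dmarc_result, disposition), where disposition is the policy the receiver should apply."""
    record = DNS_TXT.get("_dmarc." + from_domain)
    is_subdomain = record is None and from_domain != org_domain(from_domain)
    if record is None:
        record = DNS_TXT.get("_dmarc." + org_domain(from_domain))
    if record is None:
        return "none", "none"
    policy = parse_dmarc(record)
    spf_aligned = (check_spf(client_ip, mail_from_domain) == "pass"
                   and aligned(mail_from_domain, from_domain, policy.get("aspf", "r")))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    if is_subdomain:  # sp= governs subdomains that publish no record of their own
        return "fail", policy.get("sp", policy.get("p", "none"))
    return "fail", policy.get("p", "none")


if __name__ == "__main__":
    print(check_dmarc("example.com", "example.com", "203.0.113.5", "none", ""))            # aligned SPF pass
    print(check_dmarc("example.com", "attacker.example", "192.0.2.7", "none", ""))        # spoof: quarantine
    print(check_dmarc("example.com", "bounce.example.com", "198.51.100.10", "pass", "example.com"))
```

<p>The third call in the usage section is the instructive one: <abbr title="Sender Policy Framework">SPF</abbr> passes for the bounce subdomain, but with aspf=s it is not aligned with the From: domain, so the message survives only because an aligned <abbr title="DomainKeys identified mail">DKIM</abbr> signature is present. Replace the <abbr title="DomainKeys identified mail">DKIM</abbr> verdict with "none" and the same message is quarantined, which is exactly what happens to forwarded mail from a domain that signs nothing.</p> <p>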
Yahoo, on the other hand, requires both <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="DomainKeys identified mail">DKIM</abbr> to pass regardless of the volume of messages sent. Under these policies, email from a domain that fails both authentication checks may be rejected or quarantined by these providers.</p> <p><abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> does not inspect subject lines, body text, or recipient details. It checks one thing: whether the domain in the From: header is aligned with a passing <abbr title="Sender Policy Framework">SPF</abbr> identifier (the envelope sender domain) or a passing <abbr title="DomainKeys identified mail">DKIM</abbr> identifier (the signing domain, d=), and it then applies the policy the domain owner published. Because a message passes when either aligned check succeeds, legitimate mail survives when one mechanism breaks, for example <abbr title="Sender Policy Framework">SPF</abbr> after forwarding, as long as the other holds. The reporting part of <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> (aggregate reports sent to the rua= address) shows the domain owner which sources are sending mail as their domain, which is what makes it safe to move from p=none to quarantine and then to reject.</p> <p>Just like <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="DomainKeys identified mail">DKIM</abbr>, <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> is optional and requires support from both the sending and receiving sides to effectively mitigate spoofing risks. These protocols do not encrypt message content. <abbr title="Sender Policy Framework">SPF</abbr> and <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> involve no cryptography at all; <abbr title="DomainKeys identified mail">DKIM</abbr> signs the message so that its signed headers and body cannot be altered without detection. Together they authenticate the sending domain, not the individual sender.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="1.4">1.4 Protecting your email</h2> <p>It is important for all organizations to secure email since this is essential for protecting sensitive data, including financial information and personally identifiable information. 
By adopting the recommended best practices listed in this publication and investing in email security tools (and, if needed, third-party email security services), you can strengthen your organization’s overall data privacy strategy, its security, and its resilience.</p> <h3 id="1.4.1">1.4.1 Email security best practices</h3> <p>It is important to implement robust strategies to safeguard your emails and prevent sensitive information from falling into the wrong hands. This section explores essential best practices aimed at enhancing your email security posture, thereby instilling confidence in your email communications.</p> <h4>1.4.1.1 Use email encryption and encrypted connections</h4> <p>Email encryption and encrypted connections play important roles in ensuring robust email security. Together, they safeguard sensitive information throughout the communication process. Email encryption ensures the confidentiality of email content, preventing unauthorized access even if it is intercepted during transmission. It is particularly important to encrypt email when you are transmitting sensitive or confidential information, such as financial details, legal documents, or personal data.</p> <p><abbr title="transport layer security">TLS</abbr> is used for hop-by-hop transport encryption (client to server, and server to server) and only provides security if you trust the email service provider and the servers at each hop. For instance, when using a public email service provider, such as Outlook or Gmail, <abbr title="transport layer security">TLS</abbr> will protect the email as it transits the internet, but the service provider can access all emails once they reach its servers. In contrast, <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr> offer end-to-end encryption, ensuring email content remains encrypted even on the server, providing an additional layer of security. 
These emails can only be read when a recipient downloads them onto their device and enters their decryption key or <abbr title="public key infrastructure">PKI</abbr> credential. It is essential to recognize that <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr> provide the added benefit of securing emails from potential access by the email service provider. In contrast, <abbr title="transport layer security">TLS</abbr> encryption only protects emails during transit.</p> <p>Depending on the organization’s business structure, it may be more appropriate to use a web portal protected with <abbr title="transport layer security">TLS</abbr>/HTTPS to send and receive sensitive information. This approach can provide a more user-friendly method to securely transfer important documents, rather than relying on end-users to understand and consistently apply <abbr title="pretty good privacy">PGP</abbr> or <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> encryption. In such systems, the data stored at-rest should be encrypted, ensuring security throughout its lifecycle. This hybrid approach leverages <abbr title="transport layer security">TLS</abbr> encryption for secure transmission over the internet and back-end encryption for secure storage, balancing ease of use with strong security measures.</p> <h3 id="1.4.2">1.4.2 Implement protocols to validate user identity and server identity</h3> <p>Implement protocols such as <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr> to validate user identity and ensure that the sender is indeed who they claim to be. 
<abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> and <abbr title="pretty good privacy">PGP</abbr> offer multipurpose mechanisms for validating user identity, protecting against malicious infrastructure, and ensuring email content confidentiality. <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr> relies on trust in certificate authorities (CAs) for automatic certificate management, while <abbr title="pretty good privacy">PGP</abbr> relies on direct trust relationships. Both methods encrypt and sign email content, preventing tampering. Encrypted emails are decrypted only by the recipient’s private key, ensuring email integrity.</p> <p>You should also implement server identity validation (see sections 3.4, 3.5, and 3.6 for more information) in your email systems, using robust methods beyond relying solely on email addresses or IP addresses, as both are easily spoofed. <abbr title="Sender Policy Framework">SPF</abbr>, <abbr title="DomainKeys identified mail">DKIM</abbr>, and <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> are essential protocols that enhance email security by verifying the authenticity of the sending server, ensuring the integrity of the email content, and providing policies for handling messages that fail authentication checks.</p> <h3 id="1.4.3">1.4.3 Secure the email gateway</h3> <p>Email security gateways serve as inspection points to scrutinize and filter out malware, spam, and phishing attempts. These gateways are essential email security tools and can be deployed in various forms, such as hardware appliances, virtual instances, or cloud-based services. They operate as protective barriers between an organization’s email server and the external email environment, actively inspecting incoming and outgoing emails. By effectively filtering threats like malware and ransomware, these gateways boost overall email security. 
The deployment flexibility of these gateways makes them adaptable to diverse organizational needs and environments.</p> <p>When deploying a secure email gateway, you should consider the reliability and trustworthiness of third-party vendors. You might leverage the expertise and infrastructure of external providers who specialize in email security. These vendors typically offer 2 deployment models for spam filtering and email security: hybrid and full-cloud approaches. You should evaluate which model best suits your operational needs and security requirements.</p> <h3 id="1.4.4">1.4.4 Create an email security policy</h3> <p>An email security policy serves as a comprehensive guide for managing email communications within your organization. It covers protocols for email usage, data storage, device access, and handling email security threats. These protocols are all aimed at protecting sensitive information and ensuring the integrity of communication channels. Operating as a strategic framework, the policy does not just regulate email practices; it actively promotes a culture of cyber security awareness within the organization. By securing sensitive data and strengthening communication channels, the policy plays a pivotal role in building a resilient defence against cyber threats.</p> <h3 id="1.4.5">1.4.5 Monitor email activities</h3> <p>Organizations should implement monitoring tools to track email activity and detect unusual patterns or suspicious behaviour. Regular monitoring is essential in maintaining the security of email systems, as it helps identify potential signs of a security breach. By consistently observing the activities within an email environment, organizations can detect any unusual patterns or behaviours that may indicate a compromise.</p> <p>One effective approach to enhancing email monitoring is to use security information and event management (SIEM) systems. 
<abbr title="security information and event management">SIEM</abbr>s aggregate and analyze data from various sources, providing real-time insights and alerts for any suspicious activities. By leveraging <abbr title="security information and event management">SIEM</abbr>s, you can quickly identify and respond to potential threats, minimizing the risk of a successful attack.</p> <p>Another important aspect of email security monitoring is reviewing <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> reports. By regularly reviewing <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr> reports, you can gain insights into how your email domain is being used and whether any malicious activities are occurring. These reports provide valuable information about the sources of emails claiming to be from your domain and can highlight any unauthorized senders attempting to spoof it.</p> <h3 id="1.4.6">1.4.6 Conduct regular email security audits and testing</h3> <p>Regular email security audits are essential for evaluating and addressing vulnerabilities in email security solutions and for maintaining resilience to cyber threats. This involves periodic reviews to identify weaknesses and implement necessary improvements and updates to enhance overall email security measures. This allows organizations to make prompt and proactive adjustments to maintain a secure email environment.</p> <h3 id="1.4.7">1.4.7 Keep business and personal emails separate</h3> <p>Keeping personal and professional email accounts separate helps protect sensitive business information. Using work email addresses for personal matters can expose an organization to security risks and potentially compromise confidential data. 
Similarly, using personal email addresses for work-related communications can pose security risks to your organization, as it may violate organizational policies and circumvent standard security measures.</p> <p>To mitigate these risks effectively, organizations should enforce clear policies. These policies should prohibit the use of business email accounts for personal matters and the use of personal email accounts for business activities. It is crucial to communicate these guidelines to all employees to ensure understanding and compliance.</p> <h3 id="1.4.8">1.4.8 Verify email links before you click on them</h3> <p>You should be very careful before you click on any email links or download any attachments, especially if they come from unfamiliar or suspicious sources. Take time to verify the legitimacy of links and assess the credibility of the sender by confirming that the domain name is correct or hovering over the link to see the actual address. This simple yet vital step can help you avoid falling prey to phishing scams or malware attacks and protect your personal and your organization’s information from potential security risks.</p> <h3 id="1.4.9">1.4.9 Block spam and unwanted senders</h3> <p>Blocking spam and unwanted senders is an email security practice that will help mitigate the risks associated with phishing attempts, malware distribution, and other malicious activities. You can enhance your defences by using advanced email filtering tools that analyze content and sender behavior. Update these filters regularly to ensure they are equipped with the latest threat intelligence so that they can block new spam techniques. Customize your security settings by using allow lists and deny lists, which allow trusted emails and automatically block messages from senders on deny lists. Additionally, educate your employees on identifying common spam characteristics. 
You should also review your blocked emails regularly to identify false positives and report suspicious emails for further investigation.</p> </section><section><h2 class="text-info" id="1.5">1.5 Email infrastructure security recommendations</h2> <p>The following sections provide guidance on security recommendations for your email infrastructure.</p> <h3 id="1.5.1">1.5.1 Email servers</h3> <p>Ensure email servers are configured according to security best practices, including disabling unnecessary services, using strong encryption for communication channels, and regularly applying security patches. You should also implement robust access controls to restrict who can manage and access the email server. Use multi-factor authentication (MFA) for administrative access.</p> <h3 id="1.5.2">1.5.2 Database/storage security</h3> <p>Encrypt sensitive data at rest using strong encryption algorithms to protect it from unauthorized access. Apply strict access controls to the email database/storage, limiting access to authorized personnel only. Regularly review and update access permissions. Implement regular backups of email data and ensure backups are securely stored and encrypted. Test backup restoration procedures periodically.</p> <h3 id="1.5.3">1.5.3 Physical controls</h3> <p>Secure physical access to servers hosting email infrastructure. Use access control mechanisms such as biometric scanners, security badges, and surveillance systems. 
Maintain optimal environmental conditions (for example, temperature, humidity) to ensure server reliability and longevity, and ensure that those systems are also appropriately secured.</p> <h3 id="1.5.4">1.5.4 Cloud environment considerations</h3> <p>When considering a cloud environment for your email services, it is essential to prioritize security measures to protect sensitive information effectively. Start by verifying that your chosen cloud-based email service provider adheres to industry-standard security practices. Review their certifications, such as SOC 2 and ISO 27001, and thoroughly examine their data protection policies to ensure they meet your organization’s security standards.</p> <p>Ensure that all data transmitted to and stored in the cloud is encrypted both in transit and at rest. Understand how encryption keys are managed by the cloud provider and ensure they are adequately protected to prevent unauthorized access.</p> <p>Utilize the access management tools provided by the cloud service to enforce least-privilege access principles. Implement <abbr title="multi-factor authentication">MFA</abbr> for administrative accounts to add an extra layer of security.</p> <p>Regularly audit your cloud environment to ensure compliance with your organization’s security policies and regulatory requirements. Monitor for any changes or incidents that could potentially impact the security of your email data.</p> </section><section><h2 class="text-info" id="1.6">1.6 Additional cyber security best practices to enhance email protection</h2> <p>While email security measures are vital, strengthening your organization’s cyber security requires a comprehensive approach that extends beyond email-specific strategies. 
In this section, we explore additional cyber security best practices that complement email protection efforts. By implementing these measures, you can improve your security posture and protect your digital assets from various threats.</p> <h3 id="1.6.1">1.6.1 Use unique and strong passwords or passphrases</h3> <p>Create unique and strong passwords and passphrases for your accounts. Do not repeat or reuse passwords and passphrases for multiple accounts and consider using a password manager to securely store your passwords and passphrases. You should aim to create complex and resilient passwords/passphrases, as attackers frequently exploit weak ones. For more information on best practices for passwords and passphrases, read <a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a> and <a href="/en/guidance/rethink-your-password-habits-protect-your-accounts-hackers-itsap30036">Rethink your password habits to protect your accounts from hackers (ITSAP.30.036)</a>.</p> <p>For tips on using password managers, consult <a href="/en/guidance/password-managers-security-itsap30025">Password managers: Security tips (ITSAP.30.025)</a>.</p> <h3 id="1.6.2">1.6.2 Educate and train employees</h3> <p>Employee education and security awareness training are essential components of an effective enterprise email security strategy. It is important that employees at all levels understand the value of protecting sensitive data and the repercussions of email attacks and breaches. Employees are the initial line of defence within organizations, which underscores the need for regular and comprehensive security training to mitigate the risk of human errors. 
The more knowledgeable your employees are about email security, the less likely they are to fall victim to threat actors’ tactics and to scams.</p> <p>Here are some key aspects to consider incorporating into your training:</p> <ul><li>techniques to identify and avoid phishing, ransomware, and <abbr title="business email compromise">BEC</abbr> attacks</li> <li>strategies for avoiding security threats like malware, malicious links, and attachments</li> <li>ways to ensure the security of sensitive information</li> <li>data classification and handling procedures</li> <li>tips for protecting passwords</li> <li>guidelines on responding to email account compromises and promptly reporting suspicious emails or security incidents</li> <li>risks associated with phone-number compromise (subscriber identity module (SIM) swapping)</li> <li>reasons why the crossover use of work and personal emails should be prohibited</li> <li>suitable file types for email transmission and secure file-transfer methods</li> <li>techniques for detecting social engineering attempts and for knowing what not to share through email or other communication channels</li> <li>organization-specific email security policies and industry regulations</li> </ul><p>The goal is to empower employees by providing comprehensive information and to improve organizations’ overall email security posture.</p> <h3 id="1.6.3">1.6.3 Use multi-factor authentication</h3> <p>Use <abbr title="multi-factor authentication">MFA</abbr> whenever possible to secure your email account. <abbr title="multi-factor authentication">MFA</abbr> helps prevent unauthorized access to accounts, even if your password has been compromised. While strong passwords are beneficial, <abbr title="multi-factor authentication">MFA</abbr> adds an extra layer of access control since it requires you to provide more than just a password to log in. 
<abbr title="multi-factor authentication">MFA</abbr> requires a user to provide 2 or more different authentication factors to verify their identity during a login process. These authentication factors can be a combination of something the user knows (for example, password or PIN), something the user has (for example, a smart card or a security key), or something the user is (biometric features such as fingerprint or face scan). This makes it harder for threat actors to gain unauthorized access to your accounts, especially email containing sensitive information.</p> <p>Phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> refers to multi-factor authentication methods that are designed to be resilient against phishing attacks. These methods typically do not rely on shared secrets like passwords or codes that can be intercepted or stolen through phishing. Instead, they use cryptographic authentication that does not expose reusable credentials to service providers or attackers.</p> <p>One example of phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> technology is Fast Identity Online (FIDO) based solutions. 
<abbr title="Fast Identity Online">FIDO</abbr> uses cryptographic login credentials that are unique to each website and are never stored on a server.</p> <p>To learn more about <abbr title="multi-factor authentication">MFA</abbr>, read our publications <a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a> and <a href="/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105">Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)</a>.</p> <h3 id="1.6.4">1.6.4 Keep software and operating systems updated</h3> <p>Regularly updating your email security software, anti-virus programs, and operating systems (OS) is important to bolster the security of your email system and protect against identified vulnerabilities. Threat actors often capitalize on weaknesses in outdated software to attain unauthorized access, steal data, or damage your computer. Since major operating systems usually have built-in anti-virus software, you should enable automatic updates for the operating system and any supplementary anti-virus tools to ensure you have the latest security patches. For more information on the importance of updates, read our publication <a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a>.</p> <h3 id="1.6.5">1.6.5 Connect to reliable Wi-Fi networks</h3> <p>Whenever possible, you should refrain from using public Wi-Fi for email communication. These networks are enticing targets for hackers, who may try to access or steal sensitive information when you are online. If you must connect to public Wi-Fi, exercise caution to prevent threat actors from intercepting your email data. Be selective about the Wi-Fi networks to which you connect. 
Prioritize public Wi-Fi networks that use secure encryption, such as Wi-Fi protected access 3 (WPA3) or, even better, WPA3 with simultaneous authentication of equals-public key (SAE-PK) when possible. If you need to access sensitive email information, use a virtual private network (VPN) to establish a secure connection and protect data. However, you should be aware that not all VPN services offer the same level of trustworthiness. You should choose a VPN provided by a trusted organization rather than relying on publicly available VPN services. For more on Wi-Fi security, read our publications <a href="/en/guidance/wi-fi-security-itsp80002">Wi-Fi security (ITSP.80.002)</a> and <a href="/en/guidance/protecting-your-organization-while-using-wi-fi-itsap80009">Protecting your organization while using Wi-Fi (ITSAP.80.009)</a>.</p> <h3 id="1.6.6">1.6.6 Create an incident response plan</h3> <p>Organizations should develop and regularly update an incident response plan that includes responding to email security incidents. This plan should outline the specific actions to be taken in the event of an email security incident. This includes isolating affected systems to prevent further damage, identifying and mitigating vulnerabilities that may have been exploited, and notifying relevant stakeholders, such as <abbr title="information technology">IT</abbr> teams, management, and possibly even affected users. For information on how to create an incident response plan, read our publication <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a>.</p> <h3 id="1.6.7">1.6.7 Back up important files</h3> <p>Ensure the security and availability of your emails by routinely backing them up to protect against accidental deletion, hardware failures, or security breaches. Explore cloud-based backup solutions, local backup, or isolated solutions to identify what aligns best with your organization’s needs. 
Consider backing up critical files in multiple locations and in backup systems isolated from the primary network. This will prevent ransomware or other malware from easily spreading to the backup infrastructure. Conduct regular restoration exercises to verify the integrity and effectiveness of your backup systems. This practice helps identify any potential issues in the backup process and ensures a smooth recovery in the event of a cyber attack. For guidance on backing up your files, read our publication <a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information (ITSAP.40.002)</a>.</p> </section><section><h2 class="text-info" id="1.7">1.7 Engaging with email security experts</h2> <p>Organizations seeking advanced email protection or those that do not have the in-house expertise should consider engaging with a reputable email security expert or adopting a cloud-based solution. Third-party email security service providers can offer a multilayered defence solution with advanced threat intelligence, robust filtering, real-time monitoring, proactive threat detection, and rapid response capabilities. These services can include detailed reporting and analytics to support compliance efforts, identify vulnerabilities, and provide insights into email security trends. For some organizations, outsourcing can help optimize resource allocation, reduce the burden on internal teams, and ensure a comprehensive defence against cyber threats.</p> <p>To ensure that third-party email security services adequately protect your email and sensitive information, apply a supply-chain-integrity analysis. This involves conducting thorough assessments and due diligence on the provider’s security practices, infrastructure, and adherence to industry standards and regulations. 
Verify the provider’s track record, certifications, and any relevant security audits or assessments. This process ensures that third-party services will sufficiently safeguard your data, reducing risks associated with outsourcing. For more on supply chain integrity, read our publications <a href="/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a> and <a href="/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071">Protecting your organization from software supply chain threats (ITSM.10.071)</a>.</p> <p>Below is a list of the various types of email security services to consider.</p> <h3 id="1.7.1">1.7.1 Detonation and email sandboxing</h3> <p>In the context of email security, detonation involves executing potentially harmful email attachments or links within a controlled environment to analyze their behavior and determine if they pose a threat. This process, also known as email sandboxing, occurs within a secure and isolated environment and allows security professionals to scrutinize suspicious files without risking harm to the organization’s network or systems. By observing the attachment’s actions in this controlled setting, security teams gather valuable intelligence to better understand and mitigate cyber security risks.</p> <h3 id="1.7.2">1.7.2 Content control</h3> <p>Content control in email security services involves the use of advanced technologies like <abbr title="artificial intelligence">AI</abbr> and machine learning (ML) to analyze email content for unsafe patterns. These services can identify and block various types of potentially harmful content. Specifically, image and content control capabilities focus on scanning attached or embedded images and content within emails. 
By leveraging <abbr title="artificial intelligence">AI</abbr> and ML, these services can detect malware in images and content and prevent their download or execution.</p> <p>Spam and phishing filters are designed to automatically identify and block potentially malicious emails. Third-party services enhance spam and phishing detection by employing advanced algorithms and threat intelligence to analyze email content and sender behavior so that phishing attempts can be identified and blocked before they reach users’ inboxes. These filters also block emails with attachments attempting to access system registries or sensitive folders, as well as those trying to communicate with external IP addresses or download files from external sources. Overall, these measures contribute to a strong defence against spam, phishing, and potential security threats in email communications.</p> <p>In addition to <abbr title="artificial intelligence">AI</abbr>, <abbr title="machine learning">ML</abbr>, and spam and phishing filters, you can leverage the following traditional methods for effective email content filtering and to block or quarantine suspicious attachments or file types:</p> <ul><li>Use email server features to block or quarantine suspicious attachments or file types</li> <li>Implement allow lists to permit only safe file types, thereby enhancing security</li> <li>Automatically convert MS Office documents or other types of documents containing macros to safer formats like PDF to mitigate the risks associated with malicious macros</li> <li>Remove or disable active content to prevent exploitation</li> <li>Deploy anti-virus and anti-malware software to scan email attachments for threats, including archive files like Zip, Rar, and 7zip, which may be quarantined or removed if encrypted</li> <li>Disable macros in MS Office documents if they are allowed, as macros are a common attack vector</li> </ul><h3 id="1.7.3">1.7.3 Authentication systems</h3> <p>Authentication systems are 
essential for defending against spoofed emails, ensuring the legitimacy of senders, and mitigating various cyber threats.</p> <p>Anti-spoofing tools use email authentication protocols to prevent impersonation attacks and flag or reject suspicious messages. Third-party services support organizations in implementing and managing authentication protocols such as <abbr title="Sender Policy Framework">SPF</abbr>, <abbr title="DomainKeys identified mail">DKIM</abbr>, and <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr>. The primary aim is to prevent domain spoofing, flag or reject suspicious messages, and guarantee the authenticity of email communication, thereby reducing the risk of cyber threats.</p> <h3 id="1.7.4">1.7.4 Email encryption</h3> <p>Email encryption is a security measure that uses encryption techniques to effectively mitigate the risk of email interception. Encrypted emails, which can only be read by authorized senders and recipients, play a pivotal role in preventing unauthorized access to and interception of sensitive information.</p> <p>Email security service providers offer strong email encryption solutions to enhance the security of your sensitive information during transmission. These solutions encompass a range of encryption protocols and advanced push-and-pull encryption methods. With push encryption, emails are converted into encrypted files attached to another email, ensuring secure transit and restricting access to authorized recipients. Pull encryption enables secure email retrieval from a designated portal, ensuring access solely for individuals with the appropriate credentials. These measures collectively safeguard your emails from unauthorized access and ensure the confidentiality of your communications.</p> <h3 id="1.7.5">1.7.5 Email security gateways</h3> <p>Email security gateways are another service offered by email security experts. 
By deploying these gateways, email security experts ensure that all incoming and outgoing emails are thoroughly inspected, blocking malicious content and safeguarding your communication channels.</p> <h3 id="1.7.6">1.7.6 Continuous monitoring</h3> <p>There are email security services that continuously monitor and gather threat intelligence to help defend against emerging threats and vulnerabilities. These services actively monitor the email landscape, watch for new attack vectors, and adapt quickly to evolving risks. By using threat intelligence, they are better able to deliver timely and effective protection against emerging cyber threats.</p> <h3 id="1.7.7">1.7.7 Reporting and analytics</h3> <p>Email security tools that provide reporting and analytics include features for monitoring email traffic and tracking security incidents. Through these capabilities, organizations acquire valuable insights into potential security threats, which allow them to proactively address vulnerabilities. The tools produce detailed reports that provide a comprehensive view of the email security landscape and help organizations identify patterns, trends, and areas that may need additional attention.</p> </section><section><h2 class="text-info" id="1.8">1.8 Summary</h2> <p>It is important for your organization to safeguard emails containing sensitive data, including financial records, proprietary information, and customer and employee details. One key way of doing this is to implement comprehensive email security best practices, including elements such as encryption, authentication, secure gateways, monitoring, and regular audits. 
Adopting these practices not only ensures a robust defence against potential breaches, but also protects the confidentiality of sensitive information during email transmission.</p> <p>Email security protocols, including <abbr title="transport layer security">TLS</abbr>, <abbr title="secure/multipurpose internet mail extensions">S/MIME</abbr>, <abbr title="Sender Policy Framework">SPF</abbr>, <abbr title="DomainKeys identified mail">DKIM</abbr>, and <abbr title="domain-based message authentication, reporting, and conformance">DMARC</abbr>, play pivotal roles in strengthening email communication security. These protocols address diverse aspects of cyber security, such as encryption, authentication, and protection against phishing and spoofing attempts.</p> <p>Adhering to these security protocols and the best practices covered in this document will help your organization establish a trustworthy communication environment, especially in transactions involving sensitive data. Collectively, they can help strengthen your organization’s overall data privacy strategy, improve its security posture, and increase resilience. By prioritizing email security, organizations not only instill confidence in stakeholders but also foster a culture of cyber security awareness and maintain a proactive stance against emerging cyber threats.</p> </section></div> </div> </div> </div> </div> </article>
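Sections 1.4.5 and 1.7.3 above recommend reviewing DMARC aggregate reports to spot unauthorized senders using your domain. The script below is an added example, not code from the Cyber Centre publication: it parses a constructed aggregate (RUA) report in the RFC 7489 XML format and sorts sending sources into DMARC pass, DMARC fail (likely spoofing) and "DKIM passes but SPF fails" (typically forwarding or a relay missing from the SPF record). The domain, IP addresses, counts and report ID in the sample are all made up.

```python
"""Summarize a DMARC aggregate (RUA) report to find unauthorized senders.

Added example for the DMARC report review recommended in sections 1.4.5 and
1.7.3; not code from the original publication.  SAMPLE_RUA_XML is a
constructed report: domains, IPs, counts and report_id are invented.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a legitimate relay (aligned DKIM+SPF pass), an unknown
# host that fails both checks, and a forwarder that keeps DKIM but breaks SPF.
SAMPLE_RUA_XML = """<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.test</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.test</domain><result>pass</result></dkim>
      <spf><domain>example.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results>
      <spf><domain>unknown-relay.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.test</domain><result>pass</result></dkim>
      <spf><domain>forwarder.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def parse_rua(xml_text):
    """Return (published policy dict, list of per-source records)."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    published = {c.tag: c.text for c in policy} if policy is not None else {}
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated holds the *aligned* results, which is what DMARC uses
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return published, records


def summarize(xml_text):
    """Classify every source: DMARC passes if either aligned check passes."""
    published, records = parse_rua(xml_text)
    summary = {"domain": published.get("domain"), "policy": published.get("p"),
               "total": 0, "dmarc_pass": 0, "dmarc_fail": 0,
               "unauthorized_sources": [], "forwarded_or_misconfigured": []}
    for r in records:
        summary["total"] += r["count"]
        if r["dkim_aligned"] or r["spf_aligned"]:
            summary["dmarc_pass"] += r["count"]
            if not r["spf_aligned"]:  # DKIM carried it; SPF record may be missing a relay
                summary["forwarded_or_misconfigured"].append(r["source_ip"])
        else:
            summary["dmarc_fail"] += r["count"]
            summary["unauthorized_sources"].append(r["source_ip"])
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RUA_XML).items():
        print(f"{key}: {value}")
```

Sources in `unauthorized_sources` are the ones to investigate first: they sent mail with your domain in the From header and passed neither aligned check, so under a `p=quarantine` or `p=reject` policy they are being filtered by receivers, and under `p=none` they are reaching inboxes unchallenged. Sources in `forwarded_or_misconfigured` usually need an SPF record update or confirmation that they are known forwarders rather than a policy change.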
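Section 1.7.2 above lists traditional attachment controls for a gateway: an allow list of file types, quarantining archives that cannot be scanned because they are encrypted, and blocking documents that carry macros. The code below is an added example, not code from the Cyber Centre publication or from any gateway product; it implements those rules as a policy function and runs it over attachments constructed in memory. The extension lists and the decision names (`allow`, `quarantine`, `block`) are assumptions chosen for the example.

```python
"""Attachment policy checks of the kind a secure email gateway applies.

Added example for section 1.7.2 (content control); not code from the original
publication.  Rules: extension allow list, block macro-enabled or legacy
Office formats, block content whose magic bytes contradict the extension,
block OOXML documents that embed a VBA project, quarantine encrypted archives.
All sample attachments are constructed in memory; the lists are assumptions.
"""
import io
import zipfile

ALLOWED_EXTENSIONS = {"pdf", "txt", "csv", "docx", "xlsx", "pptx", "zip", "png", "jpg"}
MACRO_ENABLED_EXTENSIONS = {"docm", "xlsm", "pptm", "doc", "xls", "ppt"}
ZIP_BASED = {"zip", "docx", "xlsx", "pptx"}  # OOXML documents are zip containers

# Leading bytes used to catch content renamed to an allowed extension.
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"MZ": "exe", b"PK\x03\x04": "zip"}


def sniff(data):
    """Identify content by magic bytes; 'unknown' when no signature matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_findings(data):
    """Return (has_macro, is_encrypted) for a zip-based attachment."""
    has_macro = is_encrypted = False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    is_encrypted = True
                if info.filename.lower().endswith("vbaproject.bin"):  # VBA macro project
                    has_macro = True
    except zipfile.BadZipFile:
        return False, False
    return has_macro, is_encrypted


def evaluate(filename, data):
    """Return (decision, reason) where decision is allow, quarantine or block."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_ENABLED_EXTENSIONS:
        return "block", "macro-enabled or legacy Office format"
    if ext not in ALLOWED_EXTENSIONS:
        return "block", f"extension .{ext} is not on the allow list"
    kind = sniff(data)
    if kind != "unknown":
        expected = "zip" if ext in ZIP_BASED else ext
        if kind != expected:
            return "block", f"content looks like {kind} but the extension is .{ext}"
    if ext in ZIP_BASED:
        has_macro, is_encrypted = zip_findings(data)
        if has_macro:
            return "block", "document embeds a VBA macro project"
        if is_encrypted:
            return "quarantine", "encrypted archive cannot be scanned"
    return "allow", "passed attachment policy"


# --- constructed samples -------------------------------------------------
def build_docx(with_macro):
    """Minimal OOXML-like zip; with_macro adds the entry real macro files use."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed")
    return buf.getvalue()


def build_encrypted_zip():
    """zipfile cannot write encrypted entries, so flip the encryption flag bit
    in the central directory of a plain zip (enough to exercise the check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF constructed")
    data = bytearray(buf.getvalue())
    central = data.find(b"PK\x01\x02")  # central directory header signature
    data[central + 8] |= 0x1            # general-purpose flag field, bit 0
    return bytes(data)


SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.4\n% constructed minimal body\n"),
    ("invoice.pdf", b"MZ\x90\x00 constructed PE header"),
    ("memo.docx", build_docx(with_macro=False)),
    ("memo_macro.docx", build_docx(with_macro=True)),
    ("quarterly.xlsm", b"PK\x03\x04 constructed"),
    ("archive.zip", build_encrypted_zip()),
    ("setup.exe", b"MZ constructed"),
]


def scan_all():
    """Decision per sample attachment name."""
    return {name: evaluate(name, data)[0] for name, data in SAMPLE_ATTACHMENTS}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        print(f"{name:18} -> {evaluate(name, data)}")
```

The magic-byte check matters because an extension allow list on its own is trivially bypassed by renaming; the macro check inspects the container rather than trusting `.docx`, since a renamed `.docm` still carries `vbaProject.bin`. Real gateways add anti-virus scanning and document conversion on top of these rules, as the section notes.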

  • Services and tools catalogue for critical infrastructure
    by Canadian Centre for Cyber Security on August 22, 2025 at 3:41 pm

    <article data-history-node-id="6473" about="/en/guidance/hidden/services-tools-catalogue-critical-infrastructure" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) supports a wide range of Canadian industries and sectors to help strengthen their cyber security posture. This page highlights the services and tools offered to these industries and sectors.</p> <h2>On this page</h2> <ul><li><a href="#otsat">Onboarding to services and tools</a> <ul><li><a href="#ccstci">Cyber Centre support to critical infrastructure</a></li> <li><a href="#ropt">Role of Partnerships team</a></li> </ul></li> <li><a href="#csg">Cyber security guidance</a></li> <li><a href="#csr">Cyber security readiness</a></li> <li><a href="#sat">Services and tools</a></li> <li><a href="#eac">Education and community</a></li> <li><a href="#atlp">Appendix: Traffic Light Protocol (<abbr title="Traffic light protocol">TLP</abbr>)</a></li> </ul><h2 id="otsat">Onboarding to services and tools</h2> <p>This section describes the Cyber Centre’s cyber security mandate and the role of the Partnerships team to support Canadian critical infrastructure (CI).</p> <h3 id="ccstci">Cyber Centre support to critical infrastructure</h3> <p>The Cyber Centre is part of the Communications Security Establishment Canada (CSE) and is Canada’s technical authority on cyber security. 
The Cyber Centre is the single unified source of cyber expert advice, guidance, services and support for Canadians and Canadian organizations.</p> <p>Under Section 17 of the <em><abbr title="Communications Security Establishment Canada">CSE</abbr> Act</em>, the Cyber Centre is authorized to provide cyber security and information assurance to help protect the electronic information or information infrastructures of federal institutions and designated systems of importance (SOI). <abbr title="Systems of importance">SOI</abbr> refers to Canadian organizations or entities that have been officially designated by the Cyber Centre as providing or supporting <abbr title="critical infrastructure">CI</abbr>.</p> <p>With access to unique foreign intelligence, the Cyber Centre can stay ahead of emerging threats. Its objective is to raise Canada’s cyber security bar so that Canadians can live and work online safely and with confidence.</p> <h3 id="ropt">Role of the Partnerships team</h3> <p>The Partnerships team within the Cyber Centre promotes cyber resilience among Canadian <abbr title="critical infrastructure">CI</abbr> organizations by offering services and tools. Generally, these services and tools can be accessed online without pre-registration. 
However, certain tools require an onboarding process, which involves:</p> <ul><li>designating a Canadian <abbr title="critical infrastructure">CI</abbr> organization as a <abbr title="system of importance">SOI</abbr></li> <li>enabling access to the services and tools</li> </ul><p>To get onboarded, contact the Partnerships team by email at <a href="mailto:partnerships-partenariats@cyber.gc.ca">partnerships-partenariats@cyber.gc.ca</a>.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h2 id="csg">Cyber security guidance</h2> <p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span> <span class="label label-success">public organizations</span></p> <p>The Cyber Centre is the central knowledge base and provider of advice and guidance for cyber security best practices, security architecture, emerging technologies and threat assessments. 
An organization’s cyber security posture can be improved by following the Cyber Centre’s expert advice and guidance.</p> <p>The Cyber Centre publishes relevant advice and guidance on topics that keep <abbr title="critical infrastructure">CI</abbr> partners informed, such as:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/how-identify-misinformation-disinformation-and-malinformation-itsap00300">How to identify misinformation, disinformation and malinformation (ITSAP.00.300)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-threats-elections">Cyber threats to elections</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-threat-canadas-electricity-sector">Cyber threat bulletin: The cyber threat to Canada’s electricity sector</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessments">National Cyber Threat Assessments</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a></li> </ul><p>In addition to publications, the Cyber Centre can provide tailored advice and guidance on a wide variety of cyber security topics, for example:</p> <ul><li>cyber security best practices</li> <li>protecting enterprise information</li> <li>security architecture</li> <li>emerging technologies</li> <li>cross-domain solutions</li> <li>security assessment and authorization</li> <li>electronic emissions security</li> <li>cloud security</li> </ul><p>The Cyber Centre may not be able to provide specific, tailored advice for all requests. 
Instead, organizations will be directed to existing and related advice and guidance from the Cyber Centre or partner agencies.</p> <p>To find publications and subscribe to the web feed, browse the <a href="http://www.cyber.gc.ca/en/guidance">Cyber Centre’s security guidance</a>.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h2 id="csr">Cyber security readiness</h2> <p>The Cyber Centre provides resources to help Canadian organizations and <abbr title="critical infrastructure">CI</abbr> increase their cyber security readiness.</p> <h3>Cyber Security Readiness Goals</h3> <p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span> <span class="label label-success">public organizations</span></p> <p>Implement foundational cyber security practices to strengthen an organization’s cyber security posture.</p> <p>The cross-sector Cyber Security Readiness Goals (CRGs) consist of 36 foundational, realistic and achievable goals. The <abbr title="Cyber Security Readiness Goals">CRGs</abbr> are intended for use by Canadian organizations regardless of size or sector and can also be leveraged by all <abbr title="critical infrastructure">CI</abbr> operators. Each goal is linked to concrete recommended actions that, if taken, will elevate the cyber security posture of Canadian organizations and <abbr title="critical infrastructure">CI</abbr>.</p> <p>The <abbr title="Cyber Security Readiness Goals">CRGs</abbr> provide a self-assessment toolkit that organizations can use to track their progress to improve their cyber security posture. 
The <abbr title="Cyber Security Readiness Goals">CRGs</abbr> can help management and executives make informed decisions and prioritize investments in cyber security.</p> <h4>More information</h4> <ul><li><a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals</a></li> <li><a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-Sector Cyber Security Readiness Goals Toolkit</a></li> <li><a href="https://www.cyber.gc.ca/en/cyber-security-readiness">Cross-Sector Cyber Security Readiness</a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h2 id="sat">Services and tools</h2> <p>The Cyber Centre contributes to improving the cyber security ecosystem by releasing some of its cyber resilience tools to the open-source community.</p> <div class="btn-group mrgn-tp-sm mrgn-bttm-md"><button class="btn btn-primary wb-toggle" data-toggle="{&quot;selector&quot;: &quot;details&quot;, &quot;print&quot;: &quot;on&quot;, &quot;stateOn&quot;: &quot;on&quot;, &quot;stateOff&quot;: &quot;off&quot;, &quot;parent&quot;: &quot;#expands-collapse&quot;}" type="button">Expand | collapse all</button></div> <div id="expands-collapse"> <details><summary><h3>Alerts and advisories</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span> <span class="label label-success">public organizations</span></p> <p>Be informed of cyber vulnerabilities and threats affecting Canada’s <abbr title="critical infrastructure">CI</abbr>. 
The Cyber Centre issues alerts and advisories on potential, imminent or actual cyber vulnerabilities affecting Canada’s <abbr title="critical infrastructure">CI</abbr>.</p> <p>Alerts raise awareness of recently identified cyber threats that may impact cyber information assets. Alerts also provide additional detection and mitigation advice. An alert can be viewed as an advanced advisory for products that need more amplification because:</p> <ul><li>they are broadly used</li> <li>the impact is critical, or</li> <li>an active exploitation has been reported</li> </ul><p>Advisories are the first level of the Cyber Centre’s cyber threat communications and are the most frequently produced. They are used to communicate information about product vulnerabilities and software security updates. They are published when specific trigger criteria are met to provide a timely report on current vulnerabilities and available updates. All advisories are published on the Cyber Centre’s website. They can also be accessed through <abbr title="really simple syndication">RSS</abbr> web feeds.</p> <p>Browse the <a href="https://www.cyber.gc.ca/en/alerts-advisories">Cyber Centre’s alerts and advisories</a>.</p> </details><details><summary><h3>Automated malware detection and file analysis</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span> <span class="label label-success">public organizations</span></p> <p>Use Cyber Centre resources to automate the detection and analysis of malware. The Cyber Centre provides a free, open-source tool and service called Assemblyline that detects and analyzes malicious files.</p> <h4>Assemblyline</h4> <p>Assemblyline is a tool designed to help cyber defence teams automate the detection and analysis of malicious files. 
The tool recognizes when a large volume of files is received within the system and can automatically rebalance its workload. Users can add their own analytics, such as antivirus products or custom-built software, into Assemblyline. The tool is designed to be customized by the user and provides a robust interface for security analysts. Organizations can host their own instance of Assemblyline to set up a malware sandbox and integrate it into their existing cyber defence technologies.</p> <h4>Assemblyline Malware web portal</h4> <p>Assemblyline Malware is the Cyber Centre’s online suspicious binary file analysis service. It is a Cyber Centre implementation of the Assemblyline file and malware analysis system. This service allows partners to disclose and exchange malware samples with the Cyber Centre. It allows for timely and automated results that an organization can integrate into its internal cyber triage processes. The report for a submission (file, URL, or hash) generates a score and alerts the analyst of potentially malicious intent. 
The detailed report view provides additional details, such as:</p> <ul><li>Internet Protocol (IP) addresses</li> <li>embedded URLs</li> <li>extracted files</li> <li>attributions and other service results if present in the submission</li> </ul><h4>More information</h4> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/assemblyline">Assemblyline</a></li> <li>Free download <a href="https://github.com/CybercentreCanada/assemblyline-v4-service">GitHub: Cyber Centre Assemblyline</a></li> <li><a href="https://malware.cyber.gc.ca/">Assemblyline Malware web portal login</a></li> <li>SANS blog with installation walk-through <a href="https://isc.sans.edu/diary/Assemblyline as a Malware Analysis Sandbox/29510">Assemblyline as a Malware Analysis Sandbox</a></li> </ul></details><details><summary><h3>Automated sharing of indicators of compromise (Aventail)</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span></p> <p>Access Cyber Centre indicators of compromise (IoCs) and automate their intake into your infrastructure.</p> <p>Aventail is a platform for real-time sharing of <abbr title="indicators of compromise">IoCs</abbr> and supplies high-confidence <abbr title="indicators of compromise">IoCs</abbr> discovered by the Cyber Centre that may indicate potential intrusions on a host system or network. This service provides partners with prompt information to identify and prevent cyber attacks. 
Using a threat intelligence platform, Aventail’s vetted, high-confidence <abbr title="indicators of compromise">IoCs</abbr> may be paired with mitigation actions to automate part of network defence by blocking traffic to or from known malicious sites.</p> <p>Aventail comes in 2 versions:</p> <h4>Machine-to-machine</h4> <p>Machine-to-machine (M2M) is a feed of validated <abbr title="indicators of compromise">IoCs</abbr> shared through standardized cyber threat intelligence formats and protocols, such as Structured Threat Information Expression (STIX), Trusted Automated Exchange of Intelligence Information (TAXII 1 and 2) and the Malware Information Sharing Platform (MISP). The feed also carries information shared by other government partners, for example, <abbr title="Computer Emergency Response Teams">CERTs</abbr>. Aventail-<abbr title="Machine-to-machine">M2M</abbr> integrates directly with several commercial security products, such as:</p> <ul><li>threat intelligence platforms</li> <li>security information and event management (SIEM) platforms</li> <li>firewalls</li> </ul><p>Aventail-<abbr title="Machine-to-machine">M2M</abbr> allows for the automated and secure exchange of <abbr title="indicators of compromise">IoCs</abbr> from the Cyber Centre.</p> <h4>Aventail web platform</h4> <p>The Aventail web platform hosts the same information provided by the automated <abbr title="machine-to-machine">M2M</abbr> service, but in a more user-friendly, visual interface. <abbr title="indicators of compromise">IoCs</abbr> can be exported in a variety of formats and imported directly into commercial security products. 
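The M2M feed described above is consumed by software, so it is worth seeing what a consumer actually has to do with a STIX indicator bundle before it can drive blocking. The following is an added example, not Cyber Centre or Aventail code, and it makes no claim about the exact shape of the Aventail feed: the bundle, the indicator IDs, the addresses (documentation ranges) and the connection-log format are all constructed here for illustration, and the consumer uses only the Python standard library. It keeps only the network-actionable indicators, honours the STIX `revoked` flag and `valid_until` window so that a withdrawn IoC cannot keep blocking legitimate traffic, reports patterns it cannot act on rather than guessing, and then matches the resulting blocklist against sample connection logs.

```python
"""Consume a STIX 2.1 indicator bundle (as an M2M feed would deliver over TAXII),
build a network blocklist from the indicators that are still valid, and match it
against connection logs. Added example with constructed data, not Aventail code."""
import json
import re
from datetime import datetime, timezone


def _indicator(n, name, pattern, **extra):
    """Build a minimal STIX 2.1 indicator object (constructed sample data)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--0f1e2d3c-0000-4000-8000-00000000000{n}",
            "created": "2025-08-01T00:00:00.000Z", "modified": "2025-08-01T00:00:00.000Z",
            "name": name, "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2025-08-01T00:00:00Z", **extra}


# Constructed bundle: one live IP, one live domain, one expired IP, one file hash
# (not network-actionable) and one revoked IP. Addresses are documentation ranges.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0f1e2d3c-0000-4000-8000-000000000001",
    "objects": [
        _indicator(2, "C2 server", "[ipv4-addr:value = '198.51.100.7']"),
        _indicator(3, "Phishing domain", "[domain-name:value = 'Login-Update.Example']"),
        _indicator(4, "Expired sinkhole", "[ipv4-addr:value = '203.0.113.9']",
                   valid_from="2024-01-01T00:00:00Z", valid_until="2024-06-30T00:00:00Z"),
        _indicator(5, "Dropper hash", "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"),
        _indicator(6, "Withdrawn", "[ipv4-addr:value = '192.0.2.44']", revoked=True),
    ],
})

# The only STIX comparison expressions a network control can act on directly.
# Compound patterns, file hashes, etc. are reported as skipped, never guessed at.
_NETWORK_PATTERN = re.compile(
    r"^\[(?P<kind>ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'(?P<value>[^']+)'\]$"
)


def _stix_time(stamp):
    """Parse a STIX timestamp (RFC 3339 UTC with a 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def build_blocklist(bundle_json, now=None):
    """Return (blocklist, skipped_ids). blocklist maps each observable kind to a
    set of lower-cased values; revoked and expired indicators are dropped."""
    now = now or datetime.now(timezone.utc)
    blocklist = {"ipv4-addr": set(), "ipv6-addr": set(), "domain-name": set(), "url": set()}
    skipped = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("valid_until") and _stix_time(obj["valid_until"]) <= now:
            continue
        match = _NETWORK_PATTERN.match(obj.get("pattern", "").strip())
        if obj.get("pattern_type", "stix") != "stix" or match is None:
            skipped.append(obj["id"])
            continue
        blocklist[match["kind"]].add(match["value"].lower())
    return blocklist, skipped


# Constructed connection log: "<timestamp> <src> -> <dst IPv4>:<port> [sni=<name>]"
SAMPLE_LOG = """\
2025-08-22T14:00:01Z 10.0.0.5 -> 198.51.100.7:443
2025-08-22T14:00:02Z 10.0.0.6 -> 192.0.2.44:443
2025-08-22T14:00:03Z 10.0.0.7 -> 203.0.113.9:80
2025-08-22T14:00:04Z 10.0.0.8 -> 192.0.2.10:443 sni=login-update.example
2025-08-22T14:00:05Z 10.0.0.9 -> 192.0.2.10:443 sni=www.example.com
"""
_LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)(?: sni=(?P<sni>\S+))?$"
)


def match_log(log_text, blocklist):
    """Return [(timestamp, src, matched_value)] for connections to a blocked
    destination address or a blocked server name; malformed lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if m is None:
            continue
        if m["dst"] in blocklist["ipv4-addr"] or m["dst"] in blocklist["ipv6-addr"]:
            hits.append((m["ts"], m["src"], m["dst"]))
        elif m["sni"] and m["sni"].lower() in blocklist["domain-name"]:
            hits.append((m["ts"], m["src"], m["sni"].lower()))
    return hits


if __name__ == "__main__":
    bl, skipped = build_blocklist(SAMPLE_BUNDLE)
    print("blocked IPv4:", sorted(bl["ipv4-addr"]))
    print("blocked domains:", sorted(bl["domain-name"]))
    print("not network-actionable:", skipped)
    for hit in match_log(SAMPLE_LOG, bl):
        print("HIT", *hit)
```

Run as written, the expired and revoked addresses never reach the blocklist, the file-hash indicator is listed as skipped so an analyst can route it to endpoint tooling instead, and only the two connections to the live IoCs are reported. The same validity and revocation handling is what you want in front of any firewall or SIEM integration of an automated feed: the value of a high-confidence feed is lost if stale entries are applied indefinitely.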
The Aventail web platform also gives partners the ability to view and manage their <abbr title="machine-to-machine">M2M</abbr> connections.</p> </details><details><summary><h3>Common criteria</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span> <span class="label label-success">public organizations</span></p> <p>Improve your security posture by deploying certified cyber security products. Certified products have been tested by accredited commercial laboratories against internationally recognized standards.</p> <p>The Cyber Centre operates the Canadian Common Criteria program, which is a member of the international Common Criteria Recognition Arrangement (CCRA). The <abbr title="Common Criteria Recognition Arrangement">CCRA</abbr> is an agreement among more than 30 countries that mutually recognize one another’s certifications, allowing <abbr title="critical infrastructure">CI</abbr> organizations to procure from an extensive list of certified products. Technologies on the list include:</p> <ul><li>firewalls</li> <li>routers</li> <li>printers</li> <li>mobility devices</li> <li>systems, software applications, and more</li> </ul><p>Vendors, working with an independent testing laboratory, have their products evaluated against international standards and detailed security specifications designed by technical communities. 
These efforts are overseen by a national certification body which publishes the results of the evaluation.</p> <h4>More information</h4> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/common-criteria">Canadian Common Criteria program</a></li> <li><a href="https://www.commoncriteriaportal.org/index.cfm">The Common Criteria program</a></li> <li>For questions about the Canadian Common Criteria program or products, please email <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</li> </ul></details><details><summary><h3>Cryptographic Module Validation Program</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span> <span class="label label-success">public organizations</span></p> <p>Employ secure cryptography in your organization by selecting products certified by the Cryptographic Module Validation Program (CMVP).</p> <p>The <abbr title="Cryptographic module validation program">CMVP</abbr> is a joint effort between the U.S. National Institute of Standards and Technology (NIST) and the Cyber Centre. The <abbr title="Cryptographic module validation program">CMVP</abbr> validates the cryptography within <abbr title="Information Technology">IT</abbr> products using the 140 series of the Federal Information Processing Standards (FIPS). The <abbr title="Cryptographic module validation program">CMVP</abbr> relies on accredited commercial labs to perform testing against the standards.</p> <p>Procuring and deploying <abbr title="Federal Information Processing Standards">FIPS</abbr>-validated products ensures that organizations are using Cyber Centre–recommended cryptographic algorithms that have been implemented correctly. Deploying <abbr title="Federal Information Processing Standards">FIPS</abbr>-validated products also follows the Cyber Centre’s best practices for cryptography. 
As part of the effort to ensure that <abbr title="Government of Canada">GC</abbr> networks are quantum-ready, the <abbr title="Cryptographic module validation program">CMVP</abbr> will be validating modules that implement <abbr title="National Institute of Standards and Technology">NIST</abbr>’s quantum-resistant cryptographic standards.</p> <h4>More information</h4> <ul><li><a href="http://www.cyber.gc.ca/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program (CMVP)</a></li> <li>For questions about the <abbr title="Cryptographic module validation program">CMVP</abbr>, please email <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</li> </ul></details><details><summary><h3>Cyber incident handling support</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span> <span class="label label-success">public organizations</span></p> <p>Use Cyber Centre resources for assistance in handling cyber incidents to minimize victim impacts and disruptions to business operations.</p> <p>The Cyber Centre receives reports on cyber incidents from various sources. With permission, the Cyber Centre shares the information, without attribution, to trusted partners and communities. The Cyber Centre offers technical advice and support to help mitigate the impact of the incident, facilitate recovery and strengthen overall cyber security posture. It assists in strategic coordination, ensuring that response efforts are aligned and collaborative. 
The Cyber Centre also shares critical threat intelligence to prevent further incidents.</p> <p>To report a cyber incident, use <a href="http://www.cyber.gc.ca/en/incident-management">Report a cyber incident</a>.</p> </details><details><summary><h3>Cyber Security Audit Program</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span></p> <p>Assess the extent to which cyber security governance, policy compliance, risk management and protective measures are sufficiently planned and applied to minimize the risk of electronic intrusion.</p> <p>The Cyber Security Audit Program is part of a series of 4 tools for auditors to use to assess the cyber security status of their organizations. The tools were initially developed for government but can be used by all Canadian organizations. No previous <abbr title="Information Technology">IT</abbr> security audit knowledge is required to use the tools, which include:</p> <ul><li>placemat: a one-page overview of cyber security audit criteria and key sub-criteria</li> <li>audit guide: definitions of cyber security terms and an overview of a cyber security audit</li> <li>preliminary survey tool: a tool to assess your organization’s overall cyber security status and determine gaps</li> <li>audit program: a detailed document outlining the audit criteria and sub-criteria for many types of cyber security audits</li> </ul><h4>More information</h4> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/cyber-security-audit-program">Cyber Security Audit Program</a></li> <li>For questions or access to the tools, please email <a href="mailto:audit@cyber.gc.ca">audit@cyber.gc.ca</a>.</li> </ul></details><details><summary><h3>Cyber threat briefings</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr 
title="critical infrastructure">CI</abbr> sectors</span></p> <p>Receive bi-weekly updates on the cyber threat landscape for <abbr title="critical infrastructure">CI</abbr>.</p> <p>The Cyber Centre threat briefings are a space where <abbr title="Information Technology">IT</abbr> security professionals working in <abbr title="critical infrastructure">CI</abbr> sectors across Canada can learn about recent cyber incidents and the changing threat landscape. <abbr title="critical infrastructure">CI</abbr> organizations can listen to Cyber Centre subject matter experts share their knowledge on a variety of topics and participate in community discussions. The briefings include:</p> <ul><li>a cyber threat review</li> <li>upcoming events</li> <li>community open discussion</li> </ul></details><details><summary><h3>Cyber threat notifications</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span></p> <p>Receive cyber threat notifications for potential infection, misuse and vulnerabilities. Cyber threat notifications also provide situational awareness data and a peer-based comparison to other organizations within the same sector.</p> <p>The Cyber Centre provides the following services for cyber threat notifications:</p> <h4>National Cyber Threat Notification Service</h4> <p>The National Cyber Threat Notification Service (NCTNS) is a service that notifies Canadian organizations, through email or <abbr title="application programming interface">API</abbr>, of:</p> <ul><li>potentially misconfigured services</li> <li>vulnerabilities</li> <li>compromised infrastructure on their external-facing network assets</li> </ul><p>The <abbr title="National Cyber Threat Notification Service">NCTNS</abbr> does not perform a scan of the organization’s network. 
Instead, it relies on data received from trusted open-source and commercial threat feeds and the Cyber Centre. Compromises that would trigger a notification include:</p> <ul><li>indications of the presence of malware</li> <li>command and control servers</li> <li>misuse of the network</li> </ul><p>Examples of vulnerable services include unencrypted internet exchange protocols and insecure software and applications. An <abbr title="National Cyber Threat Notification Service">NCTNS</abbr> notification does not confirm a data breach.</p> <h4>CyberPosture scorecards</h4> <p>The CyberPosture scorecard is a monthly report featuring events related to cyber activity and vulnerable services occurring on Canadian <abbr title="Internet Protocol">IP</abbr> addresses owned or used by an organization. The Cyber Centre receives notifications of events in Canada and notifications reported by third parties. The Cyber Centre performs daily deduplication of redundant events and compiles the results into the scorecards. The CyberPosture scorecard is a complementary service to the <abbr title="National Cyber Threat Notification Service">NCTNS</abbr>.</p> </details><details><summary><h3>Database of known cyber threats (<abbr title="Behavioural Analysis using Virtualization and Experimental Research">BeAVER</abbr>)</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span></p> <p>Access Cyber Centre databases of cyber threats and use them to understand threats to an organization’s network.</p> <p>Behavioural Analysis using Virtualization and Experimental Research (BeAVER) is an unclassified repository of millions of cyber threat analysis reports gathered by the Cyber Centre. 
The repository includes cyber threat intelligence, such as:</p> <ul><li>static analysis reports: file hash, entropy, file type</li> <li>heuristic analysis reports: antivirus hits, intrusion detection system signature hits</li> <li>dynamic analysis reports: packet capture, URLs, domains, <abbr title="Internet Protocol">IP</abbr> addresses</li> </ul><p>In addition to the web interface, <abbr title="Behavioural Analysis using Virtualization and Experimental Research">BeAVER</abbr> data is also accessible through a <abbr title="representational state transfer">REST</abbr>ful <abbr title="application programming interface">API</abbr>, allowing machine-speed access to the Cyber Centre’s cyber threat intelligence platform. The <abbr title="application programming interface">API</abbr> is used by partners and Cyber Centre analysts for threat analysis.</p> </details><details><summary><h3>Open-source triage platform (Howler)</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span> <span class="label label-success">public organizations</span></p> <p>Elevate your security operations centre’s efficiency with Howler to efficiently triage alerts.</p> <p>Howler is the Cyber Centre’s open-source triage platform that enables triage analysts to streamline their workflows and enhance alert-handling capabilities. Unlike other open-source products, Howler empowers triage analysts to take control of their entire workflow. 
It also allows detection engineers to generate alerts independently of the analysts’ workflow.</p> <h4>More information</h4> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/howler">Howler</a></li> <li>Free download <a href="https://github.com/cybercentrecanada/howler">GitHub: Cyber Centre’s Howler</a></li> </ul></details><details><summary><h3>Time-sensitive alerts (cyber flashes)</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span></p> <p>Be informed of active, time-sensitive threats to the <abbr title="Government of Canada">GC</abbr> and Canadian interests.</p> <p>A cyber flash (CF) is a time-sensitive alert that describes an immediate or active security issue believed to be targeting the <abbr title="Government of Canada">GC</abbr> or systems of importance to the <abbr title="Government of Canada">GC</abbr>. Examples of situations that warrant a <abbr title="cyber flash">CF</abbr> include:</p> <ul><li>the public release of an exploit that is related to a previous advisory or alert</li> <li>rapidly spreading malicious code</li> <li>an imminent threat against the <abbr title="Government of Canada">GC</abbr>, <abbr title="critical infrastructure">CI</abbr> and other related industry networks</li> <li>denial-of-service activity</li> </ul><p><abbr title="cyber flashes">CFs</abbr> often contain indicators of compromise and suggested actions to mitigate threats. <abbr title="cyber flashes">CFs</abbr> are only delivered to registered recipients via email and are marked with an appropriate Traffic Light Protocol (TLP) label. 
For more information on the <abbr title="traffic light protocol">TLP</abbr>, refer to the <a href="#atlp">Appendix</a> below.</p> </details></div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h2 id="eac">Education and community</h2> <p>The Cyber Centre contributes directly to the cyber security community by educating Canadians and working directly with partners. By helping Canadians develop and improve their skills and knowledge, the Cyber Centre is helping to build a more cyber-secure Canada.</p> <div class="btn-group mrgn-tp-sm mrgn-bttm-md"><button class="btn btn-primary wb-toggle" data-toggle="{&quot;selector&quot;: &quot;details&quot;, &quot;print&quot;: &quot;on&quot;, &quot;stateOn&quot;: &quot;on&quot;, &quot;stateOff&quot;: &quot;off&quot;, &quot;parent&quot;: &quot;#expands-collapse1&quot;}" type="button">Expand | collapse all</button></div> <div id="expands-collapse1"> <details><summary><h3>Big Dig</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span></p> <p>The Big Dig is an annual, invitation-only, classified conference hosted by the Cyber Centre. It brings together participants from <abbr title="Government of Canada">GC</abbr> departments, Canadian industry, and the Five Eyes community. Over 2 weeks, participants set new standards in cyber innovation through collaboration and exploration. 
This critical operational initiative plays a vital role in developing cutting-edge cyber security solutions, directly advancing CSE’s mandate to promote a cyber-safe Canada.</p> <p>Each year, the Big Dig ignites creativity, produces groundbreaking technologies and prototypes, and leaves participants inspired, empowered and ready to conquer new challenges in cyber defence.</p> <p>Key points on the Big Dig include:</p> <ul><li>participation from Canada’s Five Eyes partners</li> <li>the event receives over 200 applications and continues to grow each year</li> <li>participants are divided into teams based on expertise and pre-selected interest areas</li> <li><span class="text-uppercase">Top Secret</span> clearance is required to participate</li> </ul><p>At the end of the event, teams present their findings and accomplishments to guests, executives, participants and key stakeholders. A winner is chosen by the audience.</p> <p>Read more about the <a href="https://www.cyber.gc.ca/en/news-events/big-dig">Big Dig</a>.</p> </details><details><summary><h3>Cyber Centre speakers for events</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span></p> <p>Request a speaker from the Cyber Centre to give a presentation.</p> <p>The Cyber Centre makes executives and staff available for speaking engagements, time and schedules permitting. 
This includes activities such as:</p> <ul><li>keynote speeches</li> <li>panel appearances</li> <li>addresses to company boards of directors</li> <li>cyber security awareness briefings for employees</li> <li>technical talks</li> </ul><h4>More information</h4> <ul><li><a href="https://forms-formulaires.alpha.canada.ca/en/id/clvpb5y1k01uaym81wbr5pal4">Webform to request a speaker</a></li> <li>For questions, please email <a href="mailto:collaboration@cyber.gc.ca">collaboration@cyber.gc.ca</a>.</li> </ul></details><details><summary><h3>GeekWeek</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span></p> <p>Participate in a collaborative, innovative, problem-solving workshop held at the Cyber Centre in Ottawa.</p> <p>GeekWeek is an annual, invitation-only, unclassified workshop organized by the Cyber Centre. It brings together key players in the field of cyber security from all over the world to generate solutions to vital problems facing the industry. The workshop is an opportunity for teams to collaborate in new ways and improve the overall cyber security landscape. GeekWeek participants include:</p> <ul><li>critical incident response teams</li> <li>CI partners: government, finance, health, academia</li> <li>international cyber security partners</li> </ul><p>This 10-day workshop starts with meeting new team members and working on specialized projects. The projects are then presented to fellow participants and executives at the closing ceremonies on the last day of the event. Participants receive access to the code that they developed during GeekWeek. 
Participants may also subscribe to the tools that they used during the workshop.</p> <p>GeekWeek has produced innovations and advances in areas such as:</p> <ul><li>malware detection and analysis</li> <li>spam and log analysis</li> <li>mobile malware analysis systems</li> <li>anti-ransomware</li> <li>information-sharing technologies and standards</li> <li>cyber sovereignty/geographic data flows</li> <li>cyber health and forecasts</li> <li>botnet traffic analysis</li> <li>fly-away kit/laptops</li> </ul><h4>More information</h4> <ul><li><a href="https://www.cyber.gc.ca/en/geekweek">GeekWeek</a></li> <li>For questions, please email <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</li> </ul></details><details><summary><h3>Get Cyber Safe</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span> <span class="label label-success">public organizations</span></p> <p>Get Cyber Safe is the <abbr title="Government of Canada">GC</abbr>’s national public awareness campaign to inform Canadians and small Canadian businesses about cyber security. The campaign lists the simple steps Canadians and small Canadian businesses can take to help protect themselves online. The campaign is led by CSE, with advice and guidance from the Cyber Centre.</p> <p>Get Cyber Safe offers a variety of bilingual and shareable resources on countless cyber security topics. The campaign makes complex cyber security topics easy to understand and uses a variety of eye-catching, humorous and engaging tactics to help all Canadians stay safe online.</p> <p>Get Cyber Safe relies on partnerships to better reach the Canadian population. 
Organizations can submit partnership and collaboration ideas or requests for specific resources.</p> <h4>More information</h4> <ul><li><a href="https://www.getcybersafe.gc.ca/en">Get Cyber Safe</a></li> <li>For questions, please email <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</li> </ul></details><details><summary><h3>Learning Hub</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span></p> <p>Develop cyber security skills and knowledge in a formal learning environment.</p> <p>The Cyber Centre Learning Hub is a source for leading-edge learning activities and programs for cyber security. The Learning Hub’s services include over 60 courses that can be provided through:</p> <ul><li>instructor-led classroom and virtual sessions</li> <li>free self-paced e-learning</li> <li>blended training</li> </ul><p>Cyber Centre partners can take advantage of courses on topics such as:</p> <ul><li>cyber security fundamentals</li> <li>cyber security for Internet of Things devices</li> <li>supply chain cyber security</li> <li>cyber security considerations for consumers of managed services</li> <li>secure software development</li> </ul><h4>More information</h4> <ul><li><a href="https://www.cyber.gc.ca/en/education-community/learning-hub">Learning Hub</a></li> <li>For questions, please email <a href="mailto:education@cyber.gc.ca">education@cyber.gc.ca</a>.</li> </ul></details><details><summary><h3>Walk-the-talk sessions</h3> </summary><p><strong>This service/tool is offered to:</strong> <span class="label label-default">Canadian <abbr title="critical infrastructure">CI</abbr> sectors</span> <span class="label label-info">private industries</span></p> <p>Enhance understanding of special topics of interest.</p> <p>The Cyber Centre organizes ad hoc walk-the-talk sessions for <abbr title="Information 
Technology">IT</abbr> security professionals working in <abbr title="critical infrastructure">CI</abbr> sectors. These 30-minute virtual sessions contain actionable information on a topic of interest and are presented by the Cyber Centre or an industry partner. Previous walk-the-talk topics include:</p> <ul><li>securing <abbr title="Information Technology">IT</abbr> and operational technology convergence</li> <li>mitigating cyber threats by leveraging the National Cyber Threat Assessment 2025-2026 and <abbr title="Cyber Security Readiness Goals">CRGs</abbr></li> <li>Royal Canadian Mounted Police National Cybercrime Coordination Centre</li> <li>baseline cyber threat assessment: Cybercrime</li> <li>the quantum threat to cyber security and post-quantum cryptography</li> <li>living off the land and threat hunting</li> </ul></details></div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <h2 id="atlp">Appendix: Traffic Light Protocol (<abbr title="Traffic Light Protocol">TLP</abbr>)</h2> <p><abbr title="Traffic Light Protocol">TLP</abbr> is a set of labels used to indicate the sharing boundaries that recipients apply to ensure responsible sharing of sensitive information. Each <abbr title="Traffic Light Protocol">TLP</abbr> level is described below.</p> <h3><abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">red</span></h3> <p>For the eyes and ears of individual recipients only, no further disclosure.</p> <p>Sources may use <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">red</span> when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">red</span> information with anyone else. 
In the context of a meeting, for example, <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">red</span> information is limited to those present at the meeting.</p> <h3><abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">amber</span> + <span class="text-uppercase">strict</span></h3> <p>Limited disclosure, recipients can only spread this on a need-to-know basis within their own organization.</p> <p>Sources may use <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">amber</span> + <span class="text-uppercase">strict</span> when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">amber</span> + <span class="text-uppercase">strict</span> information with members of their own organization only, and only on a need-to-know basis to protect their organization and prevent further harm.</p> <h3><abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">amber</span></h3> <p>Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients.</p> <p>Sources may use <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">amber</span> when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. 
Recipients may share <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">amber</span> information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm.</p> <h3><abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">green</span></h3> <p>Limited disclosure, recipients can spread this within their community.</p> <p>Sources may use <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">green</span> when information is useful to increase awareness within their wider community. Recipients may share <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">green</span> information with peers and partner organizations within their community, but not via publicly accessible channels. <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">green</span> information may not be shared outside of the community. Note: when “community” is not defined, assume the cybersecurity/defense community.</p> <h3><abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">clear</span></h3> <p>Recipients can spread this to the world, there is no limit on disclosure.</p> <p>Sources may use <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">clear</span> when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Subject to standard copyright rules, <abbr title="Traffic Light Protocol">TLP</abbr>:<span class="text-uppercase">clear</span> information may be shared without restriction.</p> <p>For more information on the <abbr title="Traffic Light Protocol">TLP</abbr>, read <a href="http://www.first.org/tlp">Forum of Incident Response and Security Teams: Traffic Light Protocol</a>.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> </div> </div> </div> </div> </div> </article>

  • Joint guidance on managing cryptographic keys and secrets
    by Canadian Centre for Cyber Security on August 20, 2025 at 3:58 pm

    <article data-history-node-id="6723" about="/en/news-events/joint-guidance-managing-cryptographic-keys-secrets" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the following international partners in releasing cyber security guidance on managing cryptographic keys and secrets:</p> <ul><li>Australia’s Department of Industry Science and Resources (DISR)</li> <li>Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC)</li> <li>Japan’s National Cybersecurity Office (NCO)</li> <li>New Zealand’s National Cyber Security Centre (NCSC-NZ)</li> <li>United Kingdom’s National Cyber Security Centre (NCSC-UK)</li> </ul><p>Cryptographic keys and secrets are a critical asset of many organizations and an important aspect of cyber security. They require careful management and protection throughout their lifecycle. 
When an organization’s keys or secrets have been compromised, it can have a significant negative impact on its operations, finances and reputation.</p> <p>This joint guidance is intended for security personnel and considers threats to the following types of cryptographic keys and secrets:</p> <ul><li>asymmetric keys</li> <li>digital certificates</li> <li>symmetric keys</li> <li>secrets</li> </ul><p>This joint guidance aims to help personnel understand the threat environment and the value of securely generating, storing and managing keys and secrets.</p> <p>Read the full joint guidance: <a href="https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/secure-by-design/managing-cryptographic-keys-and-secrets">Managing Cryptographic Keys and Secrets</a></p> </div> </div> </div> </div> </div> </article>

  • Steps to address data spillage in the cloud (ITSAP.50.112)
    by Canadian Centre for Cyber Security on August 13, 2025 at 6:42 pm

    <article data-history-node-id="659" about="/en/guidance/steps-address-data-spillage-cloud-itsap50112" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.50.112</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> </div> <!–pdf download–> <p>In our interconnected digital world, the security of data stored in the cloud is more critical than ever. Data spillage, or the unintended exposure of sensitive information, can have far-reaching consequences for individuals and organizations.</p> <p>Data spillage occurs when sensitive information is placed on information systems that are not authorized to process or store the information. It can also happen when data is made available to an unauthorized individual. For example, a spill occurs if secret data is transferred or made available on an unclassified network.</p> <p>This publication outlines the essential steps your organization should follow to effectively manage and mitigate data spillage incidents in cloud environments. 
These steps will help you ensure that sensitive data remains secure and private.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#identify">Step 1: Identify the data spill</a></li> <li><a href="#contain">Step 2: Contain the data spill</a></li> <li><a href="#alert">Step 3: Alert your stakeholders of the data spill</a></li> <li><a href="#Remediate">Step 4: Remediate the data spill</a></li> <li><a href="#Considerations">Considerations to enhance your cyber security posture in the cloud</a></li> <li><a href="#Disposal">Appropriate disposal of IT equipment</a></li> </ul><section><h2 class="text-info" id="identify">Step 1: Identify the data spill</h2> <p>Swiftly identifying a data spillage incident is crucial for limiting the potential damage. A spill can surface in various ways, such as a misdirected email, an unsecured cloud storage location or a misplaced physical device. Early detection is key and depends on robust monitoring systems and awareness of data flows within an organization. This allows you to quickly assess the nature, scope and potential impact of the data spill.</p> <p>Answer the following questions to triage the incident and assess the damage caused by the spill:</p> <ul><li>What information was compromised? <ul><li>Understanding the type of data—whether personal, financial, or confidential—helps determine the severity of the spill</li> </ul></li> <li>Where was the information moved? <ul><li>Identifying the unintended location(s) of the data can guide the containment strategy</li> </ul></li> <li>How was the information moved? <ul><li>Understanding the method of transfer, such as USB or email, can provide insights into the nature and potential spread of the spill</li> </ul></li> <li>Who was the information sent to? <ul><li>Knowing who received the spilled data is essential for containment and remediation efforts</li> </ul></li> <li>Where did the information come from? 
<ul><li>Tracing the origin of the spilled data helps identify potential vulnerabilities within the system</li> </ul></li> <li>When did the spill occur? <ul><li>Determining the timing of the spill can affect the response strategy and potential impact assessment</li> </ul></li> </ul><p>Early identification depends on a comprehensive understanding of these aspects and allows your organization to respond effectively and mitigate the impacts of data spillage.</p> </section><p><span class="clearfix"> </span></p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="contain">Step 2: Contain the data spill</h2> <p>The immediate containment of a data spill is critical to preventing further unauthorized access or distribution. This step requires your organization to secure the spilled data by removing it from unsecured locations or restricting access to it. In cloud environments, containment may also involve working with cloud service providers (CSPs) to leverage their tools and capabilities for securing data. A rapid response is essential to seal off vulnerabilities and limit data proliferation.</p> <p>To effectively contain a data spill, consider the following:</p> <h3>Utilize platform functions</h3> <p>Employ available cloud platform functions to delete the affected files and any known copies from your system. If the spill involves email, recall the message if possible.</p> <h3>Direct recipients</h3> <p>For all forms of data, including email, contact the recipients directly and instruct them not to forward or access the data. 
Ask all recipients to delete the spilled information from their environments and to empty their recycle bins.</p> <h3>Challenges containing data in the cloud</h3> <p>Recognize the unique challenges of containing data spillages in cloud environments, including:</p> <ul><li>verifying the complete removal of spilled data post-cleanup</li> <li>determining whether the exposed data was actually accessed or copied before it was removed</li> </ul><p>These challenges underscore the complexity of managing data spillage in cloud services and the importance of swift, strategic actions to mitigate risks effectively.</p> </section><p><span class="clearfix"> </span></p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="alert">Step 3: Alert your stakeholders of the data spill</h2> <p>After the data spillage is identified and contained, it’s crucial to promptly alert the appropriate internal and external stakeholders. Effective communication ensures a coordinated response to the incident and helps mitigate potential damage.</p> <p>To ensure a comprehensive alert protocol, consider the following actions:</p> <h3>Internal reporting</h3> <p>Immediately contact your IT service desk to report the spillage. If the IT service desk is designated as the remediation authority, it will triage the incident following your organization’s security incident management process. If not, it will escalate the incident to the appropriate remediation authority.</p> <h3>Report to management</h3> <p>Inform your management chain of the incident, regardless of the type of breach. 
They will provide support and direction for the remediation effort and respond to any inquiries as required.</p> <h3>Secure communication with cloud service providers</h3> <p>When involving <abbr title="cloud service providers">CSP</abbr>s, use secure communication methods. Ensure that cleared <abbr title="cloud service providers">CSP</abbr> personnel have located and deleted all possible copies of the data (if this is included in your service agreement). If secure communication methods and cleared personnel are not readily available, assess the benefits versus the risks of contacting the <abbr title="cloud service providers">CSP</abbr> with your manager.</p> <h3>External notifications</h3> <p>Depending on the nature of the data and the spillage, external notifications may be required. This includes notifying affected individuals, regulatory bodies or other stakeholders as dictated by law, regulation or policy.</p> <h4>Additional information for government departments and critical infrastructure sectors</h4> <p>For Government of Canada departments and critical infrastructure sectors, external notifications involve reporting breaches directly to the Canadian Centre for Cyber Security (Cyber Centre) by phone at 1-833-CYBER-88 (<a href="tel:+1-833-292-3788">1-833-292-3788</a>) or online at <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="6e494caa-d595-4273-ad70-ba2d1543af6e" href="/en/incident-management">Report a cyber incident</a>.</p> <!– –> <h4>Government of Canada departments</h4> <p>In addition to reporting the incident to the Cyber Centre, follow your department’s incident response procedures and the <a href="https://www.canada.ca/en/government/system/digital-government/online-security-privacy/security-identity-management/government-canada-cyber-security-event-management-plan.html">Government of Canada Cyber Security Event Management Plan (GC CSEMP)</a>.</p> <h4>Critical infrastructure sectors</h4> <p>In addition to reporting 
the incident to the Cyber Centre, consult Public Safety’s action-oriented guidance in <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2016-fndmntls-cybr-scrty-cmmnty/index-en.aspx">Fundamentals of Cyber Security for Canada’s CI community</a> for more information.</p> <h4>Privacy</h4> <p>If a data spill impacts or potentially impacts the privacy of Canadians, <a href="https://www.priv.gc.ca/en/report-a-concern/">report the spill to the Office of the Privacy Commissioner</a>.</p> <span class="clearfix"> </span> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h2 class="text-info" id="Remediate">Step 4: Remediate the data spill</h2> <p>After containing the spill and notifying the relevant parties, your focus should shift to remediation. This involves not only addressing the immediate impacts of the spill but also implementing measures to prevent future incidents. Effective remediation depends on a thorough investigation to understand the root causes of the spillage.</p> <p>For a comprehensive remediation process, consider the following actions:</p> <h3>Work with your cloud service provider</h3> <p>Engage with your <abbr title="cloud service providers">CSP</abbr> to ensure the spill is fully contained and to leverage their expertise in cleaning up the spill. This includes utilizing platform functions for data clean-up, such as removing tags and pointers or employing crypto-shredding.</p> <h3>Manage device and cloud space</h3> <p>Recall, destroy, and replace any affected mobile devices, servers or portions of the cloud tenant space that contained the spilled data. Crypto-shredding, that is, destroying the keys under which the data was encrypted so that every remaining encrypted copy becomes unreadable, can be an effective method for ensuring the data is irrecoverable. It only covers copies that were encrypted under those keys: plaintext copies, cached previews and backups protected by other keys still need to be located and deleted.</p> <h3>Review policies and procedures</h3> <p>Analyze the incident to identify any weaknesses in current policies and procedures. 
Update these to incorporate lessons learned from the spillage, focusing on improving data management, transfer, and storage practices.</p> <h3>Engage stakeholders</h3> <p>Ensure all stakeholders, including <abbr title="cloud service providers">CSP</abbr>s and any external organizations involved, are informed of the remediation actions and progress. Coordination with these parties is essential for a holistic approach to remediation.</p> </section><p><span class="clearfix"> </span></p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="Considerations">Considerations to enhance your cyber security posture in the cloud</h2> <p>To enhance your overall cyber security posture in the cloud, your organization should consider the following:</p> <h3>Responsibility and collaboration</h3> <p>Understand that the legal responsibility for data security remains with the data owner, even in cloud environments. Effective collaboration with <abbr title="cloud service providers">CSP</abbr>s and clear internal policies are crucial for protecting data.</p> <h3>Awareness and training</h3> <p>Educating personnel on the risks of data spillage and proper data-handling techniques is essential for preventing data spills. Regular training can significantly reduce the likelihood of future incidents. 
To view the full list of Cyber Centre courses, please visit <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8835c939-543a-4cde-806c-370702ed4826" href="/en/education-community/learning-hub">The Learning Hub</a>.</p> <h3>Continuous improvement</h3> <p>Adopting a posture of continuous improvement, learning from past incidents, and updating policies accordingly are vital steps in enhancing an organization’s data security measures.</p> </section><section><h2 class="text-info" id="Disposal">Appropriate disposal of IT equipment</h2> <p>Proper disposal reduces the risk of threat actors exploiting residual data that is left on IT equipment with electronic memory or data storage media. This advice is applicable when considering data spillages using cloud services. Consult <a href="/en/guidance/it-media-sanitization-itsp40006">IT media sanitization (ITSP.40.006)</a> for additional advice on properly disposing of IT media.</p> </section></div> </div> </div> </div> </div> </article>
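The crypto-shredding step under "Manage device and cloud space" in the remediation section above rests on one property: if every copy of an object exists only as ciphertext under a key you control, destroying that key makes all of the copies unrecoverable at once, including replicas you cannot reach. The following Go program is an added example and not code from the Cyber Centre publication. It assumes a per-object data-encryption key (DEK) held in a stand-in key store (an in-memory map standing in for a KMS or HSM), AES-256-GCM with the object ID as associated data, and a constructed sample record; the object ID and file name are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once an object's DEK has been destroyed.
var ErrKeyShredded = errors.New("DEK has been shredded; ciphertext is unrecoverable")

// keyStore stands in for a KMS or HSM (an assumption of this example): it holds
// one 256-bit DEK per stored object, indexed by object ID.
type keyStore struct{ deks map[string][]byte }

func newKeyStore() *keyStore { return &keyStore{deks: make(map[string][]byte)} }

// provision generates a fresh random DEK for objectID.
func (ks *keyStore) provision(objectID string) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	ks.deks[objectID] = dek
	return nil
}

// shred overwrites the DEK in memory and removes it from the store. Every copy
// of the object's ciphertext, wherever it was replicated, is now unreadable.
func (ks *keyStore) shred(objectID string) {
	if dek, ok := ks.deks[objectID]; ok {
		for i := range dek {
			dek[i] = 0
		}
		delete(ks.deks, objectID)
	}
}

// aead builds an AES-256-GCM instance for the object's DEK.
func (ks *keyStore) aead(objectID string) (cipher.AEAD, error) {
	dek, ok := ks.deks[objectID]
	if !ok {
		return nil, ErrKeyShredded
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under the object's DEK and binds objectID as
// associated data, so a blob cannot be replayed under another object's name.
// Output layout: nonce || ciphertext || GCM tag.
func (ks *keyStore) seal(objectID string, plaintext []byte) ([]byte, error) {
	gcm, err := ks.aead(objectID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectID)), nil
}

// open reverses seal. It fails with ErrKeyShredded once the DEK is gone and
// with an authentication error if the blob or the objectID was altered.
func (ks *keyStore) open(objectID string, sealed []byte) ([]byte, error) {
	gcm, err := ks.aead(objectID)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(objectID))
}

// runScenario stores a sensitive record, replicates the ciphertext to a second
// location (the "known copy" a spill response has to deal with), then shreds
// the DEK. It reports whether the record was readable before the shred and
// whether the replica is still readable afterwards.
func runScenario() (readableBefore, replicaReadableAfter bool, err error) {
	ks := newKeyStore()
	const objectID = "tenant-a/reports/q3-payroll.csv"    // hypothetical object name
	record := []byte("employee,salary\nA. Example,95000\n") // constructed sample data
	if err = ks.provision(objectID); err != nil {
		return
	}
	blob, err := ks.seal(objectID, record)
	if err != nil {
		return
	}
	replica := append([]byte(nil), blob...) // copy that ended up somewhere unintended
	got, err := ks.open(objectID, blob)
	if err != nil {
		return
	}
	readableBefore = string(got) == string(record)
	ks.shred(objectID)
	_, err = ks.open(objectID, replica)
	replicaReadableAfter = err == nil
	if errors.Is(err, ErrKeyShredded) {
		err = nil // the expected outcome, not a failure of the scenario
	}
	return
}

func main() {
	before, after, err := runScenario()
	fmt.Printf("readable before shred: %v; replica readable after shred: %v; err: %v\n", before, after, err)
}
```

Run it with `go run`: the record decrypts before the shred and the replica fails with ErrKeyShredded afterwards, without anyone having to locate the replica. The same mechanism is why a real key store must access-control and log key deletion: the shred is irreversible, and a spill response that destroys the wrong DEK destroys legitimate data.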

  • Joint guidance on foundations for operational technology cyber security and asset inventory guidance for owners and operators
    by Canadian Centre for Cyber Security on August 13, 2025 at 4:08 pm

    This joint guidance outlines the process for OT owners and operators to create an asset inventory and OT taxonomy.

  • Introduction to cloud computing (ITSAP.50.110)
    by Canadian Centre for Cyber Security on August 12, 2025 at 2:00 pm

    <article data-history-node-id="715" about="/en/guidance/introduction-cloud-computing-itsap50110" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.50.110</strong></p> </div> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> <p>Cloud computing is the on-demand delivery of IT resources over the Internet. Think of it as a network of companies that sell computing power, which customers can access online.</p> <p>With cloud computing, users can access technology services, such as computing power and storage, as needed from a cloud service provider (CSP). This reduces the need for organizations to own and maintain physical servers and data centres.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#bcc">Benefits of cloud computing</a></li> <li><a href="#lm">Learn more</a></li> </ul><h2 class="text-info" id="bcc">Benefits of cloud computing</h2> <p>Cloud computing allows for convenient, on demand access to a shared pool of configurable computing resources. 
Cloud computing offers many benefits to organizations.</p> <h3>Performance</h3> <p><abbr title="cloud service providers">CSPs</abbr> offer scalable resources that adjust to match your business growth and handle peak demand efficiently. They provide optimal computing power to your organization and ensure you have the latest high-performance hardware by regularly updating their systems.</p> <h3>Accessibility and productivity</h3> <p>Leveraging cloud computing can enable users to securely access their files, email and applications from anywhere, at any time. Documents can be shared among users while remaining in a central location. This improves collaboration across teams in various locations and boosts productivity, leading to more agile and responsive business operations.</p> <h3>Reliability</h3> <p>Cloud computing makes data back-ups, disaster recovery and business continuity easier and less expensive because data can be mirrored at multiple sites on the <abbr title="cloud service provider">CSP</abbr>’s network.</p> <h3>Cost efficiency</h3> <p>Organizations can avoid capital expenses associated with purchasing equipment and software, as well as the operational costs of running an on-premises environment. Cloud computing shifts the financial burden from large, up-front investments to a more manageable, pay-as-you-go model. 
It aligns the costs with actual usage and business demands.</p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h2 class="mrgn-tp-md text-info" id="lm">Learn more</h2> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/models-cloud-computing-itsap50111">Models of cloud computing (ITSAP.50.111)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/steps-address-data-spillage-cloud-itsap50112">Steps to address data spillage in the cloud (ITSAP.50.112)</a></li> <li><a href="https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/cloud-adoption-strategy-2023-update.html">Treasury Board of Canada Secretariat’s Government of Canada Cloud Computing</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Models of cloud computing (ITSAP.50.111)
    by Canadian Centre for Cyber Security on August 12, 2025 at 2:00 pm

    <article data-history-node-id="716" about="/en/guidance/models-cloud-computing-itsap50111" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>August 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.50.111</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>August 2025 | Awareness series</strong></p> </div> <!–pdf download–> <div class="col-md-12"> <p>Cloud service providers (CSPs) offer 3 service models and 4 deployment models. Service models provide customers with options to access a <abbr title="Cloud service providers">CSP</abbr>’s services, while deployment models offer customers different ways of using them. This publication provides an overview of the different models of cloud computing, allowing you to choose the best option for your organization.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#service-model">Service models</a></li> <li><a href="#deployment-model">Deployment models</a></li> <li><a href="#learn-more">Learn more</a></li> </ul><h2 class="mrgn-tp-lg text-info" id="service-model">Service models</h2> <p>Cloud computing has changed how organizations and individuals use technology. 
The service models offered to customers define the specific types of services provided by <abbr title="Cloud service providers">CSP</abbr>s.</p> <h3>Software as a Service</h3> <p>Software as a Service (SaaS) is a software distribution model in which customers purchase a service to use applications hosted by a <abbr title="Cloud service providers">CSP</abbr>. The service is made available for use over the Internet. Some well-known examples of <abbr title="Software as a Service">SaaS</abbr> include Google Workspace and Microsoft 365.</p> <p><abbr title="Software as a Service">SaaS</abbr> is a popular service model as it:</p> <ul><li>allows access to software from any device with an Internet connection</li> <li>includes <abbr title="Cloud service providers">CSP</abbr> upkeep of the software</li> </ul><h3>Platform as a Service</h3> <p>Platform as a Service (PaaS) provides developers with a cloud platform to build, deploy and manage applications without the complexity of maintaining the underlying infrastructure. This service model enables efficient application development through managed hosting environments. With <abbr title="Platform as a Service">PaaS</abbr>, developers can focus on their application’s functionality rather than its operation.</p> <p>Popular <abbr title="Platform as a Service">PaaS</abbr> examples include Microsoft Azure App Service and Salesforce’s Force.com. These platforms streamline the development and deployment processes, enabling faster and more secure application delivery.</p> <p><abbr title="Platform as a Service">PaaS</abbr> providers perform the following security actions to better secure applications against emerging threats:</p> <ul><li>Security updates</li> <li>Compliance monitoring</li> <li>Threat detection</li> </ul><h3>Infrastructure as a Service</h3> <p>Infrastructure as a Service (IaaS) provides scalable computing resources like servers, storage and networking over the Internet. 
This service model enables users to develop, run and manage applications on the <abbr title="Cloud service providers">CSP</abbr>’s hardware. Examples of IaaS include Amazon Web Services (AWS) offerings like EC2 and S3.</p> <h2 class="mrgn-tp-md text-info" id="deployment-model">Deployment models</h2> <p>Deployment models describe the access, size, and ownership of the cloud infrastructure.</p> <h3>Public cloud</h3> <p>The public cloud model offers services over the Internet, making the <abbr title="Cloud service providers">CSP</abbr>’s infrastructure and resources accessible to anyone. It’s managed externally and is separated from the customer’s in-house <abbr title="Information Technology">IT</abbr> infrastructure.</p> <h3>Private cloud</h3> <p>The private cloud model provides a dedicated environment for a single entity, ensuring exclusive access and control over the infrastructure. It offers enhanced security and privacy, as it can be hosted and managed either onsite by the customer or offsite by the <abbr title="Cloud service providers">CSP</abbr>. The private cloud is tailored to meet the needs of the customer, allowing greater control over computational resources and customized security measures. This model is ideal for organizations that require strict security and data privacy or that have specific regulatory compliance needs.</p> <h3>Community cloud</h3> <p>The community cloud model is a dedicated environment shared among multiple organizations with similar privacy, security and regulatory needs. It allows organizations to utilize a common infrastructure.</p> <h3>Hybrid cloud</h3> <p>The hybrid cloud combines different cloud types (public, private or community), while maintaining their distinct characteristics. These cloud types are interconnected for seamless data and application mobility. Each member cloud remains a unique entity but is bound to the others through standardized or proprietary technology. 
This allows applications and data to be transferred easily among members.</p> <h2 class="mrgn-tp-md text-info" id="learn-more">Learn more</h2> <p>For more information on the different service and deployment models, see the <a href="https://csrc.nist.gov/pubs/sp/800/145/final">National Institute of Standards and Technology (NIST) Special Publication 800-145 The NIST Definition of Cloud Computing</a>.</p> <p>To learn more about cloud computing, read the following publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/what-cloud-computing-itsap50110">Introduction to cloud computing (ITSAP.50.110)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/steps-address-data-spillage-cloud-itsap50112">Steps to address data spillage in the cloud (ITSAP.50.112)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cloud-network-security-zones-itsp80023">Cloud network security zoning (ITSP.80.023)</a></li> </ul></div> </div> </div> </div> </div> </div> </div> </article>

  • Joint cyber security advisory on Scattered Spider
    by Canadian Centre for Cyber Security on July 29, 2025 at 5:00 pm

    Scattered Spider is a cyber criminal group that targets large organizations and their contracted information technology help desks.

  • Security considerations for critical infrastructure (ITSAP.10.100)
    by Canadian Centre for Cyber Security on July 28, 2025 at 12:35 pm

    <article data-history-node-id="680" about="/en/guidance/security-considerations-critical-infrastructure-itsap10100" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–DESKTOP–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>July 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.10.100</strong></p> </div> </div> <!–DESKTOP END–><!–MOBILE –> <div class="hidden-lg hidden-md text-center"> <p><strong>July 2025 | Awareness series</strong></p> </div> <!–MOBILE END –> <p>Critical infrastructure (CI) plays a role in the delivery and support of the necessities of daily life. This includes commonly used utilities and services, such as water, energy and banking. Disruptions to <abbr title="critical infrastructure">CI</abbr> could lead to failure of essential services, endanger public safety or result in loss of life. 
This publication provides information on how <abbr title="critical infrastructure">CI</abbr> sectors can be compromised and what security measures can be implemented to mitigate the risks.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#sectors">Critical infrastructure sectors</a></li> <li><a href="#impact">How cyber attacks impact critical infrastructure</a></li> <li><a href="#threats">The main threats to critical infrastructure</a></li> <li><a href="#protect">How to protect your sector from cyber attacks</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="sectors">Critical infrastructure sectors</h2> <p><abbr title="critical infrastructure">CI</abbr> refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. <abbr title="critical infrastructure">CI</abbr> is often interconnected and interdependent within and across provinces, territories and national borders.</p> <p>The <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx">National strategy for critical infrastructure</a> identifies the following 10 <abbr title="critical infrastructure">CI</abbr> sectors:</p> <ul><li>energy and utilities</li> <li>finance</li> <li>food</li> <li>government</li> <li>health</li> <li>information and communication technology</li> <li>manufacturing</li> <li>safety</li> <li>transportation</li> <li>water</li> </ul><h3>Operational technology and industrial control systems as potential threat targets</h3> <p>Operational technology (OT) refers to computing systems used to automate industrial processes and operations in many different sectors. 
Industrial control systems (ICS) are a major subset of <abbr title="operational technology">OT</abbr> that allows <abbr title="critical infrastructure">CI</abbr> providers to remotely monitor the processes and control the physical devices in their infrastructure.</p> <p><abbr title="operational technology">OT</abbr> systems that have to be connected to the Internet or other networks and systems are attractive targets to threat actors who are focused on <abbr title="operational technology">OT</abbr> disruption.</p> <h2 class="text-info" id="impact">How cyber attacks impact critical infrastructure</h2> <p>Cyber attacks on <abbr title="critical infrastructure">CI</abbr> can have serious and devastating consequences. Some of the impacts can include:</p> <ul><li>interruption of essential services, such as electricity, water and natural gas</li> <li>disruption in the production and supply of food and medical supplies</li> <li>loss of public trust and confidence in the economy, national security and defence, and the democratic processes</li> <li>damage to the environment and risk to public health from chemical spills, toxic waste discharges or hazardous air emissions</li> <li>lost revenue, reputational risks, job losses or legal consequences for companies and employees</li> <li>disruption to hospital operations, or even compromised medical devices, that could lead to loss of life</li> <li>damage to <abbr title="critical infrastructure">CI</abbr> components that could disrupt, destroy or degrade processes and operations</li> </ul><h2 class="text-info" id="threats">The main threats to critical infrastructure</h2> <p>Cyber threats to <abbr title="critical infrastructure">CI</abbr> sectors can involve stealing mission-critical information, locking sensitive files or leaking proprietary or sensitive information. 
Damage to <abbr title="critical infrastructure">CI</abbr> can threaten national security, public safety and economic stability.</p> <p>Threat actors may target <abbr title="critical infrastructure">CI</abbr> sectors for financial gain. Some <abbr title="critical infrastructure">CI</abbr> sectors, such as healthcare and manufacturing, are popular targets because their owners and operators cannot withstand loss of sensitive information and long-term disruption of essential services. These <abbr title="critical infrastructure">CI</abbr> sectors often have significant financial resources to pay ransom.</p> <p>Insider threat actors may target <abbr title="critical infrastructure">CI</abbr> for personal reasons, such as an act of revenge by disgruntled former employees or customers.</p> <p>State-sponsored cyber threat actors may target <abbr title="critical infrastructure">CI</abbr> sectors to collect information in support of broader strategic goals like influencing public opinion or policy development.</p> <p>The following are some examples of the threats to <abbr title="critical infrastructure">CI</abbr>.</p> <h3>Ransomware</h3> <p>Ransomware is a type of malware that denies users access to systems or data until a sum of money is paid. Other types of malware (for example, wipers and spyware) are used to target <abbr title="critical infrastructure">CI</abbr> by infiltrating or damaging connected systems.</p> <h3>Denial-of-service attack</h3> <p>A denial-of-service (DoS) attack is any activity that makes a service unavailable for use by legitimate users or that delays system operations and functions. A threat actor could make large parts of a <abbr title="critical infrastructure">CI</abbr> sector unavailable and cause potentially catastrophic failure.</p> <h3>Insider threats</h3> <p>An insider threat is anyone who has or had knowledge of or access to an organization’s infrastructure and information and uses it, either knowingly or inadvertently, to cause harm. 
Insider threats can have a significant impact on a <abbr title="critical infrastructure">CI</abbr> sector and its business functions.</p> <p>These threats can cause a temporary or permanent loss of visibility and control within the <abbr title="critical infrastructure">CI</abbr> processes and <abbr title="operational technology">OT</abbr>. Loss of control can prevent operators from being able to issue commands to mitigate malicious interference. This can result in uncontrolled damage and shutdown of system components, requiring hands-on operator intervention on the <abbr title="operational technology">OT</abbr>.</p> <h2 class="text-info" id="protect">How to protect your sector from cyber attacks</h2> <p><abbr title="critical infrastructure">CI</abbr> network operators can reduce their risks of cyber attacks by implementing the following security measures.</p> <h3>Isolate <abbr title="critical infrastructure">CI</abbr> components and services</h3> <p>Implement firewalls, virtual private networks (VPNs) and multi-factor authentication (MFA) for remote access connections with corporate networks. When using <abbr title="operational technology">OT</abbr>, test manual controls to ensure critical functions will remain operable if your network is unavailable or untrusted. Use secure administrative workstations to separate sensitive tasks and accounts from non‑administrative computer uses, such as email and web browsing. Implement network security zones to control and restrict access and data communication flows to certain components and users. <abbr title="operational technology">OT</abbr> systems should be on an isolated network and not connected to the Internet.</p> <h3>Enhance your security posture</h3> <p>Implement offline backups that are tested frequently to ensure you can recover quickly in the event of an incident.</p> <h3>Adopt a risk-based approach with updates</h3> <p>Evaluate your system requirements with vulnerability management to determine necessary updates. 
Many updates might be unnecessary to implement and could pose potential risks to your <abbr title="operational technology">OT</abbr> environment. Some vendors issue emergency patches to address critical security vulnerabilities, so it is important to keep informed of what your system might require.</p> <h3>Develop an incident response plan</h3> <p>Include the processes, procedures and documentation related to how your organization detects, responds to and recovers from cyber attacks in your incident response plan. Have a plan specifically for <abbr title="operational technology">OT</abbr> and ensure the critical system components can operate safely in manual mode. Test and revise the plan periodically to ensure critical functions and operations continue in case of system disruptions or unexpected downtime.</p> <h3>Train your employees</h3> <p>Educate your employees on the importance of cyber security best practices, such as identifying phishing, using strong passphrases and reporting incidents as soon as they are detected. Have clearly defined standard operating procedures for security practices and acceptable use of process control systems that interface directly with control of systems and environments.</p> <h3>Monitor organizational activities</h3> <p>Collect, analyze and store records that are associated with user actions on information systems. Enable logging to better investigate issues or events. Monitor traffic at your Internet gateways and establish baselines of normal traffic patterns. Highly sophisticated threat actors may influence or coerce employees (for example, using social engineering, bribery, blackmail or intimidation) to help them compromise security. 
To guard against these actors, enhance your insider threat monitoring and consider implementing a two-person rule when performing critical administrative functions.</p> <p>For more security measures to consider, read the Cyber Centre’s <a href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-sector cyber security readiness goals toolkit</a>.</p> <h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP 30.030)</a></li> <li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Offer tailored cyber security training to your employees (ITSAP.10.093)</a></li> <li><a href="/en/guidance/how-protect-your-organization-insider-threats-itsap10003-0">Protect your organization from insider threats (ITSAP.10.003)</a></li> <li><a href="/en/guidance/ransomware-playbook-itsm00099">Ransomware playbook (ITSM.00.099)</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Security considerations when developing and managing your website (ITSAP.60.005)
    by Canadian Centre for Cyber Security on July 23, 2025 at 3:30 pm

    <article data-history-node-id="692" about="/en/guidance/security-considerations-when-developing-and-managing-your-website-itsap60005" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>July 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.60.005</strong></p> </div> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>July 2025 | Awareness series</strong></p> </div> <p>Your website is a critical component of your business. It provides access to your services and visibility for your products. However, cyber threats can compromise your website, harming your business operations, revenue and reputation. To reduce the likelihood and impact of threats, you should develop and maintain your website with security in mind. 
This publication provides some security and privacy protection measures to get you started.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#ctw">Common threats to websites</a></li> <li><a href="#dmws">Developing and managing your website securely</a></li> <li><a href="#rci">Reporting a cyber incident</a></li> <li><a href="#lm">Learn more</a></li> </ul><h2 class="text-info" id="ctw">Common threats to websites</h2> <p>Beware of the following common threats when developing and maintaining your website.</p> <h3>Injection attack</h3> <p>An injection attack is any exploitation in which a threat actor supplies untrusted input, such as malicious code, to a system in order to modify its operations or data.</p> <p>Common examples of injection attacks include:</p> <ul><li><strong>Structured query language (SQL) injection:</strong> <abbr title="Structured query language">SQL</abbr> injection occurs when a threat actor enters malicious input through a web page field so that it becomes part of the <abbr title="Structured query language">SQL</abbr> statements sent to the database. This typically happens when your website asks a user to log in or provide information. Because <abbr title="Structured query language">SQL</abbr> statements manage the database server, a successful injection can let the threat actor bypass authentication measures.</li> <li><strong>Cross-site scripting (XSS):</strong> A threat actor uses <abbr title="Cross-site scripting">XSS</abbr> to inject malicious script into the pages of a trusted website. When users visit the website, their browsers execute the script, putting cookies, session tokens, or sensitive information at risk. <abbr title="Cross-site scripting">XSS</abbr> attacks exploit the trust that a user has in a website.</li> </ul><h3>Cross-site request forgery attack</h3> <p>Cross-site request forgery (CSRF) is an attack that tricks users into executing unwanted actions in their browsers, such as logging out, downloading account information or uploading a site cookie. 
<abbr title="Cross-site request forgery">CSRF</abbr> attacks exploit the trust that a website has in a user’s browser.</p> <h3>Denial-of-service attack</h3> <p>A denial-of-service attack aims to overwhelm a website with unnecessary traffic. This floods the server and can make services unavailable to actual users. A distributed denial-of-service (DDoS) attack uses multiple bots or botnets on a single target to cause an even greater disruption.</p> <h3>Adversary-in-the-middle attack</h3> <p>Adversary-in-the-middle (AitM) is an attack that intercepts the communication between two systems. This could be between a user and website server. The intention is to steal or change data within that communication. The threat actor can pretend to be one or both legitimate communicating parties to gain access to sensitive information. They can insert themselves between the two parties and alter communications. Use of certificate-based Hypertext Transfer Protocol Secure (HTTPS) will validate your website to users and establish a confidential channel to mitigate <abbr title="Adversary-in-the-middle">AitM</abbr> attacks.</p> <h3>Malware attack</h3> <p>Any attack that distributes malicious software to cause harm, spread infections, or steal sensitive data. Malware can hide and linger on your website unnoticed and can negatively impact any user that visits your site. Examples of malware include viruses, trojans, ransomware and keyloggers.</p> <h3>Credential stuffing attack</h3> <p>A credential stuffing attack happens when threat actors use previously stolen credentials to try to log into an account. They continue their attempts until a match is found.</p> <p>If your website is compromised, your organization is not the only one at risk; threat actors can also target your supply chain, affiliated organizations, and customers. 
To learn more about risks to supply chains, see <a href="https://www.cyber.gc.ca/en/guidance/supply-chain-security-small-and-medium-sized-organizations-itsap00070">Cyber supply chain security for small and medium-sized organizations (ITSAP.00.070)</a> and <a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-supply-chains">The cyber threat from supply chains</a>.</p> <h3>Brute force attacks</h3> <p>Brute force attacks are when threat actors use excessive login attempts with any number of character combinations to log into a system or network.</p> <div class="clearfix"> </div> <div class="well well-sm"> <h2 class="text-info mrgn-tp-sm">Impact of artificial intelligence</h2> <p>Artificial intelligence (AI) is a fast-growing and complex technology that can increase website functionality but can also complicate and challenge common cyber security measures. <abbr title="Artificial intelligence">AI</abbr> and generative <abbr title="artificial intelligence">AI</abbr> can be used by threat actors to intensify website attacks by quickly creating code, extracting large amounts of data, and spreading malware. However, <abbr title="artificial intelligence">AI</abbr> can also boost security measures against these attacks.</p> <p>This publication does not go into detail about <abbr title="artificial intelligence">AI</abbr>, but it is important to stay well informed about <abbr title="artificial intelligence">AI</abbr>’s development. Consult our guidance on <a href="https://www.cyber.gc.ca/en/guidance/artificial-intelligence-itsap00040">artificial intelligence</a> to learn more.</p> </div> <h2 class="text-info" id="dmws">Developing and managing your website securely</h2> <p>Your website is the gateway between the Internet and your organization. Threat actors can exploit website vulnerabilities and misconfigurations to steal, alter, or delete sensitive data. 
This includes:</p> <ul><li>vendor portals</li> <li>customer data</li> <li>sales leads</li> <li>operational and financial information</li> </ul><p>Stay one step ahead by reviewing the following aspects of your website. If you’re using a web service, you should discuss each of the topics below with your service provider.</p> <h2 class="text-info">Secure your web architecture</h2> <p>Secure your website’s architecture, including its elements, relationships, selected components and design principles. You should also apply principles like segregation and redundancy.</p> <p>Segregate your web service components. If one component is compromised, the other components are protected because they have been segregated. You should also segregate your application server and database to protect sensitive data.</p> <p>You should design your website to add redundancies in your web service components (replicate them). With redundancies, you can ensure that your operations continue if one component fails.</p> <p>Require the use of <abbr title="Hypertext Transfer Protocol Secure">HTTPS</abbr> by default on your website and configure Transport Layer Security (TLS) to be used between all web service components. This ensures that sensitive data, like authentication data and proprietary information, is encrypted in transit. <abbr title="Hypertext Transfer Protocol Secure">HTTPS</abbr> uses the <abbr title="Transport Layer Security">TLS</abbr> protocol to encrypt and authenticate web page visits.</p> <h2 class="text-info">Implement strong authentication</h2> <p>Authentication refers to the mechanisms used to validate a user’s identity.</p> <p>Implement a strong password and passphrase policy that includes multi-factor authentication (MFA) for additional security. Never send passwords in plaintext over the Internet. Instead, use hashes and encryption.</p> <p><strong>Hashing</strong> is a one-way function. It involves converting the data into a unique, fixed-length hash value. 
Hashing is a key component of cryptographic techniques used by browsers and systems to protect the integrity of transmitted data.</p> <p><strong>Encryption</strong> is scrambling data in a certain way that only someone with the corresponding key can decipher it. This is a two-way function. Encryption makes use of a cipher, a type of algorithm, to scramble the data.</p> <p>After a threshold of unsuccessful login attempts or other suspicious behaviour, lock accounts and delay logins. Ensure you have a secure account recovery process. See <a href="https://www.cyber.gc.ca/en/guidance/developing-your-it-recovery-plan-itsap40004">Developing your IT recovery plan (ITSAP.40.004)</a> to learn more.</p> <h2 class="text-info">Define access control</h2> <p>Access controls define who can access what resources on your website and restrict what information they can see and use. Define specific access controls and implement the principle of least privilege to ensure that users only have the access needed to carry out their authorized functions.</p> <p>Consider all web application access control layers, such as the Open Systems Interconnection (OSI) model’s application and presentation layers, data layer and network layer. Consider using the following types of permissions:</p> <ul><li>URL based</li> <li>file system and server</li> <li>application business logic (what the user can do)</li> </ul><p>Identify access control layers in your coding standards and rigorously test them before deploying your web services.</p> <h2 class="text-info">Assess your service providers</h2> <p>If using a service provider, you may not have access to the infrastructure or control over the associated security functions. However, even when using a service provider, your organization is still legally responsible for protecting the confidentiality and integrity of your data.</p> <p>Before contracting a service provider, review their data security and privacy protection capabilities and policies. 
Clearly define your organization’s and your service provider’s roles and responsibilities regarding security. You can use the sections in this document to guide your discussion with a service provider on their security capabilities.</p> <h2 class="text-info">Validate inputs</h2> <p>Input validation is the process of verifying that users and applications can only input properly formed data, such as in fields, forms, or queries.</p> <p>All inputs on your website should be considered untrusted. Validate inputs within your web services, including:</p> <ul><li>client browsers</li> <li>web application firewalls</li> <li>web servers</li> <li>databases</li> <li>application business logic</li> </ul><p>You should validate inputs as early as possible during the process to reduce strain on your servers. Test input validation during your development process.</p> <p>Inputs should also be controlled. Enforce expected input lengths to prevent invalid values and limit free-form inputs to minimize the risk of script injection. Hide <abbr title="Structured query language">SQL</abbr> error messages from end users, as these messages contain valuable information about your database.</p> <h2 class="text-info">Review your security configurations</h2> <p>Although vendor recommended security configurations generally provide a good baseline, these defaults may not provide the level of security needed to protect your systems and data from cyber threats. Be sure to review configurations to identify any vulnerabilities such as:</p> <ul><li>unused ports or web services</li> <li>unprotected files</li> <li>unprotected directories</li> </ul><p>You should turn off directory browsing, as it provides insight on your website’s structure. Remove any unnecessary web operation files, such as source code or backup files that could contain passwords.</p> <p>Deactivate browser credential caching. 
Although credential caching is convenient for users, it can put sensitive information at risk.</p> <p>You should implement configuration management to promote secure coding and maintain baselines across your organization.</p> <h2 class="text-info">Manage your sessions securely</h2> <p>A session is an exchange of information between two or more entities, such as two devices or a user and a web server. Session management is the process of initiating, controlling, maintaining, and ending these exchanges. If sessions aren’t managed securely, threat actors can interrupt or hijack sessions to intercept data or impersonate authenticated users.</p> <p>Randomize your session identifiers to prevent threat actors from inferring session identifier sequences. Session identifiers should have an acceptable minimum length to protect against brute force attacks.</p> <p>Store sensitive session tracking data on web service servers with an appropriate retention period and destroy it at the expiry date. Expire session data when a user logs out or is inactive for a specified time.</p> <p>Session cookies, also known as in-memory cookies, allow users to be recognized while they navigate the website, for example, items will stay in their carts while they’re shopping. Use the secure cookie attribute to prevent cookies from being sent over an unencrypted channel.</p> <h2 class="text-info">Secure your operations</h2> <p>Once your website is running, you need to prevent, identify, and respond to cyber threats and incidents. If possible, you should continuously monitor website activity for anomalous behaviours, such as repeated login or injection attempts. 
For example, in credential stuffing attacks, threat actors use leaked or stolen credentials and “stuff” them into login pages of other websites until matches are found.</p> <p>To promote the ongoing security and functionality of your web services, implement a patch management process to acquire, test, and install patches and updates on your systems and devices. Be sure to patch underlying systems, content management systems, web applications and plug-ins. Include a security.txt file on your website, published at /.well-known/security.txt as specified in RFC 9116. It provides a clear and standardized way for security researchers to report vulnerabilities. A security.txt file ensures that critical issues are communicated promptly and securely to your organization. This proactive approach helps protect your users and your organization by facilitating faster responses to potential threats.</p> <p>You should also promote security awareness within your organization and with your customers. By being transparent about the steps that you are taking to protect data, you can foster trust with your partner organizations, supply chain and customers.</p> <div class="well well-sm mrgn-tp-lg"> <h2 class="mrgn-tp-sm" id="rci">Reporting a cyber incident</h2> <p>If your organization is a victim of fraud, contact your local police and file a report online through the <a href="https://antifraudcentre-centreantifraude.ca/report-signalez-eng.htm" rel="external">Canadian Anti-Fraud Centre’s online reporting system</a> or by phone at 1-888-495-8501. 
Report cyber incidents online via the Cyber Centre’s <a href="https://portal-portail.cyber.gc.ca/en/report/">My Cyber Portal</a>.</p> </div> <h2 class="text-info" id="lm">Learn more</h2> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/security-considerations-your-website-itsm60005">Security considerations for your website (ITSM.60.005)</a></li> <li><a href="https://cyber.gc.ca/en/guidance/website-defacement-itsap00060">Website defacement (ITSAP.00.060)</a></li> <li><a href="https://cyber.gc.ca/en/guidance/managing-and-controlling-administrative-privileges-itsap10094">Managing and controlling administrative privileges (ITSAP.10.094)</a></li> <li><a href="https://cyber.gc.ca/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts with multi-factor authentication (ITSAP.30.030)</a></li> <li><a href="https://cyber.gc.ca/en/guidance/protecting-your-organization-against-denial-service-attacks-itsap80100">Protecting your organization against denial of service attacks (ITSAP.80.100)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/distributed-denial-service-attacks-prevention-and-preparation-itsap80110">Distributed denial-of-service attacks—prevention and preparation (ITSAP.80.110)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="https://www.cyber.gc.ca/en/identity-credential-and-access-management-icam-itsap30018">Identity, credential, and access management (ICAM) (ITSAP.30.018)</a></li> <li><a href="https://owasp.org/www-project-top-ten/">Top 10 Web Application Security Risks</a> (Open Worldwide Application Security Project)</li> </ul></div> </div> </div> </div> </div> </article>
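The input validation, session management and monitoring advice in the website guidance above, pulled together as an added example. This code is not part of the Cyber Centre publication: it is a minimal login path that validates the username with an allowlist and length bound, looks the user up with a parameterized query while hiding database errors from the client, issues unpredictable session identifiers with idle expiry and Secure/HttpOnly cookie attributes, and flags credential-stuffing sources in login logs. The in-memory user table, the thresholds and the SAMPLE_LOG lines are constructed for illustration; only the Python standard library is used.

```python
# Added example (not from the Cyber Centre page). Standard library only; the
# user table, thresholds and SAMPLE_LOG are constructed for illustration.
import hashlib
import hmac
import re
import secrets
import sqlite3
import time
from collections import defaultdict

USERNAME_RE = re.compile(r"[a-z0-9._-]{3,32}")  # allowlist plus length bound
MAX_PASSWORD_LEN = 128
SESSION_ID_BYTES = 32        # 256 bits of CSPRNG output per identifier
IDLE_TIMEOUT_S = 15 * 60     # inactivity window after which a session is destroyed


def validate_login_input(username, password):
    """Server-side check: reject malformed input before it reaches the database."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return False
    return isinstance(password, str) and 1 <= len(password) <= MAX_PASSWORD_LEN


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_db(users):
    """Constructed in-memory user table built from {username: password}."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    for name, pw in users.items():
        salt = secrets.token_bytes(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (name, salt, _hash_password(pw, salt)))
    return db


def check_credentials(db, username, password):
    """Parameterized query (no string concatenation). A database error is
    logged on the server; the caller only ever sees a generic failure."""
    try:
        row = db.execute("SELECT salt, hash FROM users WHERE username = ?",
                         (username,)).fetchone()
    except sqlite3.Error as exc:
        print("server log: database error:", exc)   # never returned to the client
        return False
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


class SessionStore:
    """Server-side session table: random identifiers, idle expiry, logout."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self._sessions = {}

    def create(self, username):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)  # unpredictable, not sequential
        self._sessions[sid] = {"user": username, "last_seen": self.now()}
        return sid

    def cookie_header(self, sid):
        # Secure: never sent over plaintext HTTP; HttpOnly: unreadable to page scripts
        return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

    def resolve(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last_seen"] > IDLE_TIMEOUT_S:
            del self._sessions[sid]      # destroy expired data rather than ignore it
            return None
        s["last_seen"] = self.now()
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def login(db, sessions, username, password):
    """Returns a session identifier on success and None on any failure."""
    if not validate_login_input(username, password):
        return None
    if not check_credentials(db, username, password):
        return None
    return sessions.create(username)


LOG_RE = re.compile(r"ip=(\S+) user=(\S+) result=(ok|fail)")


def credential_stuffing_sources(log_lines, min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames and mostly fail: the
    shape of leaked credential pairs being stuffed into a login page."""
    users, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, user, result = m.groups()
        users[ip].add(user)
        attempts[ip] += 1
        if result == "ok":
            successes[ip] += 1
    return sorted(ip for ip in attempts
                  if len(users[ip]) >= min_users
                  and successes[ip] / attempts[ip] <= max_success_ratio)


# Constructed login events: one source cycling through leaked pairs and one
# ordinary user who mistypes a password once.
SAMPLE_LOG = [
    f"2025-09-05T14:0{i}:00Z login ip=203.0.113.7 user=user{i} result=fail"
    for i in range(6)
] + [
    "2025-09-05T14:06:00Z login ip=203.0.113.7 user=user6 result=ok",
    "2025-09-05T14:07:00Z login ip=198.51.100.2 user=alice result=fail",
    "2025-09-05T14:07:30Z login ip=198.51.100.2 user=alice result=ok",
]
```

The detector's thresholds are a starting point, not a rule: a NAT gateway or corporate proxy legitimately presents many users behind one address, so tune `min_users` and `max_success_ratio` against your own traffic and treat a hit as a signal to rate-limit and investigate rather than block outright.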

  • Advisory on North Korean information technology (IT) workers
    by Canadian Centre for Cyber Security on July 18, 2025 at 4:11 pm

    <article data-history-node-id="6556" about="/en/news-events/advisory-north-korean-information-technology-workers" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> </div> </div> </div> </article>

  • Cyber threat bulletin: Iranian cyber threat to Canada from Israel-Iran conflict
    by Canadian Centre for Cyber Security on July 9, 2025 at 2:31 pm

    <article data-history-node-id="6527" about="/en/guidance/cyber-threat-bulletin-iranian-cyber-threat-canada-israel-iran-conflict" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><h2 class="text-info">Overview of cyber threat to Canada from Iran</h2> <p>On June 13, 2025, the State of Israel (Israel) launched military strikes against the Islamic Republic of Iran (Iran). On June 22, 2025, the United States (U.S.) carried out precision airstrikes on Iranian nuclear facilities.</p> <p>After the U.S. operation against Iran, the U.S. Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Department of Defense Cyber Crime Center, the National Security Agency, and the Department of Homeland Security warned of potential retaliatory cyber threat activity against U.S. critical infrastructure and other U.S. entities by Iranian-affiliated cyber actors.<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup></p> <p>It is very unlikely that Canada’s critical infrastructure and other Canadian networks are a priority target for retaliatory Iranian cyber threat activity. Canada was not a party to the U.S. and Israeli strikes against Iran. However, we assess that Canada would likely be an indirect or collateral victim of Iranian cyber threat activity that is intended to target the U.S. 
In addition, Iran will likely continue to engage in cyber-enabled transnational repression against individuals in Canada that the Iranian regime considers a threat, especially those advocating for regime change in Iran.</p> <h2 class="text-info">Threat activity</h2> <ul><li>Iranian state-sponsored cyber threat actors conduct disruptive cyber-enabled information operations to further Iran’s geopolitical objectives and the regime’s interests. Iran has developed a network of hacktivist personas and social media channels that exploit these disruptive events to intimidate Iran’s opponents and shape public opinion.<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></li> <li>Iranian state-sponsored cyber threat actors opportunistically target poorly secured critical infrastructure (CI) networks and internet-connected devices around the world, including those associated with the water and energy sectors.<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup> Iranian cyber threat actors have performed denial of service attacks, attempted to manipulate industrial control systems, and accessed networks to encrypt, wipe, and leak data.<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup></li> <li>Pro-Iran hacktivists conduct cyber threat activity against Iran’s rivals, but often overstate their impact. In response to the U.S. airstrikes on Iranian nuclear sites, pro-Iran hacktivist groups claimed to have conducted distributed denial-of-service (DDoS) attacks against websites associated with the U.S. military, U.S. defence companies and U.S. 
financial institutions.<sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup></li> <li>It is very unlikely that Canada’s critical infrastructure and other Canadian networks are a priority target for retaliatory cyber threat activity by Iranian state-sponsored cyber threat actors or pro-Iran hacktivists. However, Canada would likely be an indirect or collateral victim of Iranian cyber threat activity that is intended to target the U.S. This threat is elevated due to North American interconnectivity in key CI sectors, such as energy and transportation.</li> <li>Iranian cyber-enabled transnational repression will likely remain a threat to Canada. Iranian state-sponsored cyber threat actors likely conduct cyber espionage against individuals in Canada that the Iranian regime considers a threat, such as political activists, journalists, and human rights advocates.<sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup> In the aftermath of the conflict, we assess that Iranian cyber threat actors will likely target opponents abroad, especially those advocating for regime change in Iran.<sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup></li> </ul><div class="well"><strong>Iranian state-sponsored cyber threat group compromises Israeli-made devices</strong> <p>Between November 2023 and January 2024, an Iranian Revolutionary Guard Corps (IRGC) cyber unit using the persona CyberAv3ngers conducted a global campaign that targeted and defaced poorly secured, Israeli-made devices used in critical infrastructure. One victim was a municipal water authority in the U.S. 
that used default passwords.<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> This activity was likely conducted in response to the Israel-Hamas conflict.</p> </div> <h2 class="text-info">Characteristics of Iranian cyber threat activity</h2> <div> <h3>Compelling social engineering</h3> <p>Iranian cyber threat groups are particularly sophisticated in combining social engineering with spear phishing, using these efforts to target public officials and gain access to government networks and private sector organizations globally.<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup> Iranian social engineering efforts focus on using professional interactions on social media platforms to gain information about organizations related to Iran’s political, economic and military interests, particularly in the aerospace, energy, defence, security, and telecommunications sectors.<sup id="fn9a-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup></p> </div> <div> <h3>Exploiting known vulnerabilities</h3> <p>Iranian cyber threat actors exploit known vulnerabilities to gain initial access to systems, and then leverage this access for follow-on operations such as data exfiltration or encryption, ransomware, and extortion.<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup> Iranian cyber threat actors opportunistically identify targets using publicly available scanning tools to search for internet-exposed systems with vulnerable configurations, for example devices using default or weak passwords and without multi-factor authentication.<sup id="fn11-rf"><a class="fn-lnk" href="#fn11"><span class="wb-inv">Footnote </span>11</a></sup></p> </div> <div> <h3>Disruptive and destructive cyber attacks</h3> <p>Iranian cyber threat actors typically conduct DDoS attacks and website and device defacements to temporarily disrupt target 
networks. They also deploy ransomware and destructive wiper malware and conduct hack-and-leak operations against compromised targets.<sup id="fn12-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup></p> </div> <h2 class="text-info">Useful resources</h2> <p>Refer to the following online resources for more information and useful advice and guidance.</p> <h3>Reports and advisories</h3> <ul><li>Canada’s threat assessments <ul><li><a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a></li> </ul></li> <li>Advisories and partner publications <ul><li><a href="/en/guidance/targeted-manipulation-irans-social-engineering-and-spear-phishing-campaigns">Targeted manipulation: Iran’s social engineering and spear phishing campaigns</a></li> <li><a href="https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure">Enhanced Visibility and Hardening Guidance for Communications Infrastructure</a></li> </ul></li> </ul><h3>Advice and guidance</h3> <ul><li><a href="/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals (CRGs): Securing Our Most Critical Systems</a></li> <li><a href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-Sector Cyber Security Readiness Goals Toolkit</a></li> <li><a href="/en/guidance/security-considerations-edge-devices-itsm80101">Security Considerations for Edge Devices</a></li> <li><a href="/en/guidance/security-considerations-your-website-itsm60005">Security considerations for your website</a></li> <li><a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 IT security actions to protect Internet connected networks and information</a></li> <li><a 
href="/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Top 10 IT security action items: No.2 patch operating systems and applications</a></li> <li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication</a></li> <li><a href="/en/guidance/defending-against-distributed-denial-service-ddos-attacks-itsm80110">Defending against distributed denial of service (DDoS) attacks</a></li> </ul><h2 class="text-info">About this document</h2> <h3>Contact</h3> <p>For follow-up questions or issues, please contact the Canadian Centre for Cyber Security (Cyber Centre) at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> <h3>Assessment base and methodology</h3> <p>The key judgements in this assessment rely on reporting from multiple sources, both classified and unclassified. The judgements are based on the Cyber Centre’s knowledge and expertise in cyber security. Defending the Government of Canada’s information systems provides the Cyber Centre with a unique perspective to observe trends in the cyber threat environment, which also informs our assessments. CSE’s foreign intelligence mandate provides us with valuable insight into adversary behaviour in cyberspace. While we must always protect classified sources and methods, we provide the reader with as much justification as possible for our judgements.</p> <p>Our key judgements are based on an analytical process that includes evaluating the quality of available information, exploring alternative explanations, mitigating biases and using probabilistic language. We use terms such as “we assess” or “we judge” to convey an analytic assessment. 
We use qualifiers such as “possibly”, “likely”, and “very likely” to convey probability.</p> <p>The contents of this document are based on information available as of June 27, 2025.</p> <div class="panel panel-default col-md-12"> <div class="panel-body"> <figure><figcaption class="mrgn-bttm-md"><strong>Estimative language</strong></figcaption><p class="mrgn-bttm-lg">The chart below matches estimative language with appropriate percentages. These percentages are not derived via statistical analysis, but are based on logic, available information, prior judgements, and methods that increase the accuracy of estimates.</p> <img alt="Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/tarp-language-chart-transparent-e.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Estimative language chart</summary><ul class="list-unstyled mrgn-tp-md"><li>1 to 9% Almost no chance</li> <li>10 to 24% Very unlikely/very improbable</li> <li>25 to 39% Unlikely/improbable</li> <li>40 to 59% Roughly even chance</li> <li>60 to 74% Likely/probably</li> <li>75 to 89% Very likely/very probable</li> <li>90 to 99% Almost certainly</li> </ul></details></figure></div> </div> <!–FOOTNOTE SECTION EN–> <aside class="wb-fnote" role="note"><h2 id="reference">References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>U.S. 
Department of Homeland Security, “<a href="https://www.dhs.gov/ntas/advisory/national-terrorism-advisory-system-bulletin-june-22-2025">National Terrorism Advisory System Bulletin – Issued June 22, 2025</a>,” June 22, 2025; Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest">Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest</a>,” June 27, 2025.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a">IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities</a>,” December 18, 2024; Counter Threat Unit Research Team, “<a href="https://www.secureworks.com/blog/iranian-cyber-av3ngers-compromise-unitronics-systems">Iranian Cyber Av3ngers Compromise Unitronics Systems</a>,” Secureworks, December 7, 2023.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p>Canadian Centre for Cyber Security, “<a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>,” October 30, 2024.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p>Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a">IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities</a>,” December 18, 2024; U.S. 
Department of Homeland Security, “<a href="https://www.dhs.gov/ntas/advisory/national-terrorism-advisory-system-bulletin-june-22-2025">National Terrorism Advisory System Bulletin – Issued June 22, 2025</a>,” June 22, 2025; Andy Greenberg, “<a href="https://www.wired.com/story/cyberav3ngers-iran-hacking-water-and-gas-industrial-systems/">CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide</a>,” Wired, April 14, 2025.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p>Canadian Centre for Cyber Security, “<a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>,” October 30, 2024; Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a">Iranian State Actors Conduct Cyber Operations Against the Government of Albania</a>,” September 23, 2022.</p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 6</dt> <dd id="fn6"> <p>Cyble, “<a href="https://cyble.com/blog/hacktivists-launch-ddos-attacks-at-us-iran-bombings/">Hacktivists Launch DDoS Attacks at U.S. 
Following Iran Bombings</a>,” June 24, 2025.</p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote</span>6<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 7</dt> <dd id="fn7"> <p>Canadian Centre for Cyber Security, “<a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>,” October 30, 2024.</p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote</span>7<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 8</dt> <dd id="fn8"> <p>CBC News, “<a href="https://www.cbc.ca/news/world/iran-internal-crackdown-1.7570782">Iranian government turns to internal crackdown with arrests, executions</a>,” June 25, 2025.</p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote</span>8<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 9</dt> <dd id="fn9"> <p>Canadian Centre for Cyber Security, “<a href="/en/guidance/targeted-manipulation-irans-social-engineering-and-spear-phishing-campaigns">Targeted manipulation: Iran’s social engineering and spear phishing campaigns</a>,” December 20, 2024.</p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote</span>9<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 10</dt> <dd id="fn10"> <p>Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a">Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities</a>,” November 19, 2021.</p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote</span>10<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 11</dt> <dd id="fn11"> <p>Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a">Iranian Islamic Revolutionary Guard Corps-Affiliated 
Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations</a>,” September 14, 2022.</p> <p class="fn-rtn"><a href="#fn11-rf"><span class="wb-inv">Return to footnote</span>11<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 12</dt> <dd id="fn12"> <p>Cybersecurity and Infrastructure Security Agency, “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a">Iranian State Actors Conduct Cyber Operations Against the Government of Albania</a>,” September 23, 2022.</p> <p class="fn-rtn"><a href="#fn12-rf"><span class="wb-inv">Return to footnote</span>12<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>

  • Canadian Common Criteria program requirements and procedures for testing laboratories
    by Canadian Centre for Cyber Security on July 4, 2025 at 4:04 pm

    Process by which a commercial organization may become an approved Common Criteria testing lab

  • Roadmap for the migration to post-quantum cryptography for the Government of Canada (ITSM.40.001)
    by Canadian Centre for Cyber Security on June 24, 2025 at 6:55 pm

    <article data-history-node-id="6471" about="/en/guidance/roadmap-migration-post-quantum-cryptography-government-canada-itsm40001" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>June 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.40.001</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>June 2025 | Management series</strong></p> </div> <!–pdf download–> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.40.001-migration-post-quantum-cryptography-government-canada-e.pdf">Roadmap for the migration to post-quantum cryptography for the Government of Canada – ITSM.40.001 (PDF, 635 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:cryptography-cryptographie@cyber.gc.ca">cryptography-cryptographie@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on June 23, 2025</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: June 23, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#0">Overview</a></li> <li><a href="#1">1 Introduction</a></li> <li><a href="#2">2 Stakeholders and planning</a></li> <li><a href="#3">3 Execution phases</a> <ul><li><a href="#3.1">3.1 Preparation</a> <ul><li><a href="#3.1.1">3.1.1 Roles and responsibilities</a></li> <li><a href="#3.1.2">3.1.2 Financial planning</a></li> <li><a href="#3.1.3">3.1.3 Education strategy</a></li> <li><a href="#3.1.4">3.1.4 Procurement policies</a></li> <li><a href="#3.1.5">3.1.5 Plan approaches for identification</a></li> </ul></li> <li><a href="#3.2">3.2 Identification</a></li> <li><a href="#3.3">3.3 Transition</a></li> </ul></li> <li><a href="#4">4 Milestones and deliverables</a></li> <li><a href="#5">5 Governance and coordination</a> <ul><li><a href="#5.1">5.1 Relevant Government of Canada governance bodies</a></li> <li><a href="#5.2">5.2 Reporting on progress</a></li> <li><a href="#5.3">5.3 Additional resources and support</a></li> </ul></li> </ul></details></section><section><h2 class="text-info" id="0">Overview</h2> <p>Every organization managing information technology (IT) systems must migrate cyber security components to become quantum-safe. 
This will help protect against the cryptographic threat of a future quantum computer. The Cyber Centre recommends the adoption of standardized post-quantum cryptography (PQC) to mitigate this threat.</p> <p>This publication outlines the Cyber Centre’s recommended roadmap for the Government of Canada (GC) to migrate non-classified <abbr title="information technology">IT</abbr> systems<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> to use <abbr title="post-quantum cryptography">PQC</abbr>, including milestones, deliverables, and guidance for departmental planning and execution.</p> <p>Milestones and deliverables for federal departments and agencies are as follows:</p> <ul><li>April 2026: Develop an initial departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> <li>Beginning April 2026 and annually after: Report on <abbr title="post-quantum cryptography">PQC</abbr> migration progress</li> <li>End of 2031: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of high priority systems</li> <li>End of 2035: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of remaining systems</li> </ul></section><section><h2 class="text-info" id="1">1 Introduction</h2> <p>The Cyber Centre recommends organizations managing <abbr title="information technology">IT</abbr> systems migrate to use <abbr title="post-quantum cryptography">PQC</abbr> in order to replace public-key cryptography vulnerable to a future quantum computer<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup>. 
All instances of public-key cryptography must be migrated to secure <abbr title="Government of Canada">GC</abbr> <abbr title="information technology">IT</abbr> systems and Canadians’ data against this threat.</p> <p>The United States’ National Institute of Standards and Technology (NIST) has worked globally with cryptographic experts to standardize <abbr title="post-quantum cryptography">PQC</abbr> algorithms that can replace existing vulnerable public-key cryptography. Cyber Centre recommendations for <abbr title="post-quantum cryptography">PQC</abbr> algorithms are provided in <a href="https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP 40.111)</a>. As standards for network security protocols support <abbr title="post-quantum cryptography">PQC</abbr> algorithms, the Cyber Centre will update the <a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a> publication. Vendors are incorporating <abbr title="post-quantum cryptography">PQC</abbr> in their products to rapidly meet the needs of government and industry.</p> <p>The <abbr title="post-quantum cryptography">PQC</abbr> migration within the <abbr title="Government of Canada">GC</abbr> will require significant commitment and take several years. The Cyber Centre is working with Treasury Board of Canada Secretariat (TBS) and Shared Services Canada (SSC) to prepare necessary updates to <abbr title="Government of Canada">GC</abbr> guidance, support and policy. Departments will need to clearly understand their cryptography usage. <abbr title="information technology">IT</abbr> infrastructure, both hardware and software, and data will need to be analyzed across the entire enterprise. 
Starting the <abbr title="post-quantum cryptography">PQC</abbr> migration early is important to leverage existing <abbr title="information technology">IT</abbr> lifecycle budgets as much as possible.</p> <p>This publication is the Cyber Centre’s recommended roadmap for the migration of non-classified <abbr title="information technology">IT</abbr> systems within the <abbr title="Government of Canada">GC</abbr> to use <abbr title="post-quantum cryptography">PQC</abbr>. It outlines the stakeholders, execution phases, milestones and governance involved in this <abbr title="Government of Canada">GC</abbr>-wide cyber security activity. The intention is to provide key activities and timelines that will assist in coordination of departmental planning activities for migrating to <abbr title="post-quantum cryptography">PQC</abbr> across the <abbr title="Government of Canada">GC</abbr>. It is aimed at directors and managers of <abbr title="information technology">IT</abbr> systems in federal departments and agencies and decision makers accountable for the migration to <abbr title="post-quantum cryptography">PQC</abbr>.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="2">2 Stakeholders and planning</h2> <p>The Cyber Centre is the lead technical authority for information technology (IT) security in the <abbr title="Government of Canada">GC</abbr><sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup>. 
As part of Canada’s cryptologic agency, the Communications Security Establishment Canada, the Cyber Centre:</p> <ul><li>promotes awareness of the quantum computing threat to cryptography to <abbr title="Government of Canada">GC</abbr> departments</li> <li>provides guidance on cryptographic recommendations, such as the use of <abbr title="post-quantum cryptography">PQC</abbr></li> <li>provides recommendations on incorporating cryptography into a strong cyber security posture</li> </ul><p>The Cyber Centre will continue to provide relevant advice and guidance to support <abbr title="Government of Canada">GC</abbr> departments and agencies in the migration to <abbr title="post-quantum cryptography">PQC</abbr>.</p> <p><abbr title="Treasury Board of Canada Secretariat">TBS</abbr> is responsible for establishing and overseeing a whole-of-government approach to security management, including cyber security, through policy leadership, strategic direction, and oversight. In May 2024, <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> published the <a href="https://www.canada.ca/en/government/system/digital-government/online-security-privacy/enterprise-cyber-security-strategy.html">Government of Canada’s Enterprise Cyber Security Strategy</a> identifying a key action to transition <abbr title="Government of Canada">GC</abbr> systems to use standardized <abbr title="post-quantum cryptography">PQC</abbr> to protect <abbr title="Government of Canada">GC</abbr> information and assets from the quantum threat. 
<abbr title="Treasury Board of Canada Secretariat">TBS</abbr> will issue the necessary policy instruments to require responsible officials to establish a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan as well as report on progress under existing departmental reporting processes.</p> <p><abbr title="Shared Services Canada">SSC</abbr> manages <abbr title="information technology">IT</abbr> infrastructure and services on behalf of many of the departments and agencies across the <abbr title="Government of Canada">GC</abbr>. Due to its critical role in modernizing <abbr title="Government of Canada">GC</abbr> systems, <abbr title="Shared Services Canada">SSC</abbr> is already engaged in developing a plan for the migration to <abbr title="post-quantum cryptography">PQC</abbr> and is working directly with the Cyber Centre and <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> to advise on the feasibility of implementation.</p> <p>Federal departments and agencies in the <abbr title="Government of Canada">GC</abbr> are accountable for managing cyber security risks in their program areas. Departments and agencies will be responsible for maintaining software hosted on <abbr title="Shared Services Canada">SSC</abbr>-managed <abbr title="information technology">IT</abbr> infrastructure, and any <abbr title="information technology">IT</abbr> infrastructure that is managed separately from <abbr title="Shared Services Canada">SSC</abbr>, including contracted cloud services. Departments and agencies will be required to develop a tailored departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan that covers the migration of systems for which they are responsible to use <abbr title="post-quantum cryptography">PQC</abbr>. Departments and agencies will be responsible for executing that plan, as well as tracking and reporting on progress. 
This publication contains the initial considerations that can be used to develop a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan, but additional guidance and support will be provided by <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr> and the Cyber Centre.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="3">3 Execution phases</h2> <p>This roadmap outlines 3 recommended phases to implement the <abbr title="post-quantum cryptography">PQC</abbr> migration. These phases will likely overlap.</p> <h3 id="3.1">3.1 Preparation</h3> <p>During the preparation phase, departments and agencies will be responsible for developing a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan to migrate systems for which they are responsible to use <abbr title="post-quantum cryptography">PQC</abbr>. To develop this plan, we recommend establishing a committee and identifying a dedicated migration lead. The committee should consist of stakeholders throughout the organization and should include at least one member from senior management to ensure executive buy-in and support. In addition to technical areas responsible for managing <abbr title="information technology">IT</abbr> systems, we recommend the inclusion of stakeholders from non-technical areas such as finance, project management, procurement and asset management.</p> <p>The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan needs to be continually revised and expanded upon during the execution of the subsequent phases. 
The initial version of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan should establish the individuals responsible for the following:</p> <ul><li>execution of the plan</li> <li>financial planning</li> <li>education strategy to inform staff on the quantum threat and the progress of this migration within the organization</li> <li>procurement policies for new equipment</li> <li>approaches for the identification of vulnerable systems to build an inventory for transition</li> </ul><h4 id="3.1.1">3.1.1 Roles and responsibilities</h4> <p>The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must identify individuals responsible for various tasks in the execution of the plan. Ultimately, the Designated Official for Cyber Security (DOCS) is accountable for mitigating the quantum risk to cyber security. We recommend the <abbr title="Designated Official for Cyber Security">DOCS</abbr>, or a delegated executive official, be assigned the role of <abbr title="post-quantum cryptography">PQC</abbr> Migration Executive Lead to provide:</p> <ul><li>oversight</li> <li>accountability</li> <li>executive support for the execution of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> </ul><p>The coordination and cross-departmental engagement may be performed by a <abbr title="post-quantum cryptography">PQC</abbr> Migration Technical Lead. The Technical Lead would be responsible for facilitating coordination across the organization which may include service delivery, network management and <abbr title="information technology">IT</abbr> procurement, as well as other areas pertinent to the migration. 
The committee established to develop the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan may be repurposed for managing the execution of the plan.</p> <h4 id="3.1.2">3.1.2 Financial planning</h4> <p>Departments and agencies should expect that many existing <abbr title="information technology">IT</abbr> systems may need to be replaced, or new service contracts put into place, to support <abbr title="post-quantum cryptography">PQC</abbr>. The execution of the <abbr title="post-quantum cryptography">PQC</abbr> migration will have staffing impacts that may require new hiring, external contractors, or the realignment of roles that could affect other projects or work activities. The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must have a cost estimate that includes resource allocation to complete the execution. The initial version of the plan will not be comprehensive in its cost estimation, but the financial estimates can be refined as the identification and transition phases proceed.</p> <p>The costs associated with this <abbr title="post-quantum cryptography">PQC</abbr> migration may be reduced by utilizing existing IT equipment lifecycles and system modernization plans. To do so, it is critical to perform the initial phases of this plan quickly to identify where these cost efficiencies can be leveraged. Delays resulting in rushed procurement will increase costs.</p> <h4 id="3.1.3">3.1.3 Education strategy</h4> <p>It is important that staff across the organization are aware of the quantum threat and the impact it may have on the systems they use or are responsible for. The <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> GCxchange platform will be leveraged to share artifacts with departments and agencies, including material produced by the Cyber Centre, such as presentations and publications for a variety of audiences. 
The Cyber Centre’s Learning Hub will provide course material to educate on the quantum threat to cryptography. Senior executives must be briefed to be aware of the impact the migration to <abbr title="post-quantum cryptography">PQC</abbr> will have on their operations.</p> <p>As the <abbr title="post-quantum cryptography">PQC</abbr> migration progresses, it’s important to keep senior executives informed of developments and progress, including any emerging challenges or roadblocks that teams may face.</p> <h4 id="3.1.4">3.1.4 Procurement policies</h4> <p>To maximize the lifetime of new systems, departments and agencies should ensure new procurements have requirements that support <abbr title="post-quantum cryptography">PQC</abbr>. The Cyber Centre strongly recommends that systems employ established cyber security standards. Following standards provides assurance of independent security review and promotes interoperability to avoid vendor lock-in. Some cyber security standards are still being revised to support <abbr title="post-quantum cryptography">PQC</abbr>. The Cyber Centre is updating Guidance for securely configuring network protocols (ITSP.40.062) as <abbr title="post-quantum cryptography">PQC</abbr> support is finalized in standards. It is expected that support for <abbr title="post-quantum cryptography">PQC</abbr> may not be currently available in some product categories.</p> <p>The Cyber Centre has recommended contract clauses for systems containing cryptographic modules. These are available upon request and will be made more widely available. 
In general, departments and agencies should consider the following best practices for procurements:</p> <ul><li>contracts have clauses to ensure that the vendor will include support for <abbr title="post-quantum cryptography">PQC</abbr> that is compliant with Cyber Centre recommendations in Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</li> <li>cryptographic modules have been certified by the <a href="https://www.cyber.gc.ca/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program</a></li> <li>support for <a href="https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">cryptographic agility</a> to allow for future configuration changes</li> </ul><p>The earlier <abbr title="post-quantum cryptography">PQC</abbr> is included in procurement clauses, the lower the costs departments will face during the migration.</p> <h4 id="3.1.5">3.1.5 Plan approaches for identification</h4> <p>The next phase in this roadmap is the identification of where cryptography is used in <abbr title="information technology">IT</abbr> systems. Sometimes called cryptographic discovery, this identification is necessary to create an inventory of systems that need to be transitioned. The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must include the approaches that will be undertaken to identify systems and build this inventory. More detail on identification is provided in the next section.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h3 id="3.2">3.2 Identification</h3> <p>Identifying where and how cryptography is used is a critical step in the process to migrate to <abbr title="post-quantum cryptography">PQC</abbr>. 
Systems using cryptography will include:</p> <ul><li>network services</li> <li>operating systems</li> <li>applications</li> <li>code development pipelines</li> <li>all physical <abbr title="information technology">IT</abbr> assets, such as <ul><li>server racks</li> <li>desktops</li> <li>laptops</li> <li>mobile telephones</li> <li>network appliances</li> <li>printers</li> <li>voice over Internet Protocol telephony</li> <li>hardware security modules</li> <li>smart cards</li> <li>hardware tokens</li> </ul></li> </ul><p>These may be hosted on-premises, within contracted <abbr title="information technology">IT</abbr> platforms, or a cloud service provider, or under employee possession. The scope is wide, thus making identification a challenging task.</p> <p>The information gathered in this phase will be used to create an inventory that should include the following information per system:</p> <ul><li>system components employing cryptography</li> <li>vendor and product version for each of the components</li> <li>security controls that rely upon the identified cryptography<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup></li> <li>applicable network security zones</li> <li>current cryptographic configurations</li> <li>hosting platform</li> <li>system dependencies</li> <li>relevant service contracts and expiry dates</li> <li>expected refresh year for the system or its components</li> <li>responsible departmental point of contact</li> <li>if the system should be prioritized for migration</li> </ul><p>Other technical information may be relevant to include in the inventory. The Cyber Centre will provide additional guidance to departments as experience grows within the <abbr title="Government of Canada">GC</abbr>.</p> <p>Departments must identify systems that are a high priority for migrating to <abbr title="post-quantum cryptography">PQC</abbr>. 
Systems protecting the confidentiality of information in transit over public network zones<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup> may be at risk earlier than expected due to the harvest now, decrypt later (HNDL) threat. A <abbr title="harvest now, decrypt later">HNDL</abbr> threat is when a threat actor intercepts encrypted information, stores it and then decrypts it in the future, when sufficiently powerful quantum computers exist. It is recommended that any systems susceptible to a <abbr title="harvest now, decrypt later">HNDL</abbr> threat be a high priority for migrating to <abbr title="post-quantum cryptography">PQC</abbr>. Other considerations include the information lifespan, support for cryptographic agility, and the impact of compromise. It may be valuable to complete a risk assessment for the quantum threat to ensure that systems are properly prioritized.</p> <p>Discovery of systems containing vulnerable cryptography should utilize multiple methodologies. Leveraging existing <abbr title="information technology">IT</abbr> service management (ITSM) processes within the organization may be an efficient way to produce an initial departmental inventory. Lifecycle and change management committees should have much of the information needed for an inventory system entry. However, in practice, ITSM maturity may vary across departments.</p> <p>Software tools and services will be necessary to complete cryptographic discovery. This may leverage existing cyber security services, such as security information and event management (SIEM) solutions, network monitoring and inspection, and endpoint detection and response (EDR) technologies. These services may require configuration changes, third-party plugins, or additional filters to identify the use of cryptography. Independent tools for cryptography discovery will employ technology for scanning networks, hosts, log files, or source code. 
The <a href="https://www.cse-cst.gc.ca/en/accountability/transparency/reports/communications-security-establishment-annual-report-2023-2024#9-1-1">Cyber Centre’s sensors program</a> is a tool expected to assist departments in identification. Additional guidance on cryptographic discovery tools and services will be provided to departments by the <abbr title="information technology">IT</abbr> Security Tripartite, which includes <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr>, and the Cyber Centre.</p> <p>Departments should not be overwhelmed by the scale of discovery: it is better to begin with an initial, incomplete inventory and to define actions to iteratively improve the data.</p> <p>During the identification phase, departments should use the inventory to engage relevant <abbr title="information technology">IT</abbr> vendors and contractors to determine their plans to implement <abbr title="post-quantum cryptography">PQC</abbr> in their products and services. Understanding which system components will be eligible for upgrades versus replacement will assist in the next phase of developing a transition plan.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h3 id="3.3">3.3 Transition</h3> <p>The transition phase leverages the inventory created in the identification phase to plan and execute system upgrades, replacement, tunnelling, and/or isolation.</p> <p>In addition to the inventory data, the plan must consider departmental resources for identifying and assessing solutions, performing necessary procurements, testing, and deployment. 
The plan for each system will typically require multiple stages and should be integrated with existing <abbr title="information technology">IT</abbr> change management processes to ensure proper preparation including:</p> <ul><li>an impact assessment</li> <li>a rollback playbook</li> <li>a staging environment for testing changes</li> <li>monitoring to validate successful operation post-transition</li> </ul><p>For each system, technical teams must identify and assess solutions to incorporate <abbr title="post-quantum cryptography">PQC</abbr> or otherwise mitigate the quantum threat. The availability of <abbr title="post-quantum cryptography">PQC</abbr>-capable products may be limited in the early stages, but vendors are rapidly adopting <abbr title="post-quantum cryptography">PQC</abbr> as updates to protocol standards are completed. Solutions should meet all the procurement requirements established in the Preparation phase (<a href="#3.1.4">Procurement policies 3.1.4</a>).</p> <p>Many systems will need to maintain backwards compatibility to allow for continued operation with non-transitioned systems for a period of time. The first stage for a system transition may be to support the use of <abbr title="post-quantum cryptography">PQC</abbr>, followed by a second stage to disable the vulnerable, legacy cryptography.</p> <p>It may not be feasible to transition some legacy systems to use <abbr title="post-quantum cryptography">PQC</abbr> without a full system replacement. To meet migration milestones, it may be necessary to isolate such systems on the network or to tunnel traffic within a <abbr title="post-quantum cryptography">PQC</abbr>-protected encapsulation layer. 
Such decisions should be made during the transition phase planning.</p> <p>Early versions of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan may offer limited detail on the transition phase; however, this section should be expanded as identification efforts progress.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="4">4 Milestones and deliverables</h2> <p>Milestones and deliverables for federal departments and agencies are as follows:</p> <ul><li>April 2026: Develop an initial departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> <li>Beginning April 2026 and annually after: Report on <abbr title="post-quantum cryptography">PQC</abbr> migration progress</li> <li>End of 2031: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of high priority systems</li> <li>End of 2035: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of remaining systems</li> </ul><p>These milestones for the completion of migrations imply that quantum-vulnerable algorithms are disabled, isolated or tunnelled. That is, rather than just supporting <abbr title="post-quantum cryptography">PQC</abbr>, the quantum risk has been mitigated. 
It will be critical for departments and agencies to create, revise and follow their departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan to migrate systems as early as possible to meet the milestone dates.</p> <p>More information on expectations for reporting progress is given in the next section.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="5">5 Governance and coordination</h2> <h3 id="5.1">5.1 Relevant Government of Canada governance bodies</h3> <p>Departments and agencies are accountable for managing cyber security risks in their program areas. However, <abbr title="Government of Canada">GC</abbr>-wide initiatives, such as this migration to <abbr title="post-quantum cryptography">PQC</abbr>, require a whole-of-government approach managed at the enterprise level in accordance with accountabilities outlined under the <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> policy instruments.</p> <p>The <abbr title="information technology">IT</abbr> Security Tripartite consists of the <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr>, and the Cyber Centre. The tripartite is a centralized body that provides advice, guidance, oversight, and direction on <abbr title="Government of Canada">GC</abbr>-wide cyber security initiatives such as the <abbr title="Government of Canada">GC</abbr> migration to <abbr title="post-quantum cryptography">PQC</abbr>. 
The tripartite supports departments and agencies under <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> authorities.</p> <p>The <abbr title="Government of Canada">GC</abbr> Enterprise Architecture Review Board (<abbr title="Government of Canada">GC</abbr> EARB) provides a governance mechanism to assess if proposed enterprise systems are aligned to the <abbr title="Government of Canada">GC</abbr> Enterprise Architecture Framework. The framework ensures business, information, application, technology, security, and privacy architecture domains meet the <a href="https://www.canada.ca/en/government/system/digital-government/policies-standards/service-digital-target-enterprise-architecture-white-paper.html">Service and Digital Target Enterprise Architecture</a>. Cyber security requirements, such as compliance to the Cyber Centre’s cryptographic recommendations, are part of the <abbr title="Government of Canada">GC</abbr> Target Enterprise Architecture which is aligned with overall <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> strategic direction and <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> policy instruments.</p> <p>The <abbr title="Government of Canada">GC</abbr> has interdepartmental Quantum Science and Technology (S&amp;T) Coordination Committees at senior executive levels to synchronise efforts and maintain Canada’s leadership in quantum S&amp;T. 
These committees oversee the federal government’s actions supporting <a href="https://ised-isde.canada.ca/site/national-quantum-strategy/en/canadas-national-quantum-strategy">Canada’s National Quantum Strategy</a> (NQS), including the <abbr title="National Quantum Strategy">NQS</abbr> roadmap on quantum communication and post-quantum cryptography.</p> <h3 id="5.2">5.2 Reporting on progress</h3> <p>Monitoring the progress of the <abbr title="Government of Canada">GC</abbr> migration to <abbr title="post-quantum cryptography">PQC</abbr> is essential for effective activity oversight and governance. This ensures accountability and the completion of milestones. <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> oversees compliance to its policy instruments in accordance with the Treasury Board <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=17151">Framework for Management of Compliance</a>. It also tracks progress on the departmental plan on service and digital which includes cyber security, as required under the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32603">Policy on Service and Digital</a>. Reporting on departmental progress and on the activities needed to complete the migration to <abbr title="post-quantum cryptography">PQC</abbr> will be requested and collected by <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> as part of the annual submissions for the departmental plan on service and digital.</p> <h3 id="5.3">5.3 Additional resources and support</h3> <p>The <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> GCxchange platform will be leveraged to share artifacts with federal departments and agencies to assist in the migration to <abbr title="post-quantum cryptography">PQC</abbr>. 
The Cyber Centre will continue to publish guidance and recommendations for organizations on the <a href="https://cyber.gc.ca/">Cyber Centre website</a>.</p> <p>Please use the Cyber Centre contact information at the top of this page to request more information on the quantum threat, <abbr title="post-quantum cryptography">PQC</abbr>, or this roadmap.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><!--FOOTNOTE SECTION EN--><aside class="wb-fnote" role="note"><h2 id="reference">References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>Non-classified <abbr title="information technology">IT</abbr> systems are those that do not contain, transfer, or otherwise handle classified information. In the Government of Canada, non-classified systems manage UNCLASSIFIED, PROTECTED A, and PROTECTED B information. For classified systems and systems handling PROTECTED C information, departments must contact the Cyber Centre to obtain advice on migrating commercial equipment.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>For more information on the quantum computing threat to cryptography, read the publication <a href="https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a>.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p><a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=16578">Treasury Board Secretariat of Canada’s Policy on Government Security</a></p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> 
referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p><a href="https://www.cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33"><abbr title="information technology">IT</abbr> security risk management (ITSG-33): Annex 3A – Security control catalogue</a></p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p><a href="https://www.cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Baseline security requirements for network security zones (ITSP.80.022)</a></p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>
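As an added example (not part of the Cyber Centre's roadmap), the following Python script triages a constructed departmental cryptographic inventory using the per-system fields and criteria from the identification and transition phases above: it flags quantum-vulnerable algorithms, applies the HNDL prioritization, maps each system to the 2031 or 2035 milestone and to its stage in the two-stage transition (support PQC, then disable legacy, or isolate/tunnel), and checks whether the planned refresh lands before the deadline so the migration can use existing lifecycle budgets. The algorithm sets, the ten-year lifespan threshold and all sample systems are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumption (not from the roadmap): classical public-key algorithms a
# discovery tool would flag as quantum-vulnerable, and the NIST PQC standards.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDHE", "ECDSA", "EdDSA"}
PQC_ALGORITHMS = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# Roadmap milestones (section 4).
HIGH_PRIORITY_DEADLINE = 2031
REMAINING_DEADLINE = 2035

# Assumption: information that must stay confidential at least this long is
# treated as high priority even when it never crosses a public network zone.
LONG_LIFESPAN_YEARS = 10


@dataclass
class SystemEntry:
    """One inventory entry, using the per-system fields the roadmap lists."""
    name: str
    component: str
    vendor_version: str
    network_zone: str                   # "public", "internal", ...
    protects_transit_confidentiality: bool
    key_exchange: list[str]             # enabled key-establishment algorithms
    signatures: list[str]               # enabled signature algorithms
    info_lifespan_years: int
    impact_of_compromise: str           # "high", "medium" or "low"
    refresh_year: int                   # expected lifecycle refresh
    contact: str                        # departmental point of contact
    isolated_or_tunnelled: bool = False  # alternative mitigation already applied


def vulnerable_algorithms(entry: SystemEntry) -> set[str]:
    """Quantum-vulnerable algorithms still enabled on this system."""
    return (set(entry.key_exchange) | set(entry.signatures)) & QUANTUM_VULNERABLE


def supports_pqc(entry: SystemEntry) -> bool:
    return bool((set(entry.key_exchange) | set(entry.signatures)) & PQC_ALGORITHMS)


def hndl_susceptible(entry: SystemEntry) -> bool:
    """HNDL is a confidentiality threat: traffic recorded today on a public
    zone can be decrypted later only if its key exchange is quantum-vulnerable.
    Vulnerable signatures alone create no HNDL exposure (a signature cannot be
    forged retroactively), although they still have to be migrated."""
    return (entry.protects_transit_confidentiality
            and entry.network_zone == "public"
            and bool(set(entry.key_exchange) & QUANTUM_VULNERABLE))


def transition_stage(entry: SystemEntry) -> str:
    """Stage in the two-stage transition (support PQC, then disable legacy),
    with isolation or tunnelling counted as mitigated, as section 4 states."""
    if entry.isolated_or_tunnelled or not vulnerable_algorithms(entry):
        return "mitigated"
    if supports_pqc(entry):
        return "pqc-supported-legacy-enabled"
    return "not-started"


def priority(entry: SystemEntry) -> str:
    if hndl_susceptible(entry):
        return "high"
    if (entry.impact_of_compromise == "high"
            and entry.info_lifespan_years >= LONG_LIFESPAN_YEARS):
        return "high"
    return "remaining"


def triage(entry: SystemEntry) -> dict:
    prio = priority(entry)
    deadline = HIGH_PRIORITY_DEADLINE if prio == "high" else REMAINING_DEADLINE
    return {
        "name": entry.name,
        "priority": prio,
        "deadline": deadline,
        "hndl": hndl_susceptible(entry),
        "stage": transition_stage(entry),
        "vulnerable": sorted(vulnerable_algorithms(entry)),
        # True when the planned refresh precedes the milestone, so the change
        # can ride the existing lifecycle budget instead of a rushed procurement.
        "refresh_aligned": entry.refresh_year <= deadline,
        "contact": entry.contact,
    }


def triage_inventory(entries: list[SystemEntry]) -> list[dict]:
    """High-priority and HNDL-exposed systems first, then by deadline and name."""
    rows = [triage(e) for e in entries]
    rows.sort(key=lambda r: (r["priority"] != "high", not r["hndl"], r["deadline"], r["name"]))
    return rows


def summarize(rows: list[dict]) -> dict:
    out = {"high": 0, "remaining": 0, "mitigated": 0, "out_of_cycle": 0}
    for r in rows:
        out[r["priority"]] += 1
        if r["stage"] == "mitigated":
            out["mitigated"] += 1
        elif not r["refresh_aligned"]:
            out["out_of_cycle"] += 1   # needs action outside the refresh cycle
    return out


# Constructed sample inventory; names, vendors and contacts are fictitious.
SAMPLE_INVENTORY = [
    SystemEntry("citizen-portal-tls", "TLS termination", "ExampleLB 4.2", "public", True,
                ["ECDHE", "RSA"], ["ECDSA"], 20, "high", 2027, "web-ops"),
    SystemEntry("vpn-gateway", "IPsec/TLS VPN", "ExampleVPN 9.1", "public", True,
                ["ML-KEM", "ECDHE"], ["RSA"], 5, "medium", 2033, "network-ops"),
    SystemEntry("hr-records-archive", "database at rest", "ExampleDB 12", "internal", False,
                [], ["RSA"], 30, "high", 2030, "hr-it"),
    SystemEntry("legacy-scada-hmi", "OT console", "ExampleHMI 2.0", "internal", True,
                ["DH"], [], 5, "high", 2036, "facilities", isolated_or_tunnelled=True),
    SystemEntry("build-pipeline-signing", "artifact signing", "ExampleCI 7", "internal", False,
                [], ["ML-DSA"], 3, "medium", 2029, "devops"),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f'{row["name"]:24} {row["priority"]:9} {row["deadline"]} '
              f'{row["stage"]:28} refresh_aligned={row["refresh_aligned"]}')
    print(summarize(triage_inventory(SAMPLE_INVENTORY)))
```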

  • Joint Advisory: Cyber officials warn Canadians of malicious campaign to impersonate high-profile public figures
    by Canadian Centre for Cyber Security on June 23, 2025 at 2:04 pm


  • Cyber threat bulletin: People’s Republic of China cyber threat activity: PRC cyber actors target telecommunications companies as part of a global cyberespionage campaign
    by Canadian Centre for Cyber Security on June 19, 2025 at 8:06 pm

    The Canadian Centre for Cyber Security (Cyber Centre) and the United States’ Federal Bureau of Investigation (FBI) are warning Canadians of the threat posed by People’s Republic of China (PRC)

  • Cyber Centre advice on securing operational technology systems
    by Canadian Centre for Cyber Security on June 18, 2025 at 1:22 pm

    <article data-history-node-id="6456" about="/en/news-events/cyber-centre-advice-securing-operational-technology-systems" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) is warning Canadian organizations to defend their operational technology (OT) and industrial control systems (ICS) from malicious cyber actors.</p> <p>The Cyber Centre is aware of ongoing attempts by non-state malicious cyber actors to discover and compromise poorly secured, internet-connected <abbr title="operational technology">OT</abbr> and <abbr title="industrial control systems">ICS</abbr> that provide critical services to Canadians. The motivations of malicious actors vary, including geopolitical reasons, financial gain, notoriety or a combination.</p> <p>Once they have compromised a system, these actors attempt to change device configurations and manipulate system settings. This can affect physical processes such as changing pressurization or disabling alarms and safety controls.</p> <p>This activity demonstrates reckless intent and complete disregard for real-world harm with the potential to impact the health and safety of Canadians. 
The Cyber Centre calls on all Canadian organizations who operate <abbr title="operational technology">OT</abbr> and <abbr title="industrial control systems">ICS</abbr> to protect their systems.</p> <p>Recent guidance from the United States’ Cybersecurity and Infrastructure Security Agency (CISA) addresses cyber threats to <abbr title="operational technology">OT</abbr> systems. The Cyber Centre strongly recommends critical infrastructure providers take the recommended steps to defend their <abbr title="operational technology">OT</abbr> assets:</p> <ul><li>Remove <abbr title="operational technology">OT</abbr> connections to the internet</li> <li>Change default passwords immediately</li> <li>Secure remote access to <abbr title="operational technology">OT</abbr> networks</li> <li>Segment <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> networks</li> <li>Practice and maintain the ability to operate <abbr title="operational technology">OT</abbr> systems manually</li> </ul><p>Read the full factsheet: <a href="https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology">Primary Mitigations to Reduce Cyber Threats to Operational Technology</a>.</p> <p>We encourage any Canadian organizations who believe they may have been targeted by cyber threat activity to contact the Cyber Centre by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> or by phone <a href="tel:+18332923788">1-833-CYBER-88</a>.</p> <p>For more information, consult the following Cyber Centre guidance: <a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a> and <a href="https://www.cyber.gc.ca/en/cyber-security-readiness">Cyber Security Readiness</a>.</p> </div> </div> </div> </div> </div> </article>

  • Chairs’ statement on G7 Cybersecurity Working Group meeting
    by Canadian Centre for Cyber Security on June 11, 2025 at 5:16 pm

    <article data-history-node-id="6423" about="/en/news-events/chairs-statement-g7-cybersecurity-working-group-meeting" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>Canada, under the leadership of the Communications Security Establishment Canada (CSE) and Public Safety Canada, hosted the G7 Cybersecurity Working Group (Working Group) from May 12 to 13, 2025, in Ottawa, to discuss shared issues on cyber security and emerging technology.</p> <p>The Working Group was established in 2024 under Italy’s G7 leadership and is composed of the principals in national cyber security agencies or roles across the G7. 
The Working Group acts as a cyber security community of practice for the G7, and is built on shared values, shared interests and a shared vision for the future of cyberspace.</p> <p>The speed, scale and intensity of current challenges in cyberspace are unparalleled, and coordinated efforts among G7 like-minded nations are needed to meet these challenges, namely through the following objectives:</p> <ul><li>Enhancing cooperation on cyber security, through the exchange of views and information, sharing threat analysis and advancing strategies to address current and emerging challenges, including security for <abbr title="artificial intelligence">AI</abbr> and <abbr title="artificial intelligence">AI</abbr> for cyber security</li> <li>Promoting dialogue on guidelines, standards and approaches that contribute to shaping the best practices for cyber security nationally and internationally</li> <li>Fostering long-term resilience for new and emerging technologies that have an impact on cyber security such as quantum computing</li> </ul><p>During the in-person Working Group meeting in Ottawa, representatives met to discuss a series of workstreams on which the group has agreed to collaborate during Canada’s 2025 G7 presidency. This included:</p> <ul><li>Reflecting the shared vision of the group through the preparation and group endorsement of a <a href="https://www.acn.gov.it/portale/en/w/una-visione-condivisa-del-g7-sull-inventario-dei-software-dell-ia">“Food for Thought” paper on a Software Bill of Materials for Artificial Intelligence (SBOM for AI)</a>. The paper reflects a mutual recognition of the fast-paced nature of this space and the need to consider similar initiatives underway in other fora to avoid duplication.</li> <li>Agreeing to advance an initiative to address the cyber security of Internet of Things (IoT) products, taking into account both the technical and non-technical nature of cyber threats. 
The working group has since released a <a href="https://www.nisc.go.jp/pdf/press/G7_Statement_on_IoT_Security.pdf">statement on <abbr title="Internet of Things">IoT</abbr> security (PDF, 140 KB)</a>, hosted on Japan’s National Cybersecurity Office website.</li> <li>Renewing a commitment to advocate for a well-planned transition to Post-Quantum Cryptography and to further explore joint technical cyber advisories to leverage the Working Group’s collective voices on cyber security matters.</li> <li>Agreeing to exchange ideas and lessons learned from policy levers for incentivising cyber security.</li> <li>Discussing the need to protect our respective critical infrastructure and improve the collective cyber resilience of essential services and systems. This work is vital to serving citizens, maintaining economic stability and national security. Through these discussions on safeguarding critical infrastructure, the Working Group seeks to mitigate risks, minimize disruptions, and enhance our ability to respond to and recover from cyber threats.</li> <li>Sharing ideas and best practices to build up the cyber security skill set, foster public-private partnerships, and continue to promote secure-by-design principles in various engagements. Developing these skills and engaging in collaboration are crucial to respond effectively to evolving threats, ensuring resilience, and fostering innovation. 
Further, adopting secure-by-design practices will reduce the attack surface and enhance overall cyber resilience.</li> </ul><p>The Working Group plans to continue these efforts throughout the rest of the Canadian G7 presidency in 2025, including having a second meeting in fall 2025 to review progress and finalize the work prior to transitioning the presidency of the Working Group to France for 2026.</p> <p>Sami Khoury, Principal and Co-Chair<br /> G7 Cybersecurity Working Group<br /> Communications Security Establishment Canada</p> <p>Colin MacSween, Co-Chair<br /> G7 Cybersecurity Working Group<br /> Public Safety Canada</p> </div> </div> </div> </div> </div> </article>

  • Executive summary and joint guidance on security information and event management and security orchestration, automation and response
    by Canadian Centre for Cyber Security on May 27, 2025 at 6:47 pm

    <article data-history-node-id="6366" about="/en/news-events/executive-summary-joint-guidance-security-information-event-management-security-orchestration-automation-response" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) and the following international partners in releasing updated cyber security guidance on security information and event management (SIEM) and security orchestration, automation and response (SOAR):</p> <ul><li>Czech Republic’s National Cyber and Information Security Agency (NÚKIB)</li> <li>Japan’s National Center of Incident Readiness and Strategy for Cyber Security (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC)</li> <li>New Zealand’s National Cyber Security Centre (NCSC-NZ)</li> <li>Republic of Korea’s National Intelligence Service (NIS)</li> <li>Singapore’s Cyber Security Agency (CSA)</li> <li>United Kingdom’s National Cyber Security Centre (NCSC-UK)</li> <li>United States’ Federal Bureau of Investigation (FBI)</li> <li>United States’ Cybersecurity and Infrastructure Security Agency (CISA)</li> <li>United States’ National Security Agency (NSA)</li> </ul><p><abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms offer many benefits to organizations. 
Both platforms can enhance an organization’s ability to detect and respond to cyber security risks by collating, analyzing and automating some aspects of an organization’s work. To function effectively, <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms rely on proper deployment and maintenance over time.</p> <p>This series of guidance includes 3 publications.</p> <h2>Executive guidance: Implementing security information and event management and security orchestration, automation and response platforms</h2> <p>This executive summary provides considerations for organizations that are looking to procure <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms. The executive summary:</p> <ul><li>defines <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms</li> <li>outlines the benefits and challenges associated with using <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms</li> <li>identifies best practices for implementing and maintaining <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms</li> </ul><p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/implementing-siem-and-soar-platforms/implementing-siem-and-soar-platforms-executive-guidance">Executive guidance: Implementing security information and event management and security orchestration, automation and response platforms</a>.</p> <h2>Guidance for practitioners: Implementing security information and 
event management and security orchestration, automation and response platforms and their implementation</h2> <p>This joint guidance provides high-level direction for cyber security practitioners on <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms. Cyber security practitioners in government and other organizations can leverage this guidance to implement <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms.</p> <p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/implementing-siem-and-soar-platforms/implementing-siem-and-soar-platforms-practitioner-guidance">Guidance for practitioners: Implementing security information and event management and security orchestration, automation and response platforms and their implementation</a>.</p> <h2>Guidance for practitioners: Priority logs for security information and event management ingestion</h2> <p>This joint guidance is intended for cyber security practitioners. It provides recommendations for logs that should be prioritized for ingestion by a <abbr title="security information and event management">SIEM</abbr> platform, as well as tips on querying the platform.</p> <p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/implementing-siem-and-soar-platforms/priority-logs-for-siem-ingestion-practitioner-guidance">Guidance for practitioners: Priority logs for security information and event management ingestion</a>.</p> </div> </div> </div> </div> </div> </article>

  • Joint advisory on Russian cyber campaign targeting logistics providers and IT companies
    by Canadian Centre for Cyber Security on May 21, 2025 at 1:00 pm

    <article data-history-node-id="6340" about="/en/news-events/joint-advisory-russian-cyber-campaign-targeting-logistics-providers-companies" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ National Security Agency (NSA) and multiple international partners in issuing the following joint advisory.</p> <p>The advisory concerns Russian state-sponsored cyber activity targeting Western logistics providers and <abbr title="information technology">IT</abbr> companies, particularly those involved in delivering foreign assistance to Ukraine.</p> <p>Known targets include government organizations and commercial entities in <abbr title="North Atlantic Treaty Organization">NATO</abbr> member states and Ukraine as well as international organizations. Target sectors include:</p> <ul><li>the defence industry</li> <li>transportation and transportation hubs, such as ports and airports</li> <li>the maritime sector</li> <li>air traffic management</li> <li><abbr title="information technology">IT</abbr> services</li> </ul><p>The espionage-oriented cyber campaign is attributed to a group (military unit 26165) within the Russian General Staff Main Intelligence Directorate (GRU). 
This unit is commonly known to the cyber security community as APT28, Fancy Bear, Forest Blizzard or Blue Delta.</p> <p>The campaign uses a mix of tactics, techniques and procedures (TTPs) previously used by unit 26165, including:</p> <ul><li>password spraying</li> <li>spear phishing</li> <li>modification of Microsoft Exchange mailbox permissions</li> </ul><p>The advisory warns executives and network defenders at logistics providers and technology companies to:</p> <ul><li>be aware of the increased threat</li> <li>adjust their cyber security posture with a presumption of targeting</li> <li>increase monitoring and threat hunting for the <abbr title="tactics, techniques and procedures">TTPs</abbr> and indicators of compromise listed in this advisory</li> <li>take the recommended mitigation actions</li> </ul><p>Read the full joint advisory: <a href="https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF">Russian <abbr title="General Staff Main Intelligence Directorate">GRU</abbr> Targeting Western Logistics Entities and Technology Companies (PDF)</a>.</p> </div> </div> </div> </div> </div> </article>

  • Security considerations for voice-activated digital assistants – ITSAP.70.013
    by Canadian Centre for Cyber Security on May 12, 2025 at 12:42 pm

    <article data-history-node-id="651" about="/en/guidance/security-considerations-voice-activated-digital-assistants-itsap70013" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!-- Info across the top under the image --> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.70.013</strong></p> </div> </div> <!-- MOBILE STARTS HERE --> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2025 | Awareness series</strong></p> </div> <p>Voice-activated digital assistants are a type of smart device that can control other devices when prompted by a human voice. They can perform a variety of tasks, such as checking the weather, adjusting the thermostat and playing music. Voice-activated digital assistants can connect to the Internet, allowing them to communicate with other smart devices and form a vast network known as the Internet of Things (IoT). 
Although they can be convenient, it is important to consider the cyber security risks associated with voice-activated digital assistants before integrating them into your network.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#voice-activated">How voice-activated digital assistants work</a></li> <li><a href="#risks-digital-assistants">Risks associated with digital assistants</a></li> <li><a href="#attack-methods">Attack methods</a></li> <li><a href="#selecting-vendor">Considerations for selecting a vendor</a></li> <li><a href="#securing-digital-assistant">Securing your digital assistant</a></li> <li><a href="#steps-address">Steps to address a compromise</a></li> </ul><h2 class="text-info" id="voice-activated">How voice-activated digital assistants work</h2> <p>Voice-activated digital assistants come in various forms, such as smart speakers, smartwatches and smartphone applications. These devices respond to human commands through voice recognition technology. They record and listen for commands or trigger words. Once triggered, the device captures the request and searches the Internet for a suitable response or carries out the requested action. These devices also listen and parse conversation for the purposes of targeted marketing.</p> <p>Voice-activated digital assistants use algorithms and machine learning to improve their performance over time. They create user profiles to identify individuals who issue commands, allowing for more personalized interactions. This involves saving voice recognition data and storing information about the resources and smart devices they use to fulfill your requests. For example, digital assistants may retain data such as websites visited and settings for controlling your home appliances or security cameras. 
Although digital assistants can create profiles to recognize voice commands from a particular individual, they will record and respond to any voice command they can interpret.</p> <h2 class="text-info" id="risks-digital-assistants">Risks associated with digital assistants</h2> <p>Voice-activated digital assistants are high-value targets for cyber threat actors who want to steal sensitive information. The interconnected nature of these devices means that a vulnerability in one digital assistant or a device connected to it can compromise the security of the entire network.</p> <p>Cyber threat actors can take advantage of these vulnerabilities in various ways, including:</p> <ul><li>accessing personal information, such as <ul><li>usernames</li> <li>passwords</li> <li>other sensitive account details</li> </ul></li> <li>learning whether you are at home or away</li> <li>tampering with other connected smart device controls to compromise security and integrity, such as <ul><li>adjusting temperature settings</li> <li>unlocking doors</li> <li>disabling alarms</li> </ul></li> </ul><p>There are also additional risks tied to some of the features of digital assistants.</p> <h2 class="text-info">Storing voice recognition recordings and transcripts</h2> <p>Devices can retain a voice-to-text transcription when the device sends a recorded voice command to a cloud-based resource. This data could contain confidential information, particularly if the voice service was triggered accidentally. Be aware of vendors’ privacy policies. Vendors often have terms that allow them to retain recordings or transcriptions for quality improvement or to share with partners.</p> <h2 class="text-info">Eavesdropping on sensitive conversations</h2> <p>Voice commands for activities like controlling lights or changing music have a minimal risk of capturing background conversation. However, there are other scenarios where captured background conversations can be risky. 
For example, connecting a voice assistant to a business platform to dictate the content of your emails could give it access to sensitive conversations. Threat actors can leverage this data to conduct dolphin attacks or make unauthorized purchases. You should turn on confirmation dialogs to minimize the risk of accidental or unauthorized transactions. This will prompt your device to repeat your command and confirm that you want to proceed. Modern devices that have on-device voice recognition can be safer.</p> <h2 class="text-info" id="attack-methods">Attack methods</h2> <p>Cyber threat actors could target your digital assistant through methods such as a "dolphin" attack or malware.</p> <h3>"Dolphin" attack</h3> <p>A "dolphin" attack broadcasts ultrasonic frequency sounds which are inaudible to the human ear but trigger the recording feature in digital assistants. These high-frequency sounds can be embedded into videos, websites or even physical devices enabling threat actors to target digital assistants within range. By emitting these sounds, threat actors can trigger the digital assistant to initiate actions, such as transferring files, making unauthorized purchases and stealing sensitive data.</p> <h3>Malware</h3> <p>Malware is a common method used by cybercriminals to compromise digital assistants. It infects these devices through disguised applications, malicious attachments and links. Malware is very hard to detect and diagnose on digital assistants. Once inside, threat actors can use malware to record your voice and use the recording for other malicious activities, such as bypassing voice recognition authentication on your other devices.</p> <hr /><h2 class="text-info" id="selecting-vendor">Considerations for selecting a vendor</h2> <p>When selecting a vendor for voice-activated digital assistants, ensure you understand the terms and conditions in your vendor’s end-user licence agreement. 
Consider the following questions when selecting a vendor:</p> <ul><li>Is there an option for a "tap to activate" mode?</li> <li>Is there an option to turn off the listening function to safeguard private events and conversations?</li> <li>What data is sent to their voice processing service?</li> <li>What information is returned in response to a service or application request?</li> <li>Who has access to raw voice or text data?</li> <li>How is retained data used and for how long?</li> <li>Is the data generated by the device encrypted?</li> <li>Where is data stored?</li> <li>Is data shared with any third parties?</li> </ul><p>Review vendors’ privacy policies and security practices. Research reviews and security ratings to determine whether the vendor’s databases have vulnerabilities or if their storage facilities have been breached. Consider products that offer local data storage options, as opposed to cloud-based storage. Storing data locally on the device can reduce the risk of exposure to cloud-based vulnerabilities and breaches.</p> <h2 class="text-info" id="securing-digital-assistant">Securing your digital assistant</h2> <p>When setting up your device or digital assistant, you should identify what potentially sensitive information it can access via your network. Consider isolating your digital assistant on a separate network, such as a guest network, to protect your main network should a compromise occur. 
You should also consider implementing the following best practices to secure your device.</p> <ul><li>Use a unique, strong password or passphrase for your digital assistant</li> <li>Set a PIN on your digital assistant to prevent unauthorized use of the voice assistant</li> <li>Use multi-factor authentication (MFA) to secure accounts and devices on your network</li> <li>Turn off your digital assistant when discussing personal or sensitive information in its vicinity</li> <li>Verify if your device allows you to turn off active listening features</li> <li>Review the microphone permissions granted to applications on your device</li> <li>Deactivate features that allow the digital assistant to perform security-sensitive operations, such as unlocking doors or controlling cameras</li> <li>Disconnect remote access functions on devices if they are not required</li> <li>Update and patch software and firmware frequently</li> <li>Use a virtual private network (VPN) on the network to which your digital assistant is connected</li> <li>Review permissions on your apps to determine whether or not they require access to your microphone and your conversations</li> <li>Delete your voice request history regularly to ensure that there is no memory bank of your voice profile and the content of your conversations</li> <li>Check your privacy settings and make sure you are not sharing more data than necessary</li> <li>Download apps from official stores only, and avoid third-party apps that may be more likely to contain malware</li> </ul><h2 class="text-info" id="steps-address">Steps to address a compromise</h2> <p>If you suspect malicious activity on your voice-activated digital assistant or other smart devices, you must act quickly to minimize the potential damage. 
You should take the following steps:</p> <ol><li>Power down the IoT device immediately</li> <li>Contact your mobile service provider to locate the point of intrusion and determine what data has been compromised</li> <li>Perform a factory reset immediately to remove any malicious software or configurations</li> <li>After resetting, update your device with the latest version and relevant security patches</li> <li>Consider both network-based and host-based monitoring solutions on your network</li> <li>Change the passphrases for all affected accounts and devices, ensuring they are strong and unique</li> </ol><p>Learn more about <a href="/en/incident-management">reporting cyber incidents to the Cyber Centre</a>.</p> <h2 class="text-info">Learn more</h2> <ul><li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/internet-things-iot-security-itsap00012">Internet of Things (IoT) security (ITSAP.00.012)</a></li> <li><a href="/en/guidance/virtual-private-networks-itsap80101">Virtual private network (ITSAP.80.101)</a></li> <li><a href="/en/protecting-your-information-and-data-when-using-applications-itsap40200">Protecting your information and data when using applications (ITSAP.40.200)</a></li> <li><a href="/en/guidance/have-you-been-hacked-itsap00015">Have you been hacked? (ITSAP.00.015)</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Recommended contract clauses for security operations centre procurement (ITSM.00.500)
    by Canadian Centre for Cyber Security on May 1, 2025 at 11:53 am

    <article data-history-node-id="6307" about="/en/guidance/recommended-contract-clauses-security-operations-centre-procurement-itsm00500" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.00.500</strong></p> </div> <!-- MOBILE STARTS HERE --> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Management series</strong></p> </div> <!-- pdf download --> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.00.500-en.pdf">Recommended contract clauses for security operations centre procurement – ITSM.00.500 (PDF, 552 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> | <span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on April 23, 2025.</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: April 23, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#1">1 Introduction</a> <ul><li><a href="#1-1">1.1 Scope</a></li> <li><a href="#1-2">1.2 Guiding publications</a> <ul><li><a href="#1-2-1">1.2.1 Government of Canada resources</a></li> <li><a href="#1-2-2">1.2.2 Industry and other resources</a></li> <li><a href="#1-2-3">1.2.3 Recommended nomenclature</a></li> </ul></li> </ul></li> <li><a href="#2">2 Security operations centre provider selection process</a> <ul><li><a href="#2-1">2.1 Main services for consideration in a security operations centre</a> <ul><li><a href="#2-1-1">2.1.1 Security operations, monitoring and reporting</a></li> <li><a href="#2-1-2">2.1.2 Incident support</a></li> <li><a href="#2-1-3">2.1.3 Threat analysis and intelligence</a></li> <li><a href="#2-1-4">2.1.4 Documentation and standard operating procedures</a></li> <li><a href="#2-1-5">2.1.5 Additional capabilities: Advanced incident management support, forensics and malware analysis</a></li> <li><a href="#2-1-6">2.1.6 Security technologies maintenance and operation</a></li> </ul></li> </ul></li> </ul><p><a href="#3">3 Vendor readiness</a><br /><a href="#4">4 Terms and conditions</a><br /><a href="#5">5 Summary</a></p> </details><details class="mrgn-tp-md"><summary><h2 class="h3">Disclaimer</h2> </summary><p>The information provided in this document is provided "as-is", without warranty or representation of any kind, to be used at the users’ discretion. The users of this information shall have no recourse against any of the authors for any loss, liability, damage or cost that may be suffered or incurred at any time arising from the use of information in this document.</p> </details></section><section><h2 class="text-info" id="overview">Overview</h2> <p>To effectively protect against cyber threats, it’s essential for your organization to have comprehensive visibility and control over its digital infrastructure and activities. Implementing a security operations centre (SOC) is one way to achieve this. To successfully deploy and manage a SOC, it’s critical to establish clear contract clauses and principles when contracting the SOC to a managed security provider (MSP) or managed security service provider (MSSP). This ensures mutual understanding and documentation of expectations.</p> <p>Key components of cyber security services must be outlined in these contracts. These include service-level agreements (SLAs), task orders, and governing standards, among others. Collectively, they form a prescriptive service framework, assuring clients that they will receive the expected services and solutions. This framework also guarantees the security of their data and identities.</p> <p>This publication details the specific services, deliverables and responsibilities expected from an MSP/MSSP, as well as those of the organization procuring these services. 
The recommendations should be interpreted in the context of both the functional and fiduciary aspects of service contracting with any managed service provider.</p> </section><section><h2 class="text-info" id="1">1 Introduction</h2> <p>As digital threats escalate, organizations increasingly rely on SOC services to monitor information security and manage digital risks effectively. While the specific functions of a SOC vary, they typically involve centralized monitoring of the overall security posture through the collection of log data from network devices and systems. SOCs also rely on tools such as security information and event management (SIEM) systems, which interpret log data and correlate it with network incidents. Threat intelligence also plays a crucial role in SOC operations by providing context for the events observed on network systems.</p> <p>Given the complexity of building a mature SOC from the ground up, this publication outlines fundamental expectations for evaluating SOC contracts and identifying procurement risks. These considerations should be aligned with the main functional and fiduciary aspects of contracting, whether your organization is working with an MSP or an MSSP.</p> <p>While service providers may propose initial foundational terms and conditions, management is responsible for ensuring that those terms address the organization’s business security needs and remain flexible for future adjustment. The terms and conditions in the service contract should be designed to yield the best business outcomes for your organization. It is crucial for your organization to take proactive steps to secure the service provisions it needs, including mechanisms for identifying, preventing, detecting, responding to and recovering from security risks.</p> <p>The clauses outlined in this publication are not legal advice; they provide context for evaluating SOC services and understanding the terms and conditions offered by potential service providers.</p> </section><div class="clearfix"> </div> <section><h3 id="1-1">1.1 Scope</h3> <p>This publication provides practical advice and guidance on contracting SOC services from a cyber security perspective. It is relevant to both consuming organizations and service providers. While the examples presented here are neither exhaustive nor definitive best practices, they offer insights based on successful application by government and industry partners.</p> <p>Please note that despite the TLP:CLEAR classification, standard copyright rules apply. 
The contents of this document are protected and should not be reproduced or distributed without proper authorization.</p> <h3 id="1-2">1.2 Guiding publications</h3> <p>In preparing this guidance, the Cyber Centre considered inputs from the following reference publications and frameworks.</p> <h4 id="1-2-1">1.2.1 Government of Canada resources</h4> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/best-practices-setting-security-operations-centre-soc-itsap00500">Best practices for setting up a security operations centre (SOC) (ITSAP.00.500)</a></li> <li><a href="https://buyandsell.gc.ca/cds/public/2018/12/18/53dc132a073954be5c139c9604d11d15/attachment_4.2_supply_chain_integrity_process.pdf">Supply chain integrity (SCI) process and assessment requirements (PDF)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations">Baseline cyber security controls for small and medium organizations</a></li> <li><a href="https://canadabuys.canada.ca/documents/pub/att/2022/03/15/601123b618f63d186d4988c1e06f4a4e/annex_a_-_schedule_1_-_security_obligations_-_en.pdf">Schedule 1 – Security obligations for Tier 2 Software as a Service (SaaS) (PDF)</a></li> <li><a href="https://buyandsell.gc.ca/cds/public/2022/03/15/7247efa8ea946aca0c70ea8726459006/annex_a_-_schedule_2_-_privacy_obligations_-_en.pdf">Schedule 2 – Privacy obligations (PDF)</a></li> </ul><h4 id="1-2-2">1.2.2 Industry and other resources</h4> <ul><li><a href="https://www.fedramp.gov/assets/resources/documents/agency_control_specific_contract_clauses.pdf">Federal Risk and Authorization Management Program (FedRAMP) Control-Specific Contract Clauses version 3.0 (PDF)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/171/a/final">Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/172/final">Enhanced Security Requirements for Protecting Controlled Unclassified 
Information (NIST SP 800-172): A Supplement to NIST Special Publication 800-171</a></li> <li><a href="https://www.ncsc.gov.uk/collection/building-a-security-operations-centre">Building a Security Operations Centre (SOC) (National Cyber Security Centre)</a></li> </ul><h4 id="1-2-3">1.2.3 Recommended nomenclature</h4> <p>This publication highlights key contractual terms pertinent to procuring SOC services, especially cloud-based ones, from a cyber security perspective. These terms are relevant to both immediate needs and future requirements.</p> <p>The wording of a clause signals how binding it is. When drafting service contracts for the SOC services your organization requires, apply the following conventions:</p> <ul><li>Differentiate between mandatory and rated requirements. Mandatory requirements are those the service provider must meet; the related clauses use "must have" or "shall provide". Rated requirements are more flexible and use terms such as "should", "may" or "consider"; they are evaluated and scored rather than strictly required, and indicate capabilities the provider is expected to already possess</li> <li>For services that are part of a future roadmap or are not yet available, use terms such as "will" or "capable of achieving". These indicate the provider’s commitment to meeting future expectations</li> </ul><p>Some services may require time for re-engineering to meet specific needs, or may arrive as updated features in future roadmaps. 
Therefore, organizations must balance immediate requirements with those that allow for development and evolution.</p> <h2 class="text-info" id="2">2 Security operations centre provider selection process</h2> <p>Many organizations consider a SOC from an MSP or MSSP, under various subscription models, because of the resourcing and capabilities an outsourced SOC offers. The SOC can be hosted in the MSP’s or MSSP’s environment, in which case your organization sends all its logs to the provider’s cloud tenancy. Alternatively, your organization can hire an MSP or MSSP to operate SOC functions within your own tenancy, on your behalf.</p> <p>When selecting an MSP or MSSP, there are many considerations and decisions your organization should make internally about the approach and services it requires.</p> <ul><li>Service scope and offerings: Understand the range of services provided by the MSP/MSSP and determine whether it offers both proactive threat hunting and reactive incident response capabilities</li> <li>Scalability and flexibility: Assess the provider’s ability to scale services up or down as your organization’s needs change, and evaluate how flexibly its services respond to emerging threats or organizational growth</li> <li>Customization and integration: Ensure that the MSP/MSSP SOC service can be tailored to your organization’s specific environment, industry and existing security infrastructure, and check for compatibility with your current systems and tools</li> <li>Data management and protection: <ul><li>Inquire about the tools and technologies used for data collection and analysis</li> <li>Understand what data will be captured, how it will be used and where it will be stored <ul><li>Understand where and with whom your data may be shared</li> <li>Clarify the approval or permissions process for sharing data</li> </ul></li> <li>Ensure robust measures are in place for protecting sensitive and confidential data</li> </ul></li> <li>Service level agreement (SLA): Examine the SLA for clear definitions of service expectations, deliverables and response times, and understand how the SLA will be measured, monitored and enforced</li> <li>Compliance and security standards: Verify that the SOC provider follows industry-standard security practices and complies with relevant regulations to mitigate risks, including supply chain vulnerabilities</li> <li>Risk assessment and threat profiling: Perform a comprehensive cyber security risk assessment to identify the specific threats and vulnerabilities relevant to your organization <ul><li>Government of Canada departments should refer to <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33">IT security risk management: A lifecycle approach (ITSG-33)</a></li> <li>Organizations outside the Government of Canada should consult the <a href="https://oasis-open.github.io/cti-documentation/stix/intro.html">Structured Threat Information eXpression (STIX) 2.1 framework</a></li> </ul></li> <li>Contractual clarity and responsibilities: Establish clear contractual terms outlining the responsibilities of both your organization and the service provider under the shared responsibility model</li> <li>Review and adjustment provisions: Ensure there are provisions for regular reviews, updates and adjustments to the services as needed</li> </ul><p>For more information, read <a href="/en/guidance/best-practices-setting-security-operations-centre-soc-itsap00500">Best practices for setting up a security operations centre (SOC) (ITSAP.00.500)</a>.</p> <p>Overall, as the organization requesting the services, you must do work upfront to decide on a SOC strategy and scope. This includes identifying which assets, such as systems and data, are sensitive and need to be monitored and protected. 
For more information on asset inventory and categorization, read <a href="/en/guidance/guidance-security-categorization-cloud-based-services-itsp50103">Guidance on the security categorization of cloud-based services (ITSP.50.103)</a>.</p> <h3 id="2-1">2.1 Main services for consideration in a security operations centre</h3> <p>Below are the key services of an effective SOC, each accompanied by an example contract clause to help you draft the language and expectations in your service agreements.</p> <p>Consider the following essential services:</p> <ul><li><strong>Security operations, monitoring and reporting:</strong> Continuous surveillance and analysis of security events, with timely reporting. Example clause: "Provider shall ensure 24/7 security monitoring and near-real-time incident reporting."</li> <li><strong>Incident support:</strong> Rapid response and support for security incidents. Example clause: "Provider must offer near-real-time incident response services."</li> <li><strong>Threat analysis and intelligence:</strong> Proactive identification and analysis of potential threats. Example clause: "Provider is required to deliver regular threat intelligence updates."</li> <li><strong>Documentation and standard operating procedures (SOPs):</strong> Maintenance of detailed security documentation and SOPs. Example clause: "Provider shall keep comprehensive, up-to-date security documentation and SOPs based on the shared responsibility model."</li> <li><strong>Additional capabilities: Advanced incident management support, forensics and malware analysis:</strong> Specialized support for complex incidents, including forensic analysis. Example clause: "Provider shall offer advanced incident management and forensic analysis capabilities."</li> <li><strong>Ongoing vulnerability assessments and security assurance scans:</strong> Regular assessments to identify and mitigate vulnerabilities. Example clause: "Provider must conduct periodic vulnerability assessments and provide reports."</li> <li><strong>Security technology maintenance and operation:</strong> Ensuring the effective operation and maintenance of security technologies. Example clause: "Provider must operate and maintain the infrastructure and technology supporting the service."</li> </ul><p>Your organization should also consider additional services that may be required upfront or that can be added later as security needs evolve. These could include compliance management, risk assessment, cloud security and cyber security training initiatives.</p> <h4 id="2-1-1">2.1.1 Security operations, monitoring and reporting</h4> <p>Security operations, monitoring and reporting are crucial for observing and analyzing data related to events, incidents or breaches, and the status of information systems or networks. The primary objective is to detect unusual or unauthorized activity and to gather security-relevant data in order to understand system behaviour. This process is essential for identifying internal and external threats and for mitigating the network weaknesses they exploit.</p> <h4>Role and functionality of log aggregation tool suites or capabilities such as SIEM tools</h4> <p>The SIEM system is a pivotal tool in this process. A SIEM centralizes data from various sources, including devices, applications and endpoints. 
It enables:</p> <ul><li>real-time and historical event monitoring</li> <li>detailed analysis and correlation of information</li> <li>enhanced threat detection and response capabilities</li> </ul><h4>Key considerations for outsourcing</h4> <p>When considering outsourcing monitoring and reporting to an MSP/MSSP, it’s important to assess:</p> <ul><li>the depth and frequency of monitoring services</li> <li>data storage strategies, including data residency considerations and security measures</li> <li>the provider’s certifications, particularly in cyber security and compliance standards</li> <li>the provider’s ability to integrate its services with your existing security infrastructure, where the provider operates within your organization’s environment</li> </ul><h4>Recommended contract clauses</h4> <p>The Cyber Centre recommends that organizations include specific clauses on monitoring, reporting and availability when contracting a SOC to an MSP/MSSP. Below are examples of wording that your organization may wish to include in its contracts.</p> <h4 class="h5">Monitoring</h4> <p>The Contractor must:</p> <ul><li>provide continuous (24/7, year-round) monitoring of security events</li> <li>analyze security event data for incident investigation using system logs and other detection methods</li> <li>review and record audit logs for inappropriate or illegal activity to facilitate event reconstruction during security incidents</li> <li>investigate and accurately identify anomalies detected by security devices or reported by stakeholders</li> </ul><h4 class="h5">Reporting</h4> <p>The Contractor shall:</p> <ul><li>deliver actionable notifications, escalations and daily summary reports based on threat intelligence and security event analysis</li> <li>document all investigative activities and incident reports to support the organization’s incident response framework</li> <li>provide comprehensive written reports of all security events, adhering to established procedures and reporting protocols</li> <li>provide the organization with the ability to contact the provider and open an investigation when suspicious activity occurs</li> </ul><h4 class="h5">Availability</h4> <p>The Contractor shall ensure the continuous availability and operational integrity of all SOC systems and applications.</p> <h4>References</h4> <ul><li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085)</a></li> <li><a href="https://csrc.nist.gov/publications/detail/sp/800-137/final">Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST SP 800-137, Appendix D)</a></li> </ul><h4 id="2-1-2">2.1.2 Incident support</h4> <p>Incident support is a vital component of a SOC-as-a-service (MSP/MSSP) model. Your organization and the MSP/MSSP must collaborate to manage incidents effectively. It is crucial to have an organizational incident response plan detailing how your organization will detect, respond to and recover from incidents. This plan should clearly define the SOC’s role, including the extent of its involvement and the responsibilities of your organization’s internal team. The two scenarios below outline the key aspects of incident support, with sample contract clauses, for a SOC hosted in the MSP/MSSP environment (outside your organization’s tenancy) and for a SOC operating within your organization’s tenancy.</p> <p>In both scenarios, it is vital to establish a partnership based on transparency, trust and shared responsibility for security outcomes. The contractual agreement should be detailed and clear, with specific attention to incident response, data protection, compliance and service levels. 
This ensures that both the organization and the MSP/MSSP have a common understanding of their respective roles and responsibilities in securing the organization’s digital assets.</p> <h4>Scenario 1: SOC hosted outside your organization’s tenancy</h4> <p>If your SOC is hosted outside your organization’s tenancy, consider the following key aspects of incident support.</p> <ul><li><strong>Incident detection and notification</strong>: The MSP/MSSP must promptly identify security incidents and notify the organization. The agreement should specify the timeframe for notification following incident detection</li> <li><strong>Incident analysis and response</strong>: The MSP/MSSP should provide detailed analysis of incidents, including potential impact, and execute agreed-upon response actions</li> <li><strong>Data protection and confidentiality</strong>: The MSP/MSSP must adhere to strict data protection and confidentiality standards, especially since sensitive organizational data will be stored and processed in its environment</li> <li><strong>Access control and audit trails</strong>: The MSP/MSSP must implement robust access control measures and maintain audit trails of all activities related to the SOC services</li> <li><strong>Compliance and regulatory requirements</strong>: The MSP/MSSP must comply with relevant regulatory and compliance requirements and provide the documentation and support needed for compliance audits</li> </ul><h5>Example contract clause for incident support</h5> <p>The Contractor shall:</p> <ul><li>notify the Client within the negotiated or agreed-upon timeframe upon detecting any security incident, providing detailed information about the nature, scope and impact of the incident</li> <li>implement and maintain comprehensive data protection measures, in compliance with applicable laws and regulations, to safeguard the Client’s data against unauthorized access, disclosure, alteration or destruction</li> <li>upon detecting an incident, commence remediation actions within [insert specified timeframe] while maintaining the [insert specified] uptime SLA</li> </ul><h4>Scenario 2: SOC operating within your organization’s tenancy</h4> <p>If your SOC operates within your organization’s tenancy, consider the following key aspects of incident support.</p> <ul><li><strong>Integration with existing infrastructure</strong>: The MSP/MSSP must integrate its SOC services with the organization’s existing infrastructure with minimal disruption</li> <li><strong>Incident handling procedures</strong>: The MSP/MSSP must define clear procedures for incident escalation, response and resolution, tailored to the organization’s policies and procedures</li> <li><strong>Training and awareness</strong>: The MSP/MSSP may be required to provide training, knowledge transfer or both to the organization’s staff on security awareness and incident response procedures</li> <li><strong>Performance monitoring and reporting</strong>: Regular performance reviews and reporting are essential to ensure the SOC services meet the organization’s security requirements</li> <li><strong>Continuous improvement</strong>: The contract should include provisions for continuous improvement of the SOC services, including regular updates to security tools and processes</li> </ul><h5>Example contract clause for incident support</h5> <p>The Contractor shall:</p> <ul><li>ensure that SOC services are fully compatible with the Client’s existing systems and infrastructure, and be responsible for any modifications required for integration</li> <li>adhere to the Client’s incident response procedures and timelines, ensuring incidents are resolved in a manner that minimizes impact on the Client’s operations</li> <li>provide monthly performance reports detailing incident detection, response times and resolution outcomes, including any recommendations for improving security posture</li> 
</ul><p>Refer to <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a> for more information.</p> <h4 id="2-1-3">2.1.3 Threat analysis and intelligence</h4> <p>Threat analysis and intelligence are critical components of a proactive cyber security portfolio. Accurate and timely intelligence lets decision makers make informed, data-driven decisions. The Cyber Centre, along with other sources, offers valuable insight through publications and active services that support organizations’ threat intelligence efforts. Organizations should ensure their MSP/MSSP stays abreast of emerging and sophisticated cyber threats.</p> <h4>Key elements of threat intelligence</h4> <ul><li><strong>Continuous monitoring:</strong> keeping track of evolving cyber threats and trends</li> <li><strong>Technical analysis:</strong> analyzing incidents in detail to understand attack vectors and methodologies</li> <li><strong>Intelligence sharing:</strong> using shared resources for a more comprehensive view of the threat landscape</li> </ul><h4>Example contract clauses for threat analysis and intelligence</h4> <p>The Contractor shall:</p> <ul><li>detect, monitor, analyze and mitigate targeted, highly organized or sophisticated cyber threats</li> <li>maintain situational awareness of current cyber security activities and risks</li> <li>use various intelligence sources to develop insight into cyber threats and conduct advanced technical analyses of incidents on the organization’s networks</li> <li>analyze consolidated threat data from multiple sources to provide early warning of impending attacks against the organization’s networks</li> <li>report on technical network- and host-based attack vectors, emerging cyber threats, new vulnerabilities and current trends used by malicious actors</li> <li>develop and maintain databases to catalogue and track ongoing threats, enhancing the organization’s defensive posture</li> <li>integrate intelligence findings into the organization’s broader cyber security strategies and incident response plans</li> </ul><p>Incorporating comprehensive threat analysis and intelligence into MSP/MSSP offerings is crucial for organizations to stay ahead of cyber threats. The MSP/MSSP’s role extends beyond monitoring; it involves deep analysis, continuous learning and integration of intelligence into the organization’s overall cyber security framework.</p> <h4>References</h4> <ul><li><a href="https://csrc.nist.gov/publications/detail/sp/800-137/final">Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST SP 800-137, Appendix D)</a></li> <li><a href="/en/guidance/baseline-cyber-threat-assessment-cybercrime">Baseline cyber threat assessment: Cybercrime</a></li> <li><a href="/en/guidance/national-cyber-threat-assessments">National Cyber Threat Assessments</a></li> </ul><h4 id="2-1-4">2.1.4 Documentation and standard operating procedures</h4> <p>SOPs and comprehensive documentation are crucial in ensuring that all parties involved in the SOC are aligned on methods and practices. 
These documents serve as a reference point for consistent and effective operations within the SOC, aiding in training and providing operational clarity.</p> <h4>Key documentation elements</h4> <ul><li><strong>Security deployment diagrams:</strong> providing visual representations of security deployments for reference and to ensure understanding</li> <li><strong>Regular SOP updates:</strong> updating SOPs with operational changes to ensure ongoing relevance</li> <li><strong>Performance and incident reporting:</strong> providing insights into SOC activities, incident handling and operational efficiency</li> </ul><h4>Example contract clauses for SOPs and documentation</h4> <p>The Contractor shall:</p> <ul><li>create and maintain diagrams for new or revised security deployments, covering all systems and applications related to the SOC</li> <li>develop and regularly update SOC SOPs, particularly following changes in SOC operations or technologies</li> <li>deliver regular written reports, including: <ul><li>daily, weekly and monthly summaries of SOC activities</li> <li>performance metrics and the status of security incidents</li> <li>actions accomplished and milestones reached during the reporting period</li> </ul></li> <li>submit comprehensive reports encompassing: <ul><li>monthly status updates on progress and developments</li> <li>planned activities, and identified problems or issues with proposed solutions</li> <li>anticipated delays and resources used during the period</li> </ul></li> </ul><p>It is essential to establish clear and detailed SOPs and documentation protocols to maintain operational excellence in a SOC environment. These documents not only guide daily operations, but also serve as critical tools for training, performance tracking and strategic planning.</p> <h4 id="2-1-5">2.1.5 Additional capabilities: Advanced incident management support, forensics and malware analysis</h4> <p>In addition to standard incident management support, organizations often require or desire advanced capabilities such as forensics and malware analysis. These services are crucial for thoroughly investigating and resolving sophisticated cyber incidents, understanding attack vectors and improving future security posture.</p> <h4>Key advanced support services</h4> <ul><li><strong>Forensics and malware analysis:</strong> in-depth investigation of incidents to understand the nature and impact of compromises</li> <li><strong>Reverse engineering and traffic analysis:</strong> detailed examination of malicious software and network traffic to uncover threat methodologies</li> </ul><h4>Example contract clauses for advanced incident management support</h4> <p>The Contractor must:</p> <ul><li>provide both on-site and remote computer security incident management, response and recovery support as necessary</li> <li>conduct advanced technical analyses of potentially malicious activities using security event data from the SOC</li> <li>perform detailed endpoint/host-based forensics and memory analysis</li> <li>undertake triage and in-depth analysis of malware, including reverse engineering of Windows software, phishing emails and other client-side exploits</li> <li>conduct digital forensics on media from compromised hosts to assess the scope and nature of the intrusion</li> <li>reconstruct the sequence of events in breaches or attacks for comprehensive understanding</li> <li>execute static and dynamic file analysis to identify malware characteristics, intent and origin</li> <li>recommend countermeasures against malware and other malicious code exploiting the organization’s systems</li> <li>propose changes to 
policies and procedures based on investigative findings to strengthen malware incident response</li> <li>perform advanced network traffic analysis at the packet level to identify anomalies, trends and patterns</li> </ul><p>Advanced incident management support, particularly in forensics and malware analysis, is a critical component of a robust MSP/MSSP offering. These services not only aid in resolving current security incidents but also play a key role in refining organizational policies and strengthening the overall cyber security framework.</p> <p>Refer to <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a> for more information.</p> <h4 id="2-1-6">2.1.6 Security technologies maintenance and operation</h4> <p>In an MSP/MSSP setup, managing key technologies such as the SIEM system, intrusion detection and prevention systems (IDS/IPS) and data loss prevention (DLP) systems is paramount. These technologies form the backbone of effective cyber security operations. Contracts should include specific clauses to ensure these tools are operated and maintained effectively, especially as the organization evolves and grows.</p> <h4>Key responsibilities for technology management</h4> <ul><li><strong>System maintenance and tuning:</strong> regularly updating and tuning security systems to ensure accuracy and efficiency</li> <li><strong>Operational effectiveness:</strong> ensuring continuous operation and optimal performance of all security technologies</li> <li><strong>Adaptability to change:</strong> ensuring flexibility to adapt tools and systems to the changing needs and scale of the organization</li> </ul><h4>Example contract clauses for technology management</h4> <p>The Contractor must:</p> <ul><li>maintain the SIEM so that it aggregates and analyzes data from sources such as network sensors, firewalls, antivirus systems and vulnerability scanners</li> <li>handle administration, management and configuration of all SOC tools, including SIEM, IDS/IPS, DLP and other dedicated security systems</li> <li>develop and update security device signatures, performance reports and relevant metrics to track system efficiency</li> <li>fine-tune the SIEM and IDS/IPS to minimize false positives and enhance detection accuracy</li> <li>continuously operate, manage and update all security technologies, ensuring they are configured appropriately for optimal performance</li> <li>ensure that all relevant security feeds are logged and correlated effectively within the SOC’s SIEM system</li> <li>install, update or modify network security components, tools and other systems as needed to maintain comprehensive coverage and optimal performance in line with organizational growth</li> </ul><p>Effective management of key technologies within an MSP/MSSP framework is essential for maintaining a robust cyber security posture. 
This includes not only the operational maintenance of these tools but also improving and adapting them to meet the evolving needs of the organization.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h2 class="text-info" id="3">3 Vendor readiness</h2> <p>When contracting with an MSP for SOC services, it’s crucial to include specific clauses that ensure the vendor can provide services at the required scale and meet certain standards. These clauses help verify the provider’s experience, compliance with legal requirements, and readiness to handle your organization’s specific needs.</p> <h4>Key contract clauses for vendor readiness</h4> <ul><li><strong>Experience requirements:</strong> The contractor should have a minimum number of years of experience in providing SOC services and engagements of similar size, scale, and complexity</li> <li><strong>Compliance with Canadian laws:</strong> The contractor should have experience in delivering services within Canada and adhering to Canadian privacy and data laws</li> <li><strong>Audit and compliance rights:</strong> The organization reserves the right to perform SOC visits for audit, review, and compliance purposes</li> <li><strong>Business continuity planning:</strong> The contractor must have a robust business continuity plan (BCP) for its SOC to ensure service continuity</li> <li><strong>Certification requirements:</strong> The contractor must meet any industry or sector certification requirements, for example, SOC2 Type2, ISO 27001, CIS CSC, Cloud Security Alliance (CSA) Tier2, ISO 27017</li> <li><strong>Staff clearances and background checks:</strong> The contractor’s personnel should have necessary clearances and background checks (as required)</li> <li><strong>Cyber security controls framework alignment:</strong> Recognized cyber security controls frameworks must be implemented at SOC 
facilities (DRI Institute, NIST)</li> <li><strong>Liability and compensation:</strong> The contractor should provide clarification on shared responsibilities for breaches and details on the provider’s liability insurance coverage for compensation</li> </ul><p>Including these key clauses in your contract with an MSP for SOC services is essential to ensure that the provider is fully prepared and capable of meeting your organization’s specific requirements. These clauses cover a range of critical areas, from experience and legal compliance to business continuity and cyber security frameworks, ensuring a comprehensive approach to vendor readiness.</p> <h2 class="text-info" id="4">4 Terms and conditions</h2> <p>From a security perspective, contract elements must be prescriptive and conform to recognized frameworks and approaches for the MSP/MSSP to establish how it addresses and maintains the security posture as indicated by an organization. In many cases, relying on a given provider’s terms and conditions, as outlined in a contract or end user licensing agreement (EULA), can be considered acceptable. However, if organizations have specific needs or are bound by regulated authorities, negotiation may be required between legal teams using some of the example clauses provided in this document. If you are concerned about any specific areas, seek legal advice where possible.</p> <p>Organizations should carefully consider and, if necessary, consult with their legal counsel on the following areas when negotiating contracts with service providers:</p> <ul><li><strong>Trade secret protections</strong> <ul><li>Inquire how the service provider will separate or secure trade secrets (e.g., patented material, legal branding, etc.) within its system</li> <li>Ensure terms and conditions stipulate that the organization retains ownership and control over its trade secrets, even when placed with the service provider</li> </ul></li> <li><strong>Intellectual property</strong> <ul><li>Discuss measures for tagging, identifying, and securing intellectual property, which may not be officially registered like patents but is crucial to the organization’s operations</li> <li>Clarify in the contract that intellectual property remains the property of the organization, regardless of its placement with the service provider</li> </ul></li> <li><strong>Indemnification/limitation of liability:</strong> Define the level of liability and responsibility in the contract, considering complexities that may arise, especially when multiple service providers are involved</li> <li><strong>Support model considerations</strong> <ul><li>If your organization is subject to regulatory constraints on support locations or resource residency, discuss and agree on support models with the service provider</li> <li>Consider how the provider’s global support model, like a "follow the sun" approach, aligns with regulatory requirements</li> </ul></li> <li><strong>Data migration policies:</strong> Address potential future needs for data migration, including <ul><li>costs associated with data ingress and egress</li> <li>timeframes and processes for migration activities</li> <li>data retention policies post-migration</li> </ul></li> <li><strong>Conformity with security frameworks:</strong> Ensure that contract elements conform to established cyber security frameworks and best practices</li> <li><strong>EULA versus custom contracts:</strong> While standard terms outlined in an EULA might be acceptable for general purposes, they may not suffice for organizations with specific security needs or those under stringent regulatory requirements</li> <li><strong>Legal negotiations for custom needs</strong> <ul><li>For organizations with unique 
requirements or regulatory obligations, negotiations between legal teams are often necessary to tailor the contract appropriately <ul><li>The example clauses provided in this document can guide these negotiations</li> </ul></li> </ul></li> <li><strong>Seeking legal advice</strong> <ul><li>The organization should seek legal counsel, particularly if there are specific areas of concern or if the organization operates under regulated authorities</li> <li>Legal expertise can ensure that contracts are comprehensive, compliant, and tailored to the organization’s unique needs</li> </ul></li> </ul><p>When contracting with a service provider, especially in areas such as MSP/MSSP, organizations must ensure that specific legal and operational considerations are clearly addressed in the contract. This includes retaining ownership of intellectual property and trade secrets, clearly outlining liability terms, understanding support models in the context of regulatory constraints, and preparing for potential data migration. Organizations should consult legal counsel to ensure that these aspects are adequately covered to protect the organization’s interests.</p> <h2 class="text-info" id="5">5 Summary</h2> <p>A SOC combines people, processes and technology to improve an organization’s resilience against cyber threats.</p> <p>Whether this is done by an in-house team in a dedicated room within an organization or whether it is fully or partially outsourced to a team of information security professionals, SOCs are a first line of defence that is critical for preventing, detecting, and recovering from cyber attacks.</p> <p>This is especially true given the increase in operational technology, mobile and cloud technology, and industrial control systems. 
Whether work is in-house, hybrid, or fully remote, your organization will require the same inputs and outputs to your SOC. The guidance included in this document should help your organization write contract clauses that ensure your providers are meeting your expectations. As indicated, this is not to be taken as legal advice.</p> <p>Overall, the key message is that your organization should work with its selected MSP/MSSP provider to ensure common understanding and to also inquire and establish what can be done to meet your organization’s specific needs.</p> </section></div> </div> </div> </div> </div> </article>

  • Joint guidance on software security code of practice
    by Canadian Centre for Cyber Security on April 30, 2025 at 3:30 pm

    <article data-history-node-id="6323" about="/en/news-events/joint-guidance-software-security-code-practice" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom’s National Cyber Security Centre (NCSC-UK) and Department for Science, Innovation and Technology (DSIT) in releasing a software security code of practice and accompanying guidance for software vendors.</p> <p>Software supply chain attacks and other software resilience incidents can be caused by weaknesses in software development and maintenance practices. This joint guidance aims to improve the security and resilience of software that organizations rely on.</p> <p>The joint guidance includes the 3 publications below.</p> <h2>Software security code of practice</h2> <p>The Software security code of practice outlines 14 principles that software vendors should implement to establish a consistent baseline of software security and resilience. 
These 14 principles are divided across 4 themes, which include:</p> <ul><li>secure design and development</li> <li>build environment security</li> <li>secure deployment and maintenance</li> <li>communication with customers</li> </ul><p>Read the <a href="https://www.gov.uk/government/publications/software-security-code-of-practice">Software security code of practice</a>.</p> <h2>Software security code of practice: Implementation guidance</h2> <p>The Software security code of practice: Implementation guidance helps organizations that develop and/or sell software understand how they can meet the principles in the Software security code of practice.</p> <p>Read the <a href="https://www.ncsc.gov.uk/collection/software-security-code-of-practice-implementation-guidance">Software security code of practice: Implementation guidance</a>.</p> <h2>Software security code of practice: Assurance principles and claims</h2> <p>The Software security code of practice: Assurance principles and claims guidance helps vendors measure how well they are meeting the themes and principles of the Software security code of practice and suggests remedial actions should they fall short.</p> <p>Read the <a href="https://www.ncsc.gov.uk/guidance/software-security-code-of-practice-assurance-principles-claims">Software security code of practice: Assurance principles and claims</a>.</p> </div> </div> </div> </div> </div> </article>

  • Cyber Centre welcomes round 2 of NIST’s additional digital signature scheme standardization process
    by Canadian Centre for Cyber Security on April 29, 2025 at 7:40 pm

    <article data-history-node-id="6222" about="/en/news-events/cyber-centre-welcomes-round-2-nists-additional-digital-signature-scheme-standardization-process" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>In October 2024, the National Institute of Standards and Technology (NIST) in the United States launched round 2 in its ongoing process to standardize additional post-quantum digital signature schemes. Digital signature schemes are used to authenticate data and remote systems to protect against unauthorized access and are an essential part of cyber security solutions. Post-quantum cryptography (PQC), including post-quantum digital signatures, is designed to remain secure even against the emerging threat posed by quantum computers.</p> <p>The first round of <abbr title="National Institute of Standards and Technology">NIST</abbr>’s additional digital signature scheme standardization process began in 2022, with the publication of 40 candidates. For this second round, <abbr title="National Institute of Standards and Technology">NIST</abbr> has reduced the number of candidates to 14. 
This allows researchers worldwide, including those within the Cyber Centre, to dedicate more time to examining the remaining schemes.</p> <h2>How this initiative contributes to the post-quantum cryptography migration</h2> <p><abbr title="National Institute of Standards and Technology">NIST</abbr> has already published standards for 2 post-quantum digital signature schemes, the <strong>Module-Lattice-Based Digital Signature Algorithm</strong> (ML-DSA) and the <strong>Stateless Hash-Based Digital Signature Algorithm</strong> (SLH-DSA). Read our announcement of these <a href="/en/news-events/cyber-centre-celebrates-new-nist-post-quantum-standards">new <abbr title="National Institute of Standards and Technology">NIST</abbr> post-quantum standards</a> to learn more.</p> <p>We expect <abbr title="National Institute of Standards and Technology">NIST</abbr> to release a draft standard for a third digital signature scheme, the <strong>Fast-Fourier transform over NTRU-Lattice-Based Digital Signature Algorithm</strong> (FN-DSA), soon.</p> <p>With so many options already chosen for standardization, practitioners may wonder why <abbr title="National Institute of Standards and Technology">NIST</abbr> is considering the standardization of additional schemes. Both ML-DSA and FN-DSA are based on hard problems over structured lattices. The nearly 30-year history of lattice-based cryptography has given rise to a robust understanding of the security of lattice-based cryptographic schemes. Nonetheless, in order to diversify cryptographic primitives, <abbr title="National Institute of Standards and Technology">NIST</abbr> has indicated that it is primarily interested in additional schemes based on hard problems other than structured lattices.</p> <p>While ML-DSA is intended to replace non-post-quantum digital signing algorithms in nearly all applications, there may be niche cases requiring schemes with alternative performance characteristics. 
Although SLH-DSA or FN-DSA are expected to cover most of these situations, <abbr title="National Institute of Standards and Technology">NIST</abbr> is particularly interested in finding schemes with small signature sizes and fast verification to support the migration to <abbr title="Post-quantum cryptography">PQC</abbr> in all situations.</p> <h2>Signature schemes under consideration for standardization</h2> <p>Of the 14 remaining schemes:</p> <ul><li>5 are built using multi-party computation (MPC) in-the-head techniques</li> <li>4 are multivariate signatures</li> <li>2 are code-based</li> <li>1 is isogeny-based</li> <li>1 is symmetric-based</li> <li>1 is lattice-based</li> </ul><p>For a review of these categories, see the "Mathematical Families" section of the <a href="/en/news-events/cyber-centres-summary-review-final-candidates-nist-post-quantum-cryptography-standards">Cyber Centre’s summary review of final candidates for <abbr title="National Institute of Standards and Technology">NIST</abbr> Post‑Quantum Cryptography standards</a>. Most of the approaches for building signature schemes have been previously considered in <abbr title="National Institute of Standards and Technology">NIST</abbr>’s standardization process.</p> <p>A notable development in the signature on-ramp has been the proliferation of signature schemes using MPC-in-the-head techniques. 
These signature schemes borrow ideas from multiparty computation to “prove” knowledge of some secret value.</p> <h2>How to prepare for the post-quantum transition</h2> <p>To ensure Canadian organizations are ready to make the transition to <abbr title="Post-quantum cryptography">PQC</abbr> once standardized algorithms are available, practitioners should review the Cyber Centre’s advice in the following publications:</p> <ul><li><a href="/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a></li> <li><a href="/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">Guidance on becoming cryptographically agile (ITSAP.40.018)</a></li> <li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a></li> <li><a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</a></li> </ul><p>Our guidance on securely configuring network protocols will be updated once these protocols support standardized <abbr title="Post-quantum cryptography">PQC</abbr> algorithms.</p> <p>The Cyber Centre advises consumers to procure and use cryptographic modules that are tested and validated under the <a href="https://cyber.gc.ca/en/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program</a> (CMVP) with algorithm certificates from the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program">Cryptographic Algorithm Validation Program</a> (CAVP). 
The Cyber Centre partners with <abbr title="National Institute of Standards and Technology">NIST</abbr> to manage both programs and we work jointly to update them to support the testing of new digital signature schemes that get standardized.</p> <p>The Cyber Centre also recommends that cyber security products be evaluated and certified to meet the <a href="/en/tools-services/common-criteria">Common Criteria</a> standard with a Security Target and Certification Report that includes the desired protocol security requirements. Once protocol standards are updated, Common Criteria Testing Laboratories will need to support testing and evaluation methods for protocols utilizing the new <abbr title="Post-quantum cryptography">PQC</abbr> algorithms.</p> <p>The Cyber Centre is working within the Government of Canada and with critical infrastructure to ensure a smooth and timely transition to <abbr title="Post-quantum cryptography">PQC</abbr>. Contact the Cyber Centre by email at <a href="mailto:cryptography-cryptographie@cyber.gc.ca">cryptography-cryptographie@cyber.gc.ca</a> or by phone at <a href="tel:18332923788">1-888-CYBER-88</a> if you have further questions.</p> </div> </div> </div> </div> </div> </article>

  • People’s Republic of China activity targeting network edge routers: Observations and mitigation strategies
    by Canadian Centre for Cyber Security on April 16, 2025 at 7:18 pm

    <article data-history-node-id="6282" about="/en/news-events/peoples-republic-china-activity-targeting-network-edge-routers-observations-mitigation-strategies" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/csa25-001-en.pdf">People’s Republic of China activity targeting network edge routers: Observations and mitigation strategies (PDF, 411 KB)</a></p> </div> <h2 class="text-info mrgn-tp-2">Foreword</h2> <p>This cyber security advisory is intended for IT professionals and managers within government and all sectors.</p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on April 15, 2025.</p> <!-- <section> <h2 class="text-info">On this page</h2> <ul class="list-unstyled mrgn-tp-md"> <li><a href="#background">1 Background</a></li> <li><a href="#security">2 Security and edge devices</a></li> <li><a href="#avenues">3 Known avenues of exploitation and persistence</a></li> <li><a href="#remediations">4 Remediations</a></li> <li><a href="#References">5 References</a></li> </ul> </section> --> <section><h2 class="text-info">1 Background</h2> <p>A cyber security advisory is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional mitigation advice to recipients. 
The Canadian Centre for Cyber Security (Cyber Centre) is able to provide additional assistance regarding the content of this bulletin to recipients as requested.</p> <p>The Cyber Centre has observed increasing levels of People’s Republic of China threat actor activity, including activity associated with SALT TYPHOON, targeting network edge routers across critical infrastructure sectors. The Cyber Centre and our partners have recently observed repeated compromises of misconfigured and unpatched routing devices.</p> <p>The Cyber Centre is urging members of the Canadian cyber security community to bolster their awareness of threat actor activity targeting network edge routers and to leverage Cyber Centre guidance to protect their networks.</p> </section><section><h2 class="text-info">2 Security and edge devices</h2> <p>As we note in the National Cyber Threat Assessment 2025-2026<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup>, threat actors are exploiting vulnerabilities in security and network edge routing devices that sit at the perimeter of networks. The Cyber Centre is particularly highlighting that by compromising network edge routers, a threat actor can enter a network, monitor, modify, and exfiltrate network traffic flowing through the device, or possibly move deeper into the victim network.</p> <p>Given their outward-facing presence on the Internet, edge routers are easily identifiable by threat actors. Threat actors often compromise network perimeter defences by exploiting known vulnerabilities in edge devices. These security weaknesses are usually already identified, and patches are available to fix them. However, breaches occur because these patches are not consistently applied or implemented in a timely manner. 
We strongly recommend following our guidance in the Government of Canada’s Patch Management Guidance publication<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup>. In particular, all guidance, manuals and references provided with edge device equipment should be reviewed to ensure organizations’ adherence to the manufacturer’s security guidance. If that guidance is not clear or available, organizations should reach out to their vendors as needed for support.</p> <p>The Cyber Centre’s Security considerations for edge devices<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> also provides the following factors your organization should consider when evaluating the security of an edge device:</p> <ul><li>how it is made (the responsibility of the manufacturer)</li> <li>how it is configured (a shared responsibility between the manufacturer, through vendor hardening guides, and the organization)</li> <li>when the most recent software, firmware, operating system, and security updates and patches were applied</li> </ul></section><section><h2 class="text-info">3 Known avenues of exploitation and persistence</h2> <p>The following are examples of known patterns in threat actors’ exploitation of edge routers.</p> <h3>3.1 Exposed services to the Internet</h3> <p>Devices exposing services of any kind to the Internet will easily and rapidly be detected by adversarial actors through mass scanning campaigns and more targeted reconnaissance activity. 
Sensitive or administrative services such as management protocols are of particular interest to adversaries seeking to identify and exploit edge routers.</p> <h3>3.2 Poor configuration on device</h3> <p>The Cyber Centre has observed devices left with weak cryptography or default security settings that were never updated, which has led to the exploitation of those devices. It is important to review manufacturer guidance for hardening edge routers, and to continually review and audit for compliance. Default settings may also include insecure ports or protocols listening on untrusted interfaces. Even if a device is installed and configured properly at the beginning of its lifecycle, those configurations can become less secure over time due to external factors. If a router is compromised, inadequate network segmentation and the absence of access control lists can enable an adversary to move laterally within the network more easily.</p> <h3>3.3 Modifying configuration files</h3> <p>Trusted partners have observed that compromised edge routers often have their configurations altered to enable persistence mechanisms and techniques for lateral movement. This includes the establishment of traffic captures, the creation of new administrative accounts, and the configuration of traffic forwarding. Any configurable allow lists should also be reviewed to ensure that no unauthorized additions have been made. Typically, these modifications are executed using the devices’ inherent functions and capabilities.</p> <h3>3.4 Exfiltrating configuration files</h3> <p>Trusted partners have observed that compromised edge routing devices within Canada have had their configuration files exfiltrated out of their networks by threat actors. By exfiltrating configuration files, threat actors can extract additional sensitive information, perform tests, or identify further vulnerabilities to enable their access. 
Where configuration files contain credentials, especially credentials that are not cryptographically protected, threat actors can also use tactics such as offline password cracking to gain further access. Trusted partner reporting indicates that many of the exfiltrated configuration files contained deprecated hashing and password types, such as Type-4 and Type-7<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup>.</p> <h3>3.5 Unauthorized commands</h3> <p>Once an edge router has been compromised, threat actors run unauthorized commands to deepen their access or persistence on the host or network. Identifying successful unauthorized commands, whether merely suspicious or clearly malicious, can often be a strong starting point for threat hunts and forensic investigations. Some common threat actor tactics include:</p> <ul><li>clearing logs and other records</li> <li>adding new threat actor-controlled accounts to the device</li> <li>brute forcing and abnormal logins</li> <li>making unapproved changes to configuration files</li> </ul><p>The Cyber Centre has observed threat actors modifying the configurations of edge routers. It is important to conduct regular reviews of these configurations to detect any unauthorized changes. Look out for signs of tampering, such as unrecognized IP addresses and newly added accounts, as well as any unusual packet capture settings that may have been introduced.</p> <h3>3.6 Weak credentials</h3> <p>The Cyber Centre has observed many cases where devices were compromised due to the use of default or easily guessable passwords.</p> <ul><li>Do not use easily guessed passwords, passphrases, or PINs, such as "password", "let me in", or "1234", even if they include character substitutions like "p@ssword"</li> <li>Do not use common expressions, song titles or lyrics, movie titles, or quotes</li> <li>Do not use your personal details such as your birthday, hometown, or pet’s name</li> <li>Do not use the passwords assigned by the vendor when installing or enabling new hardware or software</li> <li>Do not use passwords found in known data breaches</li> <li>Do not reuse passwords across devices or deployments</li> </ul></section><section><h2 class="text-info" id="remediations">4 Remediations</h2> <p>The Cyber Centre has published guidance for organizations on enhancing the security posture of edge devices <span class="nowrap"><sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup><sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup><sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup><sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup><sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup><sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup></span>.</p> <p>In addition to reviewing and implementing the guidance above, the Cyber Centre recommends the following remediations:</p> <ul><li>disable unnecessary services, especially unsecured services such as Telnet, HTTP and SNMP v1/v2c</li> <li>disable any unauthenticated router management protocols or functions</li> <li>ensure that SNMP v3 is configured with encryption and authentication</li> <li>restrict device management to administrators inside secured management networks, avoiding direct internet access to management interfaces</li> <li>use phishing-resistant MFA for all 
administrative access, preferably using hardware-based PKI or FIDO authentication</li> <li>use secure modern encryption standards, such as AES-256, and ensure TLS v1.3 is used with strong cipher suites for secure communications</li> <li>use strong, non-default passwords</li> <li>apply secure authentication to protocols and services which support it</li> <li>upgrade deprecated hashing mechanisms and password types</li> <li>ensure that devices are running vendor-recommended firmware versions</li> <li>validate the integrity of software images using hash verification against authenticated vendor hashes</li> <li>implement secure, centralized logging with capabilities to analyze large datasets</li> <li>encrypt logging traffic to avoid tampering, store logs off-site, and integrate with SIEM tools for advanced correlation and rapid incident identification</li> <li>establish baselines for normal network behaviour and utilize security appliances to alert on deviations</li> <li>investigate any configuration modifications or alterations to network devices outside of the change management process</li> </ul></section><section><aside class="wb-fnote" role="note"><h2 class="text-info" id="references">5 References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p><a href="/en/news-events/joint-guidance-enhanced-visibility-hardening-communications-infrastructure">Joint guidance on enhanced visibility and hardening for communications infrastructure</a></p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 2</dt> <dd id="fn2"> <p><a href="/en/guidance/security-considerations-edge-devices-itsm80101">Security considerations for edge devices (ITSM.80.101)</a></p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 3</dt> <dd id="fn3"> <p><a 
href="https://www.canada.ca/en/government/system/digital-government/online-security-privacy/patch-management-guidance.html">Patch Management Guidance</a></p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 4</dt> <dd id="fn4"> <p><a href="/en/guidance/rethink-your-password-habits-protect-your-accounts-hackers-itsap30036">Rethink your password habits to protect your accounts from hackers (ITSAP.30.036)</a></p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 5</dt> <dd id="fn5"> <p><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 6</dt> <dd id="fn6"> <p><a href="/en/guidance/top-10-security-actions-no-5-segment-and-separate-information-itsm10092">Top 10 IT security actions: No.5 segment and separate information (ITSM.10.092)</a></p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote</span>6<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 7</dt> <dd id="fn7"> <p><a href="/en/guidance/routers-cyber-security-best-practices-itsap80019">Routers cyber security best practices (ITSAP.80.019)</a></p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote</span>7<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 8</dt> <dd id="fn8"> <p><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote</span>8<span class="wb-inv"> 
referrer</span></a></p> </dd> </dl><dl><dt>Footnote 9</dt> <dd id="fn9"> <p><a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2938313/nsa-publishes-best-practices-for-selecting-cisco-password-types/">NSA Publishes Best Practices for Selecting Cisco Password Types</a></p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote</span>9<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 10</dt> <dd id="fn10"> <p><a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a></p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote</span>10<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </article>

  • Security guidance for dark web leaks (ITSAP.00.115)
    by Canadian Centre for Cyber Security on April 16, 2025 at 1:30 pm

    <article data-history-node-id="6225" about="/en/guidance/security-guidance-dark-web-leaks-itsap00115" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--DESKTOP STARTS HERE--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.115</strong></p> </div> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Awareness series</strong></p> </div> <p>Data breaches can be stressful. Finding out that your organization’s credentials were leaked to the dark web can make the situation worse. This publication provides actions to take if you discover the presence of your organization’s credentials on the dark web. 
The following actions will help your organization reduce the risk of information being leaked to the dark web.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#how">How the dark web works</a></li> <li><a href="#reduce">Reduce the risks of dark web leaks</a></li> <li><a href="#implement">Implement cyber security measures</a></li> <li><a href="#what">What to do when your credentials have been exposed</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="how">How the dark web works</h2> <p>The dark web is a part of the Internet consisting of hidden sites that are not indexed, meaning the sites are not visible to conventional search engines. Instead, the dark web can only be accessed through specific browsers which provide increased privacy and anonymity while browsing the Internet.</p> <p>Using the dark web is legal and there are many benefits to it, including increased security measures and the ability to access ad-free search engines. Despite the increased privacy measures that the dark web offers, it can also provide anonymity to users looking to host or spread content with malicious intent.</p> <p>Cyber threat actors may use the dark web to anonymously buy and sell illegal market goods and services, including illegal content, firearms and personal data. Threat actors often target businesses to steal customer and employee data, as well as proprietary information. If your organization’s compromised data is found on the dark web following a data breach, it may result in substantial risks, including:</p> <ul><li>reputational damage</li> <li>financial losses</li> <li>legal consequences</li> </ul><h2 class="text-info" id="reduce">Reduce the risks of dark web leaks</h2> <p>Any access to the Internet can create vulnerabilities for your organization that may be exploited by threat actors. Promoting cyber security awareness in your organization is crucial for the safety of your network and systems. 
Among other benefits, it can significantly reduce the risk of stolen credentials.</p> <p>You should provide employees with adequate training on cyber safety and educate them on their role in protecting your organization’s network and information. Your employees should understand account security measures, such as:</p> <ul><li>the importance of maintaining safe password practices</li> <li>the benefits of multi-factor authentication (MFA)</li> <li>how to handle sensitive information</li> <li>safe Wi-Fi practices</li> </ul><h2 class="text-info" id="implement">Implement cyber security measures</h2> <p>Your organization can take the following actions to reduce the risk of stolen credentials:</p> <ul><li>Use firewalls, antivirus software, and intrusion detection and prevention systems to protect your network and systems</li> <li>Update and patch all software and systems regularly</li> <li>Encrypt sensitive data</li> <li>Implement strong access controls and the principle of least privilege</li> <li>Develop an incident response plan</li> </ul><p>For more information on these and other tips for how to increase your cyber security posture, consult our <a href="/en/guidance/cyber-security-hygiene-best-practices-your-organization-itsap10102">Cyber security hygiene best practices for your organization (ITSAP.10.102)</a>.</p> <h2 class="text-info" id="what">What to do when your credentials have been exposed</h2> <p>It could take your organization several months to find stolen information or credentials on the dark web. If you’re aware that your organization’s credentials have been leaked to the dark web, take the following actions to minimize the impact.</p> <h3>Contact your IT department</h3> <p>They will do a thorough scan for viruses, malware and other tools used by threat actors to evaluate the extent of the breach. They will also look for suspicious activity that may confirm whether the threat actors have maintained access to your network. 
For additional assistance, contact your relevant service providers.</p> <h3>Protect your assets</h3> <p>Ensure your antivirus software is up to date and perform thorough security scans on all devices. Isolate any compromised devices by:</p> <ul><li>disconnecting them from the Internet</li> <li>turning on airplane mode</li> <li>turning off networking and Bluetooth capabilities</li> <li>revoking access to any third-party applications or services connected to the compromised accounts</li> <li>reviewing and managing application permissions</li> </ul><h3>Change your passwords</h3> <p>Threat actors may use your passwords to gain unauthorized access to other accounts, especially those with administrative privileges. To prevent unauthorized access to your networks and information, all passwords should be changed, and old passwords should never be reused.</p> <p>A password manager can help you create and store complex and accessible passwords and passphrases. However, these tools present some risks to users’ information. We recommend researching different vendors to make an informed choice about which is right for you. You should also consult your IT department to create a recovery plan.</p> <h3>Turn on multi-factor authentication</h3> <p>Multi-factor authentication adds an extra layer of security to protect your accounts, networks and devices. To provide additional security measures for your accounts, MFA uses a combination of two or more methods of authentication, such as:</p> <ul><li>passwords</li> <li>email</li> <li>text codes</li> <li>fingerprints</li> </ul><h3>Promote internal awareness in your organization</h3> <p>Your organization should ensure that employees are informed of compromised credentials. Employees should change their own credentials to prevent unauthorized access to networks and information.</p> <h3>Review your financial accounts</h3> <p>Carefully review any financial accounts linked to or logged in from your devices. 
Notify a credit bureau of any unauthorized use and ask them to remove fraudulent items from your credit report. Freeze any compromised accounts to prevent threat actors from opening new accounts or taking out loans.</p> <h3>Report the incident</h3> <p><em>The Privacy Act</em> governs the Government of Canada. However, private sector organizations are governed by the <em>Personal Information Protection and Electronic Documents Act</em> and are required to do the following in the event of a data breach:</p> <ul><li>Report any data breach involving personal information that poses a risk of significant harm to individuals to the Privacy Commissioner of Canada</li> <li>Notify individuals affected by the breach</li> <li>Retain records related to the breach</li> </ul><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/common-employee-it-security-challenges-itsap00005">Common employee IT security challenges (ITSAP.00.005)</a></li> <li><a href="/en/guidance/have-you-been-victim-cybercrime">Have you been a victim of cybercrime? 
(ITSAP.00.037)</a></li> <li><a href="/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105">Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)</a></li> <li><a href="/en/guidance/foundational-cyber-security-actions-small-organizations-itsap10300">Foundational cyber security actions for small organizations (ITSAP.10.300)</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></li> <li><a href="/en/guidance/password-managers-security-itsap30025">Password managers: Security tips (ITSAP.30.025)</a></li> <li><a href="/en/guidance/application-allow-list-itsap10095">Application allow list (ITSAP.10.095)</a></li> <li><a href="/en/guidance/protecting-your-organization-while-using-wi-fi-itsap80009">Protecting your organization while using Wi-Fi (ITSAP.80.009)</a></li> <li><a href="/en/guidance/wi-fi-security-itsp80002">Wi-Fi security (ITSP.80.002)</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Search engine optimization poisoning (ITSAP.00.013)
    by Canadian Centre for Cyber Security on April 15, 2025 at 5:07 pm

    <article data-history-node-id="6227" about="/en/guidance/search-engine-optimization-poisoning-itsap00013" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--DESKTOP STARTS HERE--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.013</strong></p> </div> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Awareness series</strong></p> </div> <p>Search engines are the go-to tool for searching the Internet. Users often click on the first link in their results and trust the site is legitimate. Threat actors are aware of this user behaviour and try to exploit it.</p> <p>While the links at the top of your search results look legitimate, they can be spam or link to malicious sites. Threat actors can promote these malicious sites in your search engine using search engine optimization (SEO) poisoning. 
This publication will explain what <abbr title="search engine optimization">SEO</abbr> is and how you can protect yourself and your organization from potential compromises.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#search">Search engine optimization</a></li> <li><a href="#poisoning">Search engine optimization poisoning as an attack vector</a></li> <li><a href="#look">What to look out for</a></li> <li><a href="#yourself">How to protect yourself</a></li> <li><a href="#website">How to protect your website</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="search">Search engine optimization</h2> <p><abbr title="search engine optimization">SEO</abbr> is a series of techniques that marketers and website owners use to increase site traffic and the visibility of their product or service. <abbr title="search engine optimization">SEO</abbr> attempts to make a website seem more relevant to a search query so it will be ranked as a top result by search engines. <abbr title="search engine optimization">SEO</abbr> allows search engines to categorize your content to provide more tailored search results.</p> <p>The following <abbr title="search engine optimization">SEO</abbr> techniques can be used to influence search results in various ways.</p> <h3>Meta tags</h3> <p>Meta tags provide data on a webpage’s content and structure. These tags are helpful to both users and search engines. There are many different types of meta tags, such as those that indicate important page content and descriptive text for images.</p> <h3>Backlinks</h3> <p>Backlinks are links from other sites that direct users to your site. These can act as an endorsement of credibility. High-quality backlinks, from reputable sources, help rank your website higher in search engine results. 
However, beware of low-quality or toxic backlinks from disreputable sources, as they can:</p> <ul><li>harm your site’s reputation or ranking</li> <li>lower your ranking in search engine results</li> <li>associate your website with low-quality or unsolicited commercial (spam) content</li> </ul><h3>Keywords and keyphrases</h3> <p>These are popular search terms used in search engines. Associating commonly used and relevant keywords with your website will help users find your content.</p> <h3>Descriptive URLs</h3> <p>Search engines use your URLs to crawl and index sites. By ensuring your URLs are short, descriptive and on-topic, you will help search engines better understand your content.</p> <h3>Semantic HTML</h3> <p>Semantic HTML uses markup tags that add meaning to your website’s content. It also helps a search engine interpret your site’s content. Your HTML is the structure of your website. By giving sections meaning, you allow the website to be categorized by search engines.</p> <h3>Breadcrumbs</h3> <p>Breadcrumbs present a text path that shows the user where they are on the site. These breadcrumbs allow search engines to easily understand how your site is organized.</p> <h2 class="text-info" id="poisoning">Search engine optimization poisoning as an attack vector</h2> <p>An attack vector refers to a method that a threat actor uses to gain access to a system, network or application. <abbr title="search engine optimization">SEO</abbr> poisoning is an effective attack vector for threat actors. They can manipulate search results to target anyone using a search engine. <abbr title="search engine optimization">SEO</abbr> poisoning is effective due to the widespread trust users have in search engines. 
Users assume that search engines display the most relevant, vetted and legitimate links first.</p> <p>Threat actors take advantage of these user assumptions and alter the weight or bias of search results seen by users. Threat actors can use <abbr title="search engine optimization">SEO</abbr> poisoning to manipulate search results and rank their malicious sites higher than legitimate sites. For example, they may use popular and trending search terms to raise their ranking, misleading users into clicking on harmful links.</p> <p>Threat actors can also exploit vulnerabilities in already established websites to hijack and spread their malicious content. This can occur through malicious downloads or by linking to other spam websites. This technique can also have the following negative impacts on legitimate websites that are being spoofed:</p> <ul><li>Lower search engine ranking</li> <li>Reduced site traffic</li> <li>Damage to brand integrity and reputation</li> </ul><p>Any links or files that you click on or download from malicious sites can jeopardize your computer. 
Accessing a webpage without the appropriate firewalls and plug-ins could put your system at risk, even if you just click on a link.</p> <p>These malicious sites and their code can:</p> <ul><li>distribute malware or ransomware</li> <li>steal personal information with the intent to sell it or use it maliciously</li> <li>urge you to call a false helpline number to allow access to your device or to transfer funds</li> </ul><p>They can pose as any type of website, whether it be a news site, streaming site, retail store or technical help desk.</p> <p>Along with the above-mentioned <abbr title="search engine optimization">SEO</abbr> techniques, threat actors can also use the following actions to assist in <abbr title="search engine optimization">SEO</abbr> poisoning.</p> <h3>Script spoofing</h3> <p>Threat actors use script spoofing to trick users by impersonating legitimate websites or email addresses. They use similar URLs that contain incorrect characters or domain names.</p> <h3>Keyword stuffing</h3> <p>Keyword stuffing occurs when threat actors fill webpages with keywords to increase their ranking. The keywords are repeated often and make the content of the site illogical. You may see many keywords combined with irrelevant words that will not make much sense when read. These are meant to be read by machines that recognize the keywords.</p> <h3>Typo squatting</h3> <p>Threat actors register domains that are similar to popular websites but with intentional typos or misspellings. They may design the website to look like the intended site the user wanted to visit. This may further trick the user into spending more time on the malicious site and clicking on links.</p> <h3>Link farms</h3> <p>Link farms are groups of websites that all link to one another. The more links or backlinks you have from other sites, the higher your search engine rating may be. 
Spam link farms manipulate search algorithms by artificially inflating a site’s backlinks through automated link farms to raise its rating.</p> <h2 class="text-info" id="look">What to look out for</h2> <p>When searching the web or inputting a query into a search engine, always be aware that any link may contain malicious content. Use the following clues to avoid being compromised:</p> <ul><li>Check URLs for misspelled words</li> <li>Confirm the link’s content is related to the search query</li> <li>Be aware of unprofessional designs or cluttered webpages (if already on the website)</li> <li>Look out for fonts that seem out of place</li> <li>Use caution if links look too good to be true or are unrelated to the webpage</li> <li>Check to see if link extensions match the description</li> <li>Look for the padlock HTTPS symbol in the address bar, but always proceed with caution as some malicious sites may still show this symbol</li> </ul><h2 class="text-info" id="yourself">How to protect yourself</h2> <p>Use the following tips and techniques to proactively protect your computer from malicious websites.</p> <ul><li>Ensure the default script editor is set to block all scripts by default <ul><li>Doing so helps prevent automatic execution of potentially malicious scripts</li> <li>This can help keep your personal data private and your system safe from malware</li> </ul></li> <li>Install firewalls on your device which can warn you about and block malicious sites</li> <li>Keep browsers and anti-virus software up to date</li> <li>Avoid clicking on suspicious links</li> <li>Avoid providing personal information unless you’re certain the site is legitimate and secure</li> <li>Always double-check the URL before clicking</li> <li>Instead of searching and clicking on a link, type the known address into the address bar and confirm you have not made any typos before hitting enter</li> <li>Allow file extensions to be shown and verify that the type of file being downloaded matches its advertised 
intent</li> </ul><h2 class="text-info" id="website">How to protect your website</h2> <p>If you are a website owner or administrator, consider the following actions to secure your online presence. Many of these can be done by an IT professional.</p> <ul><li>Employ secure coding practices <ul><li>Practices such as input validation and proper error handling can help prevent various attacks</li> <li>For an in-depth look, see <a href="https://csrc.nist.gov/pubs/ir/8397/final">Guidelines on minimum standards for developer verification of software (NISTIR 8397)</a></li> </ul></li> <li>Update information on your site regularly</li> <li>Apply web application firewalls</li> <li>Use reputable content management systems</li> <li>Perform regular security audits and review files, settings and website code</li> <li>Employ strong authentication methods for website administrators, such as multi-factor authentication</li> <li>Be aware of unexpected spikes and drops in website traffic, which may indicate that your site has been hacked</li> </ul><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> <li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="/en/guidance/security-considerations-when-developing-and-managing-your-website-itsap60005">Security consideration when developing and managing your website (ITSAP.60.005)</a></li> <li><a href="/en/guidance/how-shop-online-safely-itsap00071">How to shop online safely (ITSAP.00.071)</a></li> <li><a href="/en/guidance/website-defacement-itsap00060">Website defacement (ITSAP.00.060)</a></li> <li><a 
href="/en/guidance/domain-name-system-dns-tampering-itsap40021">Domain name system (DNS) tampering (ITSAP.40.021)</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/blogs/script-spoofing-protect-yourself">Script spoofing: What it is and how you can protect yourself</a></li> </ul></div> </div> </div> </div> </div> </article>
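A defensive check for the typo squatting and script spoofing techniques described in the SEO poisoning guidance above, added here as an example and not part of the Cyber Centre publication: it reduces a clicked URL to its registrable domain, decodes punycode hosts, maps look-alike characters to their Latin equivalents, and measures edit distance against an allow-list of trusted domains. The trusted-domain list and the confusable table are constructed assumptions; a production check would use a full Unicode confusables table and a public-suffix list.

```python
"""Lookalike-domain check for the typo squatting and script spoofing
cases above. Added example; TRUSTED_DOMAINS and CONFUSABLES are
constructed assumptions, not taken from the Cyber Centre guidance."""
from urllib.parse import urlsplit

# Constructed allow-list: domains this organization treats as legitimate.
TRUSTED_DOMAINS = {"example.com", "bank-example.ca", "canada.ca"}

# Characters that render like Latin letters but are not (script spoofing),
# plus digit/letter look-alikes. Illustrative subset, not a full table.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u03bf": "o",  # Greek small omicron
    "0": "o", "1": "l", "3": "e", "5": "s",
}


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host, lower-cased.

    Punycode (xn--) hosts are decoded back to Unicode so that confusable
    characters are visible to normalize(). Keeping only the last two
    labels is a simplification (it ignores multi-part suffixes such as
    .co.uk) but still exposes tricks like 'example.com.evil.net'.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""   # .hostname already lower-cases
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable host is compared as-is
    return ".".join(host.split(".")[-2:])


def normalize(domain: str) -> str:
    """Map confusables to Latin look-alikes, then collapse the letter pairs
    'rn' and 'vv', which read as 'm' and 'w' in many fonts."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in domain)
    return mapped.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character typos separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(url: str, trusted=frozenset(TRUSTED_DOMAINS), max_distance=2):
    """Return (verdict, closest trusted domain or None).

    'trusted'   - registrable domain is exactly on the allow-list
    'lookalike' - not on the list, but within max_distance edits of one
                  after confusable normalization (likely typo squat/spoof)
    'unknown'   - nothing on the list is close; apply normal caution
    """
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted", domain
    norm = normalize(domain)
    best, best_dist = None, None
    for candidate in sorted(trusted):
        dist = levenshtein(norm, normalize(candidate))
        if best_dist is None or dist < best_dist:
            best, best_dist = candidate, dist
    if best is not None and best_dist <= max_distance:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    for sample in ("https://www.example.com/login", "http://examp1e.com",
                   "https://exarnple.com", "https://example.com.evil.net/"):
        print(sample, "->", classify(sample))
```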

  • Cyber Security Readiness
    by Canadian Centre for Cyber Security on April 11, 2025 at 12:39 pm

    <article data-history-node-id="5758" about="/en/cyber-security-readiness" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>Canadian organizations are confronted with an evolving threat landscape as malicious cyber activities increase in scale and sophistication. Critical Infrastructure (CI) operators and owners are especially at risk. Cyber attacks on <abbr title="critical infrastructure">CI</abbr> can have devastating consequences on Canada’s economy, safety and national security.</p> <p>This page provides resources from the Cyber Centre to help Canadian organizations and critical infrastructure increase their cyber security readiness. This includes information on current cyber threats, steps to protect against them and ways to respond to and recover from incidents.</p> <h2>Cyber Security Readiness Goals</h2> <p>The Cross-Sector Cyber Security Readiness Goals (CRGs) provide Canadian organizations with 36 foundational, realistic and achievable goals to strengthen their cyber security. 
Each goal is linked to concrete recommended actions that, if taken, will elevate the cyber security posture of Canadian organizations and <abbr title="critical infrastructure">CI</abbr>.</p> <p class="mrgn-tp-md"><a class="btn btn-success btn-lg" href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Consult the Cross-Sector Cyber Security Readiness Goals Toolkit</a></p> <p>To accompany these goals, the Cyber Centre has published <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="f552f117-1c52-46d4-a56a-0d2181223d8f" href="/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals: Securing Our Most Critical Systems</a>, which provides an overview of the cyber threat landscape and explains how the <abbr title="Cross-Sector Cyber Security Readiness Goals">CRGs</abbr> came to be. This publication also highlights the <abbr title="Cross-Sector Cyber Security Readiness Goals">CRGs</abbr>’ alignment with international frameworks and other Government of Canada publications and tools.</p> <p>The <abbr title="Cross-Sector Cyber Security Readiness Goals">CRGs</abbr> are a tool for self-assessment that any organization can use to track their progress and improve their cyber security posture. 
They will be updated regularly to support organizations in effectively mitigating emerging cyber threats.</p> <h2>Additional resources</h2> <ul><li><a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a></li> <li><a href="/en/guidance/cyber-threat-bulletin-cyber-centre-reminds-canadian-critical-infrastructure-operators">Cyber threat bulletin: Cyber Centre reminds Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity</a></li> <li><a href="/en/guidance/cyber-threat-bulletin-cyber-centre-urges-canadian-critical-infrastructure-operators-raise">Cyber threat bulletin: Cyber Centre urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity</a></li> <li><a href="/en/guidance/national-cyber-threat-assessments">National Cyber Threat Assessments</a></li> <li><a href="/en/guidance/state-sponsored-espionage-and-threats-critical-infrastructure">State-sponsored espionage and threats to critical infrastructure</a></li> <li><a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33">IT security risk management: A lifecycle approach (ITSG-33)</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Joint guidance on BADBAZAAR and MOONSHINE
    by Canadian Centre for Cyber Security on April 9, 2025 at 1:09 pm

    <article data-history-node-id="6252" about="/en/news-events/joint-guidance-badbazaar-moonshine" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom’s National Cyber Security Centre (NCSC-UK) and the following international partners in releasing 2 cyber security guidance publications on BADBAZAAR and MOONSHINE:</p> <ul><li>Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC)</li> <li>Germany’s Federal Intelligence Service (BND)</li> <li>Germany’s Federal Office for the Protection of the Constitution (BfV)</li> <li>New Zealand’s National Cyber Security Centre (NCSC-NZ)</li> <li>United States’ Federal Bureau of Investigation (FBI)</li> <li>United States’ National Security Agency (NSA)</li> </ul><p>The joint guidance provides new information and mitigation measures for those at high risk from 2 spyware variants: BADBAZAAR and MOONSHINE.</p> <h2>BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors</h2> <p>This publication raises awareness of the threat that malicious cyber actors pose to individuals connected to topics the People’s Republic of China (PRC) considers to be a threat to its domestic authority, ambitions and global reputation, including:</p> <ul><li>Taiwan</li> <li>Tibet</li> <li>Xinjiang Uyghur autonomous region</li> <li>democracy movements</li> <li>Falun Gong</li> </ul><p>The 
publication includes 2 case studies that detail the techniques employed by malicious cyber actors using BADBAZAAR and MOONSHINE to target data on mobile devices. The publication’s guidance also includes mitigation measures that individuals can use to help protect:</p> <ul><li>themselves</li> <li>their devices</li> <li>their data</li> </ul><p>Read the full joint guidance <a href="https://www.ncsc.gov.uk/files/NCSC-Advisory-BADBAZAAR-and-MOONSHINE-guidance.pdf">BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors (PDF)</a>.</p> <h2>BADBAZAAR and MOONSHINE: Technical analysis and mitigations</h2> <p>This joint guidance provides new and collated threat intelligence on the spyware variants BADBAZAAR and MOONSHINE. It includes advice for app store operators, developers and social media companies to help keep their users safe.</p> <p>Read the full joint guidance <a href="https://www.ncsc.gov.uk/files/NCSC-Advisory-BADBAZAAR-and-MOONSHINE-technical-analysis-and-mitigations.pdf">BADBAZAAR and MOONSHINE: Technical analysis and mitigations (PDF)</a>.</p> </div> </div> </div> </div> </div> </article>

  • Private 5G networks (ITSAP.80.117)
    by Canadian Centre for Cyber Security on April 7, 2025 at 7:33 pm

    <article data-history-node-id="6223" about="/en/guidance/private-5g-networks-itsap80117" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--DESKTOP STARTS HERE--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.80.117</strong></p> </div> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Awareness series</strong></p> </div> <!--pdf download--> <p>Private 5G (P5G) networks are dedicated, purpose-built networks designed for private use. They are a key driver of industrial development that integrates digital technologies, also known as Industry 4.0. 
They provide secure, high-performance wireless connectivity and support technologies, such as:</p> <ul><li>industrial robots</li> <li>automated guided vehicles (AGVs)</li> <li>smart grids</li> <li>autonomous (driverless) haulage systems (AHS)</li> <li>Internet of medical things (IoMT)</li> </ul><p>They are used in a range of industries and sectors, including:</p> <ul><li>logistics and warehousing</li> <li>transportation</li> <li>energy and utilities</li> <li>mining and oil</li> <li>healthcare</li> </ul><h2 class="text-info">On this page</h2> <ul><li><a href="#benefits">Benefits of using private 5G networks</a></li> <li><a href="#deployment">Deployment models</a></li> <li><a href="#risks">Risks and challenges of private 5G networks</a></li> <li><a href="#security">Security best practices for 5G networks</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="benefits">Benefits of using private 5G networks</h2> <p>There are several potential technical and business reasons your organization may consider deploying P5G networks rather than 4G/LTE, Wi-Fi, or other technologies, such as:</p> <ul><li>faster deployment times</li> <li>lower initial and operational costs</li> <li>stronger security mechanisms and improved control</li> <li>more flexibility</li> <li>better coverage and performance (lower network latency, higher transmission rates and more bandwidth)</li> </ul><h2 class="text-info" id="deployment">Deployment models</h2> <p>P5G networks can be deployed in complete isolation, integrated with public networks, or deployed as a virtual network slice depending on an organization’s requirements. Generally, there are four main deployment models.</p> <h3>Standalone</h3> <p>Standalone P5G networks are fully isolated and controlled by the organization, including the radio access network (RAN) and core functions. 
The organization deploys, owns and operates the network, while overseeing subscriber management, provisioning and authentication mechanisms. This deployment model can provide complete isolation from public networks, making it the most secure option. As such, we recommend this model for high-security applications and critical infrastructure. A standalone P5G network is also suitable for large organizations with resources and expertise that want complete control.</p> <h3>Shared RAN</h3> <p>Shared RAN P5G networks combine elements of private and public 5G networks. Organizations that adopt this model use the existing RAN infrastructure of a mobile network operator (MNO) while keeping control of core functions and user plane traffic. This model is ideal for large-scale deployments, such as utility meter connectivity, emergency services and mobile devices requiring seamless roaming. This model is suitable for organizations looking to balance control and cost.</p> <h3>Shared RAN and control plane</h3> <p>In this model, organizations use the MNOs’ RAN infrastructure, control plane and core functions while retaining the user plane. This simplified model reduces network operations and management efforts, allowing organizations to focus on the functional and operational aspects of their business. The RAN and control sharing model is suitable for organizations looking to balance control and cost.</p> <h3>Network slicing</h3> <p>Network slicing allows organizations to create isolated virtual networks within a public 5G infrastructure. This means organizations can have their own dedicated "slice" of the 5G network. This model is suitable for organizations focused on developing multiple types of applications or on providing services with distinct performance requirements. For example, it could support low latency for robotics and high bandwidth for video streaming. 
Network slicing is a low-cost option with the quickest time to market.</p> <h2 class="text-info" id="risks">Risks and challenges of private 5G networks</h2> <p>P5G networks enhance security by reducing exposure to external cyber threats through additional layers of isolation. They also allow organizations to implement stronger and tailored security controls. However, even isolated networks remain vulnerable to determined actors looking to exploit misconfigurations or vulnerabilities in the P5G infrastructure.</p> <p>P5G can introduce new and complex technologies to organizations that may not have experience operating 5G networks or defending against mobile network threats. Organizations considering P5G must be aware that the following risks and challenges could invalidate some of its security benefits:</p> <ul><li>lack of technical personnel with adequate P5G knowledge during the planning, deployment and operational phases</li> <li>added complexity due to IT requirements to support the P5G deployment, such as cloud and virtualization infrastructure</li> <li>inadequate supply chain assurance activities performed before and after acquiring equipment, such as: <ul><li>failure to assess a supplier’s cyber maturity, including adherence to secure-by-design principles</li> <li>insufficient testing of P5G equipment using an industry-accepted security framework</li> </ul></li> <li>inadequate security controls at interconnection points between the private and public 5G domains</li> <li>insufficient isolation of P5G users, equipment, and end devices by type, vendor and security requirements</li> <li>inadequate separation and security controls between P5G and other IT domains within the organization (enterprise, management, Internet)</li> </ul><h2 class="text-info" id="security">Security best practices for private 5G networks</h2> <p>When deploying P5G, your organization should take steps to protect against some of the associated risks. 
To strengthen your organization’s security and align with the zero-trust model, we recommend the following cyber security best practices:</p> <ul><li><strong>Enforce strong access controls:</strong> <ul><li>Implement security policies that mandate strict role-based access control</li> <li>Use diverse identity management solutions</li> <li>Do not allow credentials to be reused between general IT and P5G networks</li> </ul></li> <li><strong>Segment the network:</strong> <ul><li>Divide your network into isolated segments</li> <li>Implement adequate network access controls between security zones</li> <li>Isolate users, equipment and end devices by type, vendor and security requirements</li> </ul></li> <li><strong>Perform regular security audits:</strong> <ul><li>Conduct periodic assessments of your network and equipment to identify and address vulnerabilities</li> </ul></li> <li><strong>Train employees:</strong> <ul><li>Provide continuous training to technical and front-end personnel on security best practices and the risks of social engineering attacks</li> </ul></li> <li><strong>Define an incident response plan:</strong> <ul><li>Develop a comprehensive incident response plan (IRP) to effectively address security incidents</li> <li>Include backup capabilities and procedures to operate safely on degraded capabilities until normal operations resume</li> <li>Retain the ability to take over operations and disable traffic to vendors, managed service providers and remote operators</li> </ul></li> <li><strong>Manage supply chain threats:</strong> <ul><li>Assess suppliers’ cyber maturity and product development processes</li> <li>Implement supply chain best practices for network equipment and end devices</li> <li>Avoid using end-of-life products</li> <li>Use products that have an active support contract with the manufacturer</li> </ul></li> <li><strong>Perform cyber defense activities:</strong> <ul><li>Implement robust monitoring to detect anomalies, identify potential 
threats and block unwanted traffic</li> </ul></li> <li><strong>Adopt cyber security best practices for 5G networks:</strong> <ul><li>Adhere to industry standards and participate in security initiatives to enhance your organization’s cyber maturity</li> </ul></li> <li><strong>Implement adequate physical security controls:</strong> <ul><li>Adhere to industry best practices for physical security of telecommunications and network equipment</li> </ul></li> </ul><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/top-10-it-security-actions">Top 10 IT security actions</a></li> <li><a href="/en/guidance/cyber-security-considerations-5g-networks-itsap80116">Cyber security considerations for 5G networks (ITSAP.80.116)</a></li> <li><a href="/en/guidance/supply-chain-security-small-and-medium-sized-organizations-itsap00070">Supply chain security for small and medium-sized organizations (ITSAP.00.070)</a></li> <li><a href="/en/guidance/contracting-clauses-telecommunications-equipment-and-services-tscg-01l">Contracting clauses for telecommunications equipment and services (TSCG-01L)</a></li> <li><a href="/en/guidance/cyber-centre-data-centre-virtualization-report-best-practices-data">Best practices for data centre virtualization (ITSP.70.010)</a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a></li> <li><a href="/en/guidance/social-engineering-itsap00166">Social engineering (ITSAP.00.166)</a></li> <li><a href="/en/guidance/zero-trust-security-model-itsap10008">Zero Trust security model (ITSAP.10.008)</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Cyber security advice for political candidates
    by Canadian Centre for Cyber Security on April 7, 2025 at 1:19 pm

    <article data-history-node-id="745" about="/en/guidance/cyber-security-advice-political-candidates" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><section><div class="row"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-lg"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/cyber_security_advice_for_political_candidates.pdf">Cyber security advice for political candidates (PDF, 708 KB)</a></p> </div> <ul><li>Secure your accounts</li> <li>Secure your devices</li> <li>Secure your data and information</li> <li>Secure your online connections</li> <li>Secure staff and volunteers</li> <li>Secure your social media presence</li> </ul><section><h2 class="text-info">Why cyber security matters</h2> <p>Foreign cyber threat activity continues to target Canada’s democratic process.</p> <p>Threat actors target Canadian elections to influence decisions on key global issues or to exploit data and disrupt the democratic process.</p> <p>Foreign threat actors can launch cyber attacks to disrupt election infrastructure, influence voters and spread disinformation. 
They can target political candidates by:</p> <ul><li>hijacking accounts and online identities to spread false information</li> <li>disrupting campaign websites and infrastructure using distributed denial of service (DDoS) attacks</li> <li>hacking systems to leak sensitive (personal or campaign) data and embarrass, discredit or undermine a political candidate</li> <li>using ransomware attacks to disrupt campaign infrastructure and demand ransom payments</li> <li>creating content with artificial intelligence (AI), specifically generative <abbr title="artificial intelligence">AI</abbr>, to spread disinformation</li> </ul><p>The following guidance includes cyber security measures to best secure your data, devices and online presence, and what preventative measures you should take to protect your assets and information.</p> <h2 class="text-info">How to secure your campaign</h2> <p>Consider the following security measures to protect your campaign from cyber threats:</p> <section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/inline-images/icon-01.png" /><h3>Secure accounts</h3> <ul><li>use strong and unique passphrases or passwords</li> <li>avoid reusing passwords across accounts</li> <li>use multi-factor authentication (MFA) to add another line of defence against someone hijacking your account</li> <li>do not share access to accounts and systems unless necessary</li> <li>limit the use of “remember me” features on websites and mobile applications</li> <li>use a password manager to help create and secure credentials</li> <li>deactivate and remove accounts and profiles that are no longer in use</li> <li>regularly review your account security and recovery settings</li> </ul></div> </section><section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/inline-images/icon-02.png" /><h3>Secure devices</h3> <ul><li>install 
anti-virus, anti-malware and anti-phishing software on devices</li> <li>secure access to your mobile device with a passcode or other forms of strong authentication</li> <li>update your devices’ software, firmware and operating systems regularly</li> <li>enforce clear guidelines on handling campaign accounts and data on personal devices</li> <li>limit access to sensitive data on personal devices</li> <li>restart your devices regularly</li> </ul></div> </section><section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/inline-images/icon-03.png" /><h3>Secure data and information</h3> <ul><li>encrypt sensitive data by using device and verified application encryption</li> <li>transport information securely using an encrypted USB or a secure storage container</li> <li>back up information regularly</li> <li>keep backups stored and encrypted offline to better protect against ransomware</li> <li>limit access to accounts and information by practicing the principle of least privilege (for example, only authorized individuals can handle sensitive information)</li> <li>verify and validate messages and information before engaging and responding</li> </ul></div> </section><section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/inline-images/icon-11.png" /><h3>Secure online connections</h3> <ul><li>avoid connecting to public Wi-Fi where possible</li> <li>use cellular data or a secure Wi-Fi network to handle sensitive information</li> <li>change the default name and password of your router and Wi-Fi connection</li> <li>install Canadian Internet Registration Authority’s (CIRA) Canadian Shield protective domain name service (DNS) on your router and personal devices</li> <li>confirm firewalls are enabled by checking the status in your device or system settings or with your service provider</li> <li>use only trusted mobile app stores and 
avoid unverified third-party apps</li> </ul></div> </section><section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/icons/cccs-icon-colour-0563.png" /><h3>Secure staff and volunteers</h3> <ul><li>keep staff members informed about current potential cyber threats and vulnerabilities</li> <li>conduct awareness training to assist volunteers and new and existing staff to understand their roles and responsibilities</li> <li>consider background checks for campaign staff and volunteers</li> </ul></div> </section><section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/inline-images/icon-05_0.png" /><h3>Secure your social media presence</h3> <ul><li>strengthen account settings to protect your personal information</li> <li>use fact-checking tools to validate sources before interacting with their content and platform</li> <li>review and sanitize content, images and videos to remove sensitive data before posting publicly</li> <li>restrict third-party app access to your social media profile</li> <li>educate your team on tips for spotting <abbr title="artificial intelligence">AI</abbr>, deepfakes and disinformation</li> <li>avoid opening files and links contained in unsolicited text messages or emails</li> <li>report any suspicious activity to your <abbr title="information technology">IT</abbr> security and security incident response team, if applicable</li> </ul></div> </section></section><div class="mrgn-bttm-md well"> <h2 class="mrgn-tp-sm h3">Related links:</h2> <ul><li><a href="/en/guidance/cyber-threats-elections">Cyber threats to elections</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with 
multi-factor authentication</a></li> <li><a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device</a></li> <li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks</a></li> <li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information</a></li> </ul></div> </div> </section></div> </div> </div> </div> </div> </article>

  • Joint guidance on fast flux
    by Canadian Centre for Cyber Security on April 3, 2025 at 7:56 pm

    Fast flux is a technique used by threat actors to obfuscate the locations of malicious servers. Threat actors do this by rapidly changing domain name system (DNS) records associated with a domain name. The use of fast flux poses a significant threat to national security. The fast flux technique allows threat actors to create resilient and highly available command and control infrastructure and conceal their malicious activities.

  • Protecting controlled information in non-Government of Canada systems and organizations (ITSP.10.171)
    by Canadian Centre for Cyber Security on April 2, 2025 at 8:35 pm

    <article data-history-node-id="6144" about="/en/guidance/protecting-controlled-information-non-government-canada-systems-and-organizations-itsp10171" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.10.171</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Practitioner series</strong></p> </div> <!--pdf download--> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsp.10.171-e_1.pdf">Protecting controlled information in non-Government of Canada systems and organizations – ITSP.10.171 (PDF, 2.5 MB)</a></p> </div> <h2 class="text-info">Foreword</h2> <p>This is an unclassified publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, email or phone our Contact Centre at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>, <a href="tel:+16139497048">(613) 949-7048</a> or <span class="nowrap"><a href="tel:+18332923788">1-833-CYBER-88</a></span>.</p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on April 2, 2025.</p> <h2 class="text-info">Revision history</h2> <ol><li><strong>First release:</strong> April 2, 2025</li> </ol><section><h2 class="text-info">Table of contents</h2> <ul class="list-unstyled lst-spcd"><li><a href="#1">1 Introduction</a> <ul class="lst-none"><li><a href="#1-1">1.1 Purpose</a></li> <li><a href="#1-2">1.2 Audience</a></li> <li><a href="#1-3">1.3 Publication organization</a></li> </ul></li> <li><a href="#2">2 Fundamentals</a> <ul class="lst-none"><li><a href="#2-1">2.1 Security requirements assumptions</a></li> <li><a href="#2-2">2.2 Security requirement development methodology</a></li> </ul></li> <li><a href="#3">3 Requirements</a> <ul class="lst-none"><li><a href="#3-1">3.1 Access control</a></li> <li><a href="#3-2">3.2 Awareness and training</a></li> <li><a href="#3-3">3.3 Audit and accountability</a></li> <li><a href="#3-4">3.4 Configuration management</a></li> <li><a href="#3-5">3.5 Identification and authentication</a></li> <li><a href="#3-6">3.6 Incident response</a></li> <li><a href="#3-7">3.7 Maintenance</a></li> <li><a href="#3-8">3.8 Media protection</a></li> <li><a href="#3-9">3.9 Personnel security</a></li> <li><a href="#3-10">3.10 Physical protection</a></li> <li><a href="#3-11">3.11 Risk assessment</a></li> <li><a href="#3-12">3.12 Security assessment and monitoring</a></li> <li><a href="#3-13">3.13 System and communications protection</a></li> <li><a href="#3-14">3.14 System and information integrity</a></li> <li><a href="#3-15">3.15 Planning</a></li> <li><a href="#3-16">3.16 System and services acquisition</a></li> <li><a href="#3-17">3.17 Supply chain risk 
management</a></li> </ul></li> <li><a href="#AA">Annex A Tailoring criteria</a></li> <li><a href="#AB">Annex B Organization-defined parameters</a></li> </ul></section><section><h2 class="text-info">Overview</h2> <p>Protecting Controlled Information (CI) is of paramount importance to Government of Canada (GC) departments and agencies and can directly impact the <abbr title="Government of Canada">GC</abbr>’s ability to successfully conduct its essential missions and functions. This publication provides <abbr title="Government of Canada">GC</abbr> departments and agencies with recommended security requirements for protecting the confidentiality of <abbr title="controlled information">CI</abbr> when the information resides in non-<abbr title="Government of Canada">GC</abbr> systems and organizations. These requirements apply to the components of non-<abbr title="Government of Canada">GC</abbr> systems that handle, process, store or transmit <abbr title="controlled information">CI</abbr>, or that provide protection for such components. The security requirements are intended for use by <abbr title="Government of Canada">GC</abbr> departments and agencies in contractual vehicles or other agreements established between those departments and agencies and non-<abbr title="Government of Canada">GC</abbr> organizations.</p> <p>This publication is a Canadian version of the National Institute of Standards and Technology <a href="https://csrc.nist.gov/pubs/sp/800/171/r3/final">NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations</a>. The Cyber Centre will produce a companion publication to use in conjunction with this publication, based on <a href="https://csrc.nist.gov/pubs/sp/800/171/a/r3/final">NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information</a>. That publication will provide a comprehensive set of procedures to assess the security requirements. 
In the interim, NIST SP 800-171A can be used as a reference.</p> <p><strong>Disclaimer:</strong> This publication is iterative, and the Canadian Program for Cyber Security Certification (CPCSC) will continue to work with industry partners regarding the application and effectiveness of this new standard.</p> <h2 class="text-info">Acknowledgments</h2> <p>The Cyber Centre wishes to acknowledge and thank Dr. Ron Ross and Victoria Pillitteri from the Computer Security Division at <abbr title="National Institute of Standards and Technology">NIST</abbr> for allowing the Cyber Security Guidance (CSG) team to use their guidance and modify it to the Canadian context.</p> </section><section><h2 class="text-info" id="1">1 Introduction</h2> <p>This publication is a Canadian version of <a href="https://csrc.nist.gov/pubs/sp/800/171/r3/final">NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations</a>. There are no substantial technical changes between this publication and NIST SP 800-171. The primary modifications arise from differences in laws, policies, directives, standards and guidelines. In other words, the changes reflect the distinct Canadian regulatory and compliance landscape; there are no changes to the underlying technical context.</p> <p>The controls are aligned with Security and privacy controls and assurance activities catalogue (ITSP.10.033), which is a version of <a href="https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final">NIST SP 800-53 Rev. 
5 Security and Privacy Controls for Information Systems and Organizations</a> adapted to the Canadian context.</p> <p><strong>Controlled information (CI)</strong> includes Protected A, Protected B, and controlled goods information that is not classified. Protected information, as well as the safeguarding and dissemination requirements for such information, is defined by the Treasury Board of Canada Secretariat <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32614"><abbr title="Treasury Board Secretariat">TBS</abbr> Directive on Security Management, Appendix J: Standard on Security Categorization</a> and is codified in the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=12510"><abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Privacy Protection</a>. We use the term “controlled information” in place of “controlled unclassified information” (CUI) which is used in the US document.</p> <p>GC departments and agencies are required to follow the policies and directives published by <abbr title="Treasury Board Secretariat">TBS</abbr> when using federal systems to handle, process, store, or transmit information<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <p>The responsibility of <abbr title="Government of Canada">GC</abbr> departments and agencies to protect <abbr title="controlled information">CI</abbr> remains the same when sharing <abbr title="controlled information">CI</abbr> with non-<abbr title="Government of Canada">GC</abbr> organizations. Therefore, a similar level of protection is needed when non-<abbr title="Government of Canada">GC</abbr> organizations using non-<abbr title="Government of Canada">GC</abbr> systems handle, process, store or transmit <abbr title="controlled information">CI</abbr>. 
To maintain a consistent level of protection, the security requirements for safeguarding <abbr title="controlled information">CI</abbr> in non-<abbr title="Government of Canada">GC</abbr> systems and organizations must comply with the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=16578"><abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Government Security</a>, <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32603"><abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Service and Digital</a>, and <abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Privacy Protection.</p> <p>The cyber security controls and activities presented in this publication outline requirements for federal contracting.</p> <p>This publication does not contain the complete set of privacy-related controls and activities described in ITSP.10.033. Rather, it contains a subset of privacy-related controls that are shared with confidentiality-related controls.</p> <h3 class="h2 mrgn-tp-lg" id="1-1">1.1 Purpose</h3> <p>This publication provides <abbr title="Government of Canada">GC</abbr> departments and agencies with recommended security requirements for protecting the confidentiality of <abbr title="controlled information">CI</abbr> when this information resides in non-<abbr title="Government of Canada">GC</abbr> systems and organizations and where there are no specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the <abbr title="controlled information">CI</abbr> category, and that ITSP.10.171 may not be sufficient. 
The requirements do not apply to non-<abbr title="Government of Canada">GC</abbr> organizations that are collecting or maintaining information on behalf of a <abbr title="Government of Canada">GC</abbr> department or agency or using or operating a system on their behalf.</p> <p>The security requirements in this publication are only applicable to components<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> of non-<abbr title="Government of Canada">GC</abbr> systems that handle, process, store, or transmit <abbr title="controlled information">CI</abbr> or that provide protection for such components. The requirements are intended to be used by <abbr title="Government of Canada">GC</abbr> departments and agencies in contractual vehicles or other agreements established with non-<abbr title="Government of Canada">GC</abbr> organizations.</p> <p>It is important that non-<abbr title="Government of Canada">GC</abbr> organizations scope requirements appropriately when making protection-related investment decisions and managing security risks. By designating system components for handling, processing, storing or transmitting <abbr title="controlled information">CI</abbr>, non-<abbr title="Government of Canada">GC</abbr> organizations can limit the scope of the security requirements by isolating the system components in a separate security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains can use physical separation, logical separation, or a combination of both. 
This approach can provide adequate security for <abbr title="controlled information">CI</abbr> and avoid increasing the non-<abbr title="Government of Canada">GC</abbr> organization’s security posture beyond what it requires for protecting its missions, operations and assets.</p> <h3 class="h2 mrgn-tp-lg" id="1-2">1.2 Audience</h3> <p>This publication is intended for various individuals and organizations in the public and private sectors, including:</p> <ul><li><abbr title="Government of Canada">GC</abbr> departments and agencies responsible for managing and protecting CI</li> <li>non-<abbr title="Government of Canada">GC</abbr> organizations responsible for protecting <abbr title="controlled information">CI</abbr></li> <li>individuals with system development lifecycle (SDLC) responsibilities</li> <li>individuals with acquisition or procurement responsibilities</li> <li>individuals with system, security, privacy or risk management and oversight responsibilities</li> <li>individuals with security or privacy assessment and monitoring responsibilities</li> </ul><h3 class="h2 mrgn-tp-lg" id="1-3">1.3 Publication organization</h3> <p>The remainder of this publication is organized as follows:</p> <ul><li><a href="#2">Section 2 Fundamentals</a> describes the assumptions and methodology used to develop the security requirements for protecting the confidentiality of <abbr title="controlled information">CI</abbr>, the format of the requirements, and the tailoring criteria applied to the Cyber Centre guidelines to obtain the requirements</li> <li><a href="#3">Section 3 Requirements</a> lists the security requirements for protecting the confidentiality of <abbr title="controlled information">CI</abbr> in non-<abbr title="Government of Canada">GC</abbr> systems and organizations</li> </ul><p>The following sections provide additional information to support the protection of <abbr title="controlled information">CI</abbr>:</p> <ul><li><a href="#AA">Annex A: Tailoring 
criteria</a></li> <li><a href="#AB">Annex B: Organization-defined parameters</a></li> </ul></section><section><h2 class="text-info" id="2">2 Fundamentals</h2> <p>This section describes the assumptions and methodology used to develop the requirements to protect the confidentiality of <abbr title="controlled information">CI</abbr> in non-<abbr title="Government of Canada">GC</abbr> systems and organizations. It also includes the tailoring criteria applied to the controls in ITSP.10.033.</p> <h3 class="h2 mrgn-tp-lg" id="2-1">2.1 Security requirements assumptions</h3> <p>The security requirements in this publication are based on the following assumptions:</p> <ul><li><abbr title="Government of Canada">GC</abbr> information designated as <abbr title="controlled information">CI</abbr> has the same value regardless of whether such information resides in a <abbr title="Government of Canada">GC</abbr> or a non-<abbr title="Government of Canada">GC</abbr> system or organization</li> <li>statutory and regulatory requirements for the protection of <abbr title="controlled information">CI</abbr> are consistent in <abbr title="Government of Canada">GC</abbr> and non-<abbr title="Government of Canada">GC</abbr> systems and organizations</li> <li>safeguards implemented to protect <abbr title="controlled information">CI</abbr> are consistent in <abbr title="Government of Canada">GC</abbr> and non-<abbr title="Government of Canada">GC</abbr> systems and organizations</li> <li>the confidentiality impact value for <abbr title="controlled information">CI</abbr> is no less than low (Protected A), but will be medium (Protected B) for most large <abbr title="Government of Canada">GC</abbr> datasets</li>
<li>non-<abbr title="Government of Canada">GC</abbr> organizations can directly implement a variety of potential security solutions or use external service providers to satisfy security requirements</li> </ul><h3 class="h2 mrgn-tp-lg" id="2-2">2.2 Security requirement development methodology</h3> <p>Starting with the ITSP.10.033 controls in the ITSP.10.033-01 Medium impact profile, the controls are tailored to eliminate selected controls or parts of controls that are:</p> <ul><li>primarily the responsibility of the <abbr title="Government of Canada">GC</abbr></li> <li>not directly related to protecting the confidentiality of <abbr title="controlled information">CI</abbr></li> <li>adequately addressed by other related controls</li> <li>not applicable</li> </ul><p>ITSP.10.171 security requirements represent a subset of the controls that are necessary to protect the confidentiality of <abbr title="controlled information">CI</abbr>. The security requirements are organized into 17 families, as illustrated in Table 1. Each family contains the requirements related to its general security topic. Certain families from ITSP.10.033 are not included because they do not directly contribute to confidentiality. For example, the Personal information handling and transparency (PT) family is not included because it is about handling personal information (PI), not about the confidentiality of the <abbr title="personal information">PI</abbr>. The Program management (PM) family is not included because it is not related to confidentiality.
Finally, the Contingency planning (CP) family is not included because it addresses availability.</p> <p>The following are the security requirements families:</p> <ul><li>Access control</li> <li>Awareness and training</li> <li>Audit and accountability</li> <li>Configuration management</li> <li>Identification and authentication</li> <li>Incident response</li> <li>Maintenance</li> <li>Media protection</li> <li>Personnel security</li> <li>Physical protection</li> <li>Risk assessment</li> <li>Security assessment and monitoring</li> <li>System and communications protection</li> <li>System and information integrity</li> <li>Planning</li> <li>System and services acquisition</li> <li>Supply chain risk management</li> </ul><p>Organization-defined parameters (ODPs) are included in certain security requirements. <abbr title="organization-defined parameter">ODP</abbr>s provide flexibility through the use of assignment and selection operations to allow <abbr title="Government of Canada">GC</abbr> departments and agencies and non-<abbr title="Government of Canada">GC</abbr> organizations to specify values for the designated parameters in the requirements. Assignment and selection operations allow security requirements to be customized based on specific protection needs. The determination of <abbr title="organization-defined parameter">ODP</abbr> values can be guided and informed by laws, Orders in Council, directives, regulations, policies, standards, guidance, or mission and business needs. Once specified, <abbr title="organization-defined parameter">ODP</abbr> values become part of the requirement. When present in a control or activity statement, the square brackets indicate that there is an <abbr title="organization-defined parameter">ODP</abbr> that needs to be inserted by the reader in order for an organization to tailor the control to their context.</p> <p><abbr title="organization-defined parameter">ODP</abbr>s are an important part of specifying a security requirement. 
<abbr title="organization-defined parameter">ODP</abbr>s provide both the flexibility and the specificity needed by organizations to clearly define their <abbr title="controlled information">CI</abbr> security requirements according to their particular missions, business functions, operational environments and risk tolerance. In addition, <abbr title="organization-defined parameter">ODP</abbr>s support consistent security assessments to determine if specified security requirements have been satisfied. If a <abbr title="Government of Canada">GC</abbr> department or agency, or a group of departments or agencies, does not specify a particular value or range of values for an <abbr title="organization-defined parameter">ODP</abbr>, non-<abbr title="Government of Canada">GC</abbr> organizations must assign the value or values to complete the security requirement.</p> <p>Each requirement includes a discussion section, derived from the control discussion sections in NIST SP 800-53. These sections provide additional information to facilitate the implementation and assessment of the requirements. They are informative, not normative. The discussion sections are not intended to extend the scope of a requirement or to influence the solutions that organizations may use to satisfy a requirement. Examples provided are notional, not exhaustive, and do not reflect all the potential options available to organizations. 
The “References” section provides the source controls or assurance activities from ITSP.10.033, and a list of relevant publications with additional information on the topic described in the requirement.</p> <p>Because this is the first iteration of the Canadian publication, controls that were withdrawn in NIST SP 800-171 Revision 3 have been labelled as “not allocated” to keep the same numbering for interoperability purposes.</p> <p>The structure and content of a typical security requirement are provided in the example below.</p> <p>The term “organization” is used in many security requirements, and its meaning depends on context. For example, in a security requirement with an <abbr title="organization-defined parameter">ODP</abbr>, an organization can refer to either the <abbr title="Government of Canada">GC</abbr> department or agency or to the non-<abbr title="Government of Canada">GC</abbr> organization establishing the parameter values for the requirement.</p> <p>Annex A describes the security control tailoring criteria used to develop the security requirements and the results of the tailoring process. It provides a list of controls and activities from ITSP.10.033 that support the requirements and the controls and activities that have been eliminated from the Medium impact profile in accordance with the tailoring criteria.</p> </section><section><h2 class="text-info" id="3">3 Requirements</h2> <p>This section describes 17 families of security requirements for protecting the confidentiality of <abbr title="controlled information">CI</abbr> in non-<abbr title="Government of Canada">GC</abbr> systems and organizations.
In this section, the term “system” refers to non-<abbr title="Government of Canada">GC</abbr> systems or system components that handle, process, store or transmit <abbr title="controlled information">CI</abbr>, or that provide protection for such systems or components. Not all security requirements mention <abbr title="controlled information">CI</abbr> explicitly. Requirements that do not mention <abbr title="controlled information">CI</abbr> explicitly are included because they directly affect the protection of <abbr title="controlled information">CI</abbr> during its processing, storage or transmission.</p> <p>There may be limitations to how some systems, including specialized systems (e.g., industrial/process control systems, medical devices, or computer numerical control machines) can apply certain security requirements. To accommodate such issues, the system security plan — as reflected in requirement <a href="#03-15-02">System security plan 03.15.02</a> — is used to describe any enduring exceptions to the security requirements. 
Plans of action and milestones are used to manage individual, isolated or temporary deficiencies, as reflected in requirement <a href="#03-12-02">Plan of action and milestones 03.12.02</a>.</p> <p>The security requirements in this section are only applicable to components of non-<abbr title="Government of Canada">GC</abbr> systems that process, store or transmit <abbr title="controlled information">CI</abbr> or that provide protection for such components.</p> <section><h3 class="h2 mrgn-tp-lg" id="3-1">3.1 Access control</h3> <p>The controls in the Access control family support the ability to permit or deny user access to resources within the system.</p>
<details><summary><h4 id="03-01-01">03.01.01 Account management</h4> </summary><ol class="lst-upr-alph"><li>Define the types of system accounts allowed and prohibited.</li> <li>Create, enable, modify, disable, and remove system accounts in accordance with organizational policy, procedures, prerequisites, and criteria.</li> <li>Specify: <ol><li>authorized users of the system</li> <li>group and role membership</li> <li>access authorizations (i.e., privileges) for each account</li> </ol></li> <li>Authorize access to the system based on: <ol><li>a valid access authorization</li> <li>intended system usage</li> </ol></li> <li>Monitor the use of system accounts</li> <li>Disable system accounts when: <ol><li>the accounts have expired</li> <li>the accounts have been inactive for [Assignment: organization-defined time period]</li> <li>the accounts are no longer associated with a user or individual</li> <li>the accounts are in violation of organizational policy</li> <li>significant risks associated with individuals are discovered</li> </ol></li> <li>Notify account managers and designated personnel or roles within: <ol><li>[Assignment: organization-defined time period] when accounts are no longer required</li> <li>[Assignment: organization-defined time period] when users are terminated or transferred</li> <li>[Assignment: organization-defined time period] when system usage or the need-to-know changes for an individual</li> </ol></li> <li>Require that users log out of the system after [Assignment: organization-defined time period] of expected inactivity or when [Assignment: organization-defined circumstances]</li> </ol><h5>Discussion</h5> <p>This requirement focuses on account management for systems and applications.
The definition and enforcement of access authorizations other than those determined by account type (e.g., privileged access or non-privileged access) are addressed in <a href="#03-01-02">Access enforcement 03.01.02</a>. System account types include individual, group, temporary, system, guest, anonymous, emergency, developer, and service accounts. Users who require administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access. Types of accounts that organizations may prohibit due to increased risk include group, emergency, guest, anonymous, and temporary accounts.</p> <p>Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of both. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point of origin. In defining other account attributes, organizations consider system requirements (e.g., system upgrades, scheduled maintenance) and mission and business requirements (e.g., time zone differences, remote access to facilitate travel requirements).</p> <p>Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to the system to cause harm or that adversaries will cause harm through them. Close coordination among human resource managers, mission/business owners, system administrators, and legal staff is essential when disabling system accounts for high-risk individuals. Time periods for the notification of organizational personnel or roles may vary.</p> <p>Inactivity logout is behaviour- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. 
Automatic enforcement of inactivity logout is addressed by <a href="#03-01-10">Device lock 03.01.10</a>.</p> <h5>References</h5> <p>Source controls: AC-02, AC-02(03), AC-02(05), AC-02(13)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/managing-and-controlling-administrative-privileges-itsap10094">Cyber Centre Managing and controlling administrative privileges (ITSAP.10.094) </a></li> <li><a href="/en/guidance/how-protect-your-organization-insider-threats-itsap10003-0">Cyber Centre How to protect your organization from insider threats (ITSAP.10.003) </a></li> </ul></details><details><summary><h4 id="03-01-02">03.01.02 Access enforcement</h4> </summary><p>Enforce approved authorizations for logical access to <abbr title="controlled information">CI</abbr> and system resources in accordance with applicable access control policies.</p> <h5>Discussion</h5> <p>Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, and domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the Internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for <abbr title="controlled information">CI</abbr>. This recognizes that the system can host many applications and services in support of mission and business functions. 
Access control policies are defined in <a href="#03-15-01">Policy and procedures 03.15.01</a>.</p> <h5>References</h5> <p>Source control: AC-03<br /> Supporting publications: <a href="/en/guidance/managing-and-controlling-administrative-privileges-itsap10094">Cyber Centre Managing and controlling administrative privileges (ITSAP.10.094)</a></p> </details><details><summary><h4 id="03-01-03">03.01.03 Information flow enforcement</h4> </summary><p>Enforce approved authorizations for controlling the flow of <abbr title="controlled information">CI</abbr> within the system and between connected systems.</p> <h5>Discussion</h5> <p>Information flow control regulates where <abbr title="controlled information">CI</abbr> can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping <abbr title="controlled information">CI</abbr> from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting requests to the Internet that are not from the internal web proxy server, and limiting <abbr title="controlled information">CI</abbr> transfers between organizations based on data structures and content.</p> <p>Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of <abbr title="controlled information">CI</abbr> between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path.
Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.</p> <p>Transferring <abbr title="controlled information">CI</abbr> between organizations may require an agreement that specifies how the information flow is enforced (see <a href="#03-12-05">Information exchange 03.12.05</a>). Transferring <abbr title="controlled information">CI</abbr> between systems that represent different security domains with different security policies introduces the risk that such transfers may violate one or more domain security policies. In such situations, information custodians provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. 
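</p> <p>The four flow restrictions named in this discussion, written as a small rule-based policy enforcement point. This is an added illustration, not code from ITSP.10.171 or the Cyber Centre; the internal networks, proxy address, partner network and <abbr title="controlled information">CI</abbr> markings are assumed values.</p>

```python
"""Added example: a rule-based information flow enforcement point.

Illustrative code, not part of ITSP.10.171. The networks, proxy address,
partner network and CI markings below are assumed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
WEB_PROXY = ip_address("10.0.0.5")             # assumed: the only sanctioned web egress point
PARTNER_NETS = [ip_network("203.0.113.0/24")]  # assumed: organizations with an exchange agreement
CI_MARKERS = ("PROTECTED A", "PROTECTED B")    # assumed markings that identify CI in content
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    """One unit of traffic seen at the boundary device (constructed for the example)."""
    ingress: str      # interface the traffic arrived on: "internal" or "external"
    src: str          # source IP address as it appears in the header
    dst: str          # destination IP address
    dst_port: int
    encrypted: bool   # True when carried inside an approved encrypted tunnel or TLS
    content: str      # message body, or "" when only header filtering is possible


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_partner(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in PARTNER_NETS)


def contains_ci(content: str) -> bool:
    """Message-filtering step: a keyword search for CI markings in the content."""
    upper = content.upper()
    return any(marker in upper for marker in CI_MARKERS)


def enforce(flow: Flow) -> Tuple[str, str]:
    """Return ("deny", reason) or ("allow", reason) for one flow.

    Header-based rules run first (packet filtering); content-based rules
    (message filtering) apply only to traffic that leaves the organization.
    """
    # Outside traffic that claims to originate inside the organization.
    if flow.ingress == "external" and is_internal(flow.src):
        return "deny", "external traffic with an internal source address"
    outbound = not is_internal(flow.dst)
    # Requests to the Internet must come from the internal web proxy.
    if outbound and flow.dst_port in WEB_PORTS and ip_address(flow.src) != WEB_PROXY:
        return "deny", "Internet request not from the internal web proxy"
    # CI leaving the organization: never in the clear, and only to a
    # destination covered by an information exchange agreement (03.12.05).
    if outbound and contains_ci(flow.content):
        if not flow.encrypted:
            return "deny", "CI would be transmitted in the clear to the Internet"
        if not is_partner(flow.dst):
            return "deny", "CI transfer to an organization without an exchange agreement"
        return "allow", "CI transfer to a partner over an encrypted channel"
    return "allow", "no flow restriction matched"


if __name__ == "__main__":
    # Constructed sample flows, one per rule.
    for f in (Flow("external", "10.1.2.3", "10.0.0.9", 443, False, ""),
              Flow("internal", "10.0.0.77", "198.51.100.7", 443, True, ""),
              Flow("internal", "10.0.0.20", "198.51.100.7", 25, False, "Protected B - client list"),
              Flow("internal", "10.0.0.20", "203.0.113.8", 25, True, "Protected B memo")):
        print(f.src, "->", f.dst, enforce(f))
```

<p>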
Enforcement includes prohibiting <abbr title="controlled information">CI</abbr> transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.</p> <h5>References</h5> <p>Source control: AC-04<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022) </a></li> <li><a href="/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> </ul></details><details><summary><h4 id="03-01-04">03.01.04 Separation of duties</h4> </summary><ol class="lst-upr-alph"><li>Identify the duties of individuals requiring separation.</li> <li>Define system access authorizations to support separation of duties.</li> </ol><h5>Discussion</h5> <p>Separation of duties addresses the potential for abuse of authorized privileges and reduces the risk of malicious activity without collusion. Separation of duties includes dividing mission functions and support functions among different individuals or roles, conducting system support functions with different individuals or roles (e.g., quality assurance, configuration management, system management, assessments, programming, and network security), and ensuring that personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of their systems and system components when developing policies on separation of duties. 
This requirement is enforced by <a href="#03-01-02">Access enforcement 03.01.02</a>.</p> <h5>References</h5> <p>Source control: AC-05<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/162/upd2/final">NIST SP 800-162 Guide to Attribute Based Access Control (ABAC) Definition and Considerations </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/178/final">NIST SP 800-178 A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) </a></li> </ul></details><details><summary><h4 id="03-01-05">03.01.05 Least privilege</h4> </summary><ol class="lst-upr-alph"><li>Allow only the authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks.</li> <li>Authorize access to [Assignment: organization-defined security functions] and [Assignment: organization-defined security-relevant information].</li> <li>Review the privileges assigned to roles or classes of users [Assignment: organization-defined frequency] to validate the need for such privileges.</li> <li>Reassign or remove privileges, as necessary.</li> </ol><h5>Discussion</h5> <p>Organizations employ the principle of least privilege for specific duties and authorized access for users and system processes. Least privilege is applied to the development, implementation, and operation of the system. Organizations consider creating additional processes, roles, and system accounts to achieve least privilege. Security functions include establishing system accounts and assigning privileges, installing software, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, establishing intrusion detection parameters, and managing audit information. 
Security-relevant information includes threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, security architecture, cryptographic key management information, access control lists, and audit information.</p> <h5>References</h5> <p>Source controls: AC-06, AC-06(01), AC-06(07), AU-09(04)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-06">03.01.06 Least privilege – privileged accounts</h4> </summary><ol class="lst-upr-alph"><li>Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].</li> <li>Require that users (or roles) with privileged accounts use non-privileged accounts when accessing non-security functions or non-security information.</li> <li>Require any administrative or superuser actions to be performed from a physical workstation which is dedicated to those specific tasks and isolated from all other functions and networks, especially any form of Internet access.</li> </ol><h5>Discussion</h5> <p>Privileged accounts refer to accounts that are granted elevated privileges to access resources (including security functions or security-relevant information) that are otherwise restricted for non-privileged accounts. These accounts are typically described as system administrator or super-user accounts. For example, a privileged account is often required in order to perform privileged functions such as executing commands that could modify system behaviour. Restricting privileged accounts to specific personnel or roles prevents non-privileged users from accessing security functions or security-relevant information. 
Requiring the use of non-privileged accounts when accessing non-security functions or non-security information limits exposure when operating from within privileged accounts.</p> <p>A dedicated administration workstation (DAW) typically consists of a user terminal with a very small selection of software designed for interfacing with the target system. For the purpose of this control, “workstation” means the system from which the administration is performed, not the target system being administered.</p> <h5>References</h5> <p>Source controls: AC-06(02), AC-06(05), SI-400<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-07">03.01.07 Least privilege – privileged functions</h4> </summary><ol class="lst-upr-alph"><li>Prevent non-privileged users from executing privileged functions.</li> <li>Log the execution of privileged functions.</li> </ol><h5>Discussion</h5> <p>Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users do not possess the authorizations to execute privileged functions. Bypassing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. This requirement represents a condition to be achieved by the definition of authorized privileges in <a href="#03-01-01">Account management 03.01.01</a> and privilege enforcement in <a href="#03-01-02">Access enforcement 03.01.02</a>.</p> <p>The misuse of privileged functions – whether intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts – is a serious and ongoing concern that can have significant adverse impacts on organizations.
Logging the use of privileged functions is one way to detect such misuse and mitigate the risks from advanced persistent threats and insider threats.</p> <h5>References</h5> <p>Source controls: AC-06(09), AC-06(10)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-08">03.01.08 Unsuccessful logon attempts</h4> </summary><ol class="lst-upr-alph"><li>Limit the number of consecutive invalid logon attempts to [Assignment: organization-defined number] in [Assignment: organization-defined time period].</li> <li>Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action] when the maximum number of unsuccessful attempts is exceeded.</li> </ol><h5>Discussion</h5> <p>Due to the potential for denial of service, automatic system lockouts are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., using a delay algorithm). Organizations may employ different delay algorithms for different system components based on the capabilities of the respective components. 
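</p> <p>The limit in part A and the response selections in part B of this requirement, implemented with the <abbr title="organization-defined parameter">ODP</abbr>s as constructor parameters and a doubling delay algorithm for the “delay next logon prompt” selection. This is an added illustration, not code from ITSP.10.171 or the Cyber Centre; the numbers used are assumed values.</p>

```python
"""Added example: an unsuccessful-logon guard parameterized by the ODPs of 03.01.08.

Illustrative code, not part of ITSP.10.171. The limits and periods used in the
demo are assumed values; a real deployment takes them from organizational policy.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Optional


@dataclass
class _AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: Optional[float] = None   # selection: lock for an organization-defined period
    admin_locked: bool = False             # selection: lock until released by an administrator
    delay_until: Optional[float] = None    # selection: delay next logon prompt


class LogonGuard:
    """Limit consecutive invalid logon attempts to max_attempts within window_seconds
    and apply the selected response once that limit is reached."""

    ACTIONS = ("lock_for", "lock_until_admin", "delay", "notify")

    def __init__(self, max_attempts: int = 5, window_seconds: float = 900.0,
                 action: str = "lock_for", lock_seconds: float = 900.0,
                 base_delay_seconds: float = 2.0,
                 notify: Optional[Callable[[str, int], None]] = None) -> None:
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.max_attempts = max_attempts      # [Assignment: organization-defined number]
        self.window = window_seconds          # [Assignment: organization-defined time period]
        self.action = action                  # one option of the [Selection (one or more): ...]
        self.lock_seconds = lock_seconds      # lock period for the "lock_for" selection
        self.base_delay = base_delay_seconds  # seed for the delay algorithm
        self.notify = notify or (lambda account, count: None)  # "notify system administrator"
        self._state: Dict[str, _AccountState] = {}

    def _get(self, account: str) -> _AccountState:
        return self._state.setdefault(account, _AccountState())

    def attempt(self, account: str, credentials_valid: bool, now: float) -> str:
        """Process one logon attempt at time `now` (seconds).
        Returns 'allowed', 'failed', 'locked' or 'delayed'."""
        st = self._get(account)
        # Locks and delays are checked before the credentials, so a locked
        # account gives no feedback about whether a password was correct.
        if st.admin_locked or (st.locked_until is not None and now < st.locked_until):
            return "locked"
        if st.delay_until is not None and now < st.delay_until:
            return "delayed"          # prompt not yet offered again; attempt not processed
        if credentials_valid:
            st.failures.clear()       # a success ends the run of consecutive failures
            st.locked_until = st.delay_until = None
            return "allowed"
        # Count only failures inside the organization-defined time window.
        st.failures.append(now)
        while st.failures and now - st.failures[0] > self.window:
            st.failures.popleft()
        count = len(st.failures)
        if count < self.max_attempts:
            return "failed"
        return self._respond(account, st, count, now)

    def _respond(self, account: str, st: _AccountState, count: int, now: float) -> str:
        if self.action == "lock_for":
            st.locked_until = now + self.lock_seconds
            st.failures.clear()       # the lock period itself releases the account
            return "locked"
        if self.action == "lock_until_admin":
            st.admin_locked = True
            return "locked"
        if self.action == "delay":
            # Delay algorithm: the wait doubles for each failure beyond the limit.
            st.delay_until = now + self.base_delay * 2 ** (count - self.max_attempts)
            return "delayed"
        self.notify(account, count)
        return "failed"

    def admin_release(self, account: str) -> None:
        """Administrator action for the "lock until released" selection."""
        st = self._get(account)
        st.admin_locked = False
        st.locked_until = st.delay_until = None
        st.failures.clear()


if __name__ == "__main__":
    # Assumed ODP values: 3 attempts in 10 minutes, then a 5 minute lock.
    guard = LogonGuard(max_attempts=3, window_seconds=600, action="lock_for", lock_seconds=300)
    for t, ok in ((0, False), (10, False), (20, False), (100, True), (330, True)):
        print(f"t={t:>3}s valid={ok!s:5} -> {guard.attempt('alice', ok, t)}")
```

<p>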
Responses to unsuccessful system logon attempts may be implemented at the system and application levels.</p> <p>Organization-defined actions that may be taken include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of a full lockout), allowing users to log on only from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles, such as location, time of day, IP address, device, or Media Access Control (MAC) address.</p> <h5>References</h5> <p>Source control: AC-07<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise</a></li> </ul></details><details><summary><h4 id="03-01-09">03.01.09 System use notification</h4> </summary><p>Display a system use notification message with privacy and security notices consistent with applicable <abbr title="controlled information">CI</abbr> rules before granting access to the system.</p> <h5>Discussion</h5> <p>System use notifications can be implemented using warning or banner messages. The messages are displayed before individuals log in to the system. System use notifications are used for access via logon interfaces with human users and are not required when human interfaces do not exist. Organizations consider whether a secondary use notification is needed to access applications or other system resources after the initial network logon. Posters or other printed materials may be used in lieu of an automated system message.
This requirement is related to <a href="#03-15-03">Rules of behaviour 03.15.03</a>.</p> <h5>References</h5> <p>Source control: AC-08<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-10">03.01.10 Device lock</h4> </summary><ol class="lst-upr-alph"><li>Prevent access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended].</li> <li>Retain the device lock until the user re-establishes access using established identification and authentication procedures.</li> <li>Conceal, via the device lock, information previously visible on the display with a publicly viewable image.</li> </ol><h5>Discussion</h5> <p>Device locks are temporary actions taken to prevent access to the system when users depart from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or application level. User-initiated device locking is behaviour- or policy-based and requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of the system (e.g., when organizations require users to log out at the end of workdays). 
Publicly viewable images can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.</p> <h5>References</h5> <p>Source controls: AC-11, AC-11(01)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-11">03.01.11 Session termination</h4> </summary><p>Terminate a user session automatically after [Assignment: organization-defined conditions or trigger events requiring session disconnect].</p> <h5>Discussion</h5> <p>This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network) in <a href="#03-13-09">Network disconnect 03.13.09</a>. A logical session is initiated whenever a user (or processes acting on behalf of a user) accesses a system. Logical sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination ends all system processes associated with a user’s logical session except those processes that are created by the user (i.e., session owner) to continue after the session is terminated. 
Conditions or trigger events that require automatic session termination can include organization-defined periods of user inactivity, time-of-day restrictions on system use, and targeted responses to certain types of incidents.</p> <h5>References</h5> <p>Source control: AC-12<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-12">03.01.12 Remote access</h4> </summary><ol class="lst-upr-alph"><li>Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access.</li> <li>Authorize each type of remote system access prior to establishing such connections.</li> <li>Route remote access to the system through authorized and managed access control points.</li> <li>Authorize remote execution of privileged commands and remote access to security-relevant information.</li> </ol><h5>Discussion</h5> <p>Remote access is access to systems (or processes acting on behalf of users) that communicate through external networks, such as the Internet. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. Routing remote access through managed access control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of <abbr title="controlled information">CI</abbr>.</p> <p>Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. 
Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions.</p> <h5>References</h5> <p>Source controls: AC-17, AC-17(03), AC-17(04)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/113/final">NIST SP 800-113 Guide to SSL <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User’s Guide to Telework and Bring Your Own Device (BYOD) Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/121/r2/upd1/final">NIST SP 800-121 Guide to Bluetooth Security</a></li> </ul></details><h4 id="03-01-13">03.01.13 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-01-14">03.01.14 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-01-15">03.01.15 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-16">03.01.16 Wireless access</h4> </summary><ol class="lst-upr-alph"><li>Establish usage restrictions, configuration requirements, and connection requirements for each type of wireless access to the system</li> <li>Authorize each type of wireless access to the system prior to 
establishing such connections</li> <li>Disable, when not intended for use, wireless networking capabilities prior to issuance and deployment</li> <li>Protect wireless access to the system using authentication and encryption</li> </ol><h5>Discussion</h5> <p>Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. Establishing usage restrictions, configuration requirements, and connection requirements for wireless access to the system provides criteria to support access authorization decisions. These restrictions and requirements reduce susceptibility to unauthorized system access through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication. Organizations authenticate individuals and devices to protect wireless access to the system. Special attention is given to the variety of devices with potential wireless access to the system, including small form factor mobile devices (e.g., smart phones, tablets, smart watches). Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. 
Strong authentication of users and devices, strong encryption, and disabling wireless capabilities that are not needed for essential missions or business functions can reduce susceptibility to threats by adversaries involving wireless technologies.</p> <h5>References</h5> <p>Source controls: AC-18, AC-18(01), AC-18(03)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/security-requirements-wireless-local-area-networks-itsg-41">Cyber Centre Security Requirements for Wireless Local Area Networks (ITSG-41) </a></li> <li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/94/final">NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> </ul></details><h4 id="03-01-17">03.01.17 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-18">03.01.18 Access control for mobile devices</h4> </summary><ol class="lst-upr-alph"><li>Establish usage restrictions, configuration requirements, and connection requirements for mobile devices</li> <li>Authorize the connection of mobile devices to the system</li> <li>Implement full-device or container-based encryption to protect the confidentiality of <abbr title="controlled information">CI</abbr> on mobile devices</li> </ol><h5>Discussion</h5> <p>A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. 
Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capabilities of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices are behaviour- or policy-based and require users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting <abbr title="controlled information">CI</abbr>.</p> <p>Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system and possibly other software integrity checks, and disabling unnecessary hardware. On mobile devices, secure containers provide software-based data isolation designed to segment enterprise applications and information from personal apps and data. Containers may present multiple user interfaces, one of the most common being a mobile application that acts as a portal to a suite of business productivity apps, such as email, contacts, and calendar. 
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of <abbr title="controlled information">CI</abbr> on mobile devices.</p> <h5>References</h5> <p>Source controls: AC-19, AC-19(05)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User’s Guide to Telework and Bring Your Own Device (BYOD) Security </a></li> </ul></details><h4 id="03-01-19">03.01.19 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-20">03.01.20 Use of external systems</h4> </summary><ol class="lst-upr-alph"><li>Prohibit the use of external systems unless they are specifically authorized</li> <li>Establish the following terms, conditions, and security requirements to be satisfied on external systems prior to allowing use of or access to those systems by authorized individuals: [Assignment: organization-defined security requirements]</li> <li>Permit authorized individuals to use an external system to access the organization’s system or to process, store, or transmit <abbr title="controlled information">CI</abbr> only after: <ol><li>verifying that the security requirements on the external system as specified in the organization’s system security and privacy plans have been satisfied</li> <li>retaining approved system connection or processing agreements with the organizational entities hosting the external systems</li> </ol></li> <li>Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems</li> 
</ol><h5>Discussion</h5> <p>External systems are systems that are used by but are not part of the organization. These systems include personally owned systems, system components, or devices; privately owned computing and communication devices in commercial or public facilities; systems owned or controlled by non-federal organizations; and systems managed by contractors. Organizations have the option to prohibit the use of any type of external system or specified types of external systems (e.g., prohibit the use of external systems that are not organization-owned). Terms and conditions are consistent with the trust relationships established with the entities that own, operate, or maintain external systems and include descriptions of shared responsibilities.</p> <p>Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to the organizational system and over whom the organization has the authority to impose specific rules of behaviour regarding system access. Restrictions that organizations impose on authorized individuals may vary depending on the trust relationships between the organization and external entities. Organizations need assurance that the external systems satisfy the necessary security requirements so as not to compromise, damage, or harm the system. 
This requirement is related to <a href="#03-16-03">External system services 03.16.03</a>.</p> <h5>References</h5> <p>Source controls: AC-20, AC-20(01), AC-20(02)<br /> Supporting publications: None</p> </details><h4 id="03-01-21">03.01.21 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-22">03.01.22 Publicly accessible content</h4> </summary><ol class="lst-upr-alph"><li>Train authorized individuals to ensure that publicly accessible information does not contain <abbr title="controlled information">CI</abbr></li> <li>Review the content on publicly accessible systems for <abbr title="controlled information">CI</abbr> periodically and remove such information, if discovered</li> </ol><h5>Discussion</h5> <p>In accordance with applicable laws, Orders in Council, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to non-public information, including <abbr title="controlled information">CI</abbr>.</p> <h5>References</h5> <p>Source control: AC-22<br /> Supporting publications: None</p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-2">3.2 Awareness and training</h3> <p>The Awareness and training controls deal with the education of users with respect to the security of the system.</p> <details><summary><h4 id="03-02-01">03.02.01 Literacy training and awareness</h4> </summary><ol 
class="lst-upr-alph"><li>Provide security and privacy literacy training to system users: <ol><li>as part of initial training for new users and [Assignment: organization-defined frequency] thereafter</li> <li>when required by system changes or following [Assignment: organization-defined events]</li> <li>on recognizing and reporting indicators of insider threat, social engineering, and social mining</li> </ol></li> <li>Update security and privacy literacy training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]</li> </ol><h5>Discussion</h5> <p>Organizations provide basic and advanced levels of security and privacy literacy training to system users (including managers, senior executives, system administrators, and contractors) and measures to test the knowledge level of users. Organizations determine the content of literacy training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and the actions required of users to maintain security and to respond to incidents. The content also addresses the need for operations security and the handling of <abbr title="controlled information">CI</abbr>.</p> <p>Security and privacy awareness techniques include displaying posters, offering supplies inscribed with security reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events using podcasts, videos, and webinars. Security and privacy literacy training is conducted at a frequency consistent with applicable laws, directives, regulations, and policies. Updating literacy training content on a regular basis ensures that the content remains relevant. 
Events that may precipitate an update to literacy training content include assessment or audit findings, security incidents or breaches, or changes in applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines.</p> <p>Potential indicators and possible precursors of insider threats include behaviours such as inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; sexual harassment or bullying of fellow employees; workplace violence; and other serious violations of the policies, procedures, rules, directives, or practices of organizations. Organizations may consider tailoring insider threat awareness topics to the role (e.g., training for managers may be focused on specific changes in the behaviour of team members, while training for employees may be focused on more general observations).</p> <p>Social engineering is an attempt to deceive an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, threadjacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. 
Security and privacy literacy training includes how to communicate employee and management concerns regarding potential indicators of insider threat and potential and actual instances of social engineering and data mining through appropriate organizational channels in accordance with established policies and procedures.</p> <h5>References</h5> <p>Source controls: AT-02, AT-02(02), AT-02(03)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Cyber Centre Offer tailored cyber security training to your employees (ITSAP.10.093) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final">NIST SP 800-160-2 Developing Cyber-Resilient Systems: A Systems Security Engineering Approach </a></li> </ul></details><details><summary><h4 id="03-02-02">03.02.02 Role-based training</h4> </summary><ol class="lst-upr-alph"><li>Provide role-based security and privacy training to organizational personnel: <ol><li>before authorizing access to the system or <abbr title="controlled information">CI</abbr>, before performing assigned duties, and [Assignment: organization-defined frequency] thereafter</li> <li>when required by system changes or following [Assignment: organization-defined events]</li> </ol></li> <li>Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]</li> </ol><h5>Discussion</h5> <p>Organizations determine the content and frequency of security and privacy training based on the assigned duties, roles, and responsibilities of individuals and the security and privacy requirements of the systems to which personnel have authorized access. 
In addition, organizations provide system developers, enterprise architects, security architects, privacy officers, software developers, systems integrators, acquisition/procurement officials, system and network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and personnel with access to system-level software with security-related technical training specifically tailored for their assigned duties.</p> <p>Comprehensive role-based training addresses management, operational, and technical roles and responsibilities that cover physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security and privacy roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs.</p> <h5>References</h5> <p>Source control: AT-03<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/181/r1/final">NIST SP 800-181 Workforce Framework for Cybersecurity (NICE Framework) </a></li> </ul></details><h4 id="03-02-03">03.02.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section><section><h3 class="h2 mrgn-tp-lg" id="3-3">3.3 Audit and accountability</h3> <p>The Audit and accountability controls support the ability to 
collect, analyze, and store audit records associated with user operations performed within the system.</p> <details><summary><h4 id="03-03-01">03.03.01 Event logging</h4> </summary><ol class="lst-upr-alph"><li>Specify the following event types selected for logging within the system: [Assignment: organization-defined event types]</li> <li>Review and update the event types selected for logging [Assignment: organization-defined frequency]</li> </ol><h5>Discussion</h5> <p>An event is any observable occurrence in a system, including unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed. This includes events that are relevant to the security of systems, the privacy of individuals, and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, the execution of privileged functions, failed logons or accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the system monitoring and auditing that are appropriate for each of the security requirements. 
When defining event types, organizations consider the logging necessary to cover related events, such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures.</p> <p>Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access, both successful and unsuccessful, but only activate that capability under specific circumstances due to the potential burden on system performance. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types is necessary to ensure that the current set remains relevant.</p> <h5>References</h5> <p>Source control: AU-02<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Cyber Centre Network security logging and monitoring (ITSAP.80.085) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management </a></li> </ul></details><details><summary><h4 id="03-03-02">03.03.02 Audit record content</h4> </summary><ol class="lst-upr-alph"><li>Include the following content in audit records: <ol><li>what type of event occurred</li> <li>when the event occurred</li> <li>where the event occurred</li> <li>source of the event</li> <li>outcome of the event</li> <li>identity of individuals, subjects, objects, or entities associated with the event</li> </ol></li> <li>Provide additional information for audit records, as needed</li> </ol><h5>Discussion</h5> <p>Audit record content that may be necessary to support the auditing function includes time stamps, source and destination addresses, user or process identifiers, event descriptions, file names, and the access control or flow control rules that are invoked. 
Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records may include a full text recording of privileged commands or the individual identities of group account users.</p> <h5>References</h5> <p>Source controls: AU-03, AU-03(01)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-03">03.03.03 Audit record generation</h4> </summary><ol class="lst-upr-alph"><li>Generate audit records for the selected event types and audit record content specified in <a href="#03-03-01">Event logging 03.03.01</a> and <a href="#03-03-02">Audit record content 03.03.02</a></li> <li>Retain audit records for a time period consistent with records retention policy</li> </ol><h5>Discussion</h5> <p>Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records, including the access control or flow control rules invoked and the individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. 
If records generated for the audit process contain personal information that is not required for the audit process, that personal information should be removed or redacted prior to retention.</p> <p>If audit records rely on personal information and that information is used to make an administrative decision, the minimum retention standard is at least two years following the last time the personal information was used for an administrative purpose unless the individual consents to its disposal.</p> <h5>References</h5> <p>Source controls: AU-11, AU-12<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management</a></p> </details><details><summary><h4 id="03-03-04">03.03.04 Response to audit logging process failures</h4> </summary><ol class="lst-upr-alph"><li>Alert organizational personnel or roles within [Assignment: organization-defined time period] in the event of an audit logging process failure</li> <li>Take the following additional actions: [Assignment: organization-defined additional actions]</li> </ol><h5>Discussion</h5> <p>Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Response actions include overwriting the oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type, location, and severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. 
Organizations may decide to take no additional actions after alerting designated roles or personnel.</p> <h5>References</h5> <p>Source control: AU-05<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-05">03.03.05 Audit record review, analysis, and reporting</h4> </summary><ol class="lst-upr-alph"><li>Review and analyze system audit records [Assignment: organization-defined frequency] for indications and potential impact of inappropriate or unusual activity</li> <li>Report findings to organizational personnel or roles</li> <li>Analyze and correlate audit records across different repositories to gain organization-wide situational awareness</li> </ol><h5>Discussion</h5> <p>Audit record review, analysis, and reporting cover information security- and privacy-related logging performed by organizations and can include logging that results from the monitoring of account usage, remote access, wireless connectivity, configuration settings, the use of maintenance tools and non-local maintenance, system component inventory, mobile device connection, equipment delivery and removal, physical access, temperature and humidity, communications at system interfaces, and the use of mobile code. Findings can be reported to organizational entities, such as the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The scope, frequency, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. 
Correlating audit record review, analysis, and reporting processes helps to ensure that they collectively create a more complete view of events.</p> <h5>References</h5> <p>Source controls: AU-06, AU-06(03)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/86/final">NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/101/r1/final">NIST SP 800-101 Guidelines on Mobile Device Forensics </a></li> </ul></details><details><summary><h4 id="03-03-06">03.03.06 Audit record reduction and report generation</h4> </summary><ol class="lst-upr-alph"><li>Implement an audit record reduction and report generation capability that supports audit record review, analysis, reporting requirements, and after-the-fact investigations of incidents</li> <li>Preserve the original content and time ordering of audit records</li> </ol><h5>Discussion</h5> <p>Audit records are generated in <a href="#03-03-03">Audit record generation 03.03.03</a>. Audit record reduction and report generation occur after audit record generation. Audit record reduction is a process that manipulates collected audit information and organizes it in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always come from the same system or organizational entities that conduct auditing activities. An audit record reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behaviour in audit records. The report generation capability provided by the system can help generate customizable reports. 
The time ordering of audit records can be a significant issue if the granularity of the time stamp in the record is insufficient.</p> <h5>References</h5> <p>Source control: AU-07<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-07">03.03.07 Time stamps</h4> </summary><ol class="lst-upr-alph"><li>Use internal system clocks to generate time stamps for audit records</li> <li>Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time (UTC), have a fixed local time offset from <abbr title="Coordinated Universal Time">UTC</abbr>, or include the local time offset as part of the time stamp</li> </ol><h5>Discussion</h5> <p>Time stamps generated by the system include the date and time. Time is commonly expressed in <abbr title="Coordinated Universal Time">UTC</abbr> or local time with an offset from <abbr title="Coordinated Universal Time">UTC</abbr>. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds or tens of milliseconds). Organizations may define different time granularities for system components. 
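The three requirements above meet in practice when records from several repositories are brought together: 03.03.05 asks for correlation across repositories, 03.03.06 for preserved content and time ordering, and 03.03.07 for UTC or offset-bearing time stamps of a defined granularity. The Python below is added here as an illustration and is not part of this publication or of the NIST source. The four audit records, the source names and the assumed UTC-5 offset for the source that logs naive local time are constructed. A naive time stamp whose offset is unknown is rejected rather than guessed, because silently treating it as UTC would place the record hours away from its true position on the time line.

```python
"""Bring audit records from different sources onto one UTC time line.
Added illustration for 03.03.05 to 03.03.07; the records, sources and the
assumed UTC-5 offset are constructed, not taken from any real system."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample records.  'sshd' and 'vpn' log RFC 3339 with 'Z' or an
# offset; 'app' logs naive local time, so its offset must come from
# configuration (assumption: that host runs at UTC-5).
SAMPLE_RECORDS = [
    {"source": "sshd", "ts": "2025-09-05T14:11:02.417Z", "msg": "Accepted publickey for ops"},
    {"source": "vpn", "ts": "2025-09-05T10:11:01.900-04:00", "msg": "tunnel up for ops"},
    {"source": "app", "ts": "2025-09-05 09:11:03", "msg": "ops viewed record 42"},
    {"source": "sshd", "ts": "2025-09-05T14:11:02.900Z", "msg": "session opened for ops"},
]
ASSUMED_SOURCE_OFFSETS = {"app": timezone(timedelta(hours=-5))}


def parse_to_utc(ts: str, source: str) -> datetime:
    """Return an aware UTC datetime for one record's time stamp.

    A naive value is accepted only when the source's offset is known;
    otherwise it is rejected instead of being silently treated as UTC.
    """
    text = ts.strip()
    if text.endswith("Z"):                 # 'Z' means UTC; older fromisoformat() needs '+00:00'
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text.replace(" ", "T", 1))
    if parsed.tzinfo is None:
        offset = ASSUMED_SOURCE_OFFSETS.get(source)
        if offset is None:
            raise ValueError(f"{source!r}: naive time stamp {ts!r} with no known offset")
        parsed = parsed.replace(tzinfo=offset)
    return parsed.astimezone(timezone.utc)


def to_rfc3339_ms(moment: datetime) -> str:
    """UTC, millisecond granularity, explicit 'Z' designator."""
    return moment.strftime("%Y-%m-%dT%H:%M:%S.") + f"{moment.microsecond // 1000:03d}Z"


def normalize(records: list) -> list:
    """Add 'ts_utc' to each record; the original 'ts' and 'msg' are kept as received."""
    out = []
    for rec in records:
        moment = parse_to_utc(rec["ts"], rec["source"])
        out.append({**rec, "ts_utc": to_rfc3339_ms(moment), "_moment": moment})
    return out


def ordered(records: list) -> list:
    """Records on one UTC time line; the sort is stable, so ties keep arrival order."""
    return sorted(normalize(records), key=lambda rec: rec["_moment"])


def ambiguous_groups(records: list, granularity: timedelta) -> list:
    """Messages whose time stamps collide once truncated to the given granularity.

    Such records cannot be ordered from their time stamps alone, which is the
    problem 03.03.06 warns about when the granularity is too coarse.
    """
    buckets = {}
    for rec in normalize(records):
        key = (rec["_moment"] - EPOCH) // granularity    # exact integer bucket
        buckets.setdefault(key, []).append(rec["msg"])
    return [group for group in buckets.values() if len(group) > 1]


if __name__ == "__main__":
    for rec in ordered(SAMPLE_RECORDS):
        print(rec["ts_utc"], rec["source"], rec["msg"], "(as logged:", rec["ts"] + ")")
    print("ambiguous at 1 s:", ambiguous_groups(SAMPLE_RECORDS, timedelta(seconds=1)))
    print("ambiguous at 100 ms:", ambiguous_groups(SAMPLE_RECORDS, timedelta(milliseconds=100)))
```

With the sample data, the two sshd records are indistinguishable at one-second granularity but separable at 100 ms, which is the kind of check to run before settling the organization-defined granularity in 03.03.07(b).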
Time service can be critical to other security capabilities (e.g., access control, and identification and authentication), depending on the nature of the mechanisms used to support those capabilities.</p> <h5>References</h5> <p>Source control: AU-08<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-08">03.03.08 Protection of audit information</h4> </summary><ol class="lst-upr-alph"><li>Protect audit information and audit logging tools from unauthorized access, modification, and deletion</li> <li>Authorize access to management of audit logging functionality to only a subset of privileged users or roles</li> </ol><h5>Discussion</h5> <p>Audit information includes the information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personal information. Audit logging tools are programs and devices used to conduct audit and logging activities. The protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. The physical protection of audit information is addressed by media and physical protection requirements.</p> <p>Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. 
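The paragraph above notes that privileged users who are themselves audited can alter or suppress records. One technical measure that supports 03.03.08(a) is to make the log tamper-evident: each record carries an HMAC over its own content and the previous record's HMAC, so changing or removing an earlier record invalidates every later link. The Python below is an added illustration, not part of this publication; the events and the key are constructed, and it assumes the key is held by a separate audit service rather than by the administrators being audited.

```python
"""Tamper-evident audit log: each entry is HMAC(key, previous_mac || record),
so modifying or deleting an earlier record breaks every later link.
Added illustration; the key and events are constructed demo values."""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32          # previous-MAC value used for the first record

# Constructed sample events (not from any real system).
SAMPLE_EVENTS = [
    {"ts": "2025-09-05T14:11:01.900Z", "user": "ops", "action": "login"},
    {"ts": "2025-09-05T14:11:02.417Z", "user": "ops", "action": "read", "object": "record-42"},
    {"ts": "2025-09-05T14:11:03.000Z", "user": "ops", "action": "audit-config-read"},
]


def canonical(record: dict) -> bytes:
    """Stable byte encoding so the same record always MACs the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_record(chain: list, key: bytes, record: dict) -> dict:
    """Append one record, linking it to the previous entry's MAC."""
    prev = bytes.fromhex(chain[-1]["mac"]) if chain else GENESIS
    mac = hmac.new(key, prev + canonical(record), hashlib.sha256).hexdigest()
    entry = {"record": record, "mac": mac}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes) -> int:
    """Return -1 if every link verifies, else the index of the first bad entry."""
    prev = GENESIS
    for index, entry in enumerate(chain):
        expected = hmac.new(key, prev + canonical(entry["record"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(entry["mac"])):
            return index
        prev = expected
    return -1


def chain_head(chain: list) -> str:
    """MAC of the newest entry.  Store it out of band (e.g. on a separate log
    server) so that removal of the newest records can be detected."""
    return chain[-1]["mac"] if chain else GENESIS.hex()


def truncated(chain: list, anchored_head: str) -> bool:
    """True when the chain no longer ends at the externally anchored head MAC."""
    return not hmac.compare_digest(chain_head(chain), anchored_head)


def build_sample_chain(key: bytes) -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_record(chain, key, event)
    return chain


def tampered_copy(chain: list) -> list:
    """Deep copy (via JSON) so one chain can be altered without touching the original."""
    return json.loads(json.dumps(chain))


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-use"   # assumption: held by the audit service only
    log = build_sample_chain(demo_key)
    head = chain_head(log)
    print("intact, first bad index:", verify_chain(log, demo_key))
    edited = tampered_copy(log)
    edited[1]["record"]["user"] = "admin"
    print("after edit, first bad index:", verify_chain(edited, demo_key))
    del log[1]
    print("after deletion, first bad index:", verify_chain(log, demo_key))
    log = build_sample_chain(demo_key)
    log.pop()
    print("after truncation: verifies =", verify_chain(log, demo_key) == -1,
          "but head mismatch =", truncated(log, head))
```

Chaining alone cannot detect removal of the newest entries, which is why the head MAC is meant to be anchored elsewhere; forwarding records to an append-only log server or write-once media covers that case, and keeping the key away from the audited administrators is what gives the construction its value.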
Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges.</p> <h5>References</h5> <p>Source controls: AU-09, AU-09(04)<br /> Supporting publications: None</p> </details><h4 id="03-03-09">03.03.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section><section><h3 class="h2 mrgn-tp-lg" id="3-4">3.4 Configuration management</h3> <p>The Configuration management controls support the management and control of all components of the system such as hardware, software, and configuration items.</p> <details><summary><h4 id="03-04-01">03.04.01 Baseline configuration</h4> </summary><ol class="lst-upr-alph"><li>Develop and maintain under 
configuration control, a current baseline configuration of the system</li> <li>Review and update the baseline configuration of the system [Assignment: organization-defined frequency] and when system components are installed or modified</li> </ol><h5>Discussion</h5> <p>Baseline configurations for the system and system components include aspects of connectivity, operation, and communications. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for the system or configuration items within it. Baseline configurations serve as a basis for future builds, releases, or changes to the system and include information about system components, operational procedures, network topology, and the placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as the system changes over time. Baseline configurations of the system reflect the current enterprise architecture. If the system facilitates the collection or use of personal information, baseline configurations should include providing privacy notice to users.</p> <h5>References</h5> <p>Source control: CM-02<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-02">03.04.02 Configuration settings</h4> </summary><ol class="lst-upr-alph"><li>Establish, document, and implement the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements: [Assignment: organization-defined configuration settings].</li> <li>Identify, document, and approve any deviations from established configuration settings.</li> 
</ol><h5>Discussion</h5> <p>Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system which affect the security and privacy posture or functionality of the system. Security-related configuration settings can be defined for systems (e.g., servers, workstations), input and output devices (e.g., scanners, copiers, printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications.</p> <p>Security parameters are those that impact the security state of the system, including the parameters required to satisfy other security requirements. Security parameters include registry settings; account, file, and directory permission settings (i.e., privileges); and settings for functions, ports, protocols, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including those required to satisfy other privacy controls. Privacy parameters include settings for access controls, personal information, data accuracy requirements, data manipulation capabilities, data processing preferences, and information handling and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for the system. The established settings become part of the system’s configuration baseline.</p> <p>Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, and security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific <abbr title="information technology">IT</abbr> platforms/products and instructions for configuring those system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations, including <abbr title="information technology">IT</abbr> product developers, manufacturers, vendors, consortia, academia, industry, federal departments and agencies, and other organizations in the public and private sectors.</p> <h5>References</h5> <p>Source control: CM-06<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/70/r4/final">NIST SP 800-70 National Checklist Program for <abbr title="information technology">IT</abbr> Products: Guidelines for Checklist Users and Developers </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/126/r3/final">NIST SP 800-126 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3 </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems</a></li> </ul></details><details><summary><h4 id="03-04-03">03.04.03 Configuration change control</h4> </summary><ol class="lst-upr-alph"><li>Define the types of changes to the system that are configuration-controlled.</li> <li>Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security impacts.</li> <li>Implement and document approved configuration-controlled changes to the system.</li> <li>Monitor and review activities associated with configuration-controlled changes to the system.</li> </ol><h5>Discussion</h5> <p>Configuration change control refers to tracking, reviewing, approving or disapproving, and logging changes to the system. 
Specifically, it involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the system, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for system components (e.g., operating systems, applications, firewalls, routers, mobile devices) and configuration items of the system, changes to configuration settings, unscheduled and unauthorized changes, and changes to remediate vulnerabilities. This requirement is related to <a href="#03-04-04">Impact analyses 03.04.04</a>.</p> <h5>References</h5> <p>Source control: CM-03<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-04">03.04.04 Impact analyses</h4> </summary><ol class="lst-upr-alph"><li>Analyze the security and privacy impacts of changes to the system prior to implementation.</li> <li>Verify that the security requirements for the system continue to be satisfied after the system changes have been implemented.</li> </ol><h5>Discussion</h5> <p>Organizational personnel with security or privacy responsibilities conduct impact analyses that include reviewing security and privacy plans, policies, and procedures to understand security and privacy requirements; reviewing system design documentation and operational procedures to understand how system changes might affect the security and privacy state of the system; reviewing the impacts of changes on supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals, and the ability to mitigate those risks. 
Impact analyses also include risk assessments to understand the impacts of changes and to determine whether additional security or privacy requirements are needed. Changes to the system may affect the safeguards and countermeasures previously implemented. This requirement is related to <a href="#03-04-03">Configuration change control 03.04.03</a>. Not all changes to the system are configuration controlled.</p> <h5>References</h5> <p>Source controls: CM-04, CM-04(02)<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems</a></p> </details><details><summary><h4 id="03-04-05">03.04.05 Access restrictions for change</h4> </summary><p>Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.</p> <h5>Discussion</h5> <p>Changes to the hardware, software, or firmware components of the system or the operational procedures related to the system can have potentially significant effects on the security of the system or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access the system for the purpose of initiating changes. 
Access restrictions include physical and logical access controls, software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into the system), and change windows (i.e., changes occur only during specified times).</p> <h5>References</h5> <p>Source control: CM-05<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules </a></li> <li><a href="https://csrc.nist.gov/pubs/fips/186-5/final">NIST FIPS 186-5 Digital Signature Standard (DSS) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-06">03.04.06 Least functionality</h4> </summary><ol class="lst-upr-alph"><li>Configure the system to provide only mission-essential capabilities.</li> <li>Prohibit or restrict use of the following functions, ports, protocols, connections, and services: [Assignment: organization-defined functions, ports, protocols, connections, and services].</li> <li>Review the system [Assignment: organization-defined frequency] to identify unnecessary or nonsecure functions, ports, protocols, connections, and services.</li> <li>Disable or remove functions, ports, protocols, connections, and services that are unnecessary or nonsecure.</li> </ol><h5>Discussion</h5> <p>Systems can provide a variety of functions and services. Some functions and services that are routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. It may be convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. 
Where feasible, organizations limit functionality to a single function per component.</p> <p>Organizations review the functions and services provided by the system or system components to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent the unauthorized connection of devices, transfer of information, and tunneling. Organizations can employ network scanning tools, intrusion detection and prevention systems, and endpoint protection systems (e.g., firewalls and host-based intrusion detection systems) to identify and prevent the use of prohibited functions, ports, protocols, system connections, and services. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of the types of protocols that organizations consider eliminating, restricting, or disabling.</p> <h5>References</h5> <p>Source controls: CM-07, CM-07(01)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/application-allow-list-itsap10095">Cyber Centre Application Allow Lists (ITSAP.10.095) </a></li> <li><a href="/en/top-top-10-it-security-action-items-no-10-implement-application-allow-lists-itsm10095">Cyber Centre Top 10 <abbr title="information technology">IT</abbr> security action items: No. 
10 Implement application allow lists (ITSM.10.095) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems </a></li> <li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> </ul></details><h4 id="03-04-07">03.04.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-04-08">03.04.08 Authorized software – allow by exception</h4> </summary><ol class="lst-upr-alph"><li>Identify software programs authorized to execute on the system.</li> <li>Implement a deny-all, allow-by-exception policy for the execution of software programs on the system.</li> <li>Review and update the list of authorized software programs [Assignment: organization-defined frequency].</li> </ol><h5>Discussion</h5> <p>If provided with the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved “app stores.” The policies selected for governing user-installed software are organization-developed or provided by an external entity. Policy enforcement methods can include procedural methods and automated methods.</p> <p>Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection against attacks that bypass application-level authorized software, software programs may be decomposed into and monitored at different levels of detail. 
These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries.</p> <h5>References</h5> <p>Source control: CM-07(05)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/application-allow-list-itsap10095">Cyber Centre Application Allow Lists (ITSAP.10.095) </a></li> <li><a href="/en/top-top-10-it-security-action-items-no-10-implement-application-allow-lists-itsm10095">Cyber Centre Top 10 <abbr title="information technology">IT</abbr> security action items: No. 10 Implement application allow lists (ITSM.10.095) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems </a></li> </ul></details><h4 id="03-04-09">03.04.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-04-10">03.04.10 System component inventory</h4> </summary><ol class="lst-upr-alph"><li>Develop and document an inventory of system components.</li> <li>Review and update the system component inventory [Assignment: organization-defined frequency].</li> <li>Update the system component inventory as part of installations, removals, and system updates.</li> </ol><h5>Discussion</h5> <p>System components are discrete, identifiable assets (i.e., hardware, software, and firmware elements) that compose a system. Organizations may implement centralized system component inventories that include components from all systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. 
The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information — and for networked components — the machine names and network addresses for all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include component type, physical location, date of receipt, manufacturer, cost, model, serial number, and supplier information.</p> <h5>References</h5> <p>Source controls: CM-08, CM-08(01)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-11">03.04.11 Information location</h4> </summary><ol class="lst-upr-alph"><li>Identify and document the location of <abbr title="controlled information">CI</abbr> and the system components on which the information is processed and stored.</li> <li>Document changes to the system or system component location where <abbr title="controlled information">CI</abbr> is processed and stored.</li> </ol><h5>Discussion</h5> <p>Information location addresses the need to understand the specific system components where <abbr title="controlled information">CI</abbr> is being processed and stored and the users who have access to <abbr title="controlled information">CI</abbr> so that appropriate protection mechanisms can be provided, including information flow controls, access controls, and information management.</p> <h5>References</h5> <p>Source control: CM-12<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-04-12">03.04.12 System and component configuration for high-risk areas</h4> </summary><ol 
class="lst-upr-alph"><li>Issue systems or system components with the following configurations to individuals traveling to high-risk locations: [Assignment: organization-defined system configurations].</li> <li>Apply the following security requirements to the system or system components when the individuals return from travel: [Assignment: organization-defined security requirements].</li> </ol><h5>Discussion</h5> <p>When it is known that a system or a specific system component will be in a high-risk area, additional security requirements may be needed to counter the increased threat. Organizations can implement protective measures on systems or system components used by individuals departing on and returning from travel. Actions include determining locations of concern, defining the required configurations for the components, ensuring that the components are configured as intended before travel is initiated, and taking additional actions after travel is completed. For example, systems going into high-risk areas can be configured with sanitized hard drives, limited applications, and more stringent configuration settings. 
Actions applied to mobile devices upon return from travel include examining the device for signs of physical tampering and purging and reimaging the device storage.</p> <h5>References</h5> <p>Source control: CM-02(07)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-5">3.5 Identification and authentication</h3> <p>The Identification and authentication controls support the unique identification of users, processes acting on behalf of users and devices. 
They also support the authentication or verification of the identities of those users, processes or devices as a prerequisite to allowing access to organizational systems.</p> <details><summary><h4 id="03-05-01">03.05.01 User identification, authentication, and re-authentication</h4> </summary><ol class="lst-upr-alph"><li>Uniquely identify and authenticate system users and associate that unique identification with processes acting on behalf of those users.</li> <li>Re-authenticate users when [Assignment: organization-defined circumstances or situations requiring re-authentication].</li> </ol><h5>Discussion</h5> <p>System users include individuals (or system processes acting on behalf of individuals) who are authorized to access a system. Typically, individual identifiers are the usernames associated with the system accounts assigned to those individuals. Since system processes execute on behalf of groups and roles, organizations may require the unique identification of individuals in group accounts or accountability of individual activity. 
The unique identification and authentication of users applies to all system accesses. Organizations employ passwords, physical authenticators, biometrics, or some combination thereof to authenticate user identities. Organizations may re-authenticate individuals in certain situations, including when roles, authenticators, or credentials change; when the execution of privileged functions occurs; after a fixed time period; or periodically.</p> <h5>References</h5> <p>Source controls: IA-02, IA-11<br /> Supporting publications: <a href="https://www.cyber.gc.ca/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><details><summary><h4 id="03-05-02">03.05.02 Device identification and authentication</h4> </summary><p>Uniquely identify and authenticate [Assignment: organization-defined devices or types of devices] before establishing a system connection.</p> <h5>Discussion</h5> <p>Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers [IEEE] 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. 
Public Key Infrastructure (PKI) and certificate revocation checking for the certificates exchanged can also be included as part of device authentication.</p> <h5>References</h5> <p>Source control: IA-03<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031) </a></p> </details><details><summary><h4 id="03-05-03">03.05.03 Multi-factor authentication</h4> </summary><p>Implement strong multi-factor authentication (MFA) for access to privileged and non-privileged accounts.</p> <h5>Discussion</h5> <p>This requirement applies to user accounts. Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator, such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards. 
In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level to provide increased information security.</p> <h5>References</h5> <p>Source controls: IA-02(01), IA-02(02)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><details><summary><h4 id="03-05-04">03.05.04 Replay-resistant authentication</h4> </summary><p>Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.</p> <h5>Discussion</h5> <p>Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges, such as time synchronous or challenge-response one-time authenticators.</p> <h5>References</h5> <p>Source control: IA-02(08)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><details><summary><h4 id="03-05-05">03.05.05 Identifier management</h4> </summary><ol class="lst-upr-alph"><li>Receive authorization from organizational personnel or roles to assign an individual, group, role, service, or device identifier.</li> <li>Select and assign an identifier that identifies an individual, group, role, service, or device.</li> <li>Prevent reuse of identifiers for [Assignment: organization-defined time period].</li> <li>Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].</li> </ol><h5>Discussion</h5> <p>Identifiers are provided for users, processes acting on 
behalf of users, and devices. Prohibiting the reuse of identifiers prevents the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.</p> <p>Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides information about the people with whom organizational personnel are communicating. For example, it is useful for an employee to know that one of the individuals on an email message is a contractor.</p> <h5>References</h5> <p>Source controls: IA-04, IA-04(04)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><h4 id="03-05-06">03.05.06 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-05-07">03.05.07 Password management</h4> </summary><ol class="lst-upr-alph"><li>Maintain a list of commonly used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised.</li> <li>Verify that passwords are not found on the list of commonly used, expected, or compromised passwords when users create or update passwords.</li> <li>Transmit passwords only over cryptographically protected channels.</li> <li>Store passwords in a cryptographically protected form.</li> <li>Select a new password upon first use after account recovery.</li> <li>Enforce the following composition and complexity rules for passwords: [Assignment: organization-defined composition and complexity rules].</li> </ol><h5>Discussion</h5> <p>Password-based authentication applies to passwords used in single-factor 
or multi-factor authentication. Long passwords or passphrases are preferable to shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish and enforce certain rules for password generation (e.g., minimum character length) under certain circumstances. For example, account recovery can occur when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof. Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity and reduces the susceptibility to authenticator compromises. 
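The checks in items a to f of this requirement, applied to candidate passwords, as an added example (not code from this publication or from NIST). The blocklist, the service name and the usernames are constructed sample values, MIN_LENGTH stands in for the organization-defined composition rule, and PBKDF2-HMAC-SHA256 from the Python standard library serves as the salted one-way hash:

```python
"""Password screening and storage illustrating the 03.05.07 requirements.

Added example, not Cyber Centre or NIST code. BLOCKLIST, SERVICE_NAME and the
usernames used below are constructed sample values; MIN_LENGTH is a stand-in for
the organization-defined composition rule.
"""
import hashlib
import hmac
import os
import re

# Constructed stand-in for the maintained list of commonly used, expected, or
# compromised passwords (a real list is built from breach corpuses and
# dictionaries and refreshed at the organization-defined frequency).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2024"}
SERVICE_NAME = "acmeportal"   # constructed: name of the service being protected
MIN_LENGTH = 12               # assumed organization-defined minimum length
ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor

# Common substitutions so that "P@ssw0rd" is recognised as a derivative of "password".
_LEET = str.maketrans("@$0134!|", "asoleail")


def _fold(s: str) -> str:
    return s.lower().translate(_LEET)


def _is_repetitive_or_sequential(pw: str) -> bool:
    """True for strings such as 'aaaaaaaa', 'abababab', 'abcdefgh' or '98765432'."""
    s = pw.lower()
    if len(set(s)) <= 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def screen_password(pw: str, username: str) -> list[str]:
    """Return the reasons a candidate password fails the checks (empty list = accepted)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    lowered = pw.lower()
    # Compare the password, the password with trailing digits/symbols removed, and
    # their leetspeak-folded forms against the list, so trivial variants are caught.
    stem = re.sub(r"[^a-z]+$", "", lowered)
    if {lowered, stem, _fold(lowered), _fold(stem)} & BLOCKLIST:
        reasons.append("appears on the list of commonly used, expected, or compromised passwords")

    # Context-specific words: service name, username and derivatives (including reversal).
    folded = _fold(pw)
    for word in (SERVICE_NAME, username.lower()):
        if word and (word in folded or word[::-1] in folded):
            reasons.append(f"contains the context-specific word '{word}' or a derivative")

    if _is_repetitive_or_sequential(pw):
        reasons.append("consists of repetitive or sequential characters")
    return reasons


def hash_password(pw: str) -> str:
    """Store only a salted one-way hash; the record carries the parameters needed to verify."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    alg, iters, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "jsmith-acmeportal-2025", "abcdefghijklmnop",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {screen_password(candidate, 'jsmith') or 'accepted'}")
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

Item c (transmitting passwords only over cryptographically protected channels) is a transport property and is not shown; the screening logic and the self-describing hash record are the parts that belong in application code, and the record format lets the work factor be raised later without invalidating existing entries.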
Long passwords and passphrases can be used to increase the complexity of passwords.</p> <h5>References</h5> <p>Source control: IA-05(01)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><h4 id="03-05-08">03.05.08 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-05-09">03.05.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-05-10">03.05.10 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-05-11">03.05.11 Authentication feedback</h4> </summary><p>Obscure feedback of authentication information during the authentication process.</p> <h5>Discussion</h5> <p>Authentication feedback does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For example, for desktop or notebook computers with relatively large monitors, the threat may be significant (commonly referred to as shoulder surfing). For mobile devices with small displays, this threat may be less significant and is balanced against the increased likelihood of input errors due to small keyboards. Therefore, the means for obscuring the authentication feedback is selected accordingly. 
Obscuring feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a limited time before fully obscuring it.</p> <h5>References</h5> <p>Source control: IA-06<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-05-12">03.05.12 Authenticator management</h4> </summary><ol class="lst-upr-alph"><li>Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution.</li> <li>Establish initial authenticator content for any authenticators issued by the organization.</li> <li>Establish and implement administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators.</li> <li>Change default authenticators at first use.</li> <li>Change or refresh authenticators [Assignment: organization-defined frequency] or when the following events occur: [Assignment: organization-defined events].</li> <li>Protect authenticator content from unauthorized disclosure and modification.</li> </ol><h5>Discussion</h5> <p>Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. The initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, requirements for authenticator content contain specific characteristics. 
Authenticator management is supported by organization-defined settings and restrictions for various authenticator characteristics (e.g., password complexity and composition rules, validation time window for time synchronous one-time tokens, and the number of allowed rejections during the verification stage of biometric authentication).</p> <p>The requirement to protect individual authenticators may be implemented by <a href="#03-15-03">Rules of behaviour 03.15.03</a> for authenticators in the possession of individuals and by <a href="#03-01-01">Account management 03.01.01</a>, <a href="#03-01-02">Access enforcement 03.01.02</a>, <a href="#03-01-05">Least privilege 03.01.05</a>, and <a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a> for authenticators stored in organizational systems. This includes passwords stored in hashed or encrypted formats or files that contain encrypted or hashed passwords accessible with administrator privileges. Actions can be taken to protect authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators.</p> <p>Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well-known, easily discoverable, and present a significant risk. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. 
The use of long passwords or passphrases may obviate the need to periodically change authenticators.</p> <h5>References</h5> <p>Source control: IA-05<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-6">3.6 Incident response</h3> <p>The Incident response controls support the establishment of an operational incident handling capability for organizational systems that includes adequate preparation, monitoring, detection, analysis, containment, recovery, and response. Incidents are monitored, documented, and reported to appropriate organizational officials and authorities.</p> <details><summary><h4 id="03-06-01">03.06.01 Incident handling</h4> </summary><p>Implement an incident-handling capability that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.</p> <h5>Discussion</h5> <p>Incident-related information can be obtained from a variety of sources, including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, 
and reported supply chain events. An effective incident handling capability involves coordination among many organizational entities, including mission and business owners, system owners, human resources offices, physical and personnel security offices, legal departments, operations personnel, and procurement offices.</p> <p>An incident that involves personal information is considered a privacy breach. A privacy breach results in the loss of control, compromise, unauthorized disclosure, unpermitted use, unlawful collection, improper retention or disposal, or a similar occurrence where a person other than an authorized user accesses or potentially accesses such information, or where an authorized user accesses or potentially accesses it for other than authorized purposes.</p> <p>If the incident involves the breach of personal information, notification to the contract owner is mandatory.</p> <h5>References</h5> <p>Source control: IR-04<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Cyber Centre Developing your incident response plan (ITSAP.40.003)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/61/r2/final">NIST SP 800-61 Computer Security Incident Handling Guide</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details><details><summary><h4 id="03-06-02">03.06.02 Incident monitoring, reporting, and response assistance</h4> </summary><ol class="lst-upr-alph"><li>Track and document system security incidents.</li> <li>Report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period].</li> <li>Report incident information to [Assignment: organization-defined authorities].</li> <li>Provide an incident response support resource that offers advice and assistance to system users for the handling and reporting 
of incidents.</li> </ol><h5>Discussion</h5> <p>Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from many sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. <a href="#03-06-01">Incident handling 03.06.01</a> provides information on the types of incidents that are appropriate for monitoring. The types of incidents reported, the content and timeliness of the reports, and the reporting authorities reflect applicable laws, jurisprudence, Orders in Council, directives, regulations, policies, standards, and guidelines. Incident information informs risk assessments, the effectiveness of security and privacy assessments, the security requirements for acquisitions, and the selection criteria for technology products. 
Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensic services or consumer redress services, when required.</p> <h5>References</h5> <p>Source controls: IR-05, IR-06, IR-07<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/61/r2/final">NIST SP 800-61 Computer Security Incident Handling Guide</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/86/final">NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response</a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Cyber Centre Developing your incident response plan (ITSAP.40.003)</a></li> </ul></details><details><summary><h4 id="03-06-03">03.06.03 Incident response testing</h4> </summary><p>Test the effectiveness of the incident response capability [Assignment: organization-defined frequency].</p> <h5>Discussion</h5> <p>Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations. Incident response testing can include a determination of the effects of incident response on organizational operations, organizational assets, and individuals. 
Qualitative and quantitative data can help determine the effectiveness of incident response processes.</p> <h5>References</h5> <p>Source control: IR-03<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/84/final">NIST SP 800-84 Guide to Test, Training, and Exercise Programs for <abbr title="information technology">IT</abbr> Plans and Capabilities</a></p> </details><details><summary><h4 id="03-06-04">03.06.04 Incident response training</h4> </summary><ol class="lst-upr-alph"><li>Provide incident response training to system users consistent with assigned roles and responsibilities: <ol><li>within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access</li> <li>when required by system changes</li> <li>[Assignment: organization-defined frequency] thereafter</li> </ol></li> <li>Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].</li> </ol><h5>Discussion</h5> <p>Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know whom to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of <a href="#03-02-02">Role-based training 03.02.02</a>. 
Events that may cause an update to incident response training content include incident response plan testing, response to an actual incident, audit or assessment findings, or changes in applicable laws, jurisprudence, Orders in Council, policies, directives, regulations, standards, and guidelines.</p> <h5>References</h5> <p>Source control: IR-02<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/86/final">NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/137/final">NIST SP 800-137 Information Security Continuous Monitoring (ISCM)</a></li> </ul></details><details><summary><h4 id="03-06-05">03.06.05 Incident response plan</h4> </summary><ol class="lst-upr-alph"><li>Develop an incident response plan that: <ol><li>provides the organization with a roadmap for implementing its incident response capability</li> <li>describes the structure and organization of the incident response capability</li> <li>provides a high-level approach for how the incident response capability fits into the overall organization</li> <li>defines reportable incidents</li> <li>addresses the sharing of incident information</li> <li>designates responsibilities to organizational entities, personnel, or roles</li> </ol></li> <li>Distribute copies of the incident response plan to designated incident response personnel (identified by name and/or by role) and organizational elements.</li> <li>Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.</li> <li>Protect the incident response plan from unauthorized disclosure.</li> </ol><h5>Discussion</h5> <p>It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. 
As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain.</p> <h5>References</h5> <p>Source control: IR-08<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Cyber Centre Developing your incident response plan (ITSAP.40.003)</a></li> <li><a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/dvlpng-ndnt-rspns-pln/index-en.aspx">Public Safety Canada Developing an Operational Technology and Information Technology Incident Response Plan</a></li> <li><a href="https://laws-lois.justice.gc.ca/eng/regulations/SOR-2018-64/index.html">Breach of Security Safeguards Regulations SOR/2018-64</a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-7">3.7 Maintenance</h3> <p>The Maintenance controls support periodic and timely maintenance on organizational systems and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance to ensure its ongoing availability.</p> <h4 id="03-07-01">03.07.01 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards 
and Technology">NIST</abbr>.</p> <h4 id="03-07-02">03.07.02 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-07-03">03.07.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-07-04">03.07.04 Maintenance tools</h4> </summary><ol class="lst-upr-alph"><li>Approve, control, and monitor the use of system maintenance tools.</li> <li>Check media containing diagnostic and test programs for malicious code before the media are used in the system.</li> <li>Prevent the removal of system maintenance equipment containing <abbr title="controlled information">CI</abbr> by verifying that there is no <abbr title="controlled information">CI</abbr> on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility.</li> </ol><h5>Discussion</h5> <p>Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with the tools that are used for diagnostic and repair actions on the system. Maintenance tools can include hardware and software diagnostic and test equipment as well as packet sniffers. The tools may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Diagnostic and test programs are potential vehicles for transporting malicious code into the system, either intentionally or unintentionally. Examples of media inspection include checking the cryptographic hash or digital signatures of diagnostic and test programs and media.</p> <p>If organizations inspect media that contain diagnostic and test programs and determine that the media also contains malicious code, the incident is handled consistent with incident handling policies and procedures. 
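The media inspection described above, as an added example (not code from this publication or from NIST): a verifier that hashes every file on the maintenance media with SHA-256 and compares the results against a manifest obtained separately from the tool's vendor, flagging modified, missing and unlisted files so that approval of the media is a yes/no decision. The manifest format and the sample files are constructed for the illustration.

```python
"""Integrity check of diagnostic/test programs on maintenance media (03.07.04 b).

Added example, not Cyber Centre or NIST code. The manifest format (one
"<sha256 hex>  <relative path>" line per file) and the sample files written by
build_sample_media() are constructed for this illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large diagnostic images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'digest  relative/path' lines (sha256sum layout); '#' lines are comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected


def check_media(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify every file on the media as ok, modified, missing, or unlisted."""
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for rel, digest in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_file(present[rel]) == digest:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    # Files the vendor never listed are as suspicious as altered ones.
    result["unlisted"] = sorted(set(present) - set(manifest))
    return result


def media_approved(result: dict[str, list[str]]) -> bool:
    """The media may be used only if every listed file is present and intact and nothing extra is on it."""
    return not (result["modified"] or result["missing"] or result["unlisted"])


def build_sample_media() -> tuple[Path, str]:
    """Constructed sample: two files as shipped, then one altered, one missing and one extra."""
    root = Path(tempfile.mkdtemp(prefix="maint-media-"))
    shipped = {
        "diag/memtest.bin": b"\x7fELF constructed diagnostic image",
        "diag/README.txt": b"Vendor diagnostics v1",
        "diag/firmware.hex": b"constructed firmware image",   # listed but never copied
    }
    lines = [f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in shipped.items()]
    for rel in ("diag/memtest.bin", "diag/README.txt"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(shipped[rel])
    # Changes made after the manifest was published.
    (root / "diag/README.txt").write_bytes(b"Vendor diagnostics v1 (altered)")
    (root / "extra").mkdir()
    (root / "extra/unknown_tool.bin").write_bytes(b"not on the manifest")
    return root, "# constructed vendor manifest\n" + "\n".join(lines)


if __name__ == "__main__":
    media_root, manifest_text = build_sample_media()
    report = check_media(media_root, parse_manifest(manifest_text))
    for category, files in report.items():
        print(f"{category:9s} {files}")
    print("approved:", media_approved(report))
```

The manifest must come from a channel independent of the media itself (otherwise whoever altered the media could rewrite the manifest to match); where the vendor signs the manifest, verifying that signature before trusting the digests is the step that covers the "digital signatures" case in the discussion. A rejected result is the trigger for the incident handling described in the following sentence.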
A periodic review of maintenance tools can result in the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools do not address the hardware and software components that support maintenance and are considered a part of the system.</p> <h5>References</h5> <p>Source controls: MA-03, MA-03(01), MA-03(02), MA-03(03)<br /> Supporting publications: <a href="https://www.cyber.gc.ca/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006)</a></p> </details><details><summary><h4 id="03-07-05">03.07.05 Non-local maintenance</h4> </summary><ol class="lst-upr-alph"><li>Approve and monitor non-local maintenance and diagnostic activities.</li> <li>Implement multi-factor authentication and replay resistance in the establishment of non-local maintenance and diagnostic sessions.</li> <li>Terminate session and network connections when non-local maintenance is completed.</li> </ol><h5>Discussion</h5> <p>Non-local maintenance and diagnostic activities are conducted by individuals who communicate through an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. 
Authentication techniques used to establish non-local maintenance and diagnostic sessions reflect the requirements in <a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a>.</p> <h5>References</h5> <p>Source control: MA-04<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031) </a></li> <li><a href="/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> <li><a href="/en/identity-credential-and-access-management-icam-itsap30018">Cyber Centre Identity, Credential, and Access Management (ICAM) (ITSAP.30.018) </a></li> </ul></details><details><summary><h4 id="03-07-06">03.07.06 Maintenance personnel</h4> </summary><ol class="lst-upr-alph"><li>Establish a process for maintenance personnel authorization.</li> <li>Maintain a list of authorized maintenance organizations or personnel.</li> <li>Verify that non-escorted personnel who perform maintenance on the system possess the required access authorizations.</li> <li>Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.</li> </ol><h5>Discussion</h5> <p>Maintenance personnel refers to individuals who perform hardware or software maintenance on the system, while <a href="#03-10-01">Physical access authorizations 03.10.01</a> addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the system. The technical competence of supervising individuals relates to the maintenance performed on the system, while having required access authorizations refers to maintenance on and near the system. 
Individuals who have not been previously identified as authorized maintenance personnel (e.g., manufacturers, consultants, systems integrators, and vendors) may require privileged access to the system, such as when they are required to conduct maintenance with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on their risk assessments. Temporary credentials may be for one-time use or for very limited time periods.</p> <h5>References</h5> <p>Source control: MA-05<br /> Supporting publications: None</p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-8">3.8 Media protection</h3> <p>Physically control and securely store system media containing <abbr title="controlled information">CI</abbr>.</p> <details><summary><h4 id="03-08-01">03.08.01 Media storage</h4> </summary><p>Physically control and securely store system media containing <abbr title="controlled information">CI</abbr>.</p> <h5>Discussion</h5> <p>System media includes digital and non-digital media. 
Digital media includes diskettes, flash drives, magnetic tapes, external or removable solid state or magnetic drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, establishing procedures to allow individuals to check out and return media to libraries, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. Controlled areas provide physical and procedural controls to meet the requirements established for protecting information and systems. Sanitization techniques (e.g., cryptographically erasing, destroying, clearing, and purging) prevent the disclosure of <abbr title="controlled information">CI</abbr> to unauthorized individuals. The sanitization process removes <abbr title="controlled information">CI</abbr> from media such that the information cannot be retrieved or reconstructed.</p> <h5>References</h5> <p>Source control: MP-04<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices </a></li> <li><a href="/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> </ul></details><details><summary><h4 id="03-08-02">03.08.02 Media access</h4> </summary><p>Restrict access to <abbr title="controlled information">CI</abbr> on system media to authorized personnel or roles.</p> <h5>Discussion</h5> <p>System media includes digital and non-digital media. Access to <abbr title="controlled information">CI</abbr> on system media can be restricted by physically controlling such media. 
This includes conducting inventories, ensuring that procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for stored media. For digital media, access to <abbr title="controlled information">CI</abbr> can be restricted by using cryptographic means. Encrypting data in storage or at rest is addressed in <a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a>.</p> <h5>References</h5> <p>Source control: MP-02<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></p> </details><details><summary><h4 id="03-08-03">03.08.03 Media sanitization</h4> </summary><p>Sanitize system media containing <abbr title="controlled information">CI</abbr> prior to disposal, release out of organizational control, or release for reuse.</p> <h5>Discussion</h5> <p>Media sanitization applies to digital and non-digital media subject to disposal or reuse, whether or not the media are considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, mobile devices, network components, and non-digital media. The sanitization process removes <abbr title="controlled information">CI</abbr> from media such that the information cannot be retrieved or reconstructed. Sanitization techniques (e.g., cryptographically erasing, clearing, purging, and destroying) prevent the disclosure of <abbr title="controlled information">CI</abbr> to unauthorized individuals when such media is reused or released for disposal. 
Cyber Centre and <abbr title="Royal Canadian Mounted Police">RCMP</abbr> endorsed standards control the sanitization process for media containing <abbr title="controlled information">CI</abbr> and may require destruction when other methods cannot be applied to the media.</p> <h5>References</h5> <p>Source control: MP-06<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> <li><a href="https://www.rcmp-grc.gc.ca/physec-secmat/res-lim/pubs/seg/html/home_e.htm"><abbr title="Royal Canadian Mounted Police">RCMP</abbr> G1-001 Security Equipment Guide (restricted to <abbr title="Government of Canada">GC</abbr>)</a></li> </ul></details><details><summary><h4 id="03-08-04">03.08.04 Media marking</h4> </summary><p>Mark system media containing <abbr title="controlled information">CI</abbr> to indicate distribution limitations, handling caveats, and applicable <abbr title="controlled information">CI</abbr> markings.</p> <h5>Discussion</h5> <p>System media includes digital and non-digital media. Marking refers to the use or application of human-readable security attributes. Labeling refers to the use of security attributes for internal system data structures. Digital media includes diskettes, magnetic tapes, external or removable solid state or magnetic drives, flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. <abbr title="controlled information">CI</abbr> includes Protected A, Protected B and controlled goods information that is not classified. 
Protected information is defined by the <abbr title="Treasury Board Secretariat">TBS</abbr> <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32614">Directive on Security Management, Appendix J: Standard on Security Categorization</a> along with marking, safeguarding, and dissemination requirements for such information.</p> <h5>References</h5> <p>Source control: MP-03<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-08-05">03.08.05 Media transport</h4> </summary><ol class="lst-upr-alph"><li>Protect and control system media that contain <abbr title="controlled information">CI</abbr> during transport outside of controlled areas.</li> <li>Maintain accountability of system media that contain <abbr title="controlled information">CI</abbr> during transport outside of controlled areas.</li> <li>Document activities associated with the transport of system media that contain <abbr title="controlled information">CI</abbr>.</li> </ol><h5>Discussion</h5> <p>System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable solid state or magnetic drives, compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural measures to meet the requirements established for protecting <abbr title="controlled information">CI</abbr> and systems. Media protection during transport can include cryptography and/or locked containers. Activities associated with media transport include releasing media for transport, ensuring that media enter the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. 
Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking or obtaining records of transport activities as the media move through the transportation system to prevent and detect loss, destruction, or tampering. This requirement is related to <a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a> and <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source controls: MP-05, SC-28<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></p> </details><h4 id="03-08-06">03.08.06 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-08-07">03.08.07 Media use</h4> </summary><ol class="lst-upr-alph"><li>Restrict or prohibit the use of [Assignment: organization-defined types of system media].</li> <li>Prohibit the use of removable system media without an identifiable owner.</li> </ol><h5>Discussion</h5> <p>In contrast to requirement <a href="#03-08-01">Media storage 03.08.01</a>, which restricts user access to media, this requirement restricts or prohibits the use of certain types of media, such as external hard drives, flash drives, or smart displays. Organizations can use technical and non-technical measures (e.g., policies, procedures, and rules of behaviour) to control the use of system media. For example, organizations may control the use of portable storage devices by using physical cages on workstations to prohibit access to external ports or disabling or removing the ability to insert, read, or write to devices.</p> <p>Organizations may limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. 
Organizations may also control the use of portable storage devices based on the type of device — prohibiting the use of writeable, portable devices — and implement this restriction by disabling or removing the capability to write to such devices. Limits on the use of organization-controlled system media in external systems include restrictions on how the media may be used and under what conditions. Requiring identifiable owners (e.g., individuals, organizations, or projects) for removable system media reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the media (e.g., insertion of malicious code).</p> <h5>References</h5> <p>Source control: MP-07<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></p> </details><h4 id="03-08-08">03.08.08 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-08-09">03.08.09 System backup – cryptographic protection</h4> </summary><ol class="lst-upr-alph"><li>Protect the confidentiality of backup information.</li> <li>Implement cryptographic mechanisms to prevent the unauthorized disclosure of <abbr title="controlled information">CI</abbr> at backup storage locations.</li> </ol><h5>Discussion</h5> <p>The selection of cryptographic mechanisms is based on the need to protect the confidentiality of backup information. Hardware security module (HSM) devices safeguard and manage cryptographic keys and provide cryptographic processing. Cryptographic operations (e.g., encryption, decryption, and signature generation and verification) are typically hosted on the <abbr title="hardware security module">HSM</abbr> device, and many implementations provide hardware-accelerated mechanisms for cryptographic operations. 
This requirement is related to <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source controls: CP-09, CP-09(08)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final">NIST SP 800-34 Contingency Planning Guide for Federal Information Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/130/final">NIST SP 800-130 A Framework for Designing Cryptographic Key Management Systems</a></li> </ul></details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-9">3.9 Personnel security</h3> <p>The Personnel security controls support the procedures required to ensure that all personnel who have access to systems have the necessary authorizations as well as appropriate security screening levels. 
They ensure that organizational information and systems are protected during and after personnel actions such as terminations and transfers.</p> <details><summary><h4 id="03-09-01">03.09.01 Personnel screening</h4> </summary><ol class="lst-upr-alph"><li>Screen individuals prior to authorizing access to the system.</li> <li>Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening].</li> </ol><h5>Discussion</h5> <p>Personnel security screening activities involve the assessment of the conduct, integrity, judgment, loyalty, reliability, and stability of an individual (i.e., the individual’s trustworthiness) prior to authorizing access to the system or when elevating system access. The screening and rescreening activities reflect applicable federal laws, Orders in Council, directives, policies, regulations, and criteria established for the level of access required for the assigned positions.</p> <h5>References</h5> <p>Source control: PS-03<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/181/r1/final">NIST SP 800-181 Workforce Framework for Cybersecurity (NICE Framework) </a></li> <li><a href="https://www.tpsgc-pwgsc.gc.ca/esc-src/msc-csm/index-eng.html">PSPC Contract Security Manual </a></li> </ul></details><details><summary><h4 id="03-09-02">03.09.02 Personnel termination and transfer</h4> </summary><ol class="lst-upr-alph"><li>When individual employment is terminated: <ol><li>disable system access within [Assignment: organization-defined time period]</li> <li>terminate or revoke authenticators and credentials associated with the individual</li> <li>retrieve security-related system property</li> </ol></li> <li>When individuals are reassigned or transferred to 
other positions in the organization: <ol><li>review and confirm the ongoing operational need for current logical and physical access authorizations to the system and facility</li> <li>modify access authorization to correspond with any changes in operational need</li> </ol></li> </ol><h5>Discussion</h5> <p>Security-related system property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that accountability is achieved for the organizational property. Security topics at exit interviews include reminding individuals of potential limitations on future employment and nondisclosure agreements. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment.</p> <p>The timely execution of termination actions is essential for individuals who have been terminated for cause. Organizations may consider disabling the accounts of individuals who are being terminated prior to the individuals being notified. This requirement applies to the reassignment or transfer of individuals when the personnel action is permanent or of such extended duration as to require protection. 
Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new identification cards, keys, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing access to official records to which individuals had access at previous work locations in previous system accounts.</p> <h5>References</h5> <p>Source controls: PS-04, PS-05<br /> Supporting publications: None</p> </details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-10">3.10 Physical protection</h3> <p>The Physical protection controls support the control of physical access to systems, equipment, and the respective operating environments to authorized individuals. 
They facilitate the protection of the physical plant and support infrastructure for systems, the protection of systems against environmental hazards, and provide appropriate environmental controls in facilities containing systems.</p> <details><summary><h4 id="03-10-01">03.10.01 Physical access authorizations</h4> </summary><ol class="lst-upr-alph"><li>Develop, approve, and maintain a list of individuals with authorized access to the physical location where the system resides.</li> <li>Issue authorization credentials for physical access.</li> <li>Review the physical access list [Assignment: organization-defined frequency].</li> <li>Remove individuals from the physical access list when access is no longer required.</li> </ol><h5>Discussion</h5> <p>A facility can include one or more physical locations containing systems or system components that process, store, or transmit <abbr title="controlled information">CI</abbr>. Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include identification badges, identification cards, and smart cards. Organizations determine the strength of the authorization credentials consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. 
Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.</p> <h5>References</h5> <p>Source control: PE-02<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-10-02">03.10.02 Monitoring physical access</h4> </summary><ol class="lst-upr-alph"><li>Monitor physical access to the facility where the system resides to detect and respond to physical security incidents.</li> <li>Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events].</li> </ol><h5>Discussion</h5> <p>A facility can include one or more physical locations containing systems or system components that process, store, or transmit <abbr title="controlled information">CI</abbr>. Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls if the access logs are part of an automated system. Incident response capabilities include investigations of physical security incidents and responses to those incidents. 
Incidents include security violations or suspicious physical access activities, such as access outside of normal work hours, repeated access to areas not normally accessed, access for unusual lengths of time, and out-of-sequence access.</p> <h5>References</h5> <p>Source control: PE-06<br /> Supporting publications: None</p> </details><h4 id="03-10-03">03.10.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-10-04">03.10.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-10-05">03.10.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-10-06">03.10.06 Alternate work site</h4> </summary><ol class="lst-upr-alph"><li>Determine alternate work sites allowed for use by employees.</li> <li>Employ the following security requirements at alternate work sites: [Assignment: organization-defined security requirements].</li> </ol><h5>Discussion</h5> <p>Alternate work sites include the private residences of employees or other facilities designated by the organization. Alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different security requirements for specific alternate work sites or types of sites, depending on the work-related activities conducted at the sites. 
Assessing the effectiveness of the requirements and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.</p> <h5>References</h5> <p>Source control: PE-17<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003">Cyber Centre End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User’s Guide to Telework and Bring Your Own Device (BYOD) Security</a></li> </ul></details><details><summary><h4 id="03-10-07">03.10.07 Physical access control</h4> </summary><ol class="lst-upr-alph"><li>Enforce physical access authorizations at entry and exit points to the facility where the system resides by: <ol><li>verifying individual physical access authorizations before granting access to the facility</li> <li>controlling ingress and egress with physical access control systems, devices or guards</li> </ol></li> <li>Maintain physical access audit logs for entry or exit points.</li> <li>Escort visitors and control visitor activity.</li> <li>Secure keys, combinations, and other physical access devices.</li> <li>Control physical access to output devices to prevent unauthorized individuals from obtaining access to <abbr title="controlled information">CI</abbr>.</li> </ol><h5>Discussion</h5> <p>This requirement addresses physical locations containing systems or system components that process, store, or transmit <abbr title="controlled information">CI</abbr>. Organizations determine the types of guards needed, including professional security staff or administrative staff. 
Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, Orders in Council, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include exterior access points, interior access points to systems that require supplemental access controls, or both. Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors.</p> <p>Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and only allowing access to authorized individuals, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, facsimile machines, audio devices, and copiers.</p> <h5>References</h5> <p>Source controls: PE-03, PE-05<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-10-08">03.10.08 Access control for transmission</h4> </summary><p>Control physical access to system distribution and transmission lines in organizational facilities.</p> <h5>Discussion</h5> <p>Safeguarding measures applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such measures may also be necessary to prevent eavesdropping or the modification of unencrypted transmissions. 
Safeguarding measures used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protecting cabling with conduit or cable trays, and wiretapping sensors.</p> <h5>References</h5> <p>Source control: PE-04<br /> Supporting publications: None</p> </details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-11">3.11 Risk assessment</h3> <p>The Risk assessment controls deal with the periodic conduct of risk assessments, including privacy impact assessments, resulting from the operation of organizational systems and associated handling, storage, or transmission of data and information.</p> <details><summary><h4 id="03-11-01">03.11.01 Risk assessment</h4> </summary><ol class="lst-upr-alph"><li>Assess the risk (including supply chain risk) of unauthorized disclosure resulting from the handling, processing, storage, or transmission of <abbr title="controlled information">CI</abbr>.</li> <li>Update risk assessments [Assignment: organization-defined frequency].</li> </ol><h5>Discussion</h5> <p>Establishing the system boundary is a prerequisite to assessing the risk of unauthorized disclosure of <abbr title="controlled information">CI</abbr>. 
Risk assessments consider threats, vulnerabilities, likelihood, and adverse impacts to organizational operations and assets based on the operation and use of the system and the unauthorized disclosure of <abbr title="controlled information">CI</abbr>. Risk assessments also consider risks from external parties (e.g., contractors operating systems on behalf of the organization, service providers, individuals accessing systems, and outsourcing entities). Risk assessments can be conducted at the organization level, the mission or business process level, or the system level and at any phase in the system development life cycle. Risk assessments include supply chain-related risks associated with suppliers or contractors and the system, system component, or system service that they provide.</p> <h5>References</h5> <p>Source controls: RA-03, RA-03(01), SR-06<br /> Supporting publications:</p> <ul><li><a href="/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li><a href="/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber Centre Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="/en/guidance/supply-chain-security-small-and-medium-sized-organizations-itsap00070">Cyber Centre Supply chain security for small and medium-sized organizations (ITSAP.00.070)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/30/r1/final">NIST SP 800-30 Guide for Conducting Risk Assessments</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details><details><summary><h4 id="03-11-02">03.11.02 Vulnerability monitoring and scanning</h4> </summary><ol class="lst-upr-alph"><li>Monitor and scan for vulnerabilities in the system [Assignment: organization-defined frequency] and when new 
vulnerabilities affecting the system are identified.</li> <li>Remediate system vulnerabilities within [Assignment: organization-defined response times].</li> <li>Update system vulnerabilities to be scanned [Assignment: organization-defined frequency] and when new vulnerabilities are identified and reported.</li> </ol><h5>Discussion</h5> <p>Organizations determine the required vulnerability scanning for system components and ensure that potential sources of vulnerabilities (e.g., networked printers, scanners, and copiers) are not overlooked. Vulnerability analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, or binary analysis. Organizations can use these approaches in source code reviews and tools (e.g., static analysis tools, web-based application scanners, binary analyzers). Vulnerability scanning includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating flow control mechanisms.</p> <p>To facilitate interoperability, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention. 
Sources for vulnerability information also include the Common Weakness Enumeration (CWE) listing, the National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS).</p> <h5>References</h5> <p>Source controls: RA-05, RA-05(02)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/40/r4/final">NIST SP 800-40 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/53/a/r5/final">NIST SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/70/r4/final">NIST SP 800-70 National Checklist Program for <abbr title="information technology">IT</abbr> Products: Guidelines for Checklist Users and Developers</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/115/final">NIST SP 800-115 Technical Guide to Information Security Testing and Assessment</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/126/r3/final">NIST SP 800-126 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3</a></li> <li><a href="/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Cyber Centre Top 10 <abbr title="information technology">IT</abbr> security actions: No.2 patch operating systems and applications (ITSM.10.096)</a></li> </ul></details><h4 id="03-11-03">03.11.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-11-04">03.11.04 Risk response</h4> </summary><p>Respond to findings from security assessments, monitoring, and audits.</p> <h5>Discussion</h5> <p>This requirement addresses the need to determine an appropriate response to risk before generating a plan of action and milestones (POAM) entry. 
It may be possible to mitigate the risk immediately so that a <abbr title="plan of action and milestones">POAM</abbr> entry is not needed. However, a <abbr title="plan of action and milestones">POAM</abbr> entry is generated if the risk response is to mitigate the identified risk and the mitigation cannot be completed immediately.</p> <h5>References</h5> <p>Source control: RA-07<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems </a></li> </ul></details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-12">3.12 Security assessment and monitoring</h3> <p>The Security assessment and monitoring controls deal with the security assessment and monitoring of the system.</p> <details><summary><h4 id="03-12-01">03.12.01 Security assessment</h4> </summary><p>Assess the security and privacy requirements for the system and its environment of operation [Assignment: organization-defined frequency] to determine if the requirements have been satisfied.</p> <h5>Discussion</h5> <p>By assessing the security and 
privacy requirements, organizations determine whether the necessary safeguards and countermeasures are implemented correctly, operating as intended, and producing the desired outcome. Security assessments identify weaknesses and deficiencies in the system and provide the essential information needed to make risk-based decisions. Security and privacy assessment reports document assessment results in sufficient detail as deemed necessary by the organization to determine the accuracy and completeness of the reports. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.</p> <h5>References</h5> <p>Source control: CA-02<br /> Supporting publications:</p> <ul><li>Cyber Centre Security and privacy controls and assurance activities catalogue (ITSP.10.033)</li> <li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> <li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/115/final">NIST SP 800-115 Technical Guide to Information Security Testing and Assessment</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/53/a/r5/final">NIST SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations</a></li> </ul></details><details><summary><h4 id="03-12-02">03.12.02 Plan of action and milestones</h4> </summary><ol class="lst-upr-alph"><li>Develop a plan of action and milestones (POAMs) for the system to: <ol><li>document the planned remediation actions to correct weaknesses or deficiencies noted during security assessments</li> <li>reduce or eliminate known system vulnerabilities</li> </ol></li> <li>Update the existing <abbr 
title="plan of action and milestones">POAM</abbr>s based on the findings from: <ol><li>security assessments</li> <li>audits or reviews</li> <li>continuous monitoring activities</li> </ol></li> </ol><h5>Discussion</h5> <p><abbr title="plan of action and milestones">POAM</abbr>s are important documents in organizational security and privacy programs. Organizations use <abbr title="plan of action and milestones">POAM</abbr>s to describe how unsatisfied security requirements will be met and how planned mitigations will be implemented. Organizations can document system security plans and <abbr title="plan of action and milestones">POAM</abbr>s as separate or combined documents and in any format.</p> <h5>References</h5> <p>Source control: CA-05<br /> Supporting publications: Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</p> </details><details><summary><h4 id="03-12-03">03.12.03 Continuous monitoring</h4> </summary><p>Develop and implement a system-level continuous monitoring strategy that includes ongoing monitoring and security assessments.</p> <h5>Discussion</h5> <p>Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk-based decisions. 
Different types of security and privacy requirements may require different monitoring frequencies.</p> <h5>References</h5> <p>Source control: CA-07<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/115/final">NIST SP 800-115 Technical Guide to Information Security Testing and Assessment</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/137/final">NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/53/a/r5/final">NIST SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations</a></li> </ul></details><h4 id="03-12-04">03.12.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-12-05">03.12.05 Information exchange</h4> </summary><ol class="lst-upr-alph"><li>Approve and manage the exchange of <abbr title="controlled information">CI</abbr> between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; information sharing arrangements; service level agreements; user agreements; nondisclosure agreements].</li> <li>Document, as part of the exchange agreements, interface characteristics, security and privacy requirements, and responsibilities for each system.</li> <li>Review and update the exchange agreements [Assignment: organization-defined frequency].</li> </ol><h5>Discussion</h5> <p>Information exchange applies to information exchanges between two or more systems, both internal and external to the organization. 
Organizations consider the risks related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security requirements or policies. The types of agreements selected are based on factors such as the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual) and the level of access to the organizational system by users of the other system. The types of agreements can include information exchange security agreements, interconnection security agreements, memoranda of understanding or agreement, information sharing arrangements, service-level agreements, or other types of agreements.</p> <p>Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal departments and agencies and non-federal organizations (e.g., service providers, contractors, system developers, and system integrators). 
The types of information contained in exchange agreements include the interface characteristics, security and privacy requirements, controls, and responsibilities for each system.</p> <h5>References</h5> <p>Source control: CA-03<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022) </a></li> <li><a href="/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38">Cyber Centre Network security zoning – Design considerations for placement of services within zones (ITSG-38) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/47/r1/final">NIST SP 800-47 Managing the Security of Information Exchanges </a></li> </ul></details></section> <section><h3 class="h2 mrgn-tp-lg" id="3-13">3.13 System and communications protection</h3> <p>The System and communications protection controls support the monitoring, control and protection of the systems themselves and of the communications between and within the systems.</p> 
<details><summary><h4 id="03-13-01">03.13.01 Boundary protection</h4> </summary><ol class="lst-upr-alph"><li>Monitor and control communications at the external managed interfaces to the system and key internal managed interfaces within the system.</li> <li>Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.</li> <li>Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.</li> </ol><h5>Discussion</h5> <p>Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. 
Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, and prohibiting both internal and external address spoofing for protocols crossing the boundary.</p> <h5>References</h5> <p>Source control: SC-07<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38">Cyber Centre Network security zoning – Design considerations for placement of services within zones (ITSG-38)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/189/final">NIST SP 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/41/r1/final">NIST SP 800-41 Guidelines on Firewalls and Firewall Policy</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/125/b/final">NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/207/final">NIST SP 800-207 Zero Trust Architecture</a></li> </ul></details><h4 id="03-13-02">03.13.02 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-13-03">03.13.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> 
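As an added example (not part of the Cyber Centre publication), the following Python reference model encodes the 03.13.01 discussion above, anti-spoofing on both managed interfaces and external web traffic restricted to designated servers, as a deny-by-default, allow-by-exception decision function that can be unit-tested before the same policy is written into a boundary device. All address ranges, server addresses and interface names are constructed sample values.

```python
"""Reference model of a boundary-protection policy (03.13.01).

Added example; not the publication's own code. The model is stateless: a real
boundary device also admits return traffic for established connections through
connection tracking, which is deliberately omitted here.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not from the publication).
ORG_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DMZ_WEB_SERVERS = {ip_address("192.168.100.10"), ip_address("192.168.100.11")}
DESIGNATED_RESOLVERS = {ip_address("198.51.100.53")}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the boundary device."""
    ingress: str   # managed interface it arrived on: "external" or "internal"
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


def is_org_address(addr) -> bool:
    """True if the address belongs to organization-controlled space (incl. DMZ)."""
    return any(addr in net for net in ORG_NETS)


def evaluate(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for a packet crossing the boundary.

    Order matters: anti-spoofing first, then the explicit exceptions,
    then the default deny that applies to everything else.
    """
    if pkt.ingress not in ("external", "internal"):
        raise ValueError(f"unknown managed interface: {pkt.ingress}")
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # 1. Address spoofing is prohibited in both directions.
    if pkt.ingress == "external" and is_org_address(src):
        return "drop", "spoofed: external packet claims an internal source"
    if pkt.ingress == "internal" and not is_org_address(src):
        return "drop", "spoofed: internal packet claims an external source"

    # 2. Inbound exceptions: external web traffic only to designated DMZ servers.
    if pkt.ingress == "external":
        if pkt.proto == "tcp" and pkt.dport in WEB_PORTS and dst in DMZ_WEB_SERVERS:
            return "accept", "inbound web to designated DMZ web server"
        return "drop", "default deny (inbound)"

    # 3. Outbound exceptions: web to external hosts, DNS to designated resolvers.
    if pkt.proto == "tcp" and pkt.dport in WEB_PORTS and not is_org_address(dst):
        return "accept", "outbound web"
    if pkt.proto == "udp" and pkt.dport == 53 and dst in DESIGNATED_RESOLVERS:
        return "accept", "outbound DNS to designated resolver"
    return "drop", "default deny (outbound)"


def audit(packets: list[Packet]) -> dict[str, int]:
    """Tally verdicts over a packet sample; handy as a regression check."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        verdict, _ = evaluate(pkt)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic exercising each branch of the policy.
    sample = [
        Packet("external", "203.0.113.5", "192.168.100.10", "tcp", 443),
        Packet("external", "203.0.113.5", "10.1.2.3", "tcp", 443),
        Packet("external", "10.0.0.7", "192.168.100.10", "tcp", 443),
        Packet("internal", "10.1.2.3", "198.51.100.20", "tcp", 443),
        Packet("internal", "198.51.100.9", "198.51.100.20", "tcp", 443),
        Packet("internal", "10.1.2.3", "198.51.100.53", "udp", 53),
    ]
    for p in sample:
        print(p.ingress, p.src, "->", p.dst, p.proto, p.dport, *evaluate(p))
    print(audit(sample))
```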
<details><summary><h4 id="03-13-04">03.13.04 Information in shared system resources</h4> </summary><p>Prevent unauthorized and unintended information transfer via shared system resources.</p> <h5>Discussion</h5> <p>Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, the control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted, covert channels (including storage and timing channels) in which shared system resources are manipulated to violate information flow restrictions, or components within systems for which there are only single users or roles.</p> <h5>References</h5> <p>Source control: SC-04<br /> Supporting publications: None</p> </details><h4 id="03-13-05">03.13.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-13-06">03.13.06 Network communications – deny by default – allow by exception</h4> </summary><p>Deny network communications traffic by default and allow network communications traffic by exception.</p> <h5>Discussion</h5> <p>This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. 
A deny-all, allow-by-exception network communications traffic policy ensures that only essential and approved connections are allowed.</p> <h5>References</h5> <p>Source control: SC-07(05)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/41/r1/final">NIST SP 800-41 Guidelines on Firewalls and Firewall Policy</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/189/final">NIST SP 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation</a></li> </ul></details><h4 id="03-13-07">03.13.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-13-08">03.13.08 Transmission and storage confidentiality</h4> </summary><p>Implement cryptographic mechanisms to prevent the unauthorized disclosure of <abbr title="controlled information">CI</abbr> during transmission and while in storage.</p> <h5>Discussion</h5> <p>This requirement applies to internal and external networks and any system components that can transmit <abbr title="controlled information">CI</abbr>, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are susceptible to interception and modification. Encryption protects <abbr title="controlled information">CI</abbr> from unauthorized disclosure during transmission and while in storage. Cryptographic mechanisms that protect the confidentiality of <abbr title="controlled information">CI</abbr> during transmission include <abbr title="Transport Layer Security">TLS</abbr> and IPsec. 
Information in storage (i.e., information at rest) refers to the state of <abbr title="controlled information">CI</abbr> when it is not in process or in transit and resides on internal or external storage devices, storage area network devices, and databases. Protecting <abbr title="controlled information">CI</abbr> in storage does not focus on the type of storage device or the frequency of access to that device but rather on the state of the information. This requirement relates to <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source controls: SC-08, SC-08(01), SC-28, SC-28(01)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cyber Centre Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information (ITSP.40.111)</a></li> <li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules</a></li> <li><a href="https://csrc.nist.gov/pubs/fips/197/final">NIST FIPS 197 Advanced Encryption Standard</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/52/r2/final">NIST SP 800-52 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final">NIST SP 800-56A Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/b/r2/final">NIST SP 800-56B Recommendation for Pair-Wise Key-Establishment Schemes Using Integer 
Factorization Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final">NIST SP 800-56C Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57-1 Recommendation for Key Management: Part 1 – General</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt2/r1/final">NIST SP 800-57-2 Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final">NIST SP 800-57-3 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/113/final">NIST SP 800-113 Guide to SSL <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User’s Guide to Telework and Bring Your Own Device (BYOD) Security</a></li> <li><a href="/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003">Cyber Centre End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/121/r2/upd1/final">NIST SP 800-121 Guide to Bluetooth Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/177/r1/final">NIST SP 800-177 Trustworthy Email</a></li> </ul></details><details><summary><h4 id="03-13-09">03.13.09 Network disconnect</h4> </summary><p>Terminate 
network connections associated with communications sessions at the end of the sessions or after [Assignment: organization-defined time period] of inactivity.</p> <h5>Discussion</h5> <p>This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating <abbr title="Transmission Control Protocol/Internet Protocol">TCP/IP</abbr> addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.</p> <h5>References</h5> <p>Source control: SC-10<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-13-10">03.13.10 Cryptographic key establishment and management</h4> </summary><p>Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].</p> <h5>Discussion</h5> <p>Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Orders in Council, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. 
This requirement is related to <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source control: SC-12<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final">NIST SP 800-56A Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/b/r2/final">NIST SP 800-56B Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final">NIST SP 800-56C Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57-1 Recommendation for Key Management: Part 1 – General</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt2/r1/final">NIST SP 800-57-2 Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final">NIST SP 800-57-3 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance</a></li> </ul></details><details><summary><h4 id="03-13-11">03.13.11 Cryptographic protection</h4> </summary><p>Implement the following types of cryptography when used to protect the confidentiality of <abbr title="controlled information">CI</abbr>: [Assignment: organization-defined types of cryptography].</p> <h5>Discussion</h5> <p>Cryptography is implemented in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. 
Federal Information Processing Standards (FIPS)-validated cryptography is recommended for the protection of <abbr title="controlled information">CI</abbr>.</p> <h5>References</h5> <p>Source control: SC-13<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules</a></p> </details><details><summary><h4 id="03-13-12">03.13.12 Collaborative computing devices and applications</h4> </summary><ol class="lst-upr-alph"><li>Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed].</li> <li>Provide an explicit indication of use to users physically present at the devices.</li> </ol><h5>Discussion</h5> <p>Collaborative computing devices include whiteboards, microphones, and cameras. Notebook computers, smartphones, display monitors, and tablets containing cameras and microphones are considered part of collaborative computing devices when conferencing software is in use. Indication of use includes notifying users (e.g., a pop-up menu stating that recording is in progress, or that the microphone has been turned on) when collaborative computing devices are activated. Dedicated video conferencing systems, which typically rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded. 
Solutions to prevent device usage include webcam covers and buttons to disable microphones.</p> <h5>References</h5> <p>Source control: SC-15<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-13-13">03.13.13 Mobile code</h4> </summary><ol class="lst-upr-alph"><li>Define acceptable mobile code and mobile code technologies.</li> <li>Authorize, monitor, and control the use of mobile code.</li> </ol><h5>Discussion</h5> <p>Mobile code includes software programs or parts of programs that are obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient. Decisions regarding the use of mobile code are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, VBScript, and WebGL. Usage restrictions and implementation guidelines apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers, smartphones, and smart devices. 
Mobile code policies and procedures address the actions taken to prevent the development, acquisition, and use of unacceptable mobile code within the system, including requiring mobile code to be digitally signed by a trusted source.</p> <h5>References</h5> <p>Source control: SC-18<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/28/ver2/final">NIST SP 800-28 Guidelines on Active Content and Mobile Code</a></p> </details><h4 id="03-13-14">03.13.14 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-13-15">03.13.15 Session authenticity</h4> </summary><p>Protect the authenticity of communications sessions.</p> <h5>Discussion</h5> <p>Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of the communications sessions in the ongoing identities of other parties and the validity of the transmitted information. 
Authenticity protection includes protecting against adversary-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.</p> <h5>References</h5> <p>Source control: SC-23<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/52/r2/final">NIST SP 800-52 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/95/final">NIST SP 800-95 Guide to Secure Web Services</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/113/final">NIST SP 800-113 Guide to SSL <abbr title="virtual private network">VPN</abbr>s</a></li> </ul></details><h4 id="03-13-16">03.13.16 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section> <section><h3 class="h2 mrgn-tp-lg" id="3-14">3.14 System and information integrity</h3> <p>The System and information integrity controls support the protection of the integrity of the system components and the data that the system processes. 
They allow an organization to identify, report and correct data and system flaws in a timely manner, to provide protection against malicious code, to monitor system security alerts and advisories, and to take appropriate actions in response.</p> <details><summary><h4 id="03-14-01">03.14.01 Flaw remediation</h4> </summary><ol class="lst-upr-alph"><li>Identify, report, and correct system flaws.</li> <li>Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.</li> </ol><h5>Discussion</h5> <p>Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. 
Organizations can take advantage of available resources (e.g., <abbr title="Common Weakness Enumeration">CWE</abbr> or <abbr title="Common Vulnerabilities and Exposures">CVE</abbr> databases) when remediating system flaws. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types.</p> <h5>References</h5> <p>Source control: SI-02<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/40/r4/final">NIST SP 800-40 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems</a></li> </ul></details><details><summary><h4 id="03-14-02">03.14.02 Malicious code protection</h4> </summary><ol class="lst-upr-alph"><li>Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.</li> <li>Update malicious code protection mechanisms as new releases are available in accordance with configuration management policies and procedures.</li> <li>Configure malicious code protection mechanisms to: <ol><li>perform scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at endpoints or system entry and exit points as the files are downloaded, opened, or executed</li> <li>block or quarantine malicious code, or take other mitigation actions in response to malicious code detection</li> </ol></li> </ol><h5>Discussion</h5> <p>Malicious code insertions occur through the exploitation of system vulnerabilities. 
Malicious code can be inserted into the system in a variety of ways, including email, the Internet, and portable storage devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats, contained in compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code may be present in commercial off-the-shelf software and custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions. Periodic scans of the system and real-time scans of files from external sources as files are downloaded, opened, or executed can detect malicious code. Malicious code protection mechanisms can also monitor systems for anomalous or unexpected behaviours and take appropriate actions.</p> <p>Malicious code protection mechanisms include signature- and non-signature-based technologies. Non-signature-based detection mechanisms include artificial intelligence (AI) techniques that use heuristics to detect, analyze, and describe the characteristics or behaviour of malicious code. They also provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Non-signature-based mechanisms include reputation-based technologies. Pervasive configuration management, anti-exploitation software, and software integrity controls may also be effective in preventing unauthorized code execution.</p> <p>If malicious code cannot be detected by detection methods or technologies, organizations can rely on secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that the software only performs intended functions. 
Organizations may determine that different actions are warranted in response to the detection of malicious code. For example, organizations can define actions to be taken in response to the detection of malicious code during scans, malicious downloads, or malicious activity when attempting to open or execute files.</p> <h5>References</h5> <p>Source control: SI-03<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/protect-your-organization-malware-itsap00057">Cyber Centre Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/spotting-malicious-email-messages-itsap00100">Cyber Centre Spotting malicious email messages (ITSAP.00.100)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/83/r1/final">NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/125/b/final">NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/177/r1/final">NIST SP 800-177 Trustworthy Email</a></li> </ul></details><details><summary><h4 id="03-14-03">03.14.03 Security alerts, advisories, and directives</h4> </summary><ol class="lst-upr-alph"><li>Receive system security alerts, advisories, and directives from external organizations on an ongoing basis.</li> <li>Generate and disseminate internal system security alerts, advisories, and directives, as necessary.</li> </ol><h5>Discussion</h5> <p>There are many publicly available sources of system security alerts and advisories. For example, the Canadian Centre for Cyber Security (Cyber Centre) generates security alerts and advisories to maintain situational awareness across the <abbr title="Government of Canada">GC</abbr> and in non-<abbr title="Government of Canada">GC</abbr> organizations. 
Software vendors, subscription services, and industry Information Sharing and Analysis Centres (ISACs) may also provide security alerts and advisories. Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and Canada should the directives not be implemented in a timely manner.</p> <h5>References</h5> <p>Source control: SI-05<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></p> </details><h4 id="03-14-04">03.14.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-14-05">03.14.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-14-06">03.14.06 System monitoring</h4> </summary><ol class="lst-upr-alph"><li>Monitor the system to detect: <ol><li>attacks and indicators of potential attacks</li> <li>unauthorized connections</li> </ol></li> <li>Identify unauthorized use of the system.</li> <li>Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions.</li> </ol><h5>Discussion</h5> <p>System monitoring involves external and internal monitoring. Internal monitoring includes the observation of events that occur within the system. External monitoring includes the observation of events that occur at the system boundary. Organizations can monitor the system by observing audit record activities in real time or by observing other system aspects, such as access patterns, characteristics of access, and other actions. 
The monitoring objectives may guide the determination of which events to monitor.</p> <p>A system monitoring capability is achieved through a variety of tools and techniques (e.g., audit record monitoring software, intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms that support critical applications, with such devices being employed at managed system interfaces. The granularity of the monitoring information collected is based on organizational monitoring objectives and the capability of the system to support such objectives.</p> <p>System connections can be network, remote, or local. A network connection is any connection with a device that communicates through a network (e.g., local area network, the Internet). A remote connection is any connection with a device that communicates through an external network (e.g., the Internet). Network, remote, and local connections can be either wired or wireless.</p> <p>Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in the system or propagating among system components, the unauthorized export of information, or signaling to external systems. Evidence of malicious code is used to identify a potentially compromised system. 
System monitoring requirements, including the need for types of system monitoring, may be referenced in other requirements.</p> <h5>References</h5> <p>Source controls: SI-04, SI-04(04)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/61/r2/final">NIST SP 800-61 Computer Security Incident Handling Guide</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/83/r1/final">NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/94/final">NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/137/final">NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/177/r1/final">NIST SP 800-177 Trustworthy Email</a></li> </ul></details><h4 id="03-14-07">03.14.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-14-08">03.14.08 Information management and retention</h4> </summary><p>Manage and retain <abbr title="controlled information">CI</abbr> within the system and <abbr title="controlled information">CI</abbr> output from the system in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, guidelines, and operational requirements.</p> <h5>Discussion</h5> <p>Federal departments and agencies consider data retention requirements for non-federal organizations. Retaining <abbr title="controlled information">CI</abbr> on non-federal systems after contracts or agreements have concluded increases the attack surface for those systems and the risk of the information being compromised. 
Library and Archives Canada provides federal policy and guidance on records retention and schedules.</p> <h5>References</h5> <p>Source control: SI-12<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-14-09">03.14.09 Dedicated administration workstation</h4> </summary><ol class="lst-upr-alph"><li>Require any administrative or superuser actions to be performed from a physical workstation that is dedicated to those specific tasks and isolated from all other functions and networks, and especially from any form of internet access.</li> <li>Remote connection of a <abbr title="dedicated administration workstation">DAW</abbr> to a target network is to use carrier private networks (e.g., virtual private LAN service (VPLS) or multiprotocol label switching (MPLS)) with <abbr title="virtual private network">VPN</abbr> encryption.</li> <li>Use a dedicated and hardened single-purpose physical workstation or thin client as the <abbr title="dedicated administration workstation">DAW</abbr> that is not shared between security realms.</li> </ol><h5>Discussion</h5> <p>A dedicated administration workstation (DAW) typically consists of a user terminal with a very small selection of software designed for interfacing with the target system. For the purpose of this control, workstation means the system from which you are performing the administration, as opposed to the target system of administration. The <abbr title="dedicated administration workstation">DAW</abbr> must be hardened for the role, in order to minimize the likelihood that a superuser’s or administrator’s endpoint may be compromised by any threat actor (which would logically lead to the compromise of the target system). Typical office productivity tools are not required on the <abbr title="dedicated administration workstation">DAW</abbr>. All non-essential applications and services are removed. 
<abbr title="dedicated administration workstation">DAW</abbr>s are not domain-joined, cannot download patches from the internet, and cannot update documentation in networked applications.</p> <p>Removing public Internet access from administrative workstations substantially reduces the risk of compromise. Internet-exposed <abbr title="virtual private network">VPN</abbr> gateways are not preferred for remote administration; private carriers provide better protection but still require <abbr title="virtual private network">VPN</abbr> encryption within that network. The <abbr title="dedicated administration workstation">DAW</abbr> must not become a means of moving laterally between security realms.</p> <h5>References</h5> <p>Source controls: SI-400, SI-400(02), SI-400(05)<br /> Supporting publications: None</p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-15">3.15 Planning</h3> <p>The Planning controls and assurance activities deal with the development, documentation, update, and implementation of security and privacy plans for organizational systems. 
Those plans describe the security and privacy controls and assurance activities in place or planned for the systems, and the rules of behaviour for individuals accessing the systems.</p> <details><summary><h4 id="03-15-01">03.15.01 Policy and procedures</h4> </summary><ol class="lst-upr-alph"><li>Develop, document, and disseminate to organizational personnel or roles, policies and procedures needed to satisfy the security requirements for the protection of <abbr title="controlled information">CI</abbr>.</li> <li>Review and update policies and procedures [Assignment: organization-defined frequency].</li> </ol><h5>Discussion</h5> <p>This requirement addresses policies and procedures for the protection of <abbr title="controlled information">CI</abbr>. Policies and procedures contribute to security assurance and should address each family of the <abbr title="controlled information">CI</abbr> security requirements. Policies can be included as part of the organizational security policy or be represented by separate policies that address each family of requirements. Procedures describe how policies are implemented and can be directed at the individual or role that is the object of the procedure. 
Procedures can be documented in system security plans or in one or more separate documents.</p> <h5>References</h5> <p>Source controls: AC-01, AT-01, AU-01, CA-01, CM-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PS-01, RA-01, SA-01, SC-01, SI-01, SR-01<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/12/r1/final">NIST SP 800-12 An Introduction to Information Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/100/upd1/final">NIST SP 800-100 Information Security Handbook</a></li> </ul></details><details><summary><h4 id="03-15-02">03.15.02 System security plan</h4> </summary><ol class="lst-upr-alph"><li>Develop a system security and privacy plan that: <ol><li>defines the constituent system components</li> <li>identifies the information types processed, stored, and transmitted by the system</li> <li>describes specific threats to the system that are of concern to the organization</li> <li>describes the operational environment for the system and any dependencies on or connections to other systems or system components</li> <li>provides an overview of the security requirements for the system</li> <li>describes the safeguards in place or planned for meeting the security requirements</li> <li>identifies individuals that fulfill system roles and responsibilities</li> <li>includes other relevant information necessary for the protection of CI</li> </ol></li> <li>Review and update the system security plan [Assignment: organization-defined frequency].</li> <li>Protect the system security plan from unauthorized disclosure.</li> </ol><h5>Discussion</h5> <p>System security and privacy plans provide key characteristics of the system that is processing, storing, and transmitting <abbr title="controlled information">CI</abbr> and how the system and information are protected. 
System security and privacy plans contain sufficient information to facilitate a design and implementation that are unambiguously compliant with the intent of the plans and the subsequent determinations of risk if the plan is implemented as intended. System security and privacy plans can be a collection of documents, including documents that already exist. Effective system security plans make use of references to policies, procedures, and additional documents (e.g., design specifications) where detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security information in other established management or operational areas related to enterprise architecture, the system development life cycle, systems engineering, and acquisition.</p> <h5>References</h5> <p>Source control: PL-02<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/18/r1/final">NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems</a></li> </ul></details><details><summary><h4 id="03-15-03">03.15.03 Rules of behaviour</h4> </summary><ol class="lst-upr-alph"><li>Establish rules that describe the responsibilities and expected behaviour for system usage and protecting <abbr title="controlled information">CI</abbr>.</li> <li>Provide rules to individuals who require access to the system.</li> <li>Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behaviour before authorizing access to <abbr title="controlled information">CI</abbr> and the system.</li> <li>Review and update the rules of behaviour [Assignment: organization-defined frequency].</li> </ol><h5>Discussion</h5> <p>Rules of behaviour represent a type of access agreement for system users. 
Organizations consider rules of behaviour for the handling of <abbr title="controlled information">CI</abbr> based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users.</p> <h5>References</h5> <p>Source control: PL-04<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/18/r1/final">NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems</a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-16">3.16 System and services acquisition</h3> <p>The System and services acquisition controls deal with the contracting of products and services required to support the implementation and operation of organizational systems. 
They ensure that sufficient resources are allocated for the protection of organizational systems, and they support system development lifecycle processes that incorporate security considerations.</p> <details><summary><h4 id="03-16-01">03.16.01 Security engineering principles</h4> </summary><p>Apply the following systems security engineering principles to the development or modification of the system and system components: [Assignment: organization-defined systems security engineering principles].</p> <h5>Discussion</h5> <p>Organizations apply systems security engineering principles to new development systems. For legacy systems, organizations apply systems security engineering principles to system modifications to the extent feasible, given the current state of hardware, software, and firmware components. The application of systems security engineering principles helps to develop trustworthy, secure, and resilient systems and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples include developing layered protections; establishing security policies, architectures, and controls as the foundation for system design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build trustworthy secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. 
Organizations that apply security engineering principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risks to acceptable levels; and make informed risk-management decisions.</p> <h5>References</h5> <p>Source control: SA-08<br /> Supporting publications:</p> <ul><li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final">NIST SP 800-160-2 Developing Cyber-Resilient Systems: A Systems Security Engineering Approach</a></li> </ul></details><details><summary><h4 id="03-16-02">03.16.02 Unsupported system components</h4> </summary><ol class="lst-upr-alph"><li>Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer.</li> <li>Provide options for risk mitigation or alternative sources for continued support for unsupported components if components cannot be replaced.</li> </ol><h5>Discussion</h5> <p>Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in opportunities for adversaries to exploit weaknesses or deficiencies in the installed components. 
Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities when newer technologies are unavailable or when the systems are so isolated that installing replacement components is not an option.</p> <p>Alternative sources of support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or obtain the services of external providers who provide ongoing support for unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated by prohibiting the connection of such components to public or uncontrolled networks or implementing other forms of isolation.</p> <h5>References</h5> <p>Source control: SA-22<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-16-03">03.16.03 External system services</h4> </summary><ol class="lst-upr-alph"><li>Require the providers of external system services used for the processing, storage, or transmission of <abbr title="controlled information">CI</abbr>, to comply with the following security requirements: [Assignment: organization-defined security requirements].</li> <li>Define and document user roles and responsibilities with regard to external system services including shared responsibilities with external service providers.</li> <li>Implement processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis.</li> </ol><h5>Discussion</h5> <p>External system services are provided by external service providers. 
Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with the organization charged with protecting <abbr title="controlled information">CI</abbr>. Service-level agreements define expectations of performance, describe measurable outcomes, and identify remedies, mitigations, and response requirements for instances of noncompliance. Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when there is a need to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols. This requirement is related to <a href="#03-01-20">Use of external systems 03.01.20</a>.</p> <h5>References</h5> <p>Source control: SA-09<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-17">3.17 Supply chain risk management</h3> <p>The Supply chain risk management controls support the mitigation of cyber security risks throughout all phases of the supply chain.</p> <details><summary><h4 id="03-17-01">03.17.01 Supply chain risk management plan</h4> </summary><ol class="lst-upr-alph"><li>Develop a plan for managing supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, system components, or system services.</li> <li>Review and update the supply chain risk management plan [Assignment: organization-defined frequency].</li> <li>Protect the supply chain risk management plan from unauthorized disclosure.</li> </ol><h5>Discussion</h5> <p>Dependence on the products, systems, and services of external providers and the nature of the relationships with those providers present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, poor manufacturing and development practices in the supply chain, theft, and the insertion of malicious software, firmware, and hardware. Supply chain risks can be endemic or systemic within a system, component, or service. Managing supply chain risks is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders.</p> <p>Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing <abbr title="supply chain risk management">SCRM</abbr> plans to document response actions, and monitoring performance against the plans. 
The system-level <abbr title="supply chain risk management">SCRM</abbr> plan is implementation-specific and provides policy implementation, requirements, constraints, and implications. It can either be stand-alone or incorporated into system security and privacy plans. The <abbr title="supply chain risk management">SCRM</abbr> plan addresses the management, implementation, and monitoring of <abbr title="supply chain risk management">SCRM</abbr> controls and the development or sustainment of systems across the system development life cycle to support mission and business functions. Because supply chains can differ significantly across and within organizations, <abbr title="supply chain risk management">SCRM</abbr> plans are tailored to individual program, organizational, and operational contexts.</p> <h5>References</h5> <p>Source control: SR-02<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://www.cyber.gc.ca/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071">Cyber Centre Protecting your organization from software supply chain threats (ITSM.10.071)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber Centre Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/supply-chain-security-small-and-medium-sized-organizations-itsap00070">Cyber Centre Supply chain security for small and medium-sized organizations (ITSAP.00.070)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a 
href="https://csrc.nist.gov/pubs/sp/800/181/r1/final">NIST SP 800-181 Workforce Framework for Cybersecurity (NICE Framework)</a></li> </ul></details><details><summary><h4 id="03-17-02">03.17.02 Acquisition strategies, tools, and methods</h4> </summary><p>Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and mitigate supply chain risks.</p> <h5>Discussion</h5> <p>The acquisition process provides an important vehicle for protecting the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind purchases, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, the insertion of counterfeits, the insertion of malicious software or backdoors, and poor development practices throughout the system life cycle.</p> <p>Organizations also consider providing incentives for suppliers to implement controls, promote transparency in their processes and security practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risks, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security requirements of the organization. 
Contracts may specify documentation protection requirements.</p> <h5>References</h5> <p>Source control: SR-05<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations </a></li> </ul></details><details><summary><h4 id="03-17-03">03.17.03 Supply chain requirements and processes</h4> </summary><ol class="lst-upr-alph"><li>Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes.</li> <li>Enforce the following security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined security requirements].</li> </ol><h5>Discussion</h5> <p>Supply chain elements include organizations, entities, or tools that are employed for the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, firmware, and systems development processes; shipping and handling procedures; physical security programs; personnel security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance, and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. 
Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to harm the organization and affect its ability to carry out its core missions or business functions.</p> <h5>References</h5> <p>Source control: SR-03<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details></section></section><section><h2 class="text-info" id="AA">Annex A Tailoring criteria</h2> <section><h3>In this section</h3> <ul class="list-unstyled"><li><a href="#tab1">Table 1: Access control (AC)</a></li> <li><a href="#tab2">Table 2: Awareness and training (AT)</a></li> <li><a href="#tab3">Table 3: Audit and accountability (AU)</a></li> <li><a href="#tab4">Table 4: Assessment, authorization, and monitoring (CA)</a></li> <li><a href="#tab5">Table 5: Configuration management (CM)</a></li> <li><a href="#tab6">Table 6: Contingency planning (CP)</a></li> <li><a href="#tab7">Table 7: Identification and Authentication (IA)</a></li> <li><a href="#tab8">Table 8: Incident Response (IR)</a></li> <li><a href="#tab9">Table 9: Maintenance (MA)</a></li> <li><a href="#tab10">Table 10: Media protection (MP)</a></li> <li><a href="#tab11">Table 11: Physical and environmental protection (PE)</a></li> <li><a href="#tab12">Table 12: Planning (PL)</a></li> <li><a href="#tab13">Table 13: Program management 
(PM)</a></li> <li><a href="#tab14">Table 14: Personnel security (PS)</a></li> <li><a href="#tab15">Table 15: Personal information handling and transparency (PT)</a></li> <li><a href="#tab16">Table 16: Risk assessment (RA)</a></li> <li><a href="#tab17">Table 17: System and services acquisition (SA)</a></li> <li><a href="#tab18">Table 18: System and communications protection (SC)</a></li> <li><a href="#tab19">Table 19: System and information integrity (SI)</a></li> <li><a href="#tab20">Table 20: Supply chain risk management (SR)</a></li> </ul></section><p>This appendix describes the security control tailoring criteria used to develop the <abbr title="controlled information">CI</abbr> security requirements. Table 1 through Table 20 specify the tailoring actions applied to the controls in the ITSP.10.033-01 medium impact baseline to obtain the security requirements in section 3. The controls, assurance activities and enhancements are hyperlinked to their corresponding entry in ITSP.10.033<!--when published-->.</p> <p>The security control tailoring criteria are the following:</p> <ul><li>NCO: the control is not directly related to protecting the confidentiality of <abbr title="controlled information">CI</abbr></li> <li><abbr title="Government of Canada">GC:</abbr> the control is primarily the responsibility of the Government of Canada</li> <li>ORC: the outcome of the control related to protecting the confidentiality of <abbr title="controlled information">CI</abbr> is adequately covered by other related controls</li> <li>N/A: the control is not applicable</li> <li><abbr title="controlled information">CI</abbr>: the control is directly related to protecting the confidentiality of <abbr title="controlled information">CI</abbr></li> </ul><div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab1"><caption>Table 1: Access control (AC)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th 
class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>AC-01</td> <td>Access control policy and procedures </td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>AC-02</td> <td>Account management</td> <td>CI</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-02(01)</td> <td>Account management: Automated system account management</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(02)</td> <td>Account management: Automated temporary and emergency account management</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(03)</td> <td>Account management: Disable accounts</td> <td>CI</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-02(04)</td> <td>Account management: Automated audit actions</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(05)</td> <td>Account management: Inactivity logout</td> <td>CI</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-02(07)</td> <td>Account management: Privileged user accounts</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(13)</td> <td>Account management: Disable accounts for high-risk individuals</td> <td>CI</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-03</td> <td>Access enforcement</td> <td>CI</td> <td><a href="#03-01-02">Access enforcement 03.01.02</a></td> </tr><tr><td>AC-03(02)</td> <td>Access enforcement: Dual authorization</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-03(04)</td> <td>Access enforcement: Discretionary access control</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-03(09)</td> <td>Access enforcement: Controlled release</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-04</td> <td>Information flow enforcement</td> <td>CI</td> <td><a href="#03-01-03">Information flow enforcement 
03.01.03</a></td> </tr><tr><td>AC-05</td> <td>Separation of duties</td> <td>CI</td> <td><a href="#03-01-04">Separation of duties 03.01.04</a></td> </tr><tr><td>AC-06</td> <td>Least privilege</td> <td>CI</td> <td><a href="#03-01-05">Least privilege 03.01.05</a></td> </tr><tr><td>AC-06(01)</td> <td>Least privilege: Authorize access to security functions</td> <td>CI</td> <td><a href="#03-01-05">Least privilege 03.01.05</a></td> </tr><tr><td>AC-06(02)</td> <td>Least privilege: Non-privileged access for non-security functions</td> <td>CI</td> <td><a href="#03-01-06">Least privilege – privileged accounts 03.01.06</a></td> </tr><tr><td>AC-06(05)</td> <td>Least privilege: Privileged accounts</td> <td>CI</td> <td><a href="#03-01-06">Least privilege – privileged accounts 03.01.06</a></td> </tr><tr><td>AC-06(07)</td> <td>Least privilege: Review of user privileges</td> <td>CI</td> <td><a href="#03-01-05">Least privilege 03.01.05</a></td> </tr><tr><td>AC-06(09)</td> <td>Least privilege: Log use of privileged functions</td> <td>CI</td> <td><a href="#03-01-07">Privileged accounts – privileged functions 03.01.07</a></td> </tr><tr><td>AC-06(10)</td> <td>Least privilege: Prohibit non-privileged users from executing privileged functions</td> <td>CI</td> <td><a href="#03-01-07">Privileged accounts – privileged functions 03.01.07</a></td> </tr><tr><td>AC-07</td> <td>Unsuccessful logon attempts</td> <td>CI</td> <td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a></td> </tr><tr><td>AC-08</td> <td>System use notification</td> <td>CI</td> <td><a href="#03-01-09">System use notification 03.01.09</a></td> </tr><tr><td>AC-11</td> <td>Device lock</td> <td>CI</td> <td><a href="#03-01-10">Device lock 03.01.10</a></td> </tr><tr><td>AC-11(01)</td> <td>Device lock: Pattern-hiding displays</td> <td>CI</td> <td><a href="#03-01-10">Device lock 03.01.10</a></td> </tr><tr><td>AC-12</td> <td>Session termination</td> <td>CI</td> <td><a href="#03-01-11">Session termination 03.01.11</a></td> 
</tr><tr><td>AC-14</td> <td>Permitted actions without identification or authentication</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-16</td> <td>Security and privacy attributes</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-16(02)</td> <td>Security and privacy attributes: Attribute value changes by authorized individuals</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-16(05)</td> <td>Security and privacy attributes: Attribute displays on objects to be output</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-17</td> <td>Remote access</td> <td>CI</td> <td><a href="#03-01-02">Access enforcement 03.01.02</a></td> </tr><tr><td>AC-17(01)</td> <td>Remote access: Monitoring and control</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-17(02)</td> <td>Remote access: Protection of confidentiality and integrity using encryption</td> <td>CI</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>AC-17(03)</td> <td>Remote access: Managed access control points</td> <td>CI</td> <td><a href="#03-01-12">Remote access 03.01.12</a></td> </tr><tr><td>AC-17(04)</td> <td>Remote access: Privileged commands and access</td> <td>CI</td> <td><a href="#03-01-12">Remote access 03.01.12</a></td> </tr><tr><td>AC-17(400)</td> <td>Remote access: Privileged accounts remote access</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-18</td> <td>Wireless access</td> <td>CI</td> <td><a href="#03-01-16">Wireless access 03.01.16</a></td> </tr><tr><td>AC-18(01)</td> <td>Wireless access: Authentication and encryption</td> <td>CI</td> <td><a href="#03-01-16">Wireless access 03.01.16</a></td> </tr><tr><td>AC-18(03)</td> <td>Wireless access: Disable wireless networking</td> <td>CI</td> <td><a href="#03-01-16">Wireless access 03.01.16</a></td> </tr><tr><td>AC-18(04)</td> <td>Wireless access: Restrict configurations by users</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-19</td> <td>Access control for mobile devices</td> <td>CI</td> <td><a href="#03-01-18">Access control 
for mobile devices 03.01.18</a></td> </tr><tr><td>AC-19(05)</td> <td>Access control for mobile devices: Full device or container-based encryption</td> <td>CI</td> <td><a href="#03-01-18">Access control for mobile devices 03.01.18</a></td> </tr><tr><td>AC-20</td> <td>Use of external systems</td> <td>CI</td> <td><a href="#03-01-20">Use of external systems 03.01.20</a></td> </tr><tr><td>AC-20(01)</td> <td>Use of external systems: Limits on authorized use</td> <td>CI</td> <td><a href="#03-01-20">Use of external systems 03.01.20</a></td> </tr><tr><td>AC-20(02)</td> <td>Use of external systems: Portable storage devices – restricted use</td> <td>CI</td> <td><a href="#03-01-20">Use of external systems 03.01.20</a></td> </tr><tr><td>AC-20(04)</td> <td>Use of external systems: Network accessible storage devices – restricted use</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-21</td> <td>Information sharing</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-21(400)</td> <td>Information sharing: Information sharing agreement</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-21(401)</td> <td>Information sharing: Information sharing arrangement</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-22</td> <td>Publicly accessible content</td> <td>CI</td> <td><a href="#03-01-22">Publicly accessible content 03.01.22</a></td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab2"><caption>Table 2: Awareness and training</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th
class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>AT-01</td> <td>Awareness and training policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>AT-02</td> <td>Literacy training and awareness</td> <td>CI</td> <td><a href="#03-02-01">Literacy training and awareness 03.02.01</a></td> </tr><tr><td>AT-02(02)</td> <td>Literacy training and awareness: Insider threat</td> <td>CI</td> <td><a href="#03-02-01">Literacy training and awareness 03.02.01</a></td> </tr><tr><td>AT-02(03)</td> <td>Literacy training and awareness: Social engineering and mining</td> <td>CI</td> <td><a href="#03-02-01">Literacy training and awareness 03.02.01</a></td> </tr><tr><td>AT-03</td> <td>Role-based training</td> <td>CI</td> <td><a href="#03-02-02">Role-based training 03.02.02</a></td> </tr><tr><td>AT-04</td> <td>Training records</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab3"><caption>Table 3: Audit and accountability</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>AU-01</td> <td>Audit and accountability policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>AU-02</td> <td>Event logging</td> <td>CI</td> <td><a href="#03-03-01">Event logging 03.03.01</a></td> </tr><tr><td>AU-03</td> <td>Content of audit
records</td> <td>CI</td> <td><a href="#03-03-02">Audit record content 03.03.02</a></td> </tr><tr><td>AU-03(01)</td> <td>Additional audit information</td> <td>CI</td> <td><a href="#03-03-02">Audit record content 03.03.02</a></td> </tr><tr><td>AU-04</td> <td>Audit log storage capacity</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-04(01)</td> <td>Audit log storage capacity: Transfer to alternate storage</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-05</td> <td>Response to audit logging process failures</td> <td>CI</td> <td><a href="#03-03-04">Response to audit logging process failures 03.03.04</a></td> </tr><tr><td>AU-05(01)</td> <td>Response to audit logging process failures: Storage capacity warning</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-06</td> <td>Audit record review, analysis, and reporting</td> <td>CI</td> <td><a href="#03-03-05">Audit record review, analysis, and reporting 03.03.05</a></td> </tr><tr><td>AU-06(01)</td> <td>Audit record review, analysis, and reporting: Automated process integration</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-06(03)</td> <td>Audit record review, analysis, and reporting: Correlate audit record repositories</td> <td>CI</td> <td><a href="#03-03-05">Audit record review, analysis, and reporting 03.03.05</a></td> </tr><tr><td>AU-06(04)</td> <td>Audit record review, analysis, and reporting: Central review and analysis</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-07</td> <td>Audit record reduction and report generation</td> <td>CI</td> <td><a href="#03-03-06">Audit record reduction and report generation 03.03.06</a></td> </tr><tr><td>AU-07(01)</td> <td>Audit record reduction and report generation: Automatic processing</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-08</td> <td>Time stamps</td> <td>CI</td> <td><a href="#03-03-07">Time stamps 03.03.07</a></td> </tr><tr><td>AU-09</td> <td>Protection of audit information</td> <td>CI</td> <td><a href="#03-03-08">Protection of audit information 03.03.08</a></td> 
</tr><tr><td>AU-09(02)</td> <td>Protection of audit information: Store on separate physical system or component</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-09(04)</td> <td>Protection of audit information: Access by subset of privileged users</td> <td>CI</td> <td><a href="#03-03-08">Protection of audit information 03.03.08</a></td> </tr><tr><td>AU-09(06)</td> <td>Protection of audit information: Read-only access</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-11</td> <td>Audit record retention</td> <td>CI</td> <td><a href="#03-03-03">Audit record generation 03.03.03</a></td> </tr><tr><td>AU-12</td> <td>Audit record generation</td> <td>CI</td> <td><a href="#03-03-03">Audit record generation 03.03.03</a></td> </tr><tr><td>AU-12(01)</td> <td>Audit record generation: System-wide and time-correlated audit trail</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab4"><caption>Table 4: Assessment, authorization, and monitoring (CA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>CA-01</td> <td>Assessment, authorization, and monitoring policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>CA-02</td> <td>Control assessments</td> <td>CI</td> <td><a href="#03-12-01">Security assessment 03.12.01</a></td> </tr><tr><td>CA-02(01)</td> <td>Control assessments: Independent assessors</td>
<td>NCO</td> <td>none</td> </tr><tr><td>CA-03</td> <td>Information exchange</td> <td>CI</td> <td><a href="#03-12-05">Information exchange 03.12.05</a></td> </tr><tr><td>CA-05</td> <td>Plan of action and milestones</td> <td>CI</td> <td><a href="#03-12-02">Plan of action and milestones 03.12.02</a></td> </tr><tr><td>CA-06</td> <td>Authorization</td> <td>GC</td> <td>none</td> </tr><tr><td>CA-07</td> <td>Continuous monitoring</td> <td>CI</td> <td><a href="#03-12-03">Continuous monitoring 03.12.03</a></td> </tr><tr><td>CA-07(01)</td> <td>Continuous monitoring: Independent assessment</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-07(04)</td> <td>Continuous monitoring: Risk monitoring</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-09</td> <td>Internal system connections</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-09(01)</td> <td>Internal system connections: Compliance checks</td> <td>ORC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab5"><caption>Table 5: Configuration management (CM)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>CM-01</td> <td>Configuration management policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>CM-02</td> <td>Baseline configuration</td> <td>CI</td> <td><a href="#03-04-01">Baseline configuration 03.04.01</a></td> </tr><tr><td>CM-02(02)</td> <td>Baseline
configuration: Automation support for accuracy and currency</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-02(03)</td> <td>Baseline configuration: Retention of previous configurations</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-02(06)</td> <td>Baseline configuration: Development and test environments</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-02(07)</td> <td>Baseline configuration: Configure systems and components for high-risk areas</td> <td>CI</td> <td><a href="#03-04-12">System and component configuration for high-risk areas 03.04.12</a></td> </tr><tr><td>CM-03</td> <td>Configuration change control</td> <td>CI</td> <td><a href="#03-04-03">Configuration change control 03.04.03</a></td> </tr><tr><td>CM-03(02)</td> <td>Configuration change control: Testing, validation, and documentation of changes</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-03(04)</td> <td>Configuration change control: Security and privacy representatives</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-04</td> <td>Impact analyses</td> <td>CI</td> <td><a href="#03-04-04">Impact analyses 03.04.04</a></td> </tr><tr><td>CM-04(01)</td> <td>Impact analyses: Separate test environments</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-04(02)</td> <td>Impact analyses: Verification of controls</td> <td>CI</td> <td><a href="#03-04-04">Impact analyses 03.04.04</a></td> </tr><tr><td>CM-05</td> <td>Access restrictions for change</td> <td>CI</td> <td><a href="#03-04-05">Access restrictions for change 03.04.05</a></td> </tr><tr><td>CM-06</td> <td>Configuration settings</td> <td>CI</td> <td><a href="#03-04-02">Configuration settings 03.04.02</a></td> </tr><tr><td>CM-07</td> <td>Least functionality</td> <td>CI</td> <td><a href="#03-04-06">Least functionality 03.04.06</a></td> </tr><tr><td>CM-07(01)</td> <td>Least functionality: Periodic review</td> <td>CI</td> <td><a href="#03-04-06">Least functionality 03.04.06</a></td> </tr><tr><td>CM-07(02)</td> <td>Least functionality: Prevent program execution</td> 
<td>ORC</td> <td>none</td> </tr><tr><td>CM-07(05)</td> <td>Least functionality: Authorized software – allow by exception</td> <td>CI</td> <td><a href="#03-04-08">Authorized software – allow by exception 03.04.08</a></td> </tr><tr><td>CM-08</td> <td>System component inventory</td> <td>CI</td> <td><a href="#03-04-10">System component inventory 03.04.10</a></td> </tr><tr><td>CM-08(01)</td> <td>System component inventory: Updates during installation and removal</td> <td>CI</td> <td><a href="#03-04-10">System component inventory 03.04.10</a></td> </tr><tr><td>CM-08(03)</td> <td>System component inventory: Automated unauthorized component detection</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-08(04)</td> <td>System component inventory: Accountability information</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-08(06)</td> <td>System component inventory: Assessed configurations and approved deviations</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-09</td> <td>Configuration management plan</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-10</td> <td>Software usage restrictions</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-11</td> <td>User-installed software</td> <td>ORC</td> <td>none</td> </tr><tr><td>CM-11(02)</td> <td>User-installed software: Software installation with privileged status</td> <td>ORC</td> <td>none</td> </tr><tr><td>CM-12</td> <td>Information location</td> <td>CI</td> <td><a href="#03-04-11">Information location 03.04.11</a></td> </tr><tr><td>CM-12(01)</td> <td>Information location: Automated tools to support information location</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab6"><caption>Table
6: Contingency planning (CP)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>CP-01</td> <td>Contingency planning policy and procedures</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02</td> <td>Contingency plan</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(01)</td> <td>Contingency plan: Coordinate with related plans</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(02)</td> <td>Contingency plan: Capacity planning</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(03)</td> <td>Contingency plan: Resume mission and business functions</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(08)</td> <td>Contingency plan: Identify critical assets</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-03</td> <td>Contingency training</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-04</td> <td>Contingency plan testing</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-04(01)</td> <td>Contingency plan testing: Coordinate related plans</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-06</td> <td>Alternate storage site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-06(01)</td> <td>Alternate storage site: Separation of primary site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-06(03)</td> <td>Alternate storage site: Accessibility</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07</td> <td>Alternate processing site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(01)</td> <td>Alternate processing site: Separation of primary site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(02)</td> <td>Alternate processing site: Accessibility</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(03)</td> <td>Alternate processing site: Priority of service</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(04)</td> 
<td>Alternate processing site: Preparation for use</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(06)</td> <td>Alternate processing site: Inability to return to primary site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08</td> <td>Telecommunications services</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(01)</td> <td>Telecommunications services: Priority of service provisions</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(02)</td> <td>Telecommunications services: Single points of failure</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(03)</td> <td>Telecommunications services: Separation of primary and alternate providers</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(05)</td> <td>Telecommunications services: Alternate telecommunication service testing</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09</td> <td>System backup</td> <td>CI</td> <td><a href="#03-08-09">System backup – cryptographic protection 03.08.09</a></td> </tr><tr><td>CP-09(01)</td> <td>System backup: Testing for reliability and integrity</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(03)</td> <td>System backup: Separate storage for critical information</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(05)</td> <td>System backup: Transfer to alternate storage site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(07)</td> <td>System backup: Dual authorization for deletion or destruction</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(08)</td> <td>System backup: Cryptographic protection</td> <td>CI</td> <td><a href="#03-08-09">System backup – cryptographic protection 03.08.09</a></td> </tr><tr><td>CP-10</td> <td>System recovery and reconstitution</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-10(02)</td> <td>System recovery and reconstitution: Transaction recovery</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-10(04)</td> <td>System recovery and reconstitution: Restore within time period</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-10(06)</td> <td>System recovery 
and reconstitution: Component protection</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab7"><caption>Table 7: Identification and authentication (IA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>IA-01</td> <td>Identification and authentication policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>IA-02</td> <td>Identification and authentication (organizational users)</td> <td>CI</td> <td><a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a></td> </tr><tr><td>IA-02(01)</td> <td>Identification and authentication (organizational users): Multi-factor authentication to privileged accounts</td> <td>CI</td> <td><a href="#03-05-03">Multi-factor authentication 03.05.03</a></td> </tr><tr><td>IA-02(02)</td> <td>Identification and authentication (organizational users): Multi-factor authentication to non-privileged accounts</td> <td>CI</td> <td><a href="#03-05-03">Multi-factor authentication 03.05.03</a></td> </tr><tr><td>IA-02(08)</td> <td>Identification and authentication (organizational users): Access to accounts – replay resistant</td> <td>CI</td> <td><a href="#03-05-04">Replay-resistant authentication 03.05.04</a></td> </tr><tr><td>IA-02(10)</td> <td>Identification and authentication (organizational users): Single sign-on</td>
<td>NCO</td> <td>none</td> </tr><tr><td>IA-02(12)</td> <td>Identification and authentication (organizational users): Use of hardware token <abbr title="Government of Canada">GC</abbr>-issued <abbr title="Public Key Infrastructure">PKI</abbr>-based credentials</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-03</td> <td>Device identification and authentication</td> <td>CI</td> <td><a href="#03-05-02">Device identification and authentication 03.05.02</a></td> </tr><tr><td>IA-04</td> <td>Identifier management</td> <td>CI</td> <td><a href="#03-05-05">Identifier management 03.05.05</a></td> </tr><tr><td>IA-04(04)</td> <td>Identifier management: Identify user status</td> <td>CI</td> <td><a href="#03-05-05">Identifier management 03.05.05</a></td> </tr><tr><td>IA-05</td> <td>Authenticator management</td> <td>CI</td> <td><a href="#03-05-12">Authenticator management 03.05.12</a></td> </tr><tr><td>IA-05(01)</td> <td>Authenticator management: Password-based authentication</td> <td>CI</td> <td><a href="#03-05-07">Password management 03.05.07</a></td> </tr><tr><td>IA-05(02)</td> <td>Authenticator management: Public key-based authentication</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-05(06)</td> <td>Authenticator management: Protection of authenticators</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-05(07)</td> <td>Authenticator management: No embedded unencrypted static authenticators</td> <td>NCO</td> <td>none</td> </tr><tr><td>IA-05(08)</td> <td>Authenticator management: Multiple system accounts</td> <td>NCO</td> <td>none</td> </tr><tr><td>IA-05(09)</td> <td>Authenticator management: Federated credential management</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-05(13)</td> <td>Authenticator management: Expiration of cached authenticators</td> <td>ORC</td> <td>none</td> </tr><tr><td>IA-05(14)</td> <td>Authenticator management: Managing content of <abbr title="Public Key Infrastructure">PKI</abbr> trust stores</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-06</td> 
<td>Authentication feedback</td> <td>CI</td> <td><a href="#03-05-11">Authentication feedback 03.05.11</a></td> </tr><tr><td>IA-07</td> <td>Cryptographic module authentication</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08</td> <td>Identification and authentication (non-organizational users)</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08(01)</td> <td>Identification and authentication (non-organizational users): Acceptance of <abbr title="Public Key Infrastructure">PKI</abbr>-based credentials from other agencies</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08(02)</td> <td>Identification and authentication (non-organizational users): Acceptance of external authenticators</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08(04)</td> <td>Identification and authentication (non-organizational users): Use of defined profiles</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-11</td> <td>Re-authentication</td> <td>CI</td> <td><a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a></td> </tr><tr><td>IA-12</td> <td>Identity proofing</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(02)</td> <td>Identity proofing: Identity evidence</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(03)</td> <td>Identity proofing: Identity evidence validation and verification</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(04)</td> <td>Identity proofing: In-person validation and verification</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(05)</td> <td>Identity proofing: Address confirmation</td> <td>GC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab8"><caption>Table 8: Incident response (IR)</caption>
<thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>IR-01</td> <td>Incident response policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>IR-02</td> <td>Incident response training</td> <td>CI</td> <td><a href="#03-06-04">Incident response training 03.06.04</a></td> </tr><tr><td>IR-03</td> <td>Incident response testing</td> <td>CI</td> <td><a href="#03-06-03">Incident response testing 03.06.03</a></td> </tr><tr><td>IR-03(02)</td> <td>Incident response testing: Coordinate with related plans</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-04</td> <td>Incident handling</td> <td>CI</td> <td><a href="#03-06-01">Incident handling 03.06.01</a></td> </tr><tr><td>IR-04(03)</td> <td>Incident handling: Continuity of operations</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-04(08)</td> <td>Incident handling: Correlation with external organizations</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-04(09)</td> <td>Incident handling: Dynamic response capability</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-05</td> <td>Incident monitoring</td> <td>CI</td> <td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a></td> </tr><tr><td>IR-06</td> <td>Incident reporting</td> <td>CI</td> <td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a></td> </tr><tr><td>IR-06(01)</td> <td>Incident reporting: Automated reporting</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-06(02)</td> <td>Incident reporting: Vulnerabilities related to incidents</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-06(03)</td> <td>Incident reporting: Supply chain coordination</td> <td>NCO</td> <td>none</td> 
</tr><tr><td>IR-07</td> <td>Incident response assistance</td> <td>CI</td> <td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a></td> </tr><tr><td>IR-07(01)</td> <td>Incident response assistance: Automation support for availability of information and support</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-08</td> <td>Incident response plan</td> <td>CI</td> <td><a href="#03-06-05">Incident response plan 03.06.05</a></td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab9"><caption>Table 9: Maintenance (MA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>MA-01</td> <td>System maintenance policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>MA-02</td> <td>Controlled maintenance</td> <td>NCO</td> <td>none</td> </tr><tr><td>MA-03</td> <td>Maintenance tools</td> <td>CI</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-03(01)</td> <td>Maintenance tools: Inspect tools</td> <td>CI</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-03(02)</td> <td>Maintenance tools: Inspect media</td> <td>CI</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-03(03)</td> <td>Maintenance tools: Prevent unauthorized removal</td> <td>CI</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td>
</tr><tr><td>MA-04</td> <td>Non-local maintenance</td> <td>CI</td> <td><a href="#03-07-05">Non-local maintenance 03.07.05</a></td> </tr><tr><td>MA-04(01)</td> <td>Non-local maintenance: Logging and review</td> <td>NCO</td> <td>none</td> </tr><tr><td>MA-04(03)</td> <td>Non-local maintenance: Comparable security and sanitization</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-04(04)</td> <td>Non-local maintenance: Authentication and separation of maintenance sessions</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-04(05)</td> <td>Non-local maintenance: Approvals and notifications</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-04(06)</td> <td>Non-local maintenance: Cryptographic protection</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-05</td> <td>Maintenance personnel</td> <td>CI</td> <td><a href="#03-07-06">Maintenance personnel 03.07.06</a></td> </tr><tr><td>MA-05(01)</td> <td>Maintenance personnel: Individuals without appropriate access</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-06</td> <td>Timely maintenance</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab10"><caption>Table 10: Media protection (MP)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>MP-01</td> <td>Media protection policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>MP-02</td> <td>Media
access</td> <td>CI</td> <td><a href="#03-08-02">Media access 03.08.02</a></td> </tr><tr><td>MP-03</td> <td>Media marking</td> <td>CI</td> <td><a href="#03-08-04">Media marking 03.08.04</a></td> </tr><tr><td>MP-04</td> <td>Media storage</td> <td>CI</td> <td><a href="#03-08-01">Media storage 03.08.01</a></td> </tr><tr><td>MP-05</td> <td>Media transport</td> <td>CI</td> <td><a href="#03-08-05">Media transport 03.08.05</a></td> </tr><tr><td>MP-06</td> <td>Media sanitization</td> <td>CI</td> <td><a href="#03-08-03">Media sanitization 03.08.03</a></td> </tr><tr><td>MP-06(03)</td> <td>Media sanitization: Non-destructive techniques</td> <td>ORC</td> <td>none</td> </tr><tr><td>MP-06(08)</td> <td>Media sanitization: Remote purging or wiping of information</td> <td>ORC</td> <td>none</td> </tr><tr><td>MP-07</td> <td>Media use</td> <td>CI</td> <td><a href="#03-08-07">Media use 03.08.07</a></td> </tr><tr><td>MP-08</td> <td>Media downgrading</td> <td>ORC</td> <td>none</td> </tr><tr><td>MP-08(03)</td> <td>Media downgrading: Protected information</td> <td>ORC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab11"><caption>Table 11: Physical and environmental protection (PE)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PE-01</td> <td>Physical and environmental protection policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures
03.15.01</a></td> </tr><tr><td>PE-02</td> <td>Physical access authorizations</td> <td>CI</td> <td><a href="#03-10-01">Physical access authorizations 03.10.01</a></td> </tr><tr><td>PE-02(400)</td> <td>Physical access authorizations: Identification cards requirements</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-03</td> <td>Physical access control</td> <td>CI</td> <td><a href="#03-10-07">Physical access control 03.10.07</a></td> </tr><tr><td>PE-03(400)</td> <td>Physical access control: Security inspections</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-04</td> <td>Access control for transmission</td> <td>CI</td> <td><a href="#03-10-08">Access control for transmission 03.10.08</a></td> </tr><tr><td>PE-05</td> <td>Access control for output devices</td> <td>CI</td> <td><a href="#03-10-07">Physical access control 03.10.07</a></td> </tr><tr><td>PE-06</td> <td>Monitoring physical access</td> <td>CI</td> <td><a href="#03-10-02">Monitoring physical access 03.10.02</a></td> </tr><tr><td>PE-06(01)</td> <td>Monitoring physical access: Intrusion alarms and surveillance equipment</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-08</td> <td>Visitor access records</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-09</td> <td>Power equipment and cabling</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-10</td> <td>Emergency shutoff</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-11</td> <td>Emergency power</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-12</td> <td>Emergency lighting</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13</td> <td>Fire protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13(01)</td> <td>Fire protection: Detection systems – automatic activation and notification</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13(04)</td> <td>Fire protection: Inspections</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13(400)</td> <td>Fire protection: Emergency services</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-14</td> <td>Environmental controls</td> <td>NCO</td> 
<td>none</td> </tr><tr><td>PE-15</td> <td>Water damage protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-16</td> <td>Delivery and removal</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-17</td> <td>Alternate work site</td> <td>CI</td> <td><a href="#03-10-06">Alternate work site 03.10.06</a></td> </tr><tr><td>PE-400</td> <td>Remote and telework environments</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-400(01)</td> <td>Remote and telework environments: Physical information and assets storage</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-400(02)</td> <td>Remote and telework environments: International remote/telework</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-401</td> <td>Security operations centre</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab12"><caption>Table 12: Planning (PL)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PL-01</td> <td>Planning policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>PL-02</td> <td>System security and privacy plans</td> <td>CI</td> <td><a href="#03-15-02">System security plan 03.15.02</a></td> </tr><tr><td>PL-04</td> <td>Rules of behaviour</td> <td>CI</td> <td><a href="#03-15-03">Rules of behaviour 03.15.03</a></td> </tr><tr><td>PL-04(01)</td> <td>Rules of behaviour: Social media and external site/application usage
restrictions</td> <td>NCO</td> <td>none</td> </tr><tr><td>PL-08</td> <td>Security and privacy architectures</td> <td>NCO</td> <td>none</td> </tr><tr><td>PL-10</td> <td>Baseline selection</td> <td>GC</td> <td>none</td> </tr><tr><td>PL-11</td> <td>Baseline tailoring</td> <td>GC</td> <td>none</td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab13"><caption>Table 13: Program management (PM)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PM-01</td> <td>Information security program plan</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-02</td> <td>Information security program leadership role</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-03</td> <td>Information security and privacy resources</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-04</td> <td>Plan of action and milestones process</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-05</td> <td>System and program inventory</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-05(01)</td> <td>System inventory: Inventory of personal information</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-06</td> <td>Measures of performance</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-07</td> <td>Enterprise architecture</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-07(01)</td> <td>Enterprise architecture: Offloading</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-08</td> <td>Critical infrastructure plan</td> <td>N/A</td>
<td>none</td> </tr><tr><td>PM-09</td> <td>Risk management strategy</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-10</td> <td>Authorization process</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-11</td> <td>Mission and business process definition</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-12</td> <td>Insider threat program</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-13</td> <td>Security and privacy workforce</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-14</td> <td>Testing, training, and monitoring</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-15</td> <td>Security and privacy groups and associations</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-16</td> <td>Threat awareness program</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-16(01)</td> <td>Threat awareness program: Automated means for sharing threat intelligence</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-17</td> <td>Protecting controlled information on outsourced external systems</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-18</td> <td>Privacy program plan</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-19</td> <td>Privacy program leadership role</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-20</td> <td>Communication of key privacy services</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-20(01)</td> <td>Communication of key privacy services: Privacy policies on websites, applications, and digital services</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-21</td> <td>Maintain a record of disclosures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-22</td> <td>Personal information quality management</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-23</td> <td>Data governance committee</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-24</td> <td>Data integrity board</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-25</td> <td>Minimization of personal information used in testing, training, and research</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-26</td> <td>Complaint management</td> 
<td>N/A</td> <td>none</td> </tr><tr><td>PM-27</td> <td>Privacy reporting</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-28</td> <td>Risk framing</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-29</td> <td>Risk management program leadership roles</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-30</td> <td>Supply chain risk management strategy</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-30(01)</td> <td>Supply chain risk management strategy: Suppliers of critical or mission-essential items</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-31</td> <td>Continuous monitoring strategy</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-32</td> <td>Purposing</td> <td>N/A</td> <td>none</td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab14"><caption>Table 14: Personnel security (PS)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PS-01</td> <td>Personnel security policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>PS-02</td> <td>Position security analysis</td> <td>GC</td> <td>none</td> </tr><tr><td>PS-03</td> <td>Personnel screening</td> <td>CI</td> <td><a href="#03-09-01">Personnel screening 03.09.01</a></td> </tr><tr><td>PS-04</td> <td>Personnel termination</td> <td>CI</td> <td><a href="#03-09-02">Personnel termination and transfer 03.09.02</a></td> </tr><tr><td>PS-05</td> <td>Personnel transfer</td>
<td>CI</td> <td><a href="#03-09-02">Personnel termination and transfer 03.09.02</a></td> </tr><tr><td>PS-06</td> <td>Access agreements</td> <td>NCO</td> <td>none</td> </tr><tr><td>PS-07</td> <td>External personnel security</td> <td>NCO</td> <td>none</td> </tr><tr><td>PS-08</td> <td>Personnel sanctions</td> <td>NCO</td> <td>none</td> </tr><tr><td>PS-09</td> <td>Position descriptions</td> <td>GC</td> <td>none</td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab15"><caption>Table 15: Personal information handling and transparency (PT)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PT-01</td> <td>Personal information handling and transparency policy and procedures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-02</td> <td>Authority to collect and use personal information</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-02(01)</td> <td>Authority to collect and use personal information: Data tagging</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-02(02)</td> <td>Authority to collect and use personal information: Automation</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-03</td> <td>Personal information handling uses and disclosures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-03(01)</td> <td>Personal information handling uses and disclosures: Data tagging</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-03(02)</td> <td>Personal information handling uses and
disclosures: Automation</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04</td> <td>Consent</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(01)</td> <td>Consent: Tailored consent Government of Canada</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(02)</td> <td>Consent: Timely consent</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(03)</td> <td>Consent: Revocation</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(400)</td> <td>Consent: Tailored consent private sector</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-05</td> <td>Privacy notice</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-05(01)</td> <td>Privacy notice: Timely privacy notice statements</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-05(02)</td> <td>Privacy notice: Privacy notice statements</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-06</td> <td>Personal information banks</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-06(01)</td> <td>Personal information banks: Consistent uses and disclosures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-06(02)</td> <td>Personal information banks: Exempt banks</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07</td> <td>Particularly sensitive personal information</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07(01)</td> <td>Particularly sensitive personal information: Social insurance numbers</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07(02)</td> <td>Particularly sensitive personal information: <em>Canadian Charter of Rights and Freedoms</em></td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07(400)</td> <td>Particularly sensitive personal information: Private sector</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-08</td> <td>Data matching requirements</td> <td>N/A</td> <td>none</td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab16"><caption>Table 16: Risk assessment (RA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>RA-01</td> <td>Risk assessment policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>RA-02</td> <td>Security categorization</td> <td>GC</td> <td>none</td> </tr><tr><td>RA-03</td> <td>Risk assessment</td> <td>CI</td> <td><a href="#03-11-01">Risk assessment 03.11.01</a></td> </tr><tr><td>RA-03(01)</td> <td>Risk assessment: Supply chain risk assessment</td> <td>CI</td> <td><a href="#03-11-01">Risk assessment 03.11.01</a></td> </tr><tr><td>RA-05</td> <td>Vulnerability monitoring and scanning</td> <td>CI</td> <td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a></td> </tr><tr><td>RA-05(02)</td> <td>Vulnerability monitoring and scanning: Update vulnerabilities to be scanned</td> <td>CI</td> <td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a></td> </tr><tr><td>RA-05(05)</td> <td>Vulnerability monitoring and scanning: Privileged access</td> <td>ORC</td> <td>none</td> </tr><tr><td>RA-05(11)</td> <td>Vulnerability monitoring and scanning: Public disclosure program</td> <td>NCO</td> <td>none</td> </tr><tr><td>RA-07</td> <td>Risk response</td> <td>CI</td> <td><a href="#03-11-04">Risk response 03.11.04</a></td> </tr><tr><td>RA-09</td> <td>Criticality analysis</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab17"><caption>Table 17: System and services acquisition (SA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SA-01</td> <td>System and services acquisition policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SA-02</td> <td>Allocation of resources</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-03</td> <td>System development life cycle</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04</td> <td>Acquisition process</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04(01)</td> <td>Acquisition process: Functional properties of controls</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04(09)</td> <td>Acquisition process: Functions, ports, protocols, and services in use</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04(10)</td> <td>Acquisition process: Use of approved digital credential products</td> <td>GC</td> <td>none</td> </tr><tr><td>SA-04(12)</td> <td>Acquisition process: Data ownership</td> <td>GC</td> <td>none</td> </tr><tr><td>SA-05</td> <td>System documentation</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-08</td> <td>Security and privacy engineering principles</td> <td>CI</td> <td><a href="#03-16-01">Security engineering principles 03.16.01</a></td> </tr><tr><td>SA-09</td> <td>External system services</td> <td>CI</td> <td><a href="#03-16-03">External system services 03.16.03</a></td> </tr><tr><td>SA-09(01)</td> <td>External system services: Risk assessments and organizational approvals</td> <td>NCO</td> <td>none</td>
</tr><tr><td>SA-09(02)</td> <td>External system services: Identification of functions, ports, protocols, and services</td> <td>ORC</td> <td>none</td> </tr><tr><td>SA-10</td> <td>Developer configuration management</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-10(01)</td> <td>Developer configuration management: Software and firmware integrity verification</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-11</td> <td>Developer testing and evaluation</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-15</td> <td>Development process, standards, and tools</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-15(03)</td> <td>Development process, standards, and tools: Criticality analysis</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-16</td> <td>Developer provided training</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-17</td> <td>Developer security and privacy architecture and design</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-22</td> <td>Unsupported system components</td> <td>CI</td> <td><a href="#03-16-02">Unsupported system components 03.16.02</a></td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab18"><caption>Table 18: System and communications protection (SC)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SC-01</td> <td>System and communications protection policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td>
</tr><tr><td>SC-02</td> <td>Separation of system and user functionality</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-04</td> <td>Information in shared system resources</td> <td>CI</td> <td><a href="#03-13-04">Information in shared system resources 03.13.04</a></td> </tr><tr><td>SC-05</td> <td>Denial-of-service protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-05(02)</td> <td>Denial-of-service protection: Capacity, bandwidth, and redundancy</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-05(03)</td> <td>Denial-of-service protection: Detection and monitoring</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-07</td> <td>Boundary protection</td> <td>CI</td> <td><a href="#03-13-01">Boundary protection 03.13.01</a></td> </tr><tr><td>SC-07(03)</td> <td>Boundary protection: Access points</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(04)</td> <td>Boundary protection: External telecommunications services</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(05)</td> <td>Boundary protection: Deny by default – allow by exception</td> <td>CI</td> <td><a href="#03-13-06">Network communications – deny by default – allow by exception 03.13.06</a></td> </tr><tr><td>SC-07(07)</td> <td>Boundary protection: Split tunneling for remote devices</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(08)</td> <td>Boundary protection: Route traffic to authenticated proxy servers</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(09)</td> <td>Boundary protection: Restrict threatening outgoing communications traffic</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-07(11)</td> <td>Boundary protection: Incoming communications traffic</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-07(12)</td> <td>Boundary protection: Host-based protection</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(13)</td> <td>Boundary protection: Isolation of security tools, mechanisms, and support components</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-08</td> <td>Transmission confidentiality and 
integrity</td> <td>CI</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-08(01)</td> <td>Transmission confidentiality and integrity: Cryptographic protection</td> <td>CI</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-10</td> <td>Network disconnect</td> <td>CI</td> <td><a href="#03-13-09">Network disconnect 03.13.09</a></td> </tr><tr><td>SC-12</td> <td>Cryptographic key establishment and management</td> <td>CI</td> <td><a href="#03-13-10">Cryptographic key establishment and management 03.13.10</a></td> </tr><tr><td>SC-12(01)</td> <td>Cryptographic key establishment and management: Availability</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-13</td> <td>Cryptographic protection</td> <td>CI</td> <td><a href="#03-13-11">Cryptographic protection 03.13.11</a></td> </tr><tr><td>SC-15</td> <td>Collaborative computing devices and applications</td> <td>CI</td> <td><a href="#03-13-12">Collaborative computing devices and applications 03.13.12</a></td> </tr><tr><td>SC-15(03)</td> <td>Collaborative computing devices and applications: Disabling and removal in secure work areas</td> <td>GC</td> <td>none</td> </tr><tr><td>SC-17</td> <td>Public key infrastructure certificates</td> <td>GC</td> <td>none</td> </tr><tr><td>SC-18</td> <td>Mobile code</td> <td>CI</td> <td><a href="#03-13-13">Mobile code 03.13.13</a></td> </tr><tr><td>SC-18(01)</td> <td>Mobile code: Identify unacceptable code and take corrective actions</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(02)</td> <td>Mobile code: Acquisition, development, and use</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(03)</td> <td>Mobile code: Prevent downloading and execution</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(04)</td> <td>Mobile code: Prevent automatic execution</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(05)</td> <td>Mobile code: Allow execution only in confined environments</td> <td>NCO</td> 
<td>none</td> </tr><tr><td>SC-20</td> <td>Secure name/address resolution service (authoritative source)</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-21</td> <td>Secure name/address resolution service (recursive or caching resolver)</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-22</td> <td>Architecture and provisioning for name/address resolution service</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-23</td> <td>Session authenticity</td> <td>CI</td> <td><a href="#03-13-15">Session authenticity 03.13.15</a></td> </tr><tr><td>SC-23(01)</td> <td>Session authenticity: Invalidate session identifiers at logout</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-23(03)</td> <td>Session authenticity: Unique system-generated session identifiers</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-28</td> <td>Protection of information at rest</td> <td>CI</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-28(01)</td> <td>Protection of information at rest: Cryptographic protection</td> <td>CI</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-29</td> <td>Heterogeneity</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-39</td> <td>Process isolation</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab19"><caption>Table 19: System and information integrity (SI)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center"
scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SI-01</td> <td>System and information integrity policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SI-02</td> <td>Flaw remediation</td> <td>CI</td> <td><a href="#03-14-01">Flaw remediation 03.14.01</a></td> </tr><tr><td>SI-02(02)</td> <td>Flaw remediation: Automated flaw remediation status</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-02(06)</td> <td>Flaw remediation: Removal of previous versions of software and firmware</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-03</td> <td>Malicious code protection</td> <td>CI</td> <td><a href="#03-14-02">Malicious code protection 03.14.02</a></td> </tr><tr><td>SI-03(04)</td> <td>Malicious code protection: Updates only by privileged users</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04</td> <td>System monitoring</td> <td>CI</td> <td><a href="#03-14-06">System monitoring 03.14.06</a></td> </tr><tr><td>SI-04(02)</td> <td>System monitoring: Automated tools and mechanisms for real-time analysis</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(04)</td> <td>System monitoring: Inbound and outbound communications traffic</td> <td>CI</td> <td><a href="#03-14-06">System monitoring 03.14.06</a></td> </tr><tr><td>SI-04(05)</td> <td>System monitoring: System-generated alerts</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(10)</td> <td>System monitoring: Visibility of encrypted communications</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(11)</td> <td>System monitoring: Analyze communications traffic anomalies</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(12)</td> <td>System monitoring: Automated organization-generated alerts</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(13)</td> <td>System monitoring: Analyze traffic and event patterns</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(14)</td> <td>System monitoring: Wireless intrusion detection</td> <td>NCO</td> <td>none</td> 
</tr><tr><td>SI-04(15)</td> <td>System monitoring: Wireless to wireline communications</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-05</td> <td>Security alerts, advisories, and directives</td> <td>CI</td> <td><a href="#03-14-03">Security alerts, advisories, and directives 03.14.03</a></td> </tr><tr><td>SI-07</td> <td>Software, firmware, and information integrity</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(01)</td> <td>Software, firmware, and information integrity: Integrity checks</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(02)</td> <td>Software, firmware, and information integrity: Automated notifications of integrity violations</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(03)</td> <td>Software, firmware, and information integrity: Centrally-managed integrity tools</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(07)</td> <td>Software, firmware, and information integrity: Integration of detection and response</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-08</td> <td>Spam protection</td> <td>ORC</td> <td>none</td> </tr><tr><td>SI-08(02)</td> <td>Spam protection: Automatic updates</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-10</td> <td>Information input validation</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-11</td> <td>Error handling</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-12</td> <td>Information management and retention</td> <td>CI</td> <td><a href="#03-14-08">Information management and retention 03.14.08</a></td> </tr><tr><td>SI-16</td> <td>Memory protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-400</td> <td>Dedicated administration workstation</td> <td>CI</td> <td><a href="#03-14-09">Dedicated administration workstation 03.14.09</a></td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab20"><caption>Table 20: Supply chain risk management (SR)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SR-01</td> <td>Supply chain risk management policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SR-02</td> <td>Supply chain risk management plan</td> <td>CI</td> <td><a href="#03-17-01">Supply chain risk management plan 03.17.01</a></td> </tr><tr><td>SR-02(01)</td> <td>Supply chain risk management plan: Establish <abbr title="supply chain risk management">SCRM</abbr> team</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-03</td> <td>Supply chain controls and processes</td> <td>CI</td> <td><a href="#03-17-03">Supply chain requirements and processes 03.17.03</a></td> </tr><tr><td>SR-05</td> <td>Acquisition strategies, tools, and methods</td> <td>CI</td> <td><a href="#03-17-02">Acquisition strategies, tools, and methods 03.17.02</a></td> </tr><tr><td>SR-06</td> <td>Supplier assessments and reviews</td> <td>CI</td> <td><a href="#03-11-01">Risk assessment 03.11.01</a></td> </tr><tr><td>SR-08</td> <td>Notification agreements</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-10</td> <td>Inspection of systems or components</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-11</td> <td>Component authenticity</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-11(01)</td> <td>Component authenticity: Anti-counterfeit training</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-11(02)</td> <td>Component authenticity: Configuration control for component service and repair</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-12</td> <td>Component
disposal</td> <td>ORC</td> <td>none</td> </tr></tbody></table></div> </section>
<section><h2 class="text-info" id="AB">Annex B Organization-defined parameters</h2> <p>This appendix lists the organization-defined parameters (ODPs) that are included in the security requirements in Section 3. The <abbr title="organization-defined parameter">ODP</abbr>s are listed sequentially by requirement family, beginning with the first requirement containing an <abbr title="organization-defined parameter">ODP</abbr> in the Access Control (AC) family and ending with the last requirement containing an <abbr title="organization-defined parameter">ODP</abbr> in the Supply Chain Risk Management (SR) family.</p> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab21"><caption>Table 21: Organization-defined parameters</caption> <thead><tr class="active"><th class="text-center" scope="col">Security requirement</th> <th class="text-center" scope="col">Organization-defined parameter</th> </tr></thead><tbody><tr><td><a href="#03-01-01">Account management 03.01.01</a>.F.02</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.G.01</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.G.02</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.G.03</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.H</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management
03.01.01</a>.H</td> <td>[Assignment: organization-defined circumstances]</td> </tr><tr><td><a href="#03-01-05">Least privilege 03.01.05</a>.B</td> <td>[Assignment: organization-defined security functions]</td> </tr><tr><td><a href="#03-01-05">Least privilege 03.01.05</a>.B</td> <td>[Assignment: organization-defined security-relevant information]</td> </tr><tr><td><a href="#03-01-05">Least privilege 03.01.05</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-01-06">Least privilege – privileged accounts 03.01.06</a>.A</td> <td>[Assignment: organization-defined personnel or roles]</td> </tr><tr><td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a>.A</td> <td>[Assignment: organization-defined number]</td> </tr><tr><td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a>.A</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a>.B</td> <td>[Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action]</td> </tr><tr><td><a href="#03-01-10">Device lock 03.01.10</a>.A</td> <td>[Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]</td> </tr><tr><td><a href="#03-01-11">Session termination 03.01.11</a></td> <td>[Assignment: organization-defined conditions or trigger events requiring session disconnect]</td> </tr><tr><td><a href="#03-01-20">Use of external systems 03.01.20</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-02-01">Literacy training and awareness 03.02.01</a>.A.01</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a 
href="#03-02-01">Literacy training and awareness 03.02.01</a>.A.02</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-02-01">Literacy training and awareness 03.02.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-02-01">Literacy training and awareness 03.02.01</a>.B</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.A.01</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.A.02</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.B</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-03-01">Event logging 03.03.01</a>.A</td> <td>[Assignment: organization-defined event types]</td> </tr><tr><td><a href="#03-03-01">Event logging 03.03.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-03-04">Response to audit logging process failures 03.03.04</a>.A</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-03-04">Response to audit logging process failures 03.03.04</a>.B</td> <td>[Assignment: organization-defined additional actions]</td> </tr><tr><td><a href="#03-03-05">Audit record review, analysis, and reporting 03.03.05</a>.A</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-03-07">Time stamps 03.03.07</a>.B</td> <td>[Assignment: organization-defined granularity of time measurement]</td> </tr><tr><td><a href="#03-04-01">Baseline configuration 03.04.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-02">Configuration settings 03.04.02</a>.A</td> <td>[Assignment: organization-defined 
configuration settings]</td> </tr><tr><td><a href="#03-04-06">Least functionality 03.04.06</a>.B</td> <td>[Assignment: organization-defined functions, ports, protocols, connections, and/or services]</td> </tr><tr><td><a href="#03-04-06">Least functionality 03.04.06</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-08">Authorized software – allow by exception 03.04.08</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-10">System component inventory 03.04.10</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-12">System and component configuration for high-risk areas 03.04.12</a>.A</td> <td>[Assignment: organization-defined system configurations]</td> </tr><tr><td><a href="#03-04-12">System and component configuration for high-risk areas 03.04.12</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a>.B</td> <td>[Assignment: organization-defined circumstances or situations requiring re-authentication]</td> </tr><tr><td><a href="#03-05-02">Device identification and authentication 03.05.02</a></td> <td>[Assignment: organization-defined devices or types of devices]</td> </tr><tr><td><a href="#03-05-05">Identifier management 03.05.05</a>.C</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-05-05">Identifier management 03.05.05</a>.D</td> <td>[Assignment: organization-defined characteristic identifying individual status]</td> </tr><tr><td><a href="#03-05-07">Password management 03.05.07</a>.A</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-05-07">Password management 03.05.07</a>.F</td> <td>[Assignment: organization-defined composition and complexity rules]</td> </tr><tr><td><a href="#03-05-12">Authenticator management 03.05.12</a>.E</td> 
<td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-05-12">Authenticator management 03.05.12</a>.E</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a>.B</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a>.C</td> <td>[Assignment: organization-defined authorities]</td> </tr><tr><td><a href="#03-06-03">Incident response testing 03.06.03</a></td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.A.01</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.A.03</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.B</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-08-07">Media use 03.08.07</a>.A</td> <td>[Assignment: organization-defined types of system media]</td> </tr><tr><td><a href="#03-09-01">Personnel screening 03.09.01</a>.B</td> <td>[Assignment: organization-defined conditions requiring rescreening]</td> </tr><tr><td><a href="#03-09-02">Personnel termination and transfer 03.09.02</a>.A.01</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-10-01">Physical access authorizations 03.10.01</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-10-02">Monitoring physical access 03.10.02</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-10-02">Monitoring physical access 03.10.02</a>.B</td> <td>[Assignment: 
organization-defined events or potential indications of events]</td> </tr><tr><td><a href="#03-10-06">Alternate work site 03.10.06</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-11-01">Risk assessment 03.11.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a>.A</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a>.B</td> <td>[Assignment: organization-defined response times]</td> </tr><tr><td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-12-01">Security assessment 03.12.01</a></td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-12-05">Information exchange 03.12.05</a>.A</td> <td>[Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service-level agreements; user agreements; nondisclosure agreements; other types of agreements]</td> </tr><tr><td><a href="#03-12-05">Information exchange 03.12.05</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-13-09">Network disconnect 03.13.09</a></td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-13-10">Cryptographic key establishment and management 03.13.10</a></td> <td>[Assignment: organization-defined requirements for key establishment and management]</td> </tr><tr><td><a href="#03-13-11">Cryptographic protection 03.13.11</a></td> <td>[Assignment: organization-defined types of cryptography]</td> </tr><tr><td><a href="#03-13-12">Collaborative computing devices and applications 03.13.12</a>.A</td> <td>[Assignment: organization-defined exceptions where remote activation is to be 
allowed]</td> </tr><tr><td><a href="#03-14-01">Flaw remediation 03.14.01</a>.B</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-14-02">Malicious code protection 03.14.02</a>.C.01</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-15-01">Policy and procedures 03.15.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-15-02">System security plan 03.15.02</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-15-03">Rules of behaviour 03.15.03</a>.D</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-16-01">Security engineering principles 03.16.01</a></td> <td>[Assignment: organization-defined systems security engineering principles]</td> </tr><tr><td><a href="#03-16-03">External system services 03.16.03</a>.A</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-17-01">Supply chain risk management plan 03.17.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-17-03">Supply chain requirements and processes 03.17.03</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr></tbody></table></div> </section><aside class="wb-fnote" role="note"><h2 id="reference">Notes</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>System that is used or operated by a <abbr title="Government of Canada">GC</abbr> department or agency, by a contractor, or by another organization on behalf of a department or agency. 
The term system as used in this publication includes people, processes and technologies involved in the handling, processing, storage or transmission of <abbr title="controlled information">CI</abbr>. Systems can include operational technology (OT), information technology (IT), Internet of Things (IoT) devices, industrial IoT (IIoT) devices, specialized systems, cyber-physical systems, embedded systems, and sensors.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>Components include workstations, servers, notebook computers, smartphones, tablets, input and output devices, network components, operating systems, virtual machines, database management systems, and applications.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </div> </div> </article>

  • Mobile device guidance for high profile travellers (ITSAP.00.088)
    by Canadian Centre for Cyber Security on April 1, 2025 at 5:02 pm

    <article data-history-node-id="635" about="/en/guidance/mobile-device-guidance-high-profile-travellers-itsap-00088" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>March 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.088</strong></p> </div> </div> <p>High-profile positions, such as politics or senior management, often require travel for work. These roles typically involve using mobile devices to access sensitive data while travelling for business. Mobile devices can be targeted by threat actors seeking information, including foreign intelligence services, criminal groups and competitor organizations. If a device is compromised, it may lead to unauthorized access to an organization’s network and important data. It is advisable to assess the risks of using mobile devices in certain locations before embarking on business travel.</p> <h2 class="text-info">Threats to your mobile devices and information</h2> <p>Threat actors use different techniques to gain access to devices and sensitive information. 
The following are examples of common attack methods.</p> <ul><li><strong>Shoulder surfing:</strong> Using in-person techniques to physically view and steal your sensitive information.</li> <li><strong>Phishing:</strong> Sending fraudulent emails or texts that include malicious files, malicious links, or requests for personal information. <ul><li><strong>Spear-phishing:</strong> Attacking a select group of individuals or a single person and including details that are tailored to be more convincing, making the source appear more legitimate.</li> <li><strong>Whaling:</strong> Attacking a big “phish”, such as a CEO or executive, because of their level of authority and possible access to more sensitive information.</li> </ul></li> <li><strong>Network spoofing:</strong> Masquerading as a legitimate network.</li> <li><strong>Signal jamming:</strong> Interfering with, disrupting, or blocking communications signals and services.</li> <li><strong>Adversary-in-the-middle attacks (AitM):</strong> Exploiting vulnerabilities to intercept and potentially manipulate communications in transit.</li> <li><strong>Ransomware:</strong> Using malicious software to encrypt files or lock systems and devices until the victim pays a sum of money.</li> </ul><p>For more information on these types of threats, refer to:</p> <ul><li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="/en/guidance/protecting-your-organization-while-using-wi-fi-itsap80009">Protecting your organization while using Wi-Fi (ITSAP.80.009)</a></li> <li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> </ul><h2 class="text-info">Travel devices</h2> <p>Your organization should identify and consider the risks for high-profile travellers and determine your level of tolerance. 
If the risk level is significant, you should consider issuing travel devices for high-profile travellers as a mitigation measure. Travel devices have limitations in user functionality and data storage.</p> <p>If travel devices are not available, your organization should ensure that travellers use corporately owned devices with the appropriate security controls installed. High-profile travellers should also complete awareness training to further mitigate risks.</p> <p>Your organization should advise against the use of personal devices for business use during travel. For more information on device security and travel, refer to <a href="https://www.cyber.gc.ca/en/guidance/device-security-travel-and-telework-abroad-itsap00188">Device security for travel and telework abroad (ITSAP.00.188)</a>.</p> <h3>High-risk travel</h3> <p>Travel is considered high risk if a traveller’s identity or occupation is well known or high profile. This is especially true if they are travelling to a widely known event or if the destination is considered high risk by <a href="https://travel.gc.ca/travelling/advisories">Global Affairs Canada (GAC) Travel advice and advisories by destination</a>.</p> <p>Your organization should consider all potential risks introduced by international travel and determine its level of tolerance. You and your organization should implement measures to mitigate those identified risks. 
If you are unsure of the risk of your travel, contact your IT security department.</p> <h3>Guide for high-profile business travellers</h3> <p>Consider the following tips before, during and after your travel abroad.</p> <h4>Before your trip</h4> <ul><li>Contact your IT security department to implement any additional security measures on your devices or ask for a corporate temporary travel device</li> <li>Enforce multi-factor authentication (MFA) to access devices and accounts</li> <li>Install anti-virus and anti-spyware protection and a firewall <ul><li>Configure devices to run anti-virus software on storage devices, such as USB drives, upon installation</li> </ul></li> <li>Run updates and install patches for operating systems and applications</li> <li>Back up devices for possible recovery upon return</li> <li>Remove unnecessary data and applications</li> <li>Install an approved virtual private network (VPN) application on your devices to securely transfer data</li> <li>Encrypt all sensitive information on your mobile device</li> <li>Limit administrative privileges in order to secure software settings and restrict downloadable applications</li> <li>Turn off Bluetooth, Wi-Fi, hotspot and location sharing when not strictly necessary or when not in use</li> </ul><h4>During your trip</h4> <ul><li>Encrypt sensitive information</li> <li>Avoid using personal accounts <ul><li>If necessary, secure accounts with MFA, inform IT of the use of your personal accounts and change passwords upon return</li> </ul></li> <li>Assume that communications transmitted over public servers can be intercepted</li> <li>Use your organization’s network and VPN to access and send sensitive information</li> <li>Be wary of devices and peripherals given to you by individuals outside of your organization</li> <li>Keep your devices in your possession and be aware of your surroundings at all times <ul><li>Encrypt your device</li> <li>Ensure your device is locked when not in use</li> <li>Maintain control of chargers, cables and peripherals</li> </ul></li> <li>Do not store or communicate information above the approved classification of the device</li> <li>Turn off devices before going through customs and security <ul><li>Inform IT if your device is inspected by security</li> </ul></li> <li>Communicate security concerns to your IT security department</li> </ul><h4>After your trip</h4> <ul><li>Use anti-virus software to scan devices for malicious activity before connecting to your home and work networks</li> <li>Change passphrases, passwords or PINs on your devices and accounts that you accessed while travelling</li> <li>Report suspected security concerns to your IT security department so they can complete the following steps: <ul><li>Compare the device’s image with a backup for signs of malicious activity</li> <li>Conduct forensic analysis and a factory reset if your device has been compromised</li> <li>Use a secure backup to restore the device before further use</li> </ul></li> </ul><p>If you notice suspicious activity on your device during or after travel, follow these security measures:</p> <ul><li>Disconnect your device from the Internet and from any other devices</li> <li>Use another device to contact your service provider and your IT team to begin the appropriate incident management processes</li> <li>Keep the device disconnected for the rest of your trip</li> <li>Examine the device in your organization’s secure environment once you return from travelling</li> <li>Eliminate the threat from the device and use the latest secure backup to restore the device</li> <li>Replace the device’s SIM card</li> </ul><h2 class="text-info">Learn more</h2> <ul><li><a href="/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a></li> <li><a href="/en/guidance/mobile-devices-and-business-travellers-itsap00087">Mobile devices and business travellers (ITSAP.00.087)</a></li> <li><a 
href="/en/guidance/securing-enterprise-mobility-itsm80001">Securing the enterprise for mobility (ITSM.80.001)</a></li> <li><a href="/en/guidance/security-considerations-mobile-device-deployments-itsap70002">Security considerations for mobile device deployments (ITSAP.70.002)</a></li> <li><a href="/en/guidance/using-encryption-keep-your-sensitive-data-secure-itsap40016">Using encryption to keep your sensitive data secure (ITSAP.40.016)</a></li> <li><a href="/en/guidance/virtual-private-networks-itsap80101">Virtual private networks (ITSAP.80.101)</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Cyber threats to elections
    by Canadian Centre for Cyber Security on March 28, 2025 at 3:06 pm

    Resources to learn more about cyber threats to elections and mitigate their impacts
