diff --git a/tools/itsg33-issue-generator/controls.csv b/tools/itsg33-issue-generator/controls.csv index a5d5f3b8..a3289ba5 100644 --- a/tools/itsg33-issue-generator/controls.csv +++ b/tools/itsg33-issue-generator/controls.csv 
@@ -25,29 +25,12 @@ AC,2,,ACCOUNT MANAGEMENT,Technical,"(A) The organization identifies and selects It is recommended these reviews be performed when physical access list reviews are performed (see PE-2). This security control/enhancement can be addressed by the organization using a combination of automated and procedural controls. The minimization of administrative privileges is an account management best-practice.",P1,X,(J) frequency [at a frequency no longer than monthly], -AC,3,,ACCESS ENFORCEMENT,Technical,(A) The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.,"Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g.: access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. 
Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3",,S,S,R,,,,,P1,X,, -AC,4,,INFORMATION FLOW ENFORCEMENT,Technical,(A) The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies],"Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations should consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy re-grading mechanisms to reassign security attributes and security labels. 
- Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18.",CSE ITSG-22 Baseline Security Requirements for Network Security Zones in the Government of Canada [Reference 41].,S,S,R,,,,"Examples of devices that can perform information flow enforcement include firewalls, gateways and virtual private networks. 
- Example technologies that implement this control are the Sender Policy Framework (SPF) that can be used to help protect organizations from spoofed email attacks, web content filtering devices that help protect organizations from malicious web traffic and deny users' access to unauthorized web sites, and Data Loss Prevention products.",P1,X,, -AC,5,,SEPARATION OF DUTIES,Technical,"(A) The organization: - (a) Separates [Assignment: organization-defined duties of individuals]; - (b) Documents separation of duties of individuals; and - (c) Defines information system access authorizations to support separation of duties.","Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2",,S,R,S,,,,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.",P1,X,, AC,6,,LEAST PRIVILEGE,Technical,"(A) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.","Organizations employ least privilege for specific duties and information systems. 
The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2",,S,R,S,,,,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.",P1,X,, AC,7,,UNSUCCESSFUL LOGIN ATTEMPTS,Technical,"(A) The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]. (B) The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.","Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization. If a delay algorithm is selected, the organization may choose to employ different algorithms for different information system components based on the capabilities of those components. Response to unsuccessful login attempts may be implemented at both the operating system and the application levels. 
This control applies to all accesses other than those accesses explicitly identified and documented by the organization in AC-14",,S,S,R,,,,"This security control/enhancement requires careful balance between usability and security. Care needs to be taken to ensure that the appropriate balance between the two seemingly conflicting requirements is achieved. If possible, an increasing time-out period should be used to deter determined attackers. For example, an original time-out of 5 minutes can become 10 minutes after the next 3 unsuccessful attempts, then 20 minutes, then 40 minutes, etc.",P1,X,"(A) number [of a maximum of 5] (A) time period [period of at least 5 minutes] (B) automatic response [locks the account/node for an organization defined time period]", -AC,8,,SYSTEM USE NOTIFICATION,Technical,"(A) The information system displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices in accordance with the TBS Policy on the Use of Electronic Networks [Reference 5]. - (B) The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system. - (C) The information system for publicly accessible systems: - (a) Displays system use information [Assignment: organization-defined conditions], before granting further access; - (b) Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and - (c) Includes a description of the authorized uses of the system.",System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. 
System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Deparmental Legal Services Branch for legal review and approval of warning banner content,TBS Policy on the Use of Electronic Networks [Reference 5].,S,S,R,,,,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.",P1,X,, -AC,9,,PREVIOUS LOGON (ACCESS) NOTIFICATION,Technical,"(A) The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).","This control is applicable to logons to information systems via human user interfaces and logons to systems that occur in other types of architectures (e.g., service-oriented architectures). Related controls: AC-7, PL-4",,,,R,,,,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. - This security control/enhancement should be implemented where possible and practical. Some COTS operating systems may not support this capability.",P2,X,, -AC,10,,CONCURRENT SESSION CONTROL,Technical,(A) The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].,"Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. 
For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts",,S,,R,,,,,P2,X,(A) concurrent [a number not greater than 3], AC,11,,SESSION LOCK,Technical,"(A) The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user. (B) The information system retains the session lock until the user re-establishes access using established identification and authentication procedures.","Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7",,S,,R,,,,"This security control/enhancement is considered to be best practice. 
Consequently, inclusion in a departmental profile is strongly encouraged in most cases.",P2,X,(A) time period [after a period no longer than 30 minutes], AC,12,,SESSION TERMINATION,Technical,(A) The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].,"This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23",,,R,,,,,,None defined,Not Selected,, 
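Review bot: the rows deleted in this hunk (AC-3, AC-4, AC-5, AC-8, AC-9, AC-10) are all selected in the profile (`P1,X` / `P2,X`), and rows kept as context still point at them: the AC-6 row's `Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2` now cites two controls that no longer exist in the file. The hunk adds nothing in their place, so it is not clear from the diff whether the intent is to stop generating issues for these controls or to drop them from the catalogue entirely. If it is the former, flipping the selection column (`X` to `Not Selected`) keeps the cross-references resolvable; if it is the latter, please say so in the commit message and confirm the generator tolerates a `Related controls` reference to a control absent from controls.csv rather than failing or emitting a dangling link.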
@@ -84,7 +67,6 @@ AC,22,,PUBLICLY ACCESSIBLE CONTENT,Technical,"(A) The organization designates in (D) The organization reviews the content on the publicly accessible information system for confidentially sensitive information [Assignment: organization-defined frequency] and removes such information, if discovered.","In accordance with GC legislation and TBS policies, directives and standards, the general public is not authorized access to confidentially sensitive information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13",,R,,,,,S,This security control/enhancement is applicable to the organization as opposed to a specific information system.,P1,Not Selected,, AC,23,,DATA MINING PROTECTION,Technical,(A) The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.,"Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. 
In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites",,,R,,,,,,None defined,Not Selected,, AC,24,,ACCESS CONTROL DECISIONS,Technical,(A) The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.,"Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when information systems enforce access control decisions. While it is very common to have access control decisions and access enforcement implemented by the same entity, it is not required and it is not always an optimal implementation choice. For some architectures and distributed information systems, different entities may perform access control decisions and access enforcement",,R,S,,,,,,None defined,Not Selected,, -AC,25,,REFERENCE MONITOR,Technical,"(A) The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.","Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. 
Reference monitors typically enforce mandatory access control policies—a type of access control that restricts access to objects based on the identity of subjects or groups to which the subjects belong. The access controls are mandatory because subjects with certain privileges (i.e., access permissions) are restricted from passing those privileges on to any other subjects, either directly or indirectly—that is, the information system strictly enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy. Related controls: AC-3, AC-16, SC-3, SC-39",,,,R,,,,,None defined,Not Selected,, AT,1,,SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES,Operational,"(A) The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: (a) A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. 
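Review bot: the removal of AC-25 applies a selection rule that the neighbouring rows do not follow: AC-22, AC-23 and AC-24 are kept as context even though they carry the same `Not Selected` marker (and AC-23 and AC-24 the same `None defined` priority) as the deleted AC-25 row. If the rule is "drop Not Selected rows", apply it uniformly across the file; if it is something else (for example, dropping controls the generator cannot map to an issue template), record that rule in the commit message or the tool's README so the next edit to controls.csv follows it.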
@@ -123,24 +105,11 @@ AU,2,,AUDITABLE EVENTS,Technical,"(A) The organization determines that the infor (b) Successful and unsuccessful logon attempts (c) Starting and ending time for user access to the system (d) Concurrent logons from different workstations",P1,X,(A) events [Authorizer defined list of auditable events (see Notes and additional requirements column)], -AU,3,,CONTENT OF AUDIT RECORDS,Technical,"(A) The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.","Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11",,S,,R,,,,,P1,X,, AU,4,,AUDIT STORAGE CAPACITY,Technical,(A) The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].,"Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. 
Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4",,,R,,,,,,P1,X,, -AU,5,,RESPONSE TO AUDIT PROCESSING FAILURES,Technical,"(A) The information system alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and - (B) The information system takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].","Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12",,S,S,R,,,,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.",P2,X,(B) Action [overwrite], AU,6,,"AUDIT REVIEW, ANALYSIS, AND REPORTING",Technical,"(A) The organization reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]. 
(B) The organization reports findings to [Assignment: organization-defined personnel or roles].","Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7",TBS Operational Security Standard - Management of Information Technology Security [Reference 7].,R,,,,,,"In order for audit to be effective, audit logs need to be collected from the various systems, amalgamated centrally and analyzed regularly by an automated tool. This approach ensures that audit logs are scrutinized and that coordinated attacks can be identified. Although an automated capability is preferable, this security control can be met using manual processes.",P1,X,, -AU,7,,AUDIT REDUCTION AND REPORT GENERATION,Technical,"(A) The information system provides an audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents. 
- (B) The information system provides an audit reduction and report generation capability that does not alter the original content or time ordering of audit records.","Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behaviour in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6",,,,R,,,,,P2,X,, -AU,8,,TIME STAMPS,Technical,"(A) The information system uses internal system clocks to generate time stamps for audit records. - (B) The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].","Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. 
Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12",,,,R,,,,,P1,X,, -AU,9,,PROTECTION OF AUDIT INFORMATION,Technical,"(A) The information system protects audit information and audit tools from unauthorized access, modification, and deletion.","Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6",,,,R,,,,,P2,X,, -AU,10,,NON-REPUDIATION,Technical,(A) The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].,"Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts). 
Related controls: SC-12, SC-8, SC-13, SC-16, SC-17, SC-23",CSE ITSG-31 User Authentication for IT Systems [Reference 18].,,,R,,,,"This security control/enhancement specifies a very specialized and/or advanced capability that is not required for all systems. Consequently, inclusion in a departmental profile is made on a case by case basis.",None defined,Not Selected,, AU,11,,AUDIT RECORD RETENTION,Technical,(A) The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.,"al Guidance: Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to legal requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. Related controls: AU-4, AU-5, AU-9, MP-6",,R,,,,,,Applicable legal requirements may determine the required retention period.,P2,X,, -AU,12,,AUDIT GENERATION,Technical,"(A) The information system provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]. - (B) The information system allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system. - (C) The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.","Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. 
These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7",,,,R,,,,"In order to facilitate audit review and analysis, audit records should be time correlated and provided in a common format. Time correlation can be achieved by synchronizing the clocks of the systems generating the audit events.",P1,X,(A) components [Authorizer defined components], AU,13,,MONITORING FOR INFORMATION DISCLOSURE,Technical,(A) The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.,"Open source information includes, for example, social networking sites. Related controls: PE-3, SC-7",,R,,,,,,,None defined,Not Selected,, -AU,14,,SESSION AUDIT,Technical,(A) The information system provides the capability for authorized users to select a user session to capture/record or view/hear.,"Session audits include, for example, monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable GC legislation and TBS policies, directives and standards. Related controls: AC-3, AU-4, AU-5, AU-9, AU-11",,,,R,,,,,None defined,Not Selected,, AU,15,,ALTERNATE AUDIT CAPABILITY,Technical,(A) The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].,"Since an alternate audit capability may be a short-term protection employed until the failure in the primary auditing capability is corrected, organizations may determine that the alternate audit capability need only provide a subset of the primary audit functionality that is impacted by the failure. 
Related control: AU-5.",,,R,,,,,,None defined,Not Selected,, AU,16,,CROSS-ORGANIZATIONAL AUDITING,Technical,(A) The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.,"When organizations use information systems and/or services of external organizations, the auditing capability necessitates a coordinated approach across organizations. For example, maintaining the identity of individuals that requested particular services across organizational boundaries may often be very difficult, and doing so may prove to have significant performance ramifications. Therefore, it is often the case that cross-organizational auditing (e.g., the type of auditing capability provided by service-oriented architectures) simply captures the identity of individuals issuing requests at the initial information system, and subsequent systems record that the requests emanated from authorized individuals. Related control: AU-6.",,,R,,,,,,None defined,Not Selected,, CA,1,,SECURITY ASSESSMENT AND AUTHORIZATION POLICIES AND PROCEDURES,Management,"(A) The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 
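Review bot: The deleted AU-9 and AU-12 rows in this hunk are marked as selected in the profile (`P2,X` and `P1,X`, with AU-12 even carrying the Authorizer assignment `(A) components [Authorizer defined components]`), while the Not Selected rows AU-13, AU-15 and AU-16 are kept, so the generator stops raising issues for protection of audit information and audit generation but retains rows it would not raise anyway; please state in the commit message which criterion drove the removal. The retained AU-11 row also still lists AU-9 under "Related controls", which becomes a dangling reference if the generator resolves related controls, and its guidance field begins with the truncated prefix `"al Guidance:`, a pre-existing cut that deserves a follow-up fix.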
@@ -263,11 +232,6 @@ IA,1,,IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES,Technical,"(A) The (B) The organization Reviews and updates the current: (a) Identification and authentication policy [Assignment: organization-defined frequency]; and (b) Identification and authentication procedures [Assignment: organization-defined frequency].","This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable GC legislation and TBS policies, directives, and standards. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.",TBS Operational Security Standard - Management of Information Technology Security [Reference 7].,R,,,,,S,,P1,X,(A) (B) frequency [at a frequency no longer than annually], -IA,2,,IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS),Technical,(A) The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).,"Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. 
Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case of multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted VPNs for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and identity smart cards. 
In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8.","CSE ITSG-31 User Authentication for IT Systems [Reference 18]. - CSE ITSB-60 Guidance on the Use of the Transport Layer Security Protocol within the Government of Canada [Reference 34].",S,R,S,,,,"The implementation of this security control/enhancement should be determined based on a Threat and Risk Assessment (TRA). - Multifactor authentication can be addressed using a software-based certificate in conjunction with a username and password. - Network access is not the same as remote access.",P1,X,, -IA,3,,DEVICE IDENTIFICATION AND AUTHENTICATION,Technical,(A) The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.,"Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and EAP, Radius server with EAP-TLS authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. 
Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability. Related controls: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5",,S,,R,,,,"This security control/enhancement can be met using readily available Commercial-Off-The-Shelf (COTS) components. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.",P1,X,, IA,4,,IDENTIFIER MANAGEMENT,Technical,"(A) The organization manages information system identifiers by receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier. (B) The organization manages information system identifiers by selecting an identifier that identifies an individual, group, role, or device. (C) The organization manages information system identifiers by assigning the identifier to the intended individual, group, role, or device. 
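Review bot: Removing IA-2 here takes out the base control for user identification and authentication (`P1,X`) while the rest of the IA family stays: IA-1 and IA-4 remain in this hunk, and the IA-5 row kept as context in the following hunk still lists IA-2 and IA-8 under "Related controls", so those references now point at rows that no longer exist in the file. If IA-2 and IA-3 are intentionally tracked elsewhere, say so in the commit message; otherwise these two rows should be kept.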
@@ -283,18 +247,6 @@ IA,5,,AUTHENTICATOR MANAGEMENT,Technical,"(A) The organization manages informati (H) The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification. (I) The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators. (J) The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes.","Individual authenticators include, for example, passwords, tokens, biometrics, Public Key Infrastructure (PKI) certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. 
Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28",CSE ITSG-31 User Authentication for IT Systems [Reference 18].,S,R,S,,,,,P1,X,(G) [not to exceed 180 days], -IA,6,,AUTHENTICATOR FEEDBACK,Technical,(A) The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.,"The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it. Related control: PE-18",,,,R,,,,"This security control/enhancement is considered to be best practice. 
Consequently, inclusion in a departmental profile is strongly encouraged in most cases.",P1,X,, -IA,7,,CRYPTOGRAPHIC MODULE AUTHENTICATION,Technical,"(A) The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable GC legislation and TBS policies, directives, and standards for such authentication.","Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13","CSE ITSA-11 Approved Cryptographic Algorithms for the Protection of Protected Information [Reference 8]. - CSE ITSG-31 User Authentication for IT Systems [Reference 18]. - CSE ITSB-40A Government of Canada Policy for the Protection of Classified Information Using Suite B Algorithms [Reference 28]. - NIST FIPS PUB 140-2 Security Requirements for Cryptographic Modules [Reference 4]",,,R,,,,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. - For additional guidance please refer to ITSG-31 User Authentication Guidance for IT Systems.",P2,X,, -IA,8,,IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS),Technical,(A) The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).,"Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. 
Authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to GC information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8","CSE ITSG-31 User Authentication for IT Systems [Reference 18]. - TBS Standard on Identity and Credential Assurance [Reference 60]. - TBS Guideline on Defining Authentication Requirements [Reference 61]. - TBS Guideline on Identity Assurance [Reference 62].",,,R,,,,,P2,X,, -IA,9,,SERVICE IDENTIFICATION AND AUTHENTICATION,Technical,(A) The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].,"This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services",,S,S,R,,,,"This security control/enhancement specifies a very specialized and/or advanced capability that is not required for all systems. 
Consequently, inclusion in a departmental profile is made on a case by case basis.",None defined,Not Selected,, -IA,10,,ADAPTIVE IDENTIFICATION AND AUTHENTICATION,Technical,(A) The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].,"Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behaviour (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities, accessing greater quantities of information than the individuals would routinely access, or attempting to access information from suspicious network addresses). In these situations when certain pre-established conditions or triggers occur, organizations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of mechanism based on the number and/or types of records being accessed. Related controls: AU-6, SI-4",,S,S,R,,,,"This security control/enhancement specifies a very specialized and/or advanced capability that is not required for all systems. 
Consequently, inclusion in a departmental profile is made on a case by case basis.",None defined,Not Selected,, IA,11,,RE-AUTHENTICATION,Technical,(A) The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].,"In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii), when roles change; (iii) when security categories of information systems change; (iv), when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically. Related control: AC-11",,R,S,S,,,,"This security control/enhancement specifies a very specialized and/or advanced capability that is not required for all systems. Consequently, inclusion in a departmental profile is made on a case by case basis.",None defined,Not Selected,, IR,1,,INCIDENT RESPONSE POLICY AND PROCEDURES,Operational,"(A) The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: (a) An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 
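Review bot: IA-6 and IA-7 in this hunk carry the note "This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases." and IA-8 is selected (`P2,X`), so deleting them together with the Not Selected IA-9 and IA-10 mixes two different kinds of row in one removal. If the aim is to drop unselected controls, keep IA-6, IA-7 and IA-8 (and note that IA-11, also Not Selected, is retained); if the aim is something else, document it, since a reader of the CSV cannot tell why authenticator feedback and cryptographic module authentication disappeared while re-authentication stayed.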
@@ -386,8 +338,6 @@ MP,8,,MEDIA DOWNGRADING,Operational,"(A) The organization establishes [Assignmen (D) The organization downgrades the identified information system media using the established process.","This control applies to all information system media, digital and non-digital, subject to release outside of the organization, whether or not the media is considered removable. The downgrading process, when applied to system media, removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading of media also ensures that empty space on the media (e.g., slack space within files) is devoid of information","TBS Information Technology Policy Implementation Notice 2014-01 [Reference 68]. None. CSE ITSG-06 Cleaning and Declassifying Electronic Data Storage Devices [Reference 16].",R,S,,,,,,P1,X,, -PE,18,,LOCATION OF INFORMATION SYSTEM COMPONENTS,Operational,(A) The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.,"Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). 
Related controls: CP-2, PE-19, RA-3","CSE ITSG-02 Criteria for the Design, Fabrication, Supply, Installation and Acceptance Testing of Walk-in, Radio-Frequency-Shielded Enclosures [Reference 35]. - RCMP G1-026 Guide to the Application of Physical Security Zones [Reference 52].",S,,,R,,,,P1,X,, PE,20,,ASSET MONITORING AND TRACKING,Operational,"(A) The organization employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]. (B) The organization ensures that asset location technologies are employed in accordance with applicable GC legislation and TBS policies, directives, and standards.",Asset location technologies can help organizations ensure that critical assets such as vehicles or essential information system components remain in authorized locations. Organizations consult with the Office of the General Counsel and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) regarding the deployment and use of asset location technologies to address potential privacy concerns. Related control: CM-8,TBS Policy Framework for the Management of Assets and Acquired Services [Reference 75].,,R,,,,,,P1,X,, PL,1,,SECURITY PLANNING POLICY AND PROCEDURES,Management,"(A) The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 
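Review bot: PE-18 is selected (`P1,X`) and is the target of the "Related control: PE-18" reference in the IA-6 row deleted in an earlier hunk, so this removal is consistent only if both deletions are intentional; please confirm that in the commit message. Separately, the retained MP-8 context row's references field reads `[Reference 68]. None. CSE ITSG-06`, where the stray `None.` between two citations looks like an empty-column artifact from an earlier merge and is worth cleaning in a follow-up.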
@@ -527,19 +477,7 @@ SC,1,,SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES,Technical,"(A) (B) The organization reviews and updates the current: (a) System and communications protection policy [Assignment: organization-defined frequency]; and (b) System and communications protection procedures [Assignment: organization-defined frequency].","This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. The system and communications protection policy and procedures reflect applicable GC legislation and TBS policies, directives, and standards. Security program policies and procedures at the organization level may make system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures",TBS Operational Security Standard - Management of Information Technology Security [Reference 7].,R,,,,,S,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.",P1,X,(A) (B) frequency [at a frequency no longer than annually], -SC,2,,APPLICATION PARTITIONING,Technical,(A) The information system separates user functionality (including user interface services) from information system management functionality.,"Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. 
The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods (e.g., using a logical separation, web administrators would use 2-factor authentication and normal users of the web application would use username/password authentication). Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3",,,,R,,,,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.",P1,X,, -SC,3,,SECURITY FUNCTION ISOLATION,Technical,(A) The information system isolates security functions from non-security functions.,"The information system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from non-security functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. 
Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include non-security functions within the isolation boundary as an exception. Related controls: AC-3, AC-6, SA-4, SA-5, SA-8, SA-13, SC-2, SC-7, SC-39","CSE ITSG-23 BlackBerry Enterprise Server Isolation in a Microsoft Exchange Environment [Reference 42]. - CSE ITSG-38 Network Security Zoning – Design Considerations for Placement of Services within Zones [Reference 43].",,,R,,,,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. However, this security control/enhancement cannot be met using readily available COTS components. Consequently, compliance with this security control/enhancement may be problematic. - Note that this security control/enhancement applies at the platform level.",None defined,Not Selected,, -SC,4,,INFORMATION IN SHARED RESOURCES,Technical,(A) The information system prevents unauthorized and unintended information transfer via shared system resources.,"This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles. Related controls: AC-3, AC-4, MP-6",,,,R,,,,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. However, this security control/enhancement cannot be met using readily available COTS components. Consequently, implementation of this security control/enhancement may be problematic.",None defined,Not Selected,, SC,5,,DENIAL OF SERVICE PROTECTION,Technical,(A) The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].,"A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. 
Related controls: SC-6, SC-7",CSE ITSG-22 Baseline Security Requirements for Network Security Zones in the Government of Canada [Reference 41].,,,R,,,,,P1,X,(A) list [Organizationally defined list], -SC,6,,RESOURCE AVAILABILITY,Technical,(A) The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].,Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles,,,,R,,,,"This security control/enhancement can be met using readily available Commercial-Off-The-Shelf (COTS) components. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.",None defined,Not Selected,, -SC,7,,BOUNDARY PROTECTION,Technical,"(A) The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. - (B) The information system implements sub-networks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks. - (C) The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.","Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected sub-networks). 
Sub-networks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13","CSE ITSG-22 Baseline Security Requirements for Network Security Zones in the Government of Canada [Reference 41]. - CSE ITSG-23 BlackBerry Enterprise Server Isolation in a Microsoft Exchange Environment [Reference 42]. - CSE ITSG-38 Network Security Zoning – Design Considerations for Placement of Services within Zones [Reference 43].",,R,S,,,,A Web Content Filtering proxy is a common device to monitor and control web traffic. Network-based intrusion detection or prevention system is another common device to monitor and control network traffic.,P1,X,, -SC,8,,TRANSMISSION CONFIDENTIALITY AND INTEGRITY,Technical,(A) The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.,"This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4",,,,R,,,,TLS encryption between email servers is an example implementation of this control applied for emails exchange.,P1,X,, SC,10,,NETWORK DISCONNECT,Technical,(A) The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.,"This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. 
Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses",,,,R,,,,"This security control/enhancement can be met using readily available Commercial-Off-The-Shelf (COTS) components. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. The security control/enhancement refers to user sessions such as Web sessions or client VPN sessions. Firewalls will automatically drop TCP/IP sessions after a certain period of inactivity.",P3,X,, SC,11,,TRUSTED PATH,Technical,"(A) The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].","Trusted paths are mechanisms by which users (through input devices) can communicate directly with security functions of information systems with the requisite assurance to support information security policies. The mechanisms can be activated only by users or the security functions of organizational information systems. User responses via trusted paths are protected from modifications by or disclosure to untrusted applications. Organizations employ trusted paths for high-assurance connections between security functions of information systems and users (e.g., during system logons). Enforcement of trusted communications paths is typically provided via an implementation that meets the reference monitor concept. Related controls: AC-16, AC-25",,S,,R,,,,"This security control/enhancement specifies a very specialized and/or advanced capability that is not required for all systems. Consequently, inclusion in a departmental profile is made on a case by case basis. 
Should be used to protect PIN entry for high robustness authentication mechanisms.",None defined,Not Selected,, SC,12,,CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT,Technical,"(A) The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].","Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable GC legislation and TBS policies, directives, and standards, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. The cryptography must be compliant with the requirements of control SC-13. Related controls: SC-13, SC-17","CSE ITSA-11 Approved Cryptographic Algorithms for the Protection of Protected Information [Reference 8]. 
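Review bot: the SC-7 (BOUNDARY PROTECTION) and SC-8 (TRANSMISSION CONFIDENTIALITY AND INTEGRITY) deletions in this hunk remove rows whose trailing columns read `P1,X`, i.e. priority-1 controls marked as selected, while SC-11 (TRUSTED PATH), whose trailing columns read `None defined,Not Selected`, is kept, and no column visible here explains that choice; please state the selection rule in the commit message or in a comment in the generator. The hunk also leaves a dangling cross-reference: the retained SC-5 row still ends its guidance with `Related controls: SC-6, SC-7`, and both SC-6 and SC-7 are deleted here, so if the issue generator links related control IDs those links will point at rows that no longer exist. Note that SC-7 and SC-8 are the two rows in this region that carry concrete implementation notes (physically or logically separated DMZ sub-networks behind managed interfaces; TLS between mail servers), so if the intent was to prune controls the department does not implement, these look like the wrong candidates.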
@@ -549,29 +487,16 @@ SC,12,,CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT,Technical,"(A) The organiz SC,13,,CRYPTOGRAPHIC PROTECTION,Technical,"(A) The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable GC legislation and TBS policies, directives and standards.","Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and CSE-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls or policies, organizations document each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: CSE-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7","CSE ITSA-11 Approved Cryptographic Algorithms for the Protection of Protected Information [Reference 8]. CSE ITSB-40A Government of Canada Policy for the Protection of Classified Information Using Suite B Algorithms [Reference 28]. 
CSE ITSD-01A Directives for the Application of Communications Security in the Government of Canada [Reference 14].",,,R,,,,,P3,X,, -SC,15,,COLLABORATIVE COMPUTING DEVICES,Technical,"(A) The information system prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]. - (B) The information system provides an explicit indication of use to users physically present at the devices.","Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21",,S,,R,,,,,P3,X,(A) [no exceptions], -SC,16,,TRANSMISSION OF SECURITY ATTRIBUTES,Technical,(A) The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.,"Security attributes can be explicitly or implicitly associated with the information contained in organizational information systems or system components. Related controls: AC-3, AC-4, AC-16",,,,R,,,,"This security control/enhancement specifies a very specialized and/or advanced capability that is not required for all systems. Consequently, inclusion in a departmental profile is made on a case by case basis.",None defined,Not Selected,, SC,17,,PUBLIC KEY INFRASTRUCTURE CERTIFICATES,Technical,(A) The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.,"For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. 
This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services. Related control: SC-12",TBS Operational Security Standard: Management of Information technology Security (MITS). [Reference 74],S,R,S,,,,This security control ensures that public key certificates are issued from an appropriate GC Certification Authority.,P3,X,, SC,18,,MOBILE CODE,Technical,"(A) The organization defines acceptable and unacceptable mobile code and mobile code technologies. (B) The organization establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies. (C) The organization authorizes, monitors, and controls the use of mobile code within the information system.","Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3",,R,S,S,,,,,P1,X,, -SC,20,,SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE),Technical,"(A) The information system provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries. 
- (B) The information system provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.","This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22",,,,R,,,,"This security control/enhancement specifies a very specialized and/or advanced capability that is not required for all systems. Consequently, inclusion in a departmental profile is made on a case by case basis. - This security control/enhancement cannot be met using readily available Commercial-Off-The-Shelf (COTS) components. 
Consequently, implementation of this security control/enhancement may be somewhat problematic.",None defined,Not Selected,, -SC,21,,SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER),Technical,(A) The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.,"Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22",,,,R,,,,,None defined,Not Selected,, -SC,23,,SESSION AUTHENTICITY,Technical,(A) The information system protects the authenticity of communications sessions.,"This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. 
Related controls: SC-8, SC-10, SC-11",,,,R,,,,,P1,X,, -SC,24,,FAIL IN KNOWN STATE,Technical,(A) The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.,"Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22",,,,R,,,,"This security control/enhancement is appropriate for organizationally defined systems (e.g., firewalls).",P1,X,, SC,25,,THIN NODES,Technical,(A) The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage.,"The deployment of information system components with reduced/minimal functionality (e.g., diskless nodes and thin client technologies) reduces the need to secure every user endpoint, and may reduce the exposure of information, information systems, and services to cyber-attacks. 
Related control: SC-30",,,,R,,,,,None defined,Not Selected,, SC,26,,HONEYPOTS,Technical,"(A) The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.","A honeypot is set up as a decoy to attract adversaries and to deflect their attacks away from the operational systems supporting organizational missions/business function. Depending upon the specific usage of the honeypot, consultation with the Office of the General Counsel before deployment may be needed. Related controls: SC-30, SC-44, SI-3, SI-4",,,,R,,,,,None defined,Not Selected,, -SC,27,,PLATFORM-INDEPENDENT APPLICATIONS,Technical,(A) The information system includes: [Assignment: organization-defined platform-independent applications].,"Platforms are combinations of hardware and software used to run software applications. Platforms include: (i) operating systems; (ii) the underlying computer architectures, or (iii) both. Platform-independent applications are applications that run on multiple platforms. Such applications promote portability and reconstitution on different platforms, increasing the availability of critical functions within organizations while information systems with specific operating systems are under attack. Related control: SC-29",,,,R,,,,,None defined,Not Selected,, SC,28,,PROTECTION OF INFORMATION AT REST,Technical,(A) The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].,"This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. 
System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7","CSE ITSA-11 Approved Cryptographic Algorithms for the Protection of Protected Information [Reference 8]. CSE ITSB-40A Government of Canada Policy for the Protection of Classified Information Using Suite B Algorithms [Reference 28].",,,R,,,,,P1,X,, -SC,29,,HETEROGENEITY,Technical,(A) The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system.,"Increasing the diversity of information technologies within organizational information systems reduces the impact of potential exploitations of specific technologies and also defends against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one information system component will be equally effective against other system components, thus further increasing the adversary work factor to successfully complete planned cyber-attacks. 
An increase in diversity may add complexity and management overhead which could ultimately lead to mistakes and unauthorized configurations. Related controls: SA-12, SA-14, SC-27",,S,S,R,,,,"In this context employing diverse information technologies refers specifically to the practice of deploying security safeguards from different vendors at various locations. The intent of this security control is to ensure that an attack which exploits a security flaw in one product will be mitigated by a second product from a different vendor. The principle being that products from different vendors are unlikely to be susceptible to the same flaw. For example, firewalls from different vendors should be used in adjacent network zones. Or, virus scanners from different vendors should be used on servers (e.g., mail server) and on desktops.",P2,X,, -SC,30,,CONCEALMENT AND MISDIRECTION,Technical,(A) The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries.,"Concealment and misdirection techniques can significantly reduce the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber-attacks. For example, virtualization techniques provide organizations with the ability to disguise information systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. Increased use of concealment/misdirection techniques including, for example, randomness, uncertainty, and virtualization, may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment/misdirection techniques may also provide organizations additional time to successfully perform core missions and business functions. 
Because of the time and effort required to support concealment/misdirection techniques, it is anticipated that such techniques would be used by organizations on a very limited basis. Related controls: SC-26, SC-29, SI-14",,,S,R,,,,,None defined,Not Selected,, SC,31,,COVERT CHANNEL ANALYSIS,Technical,"(A) The organization performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels. (B) The organization estimates the maximum bandwidth of those channels.","Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorized information flows across security domains, for example, in the case of information systems containing export-controlled information and having connections to external networks (i.e., networks not controlled by organizations). Covert channel analysis is also meaningful for multilevel secure (MLS) information systems, multiple security level (MSL) systems, and cross-domain systems. Related controls: AC-3, AC-4, PL-2",,S,S,R,,,,,None defined,Not Selected,, -SC,32,,INFORMATION SYSTEM PARTITIONING,Technical,(A) The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].,"Information system partitioning is a part of a defence-in-depth protection strategy. Organizations determine the degree of physical separation of system components from physically distinct components in separate racks in the same room, to components in separate rooms for the more critical components, to more significant geographical separation of the most critical components. 
Security categorization can guide the selection of appropriate candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned information system components. Related controls: AC-4, SA-8, SC-2, SC-3, SC-7",,S,S,R,,,,,None defined,Not Selected,, SC,35,,HONEYCLIENTS,Technical,(A) The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.,"Honeyclients differ from honeypots in that the components actively probe the Internet in search of malicious code (e.g., worms) contained on external websites. As with honeypots, honeyclients require some supporting isolation measures (e.g., virtualization) to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational information systems. Related controls: SC-26, SC-44, SI-3, SI-4",,S,,R,,,,,None defined,Not Selected,, SC,36,,DISTRIBUTED PROCESSING AND STORAGE,Technical,(A) The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations.,"Distributing processing and storage across multiple physical locations provides some degree of redundancy or overlap for organizations, and therefore increases the work factor of adversaries to adversely impact organizational operations, assets, and individuals. This control does not assume a single primary processing or storage location, and thus allows for parallel processing and storage. 
Related controls: CP-6, CP-7",,,S,R,,,,,None defined,Not Selected,, SC,37,,OUT-OF-BAND CHANNELS,Technical,"(A) The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems].","Out-of-band channels include, for example, local (non-network) accesses to information systems, network paths physically separate from network paths used for operational traffic, or non-electronic paths such as Canada Post. This is in contrast with using the same channels (i.e., in-band channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability/exposure as in-band channels, and hence the confidentiality, integrity, or availability compromises of in-band channels will not compromise the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of many organizational items including, for example, identifiers/authenticators, configuration management changes for hardware, firmware, or software, cryptographic key management information, security updates, system/data backups, maintenance information, and malicious code protection updates. Related controls: AC-2, CM-3, CM-5, CM-7, IA-4, IA-5, MA-4, SC-12, SI-3, SI-4, SI-7",,,S,R,,,,,None defined,Not Selected,, 
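Review bot: the ten records deleted in this hunk do not share any visible attribute: SC-23 (SESSION AUTHENTICITY) and SC-24 (FAIL IN KNOWN STATE) read `P1,X` and SC-29 (HETEROGENEITY) reads `P2,X`, yet SC-25, SC-26, SC-31, SC-35, SC-36 and SC-37, all `None defined,Not Selected`, stay in the file. If the rule is to drop controls outside the departmental profile, SC-23, SC-24 and SC-29 should stay and the six `Not Selected` rows should go; if the rule is something else, document it. Also check the related-control lists of the rows that remain: SC-25 ends with `Related control: SC-30` and SC-26 with `Related controls: SC-30, SC-44, SI-3, SI-4`, and SC-30 is deleted in this same hunk, so generated issues would reference a control the CSV no longer defines. Separately, SC-20 and SC-21 are the only two DNSSEC rows (authoritative signing and validating resolver); removing both means the generator will never raise an issue for DNS origin authentication, even though SC-20's own guidance lists SC-8, SC-12, SC-13 and SC-21 as related and SC-12 (key management) is kept.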
@@ -579,8 +504,6 @@ SC,38,,OPERATIONS SECURITY,Technical,(A) The organization employs [Assignment: o SC,39,,PROCESS ISOLATION,Technical,(A) The information system maintains a separate execution domain for each executing process.,"Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies. Related controls: AC-3, AC-4, AC-6, SA-4, SA-5, SA-8, SC-2, SC-3",,,S,R,,,,,None defined,Not Selected,, SC,40,,WIRELESS LINK PROTECTION,Technical,(A) The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].,"This control applies to internal and external wireless communication links that may be visible to individuals who are not authorized information system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service, or to spoof users of organizational information systems. This control reduces the impact of attacks that are unique to wireless systems. If organizations rely on commercial service providers for transmission services as commodity items rather than as fully dedicated services, it may not be possible to implement this control. 
Related controls: AC-18, SC-5",,,S,R,,,,,None defined,Not Selected,, SC,41,,PORT AND I/O DEVICE ACCESS,Technical,(A) The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components].,"Connection ports include, for example, Universal Serial Bus (USB) and Firewire (IEEE 1394). Input/output (I/O) devices include, for example, Compact Disk (CD) and Digital Video Disk (DVD) drives. Physically disabling or removing such connection ports and I/O devices helps prevent exfiltration of information from information systems and the introduction of malicious code into systems from those ports/devices",,,S,R,,,,,P2,X,, -SC,42,,SENSOR CAPABILITY AND DATA,Technical,"(A) The information system prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]. - (B) The information system provides an explicit indication of sensor use to [Assignment: organization-defined class of users].","This control often applies to types of information systems or system components characterized as mobile devices, for example, smart phones, tablets, and E-readers. These systems often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include, for example, cameras, microphones, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. 
For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the specific movements of an individual",,,S,R,,,,,P2,X,, SC,43,,USAGE RESTRICTIONS,Technical,"(A) The organization establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously. (B) The organization authorizes, monitors, and controls the use of such components within the information system.","Information system components include hardware, software, or firmware components (e.g., Voice Over Internet Protocol, mobile code, digital copiers, printers, scanners, optical devices, wireless technologies, and mobile devices). Related controls: CM-6, SC-7",,,S,R,,,,,P1,X,, SC,44,,DETONATION CHAMBERS,Technical,"(A) The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location].","Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator (URL) requests in the safety of an isolated environment or virtualized sandbox. These protected and isolated execution environments provide a means of determining whether the associated attachments/applications contain malicious code. While related to the concept of deception nets, the control is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, it is intended to quickly identify malicious code and reduce the likelihood that the code is propagated to user environments of operation (or prevent such propagation completely). 
Related controls: SC-7, SC-25, SC-26, SC-30",CSE ITSB-89 Version 3 Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information [Reference 66],,S,R,,,,,None defined,Not Selected,, 
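Review bot: the criterion for the rows removed in this hunk is not evident from the rows themselves, and should be stated in the commit message or a header comment. The visible removals include controls the profile marks as selected (AC-3 with priority P1 and an X, AC-4, and SC-42 with P2 and an X), while the unselected SC-44 row ("None defined,Not Selected") stays as context, so this is not a "drop unselected controls" pass; a reader of the history cannot tell whether dropping a selected P1 control such as ACCESS ENFORCEMENT from the issue generator's input was intended. Please also confirm that the generator does not resolve the IDs in the kept rows' "Related controls" fields against this file, since any reference to a removed row (AC-3, AC-4, SC-42, or others in the 17 deleted lines) would now dangle.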
@@ -614,17 +537,7 @@ SI,5,,"SECURITY ALERTS, ADVISORIES, AND DIRECTIVES",Operational,"(A) The organiz (B) The organization generates internal security alerts, advisories, and directives as deemed necessary. (C) The organization disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]. (D) The organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of non-compliance.","Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and Canada should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2",TBS Government of Canada Information Technology Information Management Plan [Reference 67].,R,S,,,,,,P1,X,(C) list [list of roles], -SI,6,,SECURITY FUNCTIONAL VERIFICATION,Operational,"(A) The information system verifies the correct operation of [Assignment: organization-defined security functions]. - (B) The information system performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]. - (C) The information system notifies [Assignment: organization-defined personnel or roles] of failed security verification tests. 
- (D) The information system [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.","Transitional states for information systems include, for example, system start-up, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6",,S,R,S,,,,,None defined,Not Selected,, -SI,7,,"SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY",Operational,"(A) The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].","Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Related controls: SA-12, SC-8, SC-13, SI-3",,,R,S,,,,,P2,X,, SI,8,,SPAM PROTECTION,Operational,"(A) The organization employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages. 
(B) The organization updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.","Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions. Related controls: AT-2, AT-3, SC-5, SC-7, SI-3",,,R,,,,,"Spam filters are increasingly relying on the reputation of the email originator. Consequently, these systems need to be continuously updated in order to be effective.",P1,X,, -SI,10,,INFORMATION INPUT VALIDATION,Operational,(A) The information system checks the validity of [Assignment: organization-defined information inputs].,"Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. 
Pre-screening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks",,,,R,,,,"This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. This security control/enhancement should be addressed where applicable and if practical to do so.",P3,X,, -SI,11,,ERROR HANDLING,Operational,"(A) The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. - (B) The information system reveals error messages only to [Assignment: organization-defined personnel or roles].","Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information. 
Related controls: AU-2, AU-3, SC-31",,,,R,,,,,P3,X,(B) [Authorizer defined sensitive or harmful information], SI,12,,INFORMATION OUTPUT HANDLING AND RETENTION,Operational,"(A) The organization handles and retains information within the information system and information output from the system in accordance with applicable GC legislation and TBS policies, directives and standards.","Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Library and Archives Canada provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4",,R,S,S,,,,,P3,X,, -SI,14,,NON-PERSISTENCE,Operational,(A) The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].,"This control mitigates risk from advanced persistent threats (APTs) by significantly reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber-attacks. By implementing the concept of non-persistence for selected information system components, organizations can provide a known state computing resource for a specific period of time that does not give adversaries sufficient time on target to exploit vulnerabilities in organizational information systems and the environments in which those systems operate. Since the advanced persistent threat is a high-end threat with regard to capability, intent, and targeting, organizations assume that over an extended period of time, a percentage of cyber-attacks will be successful. Non-persistent information system components and services are activated as required using protected information and terminated periodically or upon the end of sessions. 
Non-persistence increases the work factor of adversaries in attempting to compromise or breach organizational information systems. Non-persistent system components can be implemented, for example, by periodically re-imaging components or by using a variety of common virtualization techniques. Non-persistent services can be implemented using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent).The benefit of periodic refreshes of information system components/services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult for organizations to determine). The refresh of selected information system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the information system unstable. In some instances, refreshes of critical components and services may be done periodically in order to hinder the ability of adversaries to exploit optimum windows of vulnerabilities. Related controls: SC-30, SC-34.",,,S,R,,,,,None defined,Not Selected,, -SI,15,,INFORMATION OUTPUT FILTERING,Operational,(A) The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.,"Certain types of cyber-attacks (e.g., SQL injections) produce output results that are unexpected or inconsistent with the output results that would normally be expected from software programs or applications. This control enhancement focuses on detecting extraneous content, preventing such extraneous content from being displayed, and alerting monitoring tools that anomalous behaviour has been discovered. 
Related controls: SI-3, SI-4",,,S,R,,,,,None defined,Not Selected,, -SI,17,,FAIL-SAFE PROCEDURES,Operational,(A) The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur].,"Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, re-establish system settings, shut down processes, restart the system, or contact designated organizational personnel). Related controls: CP-12, CP-13, SC-24, SI-13",,S,R,,,,,,None defined,Not Selected,, \ No newline at end of file +SI,14,,NON-PERSISTENCE,Operational,(A) The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].,"This control mitigates risk from advanced persistent threats (APTs) by significantly reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber-attacks. By implementing the concept of non-persistence for selected information system components, organizations can provide a known state computing resource for a specific period of time that does not give adversaries sufficient time on target to exploit vulnerabilities in organizational information systems and the environments in which those systems operate. Since the advanced persistent threat is a high-end threat with regard to capability, intent, and targeting, organizations assume that over an extended period of time, a percentage of cyber-attacks will be successful. 
Non-persistent information system components and services are activated as required using protected information and terminated periodically or upon the end of sessions. Non-persistence increases the work factor of adversaries in attempting to compromise or breach organizational information systems. Non-persistent system components can be implemented, for example, by periodically re-imaging components or by using a variety of common virtualization techniques. Non-persistent services can be implemented using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent).The benefit of periodic refreshes of information system components/services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult for organizations to determine). The refresh of selected information system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the information system unstable. In some instances, refreshes of critical components and services may be done periodically in order to hinder the ability of adversaries to exploit optimum windows of vulnerabilities. Related controls: SC-30, SC-34.",,,S,R,,,,,None defined,Not Selected,, \ No newline at end of file
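Review bot: the SI-14 row is deleted and re-added with apparently identical content, which only happens because it becomes the last line of a file that has no trailing newline (both the removed SI-17 line and the added SI-14 line carry "\ No newline at end of file"); ending controls.csv with a newline would stop the final row from churning in every diff that touches the tail. Since the + line is being rewritten anyway, the missing space in "(either persistent or non-persistent).The benefit" could be fixed there. As with the previous hunk, the removed rows mix selected controls (SI-7 at P2 with an X, SI-10 and SI-11 at P3 with an X) with unselected ones (SI-6, SI-15, SI-17 marked "Not Selected"), so the removal criterion should be stated so reviewers can check that dropping INFORMATION INPUT VALIDATION and ERROR HANDLING from the generated issues was deliberate.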