5. Address security and privacy risks

Canadians who use government services must have confidence that:

If a service cannot guarantee confidentiality, integrity and availability of the system, people will not use it. Effective cyber and IT security is an essential enabler of digital transformation. Securing #GCDigital requires the delivery of government services that are safe, secure and trusted by Canadians.

Guidelines:

5.1 Take a balanced approach to managing risk by implementing appropriate privacy and security measures

All organizations face risks, no matter the size, yet one size does not fit all when it comes to risk management. Each IT organisation has to make difficult decisions around how much time and money to spend protecting their technology and services. An understanding of the users, data and threats that affect the service will help to inform this risk-based approach to support the delivery of a usable and secure system. Appropriate steps must be taken to identify, assess and understand security and privacy risks to GC sensitive and protected data and the systems that process this data.

A key goal of risk management is to inform and improve these decisions. Making it easy for those responsible for risk management decisions to have access to (and understand) the information they require is important for the effective communication of risks. The effective communication of risk management information helps organizations to direct and control risk management activities. Accepting that technology and security risks will be realised and understanding what the organisation will do to minimise damage, continue to operate, and make improvements based on lessons learned.

Assessing cyber risks cannot be done in isolation. It must be assessed while considering potential impacts on other parts of an organization, and interactions with other elements such as financial risk and safety. Understanding what an organization cares about, and why it's important, will help to prioritize where to invest when implementing appropriate privacy and security measures into your design with minimal user impact. The level of investment in privacy and security should be based on the perceived or actual value placed on the assets or information you are protecting. When considering the balance of controls, account for the cost of lost trust - the effort to rebuild trust, should your service be compromised.

Formerly guideline 9.3

Include security and privacy in innovation

Canadians’ support for open data and digital services is enhanced when their privacy rights are protected: transparency and respect for privacy are complementary goals. The shift to digital government offers opportunities to strengthen privacy rights and safely share more data that can benefit society. Innovation must be matched by conscious responsibility regarding stewardship of users’ personal information and data.

Embedding privacy protection in the design of digital applications or open data increases political legitimacy and public confidence, and privacy safeguards are a necessary condition for a successful shift to a digital Government of Canada. Digital services also have the potential to enhance privacy rights, for example, by facilitating access to and correction of personal information.

Organizations have a responsibility to ensure that the data under their care remains protected at all times, including in the process of sharing with external partners and within their own network. This requires an understanding what data is worth protecting, manage who and what can access it, and build effective defenses that both support innovation and protect the investment made in services and associated assets.

Formerly guideline 9.4

The law and governance in cyberspace is not the sole responsibility nor under the authority of any one specific government, or group; boundary-less services require a fulsome understanding of any jurisdiction in which you operate.

Canadians want to have confidence that government digital services are designed to meet the laws and regulations stipulated in multiple acts protecting the confidentiality, integrity and accessibility of systems and information. Develop a legal and regulatory view of the department for the purposes of designing secure information systems through identifying the business needs for security. A business need for security is any protection or compliance requirement that ensures the confidentiality, integrity or availability of a business activity or information assets supporting a business activity. Business needs for security can also be derived from departmental missions, objectives, priorities, the need to preserve the organization's image and reputation, and various obligations that may have been contracted.

Checklist

  • Document the approach to security and risk management including the types of information and optimum level of documentation, necessary to make timely and effective decisions.
  • Ensure that you identify and categorize information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability. Determine the type of information collected, how it should be secured, how long it is kept, and how it may be used and shared.
  • At the start of designing a new service or feature, the team lead should engage the appropriate privacy, information management, and legal officer(s) to ensure that solutions comply with all requirements for the collection, sharing and protection of personal information.
  • Determine what you absolutely need to protect through risk assessment and threat modeling – can you clearly identify what components are essential to the success of your service? Not all assets need the same level of protection. #pragmaticsecurity
  • Determine what you’re willing to pay for security – can you adequately protect your assets with the desired level of investment? Is the cost of protection in excess of the value of your assets? #pragmaticsecurity
  • Complete a preliminary privacy impact assessment (PPIA) or privacy impact assessment (PIA) if personal information is involved in the service.
  • Establish a cycle of re-evaluation to ensure what you’re protecting is actually what you need to protect and make improvements based on lessons learned.
  • Develop your system with the 7 principles of Privacy by Design (Information and Privacy Commissioner of Ontario) in mind.
  • Ensure your service complies with Canadian security and privacy legislation, government policy instruments, and departmental security policies at all stages.
  • Identify and understand the jurisdictional requirements of where your digital service operates, and where your stakeholders are.
  • Develop, update, and maintain written cybersecurity policies and procedures, including on governance by both service and organizational management.
  • Develop, publish and maintain training and awareness material as required, to establish secure service-user behaviours
  • Make sure the service limits access to physical and logical assets and associated facilities to authorized users, processes, or devices consistent with the risk of unauthorized access.
  • Maintain logs of user access and system interactions to fully trace a user as they traverse each part of the system
  • Implement layered defenses to reduce exposure to cyber threats with increased awareness and understanding to proactively manage such threats

Alpha Stage

  • Plan recurring interactions with the business and information risk teams to ensure ongoing alignment.
  • Integrate a security advisor into the delivery team to support IT security risk management throughout the full delivery of the service.
  • Document the protective measures implemented to enable the secure processing and sharing of data and information across government
  • Document how the service manages information and records (data) in order to protect their confidentiality and integrity, and ensure their availability.
  • Ensure all APIs have appropriate authentication and that only authorized users/services are able to access the information; “open data” APIs are explicitly configured to allow access by all by default.

Beta Stage

{: .dpgn-standards-hide .dpgn-stage-beta} Note: Beta Stage includes all elements from the previous Alpha stage, plus the following:

  • Where collecting personal information, inform users about privacy rights and protections, and about their right to access and correct their own personal information.
  • Use appropriate de-identification strategies to minimize the risk of disclosing personal information.
  • Establish a data access audit process to provide assurance to users that their data has not been accessed in an unauthorized manner.
  • Incorporate privacy safeguards into partnership and data sharing agreements.
  • Ensure that privacy breach protocol is implemented and understood. Federal institutions are required to notify the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board of Canada Secretariat (TBS) of all material privacy breaches and of the mitigation measures being implemented, if the breach involves sensitive personal information and could reasonably be expected to cause serious injury to the individual.
  • Establish terms of services to ensure users understand how their data will be used and how it will be accessed
  • Ensure your service has properly documented event management processes, in the event of a data breach or compromise of the integrity of your systems.
  • Provide users adequate information (Terms and Conditions / Privacy Agreement) to ensure they fully understand the authority they are providing to 3rd party services.
  • Ensure all APIs are developed in alignment with secure connection guidance; APIs should be accessed over HTTPS.

Live Stage

{: .dpgn-standards-hide .dpgn-stage-beta} Note: Live Stage includes all elements from the previous Alpha and Beta stages, plus the following:

  • Establish agreements with 3rd parties who may benefit from receiving data from your service in accordance with guidance such as the TBS Guidance on Preparing Information Sharing Agreements Involving Personal Information, to ensure they will treat your data with appropriate care.

Implementation guides

Reusable solutions

Similar resources

5.2 Make security measures frictionless so that they do not place a burden on users

Digital services need to be designed to provide a rich and streamlined user experience, while also ensuring that sensitive information is protected within a processing environment that remains secure throughout its lifecycle. Service owners must be mindful that users will often find a way to circumvent burdensome security measures for convenience. It is important to make security seamless and frictionless by designing security measures that enable the user experience, through streamlined user-interface and features with which they interact, and to help improve the overall posture to prevent workarounds. Leveraging enabling services such as digital identity will help to provide users with access to digital services from their preferred device.

Services must be designed to resist attacks. However, security is not one-size fits all, and appropriate defenses are best developed to address the “soft spots” in your systems. By thinking about situations in which you could be compromised, it will help to identify and eliminate design issues. Undertaking a defense-in-depth approach provides layered security measures to help prevent against evolving and existing threats. It allows security to be addressed at multiple layers, hardening your systems as required, while providing unimpeded operations in others.

Integrating security from the outset and “shifting security left” in the service design will help to address security and privacy risks earlier in the development process, allowing teams to identify security needs as components are developed, reducing the cost and burden of changes later. A process of continuous review and improvement should be built into the development and maintenance of the service to support the selection of proportionate security measures that will protect against cyber attacks.

Checklist

  • Implement an Identity and Access Management (IAM) solution that aligns with trusted digital identity frameworks, such as the Pan-Canadian Trust Framework, for security commensurate to service sensitivity, ID portability across platforms, and authentication and authorization agility.
  • Where possible, provide users easily-accessible means of authentication (e.g.: biometrics) to your service - take advantage of improvements in consumer technologies.
  • Use deployment scripts to ensure configuration of production environment remains consistent and controllable.
  • Test and certify components in each layer of the technology stack for security vulnerabilities, and then to re-use these same pre-certified components for multiple services.
  • Ensure all APIs are developed in alignment with secure connections requirements from TBS and CSE; all APIs should be accessed over HTTPS only.
  • Ensure all APIs have appropriate authentication and that only authorized users/services are able to access the information; “open data” APIs are explicitly configured to allow access by all by default
  • Ensure your digital service offers a quick and easy reporting mechanism, that enables the process of security vulnerability disclosures; alerts should be treated with care and consideration equal to internal evaluations.
  • Develop robust IT Continuity plans, including infrastructure and data backups, to ensure that your digital service is able to return to operational status with minimal disruption.
  • Document the plan and process for technical updates and support for services/system software
  • Leverage existing services and frameworks such as the Pan-Canadian Trust Framework to foster multi-jurisdictional service delivery.

Implementation guides

Reusable solutions

[TODO: Add/revise reusable solutions]

Similar resources