Annex 4A - Profile 3 - (SECRET / Medium integrity / Medium availability) (ITSG-33)

 

Suggested organizational security control profile for departments and agencies requiring protection of business activities of security category - SECRET / Medium Integrity / Medium Availability

January 2015

 

List of abbreviations and acronyms

CC – Common Criteria
CMVP – Cryptographic Module Validation Program
COTS – Commercial off the Shelf
CSE – Communications Security Establishment
DSO – Departmental Security Officer
GC – Government of Canada
ISSIP – Information System Security Implementation Process
IT – Information Technology
ITSG – Information Technology Security Guidance
PDARR – Prevention Detection Analysis Response Recovery
SAL – Security Assurance Level
TBS – Treasury Board of Canada Secretariat

Foreword

Annex 4A – Profile 3 (SECRET / Medium Integrity / Medium Availability) to IT Security Risk Management: A Lifecycle Approach (ITSG-33) is an unclassified publication issued under the authority of the Chief, Communications Security Establishment (CSE).

Suggestions for amendments should be forwarded through departmental communications security channels to your Information Technology (IT) Security Client Services Representative at CSE.

Requests for additional copies or changes in distribution should be directed to your IT Security Client Services Representative at CSE.

For further information, please contact CSE’s IT Security Client Services area by e-mail at itsclientservices@cse-cst.gc.ca, or call 613-991-7654.

Effective Date

This publication takes effect on 20 January 2015.

Originally signed by

Toni Moffa

Deputy Chief, IT Security

Summary

This Annex is part of a series of documents published by the Communications Security Establishment (CSE) under Information Technology Security Guidance Publication 33 (ITSG-33), IT Security Risk Management: A Lifecycle Approach.

This Annex suggests a selection of security controls and control enhancements, together referred to as a security control profile. Departmental security authorities can use this profile as a reference to create departmental-specific security control profiles suitable for protecting the confidentiality, integrity, and availability of departmental information technology (IT) assets against threats that could cause injury to business activities of category SECRET / Medium Integrity / Medium Availability. This security control profile has been developed using ITSG-33 Annex 3A, Security Control Catalogue [Reference 1].

The suggested security controls in this profile constitute a starting point and need to be tailored to the business, technical, and threat and risk context of each department’s business activities and supporting information systems. The selection of security controls was based on industry and governmental security best practices, and under certain threat assumptions, derived from CSE’s analysis of the threat environment faced by information systems in the documented business context.

This profile has been created as a tool to assist security practitioners in their efforts to protect information systems in compliance with applicable Government of Canada (GC) legislation and Treasury Board of Canada Secretariat (TBS) policies, directives, and standards.

It is the responsibility of departmental security authorities, when developing their departmental security control profiles, to ensure compliance with all security requirements of GC regulations and TBS policy instruments applicable to their business activities as well as any other contractual obligations.

1 Introduction

1.1 Purpose

This Annex is part of a series of documents published by the Communications Security Establishment (CSE) under Information Technology Security Guidance Publication 33 (ITSG-33), IT Security Risk Management: A Lifecycle Approach.

This Annex suggests a selection of security controls and control enhancements, together referred to as a security control profile. Departmental security authorities can use this profile as a reference to create departmental-specific security control profiles suitable for protecting the confidentiality, integrity, and availability of departmental information technology (IT) assets against threats that could cause injury to business activities of category SECRET / Medium Integrity / Medium Availability. This security control profile has been developed using ITSG-33 Annex 3A, Security Control Catalogue [Reference 1].

Departmental security control profiles help ensure that the IT security function of a departmental security program can:

  1. Perform appropriate IT security risk management activities; and
  2. Provide adequate support to IT projects.

1.2 Scope and Applicability

The suggested security controls in this profile constitute a starting point and need to be tailored to the business context, technical context, and threat and risk context of each department’s business activities and supporting information systems (as described in Section 2). The selection of security controls was based on industry and governmental security best practices, and under certain threat assumptions, derived from CSE’s analysis of the threat environment faced by information systems in the documented business context.

This profile does not provide details about the implementation or utilization of these security controls in a department or its information systems. ITSG-33 Annex 1 – Departmental IT Security Risk Management Activities [Reference 2] and Annex 2 – Information System Security Risk Management Activities [Reference 3] provide more detailed guidance on these topics. Refer to CSE’s web site for a current list of additional guidance publications.

1.3 Audience

This Annex is intended for:

  • Departmental security officers (DSOs), IT security coordinators, and security practitioners supporting departmental IT security risk management activities; and
  • Participants in the definition, design, development, installation, and operations of information systems, more specifically authorizers, project managers, security architects, security practitioners, security assessors, and members of IT operations groups.

1.4 Publication Taxonomy

This Annex is part of a suite of documents on IT security risk management in the GC. The other documents in the series are as follows:

  • ITSG-33, Overview – IT Security Risk Management: A Lifecycle Approach
  • ITSG-33, Annex 1 – Departmental IT Security Risk Management Activities
  • ITSG-33, Annex 2 – Information System Security Risk Management Activities
  • ITSG-33, Annex 3A – Security Control Catalogue
  • ITSG-33, Annex 4A – Profile 1 – PROTECTED B / Medium Integrity / Medium Availability; and
  • ITSG-33, Annex 5 – Glossary

1.5 Definitions

should – This word indicates a goal or preferred alternative. There may exist valid reasons in particular circumstances to ignore a particular item or statement, but the full implications must be understood and carefully weighed before choosing a different course.
must – This word indicates a requirement that must be fulfilled to claim conformance to the control.

For other definitions of key terms used in this publication, refer to Annex 5 of ITSG-33 [Reference 4].

2 Context and Assumptions

This section characterizes the business context, the technical and threat context, and the security approaches for which this security control profile is suitable. When selecting this profile as a starting point, departmental security authorities (supported by security practitioners) will need to tailor it in order to create departmental-specific security control profiles that will be appropriate for their department and business activities.

2.1 Business Context

This security control profile is suitable for departments using information systems to support GC business activities of medium sensitivity and criticality involving SECRET information. Examples of such business activities include, but are not limited to, planning a new federal budget, managing diplomatic correspondence, analyzing intelligence information, conducting National Defence command and control operations, and conducting a criminal investigation on organized crime.

Departments that are candidates for using this security control profile will perform business activities with a maximum security category marking of (SECRET / Medium Integrity / Medium Availability), as defined in ITSG-33, Annex 1, Section 6 [Reference 2]. Business activities with such a marking have the following general characteristics:

  • Confidentiality – A compromise of the confidentiality of this SECRET information is reasonably expected to cause a high level of injury to national interests;
  • Integrity – A compromise of the integrity of supporting IT assets is reasonably expected to cause a medium level of injury to national or non-national interests;
  • Availability – A compromise of the availability of supporting IT assets is reasonably expected to cause a medium level of injury to national or non-national interests; and
  • Acceptable residual risks – The business activities require the support of an information system operating with residual risks at a maximum level of low for the security objectives of confidentiality, integrity and availability.

Table 1 characterizes, in greater detail, suitable business contexts using confidentiality, integrity, and availability objectives; it also includes examples of consequences of compromise, business processes, and related information.

2.1.1 Compliance with GC Legislation and TBS Policy Instruments

This profile has been created as a tool to assist security practitioners in their efforts to protect information systems in compliance with applicable GC legislation and Treasury Board of Canada Secretariat (TBS) policies, directives, and standards.

It is the responsibility of departmental security authorities, when developing their departmental security control profiles, to ensure compliance with all security requirements of GC regulations and TBS policy instruments applicable to their business activities as well as any other contractual obligations.

Table 1: Characterization of Applicable Business Contexts

Characteristics – Descriptions and Examples
Confidentiality Objective – The business activities involve the processing, transmission, and storage of SECRET information that needs to be adequately protected from unintentional disclosure.
Integrity and Availability Objective – The expected injury from compromise of IT asset integrity and availability is assessed as medium. IT assets therefore need to be adequately protected from integrity and availability compromise.
Acceptable Residual Risks – The business activities require the support of an information system operating with residual risks at a maximum level of low for the security objectives of confidentiality, integrity and availability.
Examples of Injuries:
  • Civil disorder or unrest such as a riot or the sabotage of a critical infrastructure
  • Physical pain, injury, trauma, hardship, illness, or disability to individuals, loss of life
  • Stress, distress, psychological trauma, or mental illness
  • Financial loss to individuals that affects their quality of life or compromises their financial security
  • Financial loss to Canadian companies that reduces their competitiveness or compromises their viability
  • Harm to the Canadian economy that reduces Canada’s performance or internal competitiveness in a key business sector
  • Harm to Canada’s reputation (e.g., embarrassment), damage to federal-provincial relations
  • Impediment to the development of major government policies
  • Impediments to effective law enforcement
  • Loss of continuity of government
Examples of Business Processes:
  • Senior management processes whose disruption could impede effective decision making
  • Consular and passport processes whose disruption could hinder assistance to Canadians abroad
  • Creation and sharing of diplomatic analysis and reports
  • Creation and sharing of critical infrastructure risk analysis and reports
  • Automated support to national emergency responses, including information sharing
  • Creation, processing, and storing of information concerning national defence
Examples of Information Assets:
  • Sensitive diplomatic information
  • Critical infrastructure risk analysis
  • Information concerning national safety and security
  • Information concerning national defence

2.2 Technical Context

This security control profile is suitable for departments operating in well-controlled IT environments. In general terms, departmental information systems targeted by this profile can be broadly categorized based on their objective to provide for the creation, processing, storage, and sharing of SECRET information.

It is assumed that these information systems will not be connected directly to the Internet. These information systems may be connected to other GC departments’ information systems of equivalent security posture through appropriate high-robustness cross-domain solutions and Type-1-encrypted communication links. Any transfer of information between the SECRET information systems and unclassified information systems is assumed to be well controlled through the use of appropriate secure transfer mechanisms. This profile must be tailored to add the required security controls related to cross-domain functionality. These safeguards create a high-robustness enclave boundary (see Section 2.4).

Without extensive tailoring, this profile may not be suitable for an operational military context, or when implementing a highly distributed network.

2.3 Threat Context

This security control profile has been developed to protect departmental business activities from IT-related threats that are relevant to both the business context and the technical context.

In addition to the objective of protecting business activities, this profile aims to protect the information systems. This approach is necessary as threats may be directed towards GC IT assets for no other reasons than to compromise technical components and benefit from their resources, irrespective of the type of business activities being supported by these IT assets.

For example, many attackers are not interested in GC information or in disrupting GC business activities; rather, they are interested in compromising GC information systems in order to perform illegal acts, such as storing illegal data (e.g., images, or movies) and covertly sharing that data with other criminals, performing denial of service attacks on commercial websites, extorting money, sending spam, or infecting GC information systems with malware.

Threat information has been analyzed from multiple sources, including TBS and departmental threat and incident reports, in addition to CSE’s own analysis. As a result, this security control profile, when properly implemented (see Section 4), mitigates the risks from exposure to deliberate threat agents of categories from Td1 to Td4 (internal to the enclave boundary) and up to Td7 (external to the boundary, when using appropriate perimeter controls, Type-1 devices, and cross-domain solutions), and accidental threats and natural hazards of categories Ta1 to Ta3 as defined in Table 2 and Table 3. As threat agent capabilities evolve over time, this security control profile will be updated to ensure that the selection of security controls is appropriately adjusted to mitigate new capabilities.

Before selecting and tailoring this profile, departments must ensure that the threat context is applicable to their environment. Depending on the threat context, substantial tailoring may be necessary, or if the threat context is very different, a different security control profile should be selected, if available. If a suitable security control profile is not available, departments will need to create their own profile by considering the suite of security controls documented in ITSG-33 Annex 3A, Security Control Catalogue [Reference 1]. Refer to ITSG-33 Annex 1 [Reference 2] for more details on the creation of security control profiles.

Table 2: Applicable Deliberate Threat Categories

Threat Category – Threat Agent Description – Examples of Increasing Threat Agent Capabilities
Internal to the high-robustness enclave boundary:
Td1 – Non-malicious adversary (e.g., non-malicious unauthorized browsing, modification, or destruction of information due to the lack of training, concern, or attentiveness).
  • Basic end user capabilities to access information systems and contents
Td2 – Passive, casual adversary with minimal resources who is willing to take little risk (e.g., listening, script kiddie).
  • Execution of a publicly available vulnerability scanner
  • Execution of scripts to attack servers
  • Attempts to randomly delete system files
  • Modification of configuration files settings
Td3 – Adversary with minimal resources who is willing to take significant risk (e.g., unsophisticated hackers).
  • Use of publicly available hacker tools to run various exploits
  • Insiders installing Trojans and key loggers on unprotected systems
  • Use of simple phishing attacks to compromise targets with malware
  • Execution of programs to crash computers and applications
Td4 – Sophisticated adversary with moderate resources who is willing to take little risk (e.g., organized crime, sophisticated hackers, international corporations).
  • Sophisticated use of publicly available hacker tools, including 0-day exploits
  • Ability to create own attack tools in software
  • Basic social engineering attacks
  • Ability to assemble hardware using commercial off the shelf (COTS) components to facilitate attacks
  • Phishing attacks to gain access to credit card or personal data
External to the high-robustness enclave boundary, all previous threat levels in addition to:
Td5 – Sophisticated adversary with moderate resources who is willing to take significant risk (e.g., organized crime, international terrorists).
  • Bribery of insiders to get information
  • Modification of or fraudulent commercial products to support financial gain (e.g., tampered or bogus ATM cash machines)
  • Physical destruction of infrastructure
  • Side-channel attacks (e.g., smart cards)
Td6 – Extremely sophisticated adversary with abundant resources who is willing to take little risk (e.g., well-funded national laboratory, nation-state, international corporation).
  • TEMPEST attacks
  • Supply chain attacks, such as tampering of or fraudulent commercial products to support espionage (e.g., bogus network routers)
  • Hard to detect implant technologies in hardware or software
  • Exploitation of non-public vulnerabilities
Td7 – Extremely sophisticated adversary with abundant resources who is willing to take extreme risk (e.g., nation-states in time of crisis).
  • Bribery, blackmail, or intimidation of insiders to compromise system security
  • Penetration of secure facilities to enable attacks

Table 3: Applicable Accidental Threats and Natural Hazard Categories

Threat Category – Magnitude of Events
Ta1
  • Minor accidental events (e.g., trip over a power cord, enter wrong information)
Ta2
  • Moderate accidental events (e.g., render a server inoperable, database corruption, release information to wrong individual or organization)
  • Minor hardware or software failures (e.g., hard disk failure)
  • Minor mechanical failures (e.g., power failure within a section of a facility)
  • Minor natural hazards (e.g., localized flooding, earthquake compromising part of a facility)
Ta3
  • Serious inadvertent or accidental events (e.g., cut facility telecommunications or power cables, fire in the facility, large scale compromise of information)
  • Moderate mechanical failures (e.g., long term facility power failure)
  • Moderate natural hazards (e.g., localized flooding or earthquake compromising a facility)

2.4 Security Approaches

In addition to the business, technical, and threat contexts documented in previous sections, the selection of security controls documented in Section 4 was also influenced by the choice of security engineering best-practices applied to the implementation of dependable information systems. This profile is meant to address the IT security needs of high sensitivity and medium criticality GC business activities, such as planning a new federal budget, managing diplomatic correspondence, analyzing intelligence information, conducting National Defence command and control operations, and conducting a criminal investigation on organized crime. The protection of business activities calls for security approaches where, at a minimum, the following main security engineering best-practices are applied:

  • Strong Boundary Protection: high-assurance communications links (e.g., Type-1 crypto) and cross-domain solutions are utilized to create a classified enclave, and connections to unsecured external networks are prohibited;
  • Strong Personnel and Physical Security: personnel screening to Level 2 (SECRET) and above, and Security Zones are utilized;
  • Defence-in-Depth: technical, operational (including personnel and physical), and management security controls are used in a mutually supportive manner to mitigate risks (e.g., technical access controls used to protect sensitive databases, and additional physical security prevents unauthorized personnel from physically accessing the databases’ servers);
  • Least-Privilege: users are provided only the minimum access necessary to perform their duties (e.g., day-to-day tasks are performed using limited user accounts only, not administrative accounts);
  • Prevent-Protect-Detect-Analyze-Respond-Recover (PDARR): ensures that successful attacks can be detected and contained, IT assets can be restored to a secure and authentic state, and lessons learned are documented and used to improve the security posture of information systems; and
  • Layered Defence: ensures the various layers of an information system, such as applications, databases, platforms, middleware, and communications are adequately protected. This approach reduces the risk that a weakness in one part of the information system could be exploited to circumvent safeguards in other parts (e.g., compromised USB storage device at the platform-layer bypasses network-layer boundary protection).

This set of security approaches uses strict boundary protection and strong physical and personnel security as main protection measures, which potentially affords the use of less robust internal security controls, in turn reducing cost and complexity. In particular, this set of security approaches specifies a system-high operating mode. In system-high mode all users are cleared to the highest level of information processed on the information system (SECRET), although not all users have a need-to-know or a requirement to access all of the information.

Nevertheless, this profile also suggests a balanced set of security controls to reduce the risks of compromised internal elements of an information system being used to easily compromise additional elements. This profile also suggests security controls to detect, respond, and recover gracefully from security incidents. Many of these controls are operational controls that a mature IT operations group should have in place not only for security reasons, but also for the efficient and cost-effective day-to-day management of information systems.

This set of security approaches requires robust boundary protection, personnel and physical security to ensure risks are mitigated adequately. As such, these critical security controls need to be assessed regularly to ensure they continue to meet their security objectives. This approach allows the internal part of the information systems (inside the boundary) to be secured using a set of security controls similar to the (PROTECTED B / Medium Integrity / Medium Availability) security control profile.

It is important to ensure that this set of security approaches is appropriate to a departmental technical environment before selecting this profile. If not appropriate, then extensive tailoring may be required. This security profile is not suitable for multi-level information systems.

2.4.1 Relationship of Security Controls to Confidentiality, Integrity, and Availability Objectives

The selection of security controls in this profile aims to ensure the appropriate mitigation of threats that could compromise the confidentiality, integrity, or availability of IT assets supporting departmental business activities. This profile does not document the exact mapping between a security control and the specific objectives it aims to fulfill. While some security controls map more clearly to a specific objective (e.g., CP-7 Alternate Processing Site maps to an availability objective), most security controls support more than one security objective. For example, most controls in the Access Control family support, either directly or indirectly, all three objectives of confidentiality, integrity, and availability of IT assets. An adequate implementation of Access Control will mitigate a compromise where a threat agent:

  • Exfiltrates sensitive documents (confidentiality objective);
  • Modifies documents or database records (integrity and usually availability objectives);
  • Tampers with the proper behaviour of a business application (integrity and possibly availability objective);
  • Deletes database records (availability objective); and
  • Corrupts a business application to make it inoperative (availability objective).

The tailoring of this security control profile to satisfy departmental or business needs must take into account the complex and subtle relationships between afforded security control protection and the three security objectives a security control usually aims to fulfill.

3 Adequate Implementation Guidance

3.1 Security Assurance

Security controls need to be implemented in a manner commensurate with the potential for threat and injury. This profile was developed under certain assumptions as described in Section 2. Consequently, the boundary protection, and personnel and physical security controls should be implemented with a high level of effort and due diligence. The remaining security controls should be implemented with a medium level of effort and due diligence, as described in this section, in order to ensure that the information system supporting the business activities operates with residual risks at a maximum level of low.

In order to meet the security control requirements documented in this profile, departments need to define the level of effort that will be invested in developing, documenting, and assessing the implementation of the security controls.

Annex 1 of ITSG-33 [Reference 2] describes activities suggested to put in place, or to update, the security controls in this profile that relate to the management of IT security risks and those that are not deployed as part of information systems. ITSG-33 does not provide guidance on the level of effort expected for implementation of those common security controls (e.g., incident management, risk assessments, personnel screening program, physical security program). TBS provides guidance on the establishment of mature management practices and produces assessment tools to measure the current maturity level of those practices.

Annex 2 of ITSG-33 [Reference 3] describes a suggested information system security implementation process useful to cost-effectively design, develop, test, install, and operate dependable information systems that satisfy business needs for security. Information systems implement most of the technical security controls of this profile. Annex 2 of ITSG-33 [Reference 3] provides guidance to IT project managers, security practitioners, security assessors, and authorizers on the expected level of effort for the security engineering and security assessment tasks to ensure that the IT security implemented in information systems meets the objectives of this profile.

In the case of security controls implemented in information systems, the appropriate level of effort for security engineering and security assessment tasks is defined as security assurance requirements. These requirements are directed at the tasks that security control designers, developers and implementers need to perform to increase confidence that the security engineering work and documentation produced is adequate, and that security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security objectives defined for the information systems. A Security Assurance Level of 2 (SAL2) as defined in ITSG-33, Annex 2, Section 8 [Reference 3], is suggested for use by IT projects for the implementation of the majority of the security controls in this profile.

For critical security controls, in particular those on the boundary of an information system, and those facing greater threat agent capabilities, an adequate implementation will ensure that a greater level of effort has been applied to the design, development, testing, installation, and operations of these security controls. A Security Assurance Level of 3 (SAL3) as defined in ITSG-33, Annex 2, Section 8 [Reference 3] is suggested for use by IT projects for the implementation of the critical security controls in this profile. Note that this may mean the integration of high-assurance devices, such as Type 1 crypto. In that case, the devices themselves have already been implemented and certified. The integration effort and rigor are placed in the correct installation, configuration, operation, and operational testing of the devices.

Additionally, as described in ITSG-33, Annex 2, Section 7.3.2.1 [Reference 3], any supplier involved in the design, development, or operation of an information system processing SECRET information should hold, as a minimum, a SECRET facility clearance.

The criticality of a security control is dependent on the specific design of the information systems and needs to be determined by IT projects’ security practitioners. At a minimum, the critical security controls must include boundary protection, and personnel and physical security.

ITSG-33 Annex 2 [Reference 3] provides more detailed guidance to IT projects on security assurance requirements and the development, documentation, and assessment activities required to satisfy those requirements.

In addition, it is recommended that selected commercial IT products that perform security functionality be evaluated in order to ensure they perform functionally as required and are sufficiently resilient to identified threats. To facilitate this assurance process and ensure that IT products are evaluated against appropriate security requirements, the following are recommended:

  1. For IT products implementing security controls internal to the security boundary, CSE makes available, for departments to use at their discretion, a pool of commercially available products that have been evaluated by CSE in partnership with certain commercial laboratories. If departments choose to leverage this pool of CSE-assured IT products, then procurement vehicles should specify that the selected IT security products be verified by the Common Criteria (CC) program against an appropriate security target or CC protection profile (either defined organizationally in security standards, or determined by the IT project’s security practitioners to satisfy the requirements of Sections 2 and 3). If the IT product contains a cryptographic module, then it should also be verified by the Cryptographic Module Validation Program (CMVP) against FIPS 140-2.
  2. IT products implementing communication encryption at the boundary of the enclave must be implemented using products evaluated and approved by CSE (e.g., Type 1 products). In addition, the organization must follow CSE doctrine when using these products.
  3. The selection, design and configuration of IT products implementing cross-domain functionality at the boundary of the enclave should be made in collaboration with CSE.

3.2 Implementation priority guidance

Not all organizations have the necessary budget to simultaneously implement all of the security controls and enhancements that are required. In reality, organizations may be required to implement security controls and enhancements as time and budget permit. In order to aid organizations in deciding which security controls and enhancements to implement initially, CSE has categorized security controls and enhancements into three priority levels, as documented in Table 4. It should be noted that this effort is targeted at new information systems, such that the emphasis is on prevention rather than detection or response. Priorities would be different for existing systems. This implementation priority ensures mitigation of the most common threats while planning for the implementation of the remaining security controls. In order to appropriately secure an information system, and achieve low residual risks, all of the security controls and enhancements specified in the security control profile must be implemented.

3.3 Format

Table 4 provides the suggested set of security controls and control enhancements for this profile. For each security control, a control ID is provided along with:

  • The name of the security control;
  • A listing of suggested enhancements;
  • Suggested groups responsible (R) to implement or to support (S) the implementation of the control requirements (IT security Function, IT operations group, IT projects, Physical Security Group, Personnel Security Group and Learning Center);
  • General tailoring and implementation guidance notes;
  • Suggested implementation priority;
  • Values for the placeholder parameters documented as part of each security control in the profile; and
  • Additional notes regarding the security controls and control enhancements in the context of this profile.

The complete description of the security control, enhancements and placeholder parameters is available in Annex 3A of ITSG-33 (Security Control Catalogue) [Reference 1].

Note: To make it convenient for security practitioners to create their own departmental security control profile, a spreadsheet document that contains the selection of controls provided in Section 4 is available. Contact IT Security Client Service for a copy of the spreadsheet.

4 Suggested Security Controls and Control Enhancements

Table 4: Suggested Security Controls and Control Enhancements:

5 References

[Reference 1] Communications Security Establishment Canada. IT Security Risk Management: A Lifecycle Approach – Security Control Catalogue. Information Technology Security Guidance Publication 33 (ITSG-33), Annex 3A. 30 December 2014.
[Reference 2] Communications Security Establishment. IT Security Risk Management: A Lifecycle Approach – Departmental IT Security Risk Management Activities. Information Technology Security Guidance Publication 33 (ITSG-33), Annex 1. 1 November 2012.
[Reference 3] Communications Security Establishment. IT Security Risk Management: A Lifecycle Approach – Information System Security Risk Management Activities. Information Technology Security Guidance Publication 33 (ITSG-33), Annex 2. 1 November 2012.
[Reference 4] Communications Security Establishment. IT Security Risk Management: A Lifecycle Approach – Glossary. Information Technology Security Guidance Publication 33 (ITSG-33), Annex 5. 1 November 2012.
