Security & Privacy Requirements

[cgye]

Identify non-functional Security & Privacy Requirements which are required for compliance with:

• Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN)
• Government of Canada Security Control Profile for Cloud-based GC Services

Per Secure SDLC, security & privacy requirements should be determined early in the process. Section 3.1 Mandatory Requirements and Section 3.2 Recommended Requirements of this document describes the Security & Privacy Requirements which must/should be considered.

[dinophile]

SaaS procurement feature is confirmed to need PBMM controls. As per Jenn S.

Training form feature will require PBMM eventually, so we will evaluate it as such from the beginning.

[cgye]

The following are currently executed, in scope, Security & Privacy requirements per Section 3.1 Mandatory Requirements of Secure Software Development Lifecycle:

• Security Categorization
  • Classify Information
  • Establish System Security Control Profile
• Auditing
  • Configure or use an authoritative time source for the time-stamp of the audit records generated by your solution components.
• Networking
  • Network boundary protection (e.g. WAF) for external facing interfaces (deny-all or allow-by-exception policy)
• Secure Development (see #335)
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Penetration Testing
  • Vulnerability Scanning
• Security Operations (#see 335)
  • Automated Vulnerability Scanning
  • Vulnerability and Patch management process
  • Incident Response Plan
  • System Monitoring Process

The following are new, where the scope is up for discussion, Security & Privacy requirements per Section 3.1 Mandatory Requirements of Secure Software Development Lifecycle:

• System Concept
  • Business Requirements
  • Identify all user and service management roles
  • Describe all operational scenarios
• Identity and Access Management
  • Uniquely identify and authenticate users (no anonymize access)
  • Multi-factor authentication for privileged accounts
  • Process for managing access privileges (Principle of Least Privilege)
  • Enforce access authorizations
• Data Protection (see #330)
  • Encryption of data in transit (Guidance on securely configuring network protocols ITSP.40.062)
  • Encryption of data at rest (Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information - ITSP.40.111)
  • Secret management procedures
• Auditing
  • Identify the events within the solution that must be audited
  • Implement an audit process for the auditable events identified. At a minimum, the business owner or an auditor should audit actions against user accounts according to SPIN 2017‑01.
  • Protect audit information by controlling access to the audit log tools.
• Service Continuity
  • Backup-and-restore process for GC data
  • Fail-over and availability (e.g. for MM)
• Configuration Management
  • Define and document baseline configuration, which represents the most restrictive (secure) mode of operation
  • Implement a process to keep baseline configuration up to date as changes are implemented
• Security Operations
  • Periodic Penetration Testing