Government of Canada Cyber Security Event Management Plan (formerly GC IT Incident Management Plan)

Transcription

1 Government of Canada Cyber Security Event Management Plan (formerly GC IT Incident Management Plan) Presentation to PSCIOC March 5 th, 2015

2 Overview Drivers Current Landscape Proposed Changes Expected Outcomes Next Steps 2

3 Recent GC Headlines 3

4 Drivers Recent incidents have shown that the GC continues to be a target for cyber attacks Exploited vulnerability, compromising 900 SINs at Revenue Canada (April 2014) Sophisticated, targeted cyber intrusion at National Research Council (June 2014) Two incidents on different ends of the spectrum provided good insight into GC incident management processes Lessons Learned exercises from both incidents revealed some recurring themes related to the GC IT Incident Management Plan 4

5 Current Landscape: Incident Management Roles and Responsibilities All departments/agencies Departmental security (people, information, assets and services) Treasury Board Secretariat Security policy direction & oversight All depts. TBS Canadian Security Intelligence Service Investigations of threats to national security CSIS CSE Communications Security Establishment IT Security advice, guidance & intelligence Monitoring and detection on internal systems Royal Canadian Mounted Police Criminal investigations, cyber crime, forensics RCMP SSC Shared Services Canada (for 43 departments & agencies) Service provider & infrastructure owner IT Security for servers, networks and Public Safety (Canadian Cyber Incident Response Centre) National incident response coordination for non-federal government systems Public Safety (CCIRC) DND SSC (GC-CIRT) GC Computer Incident Response Team (for all of the GC) Central coordination authority for incident response (housed at SSC) Department of National Defence Investigations and intelligence related to national defence 5

6 Current Landscape: GC IT Incident Management Plan (IMP) Provides an operational framework for the horizontal management of IT security incidents on GC networks Originally published in 2009, updated in 2012 Due for renewal Lessons Learned exercises following Heartbleed and NRC incidents revealed some issues with the IMP: Focuses on incidents only after a compromise occurs Lacks clearly defined invocation/escalation triggers Complex governance structure Missing link to Public Safety s Federal Emergency Response Plan (FERP) 1 Contains minimal reporting requirements 1 Additional FERP detail found in Annex A 6

7 A New Approach: GC Cyber Security Event Management Plan Drafting of the new GC Cyber Security Event Management Plan (GC CS EMP) is currently underway Addresses lessons learned and improves the GC s ability to respond in consistent and coordinated manner GC IT IMP (old) Focused on confirmed incidents only Lack of clearly defined invocation and escalation triggers Complex governance structure No link to FERP Minimal reporting requirements GC CS EMP (new) Considers all cyber events (which include potential threats & vulnerabilities, as well as confirmed incidents) Clearly defined triggers for invocation and escalation, based on priority levels Streamlined governance structure, with dynamic invocation of appropriate committees based on event priority Clearly defined priority level that implies immediate invocation of FERP Detailed reporting and communication requirements (including timelines) for all stakeholders 7

8 GC CS EMP: Other Changes UNCLASSIFIED / NON CLASSIFIÉ Other changes to the GC CS EMP include: A detailed RACI (Responsible, Authority, Consulted, Informed) matrix to clarify roles and responsibilities Updated processes and clearly defined inputs/outputs for each phase of the event management lifecycle Clearly defined departmental expectations in all phases More granular departmental requirements have been removed (to be included in a separate departmental incident management best practices guide) New event priority levels that dictate level of response required (see next slide) Explicitly defined communications channels Ensures that situational awareness is maintained throughout the event management lifecycle Includes clear linkages between the GC and Public Safety to enable effective sharing of technical information and coordination of public communication 8

9 GC CS EMP: Proposed Priority Levels* *Draft, based on the multi-state information sharing & analysis center methodology ( 9

10 Expected Outcomes The GC CS EMP is expected to: Improve coordination and incident management planning within the GC Mitigate threats and vulnerabilities before a compromise can occur Enhance situational awareness across the GC Inform decision-making at all levels Enhance public confidence in GC 10

11 Impact to Provinces/Territories UNCLASSIFIED / NON CLASSIFIÉ The GC CS EMP is used to address cyber security events in the GC only No explicit role for P/Ts in this plan P/Ts are assumed to have their own incident management framework that ultimately links into the FERP GC CS EMP does have indirect benefits to P/Ts: More effective coordination of GC-wide events will minimize impact on federal programs and services that P/Ts rely on A normalized view of the federal cyber landscape will be shared with CCIRC through more efficient information sharing channels More value added federal event information that P/Ts can to respond to similar events 11

12 Next Steps March 2015 Finalize draft of GC CS EMP Q1 2015/16 Table top exercises at varying levels Departments Lead Security Agencies (first responders) Senior Management (DG/ADM) Finalization of GC CS EMP (including formal approval) Q2 2015/16 Publish GC CS EMP 12

13 ANNEX A: Federal Emergency Response Plan Federal Emergency Response Plan (FERP) background: Harmonizes federal emergency response efforts with those of provinces and territories, NGOs, and the private sector Allows for horizontal and vertical harmonization of effort throughout the federal government Provides an integrated, strategic GC response FERP coordination is utilized when: A province or territory requests federal support to deal with an emergency An emergency of such magnitude occurs that it impacts multiple jurisdictions and/or government departments An event directly involves federal assets, services, employees, statutory authority/responsibilities, or impacts confidence in government Aspects of the national interest are affected 13