Address security and privacy risks
Address security and privacy risks
On this page
What is addressing security and privacy risks?
Addressing privacy and security risks involves identifying potential vulnerabilities and implementing measures to protect user data and maintain the integrity of your product. This includes ensuring compliance with regulations, conducting regular security assessments, and incorporating robust data protection practices throughout the life cycle of your product.
Why is this important?
Digital services are core to service delivery. They must securely store and manage Canadians’ information with effective, transparent and accountable measures. It is essential that organizations maintain public trust and confidence by designing and operating with confidentiality and integrity. Organizations must ensure that the appropriate security and privacy standards have been met for products.
How to do it
These are suggested steps on how to address security and privacy risks. Depending on where you’re at in your process, you might not need to follow every step.
Discover
- List the type of sensitive information that your product will collect, if any. If your product will collect any sensitive information, list it and indicate why the data is needed, how it will be used and shared, and whether there is legal authority to collect the information.
- Identify requirements. Identify legislative and policy requirements that apply to your product. Consult with security and privacy experts early on to ensure that your practices are in line with enterprise-wide requirements for the management of identities, credentials and access to information.
- Develop a concept case. Develop a concept case using the appropriate template. Your concept case will help you identify key information on which a potential future digital project should be predicated. See the Policy on the Planning and Management of Investments to see if you need to submit a concept case for your product.
- Conduct risk analyses. Conduct risk analyses to determine your product’s risk profile. Use the guidance on the security categorization of cloud-based services to determine a security control profile that adequately protects information and business activities.
- Develop an incident response plan. Develop an incident response plan detailing how your organization detects, responds to and recovers from incidents that could occur. This will help your team be prepared to handle incidents when they happen, mitigate the threats and associated risks, and recover quickly. Consult the Canadian Centre for Cyber Security’s guidance on developing your incident response plan for more information.
- Develop a retention and disposition plan. If your product will collect, use and retain personal information, you will need a retention and disposition plan. Visit the Digital Privacy Playbook for more information on when to keep and delete personal information.
Build
- Create a list of security features. Create a clear list of security features for your product to manage identity, access, data protection, network security and application security. Make sure that these features are trusted.
- Map out potential threats. Map out potential threats for your product to ensure that all threat exposures in it are covered by appropriate designs and security mechanisms. For more information, see section 2.5 “Threat modelling” of the playbook on information system solutions.
- Conduct a privacy impact assessment (PIA). You will need to conduct a PIA if personal information is involved in your product. This will help you identify potential risks and ensure that legal requirements are met and that privacy impacts are either addressed or minimized before a problem occurs.
- Design a secure and frictionless architecture. As you develop mock-ups for your product, ensure that the design for your system architecture is secure and frictionless for users. Include your security and privacy features in your service blueprints and see if there are any pain points in the user experience.
- Apply security-enhancing safeguards. Apply security-enhancing safeguards to your product such as trusted digital identity, multi-factor authentication (MFA), and end-to-end encryption. This will ensure that data and personal information is handled securely and responsibly.
- Include a privacy notice. Before you collect personal information, make sure that an individual has access to read or listen to a privacy notice before providing you with their information.
- Conduct a security assessment. Conduct a security assessment to understand the risk to the IT system, mitigate any unacceptable risks and have a plan to address any outstanding risks.
Test
- Conduct automated security testing. Establish automated testing early on. This will ensure that you identify issues and fix them promptly.
- Conduct penetration testing. Conduct periodic penetration testing, also known as ethical hacking, to simulate cyber attacks to find weaknesses in your system. This will help you find vulnerabilities and understand and mitigate them.
- Establish appropriate oversight and governance bodies. Establish appropriate oversight and governance bodies to oversee the performance of your product. Do this by defining clear roles and responsibilities. This will ensure regular reporting, accountability and compliance.
- Establish key performance indicators (KPIs). Establish KPIs to measure the effectiveness and the security posture of your product.
Monitor and iterate
- Monitor your product continuously. Monitor your product continuously and ensure that it remains compliant with security and privacy policies and regulations. Adjust your privacy measures as necessary based on ongoing assessments.
- Schedule regular updates. Schedule regular product updates to address any security and privacy vulnerabilities you have identified. This will ensure continuous improvement of your security measures and strengthen your product’s security posture.
- Implement patches to address vulnerabilities. Implement effective patches to address vulnerabilities to minimize intrusions and their impacts. Do this by developing a vulnerabilities management process.
- Update and review your information safeguards regularly. Update and review your information safeguards when there are physical, technical or administrative changes to your product. This could involve new ways of handling information, including the use of a new system or platform, or staff turnover.
Resources
Principles
- Privacy by design
- Security by design
Considerations
- Contact the Government Advisory team at the OPC at any stage for support in identifying compliance issues, risks to privacy and potential mitigation strategies.
Tools and resources
- Security playbook for information system solutions
- Digital privacy playbook
- 10 fair information principles
- Personal information retention and disposal: Principles and best practices
- Security categorization tool — GCpedia (Government of Canada networks only)
- Privacy impact assessment
- Choosing secure and verifiable technologies
- Developing your incident response plan
- A malware detection and analysis tool
- Sample privacy notice for Government of Canada institutions
- Cyber security event management plan
- Pan-Canadian Trust Framework
- Department_CSEMP_Template (Government of Canada networks only)
- Patch Management Guidance
- Event Logging Guidance
Case studies
Talent
- Agile
- UX designers
- Privacy and security experts
- IT security training and expertise
- Data architecture
- Enterprise architecture
- Legal expertise
GC policy instruments
Laws
- Privacy Act (the act in brief)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
Policies
Directives
Standards and other instruments
- Standard on security categorization
- Technology and cyber risk management
- Security control profile for cloud-based GC services
- Direction on the secure use of commercial cloud services
- Baseline security requirements for network security zones
- Patch management guidance
- Mandatory procedures for concept cases for digitally enabled projects
GC Communities and Training
Help us improve
This work is iterative, and we will continue to improve on it based on your feedback.
Share your thoughts and suggestions by email: servicedigital-servicesnumerique@tbs-sct.gc.ca
Page details
- Date modified: