Government of Canada Cyber Security Event Management Plan (GC CSEMP) 2019

1.1 About this document

This document describes the Government of Canada (GC) Cyber Security Event Management Plan (CSEMP). This plan outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion GC-wide. The plan will be tested and reviewed annually, and modified as required.

1.2 Effective Date

This plan takes effect on April 8, 2020. It replaces the version dated January 26, 2018.

1.3 Application

This plan is prepared in the exercise of the responsibilities conferred to the Treasury Board of Canada Secretariat (TBS) under the Policy on Government Security (PGS) and is intended for all departments and agencies subject to the PGS.

1.4 Definitions

Note: These definitions are from the Policy on Government Security. Additional examples are provided for some terms to clarify their interpretation for the purposes of this plan.

Compromise:

A breach of government security. Includes but is not limited to:

• unauthorized access to, disclosure, modification, use, interruption, removal or destruction of sensitive information or assets, causing a loss of confidentiality, integrity, availability or value
• an event causing a loss of integrity or availability of government services or activities

Security event:

Any event, act, omission or situation that may be detrimental to government security, including threats, vulnerabilities and security incidents.

• Examples of cyber security events: Disclosure of a new vulnerability, intelligence that a threat actor may be planning an attack against a GC information system (for example, a distributed denial of service (DDoS) attack, attempts to breach the network perimeter)

Security incident:

Any event (or collection of events), act, omission or situation that has resulted in a compromise.

• Every cyber security incident is a cyber security event (or collection of cyber security events), but not every cyber security event is a cyber security incident (see Figure 1)
• Examples of cyber security incidents: Active exploitation of one or more identified vulnerabilities, exfiltration of data, failure of a security control, breach of a cloud-hosted or managed GC service

Threat:

Any potential event or act, deliberate or unintentional, or natural hazard that could result in a compromise.

Vulnerability:

A factor that could increase susceptibility to compromise.

Figure 1 - Text version

Figure 1 identifies the difference between cyber security events and cyber security incidents as they are defined in the CSEMP through the use of two circles, one within the other. The first larger circle represents cyber security events, and the second much smaller circle within the first identifies cyber security incidents as being a subset of cyber security events.

1.5 Glossary of acronyms and abbreviations

2.1 Context

Cyber security events related to Government of Canada (GC) information systems can have a significant impact on the delivery of government programs and services to Canadians and, consequently, confidence in government. The ability to respond to cyber security events in a consistent, coordinated and timely manner across the GC is essential to ensure the security and resilience of GC program and service delivery.

2.2 Purpose

The purpose of this document is to provide an operational framework for the management of cyber security events (including cyber threats, vulnerabilities or security incidents) that impact or threaten to impact the GC’s ability to deliver programs and services to Canadians. This document provides context for plans and procedures developed by departments and agencies to manage cyber security events related to the programs and services for which they are responsible.

This document also complements the all-hazards arrangements and response mechanism of the Federal Emergency Response Plan (FERP) to provide a coherent framework for managing the consequences of cyber events affecting multiple government institutions, confidence in government, or both.

2.3 Scope

The scope of this plan is limited to cyber security events (including threats, vulnerabilities or security incidents) on GC information systems classified as Secret and below that either:

• affect or may affect delivery of government programs and services to Canadians, government operations, security or privacy of information or confidence in government
• require an integrated GC-wide response to minimize impacts and enable prompt mitigation and restoration of government programs and services

This plan does not address:

• cyber security events impacting Top Secret information systems
• the coordination of cross-jurisdictional cyber security events (for example, with provinces, territories, municipalities, other countries or non-governmental organizations)

2.4 Objectives

The objectives of this cyber security event management plan are to:

• enhance situational awareness of likely cyber threats and vulnerabilities, as well as confirmed cyber security incidents, across the GC
• improve cyber event coordination and management within the GC
• mitigate threats and vulnerabilities before a compromise can occur
• support GC-wide cyber risk assessment practices and remediation prioritization efforts
• minimize the impacts of cyber events to the confidentiality, availability or integrity of government programs and services, information and operations
• inform decision-making at all necessary levels
• improve sharing and exchange of GC knowledge and expertise
• enhance public confidence in the GC’s ability to manage cyber security events

2.5 Assumptions

The following assumptions were made during the development of this plan:

• all departments and agencies have event management processes and business continuity plans in place as established under the Policy on Government Security
• responsibilities of GC cyber security stakeholders are established in accordance with current departmental mandates
• cyber security events related to the disclosure of personal information or private communications will also follow established privacy protocols
• federal cyber security events impacting multiple jurisdictions (national or international) are coordinated in accordance with national plans issued by Public Safety Canada

3.3.1 Determination of GC response levels

GC response levels are determined based on the analysis of two factors: Departmental impact assessment and scope of the cyber security event in question.

Departmental impact assessments are conducted using the process outlined in Appendix B of this document. This process, applicable to all cyber security events in scope of this plan, is based on a standardized injury test designed to measure the degree of injury that has occurred or could reasonably be expected to occur due to a compromise. This injury assessment considers both the severity and scope of the event. Once the degree of injury is assessed, a modifier is applied to account for the probability of injury realization in cases where an incident has not yet occurred (for example, unrealized cyber threats and vulnerabilities).

Departmental impact assessment results from affected departments are then rolled up at the GC-wide level and Appendix C of this document is then used by the CCCS-IMOC (in collaboration with TBS’s Office of the Chief Information Officer (TBS-OCIO) and other applicable partners) to assess the GC-wide urgency and establish an appropriate GC response level.

Note: In some cases (such as the disclosure of a new security vulnerability for which injury is difficult to discern), more detailed departmental impact assessments may be required in order to establish a GC response level. In these cases, departments will be instructed to perform a detailed assessment via a CCCS-IMOC Request for Action (RFA) and submit results back to the CCCS-IMOC to feed GC response level determination.

3.4.1 Event Coordination Team

The Event Coordination Team (ECT) is a group of key working-level stakeholders that is activated when triggered by the GC CSEMP (Level 2 events) or when invoked by the Executive Management Team (EMT) (Level 3 events) or DG Event Response Committee (DG ERC) (Level 4 events). The purpose of the ECT is to collaborate with key stakeholders and jointly propose recommendations for appropriate courses of action for the GC at large. The ECT is also responsible for ensuring that situational awareness is maintained at the DG level by actively updating EMT members of ongoing cyber security event management progress.

The ECT is co-chaired by TBS-OCIO and CCCS-IMOC, with stakeholder representation varying depending on the nature of the event. As a primary stakeholder, TBS-SCMA will participate, along with the co-chairs, in responding to all types of cyber security events (cyber threats, vulnerabilities and security incidents).

When a cyber security incident is confirmed, or when a cyber threat event falls within the scope of other mandates, the team will expand to include the following specialized stakeholders, as required:

• SSC (Networks, Security and Digital Services)
• Public Safety (National Cyber Security Directorate)
• RCMP (Technical Investigation Services and Federal Policing)
• CSIS (Cyber)
• DND-CAF (Information Management Operations)

Departments directly affected by specific threats or incidents will also be invited to participate on the ECT. Departmental invitations will be determined by the co-chairs, who may limit invitations to ensure optimal operation of the ECT.

During Level 4 events, the ECT co-chairs will ensure that a subject matter expert is co-located in the GOC to provide advice and guidance and ensure that situational awareness is maintained.

3.4.2 Executive Management Team

The Executive Management Team (EMT) is a DG-level committee that is activated when triggered by the GC CSEMP (Level 3 events). The EMT provides strategic direction and guidance to the ECT and presents products to senior GC officials (such as decision briefs or proposed GC-wide mitigation plans that require approval at the ADM level). The EMT is also responsible for ensuring that situational awareness is maintained at higher levels by actively updating appropriate ADM committees. During Level 4 events, the EMT is integrated within the FERP’s DG ERC.

The EMT is co-chaired by TBS-OCIO and CCCS-IMOC, with stakeholder representation varying depending on the nature of the event. As a primary stakeholder, TBS-SCMA will participate, along with the co-chairs, in responding to all types of cyber security events (cyber threats, vulnerabilities and security incidents). When a cyber security incident is confirmed, or when a cyber threat event falls within the scope of other mandates, the team will expand to include the following specialized stakeholders, as required:

• Government Operations Centre (GOC)
• Public Safety (NCSD)
• RCMP (Technical Investigation Services and Federal Policing)
• CSIS (Cyber)
• SSC (NSDS)
• DND-CAF (Information Management Operations)

Departments directly affected by specific threats or incidents will also be invited to participate on the EMT. Departmental invitations will be determined by the co-chairs, who may limit invitations to ensure optimal operation of the EMT.

3.4.3 ADM IT Security Tripartite Committee

The ADM IT Security Tripartite Committee (ADM ITST) is an ADM-level committee that serves as a decision-making body supporting the effective design, delivery and management of priority IT security initiatives affecting internal GC systems and GC-wide operations. In the context of cyber security event management, its activation may be triggered by the GC CSEMP (Level 3 events). The ADM ITST provides mitigation direction and guidance to the EMT when responding to a cyber security event. The ADM ITST is also responsible for ensuring that situational awareness is maintained at higher levels by actively updating appropriate DMs. During Level 4 events, the ADM ITST will support the FERP’s Committee of Assistant Deputy Ministers as appropriate.

The ADM ITST is chaired by the Chief Technology Officer (CTO) at TBS-OCIO, and its primary members are CSE’s Deputy Chief at CCCS and the ADM at SSC-NSDS. Other stakeholder representation at ADM ITST will vary depending on the nature of the event. As a primary stakeholder, TBS-SCMA will participate, along with the co-chairs, in responding to all cyber security types of events (cyber threats, vulnerabilities and security incidents).

When a cyber security incident is confirmed, or when a cyber threat event falls within the scope of other mandates, the team will expand to include the following specialized stakeholders, as required:

• Government Operations Centre (GOC)
• Public Safety (National and Cyber Security Branch)
• SSC (Service Delivery Management)
• RCMP (Technical Investigation Services and Federal Policing)
• DND-CAF (Chief of Staff Information Management Group)
• CSIS
• Affected departments and agencies

3.4.4 Escalation model

The escalation model of the GC CSEMP, outlined in Figure 4, identifies both the working-level and senior management stakeholders required, differentiating between primary and specialized members that vary based on event type (reflected by the black and red outlines). Appropriate governance bodies (either the ECT, the EMT or both) will be invoked, as required, by any stakeholder following analysis of data received from affected organizations. It should be noted that this model identifies the minimum subset of stakeholders that must be involved in escalation; co-chairs of each governance body can invite other GC organizations as appropriate (for example, a specialized stakeholder from whom information originated).

Given the short time frames in which cyber security events can cause significant damage, rapid invocation of the appropriate governance body is essential. As such, the initial invocation of each respective governance body is dependent on the GC response level established for that particular event. For example, should an event be assessed at a Level 3 from the outset, governance will immediately begin at the EMT level.

Figure 4 - Text version

Figure 4 represents the CSEMP escalation model. This figure identifies the required governance based on the response level identified in figure three. Figure four identifies the working level and senior management stakeholders required, differentiating between primary and specialized members who vary based on event type. They are as follows:

1. Level 1 – Departmental response
   1. This level falls under GC CSEMP governance
   2. Departments and agencies provide information to CCCS for all events
   3. CCCS will then relay this information to TBS-OCIO
2. Level 2 – Limited GC-wide response
   1. This level falls under GC CSEMP governance
   2. An event at this level invokes the Event Coordination team (invoked by CCCS and/or TBS-OCIO). This team is made up of the following working-level members:
      1. TBS-OCIO (co-chair)
      2. CCCS (co-chair)
      3. Public Safety (National Cyber Security Directorate)
      4. TBS-SCMA (TBS communications)
   3. In scenarios where a threat or incident has been identified, the following members will join the Cyber Security Event Management team:
      1. RCMP
      2. DND-CAF
      3. CSIS
      4. the affected department(s)
3. Level 3 – Comprehensive GC-wide response
   1. This level falls under GC CSEMP governance
   2. An event at this level invokes the Executive Management team, which is made up of the following DG-level members:
      1. TBS-OCIO (co-chair)
      2. CCCS (co-chair)
      3. Public Safety
      4. TBS-SCMA (TBS communications)
   3. In scenarios where a threat or incident has been identified, the following members will join the Executive Event Management team:
      1. RCMP
      2. DND-CAF
      3. GOC (who acts as the Executive Event Management team liaison to the FERP governance structure if the incident required further escalation)
      4. CSIS
      5. the affected department(s)
   4. In level three, the GC-CIO and other ADM-level committees (which are intentionally flexible because engagement will vary based on the type of event) are identified as stakeholders and will be provided information by the Executive Event Management team
4. Level 4 – Emergency (crisis) response
   1. This level falls under FERP governance
   2. This level is active in the case of threats and incidents only
   3. There are three identified governance bodies in this level, which inform from the bottom up in the following order:
      1. Government Operations Centre (working-level)
         1. Cyber Security Event Management team
         2. Event team (FERP)
         3. affected departments
      2. DG Event Response Committee (DG-level)
         1. GOC (co-chair)
         2. TBS-OCIO (co-chair)
         3. DG Cyber Operations Members, DG Communications working group, and others as required
      3. ADM, DM, Cabinet Committees

Following are other notes about the escalation model:

• For all events:
  • stakeholders in the lower levels of the escalation model are engaged (or remain active, if already engaged) when higher levels are engaged during an event
  • stakeholders in higher levels of the escalation model, even if not formally engaged, are provided with appropriate situational awareness updates throughout the life cycle of an event
• For Level 2 events:
  • ECT invocation implies that implicated stakeholders are simply in communication with one another and does not necessarily require that members formally convene in person
  • the ECT will escalate if mitigation efforts need to be augmented, if greater event impact is realized or if event context dictates heightened GC response
• For Level 3 events:
  • EMT invocation implies that implicated stakeholders convene formally in person
  • the decision to escalate and move to FERP response coordination will be made by DG GOC, in consultation with the EMT
• For Level 4 events:
  • GC CSEMP stakeholders will remain engaged with the FERP event teams and will continue to fulfill their respective mandates within the GC, aligned with direction provided via FERP governance
  • existing information-sharing mechanisms will be used as much as possible to maintain efficiency

3.4.5 Escalation and response levels

Stakeholders also need to be aware that GC response levels can change as an event unfolds depending on whether certain criteria are met. Figure 5 illustrates triggers for escalation that can be used during an event in order to invoke the appropriate stakeholders at the appropriate times. Escalation from one level to the next is determined jointly by the stakeholders involved, using injury (or potential injury) to the GC as a trigger (based on the results from the injury test outlined in Appendix B). Other escalating factors may also need to be considered, based on the context of the event in question.

Depending on the nature of the event, injury tests may need to be re-evaluated in order to accurately assess the level of escalation required. For cyber threat and vulnerability events, escalation would be triggered based on an increase in exposure to injury (for example, increased likelihood of occurrence, increased exploitability or exposure of vulnerable systems, decreased effectiveness of security controls). For confirmed cyber security incidents, escalation would be triggered based on an increase in severity or scope of the injury.

Figure 5 - Text version

Figure 5 identifies relevant stakeholders and the associated triggers for escalation for the various government response levels identified in figure two through the use of concentric circles and an attached table. The triggers for escalation are as follows:

1. Level 1 – Departmental response
   1. Stakeholders
      1. Day-to-day operations of:
         1. Departments and agencies
         2. CCCS
   2. Triggers for escalation
      1. Threats and vulnerabilities
         1. Increased probability of medium or higher impact to multiple departments
         2. Increased exposure of vulnerable systems or increased exploitability of vulnerability
      2. Incidents
         1. Medium-impact compromise affecting delivery of one or more public facing GC programs and services
         2. Indicators of broader propagation
2. Level 2 – Limited GC-wide response
   1. Stakeholders
      1. Event Coordination team
   2. Triggers for escalation
      1. Threats and vulnerabilities
         1. Imminent threat of high or higher impact to one or more departments
         2. High exposure of vulnerable systems
      2. Incidents
         1. High or higher impact of compromise affecting delivery of a public-facing GC programs and services or operation of one or more mission-critical systems
         2. High likelihood of broader propagation
3. Level 3 – Comprehensive GC-wide response
   1. Stakeholders
      1. Executive Management team
      2. ADM committees (as required)
      3. GC CIO
   2. Triggers for escalation
      1. Threats and vulnerabilities
         1. N/A
      2. Incidents
         1. Compromise affecting delivery of many mission-critical programs and services resulting in severe injury (widespread propagation)
4. Level 4 – Emergency (crisis) response
   1. Stakeholders
      1. Federal Emergency Response Plan
         1. GOC
         2. DM and Cabinet committees
   2. Triggers for escalation
      1. N/A

3.4.6 De-escalation

GC response levels can be reduced as an event unfolds depending on whether mitigation measures are effective, if an incident is determined to be less severe than originally believed, if the threat is reduced or if the vulnerability of government systems is determined to be lessened. The decision to de-escalate from one level to the next is made by the committee co-chairs, in consultation with stakeholders involved, using injury (or potential injury) to the GC as a trigger (based on the results from the injury test outlined in Appendix B). Other de-escalating factors may also need to be considered, depending on the context of the event in question.

Depending on the nature of the event, injury tests may need to be re-evaluated in order to accurately assess the level of response required. For cyber threat and vulnerability events, de-escalation will be triggered based on a decrease in exposure to injury (for example, less likelihood of occurrence, decreased exploitability or exposure of vulnerable systems, increased effectiveness of security controls). For confirmed cyber security incidents, de-escalation will be triggered based on a decrease in severity or scope of the injury.

4.1 Preparation

Figure Preparation - Text version

This is a repeat of figure 2, with all but the preparation arrow in the colour grey. The preparation arrow is highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The preparation phase is an ongoing phase in which the GC executes a set of continuous processes in order to ensure proactive readiness for specific or unpredictable events. This phase includes the maintenance and improvement of existing capabilities and the development of new mechanisms for setting priorities, integrating multiple organizations and functions, and ensuring that the appropriate means are available to support the full spectrum of cyber security event management requirements. This phase also includes the application of protective and preventive measures in advance of a cyber event.

In this phase:

• all GC CSEMP stakeholders (including all departments and agencies) will implement applicable protective and preventive measures within their respective areas of responsibility, in accordance with advice and guidance issued by lead security agencies (LSAs)
• TBS will develop and maintain the GC CSEMP, coordinate regular exercises with all implicated stakeholders and ensure that lessons learned are implemented
• TBS will review post-mortem and lessons-learned reports from past events and drive changes to security policy or enterprise security reference architectures, as required
• CCCS-IMOC will maintain GC-wide operational distribution lists and ensure that departments and agencies are continually provided with advice and guidance required to mitigate cyber threats and vulnerabilities in order to prevent the occurrence of cyber security incidents
• Departments and agencies, including service providers such as SSC, will align departmental plans, processes and procedures with the GC CSEMP, participate in exercises when required and ensure that applicable government-wide lessons learned are implemented at the departmental level
• Departments and agencies, including service providers such as SSC, will continually maintain a list of their mission-critical information systems

Inputs and outputs for this phase are as follows:

• Inputs
  • Lessons learned from previous events, mitigation strategies, exercises and test scenarios
  • Ongoing recommendations from LSAs
  • Industry best practices
• Outputs
  • Implemented lessons learned
  • Updated GC-wide cyber security event management plans, processes, guidelines and tools
  • Exercises, scenarios and tests to validate the effectiveness of the GC CSEMP
  • Updated departmental plans, processes and procedures that align with the GC CSEMP
  • Understanding of critical systems across the GC

4.2 Detection and assessment

Figure Detection and assessment - Text version

This is a repeat of figure 2, with all but the detection and assessment arrow in the colour grey. The Detection and Assessment arrow is highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The detection and assessment phase involves the continuous monitoring of information sources for early indications of emerging cyber security events and the assessment of their impact (potential or actual) on the delivery of services to Canadians, government operations or confidence in government.

The detection portion of this phase is constant for any type of cyber event (threat, vulnerability or security incident) and also covers the initial notification of appropriate stakeholders. Detection occurs as a direct result of monitoring; if the monitoring component is inadequate or incomplete, then the detection process may miss anomalies or events that could impact the GC.

In the detection portion of this phase:

• Primary and specialized GC CSEMP stakeholders will monitor their respective information sources for precursors of emerging cyber threat or vulnerability events, or indicators of potential or confirmed cyber security incidents, and immediately notify the CCCS-IMOC of any malicious cyber activity that may affect GC information systems. Specifically:
  • CCCS-IMOC will monitor:
    • technical sources and information reported by other stakeholders
    • the GC perimeter and all endpoints for which they have visibility
    • department-operated cloud-based environments, including endpoints or services within their purview
    • government networks and intelligence sources
    • information from domestic and international sources
  • RCMP will monitor information from criminal surveillance sources
  • CSIS will monitor information from intelligence sources
  • DND-CAF will monitor all DND-owned and -operated networks, as well as networks from allied sources (such as NATO), and when deployed on operation
• Primary and specialized GC CSEMP stakeholders will, upon detection of a cyber event, report cyber security events to applicable organizations, as per subsection 5.1 of this plan
• Departments and agencies, including service providers such as SSC, will implement the general security controls established under the Policy on Government Security on IT infrastructure for which they are responsible and notify the CCCS-IMOC upon detection of a cyber security event, as per the reporting requirements outlined in subsection 5.2 of this plan
• Departments and agencies, including service providers such as SSC, will notify appropriate law enforcement or national security authorities when information is received indicating that an event would fall under these particular domains, as per subsection 5.2.3 of this plan

The assessment portion of this phase begins once information has been received that a potential or actual cyber security event may exist. The purpose of the assessment phase is to establish a GC response level and determine whether invocation of GC CSEMP or FERP governance is required.

In the assessment portion of this phase:

• CCCS-IMOC will establish the initial GC response level, in consultation with TBS-OCIO and other applicable partners, based on a roll-up of departmental information, and invoke the appropriate GC CSEMP governance bodies in accordance with the assessed response level
  • When further information is required to assess GC-wide risk:
    • CCCS-IMOC will leverage, where possible, automated tools to gather information required to support an impact assessment
    • CCCS-IMOC will issue a Request for Action (RFA) to departments and agencies, in consultation and concurrence with TBS-OCIO, to perform a departmental impact assessment
    • Departments and agencies will perform a departmental impact assessment and submit results back to the CCCS-IMOC within the defined time frame

Inputs and outputs for this phase are as follows:

• Inputs
  • Threat and intelligence reports from GC event management stakeholders or external sources (vendors, open source, etc.)
  • Incident reports from GC event management stakeholders, departmental incident reports or external sources
• Outputs
  • Departmental and government-wide impact assessment reports
  • Establishment of a GC response level
  • Identification of events that require a coordinated GC-wide response
  • Invocation of GC CSEMP or FERP governance, if required

4.3 Mitigation and recovery

Figure Mitigation and recovery - Text version

This is a repeat of figure 2, with all but the mitigation and recovery arrow in the colour grey. The mitigation and recovery arrow is highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The purpose of the mitigation and recovery phase is to mitigate threat and vulnerability events before they become incidents, or to contain and mitigate the effects of incidents when they occur. Activities in this phase will vary depending on the nature of the event, but could include actions such as the installation of patches, implementation of preventive measures, containment and eradication of a confirmed incident (which may involve investigative analysis), the invocation of business continuity and disaster recovery plans or the temporary shutdown of vulnerable services. Regardless of the type of event, the end goal of the phase is to minimize impacts and ensure the timely restoration of normal operations.

In this phase, for all applicable events (note that the degree of involvement will vary based on the established GC response level):

• TBS-OCIO will perform strategic coordination, which may include the issuance of strategic direction to departments and agencies on measures to minimize the GC-wide impact of cyber security events (for example, shutting down vulnerable public-facing information systems, invoking disaster recovery plans) (Level 3 events or when warranted by Level 2 events).
• GOC will perform strategic coordination, which may include the issuance (via TBS-OCIO) of strategic direction to departments and agencies on measures to minimize the GC-wide impact of cyber security events (Level 4 events only).
• CCCS-IMOC, as a defensive service provider, will perform operational coordination, which includes issuing technical direction and advice to departments and agencies on measures to mitigate or contain impact to departmental systems (for example, patch installation, blocking of IP addresses), and tracking and reporting these measures (all events).
• All primary and specialized GC CSEMP stakeholders will contribute advice and guidance based on information received from their respective sources.
• Departments and agencies, including service providers such as SSC, will implement the direction provided by CCCS-IMOC and TBS-OCIO within established timelines (on devices and infrastructure for which they are responsible). Service providers, such as SSC, will liaise with their client departments to coordinate infrastructure patching (all events).

In addition, for confirmed incidents (all Level 3+ and applicable Level 2):

• CCCS-IMOC will:
  • lead the development of a GC-wide containment plan, in collaboration with GC CSEMP stakeholders
  • leverage their collection capabilities to facilitate a targeted response
  • help implement the prevention or containment plan in their respective areas of responsibility
  • lead forensic examination and analysis (including evidence collection) on IT systems that it supports, in collaboration with affected departments, agencies and applicable LSAs
• Applicable service providers and affected departments and agencies will help implement the prevention or containment plan in their respective areas of responsibility
• SSC-NSDS will help identify and report on affected or vulnerable systems to facilitate a targeted approach to mitigation activities, in collaboration with departments and agencies

Inputs and outputs for this phase are as follows:

• Inputs
  • Incident and situation reports
  • Intelligence information
  • Forensic findings
  • Other considerations (political, legal, and so on)
  • Impact assessment reports
  • Business continuity plans/disaster recovery plans
• Outputs
  • Response plan
  • Mitigation of threat or vulnerability (when applicable)
  • Containment and eradication of incident (when applicable)
  • Restoration to normal operations
  • Validated end to threat, vulnerability or incident

4.4 Post-event activity

Figure Post-event activity - Text version

This is a repeat of figure 2, with all but the post-event activity and feedback arrows in the colour grey. The post-event activity and feedback arrows are highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The post-event activity phase leverages knowledge gained from each cyber security event to ensure the continual improvement of the cyber security event management process and, by extension, the security posture of the GC infrastructure as a whole. The purpose of this phase is to formally close out the cyber security event by conducting a post-event analysis, identifying lessons learned (when applicable) and driving changes to security policy or enterprise security architecture improvements, as required.

The degree of effort and resources allocated to this phase will vary from event to event. Serious events (including confirmed incidents) will require deeper post-event analysis than those that are less serious in nature. Repetitive events may require post-event analysis in aggregate.

In this phase, for applicable events (or upon request):

• affected departments and agencies will produce their own departmental lessons-learned report and action plan, and contribute to GC-wide post-event activities, as required
• CCCS-IMOC will collate all departmental findings and produce a post-event report, including a timeline of events and root cause analysis
• TBS-OCIO will produce a lessons-learned report and action plan on behalf of the GC and monitor implementation of the recommendations (Level 3 events or when warranted by Level 2 events)
• GOC will produce a lessons-learned report and provide coordination for the production of departmental action plans and monitor the implementation of the recommendation (Level 4 events only)
• all other GC CSEMP stakeholders will provide information required to support the development of GC-wide lessons-learned reports and assist with implementation of related action items under their particular areas of responsibility

Inputs and outputs for this phase are as follows:

• Inputs
  • Review of event timeline
  • Review of reporting and communication procedures and timeliness of products
  • Root cause analysis
  • Other relevant input from implicated CSEMP stakeholders
• Outputs
  • Departmental lessons-learned report
  • GC-level post-event reports
  • GC-wide lessons learned and action plan (if applicable)
  • Recommendations to improve policy instruments or enterprise security architecture

5.1 Government-wide reporting and communication

At the government-wide level, reporting and communication will be handled as follows:

• TBS-SCMA will coordinate the development of a communications strategy and develop and publish external communications materials (in accordance with TBS’s Cyber Security Communications Framework^{Footnote 1}) required during the cyber security event management life cycle, in collaboration with CCCS-Comms and PCO-SC (for all events that require external communications or coordinated messaging)
• affected departments and agencies will develop their own stakeholder, client and public communications products (all events, but with TBS-SCMA and PCO-SC approval for Level 3 and Level 4 events, in accordance with TBS’s Cyber Security Communications Framework^{Footnote 1})
• TBS-OCIO will coordinate messaging to the Chief Information Officer (CIO) and Chief Security Officer (CSO) community and disseminate Senior Management Updates as required throughout the cyber security event management process (Level 3 and Level 4 events or when situational awareness is required during Level 2 events)
• CCCS-IMOC will communicate government-wide business impact assessment results with the GOC and Privy Council Office’s Security and Intelligence (PCO-S&I) (Level 2 and Level 3 events)
• GOC will disseminate FERP governance updates and situational awareness products and briefings as required throughout the cyber security event management process (Level 3 and Level 4 events or when situational awareness is required during Level 2 events)
• CCCS-IMOC will coordinate messaging to the operational (IT Security) community and disseminate technical information products (cyber flashes, advisories, alerts, and so on), including GC CSEMP response level status and situation reports to implicated stakeholders as required throughout the cyber security event management process (all events), in collaboration with TBS-OCIO and other applicable partners
• primary and specialized GC CSEMP stakeholders will ensure that appropriate organizations are notified when criminal-, terrorist- or military-related cyber event activity is detected (RCMP, CSIS and DND respectively)
  • CCCS-IMOC will take the lead on reporting to the RCMP, and to CSIS or DND or both, if activity related to their mandates is discovered during the course of managing a GC event

A pictorial representation of the information-sharing flow can be found in Figure 6. Note that information-sharing at lower levels will continue in parallel to higher-level information-sharing.

Figure 6 - Text version

Figure 6 identifies the CSEMP information sharing flow separated by the different GC response levels outlined in figure two. Figure six applies only to the first three levels of response and does not address information sharing at Level 4 (emergency or crisis response).

1. Level 1 – Departmental response
   1. CCCS is the central agent in gathering information
   2. CCCS will obtain and provide information to the following sources:
      1. TBS-OCIO
      2. Departments and agencies (IT Security team)
      3. Technical information sources
   3. TBS-OCIO is to receive information only from CCCS
2. Level 2 – Limited GC-wide response
   1. The Event Coordination team is identified as the central source for information sharing
   2. The Event Coordination team is comprised of the following agents:
      1. TBS-OCIO
      2. CCCS
      3. other CSEMP stakeholders
   3. The Event Coordination team will provide and receive information from the following stakeholders:
      1. Departments and agencies (IT Security team) (through the CCCS)
      2. PCO-S&I (through CCCS)
      3. other CSEMP stakeholders
3. Level 3 – Comprehensive GC-wide response
   1. Two governance bodies are identified as central sources for information-sharing
   2. The first is the Executive Management team comprised of the following agents:
      1. TBS-OCIO
      2. TBS-SCMA
      3. CCCS
      4. other CSEMP stakeholders
   3. The Executive Management team (through TBS-OCIO) will provide information to departments and agencies (CSO)
   4. The EMT will provide and receive information from CCNSS as a committee
   5. The EMT (through TBS-SCMA) will provide and receive information from Departments and Agencies (comms), PCO-Comms
   6. The EMT (through TBS-OCIO) will inform the second level of governance at the ADM level
   7. The second level of governance consists of:
      1. identified ADM committees
      2. GC CTO
   8. The GC CTO will provide information to departments and agencies at the CIO level

5.2 Departmental reporting requirements

5.3 Secure communications

During the cyber security event management life cycle (specifically, during the detection and assessment or mitigation and recovery phases), it frequently becomes necessary for key stakeholders to share information with one another. When this information becomes sensitive in nature (for example, specifics related to vulnerable IT systems, details about data exfiltration), secure communications methods must be used to transmit this information between stakeholders.

As such, all stakeholders need to be prepared to send and receive sensitive information. Such preparation includes ensuring that available secure communications tools (in other words, secure data and voice infrastructure) are in working order, with procedures in place and personnel trained for their use. Stakeholders not equipped with sufficient tools will ensure that alternative manual processes are in place to send and receive this information, recognizing that these manual processes may delay receipt.

1.  Primary GC Cyber Security Event Management stakeholders

The following is a list of primary stakeholders in the GC cyber security event management process that will be engaged in all events that meet the appropriate trigger criteria (including potential threats and vulnerabilities, and confirmed incidents). The degree of involvement from each stakeholder will vary based on the impact or severity of the event.

2. Specialized GC Cyber Security Event Management stakeholders

The following is a list of specialized stakeholders in the GC cyber security event management process that will be engaged for confirmed cyber security incidents or threat events that require specialized attention related to their particular mandates.

3. Other stakeholders

Step 1 (for all cyber security events): Injury test

The injury test, performed using Table 3, is based on severity and scope of the injury that could reasonably be expected to occur.

Severity: The severity of the injury refers to the level of harm, damage or loss (for example, from physical injury to loss of life, from minor financial losses to loss of financial viability, from minor inconvenience to significant hardship). The severity of the injury may be characterized as limited, serious or severe, based on an assessment of the following types of injury:

• harm to the health and safety of individuals
• financial losses or economic hardship
• impacts to government programs and services
• loss of civil order or national sovereignty
• damage to reputations or relationships

Other factors specific to a departmental or agency mandate or operational context may also be considered.

Scope: The scope of injury refers to the number of people, organizations, facilities or systems impacted, the geographical area affected (for example, localized or widespread), or duration of the injury (for example, short term or long term). The scope of injury can be characterized as:

• Wide: widespread; national or international; multiple countries or jurisdictions; major government programs or sectors
• Medium: jurisdiction, business sector, government program; group or community
• Narrow: individual, small business

Table 4 can be consulted to analyze potential expected results of a compromise and validate the outcome of the initial injury test. Once confirmed, this value can be entered in the incident report and submitted to the CCCS-IMOC.

Step 2 (for cyber threat and vulnerability events only): Risk assessment

Unlike cyber security incidents, where injury has been realized, injury is still in a potential state for cyber threat and vulnerability events. As such, in order to establish an accurate potential impact level, a risk assessment must be conducted (using Table 5) to determine the probability of occurrence for the injury. Using the results of the injury test performed in Step 1 (in other words, expected injury), a risk-modified departmental impact level is determined based on factors such as intelligence indicators (likelihood of compromise), exploitability, exposure of affected information systems, and implementation of compensating controls.

This risk-modified departmental impact level is to be reported to the CCCS-IMOC (when requested via an RFA) for consumption at the GC-wide level.

Cyber threat or vulnerability events are to be classified as cyber security incidents as soon as injury is realized. When injury moves from a potential state to a realized state, the injury tests in this appendix will require re-evaluation and resubmission to the CCCS-IMOC to determine whether changes to event response or further escalation are required.