Government of Canada Cyber Security Event Management Plan (GC CSEMP) 2019

1.0 Preamble

1.1 About this document

This document describes the Government of Canada (GC) Cyber Security Event Management Plan (CSEMP). This plan outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion GC-wide. The plan will be tested and reviewed annually, and modified as required.

1.2 Effective Date

This plan takes effect on . It replaces the version dated .

1.3 Application

This plan is prepared in the exercise of the responsibilities conferred to the Treasury Board of Canada Secretariat (TBS) under the Policy on Government Security (PGS) and is intended for all departments and agencies subject to the PGS.

1.4 Definitions

Note: These definitions are from the Policy on Government Security. Additional examples are provided for some terms to clarify their interpretation for the purposes of this plan.

Compromise:
A breach of government security. Includes but is not limited to:
  • unauthorized access to, disclosure, modification, use, interruption, removal or destruction of sensitive information or assets, causing a loss of confidentiality, integrity, availability or value
  • an event causing a loss of integrity or availability of government services or activities
Security event:
Any event, act, omission or situation that may be detrimental to government security, including threats, vulnerabilities and security incidents.
  • Examples of cyber security events: Disclosure of a new vulnerability, intelligence that a threat actor may be planning an attack against a GC information system (for example, a distributed denial of service (DDoS) attack, attempts to breach the network perimeter)
Security incident:
Any event (or collection of events), act, omission or situation that has resulted in a compromise.
  • Every cyber security incident is a cyber security event (or collection of cyber security events), but not every cyber security event is a cyber security incident (see Figure 1)
  • Examples of cyber security incidents: Active exploitation of one or more identified vulnerabilities, exfiltration of data, failure of a security control, breach of a cloud-hosted or managed GC service
Threat:
Any potential event or act, deliberate or unintentional, or natural hazard that could result in a compromise.
Vulnerability:
A factor that could increase susceptibility to compromise.
Figure 1: Cyber security events versus incidents
Graphic representing that cyber security incident is a cyber security event, text version below:
Figure 1 - Text version

Figure 1 identifies the difference between cyber security events and cyber security incidents as they are defined in the CSEMP through the use of two circles, one within the other. The first larger circle represents cyber security events, and the second much smaller circle within the first identifies cyber security incidents as being a subset of cyber security events.

1.5 Glossary of acronyms and abbreviations

ADM Assistant Deputy Minister
CCCS Canadian Centre for Cyber Security, part of the Communications Security Establishment
CCNSS Canadian Committee on National Security Systems
CIO Chief Information Officer
Comms Communications
CSE Communications Security Establishment
CSEMP Cyber Security Event Management Plan
CSIS Canadian Security Intelligence Service
CSO Chief Security Officer
DG Director General
DG ERC Director General Event Response Committee
DND-CAF National Defence/Canadian Armed Forces
ECT Event Coordination Team
EMT Executive Management Team
ERC Event Response Committee
FERP Federal Emergency Response Plan
GC Government of Canada
GOC Government Operations Centre
IMOC Incident Management and Operational Coordination, part of the Canadian Centre for Cyber Security
IT Information technology
ITSec Information technology security
LSA Lead Security Agency
NSDS Networks, Security and Digital Services, part of Shared Services Canada
NSS National Security Systems
OCIO Office of the Chief Information Officer, part of the Treasury Board of Canada Secretariat
PCO Privy Council Office
PS Public Safety Canada
RCMP Royal Canadian Mounted Police
RFA Request for Action
S&I Security and intelligence
SC Strategic communications
SCMA Strategic Communications and Ministerial Affairs, part of the Treasury Board of Canada Secretariat
SSC Shared Services Canada
TBS Treasury Board of Canada Secretariat

2.0 Introduction

2.1 Context

Cyber security events related to Government of Canada (GC) information systems can have a significant impact on the delivery of government programs and services to Canadians and, consequently, confidence in government. The ability to respond to cyber security events in a consistent, coordinated and timely manner across the GC is essential to ensure the security and resilience of GC program and service delivery.

2.2 Purpose

The purpose of this document is to provide an operational framework for the management of cyber security events (including cyber threats, vulnerabilities or security incidents) that impact or threaten to impact the GC’s ability to deliver programs and services to Canadians. This document provides context for plans and procedures developed by departments and agencies to manage cyber security events related to the programs and services for which they are responsible.

This document also complements the all-hazards arrangements and response mechanism of the Federal Emergency Response Plan (FERP) to provide a coherent framework for managing the consequences of cyber events affecting multiple government institutions, confidence in government, or both.

2.3 Scope

The scope of this plan is limited to cyber security events (including threats, vulnerabilities or security incidents) on GC information systems classified as Secret and below that either:

  • affect or may affect delivery of government programs and services to Canadians, government operations, security or privacy of information or confidence in government
  • require an integrated GC-wide response to minimize impacts and enable prompt mitigation and restoration of government programs and services

This plan does not address:

  • cyber security events impacting Top Secret information systems
  • the coordination of cross-jurisdictional cyber security events (for example, with provinces, territories, municipalities, other countries or non-governmental organizations)

2.4 Objectives

The objectives of this cyber security event management plan are to:

  • enhance situational awareness of likely cyber threats and vulnerabilities, as well as confirmed cyber security incidents, across the GC
  • improve cyber event coordination and management within the GC
  • mitigate threats and vulnerabilities before a compromise can occur
  • support GC-wide cyber risk assessment practices and remediation prioritization efforts
  • minimize the impacts of cyber events to the confidentiality, availability or integrity of government programs and services, information and operations
  • inform decision-making at all necessary levels
  • improve sharing and exchange of GC knowledge and expertise
  • enhance public confidence in the GC’s ability to manage cyber security events

2.5 Assumptions

The following assumptions were made during the development of this plan:

  • all departments and agencies have event management processes and business continuity plans in place as established under the Policy on Government Security
  • responsibilities of GC cyber security stakeholders are established in accordance with current departmental mandates
  • cyber security events related to the disclosure of personal information or private communications will also follow established privacy protocols
  • federal cyber security events impacting multiple jurisdictions (national or international) are coordinated in accordance with national plans issued by Public Safety Canada

3.0 Government of Canada Cyber Security Event Management

Government security and the continuity of GC programs and services rely upon the ability of departments and agencies, as well as government as a whole, to manage cyber security events. All government departments experience events that either impact or threaten to impact the delivery of government programs and services. As the GC is increasingly dependent upon IT to deliver services to Canadians and maintain operations, it needs to be prepared to react quickly and effectively to any event that may adversely affect services to Canadians, government operations or confidence in government.

The GC Cyber Security Event Management Plan (GC CSEMP) outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion GC-wide. This section of the plan outlines the cyber security event management process, identifies implicated stakeholders, defines cyber security event response levels and describes escalation triggers.

3.1 Process overview

The overall cyber security event management process defined in this document has several phases, as outlined in Figure 2.

Figure 2: Cyber Security Event Management Process
Graphic representing the CSEMP process, text version below:
Figure 2 - Text version

Figure 2 represents the overall cyber security event management process and its multiple phases, as defined in this document. The four phases (preparation, detection and assessment, mitigation and recovery, and post-event activity) are depicted in the middle, with an arrow pointing from the final phase (post-event activity) back to the first (preparation) to indicate a continuous feedback loop. Under each key phase is a short description. The descriptions read as follows:

  1. Preparation
    1. Establish roles and responsibilities
    2. Document and test procedures
    3. Train personnel
    4. Apply protective measures
  2. Detection and assessment
    1. Monitor information sources
    2. Detect and recognize cyber security events
    3. Triage and prioritize
  3. Mitigation and recovery
    1. Conduct forensic analysis
    2. Mitigate (via containment and eradication)
    3. Restore to normal operations
  4. Post-event activity
    1. Conduct post-event analysis
    2. Conduct lessons learned
    3. Continuous improvement

Above phases 2 to 4 is a box that contains the words reporting and communication. This indicates that reporting is an ongoing activity throughout these phases. This box has arrows pointing up to a box that contains the words GC situational awareness to represent the central concept of ongoing situational awareness across the GC at every point in the event management lifecycle.

The initial phase, preparation, involves general readiness activities to ensure that the GC is ready to respond to the broad range of cyber security events. In this phase, event-related roles and responsibilities are established, plans and procedures are documented (or updated with lessons learned) and exercised, and personnel are trained. A key component of this phase also includes the application of protective and preventive measures at the host, application and network levels. Protective measures also include the implementation of vulnerability management, patch management and other related processes.

The second phase, detection and assessment, involves the discovery of potential cyber security events, including confirmed cyber security incidents, through the monitoring of various information sources (including departmental and GC-wide hardware and software solutions) and submission of reports by affected departments and agencies. This phase also includes an initial assessment of event impact levels that feed into the determination of an appropriate GC response.

The third phase, mitigation and recovery, consists of all response actions required to minimize impacts to confidentiality, availability and integrity, and lead to restoration of normal operations. Containment and eradication are key components of this phase, which includes, but is not limited to, actions such as shutting down systems, disconnecting from networks, disabling functionality, and mitigating exploited vulnerabilities via patch installation. Recovery actions in this phase include invocation of business continuity or disaster recovery plans, or any other measure that will reduce impact to affected information systems and allow for a return to normal operations. This phase also includes root cause analysis and investigation, which consist of activities such as evidence gathering, forensic analysis, research and other related processes that could influence recovery actions.

The final phase, post-event activity, is vital for continuous improvement of the overall cyber security event management process and, as such, feeds back into the preparation phase to complete the event management life cycle. This phase consists of post-event analysis, preparing and reviewing event lessons learned, and recommending changes to processes or procedures in order to continually mature the GC’s cyber security event management capability.

From the time that an event is detected to the conclusion of post-event activities, reporting and communication between stakeholders occurs throughout, enabling whole-of-government situational awareness. Entrenching these ongoing activities into the life cycle of cyber security event management is imperative to ensure that mitigation advice and status updates are shared with both affected and non-affected parties in a timely fashion, enabling situational awareness and supporting informed decision-making.

3.2 Stakeholders

In addition to individual departments and agencies, which play a key role in informing and taking action on GC cyber security event management activities, a number of other stakeholders are also involved in the GC CSEMP. Below is a summary of stakeholders, organized into three major categories. Detailed roles and responsibilities of each stakeholder can be found in Appendix A.

GC CSEMP stakeholders

  1. Primary stakeholders
    • Treasury Board of Canada Secretariat (TBS)
      • Office of the Chief Information Officer (OCIO)
      • Strategic Communications and Ministerial Affairs (SCMA)
    • Canadian Centre for Cyber Security (CCCS), part of the Communications Security Establishment (CSE)
      • Incident Management and Operational Coordination (IMOC)
      • Communications (Comms)
  2. Specialized stakeholders
    • Royal Canadian Mounted Police (RCMP)
    • Canadian Security Intelligence Service (CSIS)
    • National Defence/Canadian Armed Forces (DND-CAF)
    • Shared Services Canada (SSC)
      • Networks, Security and Digital Services (NSDS)
      • Service Delivery Management
    • Public Safety Canada, National Cyber Security Directorate (NCSD)
  3. Other stakeholders
    • GC Chief Information Officer (GC CIO)
    • Government Operations Centre (GOC)
    • Privy Council Office (PCO)
      • Security and Intelligence (S&I)
      • Strategic Communications (SC)
    • Canadian Committee on National Security Systems (CCNSS)
    • DG Event Response Committee (DG ERC)
    • External Partners

3.3 GC response levels

There are four response levels that govern GC cyber security event management activities, as indicated in Figure 3. These response levels will dictate the level of coordination required in response to any given cyber security event, including level of escalation, stakeholder participation and reporting required.

Figure 3: GC response levels
Graphic representing the different levels of response, text version below:
Figure 3 - Text version

Figure 3 represents the four GC response levels that govern GC cyber security event management activities and dictate the necessity and degree of enterprise response required. The figure uses four stacked boxes with the level of required coordination identified to the right of the boxes.

  1. Level 1 – Departmental response
    1. Requires standard coordination
  2. Level 2 – Limited GC-wide response
    1. Requires GC CSEMP coordination
  3. Level 3 – Comprehensive GC-wide response
    1. Requires GC CSEMP coordination
  4. Level 4 – Emergency (crisis) response
    1. Requires FERP coordination

Level 1 essentially represents day-to-day operations in the GC. The dynamic nature of the cyber threat environment and the constant disclosure of new cyber security vulnerabilities mean that the GC will typically operate in a Level 1 state. In this state, departments and agencies are to coordinate response in accordance with their standard departmental procedures, continue the application of regular preventive measures and maintain communication with the Canadian Centre for Cyber Security (CCCS)’s Incident Management and Operational Coordination (IMOC) Group for advice and guidance. At a GC-wide level, no further coordination among primary or specialized stakeholders is required, aside from regular information-sharing between stakeholders for situational awareness.

Level 2 indicates that heightened attention is required at the GC level. This level will trigger invocation of the lower tier of GC CSEMP governance (as outlined in subsection 3.4.4) and implies that some limited GC-wide coordination may be required. At this level, all primary GC CSEMP stakeholders (and specialized stakeholders, when required) will be on heightened alert for cyber activity, monitoring GC-wide risk levels and ensuring that any impact or potential impact is contained and mitigated. Additional targeted advice will be provided to departments and agencies on how to proceed with event response, which could include invocation of emergency patch management processes.

Level 3 indicates that immediate focus and action is required at the GC level. This level will trigger invocation of the upper tier of GC CSEMP governance (as outlined in subsection 3.4.4) and implies that centralized, GC-wide coordination will be required. At this level, event response will be fully coordinated via the GC CSEMP governance structure, with departments and agencies given ongoing direction and guidance on how to proceed with event response. Response may range from invocation of emergency patch management processes to the disconnection of systems from GC networks. Events at this level will also trigger invocation of TBS’s Cyber Security Communications Framework (footnote 1).

Level 4 is reserved for severe or catastrophic events that affect multiple government institutions, confidence in government or other aspects of the national interest. Events that reach this level will immediately shift to the FERP governance structure, coordinated by the GOC in accordance with the FERP, in order to ensure the harmonization of federal response efforts.

3.3.1 Determination of GC response levels

GC response levels are determined based on the analysis of two factors: the departmental impact assessment and the scope of the cyber security event in question.

Departmental impact assessments are conducted using the process outlined in Appendix B of this document. This process, applicable to all cyber security events in scope of this plan, is based on a standardized injury test designed to measure the degree of injury that has occurred or could reasonably be expected to occur due to a compromise. This injury assessment considers both the severity and scope of the event. Once the degree of injury is assessed, a modifier is applied to account for the probability of injury realization in cases where an incident has not yet occurred (for example, unrealized cyber threats and vulnerabilities).

Departmental impact assessment results from affected departments are then rolled up at the GC-wide level and Appendix C of this document is then used by the CCCS-IMOC (in collaboration with TBS’s Office of the Chief Information Officer (TBS-OCIO) and other applicable partners) to assess the GC-wide urgency and establish an appropriate GC response level.

Note: In some cases (such as the disclosure of a new security vulnerability for which injury is difficult to discern), more detailed departmental impact assessments may be required in order to establish a GC response level. In these cases, departments will be instructed to perform a detailed assessment via a CCCS-IMOC Request for Action (RFA) and submit results back to the CCCS-IMOC to feed GC response level determination.

3.4 Governance

During a cyber security event, the timely engagement of the appropriate level of governance bodies will focus both management and operations to prevent, detect, respond to and recover from cyber security events in a prioritized manner.

The GC CSEMP governance structure introduces three key governance bodies that will manage escalation of a cyber security event: the Event Coordination Team (ECT), the Executive Management Team (EMT) and the ADM IT Security Tripartite (ADM ITST). When a cyber event occurs, the lead minister for the response will be determined on a case-by-case basis, according to the unique context of the event.

3.4.1 Event Coordination Team

The Event Coordination Team (ECT) is a group of key working-level stakeholders that is activated when triggered by the GC CSEMP (Level 2 events) or when invoked by the Executive Management Team (EMT) (Level 3 events) or DG Event Response Committee (DG ERC) (Level 4 events). The purpose of the ECT is to collaborate with key stakeholders and jointly propose recommendations for appropriate courses of action for the GC at large. The ECT is also responsible for ensuring that situational awareness is maintained at the DG level by actively updating EMT members of ongoing cyber security event management progress.

The ECT is co-chaired by TBS-OCIO and CCCS-IMOC, with stakeholder representation varying depending on the nature of the event. As a primary stakeholder, TBS-SCMA will participate, along with the co-chairs, in responding to all types of cyber security events (cyber threats, vulnerabilities and security incidents).

When a cyber security incident is confirmed, or when a cyber threat event falls within the scope of other mandates, the team will expand to include the following specialized stakeholders, as required:

  • SSC (Networks, Security and Digital Services)
  • Public Safety (National Cyber Security Directorate)
  • RCMP (Technical Investigation Services and Federal Policing)
  • CSIS (Cyber)
  • DND-CAF (Information Management Operations)

Departments directly affected by specific threats or incidents will also be invited to participate on the ECT. Departmental invitations will be determined by the co-chairs, who may limit invitations to ensure optimal operation of the ECT.

During Level 4 events, the ECT co-chairs will ensure that a subject matter expert is co-located in the GOC to provide advice and guidance and ensure that situational awareness is maintained.

3.4.2 Executive Management Team

The Executive Management Team (EMT) is a DG-level committee that is activated when triggered by the GC CSEMP (Level 3 events). The EMT provides strategic direction and guidance to the ECT and presents products to senior GC officials (such as decision briefs or proposed GC-wide mitigation plans that require approval at the ADM level). The EMT is also responsible for ensuring that situational awareness is maintained at higher levels by actively updating appropriate ADM committees. During Level 4 events, the EMT is integrated within the FERP’s DG ERC.

The EMT is co-chaired by TBS-OCIO and CCCS-IMOC, with stakeholder representation varying depending on the nature of the event. As a primary stakeholder, TBS-SCMA will participate, along with the co-chairs, in responding to all types of cyber security events (cyber threats, vulnerabilities and security incidents). When a cyber security incident is confirmed, or when a cyber threat event falls within the scope of other mandates, the team will expand to include the following specialized stakeholders, as required:

  • Government Operations Centre (GOC)
  • Public Safety (NCSD)
  • RCMP (Technical Investigation Services and Federal Policing)
  • CSIS (Cyber)
  • SSC (NSDS)
  • DND-CAF (Information Management Operations)

Departments directly affected by specific threats or incidents will also be invited to participate on the EMT. Departmental invitations will be determined by the co-chairs, who may limit invitations to ensure optimal operation of the EMT.

3.4.3 ADM IT Security Tripartite Committee

The ADM IT Security Tripartite Committee (ADM ITST) is an ADM-level committee that serves as a decision-making body supporting the effective design, delivery and management of priority IT security initiatives affecting internal GC systems and GC-wide operations. In the context of cyber security event management, its activation may be triggered by the GC CSEMP (Level 3 events). The ADM ITST provides mitigation direction and guidance to the EMT when responding to a cyber security event. The ADM ITST is also responsible for ensuring that situational awareness is maintained at higher levels by actively updating appropriate DMs. During Level 4 events, the ADM ITST will support the FERP’s Committee of Assistant Deputy Ministers as appropriate.

The ADM ITST is chaired by the Chief Technology Officer (CTO) at TBS-OCIO, and its primary members are CSE’s Deputy Chief at CCCS and the ADM at SSC-NSDS. Other stakeholder representation at ADM ITST will vary depending on the nature of the event. As a primary stakeholder, TBS-SCMA will participate, along with the chair and primary members, in responding to all types of cyber security events (cyber threats, vulnerabilities and security incidents).

When a cyber security incident is confirmed, or when a cyber threat event falls within the scope of other mandates, the team will expand to include the following specialized stakeholders, as required:

  • Government Operations Centre (GOC)
  • Public Safety (National and Cyber Security Branch)
  • SSC (Service Delivery Management)
  • RCMP (Technical Investigation Services and Federal Policing)
  • DND-CAF (Chief of Staff Information Management Group)
  • CSIS
  • Affected departments and agencies

3.4.4 Escalation model

The escalation model of the GC CSEMP, outlined in Figure 4, identifies both the working-level and senior management stakeholders required, differentiating between primary and specialized members that vary based on event type (reflected by the black and red outlines). Appropriate governance bodies (either the ECT, the EMT or both) will be invoked, as required, by any stakeholder following analysis of data received from affected organizations. It should be noted that this model identifies the minimum subset of stakeholders that must be involved in escalation; co-chairs of each governance body can invite other GC organizations as appropriate (for example, a specialized stakeholder from whom information originated).

Given the short time frames in which cyber security events can cause significant damage, rapid invocation of the appropriate governance body is essential. As such, the initial invocation of each respective governance body is dependent on the GC response level established for that particular event. For example, should an event be assessed at a Level 3 from the outset, governance will immediately begin at the EMT level.

Figure 4: GC CSEMP escalation model
Governance model, text version below:
Figure 4 - Text version

Figure 4 represents the CSEMP escalation model. This figure identifies the required governance based on the response level identified in Figure 3. Figure 4 identifies the working-level and senior management stakeholders required, differentiating between primary and specialized members who vary based on event type. They are as follows:

  1. Level 1 – Departmental response
    1. This level falls under GC CSEMP governance
    2. Departments and agencies provide information to CCCS for all events
    3. CCCS will then relay this information to TBS-OCIO
  2. Level 2 – Limited GC-wide response
    1. This level falls under GC CSEMP governance
    2. An event at this level invokes the Event Coordination Team (ECT) (invoked by CCCS and/or TBS-OCIO). This team is made up of the following working-level members:
      1. TBS-OCIO (co-chair)
      2. CCCS (co-chair)
      3. Public Safety (National Cyber Security Directorate)
      4. TBS-SCMA (TBS communications)
    3. In scenarios where a threat or incident has been identified, the following members will join the ECT:
      1. RCMP
      2. DND-CAF
      3. CSIS
      4. the affected department(s)
  3. Level 3 – Comprehensive GC-wide response
    1. This level falls under GC CSEMP governance
    2. An event at this level invokes the Executive Management Team (EMT), which is made up of the following DG-level members:
      1. TBS-OCIO (co-chair)
      2. CCCS (co-chair)
      3. Public Safety
      4. TBS-SCMA (TBS communications)
    3. In scenarios where a threat or incident has been identified, the following members will join the EMT:
      1. RCMP
      2. DND-CAF
      3. GOC (which acts as the EMT’s liaison to the FERP governance structure if the incident requires further escalation)
      4. CSIS
      5. the affected department(s)
    4. At Level 3, the GC CIO and other ADM-level committees (which are intentionally flexible because engagement will vary based on the type of event) are identified as stakeholders and will be provided information by the EMT
  4. Level 4 – Emergency (crisis) response
    1. This level falls under FERP governance
    2. This level is active in the case of threats and incidents only
    3. There are three identified governance bodies in this level, which inform from the bottom up in the following order:
      1. Government Operations Centre (working-level)
        1. Event Coordination Team (ECT)
        2. Event team (FERP)
        3. affected departments
      2. DG Event Response Committee (DG-level)
        1. GOC (co-chair)
        2. TBS-OCIO (co-chair)
        3. DG Cyber Operations Members, DG Communications working group, and others as required
      3. ADM, DM, Cabinet Committees

Following are other notes about the escalation model:

  • For all events:
    • stakeholders in the lower levels of the escalation model are engaged (or remain active, if already engaged) when higher levels are engaged during an event
    • stakeholders in higher levels of the escalation model, even if not formally engaged, are provided with appropriate situational awareness updates throughout the life cycle of an event
  • For Level 2 events:
    • ECT invocation implies that implicated stakeholders are simply in communication with one another and does not necessarily require that members formally convene in person
    • the ECT will escalate if mitigation efforts need to be augmented, if greater event impact is realized or if event context dictates heightened GC response
  • For Level 3 events:
    • EMT invocation implies that implicated stakeholders convene formally in person
    • the decision to escalate and move to FERP response coordination will be made by DG GOC, in consultation with the EMT
  • For Level 4 events:
    • GC CSEMP stakeholders will remain engaged with the FERP event teams and will continue to fulfill their respective mandates within the GC, aligned with direction provided via FERP governance
    • existing information-sharing mechanisms will be used as much as possible to maintain efficiency

3.4.5 Escalation and response levels

Stakeholders also need to be aware that GC response levels can change as an event unfolds depending on whether certain criteria are met. Figure 5 illustrates triggers for escalation that can be used during an event in order to invoke the appropriate stakeholders at the appropriate times. Escalation from one level to the next is determined jointly by the stakeholders involved, using injury (or potential injury) to the GC as a trigger (based on the results from the injury test outlined in Appendix B). Other escalating factors may also need to be considered, based on the context of the event in question.

Depending on the nature of the event, injury tests may need to be re-evaluated in order to accurately assess the level of escalation required. For cyber threat and vulnerability events, escalation would be triggered based on an increase in exposure to injury (for example, increased likelihood of occurrence, increased exploitability or exposure of vulnerable systems, decreased effectiveness of security controls). For confirmed cyber security incidents, escalation would be triggered based on an increase in severity or scope of the injury.

Figure 5: Escalation and response levels
Graphic representing the escalation and response levels, text version below:
Figure 5 - Text version

Figure 5 identifies relevant stakeholders and the associated triggers for escalation for the various government response levels identified in Figure 2 through the use of concentric circles and an attached table. The triggers for escalation are as follows:

  1. Level 1 – Departmental response
    1. Stakeholders
      1. Day-to-day operations of:
        1. Departments and agencies
        2. CCCS
    2. Triggers for escalation
      1. Threats and vulnerabilities
        1. Increased probability of medium or higher impact to multiple departments
        2. Increased exposure of vulnerable systems or increased exploitability of vulnerability
      2. Incidents
        1. Medium-impact compromise affecting delivery of one or more public-facing GC programs and services
        2. Indicators of broader propagation
  2. Level 2 – Limited GC-wide response
    1. Stakeholders
      1. Event Coordination team
    2. Triggers for escalation
      1. Threats and vulnerabilities
        1. Imminent threat of high or higher impact to one or more departments
        2. High exposure of vulnerable systems
      2. Incidents
        1. High or higher impact of compromise affecting delivery of public-facing GC programs and services or operation of one or more mission-critical systems
        2. High likelihood of broader propagation
  3. Level 3 – Comprehensive GC-wide response
    1. Stakeholders
      1. Executive Management team
      2. ADM committees (as required)
      3. GC CIO
    2. Triggers for escalation
      1. Threats and vulnerabilities
        1. N/A
      2. Incidents
        1. Compromise affecting delivery of many mission-critical programs and services resulting in severe injury (widespread propagation)
  4. Level 4 – Emergency (crisis) response
    1. Stakeholders
      1. Federal Emergency Response Plan
        1. GOC
        2. DM and Cabinet committees
    2. Triggers for escalation
      1. N/A

3.4.6 De-escalation

GC response levels can be reduced as an event unfolds depending on whether mitigation measures are effective, if an incident is determined to be less severe than originally believed, if the threat is reduced or if the vulnerability of government systems is determined to be lessened. The decision to de-escalate from one level to the next is made by the committee co-chairs, in consultation with stakeholders involved, using injury (or potential injury) to the GC as a trigger (based on the results from the injury test outlined in Appendix B). Other de-escalating factors may also need to be considered, depending on the context of the event in question.

Depending on the nature of the event, injury tests may need to be re-evaluated in order to accurately assess the level of response required. For cyber threat and vulnerability events, de-escalation will be triggered based on a decrease in exposure to injury (for example, less likelihood of occurrence, decreased exploitability or exposure of vulnerable systems, increased effectiveness of security controls). For confirmed cyber security incidents, de-escalation will be triggered based on a decrease in severity or scope of the injury.

4.0 Concept of Operations

The following subsections provide an overview of stakeholder expectations for each phase of the GC cyber security event management life cycle. These subsections will demonstrate how the GC CSEMP is operationalized, and describe the key inputs and outputs from each phase.

All stakeholders are responsible for developing their own standard operating procedures or internal processes to deliver the expected outputs.

4.1 Preparation

Graphic representing the first step of the process, text version below:
Figure Preparation - Text version

This is a repeat of figure 2, with all but the preparation arrow in the colour grey. The preparation arrow is highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The preparation phase is an ongoing phase in which the GC executes a set of continuous processes in order to ensure proactive readiness for specific or unpredictable events. This phase includes the maintenance and improvement of existing capabilities and the development of new mechanisms for setting priorities, integrating multiple organizations and functions, and ensuring that the appropriate means are available to support the full spectrum of cyber security event management requirements. This phase also includes the application of protective and preventive measures in advance of a cyber event.

In this phase:

  • all GC CSEMP stakeholders (including all departments and agencies) will implement applicable protective and preventive measures within their respective areas of responsibility, in accordance with advice and guidance issued by lead security agencies (LSAs)
  • TBS will develop and maintain the GC CSEMP, coordinate regular exercises with all implicated stakeholders and ensure that lessons learned are implemented
  • TBS will review post-mortem and lessons-learned reports from past events and drive changes to security policy or enterprise security reference architectures, as required
  • CCCS-IMOC will maintain GC-wide operational distribution lists and ensure that departments and agencies are continually provided with advice and guidance required to mitigate cyber threats and vulnerabilities in order to prevent the occurrence of cyber security incidents
  • Departments and agencies, including service providers such as SSC, will align departmental plans, processes and procedures with the GC CSEMP, participate in exercises when required and ensure that applicable government-wide lessons learned are implemented at the departmental level
  • Departments and agencies, including service providers such as SSC, will continually maintain a list of their mission-critical information systems

Inputs and outputs for this phase are as follows:

  • Inputs
    • Lessons learned from previous events, mitigation strategies, exercises and test scenarios
    • Ongoing recommendations from LSAs
    • Industry best practices
  • Outputs
    • Implemented lessons learned
    • Updated GC-wide cyber security event management plans, processes, guidelines and tools
    • Exercises, scenarios and tests to validate the effectiveness of the GC CSEMP
    • Updated departmental plans, processes and procedures that align with the GC CSEMP
    • Understanding of critical systems across the GC

4.2 Detection and assessment

Graphic representing the second step of the process, text version below:
Figure Detection and assessment - Text version

This is a repeat of figure 2, with all but the detection and assessment arrow in the colour grey. The Detection and Assessment arrow is highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The detection and assessment phase involves the continuous monitoring of information sources for early indications of emerging cyber security events and the assessment of their impact (potential or actual) on the delivery of services to Canadians, government operations or confidence in government.

The detection portion of this phase is constant for any type of cyber event (threat, vulnerability or security incident) and also covers the initial notification of appropriate stakeholders. Detection occurs as a direct result of monitoring; if the monitoring component is inadequate or incomplete, then the detection process may miss anomalies or events that could impact the GC.

In the detection portion of this phase:

  • Primary and specialized GC CSEMP stakeholders will monitor their respective information sources for precursors of emerging cyber threat or vulnerability events, or indicators of potential or confirmed cyber security incidents, and immediately notify the CCCS-IMOC of any malicious cyber activity that may affect GC information systems. Specifically:
    • CCCS-IMOC will monitor:
      • technical sources and information reported by other stakeholders
      • the GC perimeter and all endpoints for which they have visibility
      • department-operated cloud-based environments, including endpoints or services within their purview
      • government networks and intelligence sources
      • information from domestic and international sources
    • RCMP will monitor information from criminal surveillance sources
    • CSIS will monitor information from intelligence sources
    • DND-CAF will monitor all DND-owned and -operated networks, as well as allied networks (such as NATO) and networks used when deployed on operations
  • Primary and specialized GC CSEMP stakeholders will, upon detection of a cyber event, report cyber security events to applicable organizations, as per subsection 5.1 of this plan
  • Departments and agencies, including service providers such as SSC, will implement the general security controls established under the Policy on Government Security on IT infrastructure for which they are responsible and notify the CCCS-IMOC upon detection of a cyber security event, as per the reporting requirements outlined in subsection 5.2 of this plan
  • Departments and agencies, including service providers such as SSC, will notify appropriate law enforcement or national security authorities when information is received indicating that an event would fall under these particular domains, as per subsection 5.2.3 of this plan

The assessment portion of this phase begins once information has been received that a potential or actual cyber security event may exist. The purpose of the assessment phase is to establish a GC response level and determine whether invocation of GC CSEMP or FERP governance is required.

In the assessment portion of this phase:

  • CCCS-IMOC will establish the initial GC response level, in consultation with TBS-OCIO and other applicable partners, based on a roll-up of departmental information, and invoke the appropriate GC CSEMP governance bodies in accordance with the assessed response level
    • When further information is required to assess GC-wide risk:
      • CCCS-IMOC will leverage, where possible, automated tools to gather information required to support an impact assessment
      • CCCS-IMOC will issue a Request for Action (RFA) to departments and agencies, in consultation and concurrence with TBS-OCIO, to perform a departmental impact assessment
      • Departments and agencies will perform a departmental impact assessment and submit results back to the CCCS-IMOC within the defined time frame

Inputs and outputs for this phase are as follows:

  • Inputs
    • Threat and intelligence reports from GC event management stakeholders or external sources (vendors, open source, etc.)
    • Incident reports from GC event management stakeholders, departmental incident reports or external sources
  • Outputs
    • Departmental and government-wide impact assessment reports
    • Establishment of a GC response level
    • Identification of events that require a coordinated GC-wide response
    • Invocation of GC CSEMP or FERP governance, if required

4.3 Mitigation and recovery

Graphic representing the third step of the process, text version below:
Figure Mitigation and recovery - Text version

This is a repeat of figure 2, with all but the mitigation and recovery arrow in the colour grey. The mitigation and recovery arrow is highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The purpose of the mitigation and recovery phase is to mitigate threat and vulnerability events before they become incidents, or to contain and mitigate the effects of incidents when they occur. Activities in this phase will vary depending on the nature of the event, but could include actions such as the installation of patches, implementation of preventive measures, containment and eradication of a confirmed incident (which may involve investigative analysis), the invocation of business continuity and disaster recovery plans or the temporary shutdown of vulnerable services. Regardless of the type of event, the end goal of the phase is to minimize impacts and ensure the timely restoration of normal operations.

In this phase, for all applicable events (note that the degree of involvement will vary based on the established GC response level):

  • TBS-OCIO will perform strategic coordination, which may include the issuance of strategic direction to departments and agencies on measures to minimize the GC-wide impact of cyber security events (for example, shutting down vulnerable public-facing information systems, invoking disaster recovery plans) (Level 3 events or when warranted by Level 2 events).
  • GOC will perform strategic coordination, which may include the issuance (via TBS-OCIO) of strategic direction to departments and agencies on measures to minimize the GC-wide impact of cyber security events (Level 4 events only).
  • CCCS-IMOC, as a defensive service provider, will perform operational coordination, which includes issuing technical direction and advice to departments and agencies on measures to mitigate or contain impact to departmental systems (for example, patch installation, blocking of IP addresses), and tracking and reporting these measures (all events).
  • All primary and specialized GC CSEMP stakeholders will contribute advice and guidance based on information received from their respective sources.
  • Departments and agencies, including service providers such as SSC, will implement the direction provided by CCCS-IMOC and TBS-OCIO within established timelines (on devices and infrastructure for which they are responsible). Service providers, such as SSC, will liaise with their client departments to coordinate infrastructure patching (all events).

In addition, for confirmed incidents (all Level 3+ and applicable Level 2):

  • CCCS-IMOC will:
    • lead the development of a GC-wide containment plan, in collaboration with GC CSEMP stakeholders
    • leverage its collection capabilities to facilitate a targeted response
    • help implement the prevention or containment plan in their respective areas of responsibility
    • lead forensic examination and analysis (including evidence collection) on IT systems that it supports, in collaboration with affected departments, agencies and applicable LSAs
  • Applicable service providers and affected departments and agencies will help implement the prevention or containment plan in their respective areas of responsibility
  • SSC-NSDS will help identify and report on affected or vulnerable systems to facilitate a targeted approach to mitigation activities, in collaboration with departments and agencies

Inputs and outputs for this phase are as follows:

  • Inputs
    • Incident and situation reports
    • Intelligence information
    • Forensic findings
    • Other considerations (political, legal, and so on)
    • Impact assessment reports
    • Business continuity plans/disaster recovery plans
  • Outputs
    • Response plan
    • Mitigation of threat or vulnerability (when applicable)
    • Containment and eradication of incident (when applicable)
    • Restoration to normal operations
    • Validated end to threat, vulnerability or incident

4.4 Post-event activity

Graphic representing the fourth step of the process, text version below:
Figure Post-event activity - Text version

This is a repeat of figure 2, with all but the post-event activity and feedback arrows in the colour grey. The post-event activity and feedback arrows are highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The post-event activity phase leverages knowledge gained from each cyber security event to ensure the continual improvement of the cyber security event management process and, by extension, the security posture of the GC infrastructure as a whole. The purpose of this phase is to formally close out the cyber security event by conducting a post-event analysis, identifying lessons learned (when applicable) and driving changes to security policy or enterprise security architecture improvements, as required.

The degree of effort and resources allocated to this phase will vary from event to event. Serious events (including confirmed incidents) will require deeper post-event analysis than those that are less serious in nature. Repetitive events may require post-event analysis in aggregate.

In this phase, for applicable events (or upon request):

  • affected departments and agencies will produce their own departmental lessons-learned report and action plan, and contribute to GC-wide post-event activities, as required
  • CCCS-IMOC will collate all departmental findings and produce a post-event report, including a timeline of events and root cause analysis
  • TBS-OCIO will produce a lessons-learned report and action plan on behalf of the GC and monitor implementation of the recommendations (Level 3 events or when warranted by Level 2 events)
  • GOC will produce a lessons-learned report, provide coordination for the production of departmental action plans and monitor the implementation of the recommendations (Level 4 events only)
  • all other GC CSEMP stakeholders will provide information required to support the development of GC-wide lessons-learned reports and assist with implementation of related action items under their particular areas of responsibility

Inputs and outputs for this phase are as follows:

  • Inputs
    • Review of event timeline
    • Review of reporting and communication procedures and timeliness of products
    • Root cause analysis
    • Other relevant input from implicated CSEMP stakeholders
  • Outputs
    • Departmental lessons-learned report
    • GC-level post-event reports
    • GC-wide lessons learned and action plan (if applicable)
    • Recommendations to improve policy instruments or enterprise security architecture

5.0 Reporting and Communication

Graphic representing the fifth step of the process, text version below:
Figure Reporting and Communication - Text version

This is a repeat of figure 2, with all but the GC situational awareness and reporting and communication boxes in the colour grey. The GC situational awareness and reporting and communication boxes are highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

As cyber security events are detected, there is a need for certain GC stakeholders to be informed. These stakeholders may be internal to the GC CSEMP governance structure, external to the GC CSEMP structure but still within the GC (including intradepartmental or employee communications), or external (including media and the Canadian public). Continual (both routine and ad hoc) reporting and communication are vital in the cyber security event management process, ensuring that appropriate stakeholders at all levels of government are provided with the situational awareness required to make decisions and maintain an understanding of potential impact to GC programs and services.

This section will describe the reporting and communications products that will be distributed during the course of the GC event management life cycle, and the specific reporting requirements for departments and agencies.

5.1 Government-wide reporting and communication

At the government-wide level, reporting and communication will be handled as follows:

  • TBS-SCMA will coordinate the development of a communications strategy and develop and publish external communications materials (in accordance with TBS’s Cyber Security Communications Framework, footnote 1) required during the cyber security event management life cycle, in collaboration with CCCS-Comms and PCO-SC (for all events that require external communications or coordinated messaging)
  • affected departments and agencies will develop their own stakeholder, client and public communications products (all events, but with TBS-SCMA and PCO-SC approval for Level 3 and Level 4 events, in accordance with TBS’s Cyber Security Communications Framework, footnote 1)
  • TBS-OCIO will coordinate messaging to the Chief Information Officer (CIO) and Chief Security Officer (CSO) community and disseminate Senior Management Updates as required throughout the cyber security event management process (Level 3 and Level 4 events or when situational awareness is required during Level 2 events)
  • CCCS-IMOC will share government-wide business impact assessment results with the GOC and the Privy Council Office’s Security and Intelligence (PCO-S&I) (Level 2 and Level 3 events)
  • GOC will disseminate FERP governance updates and situational awareness products and briefings as required throughout the cyber security event management process (Level 3 and Level 4 events or when situational awareness is required during Level 2 events)
  • CCCS-IMOC will coordinate messaging to the operational (IT Security) community and disseminate technical information products (cyber flashes, advisories, alerts, and so on), including GC CSEMP response level status and situation reports to implicated stakeholders as required throughout the cyber security event management process (all events), in collaboration with TBS-OCIO and other applicable partners
  • primary and specialized GC CSEMP stakeholders will ensure that appropriate organizations are notified when criminal-, terrorist- or military-related cyber event activity is detected (RCMP, CSIS and DND respectively)
    • CCCS-IMOC will take the lead on reporting to the RCMP, and to CSIS or DND or both, if activity related to their mandates is discovered during the course of managing a GC event

A pictorial representation of the information-sharing flow can be found in Figure 6. Note that information-sharing at lower levels will continue in parallel to higher-level information-sharing.

Figure 6: CSEMP Information-sharing flow
Flow process chart, text version below:
Figure 6 - Text version

Figure 6 identifies the CSEMP information-sharing flow separated by the different GC response levels outlined in Figure 2. Figure 6 applies only to the first three levels of response and does not address information sharing at Level 4 (emergency or crisis response).

  1. Level 1 – Departmental response
    1. CCCS is the central agent in gathering information
    2. CCCS will obtain and provide information to the following sources:
      1. TBS-OCIO
      2. Departments and agencies (IT Security team)
      3. Technical information sources
    3. TBS-OCIO is to receive information only from CCCS
  2. Level 2 – Limited GC-wide response
    1. The Event Coordination team is identified as the central source for information sharing
    2. The Event Coordination team is comprised of the following agents:
      1. TBS-OCIO
      2. CCCS
      3. other CSEMP stakeholders
    3. The Event Coordination team will provide and receive information from the following stakeholders:
      1. Departments and agencies (IT Security team) (through the CCCS)
      2. PCO-S&I (through CCCS)
      3. other CSEMP stakeholders
  3. Level 3 – Comprehensive GC-wide response
    1. Two governance bodies are identified as central sources for information-sharing
    2. The first is the Executive Management team comprised of the following agents:
      1. TBS-OCIO
      2. TBS-SCMA
      3. CCCS
      4. other CSEMP stakeholders
    3. The Executive Management team (through TBS-OCIO) will provide information to departments and agencies (CSO)
    4. The EMT will provide and receive information from CCNSS as a committee
    5. The EMT (through TBS-SCMA) will provide and receive information from Departments and Agencies (comms), PCO-Comms
    6. The EMT (through TBS-OCIO) will inform the second level of governance at the ADM level
    7. The second level of governance consists of:
      1. identified ADM committees
      2. GC CTO
    8. The GC CTO will provide information to departments and agencies at the CIO level

5.1.1 Reporting and communication summary

The tables below summarize the types of reporting and communication that will occur internally in the GC over the course of a cyber security event under the GC CSEMP. Information-sharing between primary and specialized CSEMP stakeholders will occur in accordance with established standard operating procedures. Note that these tables do not describe day-to-day information-sharing that will continue through existing processes or mechanisms.

Table 1A: Reporting and communication summary between primary and specialized CSEMP stakeholders

Type | Sender | Recipient | Timeline to issue
Situational awareness updates (for Level 2+ events) | CCCS-IMOC | TBS-OCIO | As new information becomes available (includes detection, mitigation and general status updates until event close-out)
Cyber security event reporting | RCMP, CSIS, DND-CAF | CCCS-IMOC | Upon detection of a malicious cyber security event related to GC systems
Mandate-specific reporting | Primary and specialized GC CSEMP stakeholders | RCMP | Immediately upon suspicion or detection of a cyber event related to criminal activity
Mandate-specific reporting | Primary and specialized GC CSEMP stakeholders | CSIS | Immediately upon suspicion or detection of a cyber event related to terrorist activity
Mandate-specific reporting | Primary and specialized GC CSEMP stakeholders | DND | Immediately upon suspicion or detection of a cyber event related to national defence
Updates on impacts to the delivery of GC programs and services | CCCS-IMOC | PCO-S&I | As new information becomes available
Situational awareness updates (for Level 2 events only) | CCCS-IMOC | GOC | As new information becomes available (includes detection, mitigation and general status updates until event close-out)
External communications materials | TBS-SCMA | Primary and specialized GC CSEMP stakeholders | As required
Table 1B: Reporting and communication summary from primary and specialized CSEMP stakeholders to departments

Type | Sender | Recipient | Timeline to issue
Departmental incident notification | CCCS-IMOC | Affected department (ITSec team) | Immediately upon notification or detection of a malicious cyber security event
Cyber flashes, alerts, advisories | CCCS-IMOC | All departments (ITSec team) | High+ severity: within 8 hours of disclosure; Medium severity: within 24 hours of disclosure; Low severity: within 72 hours of disclosure
Requests for action (RFAs) | CCCS-IMOC | All departments (ITSec team) | As required (typically for high+ severity vulnerabilities when GC-wide exposure is unknown)
Technical situation reports | CCCS-IMOC | All departments (ITSec team) | Level 2, 3 and 4 events: as required
Senior management updates | TBS-OCIO | All departments (CIOs, CSOs) | Level 2, 3 and 4 events: as required
GC-wide strategic direction to minimize impact of cyber event | TBS-OCIO (via GC CIO) | All departments (CIOs) | Level 4 events: as directed by FERP governance; Level 2 and 3 events: as required
External communications materials | TBS-SCMA | Affected department (Communications team) | As required
All necessary information products | CCCS-IMOC | CCNSS | As required

5.2 Departmental reporting requirements

5.2.1 Threat or vulnerability events

Mandatory departmental reporting on a threat or vulnerability event is required when an RFA is issued by the CCCS-IMOC (as described in subsection 4.2). Timelines for response will vary depending on the nature of the RFA; as such, each RFA will specify the target turnaround time for response. Response times specified will typically range from 24 to 48 hours, depending on the nature of the event.

RFAs will always be sent to the generic departmental IT Security Operations mailbox. Departments need to ensure that this mailbox is monitored, with procedures in place to respond to these RFAs in a timely fashion.

5.2.2 Incidents

All cyber security incidents within the scope of this document (see subsection 2.3) will be reported to the CCCS-IMOC in accordance with Table 2. Reporting mechanisms and timelines for reporting will vary based on the departmental impact level, calculated by using the process outlined in Appendix B. CCCS-IMOC will ensure appropriate storage of these incident reports and will share only information related to detection or mitigation techniques (for example, indicators of compromise, identification of malicious sites) with other departments and agencies. Sensitive department-specific information will not be shared GC-wide.

Table 2: Incident reporting requirements

Impact level | Initial incident report | Detailed incident report | Lessons learned report | Incident rollup summary
High or very high | As soon as possible after detection | Within 24 hours after detection | Within 30 days after resolution | Quarterly
Medium | Within 1 hour after detection | Within 48 hours after detection | Within 30 days after resolution | Quarterly
Low | n/a | n/a | n/a | Quarterly

5.2.3 Reporting examples

The CCCS-IMOC is the central repository for cyber security event reporting in the GC. While minor infractions may be dealt with at the departmental level, the majority of cyber security events must be reported to the CCCS-IMOC in a timely fashion. The following examples, while not a complete list, can be used as a guide for types of events that should be reported:

  • suspicious or targeted emails with attachments or links that were not detected by existing security controls
  • suspicious or unauthorized network activity that represents a deviation from baseline
  • data breaches or compromise or corruption of information
  • intentional or accidental introduction of malware to a network
  • denial-of-service attacks
  • web or online presence defacement or compromise (including unauthorized use of GC social media accounts)

Consideration should also be given to whether events may impact other GC organizations. If in doubt, it is better to over-report than under-report.

5.2.4 Other

If there is reasonable evidence of suspected criminal activity under the Criminal Code, in addition to standard reporting to the CCCS-IMOC, departments and agencies will report directly to the RCMP or Military Police, as applicable.

Departments will also report to the CCCS-IMOC upon the realization that a cyber security event may require additional assistance in the mitigation and recovery phase (for example, aid from the CCCS-IMOC, RCMP, SSC-NSDS, service providers) or if they are unable to implement given direction within the provided timeframe.

Departments and agencies providing services to other GC organizations are also responsible for notifying affected service recipients (in addition to their regular reporting to the CCCS-IMOC) of any cyber security events that impact recipient information or service delivery.

Communications teams from affected departments and agencies will coordinate the development of stakeholder, client and public communications products with TBS-SCMA, in accordance with TBS’s Cyber Security Communications Framework (footnote 1).

In the event of any real or suspected privacy breach, departments and agencies will respond in accordance with the Directive on Privacy Practices. Departments and agencies should apprise themselves of TBS Guidelines for Privacy Breaches and the Privacy Breach Management Toolkit. These privacy instruments identify causes of privacy breaches, provide guidance on how to respond, contain and manage privacy breaches, delineate roles and responsibilities, and include links to relevant supporting documentation. Departments and agencies should consult legal counsel as needed.

5.3 Secure communications

During the cyber security event management life cycle (specifically, during the detection and assessment or mitigation and recovery phases), it frequently becomes necessary for key stakeholders to share information with one another. When this information becomes sensitive in nature (for example, specifics related to vulnerable IT systems, details about data exfiltration), secure communications methods must be used to transmit this information between stakeholders.

As such, all stakeholders need to be prepared to send and receive sensitive information. Such preparation includes ensuring that available secure communications tools (in other words, secure data and voice infrastructure) are in working order, with procedures in place and personnel trained for their use. Stakeholders not equipped with sufficient tools will ensure that alternative manual processes are in place to send and receive this information, recognizing that these manual processes may delay receipt.

Appendix A: Roles and Responsibilities

This appendix describes roles and responsibilities of GC CSEMP stakeholders. Roles and responsibilities will vary depending on the type of event (threat versus vulnerability versus security incident) and its priority level.

1.  Primary GC Cyber Security Event Management stakeholders

The following is a list of primary stakeholders in the GC cyber security event management process that will be engaged in all events that meet the appropriate trigger criteria (including potential threats and vulnerabilities, and confirmed incidents). The degree of involvement from each stakeholder will vary based on the impact or severity of the event.

Treasury Board of Canada Secretariat

Treasury Board of Canada Secretariat (TBS) provides strategic oversight and direction in the GC cyber security event management process, ensuring that events are effectively coordinated in order to support decision-making and minimize potential impacts and losses to the GC.
In the context of this plan, TBS’s strategic oversight responsibilities, via its Office of the Chief Information Officer (OCIO), include:

  • establishing, maintaining and testing the GC CSEMP and related procedures
  • ensuring strategic coordination of the GC response to priority cyber security events (typically Level 3 events or, when warranted, Level 2 events), which includes:
    • the role of co-chair and secretariat for all GC CSEMP governance teams (including escalation and de-escalation decisions in coordination with CCCS-IMOC)
    • assessment of government-wide program and service impact of cyber threats, vulnerabilities and security incidents to support government-wide reporting and prioritization (assessed in collaboration with CCCS-IMOC and other applicable partners)
    • issuance of direction (via the GC CIO) to departments and agencies on measures to minimize the GC-wide impact of significant cyber security events
  • providing strategic advice to the Director General (DG) Event Response Committee (ERC) during Level 4 cyber security events
  • ensuring that TBS’s Strategic Communications and Ministerial Affairs (SCMA) team is provided with timely information required to develop communications products
  • analyzing post-event reports from CCCS-IMOC and conducting GC-wide lessons-learned exercises (when warranted) to drive security policy or enterprise security architecture related improvements

TBS-SCMA has a role in this plan regarding strategic communication, typically for Level 3 events (or when warranted by events at other levels). As the designated spokesperson on behalf of the GC for any cyber security event affecting government program and service delivery, TBS-SCMA is responsible for:

  • developing internal (GC-wide) and external communications materials related to all phases of cyber security event management, in collaboration with the Communications Security Establishment’s (CSE’s) Communications and the Privy Council Office’s (PCO’s) Strategic Communications, and in consultation with communications teams from implicated CSEMP stakeholders
  • determining the necessity and timing of public statements (proactive and reactive)
  • approving all communications plans (internal, stakeholder, client and public), in collaboration with affected organizations and PCO’s Strategic Communications

Communications Security Establishment

Communications Security Establishment houses the Canadian Centre for Cyber Security (CCCS). It has several roles in relation to GC cyber security event management.

Coordination

Incident Management and Operational Coordination (IMOC) coordinates all operational phases of event management for cyber security events that have impacted or could impact the GC. Coordination includes:

  • monitoring the GC perimeter and all endpoints for which they have visibility, responding to cyber security events and implementing preventive and mitigation measures, as required
  • acting as the central cyber operational contact in the GC, both for distributing technical information products and for collecting event-related reports from GC organizations
  • ensuring operational coordination of the GC’s response to all cyber security events, including:
    • monitoring technical information sources (including LSAs, affected departments and agencies, vendors) for precursors of cyber threat or vulnerability events or indicators of potential or confirmed cyber security incidents
    • issuing day-to-day security information products that contain technical advice for mitigating cyber threats (for example, alerts, advisories) and requests for action to departments and agencies
    • collating, tracking and reporting departments’ reports on and responses to events and implementing technical mitigation measures
    • assessing the government-wide impact of cyber threats, vulnerabilities and security incidents on programs and services to support government-wide reporting and prioritization (assessed in collaboration with TBS-OCIO and other applicable partners)
    • coordinating prevention, mitigation and recovery efforts, including providing timely situational awareness updates to other GC CSEMP stakeholders
    • co-chairing all GC CSEMP governance teams (including escalating and de-escalating decisions, in consultation with TBS)
  • producing post-event reports that include a timeline of events and an analysis of root causes (based on departments’ analyses and reports on lessons learned), and submitting them to TBS-OCIO and other relevant organizations, as required (for example, PCO)
  • communicating with TBS-OCIO throughout the cyber security event management life cycle
  • verifying close-out of events and notifying appropriate CSEMP stakeholders
  • sharing cyber intelligence related to investigations and providing situational awareness related to cyber threats, vulnerabilities and attack techniques

Other services the CCCS offers to help departments and agencies recover from cyber security events and return to normal operations include but are not limited to:

  • forensic examination and analysis (including evidence collection and investigation support)
  • vulnerability analysis and response
  • malware analysis and response

Usually, the CCCS manages delivery of these services, but prioritization may be recommended via the CSEMP governance structure when warranted.

Technical advisory capacity

CCCS also develops, provides and operates capabilities and tools for managing cyber security events, and provides technical advice on the GC CSEMP. Its role in this involves:

  • detecting, blocking or mitigating cyber threat activities that target GC networks or information
  • providing reports and other information products to other key CSEMP stakeholders
  • supporting the identification, risk assessment, mitigation, recovery and post-analysis of cyber security events in the GC
  • providing situational awareness of cyber security events (on GC systems that are Secret or below) to CCNSS

National coordination centre

CCCS is Canada’s national coordination centre for preventing, mitigating, preparing for, responding to and recovering from cyber security events.

CCCS-Partnerships works with domestic and international partners to address significant cyber security concerns. Partners include critical infrastructure organizations and provincial, territorial and municipal governments. In the context of this plan, CCCS is responsible for sharing:

  • cyber threat, vulnerability and incident information and warnings received from domestic and international partners with the GOC
  • unclassified information from GC partners (threats, vulnerabilities, indicators, and so on) with domestic and international partners
  • information on the potential scope and impact of a given event from the perspective of Canadian critical infrastructure owners and operators, in order to ensure a comprehensive understanding of impacts that do not directly affect GC systems but that do affect the GC interest

Communications

During significant cyber events, CSE’s Communications (Comms) team also plays a role. In the context of this plan, CSE-Comms is responsible for assisting TBS-SCMA by coordinating all federal public communications-related efforts during a cyber security event.

2. Specialized GC Cyber Security Event Management stakeholders

The following is a list of specialized stakeholders in the GC cyber security event management process that will be engaged for confirmed cyber security incidents or threat events that require specialized attention related to their particular mandates.

Shared Services Canada

Shared Services Canada (SSC) is responsible for the network infrastructure for 43 partners, for providing services to other GC departments and agencies and for managing the perimeter using gateways and secret infrastructure.

If a cyber security event occurs, SSC will coordinate with partners to determine whether any infrastructure it manages has to be shut down or be isolated from the network and will respond to recommendations from CCCS-IMOC and direction from TBS-OCIO.

SSC also develops, provides and operates capabilities and tools for preventive defence of network infrastructure for the 43 partners. In the context of this plan, SSC is responsible for:

  • blocking and mitigating cyber threat activities targeting SSC-managed networks or information
  • responding to CCCS-IMOC and TBS-OCIO recommendations, and ensuring that updates and mitigating measures are applied in a timely manner
  • implementing prevention, mitigation and recovery efforts, including timely situational awareness updates to key GC CSEMP stakeholders
  • providing reporting and other information products to key CSEMP stakeholders
  • supporting the identification, risk assessment, mitigation, recovery and post-analysis of cyber security events within the GC
  • assessing government-wide program and service impact of cyber threats, vulnerabilities and security incidents to support government-wide reporting, to be submitted to TBS-OCIO and CCCS-IMOC
  • producing post-event reports, including timeline of events and root cause analysis and submitting to CCCS-IMOC, TBS-OCIO and other relevant organizations, as required (for example, PCO)

Public Safety Canada

Public Safety Canada leads national cyber security policy and strategy by, for example, coordinating the overall response to significant national cyber events through the GOC.

Royal Canadian Mounted Police

The Royal Canadian Mounted Police (RCMP) is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin on the GC IT infrastructure.

In the context of this plan, the RCMP is responsible for:

  • leading the criminal investigation on cyber security incidents linked to non-state criminal activity (including criminal investigations involving terrorist activity)
  • participating on GC CSEMP governance teams in an advice and guidance capacity, when warranted by a particular cyber security incident or threat event

Canadian Security Intelligence Service

The Canadian Security Intelligence Service (CSIS) is the primary department responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists.

In the context of this plan, CSIS is responsible for:

  • leading the investigation on cyber security incidents that constitute a threat to the security of Canada, as defined by the CSIS Act (including terrorism and espionage)
  • participating on GC CSEMP governance teams in an advice and guidance capacity, when warranted by a particular cyber security incident or threat event

National Defence/Canadian Armed Forces

National Defence/Canadian Armed Forces (DND-CAF) is the primary department responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems. In the context of this plan, DND-CAF is responsible for:

  • leading the investigation on any cyber incidents (foreign or domestic) linked to activities directed against military systems (systems directly supporting military operational theatres and weapon systems)
  • potentially providing additional support and assistance to other government departments, if tasked
  • participating on GC CSEMP governance teams in an advice and guidance capacity, when warranted by a particular cyber security incident or threat event

3. Other stakeholders

Government of Canada Chief Information Officer

The Government of Canada Chief Information Officer (GC CIO) represents whole-of-government interests during cyber security events that affect or may affect the delivery of programs and services, addressing topics that include overall GC response to cyber security events and enterprise-level actions taken to protect GC information systems. In the context of this plan, the GC CIO is responsible for:

  • executing cyber security risk management decisions by acting on mandatory direction to departments in response to cyber security events (for example, implementing security controls and disconnecting systems that put the GC at risk, when warranted)
  • briefing the Associate DM’s Office and higher as required in addition to advising Assistant Deputy Minister Committees on event-related issues, such as security and operations of GC IT systems and networks, service delivery and confidence in government
  • chairing a committee of departmental CIOs through the CIO Council; through this Council, the GC CIO may issue direction to departmental CIOs regarding cyber security event management activities, specifically around mitigation and recovery related activities

Government Operations Centre

The Government Operations Centre (GOC), on behalf of the GC, leads and supports response coordination of any type of event affecting the national interest; its role is not restricted to cyber events. It provides 24/7 monitoring and reporting, national-level situational awareness, warning products and integrated risk assessments, as well as national-level planning and whole-of-government response management. During periods of heightened response, the GOC is augmented by staff from other organizations (both government and non-government) that physically work in the GOC or connect to it virtually.

In the context of this plan, the GOC is responsible for:

  • monitoring Level 3 cyber security events for potential escalation, which includes:
    • providing warning and situational awareness products to operations centres across government
    • conducting risk assessments and planning
    • briefing the FERP governance
  • coordinating the overall GC response during Level 4 events, in accordance with the FERP

Privy Council Office

As the hub of non-partisan advice to the Prime Minister and Cabinet, PCO, in its role as a central agency, helps to clearly articulate and implement the GC’s policy agenda and to coordinate timely responses to issues facing the GC that are of national, intergovernmental and international importance. In that respect, PCO’s Security and Intelligence (S&I) team has a leading role in the coordination of government-wide response to national security emergencies. In the context of this plan, PCO-S&I is responsible for:

  • supporting the GC decision-making process by ensuring that senior officials are apprised in a timely manner of cyber security incidents that may be of national importance or may have national security implications
  • participating on GC CSEMP governance teams in an advice and guidance capacity, when warranted by a particular national incident or threat event

From a communications perspective, PCO’s Strategic Communications (SC) team also plays a role during significant cyber events. In the context of this plan, PCO-SC is responsible for providing communications advice to Cabinet and senior officials of the PCO and coordinating government-wide communications, in collaboration with PS-Comms and CSE-Comms, including crisis management, during a cyber security event.

Canadian Committee on National Security Systems

The Canadian Committee on National Security Systems (CCNSS), chaired by CCCS’s Deputy Chief, develops and provides governance of an enterprise approach to securing those GC systems requiring the highest level of assurance, known as National Security Systems. CCNSS leads a parallel EMP applying to all GC National Security Systems and can offer visibility to GC CSEMP governance bodies on situations that may also impact non-National Security Systems. Such situations may also arise in the GC CSEMP context; CCNSS, therefore, benefits from a bidirectional triage bridge at the executive level and is a client of certain types of GC CSEMP alerts.

Director General Event Response Committee

The Director General Event Response Committee (DG ERC) is a federal committee of directors general who manage operational response efforts and who direct, support and improve response planning and coordination for events affecting the national interest. In the context of this plan, the DG ERC becomes the GC CSEMP interface into the FERP governance structure during Level 4 events, liaising with ADM, DM and Cabinet Committees as required.

External partners

Departments and agencies often rely on various partners external to the GC to support program and service delivery, including private sector suppliers and other levels of government. External partners are required to manage and report on cyber events in accordance with the stipulations outlined in their respective contractual agreements with departmental service owners.

4. Departments and agencies

Departments and agencies play a key role in GC-wide cyber security event management, whether directly affected by an event or not. Detailed departmental roles and responsibilities related to security event management can be found in departmental governance, plans and procedures that are developed to support the implementation of the PGS and related directives and standards.

In the context of this plan, all departments and agencies are responsible for:

  • reporting cyber security events as per section 5.2 of this plan
  • monitoring CCCS-IMOC technical information products and assessing their applicability to department-owned and -managed information systems
  • assessing departmental program and service impact of cyber threats, vulnerabilities and security incidents
  • responding to CCCS-IMOC Requests for Action (RFAs) in accordance with specified timelines
  • implementing mitigations based on direction and guidance issued by LSAs or central agencies
  • notifying the CCCS-IMOC if additional assistance is required to perform event response–related activities
  • notifying appropriate law enforcement or national security authorities when an event falls under these domains
  • participating on GC CSEMP governance teams when requested by a co-chair (typically when affected by a cyber security event)
  • following appropriate protocols upon occurrence of a privacy breach
  • conducting post-event analysis and preparing departmental lessons-learned reports (for applicable events) and submitting them to the CCCS-IMOC
  • developing and disseminating applicable stakeholder and client management communications products (in consultation with or under the direction of TBS-SCMA and PCO-SC, as required)
  • ensuring that management and reporting requirements related to cyber security events are clearly stipulated in contracts, memoranda of understanding or other formal arrangements with external partners (for example, private sector suppliers and other levels of government) and that these address the requirements established in applicable GC and departmental policy instruments including, but not limited to, this plan
  • developing, maintaining and testing departmental cyber security event management plans and processes, and ensuring alignment with GC-wide direction, plans and processes
  • maintaining an up-to-date inventory of mission-critical information systems and understanding of information holdings in order to facilitate event response and prioritization
  • continually maintaining and improving their departmental event response capability, including, but not limited to, implementing lessons learned (GC-wide and departmental), regularly exercising departmental plans and procedures, maintaining departmental contact lists, and training appropriate cyber security response personnel

Departments and agencies providing services to other GC organizations are responsible for establishing mechanisms to inform service recipients of cyber security events that impact their systems or information. Service providers are also responsible for providing service recipients with the information necessary to support GC CSEMP reporting requirements outlined in subsection 5.2 of this plan (specifically, to support the completion of incident reports and responses to RFAs) in a timely fashion, as well as any other digital evidence required to support departmental mitigation, recovery and post event activities.

Appendix B: Event Impact Assessment (Departmental)

The purpose of this appendix is to outline the high-level process used to assess impact related to a cyber security event. The end result of this process is the establishment of a departmental cyber security event impact level that will be used to determine an event response level for the GC as a whole.

Assessment of impact for all cyber security events (threats, vulnerabilities and confirmed incidents) begins with an injury test to measure the degree of injury that could reasonably be expected to occur due to a compromise (see Step 1). For confirmed cyber security incidents, the result of this injury test represents the departmental impact of the incident, as injury has been confirmed, and no further steps are required.

For cyber threat and vulnerability events, an additional step is required to determine the probability of injury occurrence in order to obtain a more accurate representation of potential departmental impact (see Step 2).

Step 1 (for all cyber security events): Injury test

The injury test, performed using Table 3, is based on severity and scope of the injury that could reasonably be expected to occur.

Severity: The severity of the injury refers to the level of harm, damage or loss (for example, from physical injury to loss of life, from minor financial losses to loss of financial viability, from minor inconvenience to significant hardship). The severity of the injury may be characterized as limited, serious or severe, based on an assessment of the following types of injury:

  • harm to the health and safety of individuals
  • financial losses or economic hardship
  • impacts to government programs and services
  • loss of civil order or national sovereignty
  • damage to reputations or relationships

Other factors specific to a departmental or agency mandate or operational context may also be considered.

Scope: The scope of injury refers to the number of people, organizations, facilities or systems impacted, the geographical area affected (for example, localized or widespread), or duration of the injury (for example, short term or long term). The scope of injury can be characterized as:

  • Wide: widespread; national or international; multiple countries or jurisdictions; major government programs or sectors
  • Medium: jurisdiction, business sector, government program; group or community
  • Narrow: individual, small business
Table 3: Injury test

                        Scope
Severity     Narrow     Medium     Wide
Severe       Medium     High       Very high
Serious      Low        Medium     High
Limited      Low        Low        Medium

Departmental impact level: [Injury test result]

Table 4 can be consulted to analyze potential expected results of a compromise and validate the outcome of the initial injury test. Once confirmed, this value can be entered in the incident report and submitted to the CCCS-IMOC.

Table 4: Expected results of compromise
Impact level: expected results of compromise
Very high
  • Widespread loss of life
  • Major long-term damage to the Canadian economy
  • Severe impediment to national security (e.g. compromising capabilities of Canadian Forces or national intelligence operations)
  • Severe damage to diplomatic or international relations
  • Long-term loss of public confidence in the GC that disrupts the stability of government
High
  • Severe injury or loss of life to a group of individuals, or widespread serious injury
  • Serious financial loss that impedes the Canadian economy, compromises the viability of a GC program or reduces international competitiveness
  • Serious impediment to one or more mission-critical programs/services or impediment to national security
  • Serious damage to international relations that could result in a formal protest or sanction
  • Long-term loss of public confidence in the GC that disrupts a priority objective of the government
Medium
  • Threat to the life or safety of an individual, or serious injury to a group of individuals
  • Financial loss that affects performance across a sector of the economy, affects GC program outcomes or affects the well-being of a large number of Canadians
  • Serious impediment to public-facing programs/services or departmental operations, jeopardizing program objectives
  • Damage to federal-provincial relations
  • Serious loss of public trust or confidence in the GC or embarrassment to the GC
Low
  • Physical or psychological harm to an individual
  • Financial stress or hardship to an individual
  • Impediment to departmental operations that could have a limited impact on program effectiveness
  • Harm to the reputation of an individual or business
  • Minor loss of public trust or confidence in the GC

Step 2 (for cyber threat and vulnerability events only): Risk assessment

Unlike cyber security incidents, where injury has been realized, injury is still in a potential state for cyber threat and vulnerability events. As such, in order to establish an accurate potential impact level, a risk assessment must be conducted (using Table 5) to determine the probability of occurrence for the injury. Using the results of the injury test performed in Step 1 (in other words, expected injury), a risk-modified departmental impact level is determined based on factors such as intelligence indicators (likelihood of compromise), exploitability, exposure of affected information systems, and implementation of compensating controls.

Table 5: Risk assessment

Exposure levels:

  • Low exposure:
    • Low likelihood that threat will target GC
    • Vulnerability very difficult to exploit
    • Vulnerable systems are not directly exposed (e.g. stand-alone systems)
    • Existing security controls effectively counter threat or vulnerability
  • Medium exposure:
    • Medium likelihood that threat will target GC
    • Vulnerability exploitable with significant resources
    • Vulnerable systems are visible to one department only (for example, on its intranet)
    • Existing security controls partially counter threat or vulnerability
  • High exposure:
    • High likelihood that threat will target GC
    • Vulnerability exploitable with moderate resources
    • Vulnerable systems are visible to many departments (for example, GC extranet)
    • Existing security controls provide limited protection against threat or vulnerability
  • Very high exposure:
    • Threat or compromise imminent
    • Vulnerability easily exploitable with limited resources
    • Vulnerable systems are highly exposed (for example, Internet-facing)
    • Existing security controls do not provide protection against threat or vulnerability

Risk matrix:

Impact level                                     Exposure
(as per injury test in Step 1)     Low        Medium     High       Very high
Very high                          High       High       High       Very high
High                               Medium     Medium     High       High
Medium                             Low        Medium     Medium     Medium
Low                                Low        Low        Low        Low

Risk-modified departmental impact level: [Risk assessment result]

This risk-modified departmental impact level is to be reported to the CCCS-IMOC (when requested via an RFA) for consumption at the GC-wide level.

Cyber threat or vulnerability events are to be classified as cyber security incidents as soon as injury is realized. When injury moves from a potential state to a realized state, the injury tests in this appendix will require re-evaluation and resubmission to the CCCS-IMOC to determine whether changes to event response or further escalation are required.

Appendix C: Response Level Calculation Matrix (GC-Wide)

Using the collated results of departmental impact assessments returned to the CCCS-IMOC, the GC response level is calculated based on the urgency of the cyber security event across the GC (using Table 6).

Table 6: GC response levels

GC urgency levels:

  • Low urgency:
    • Affects one internal GC program or service
    • Unlikely to propagate further
  • Medium urgency:
    • Affects one external or several internal GC programs or services
    • Potential for broader propagation
  • High urgency:
    • Affects multiple GC internal or external programs or services
    • Broader propagation imminent or confirmed

Response level matrix:

Departmental impact level                      GC urgency
(as per Appendix B)                Low         Medium      High
Very high                          Level 3     Level 3     Level 4
High                               Level 2     Level 2     Level 3
Medium                             Level 1     Level 2     Level 2
Low                                Level 1     Level 1     Level 1

GC response level: [Calculated GC response level]

The GC response level calculation matrix is to be used as a guideline. There may be other externalities or escalating factors that need to be considered when establishing a GC response level. As such, TBS-OCIO reserves the right to adjust the overall GC response level based on the context of any given cyber event scenario.
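The three-step calculation described in Appendices B and C (injury test, risk modification for threats and vulnerabilities, then the GC-wide response level), as an added example that is not part of the plan: Tables 3, 5 and 6 are transcribed into a small triage calculator so that departmental and GC-wide levels are derived consistently and can be recorded with the inputs that produced them. The collation rule (the highest risk-modified departmental impact drives the GC-wide level), the department names, the event type labels and the scenario values are assumptions made for this example.

```python
"""Triage calculator for GC CSEMP Appendices B and C (added example, not the plan's own tooling)."""
from dataclasses import dataclass
from typing import Iterable, Literal, Optional

Severity = Literal["limited", "serious", "severe"]
Scope = Literal["narrow", "medium", "wide"]
Impact = Literal["low", "medium", "high", "very high"]
Exposure = Literal["low", "medium", "high", "very high"]
Urgency = Literal["low", "medium", "high"]
EventType = Literal["incident", "threat", "vulnerability"]  # labels assumed for this example

# Table 3: injury test (severity x scope -> departmental impact level)
INJURY_TEST = {
    "severe":  {"narrow": "medium", "medium": "high",   "wide": "very high"},
    "serious": {"narrow": "low",    "medium": "medium", "wide": "high"},
    "limited": {"narrow": "low",    "medium": "low",    "wide": "medium"},
}

# Table 5: risk assessment (expected impact x exposure -> risk-modified impact)
RISK_ASSESSMENT = {
    "very high": {"low": "high",   "medium": "high",   "high": "high",   "very high": "very high"},
    "high":      {"low": "medium", "medium": "medium", "high": "high",   "very high": "high"},
    "medium":    {"low": "low",    "medium": "medium", "high": "medium", "very high": "medium"},
    "low":       {"low": "low",    "medium": "low",    "high": "low",    "very high": "low"},
}

# Table 6: GC response level (departmental impact x GC urgency -> Level 1..4)
RESPONSE_LEVEL = {
    "very high": {"low": 3, "medium": 3, "high": 4},
    "high":      {"low": 2, "medium": 2, "high": 3},
    "medium":    {"low": 1, "medium": 2, "high": 2},
    "low":       {"low": 1, "medium": 1, "high": 1},
}

IMPACT_ORDER = ["low", "medium", "high", "very high"]


@dataclass(frozen=True)
class DepartmentalAssessment:
    """One department's inputs for an event (what it would report to CCCS-IMOC)."""
    department: str
    event_type: EventType
    severity: Severity
    scope: Scope
    exposure: Optional[Exposure] = None  # needed for threat and vulnerability events only

    def injury_test(self) -> Impact:
        """Step 1 (all events): Table 3 lookup on severity and scope."""
        return INJURY_TEST[self.severity][self.scope]

    def departmental_impact(self) -> Impact:
        """Incidents: injury is realized, so the Step 1 result stands.
        Threats and vulnerabilities: Step 2 (Table 5) modifies it by exposure."""
        expected = self.injury_test()
        if self.event_type == "incident":
            return expected
        if self.exposure is None:
            raise ValueError(f"{self.department}: exposure is required for {self.event_type} events")
        return RISK_ASSESSMENT[expected][self.exposure]

    def realized(self) -> "DepartmentalAssessment":
        """Re-classify a threat/vulnerability as an incident once injury is realized
        (Appendix B, last paragraph); the expected injury is carried forward for re-evaluation."""
        return DepartmentalAssessment(self.department, "incident", self.severity, self.scope)


def gc_response_level(assessments: Iterable[DepartmentalAssessment], urgency: Urgency) -> int:
    """Appendix C: collate departmental impact levels and apply Table 6.
    Assumption (not stated in the plan): the highest reported departmental impact drives the GC level."""
    impacts = [a.departmental_impact() for a in assessments]
    if not impacts:
        raise ValueError("no departmental assessments collated")
    highest = max(impacts, key=IMPACT_ORDER.index)
    return RESPONSE_LEVEL[highest][urgency]


if __name__ == "__main__":
    # Constructed scenario: a threat of severe, wide injury against a stand-alone system,
    # reported alongside a vulnerability of limited, narrow injury on an Internet-facing system.
    threat = DepartmentalAssessment("Dept A (constructed)", "threat", "severe", "wide", exposure="low")
    vuln = DepartmentalAssessment("Dept B (constructed)", "vulnerability", "limited", "narrow", exposure="very high")
    print(threat.departmental_impact(), vuln.departmental_impact())          # high low
    print("GC level while potential:", gc_response_level([threat, vuln], "high"))     # 3
    print("GC level once realized:", gc_response_level([threat.realized(), vuln], "high"))  # 4
```

Running the scenario shows why the plan requires re-evaluation when injury is realized: the same event moves from Level 3 to Level 4 once Step 2 no longer applies.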

© Her Majesty the Queen in Right of Canada, represented by the President of the Treasury Board, 2018,
ISBN: 978-0-660-24005-3
