GC Information Technology Incident Management Plan
1 Effective Date
This plan takes effect on May 10, 2012. It replaces the 2009 Government of Canada Information Technology Incident Management Plan (GC IT IMP). The GC IT IMP will be reviewed on a yearly basis and modified as appropriate.
2.1 This Plan is prepared under the authorities delegated to the Treasury Board of Canada Secretariat under the Financial Administration Act and the associated Policy on Government Security; department mandates; as well as the delegated authorities of the Minister of Public Safety under the Emergency Management Act.
2.2 This Plan applies to all federal institutions subject to the Policy on Government Security and addresses:
- Threats, vulnerabilities, and incidents within an IT environment that affect or may affect service to Canadians, government operations, security or privacy of information or confidence in government;
- Incidents within an IT environment requiring an integrated GC response;
- Networks classified secret and below.
2.3 This plan does not address the coordination of national and international cyber incidents with other forms of crisis and emergency management.
2.4 This version of the plan requires departments to report IT incidents to the Government of Canada Cyber Threat Evaluation Center (GC CTEC) at the Communications Security Establishment Canada (CSEC) until such time as Shared Services Canada (SSC) is ready to assume the role of the Government of Canada Computer Incident Response Team (GC CIRT).
2.5 The following IT incident management departmental operating procedures will be provided to Treasury Board Secretariat (TBS) for inclusion in appendices to this document: Public Safety (PS), Communications Security Establishment Canada (CSEC), Canadian Security Intelligence Service (CSIS), Royal Canadian Mounted Police (RCMP), Treasury Board Secretariat (TBS), Shared Services Canada (SSC) and Department of National Defence (DND).
The occurrence of Information Technology (IT) incidents involving Government of Canada (GC) networks and infrastructure can have a significant impact on government operations, services delivered to Canadians and, consequently, confidence in government. The ability to detect and respond to incidents in a coordinated and consistent fashion, across the GC, is essential to maintaining government operations and services and to ensure the confidentiality, integrity and availability of the Government's information and IT assets.
The Government of Canada Information Technology Incident Management Plan (GC IT IMP) provides an operational framework for the management of IT security incidents and events that could have or have had an impact on the GC computer networks.
- Enhanced situational awareness across the GC;
- Improved coordination and incident management planning within the GC;
- Timely resolution of incidents that affect GC services and operations;
- Informed decision making and associated incident mitigation and response;
- A shared sense of responsibility and partnership among the GC IT and Information Technology Security (ITS) communities;
- Improved shared GC knowledge and expertise;
- Enhanced Canadian public confidence in the GC.
The following assumptions were made during the development of this Plan:
- All organizations have incident management processes / plans and business continuity plans (BCP) in place as established under the Policy on Government Security;
- Current departmental mandates and responsibilities will be respected;
- IT security incidents related to the disclosure of personal information or private communications will follow established privacy procedures;
- In addition if the incident is considered a crime, particulars should be reported directly to the Royal Canadian Mounted Police or Military Police as applicable, and if considered of national security importance, details will be reported directly to the Canadian Security Intelligence Service.
4 Governance Model
During a serious incident, the timely engagement of senior government officials is key to a strong and effective response. The governance model of the GC IT IMP identifies the senior management committees and officials who will be engaged when severity and trigger criteria are met.
Guidance provided by the committees and officials of the GC IT IMP governance structure will cover both short- and long-term activities for more serious incidents. Short-term activities are event-driven and are carried out during the mitigation of a threat or vulnerability or the response to or recovery from an incident. These activities require a prompt and coherent response. Longer-term activities involve post incident analysis and lessons learned, which will allow the Assistant Deputy Minister Security Committee (ADM Security) and / or Assistant Deputy Minister National Security (ADM NS) along with the Chief Information Officer Council (CIOC) to provide longer-term strategic leadership, direction, and governance related to security and IT respectively.
The engagement of the following committees and officials will be based on the circumstances and gravity of each situation.
Figure 1: Governance Structure
5 Incident Management Process
The incident management process will consist of the following five defined stages (see Figure 2): the stages "preparation" and "identification" are integral components to an effective incident management plan that must be in place and kept up to date to be properly prepared for managing an incident. The other three stages, "response", "recovery" and "post incident analysis" will be the focus of the governing structure.
Figure 2: Stages of Incident Management Process
The responsibilities of departments related to incident management process are documented for each of the stages in the following sections. A summary of departmental responsibilities for all stages of the incident management process is summarized in appendix B.
The preparation stage involves incident handling planning and training activities designed to provide adequate capabilities to prevent and detect incidents.
As a minimum, Departments will:
- Develop and practice incident handling planning and training activities and exercises to enable identification and effective response
- Ensure the response plan and communications procedures are well known and easily accessible to all IT personnel, and reviewed and updated (as required) both periodically and following an incident.
- Identify their critical systems (Business and Operations) to better identify injury and impact levels when reporting an event or incident.
- Integrate the processes of the GC IT IMP into their departmental Security, Business Continuity, IT contingency plans and Departmental Security Plan (DSP).
- Ensure awareness and response training is available to all employees commensurate with, the current and emergent threat landscape.
- Ensure provision of appropriate training and awareness of incident identification, incident management policy, and procedures to IT staff, so that all individuals involved understand their role and responsibilities related to incidents.
- Ensure that standard measures are defined in advance for rapid implementation as required.
- Monitor and manage software, hardware and firmware configurations including versions numbers and patch level in a departmental database to ensure that departments are able to identify vulnerabilities and act accordingly.
- Take reasonable measures to ensure the preservation and protection of evidence (see Appendix C).
The identification stage consists of the detection of an event suspected of being a cyber security incident, advising Information Technology representatives for the affected systems (who will perform the initial assessment to determine if it is an actual incident), and determining the impact, severity, and probable cause of the suspected incident.
As a minimum, Departments will:
- Carry out monitoring and intrusion detection activities (e.g. track and analyze threats, vulnerabilities, events via logs from various sources such as firewalls or Intrusion Detection Systems (IDS), which may affect departmental IT systems) as per the Standard on the Management of Information Technology Security (MITS). This should also include a proactive vulnerability management process using standard frameworks such as The National Institute of Standards and Technology's (NIST) Common Vulnerability Scoring System (CVSS);
- Monitor information coming from GC CIRT or Government of Canada Cyber Threat Evaluation Centre (GC CTEC) (e.g. GC status reports, requests for information —(RFI), GC incident reports, GC incident situation reports, warnings, threat assessments and GC situational awareness reports) and take appropriate actions;
- Contact the Government of Canada Computer Incident Response Team (GC CIRT) for assistance in characterizing potentially suspicious events;
- Once it is determined that an event has the potential or has been confirmed to be an incident, send an initial departmental incident report to the GC CIRT (Appendix "E") and when further information becomes available, submit an updated departmental incident report;
- Departments will preserve evidence as outlined in Appendix C.
The incident information must be reported to the GC CIRT no later than one (1) hour after the detection of an incident. The Incident Report Template located in Appendix E should be used as the incident report. In the incident report, departments must assign a level of injury and impact severity. Appendix D should be used as a guideline to categorize the level.
If relevant, affected departments should attempt to correlate multiple incident reports to identify those that are related to a single incident.
If the GC CIRT or GC CTEC notifies the department of a significant event, departments will be requested to confirm if the event is in fact an incident. Departments then must respond by reporting the incident using the Incident Report Template in Appendix E.
The GC CIRT may trigger the Incident Management process if they detect an incident involving one or more departments.
The affected department shall assign a category to the confirmed or suspected incident within the Incident Report Template using the chart provided in Appendix D.
Affected departments shall prioritize based on the incidents' potential impact. Impact is the effect of the incident on the organization's objectives and mission based on the following factors:
- Technical impact (current and future): The current negative effects of the incident and likely future effects. For example, malware spreading within one regional office has an immediate local impact, but if the malware spread across the Wide Area Network (WAN), it could affect operations throughout the department; and
- Criticality of affected resources: The criticality of the Information system (IS) resources that are or could be affected by the incident. Critical systems have been identified through the Business Impact Assessments (BIA) and other business continuity activities.
Figure 3: Incident Flow (Departmental View)
Once an event is received from an affected department, partner, Public Safety or GC CTEC, the GC CIRT will send an acknowledgment of receipt. If it is determined to be an incident the GC CIRT will assess the information received to determine whether the incident is of an IT or cyber nature, and provide appropriate mitigation advice and guidance to the affected department(s) and will alert other departments of the threat and how to protect against it. If the incident is of a cyber security nature, the GC CIRT will also provide this information to GC CTEC for analysis. The GC CIRT will also provide a summary of incidents on a regular basis to TBS CIOB for situational awareness.
Based on the incident categorization (Appendix D), the incident will be handled accordingly as indicated below.
If deemed low risk:
- The information will be logged and the circumstances monitored as an integral part of situational awareness. It will also be reviewed against previous events (even those deemed low risk).
If deemed medium to high risk:
- If the incident is deemed to be non cyber in nature, the information will be provided to the management team for review and action if warranted.
- The information will be provided to TBS as to ensure the management of security incidents is effectively coordinated within departments and across government.
- The information will be passed to the CTU (CTU) for an assessment. If an investigation is deemed necessary by the RCMP or CSIS then GC CTEC and the GC CIRT will be informed immediately.
- If an incident has implications for defence, the information will be passed to the Department of National Defence / Canadian Forces (DND/CF). If an investigation is deemed necessary by DND/CF, then GC CTEC and the GC CIRT will be informed immediately.
- While an investigation is ongoing, the investigating party may provide information to GC CTEC, GC CIRT and/or the Cyber Response Unit (CRU) for mitigation purposes.
The CRU will proceed according to standard operating procedures.
The CRU's main goal is to provide mitigation advice to the affected department(s) and to alert other departments of the threat and how to protect against it.
If containment cannot be achieved at the department level, the GC CIRT will lead the containment effort as per established procedures.
At any time departments may update their incident report to provide additional information to the GC CIRT or to request further mitigation advice.
Threat and vulnerability events will be escalated by the GC CIRT or TBS to the CRU when there is a high risk to the GC.
Figure 4: Incident Escalation Flow
The Management Team is the decision-making group that is convened to advise and intervene when attempts to restore services have not produced expected results or when no action taken/conceived can provide for the continuity of operations and rapid recovery of services. The Management Team has the authority to make important decisions necessary in a crisis: activation of a disaster recovery service, approval of special budgets, etc. In addition, if mitigation requires additional resources, the Management Team will be called upon to review the CRU's action plan and act accordingly.
More concise guidance is being developed and will be completed by June 2012. In the interim these incident categories (Appendix D) can be used.
Most incidents will necessitate recovery actions to restore systems and services to normal operations and preventative actions to avoid recurrence. Recovery actions may include restoration of systems from original media or images, installation of patches and immediate mitigation actions to prevent reoccurrence. System/service recovery should be conducted in a manner that preserves the integrity of the system to assist with an in-depth analysis/investigation of the incident.
The recovery process should align with internal departmental processes such as: Incident Management, Problem Management, Change Management, Configuration Management, and Release Management.
If a department is unable to recover from the incident in a timely fashion, assistance may be available through SSC's IT-SIRT (IT-Security Incident Recovery Team) See footnote  and further with the Cyber Protection Supply Arrangement (CPSA).
Prior to reconnecting affected systems or restoring services, incident handlers shall ensure that reinstating the system or service will not result in another incident.
As a minimum, Departments will:
- Respond to GC CIRT and GC CTEC electronic information products as requested. (Cyber flashes, RFI etc.);
- Insofar as possible, implement any relevant GC mitigating measures as recommended / mandated by the GC CIRT, GC CTEC or TBS Chief Information Officer Branch (CIOB);
- Provide situation report updates during the incident phases and provide a final notification to the GC CIRT when normal operations have resumed.
5.5 Post Incident Analysis
Post analysis of incidents is vital for learning and continuously improving GC safeguards and response plans and procedures. Reviewing the incident recording of lessons learned, recommending changes in processes, procedure, and developing long-term capability improvement solutions are crucial for a successful preparation phase.
For every major incident that occurs:
Departments will perform a post incident analysis, which summarizes the impact of the incident and identifies:
- safeguard deficiencies;
- measures to prevent similar incidents;
- measures to reduce the impact of a recurrence;
- improvements to incident-handling procedures and relating policies;
- review preparation phase in terms of the response of the incident; and
- lessons learned.
Affected departments will provide the GC CIRT a post incident summary report. TBS will be the repository of such reports.
TBS CIOB will close the post incident analysis phase of the GC IT IMP based on the implementation of mitigating measures and actions.
For multi departmental incidents, TBS CIOB will lead post incident analysis and will lead implementation of identified changes / improvements.
6 Departmental Roles and Responsibilities
This section identifies roles and responsibilities within departments relevant to the GC IT IMP.
The Departmental Security Officer (DSO) is responsible for:
- Establishing reporting requirements for IT security incidents that align with the requirements established in the GC IT IMP as part of a coordinated approach to the management of departmental security incidents.
The Departmental IT Security Coordinator (ITSC) is responsible for:
- Ensuring that effective processes for the management IT security incidents are developed, documented, approved, promulgated and implemented within the department, and that the effectiveness of these processes is monitored; and
- Reporting on detected IT security incidents in accordance with the requirements established by the DSO.
Security practitioners and Operational IT Staff are responsible for:
- Responding to IT Security incidents in accordance with the processes and procedures established by the department.
All departmental employees are responsible for:
- Reporting real or suspected IT security incidents or other suspicious activity to departmental officials, in accordance with the processes and procedures established by the department.
7 Roles and Responsibilities of Other Government Organizations
7.1 Government of Canada Computer Incident Response Team
The Government of Canada Computer Incident Response Team's (GC CIRT) role is to coordinate the identification, mitigation, recovery and post-analysis of IT incidents within the Government of Canada.
7.2 Government of Canada Cyber Threat Evaluation Centre
The Government of Canada Cyber Threat Evaluation Centre (GC CTEC), within Communications Security Establishment Canada (CSEC), supports the identification, risk assessment, mitigation, recovery and post-analysis of cyber security incidents within the Government of Canada that relate to the malicious use or threat of IT that affect the confidentiality, integrity or availability of information systems use of, and information resident therein.
7.3 Public Safety Canada – Canadian Cyber Incident Response Centre
Public Safety – CCIRC's role is to provide advice to the GC CIRT as government is identified as a critical infrastructure within CCIRC.
The CTU's role is to determine if an investigation by either Canadian Security Intelligence Service (CSIS) or the Royal Canadian Mounted Police (RCMP) is warranted or ongoing.
7.5 Cyber Response Unit
When activated, the CRU role is to lead and / or assist a response to mitigate the impact of cyber security incidents to the Government of Canada when deemed necessary.
The nature of the incident will determine CRU composition. The team shall consist of members of Shared Services Canada (SSC), Public Safety (PS), CSIS, Department of National Defence / Canadian Forces (DND/CF), CSEC, RCMP, and Treasury Board Secretariat (TBS) as applicable.
7.6 Treasury Board Secretariat – Chief Information Officer Branch
Treasury Board Secretariat's role is of oversight and direction. TBS is responsible for ensuring the management of security incidents is effectively coordinated within departments and government-wide. TBS is also responsible for monitoring the implementation of the policy on government security, its directives and standards.
Figure 5: Area of responsibility for IT incidents
Please direct enquiries about this plan to your department's DSO. For interpretation of this plan, departmental DSO should contact:
Security Division, Chief Information Officer Branch
Treasury Board of Canada Secretariat
2745 Iris Street
Ottawa, ON K1A 0R5
E-mail: Contact Security Division by email: firstname.lastname@example.org
- Date modified: