This plan takes effect on May 10, 2012. It replaces the 2009 Government of Canada Information Technology Incident Management Plan (GC IT IMP). The GC IT IMP will be reviewed on a yearly basis and modified as appropriate.
2.1 This Plan is prepared under the authorities delegated to the Treasury Board of Canada Secretariat under the Financial Administration Act and the associated Policy on Government Security; department mandates; as well as the delegated authorities of the Minister of Public Safety under the Emergency Management Act.
2.2 This Plan applies to all federal institutions subject to the Policy on Government Security and addresses:
2.3 This plan does not address the coordination of national and international cyber incidents with other forms of crisis and emergency management.
2.4 This version of the plan requires departments to report IT incidents to the Government of Canada Cyber Threat Evaluation Center (GC CTEC) at the Communications Security Establishment Canada (CSEC) until such time as Shared Services Canada (SSC) is ready to assume the role of the Government of Canada Computer Incident Response Team (GC CIRT).
2.5 The following IT incident management departmental operating procedures will be provided to Treasury Board Secretariat (TBS) for inclusion in appendices to this document: Public Safety (PS), Communications Security Establishment Canada (CSEC), Canadian Security Intelligence Service (CSIS), Royal Canadian Mounted Police (RCMP), Treasury Board Secretariat (TBS), Shared Services Canada (SSC) and Department of National Defence (DND).
The occurrence of Information Technology (IT) incidents involving Government of Canada (GC) networks and infrastructure can have a significant impact on government operations, services delivered to Canadians and, consequently, confidence in government. The ability to detect and respond to incidents in a coordinated and consistent fashion, across the GC, is essential to maintaining government operations and services and to ensure the confidentiality, integrity and availability of the Government's information and IT assets.
The Government of Canada Information Technology Incident Management Plan (GC IT IMP) provides an operational framework for the management of IT security incidents and events that could have or have had an impact on the GC computer networks.
The following assumptions were made during the development of this Plan:
During a serious incident, the timely engagement of senior government officials is key to a strong and effective response. The governance model of the GC IT IMP identifies the senior management committees and officials who will be engaged when severity and trigger criteria are met.
Guidance provided by the committees and officials of the GC IT IMP governance structure will cover both short- and long-term activities for more serious incidents. Short-term activities are event-driven and are carried out during the mitigation of a threat or vulnerability or the response to or recovery from an incident. These activities require a prompt and coherent response. Longer-term activities involve post incident analysis and lessons learned, which will allow the Assistant Deputy Minister Security Committee (ADM Security) and / or Assistant Deputy Minister National Security (ADM NS) along with the Chief Information Officer Council (CIOC) to provide longer-term strategic leadership, direction, and governance related to security and IT respectively.
The engagement of the following committees and officials will be based on the circumstances and gravity of each situation.
Figure 1: Governance Structure
The incident management process will consist of the following five defined stages (see Figure 2): the stages "preparation" and "identification" are integral components to an effective incident management plan that must be in place and kept up to date to be properly prepared for managing an incident. The other three stages, "response", "recovery" and "post incident analysis" will be the focus of the governing structure.
Figure 2: Stages of Incident Management Process
The responsibilities of departments related to incident management process are documented for each of the stages in the following sections. A summary of departmental responsibilities for all stages of the incident management process is summarized in appendix B.
The preparation stage involves incident handling planning and training activities designed to provide adequate capabilities to prevent and detect incidents.
As a minimum, Departments will:
The identification stage consists of the detection of an event suspected of being a cyber security incident, advising Information Technology representatives for the affected systems (who will perform the initial assessment to determine if it is an actual incident), and determining the impact, severity, and probable cause of the suspected incident.
As a minimum, Departments will:
The incident information must be reported to the GC CIRT no later than one (1) hour after the detection of an incident. The Incident Report Template located in Appendix E should be used as the incident report. In the incident report, departments must assign a level of injury and impact severity. Appendix D should be used as a guideline to categorize the level.
If relevant, affected departments should attempt to correlate multiple incident reports to identify those that are related to a single incident.
If the GC CIRT or GC CTEC notifies the department of a significant event, departments will be requested to confirm if the event is in fact an incident. Departments then must respond by reporting the incident using the Incident Report Template in Appendix E.
The GC CIRT may trigger the Incident Management process if they detect an incident involving one or more departments.
The affected department shall assign a category to the confirmed or suspected incident within the Incident Report Template using the chart provided in Appendix D.
Affected departments shall prioritize based on the incidents' potential impact. Impact is the effect of the incident on the organization's objectives and mission based on the following factors:
Figure 3: Incident Flow (Departmental View)
Once an event is received from an affected department, partner, Public Safety or GC CTEC, the GC CIRT will send an acknowledgment of receipt. If it is determined to be an incident the GC CIRT will assess the information received to determine whether the incident is of an IT or cyber nature, and provide appropriate mitigation advice and guidance to the affected department(s) and will alert other departments of the threat and how to protect against it. If the incident is of a cyber security nature, the GC CIRT will also provide this information to GC CTEC for analysis. The GC CIRT will also provide a summary of incidents on a regular basis to TBS CIOB for situational awareness.
Based on the incident categorization (Appendix D), the incident will be handled accordingly as indicated below.
If deemed low risk:
If deemed medium to high risk:
The CRU will proceed according to standard operating procedures.
The CRU's main goal is to provide mitigation advice to the affected department(s) and to alert other departments of the threat and how to protect against it.
If containment cannot be achieved at the department level, the GC CIRT will lead the containment effort as per established procedures.
At any time departments may update their incident report to provide additional information to the GC CIRT or to request further mitigation advice.
Threat and vulnerability events will be escalated by the GC CIRT or TBS to the CRU when there is a high risk to the GC.
Figure 4: Incident Escalation Flow
The Management Team is the decision-making group that is convened to advise and intervene when attempts to restore services have not produced expected results or when no action taken/conceived can provide for the continuity of operations and rapid recovery of services. The Management Team has the authority to make important decisions necessary in a crisis: activation of a disaster recovery service, approval of special budgets, etc. In addition, if mitigation requires additional resources, the Management Team will be called upon to review the CRU's action plan and act accordingly.
More concise guidance is being developed and will be completed by June 2012. In the interim these incident categories (Appendix D) can be used.
Most incidents will necessitate recovery actions to restore systems and services to normal operations and preventative actions to avoid recurrence. Recovery actions may include restoration of systems from original media or images, installation of patches and immediate mitigation actions to prevent reoccurrence. System/service recovery should be conducted in a manner that preserves the integrity of the system to assist with an in-depth analysis/investigation of the incident.
The recovery process should align with internal departmental processes such as: Incident Management, Problem Management, Change Management, Configuration Management, and Release Management.
If a department is unable to recover from the incident in a timely fashion, assistance may be available through SSC's IT-SIRT (IT-Security Incident Recovery Team) See footnote  and further with the Cyber Protection Supply Arrangement (CPSA).
Prior to reconnecting affected systems or restoring services, incident handlers shall ensure that reinstating the system or service will not result in another incident.
As a minimum, Departments will:
Post analysis of incidents is vital for learning and continuously improving GC safeguards and response plans and procedures. Reviewing the incident recording of lessons learned, recommending changes in processes, procedure, and developing long-term capability improvement solutions are crucial for a successful preparation phase.
For every major incident that occurs:
Departments will perform a post incident analysis, which summarizes the impact of the incident and identifies:
Affected departments will provide the GC CIRT a post incident summary report. TBS will be the repository of such reports.
TBS CIOB will close the post incident analysis phase of the GC IT IMP based on the implementation of mitigating measures and actions.
For multi departmental incidents, TBS CIOB will lead post incident analysis and will lead implementation of identified changes / improvements.
This section identifies roles and responsibilities within departments relevant to the GC IT IMP.
The Departmental Security Officer (DSO) is responsible for:
The Departmental IT Security Coordinator (ITSC) is responsible for:
Security practitioners and Operational IT Staff are responsible for:
All departmental employees are responsible for:
The Government of Canada Computer Incident Response Team's (GC CIRT) role is to coordinate the identification, mitigation, recovery and post-analysis of IT incidents within the Government of Canada.
The Government of Canada Cyber Threat Evaluation Centre (GC CTEC), within Communications Security Establishment Canada (CSEC), supports the identification, risk assessment, mitigation, recovery and post-analysis of cyber security incidents within the Government of Canada that relate to the malicious use or threat of IT that affect the confidentiality, integrity or availability of information systems use of, and information resident therein.
Public Safety – CCIRC's role is to provide advice to the GC CIRT as government is identified as a critical infrastructure within CCIRC.
The CTU's role is to determine if an investigation by either Canadian Security Intelligence Service (CSIS) or the Royal Canadian Mounted Police (RCMP) is warranted or ongoing.
When activated, the CRU role is to lead and / or assist a response to mitigate the impact of cyber security incidents to the Government of Canada when deemed necessary.
The nature of the incident will determine CRU composition. The team shall consist of members of Shared Services Canada (SSC), Public Safety (PS), CSIS, Department of National Defence / Canadian Forces (DND/CF), CSEC, RCMP, and Treasury Board Secretariat (TBS) as applicable.
Treasury Board Secretariat's role is of oversight and direction. TBS is responsible for ensuring the management of security incidents is effectively coordinated within departments and government-wide. TBS is also responsible for monitoring the implementation of the policy on government security, its directives and standards.
Figure 5: Area of responsibility for IT incidents
Please direct enquiries about this plan to your department's DSO. For interpretation of this plan, departmental DSO should contact:
Security Division, Chief Information Officer Branch
Treasury Board of Canada Secretariat
2745 Iris Street
Ottawa, ON K1A 0R5
E-mail: Contact Security Division by email: firstname.lastname@example.org