Government of Canada Cyber Security Event Management Plan (GC CSEMP)

1. Introduction


1.1 Context

Cyber security events related to Government of Canada (GC) information systems can have a significant impact on the delivery of government programs and services to Canadians and, consequently, confidence in government. Government security and the continuity of GC programs and services rely upon the ability of departments and agencies, as well as government as a whole, to manage cyber security events. The ability to respond to cyber security events in a consistent, coordinated and timely manner across the GC is essential to ensure the security and resilience of GC programs and service delivery.

1.2 Purpose

This document provides:

  • an operational framework for the management of cyber security events (including cyber threats, vulnerabilities, or security incidents) that impact or threaten to impact the GC’s ability to deliver programs and services to Canadians
  • context for the plans and procedures developed by departments and agencies to manage cyber security events related to their programs and services, in alignment with this plan [Footnote 1]

1.3 Scope

The scope of this plan applies to cyber security events affecting GC information systems [Footnote 2], irrespective of their categorization, that:

  • affect or may affect delivery of government programs and services to Canadians, government operations, security or privacy of information or confidence in government
  • require an integrated GC-wide response to minimize impacts and enable prompt mitigation and restoration of government programs and services

In addition, elements of this plan may be leveraged to provide a GC-wide coordinated approach for events that may arise such as:

  • security events where GC information or data hosted on non-GC information systems is or may be impacted (from a confidentiality, integrity or availability perspective) such as a third-party breach
  • insider-threat events where there is a cyber nexus
  • significant IT service outages affecting the GC enterprise

This plan does not address the coordination of responses to cross-jurisdictional cyber security events (for example, with provinces, territories, municipalities, other countries or non-governmental organizations such as private sector).

1.4 Alignment with other plans and protocols

This document complements other GC plans and protocols, including:

  • Federal Emergency Response Plan (FERP) [Reference R1] – The FERP outlines the processes required to facilitate a GC-wide response to severe or catastrophic events that impact the national interest and supports an all-hazards arrangement and response mechanism. It also acts as an additional emergency plan to be read in conjunction with the current emergency plans of the event-specific departments or areas of responsibility.
  • Federal Cyber Incident Response Plan (FCIRP) [Reference R2] – The FCIRP is a framework for the GC’s management of cyber incidents that affect assets that are not owned or operated by the GC and are essential to the health, safety, security, defence or economic well-being of Canadians. If a cyber incident affects both GC and non-GC cyber systems, the FCIRP and the GC CSEMP will be activated concurrently (though not necessarily at the same level, depending on the severity of the respective incidents), with the Treasury Board of Canada Secretariat (TBS), the Canadian Centre for Cyber Security (Cyber Centre) and Public Safety Canada (PS) as tripartite co-chairs.
  • Significant Event Information Sharing Protocol (SEISP) [Reference R3] (accessible on the GC network only) – This protocol supports the FERP and Appendix G: Mandatory Procedures for Security Event Management Control of the Directive on Security Management [Reference R4].

1.5 Key terms

The following key definitions support this plan:

compromise: A breach of government security. Includes but is not limited to:

  • unauthorized access to or disclosure, modification, use, interruption, removal or destruction of sensitive information or assets, causing a loss of confidentiality, integrity, availability or value
  • an event causing a loss of integrity or availability of government services or activities

cybercrime: Any crime where a cyber element (that is, the internet and information technologies such as computers, tablets or smart phones) has a substantial role in the commission of a criminal offence [Reference R5].

cyber security: The body of technologies, processes, practices, and response and mitigation measures designed to protect electronic information and information infrastructure from mischief, unauthorized use or disruption.

Figure 1-1: Types of cyber security events (text version follows)

Figure 1-1 identifies the difference between cyber security events, cyber security incidents, vulnerabilities, and cyber threats, as they are defined in the CSEMP through the use of four circles. The first larger circle represents cyber security events, and the much smaller circles within the first identifies cyber security incidents, cyber threats, and vulnerabilities as being a subset of cyber security events.

cyber security event: Any event, act, omission or situation that may be detrimental to government security, including threats, vulnerabilities and incidents (see Figure 1-1).

Examples of cyber security events:

  • disclosure of a new vulnerability
  • intelligence that a threat actor may be planning malicious cyber activities against a GC information system
  • attempts to breach the network perimeter
  • suspicious or targeted emails with attachments or links that were not detected by existing security controls
  • suspicious or unauthorized network activity that represents a deviation from baseline

cyber security incident: Any event (or collection of events), act, omission or situation that has resulted in a compromise. Examples of cyber security incidents include:

  • data breaches or compromise or corruption of information
  • credential stuffing attacks
  • phishing campaigns
  • intentional or accidental introduction of malware to a network
  • denial-of-service attacks
  • web or online presence defacement or compromise (including unauthorized use of GC social media accounts)
  • successful ransomware attempts

Every cyber security incident is a cyber security event, but not every cyber security event is a cyber security incident (see Figure 1-1).

cyber threat: An activity intended to compromise the security of an information system by altering the confidentiality, integrity or availability of a system or the information it contains [Reference R6].

privacy breach: The improper or unauthorized access, creation, collection, use, disclosure, retention or disposition of personal information.

vulnerability: Weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source [Reference R7].

zero-day exploit: An attack directed against a zero-day vulnerability [Reference R7].

zero-day vulnerability: A software vulnerability that is not yet known by the vendor and therefore has not been mitigated [Reference R7].

1.6 Application

This plan is prepared in the exercise of the responsibilities conferred to the Treasury Board of Canada Secretariat (TBS) under the Policy on Government Security (PGS) [Reference R10] and is intended for all departments and agencies subject to the PGS.

1.7 Effective date

This plan takes effect on May 19, 2026. It replaces the version dated .

2. Concept of operations


This section of the GC CSEMP outlines the cyber security event management process, identifies implicated stakeholders and defines cyber security event response levels and escalation triggers to:

  • enhance the situational awareness of likely cyber threats, vulnerabilities, and confirmed cyber security incidents, across the GC
  • mitigate threats and vulnerabilities before a compromise can occur
  • minimize the impacts of cyber events on the confidentiality, integrity or availability of government programs, services, information (including personal information) and operations
  • improve cyber event coordination and management within the GC, including sharing GC knowledge and expertise
  • support GC-wide cyber risk assessment practices and remediation prioritization efforts
  • inform decision-making at all necessary levels
  • enhance public confidence in the GC’s ability to manage cyber security events in a consistent, coordinated and timely fashion

The plan will be reviewed and tested annually, and updated if changes are warranted, to ensure effectiveness.

2.1 Process overview

The overall cyber security event management process defined in this document has several phases, as depicted in Figure 2-1.

Figure 2-1: Cyber security event management process (text version follows)

Figure 2-1 represents the overall cyber security event management process and its multiple phases, as defined in this document. The four phases (preparation, detection and assessment, mitigation and recovery, and post-event activity) are depicted in the middle, with an arrow pointing from the final phase (post-event activity) back to the first (preparation) to indicate a continuous feedback loop. Under each key phase is a short description. The descriptions read as follows:

  1. Preparation
    1. Establish roles and responsibilities
    2. Document and test procedures
    3. Train personnel
    4. Apply protective measures
  2. Detection and assessment
    1. Monitor information sources
    2. Detect and recognize cyber security events
    3. Triage and prioritize
  3. Mitigation and recovery
    1. Conduct forensic analysis
    2. Mitigate (via containment and eradication)
    3. Restore to normal operations
  4. Post-event activity
    1. Conduct post-event analysis
    2. Conduct lessons learned
    3. Continuous improvement

Above phases 2 to 4 is a box that contains the words reporting and communication. This indicates that reporting is an ongoing activity throughout these phases. This box has arrows pointing up to a box that contains the words GC situational awareness to represent the central concept of ongoing situational awareness across the GC at every point in the event management lifecycle.

  1. Preparation: The initial phase involves readiness activities that departments and the broader GC should undertake to ensure they are prepared to respond to a broad range of possible cyber security events, minimizing the resultant impact.
  2. Detection and assessment: The second phase involves the discovery of potential cyber security events, including emerging threats, vulnerabilities or confirmed cyber security incidents, and an initial assessment of the appropriate GC response levels.
  3. Mitigation and recovery: The third phase consists of all response actions required by various stakeholders to minimize the impact and return to normal operations.
  4. Post-event activity: This final phase is vital for continuous improvement of the overall cyber security event management process and, as such, feeds back into the preparation phase to complete the event management life cycle.

The following sections outline stakeholder expectations for each phase of the GC cyber security event management life cycle and will demonstrate:

  • how the GC CSEMP is operationalized, in support of foundational requirements under the PGS [Reference R10] and the cyber security management function outlined under the Policy on Service and Digital (PSD) [Reference R11]
  • the key inputs and outputs from each phase. Note that in practice, phases may overlap when some activities from an earlier phase continue as the next phase is initiated

All stakeholders are responsible for developing their own standard operating procedures or internal processes to deliver the expected outputs.

2.2 Preparation

Figure 2-2: Preparation phase (text version follows)

This is a repeat of figure 2-1, with all but the preparation arrow in the colour grey. The preparation arrow is highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The preparation phase is an ongoing phase in which GC organizations execute a set of continuous processes in order to ensure proactive readiness for specific or unpredictable events. This phase includes the development of an organizational understanding to manage cyber security risk to systems, people, assets, data, and capabilities. It also addresses the maintenance and improvement of existing capabilities and the development of new mechanisms for setting priorities, integrating multiple organizations and functions, and ensuring that the appropriate means are available to support the full spectrum of cyber security event management requirements.

The application of protective and preventive measures in advance of a cyber event is a key element of this phase. Developing and implementing appropriate safeguards to ensure delivery of critical services, including establishing repeatable and standardized processes for activities such as vulnerability management and patch management are critical in ensuring the security of systems and services. As set out in the PGS, a critical service is one that, if disrupted, would result in a high or very high degree of injury to the health, safety, security or economic well-being of Canadians, or to the effective functioning of the Government of Canada. All departments are required to identify their respective critical services and related supporting resources.

Conducting regular exercises to test both the GC CSEMP as well as departmental CSEMPs is important to ensure individual stakeholders (especially when there are changes in personnel) understand their roles, to validate the plans, and revise them based on lessons learned during exercises.

Appendix C outlines the GC CSEMP stakeholder roles and responsibilities for each phase of the GC CSEMP process.

Inputs and outputs for this phase are as follows:

Inputs Outputs
  • Application of protective and preventive measures to ensure the security of systems
  • Implemented lessons learned
  • Updated GC-wide cyber security event management plans, processes, guidelines and tools
  • Exercises, scenarios and tests to regularly validate the effectiveness of the GC CSEMP and departmental CSEMPs
  • Employee security awareness training
  • Updated departmental plans (including departmental CSEMPs), processes and procedures that align with the GC CSEMP
  • Understanding of critical systems across the GC
  • Clear, documented roles and responsibilities, including for cyber event management and the implementation of security safeguards, documented in third-party contracts, internal enterprise agreements (as applicable), and GC interconnection agreements

2.3 Detection and assessment

Figure 2-3: Detection and assessment phase (text version follows)

This is a repeat of figure 2-1, with all but the detection and assessment arrow in the colour grey. The Detection and assessment arrow is highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The detection and assessment phase involves the continuous monitoring of information sources for early indications of emerging cyber security events, including vulnerabilities or confirmed cyber security incidents, and the initial assessment of their impact (potential or actual) on the delivery of services to Canada, government operations or confidence in government.

Inputs and outputs for the detection and assessment phase are as follows:

Inputs:
  • Threat and intelligence reports from GC event management stakeholders or external sources (for example, vendors, open source)
  • Incident reports from GC event management stakeholders, departmental incident reports or external sources

Outputs:
  • Departmental and government-wide impact assessment reports, and possible public communications
  • Establishment of a GC response level
  • Identification of events that require a coordinated GC-wide response
  • Invocation of GC CSEMP, and possibly FERP governance, if required

2.3.1 Detection

The detection portion of this phase is constant for any type of cyber security event and also covers the initial notification of appropriate stakeholders. Detection occurs as a direct result of monitoring and having sufficient inputs to monitor; if the monitoring component is inadequate or incomplete, then the detection process may miss anomalies or events that could impact the GC.

2.3.1.1 Monitoring

To ensure that cyber security events are addressed in a consistent, coordinated and timely fashion GC-wide, it is essential that the Canadian Centre for Cyber Security (Cyber Centre) and TBS-Office of the Chief Information Officer (TBS-OCIO) have up-to-date departmental cyber incident contact information to ensure the receipt of critical communications such as Cyber Centre situational awareness products and messages from the Chief Information Officer of Canada (GC CIO).

Cyber Centre situational awareness products

Advisory (AV) – Publicly posted on the Cyber Centre website. AVs highlight vendor patches for vulnerabilities whose urgency or impact does not warrant a CF or an AL.

Alert (AL) – Publicly posted on the Cyber Centre website and disseminated through email. ALs provide a summary of the topic (incident, vulnerability, joint advisory) and technical advice. May contain additional details such as indicators of compromise (IoCs).

Cyber flash (CF) – Non-public technical and time-sensitive report. Provides detailed descriptions, detections and mitigation advice. Disseminated through email to specific distribution lists at TLP:AMBER:STRICT to ensure appropriate handling and continued sharing of cyber threat intelligence with departments.

More information on the Traffic Light Protocol (TLP) is available from the Forum of Incident Response and Security Teams (FIRST).

GC organizations are required to establish generic mailboxes for their departmental chief information officer (CIO), designated official for cyber security (DOCS), and IT security teams, and are expected to regularly monitor them. Refer to the Guideline on Managing Cyber Incident Contact Information for more information (accessible only on the GC network).

In addition to monitoring Cyber Centre advisories, GC organizations are expected to monitor vendor notifications as part of their vulnerability management programs. Also, while it is important to leverage indicators of compromise (IoCs) such as known bad IP addresses, domains and file hashes from Cyber Centre products and other threat intelligence sources to detect (and prevent) malicious activity, there are limitations. Threat actors will often change IPs and domains, re-encode files, and so on, to evade such defences. Therefore, establishing a robust monitoring regime and understanding baseline (normal) activity will help to detect anomalous behaviours and spot adversarial tactics, techniques and procedures (TTPs).
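The point above, that IoC matching and baseline-based anomaly detection are complementary, as an added example that is not part of the GC CSEMP or of any Cyber Centre product. It matches constructed proxy log lines against a constructed IoC set and, separately, flags requests to a domain the host has never contacted whose outbound volume is far above that host's baseline. The log format, the 5x volume threshold and every indicator, host name and address are assumptions made for the example; the known-bad request is caught only by the IoC match, and the rotated-infrastructure request only by the baseline check.

```python
"""Added example, not from the GC CSEMP: IoC matching beside a baseline
deviation check over constructed proxy log lines. All IoC values, host
names, addresses and log lines are made-up sample data, not real indicators."""
from collections import defaultdict
import re
from statistics import mean

# Constructed IoC set in the shape a threat feed provides: IPs, domains, file hashes.
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-checker.example"},
    "sha256": {"0" * 64},
}

# Assumed proxy log format: "<ts> <host> <dst_ip> <dst_domain> <bytes_out> <file_sha256|->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<domain>\S+) (?P<bytes>\d+) (?P<sha256>\S+)$"
)

# Constructed baseline period (normal activity) and a later observation window.
BASELINE_LINES = [
    "2026-05-12T09:00:01 wks-101 198.51.100.10 intranet.example 1200 -",
    "2026-05-12T09:05:10 wks-101 198.51.100.20 mail.example 3000 -",
    "2026-05-12T09:10:42 wks-101 198.51.100.10 intranet.example 900 -",
    "2026-05-12T09:01:13 wks-102 198.51.100.10 intranet.example 1500 -",
    "2026-05-12T09:06:55 wks-102 198.51.100.20 mail.example 2500 -",
    "2026-05-12T09:12:08 wks-102 198.51.100.10 intranet.example 1100 -",
]
CURRENT_LINES = [
    "2026-05-19T09:00:03 wks-101 198.51.100.10 intranet.example 1300 -",
    # Known-bad domain and IP from the IoC set: caught by indicator matching.
    "2026-05-19T09:02:30 wks-101 203.0.113.45 update-checker.example 800 -",
    "2026-05-19T09:03:11 wks-102 198.51.100.10 intranet.example 1000 -",
    # Same activity after the domain and IP were rotated: no IoC matches, but a
    # never-seen domain and 45 kB outbound are far outside this host's baseline.
    "2026-05-19T09:04:27 wks-102 203.0.113.46 cdn-sync.example 45000 -",
    "2026-05-19T09:05:40 wks-102 198.51.100.20 mail.example 2400 -",
]


def parse_lines(lines):
    """Parse log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def ioc_matches(events):
    """Return (host, indicator_type, value) for every field that hits the IoC set."""
    hits = []
    for ev in events:
        for kind in ("ip", "domain", "sha256"):
            if ev[kind] in IOCS[kind]:
                hits.append((ev["host"], kind, ev[kind]))
    return hits


def build_baseline(events):
    """Per host: the set of domains normally contacted and mean bytes out per request."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    return {
        host: {
            "domains": {e["domain"] for e in evs},
            "mean_bytes": mean([e["bytes"] for e in evs]),
        }
        for host, evs in by_host.items()
    }


def baseline_deviations(baseline, events, factor=5.0):
    """Flag requests to a domain the host has never contacted whose outbound volume
    exceeds `factor` times the host's baseline mean (the factor is an assumption)."""
    flagged = []
    for ev in events:
        base = baseline.get(ev["host"])
        if base is None:
            flagged.append((ev["host"], ev["domain"], "host has no baseline"))
            continue
        if ev["domain"] not in base["domains"] and ev["bytes"] > factor * base["mean_bytes"]:
            ratio = ev["bytes"] / base["mean_bytes"]
            flagged.append((ev["host"], ev["domain"], f"new domain, {ratio:.1f}x baseline bytes out"))
    return flagged


def run():
    """Apply both checks to the observation window and return their findings."""
    baseline = build_baseline(parse_lines(BASELINE_LINES))
    current = parse_lines(CURRENT_LINES)
    return {"ioc_hits": ioc_matches(current), "deviations": baseline_deviations(baseline, current)}


if __name__ == "__main__":
    for name, rows in run().items():
        print(name)
        for row in rows:
            print("  ", row)
```

Run stand-alone, the script reports two IoC hits on the wks-101 request (IP and domain) and a single baseline deviation for the wks-102 request to cdn-sync.example, which no indicator would have matched. In practice the baseline would be built over a longer window and more features (destination ports, request timing, user agents), but the split between indicator matching and deviation from the host's own normal activity is the point.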

2.3.1.2 Reporting

GC organizations must report all cyber security incidents to the Cyber Centre, which acts as the central point of contact for cyber security incident reporting for the GC.

For cyber incidents affecting a service provided by an internal enterprise service organization (IESO), the organization that first detects the incident is to report to the Cyber Centre. If the service consumer (for example, a department or an agency) is the first to detect it, it too is expected to report the cyber incident to the IESO. Otherwise, the IESO will report to the Cyber Centre and inform affected departments and agencies.

If in doubt, it is better to over-report than to under-report. Reporting all events will enable the Cyber Centre to identify trends or suspicious patterns of activity and identify potential impacts to other GC organizations who may be using the same service/system as an affected department.

The Cyber Centre will store and handle these incident reports. Information may be shared with TBS-OCIO and other LSAs, as required. To enable broader cyber defence protections, technical information such as IoCs and TTPs may be shared more widely. Sensitive department-specific information will not be shared beyond LSAs without approval from the department.

For cyber events affecting NSS, it is important that appropriate tools, commensurate with the security category of the affected information system, are used to securely communicate with the Cyber Centre.

Departments are expected to report incidents based on the timeframes outlined in Table 2-1.

Table 2-1: Reporting timeframes

  • Initial incident report – Timeframe: as soon as possible, and not to exceed 1 hour after initial detection. Remarks: not applicable.
  • Detailed incident report – Timeframe: within 24 hours after detection. Remarks: where possible, likely or potential business impact to the organization should be included in the reporting.

Refer to Appendix D: Reporting Procedures for information on how to contact the Cyber Centre, including expectations for initial and detailed incident reports.

If a GC organization requires additional assistance navigating GC CSEMP governance or reporting processes, TBS-OCIO, as part of its oversight function, should be engaged to ensure that the appropriate coordination and support is in place to enable rapid response.

2.3.1.3 Reporting to law enforcement

In most cases, a cyber incident is a cybercrime. In addition to reporting to the Cyber Centre, departments and agencies are expected to report cyber incidents directly to the police of jurisdiction (specifically, the RCMP National Cybercrime Coordination Centre (NC3) or Military Police). It is the role of law enforcement to conduct an investigation to determine whether there is reasonable evidence to suspect criminal activity, which may lead to charges, arrests, search and seizures, or other disruptive outcomes that help to deter future cyber incidents. Although not every complaint will result in a criminal investigation, reporting to law enforcement will strengthen efforts to investigate and disrupt cybercriminal activities that impact the safety and security of Canadians.

Refer to Appendix D: Reporting Procedures for information on how to contact the RCMP.

2.3.1.4 Personal information and privacy breaches
Figure 2-4: Cyber security incidents involving personal information (text version follows)

Figure 2-4 identifies the overlap between a cyber security incident and a privacy breach in the event that personal information may be involved. The figure uses two circles, with the circle on the left representing cyber security incidents and the circle on the right representing privacy breaches. The element of personal information represents the intersection of the two circles.

GC organizations are accountable and transparent in the protection and management of personal information. If the possibility exists that personal information is involved in a cyber security incident, it is expected that the appropriate authorities are notified. This includes, for GC organizations subject to the Privacy Act [Reference R14] and the Policy on Privacy Protection [Reference R15], immediately notifying departmental Access to Information and Privacy (ATIP) offices to determine whether a privacy breach has occurred. If one has occurred, departments and agencies will respond in accordance with their privacy breach plans and procedures set out in the Directive on Privacy Practices [Reference R16].

This process should involve:

  • an assessment to determine the potential impact to the GC when hardware or software vulnerabilities are disclosed
  • an assessment to determine whether personal information may be involved as part of the event or incident, signaling that a privacy breach may have occurred

Departments and agencies should also apprise themselves of the Directive on Privacy Practices [Reference R16] and the Privacy Breach Management Toolkit [Reference R9]. These privacy instruments identify causes of privacy breaches; provide guidance on how to respond to, contain and manage privacy breaches; delineate roles and responsibilities; and include links to relevant supporting documentation. Departments and agencies should consult legal counsel as needed.

2.3.1.5 Reporting security incidents involving third-party suppliers

As set out in Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP) [Reference R17], private sector organizations contracting to the GC have an obligation to maintain compliance with the requirements of the CSP at all times throughout the life of a contract. This includes reporting security incidents and changes in circumstances and behaviour, using the Security Incident Report form for security officers, to the PSPC CSP, which will coordinate the investigation. Departments remain accountable for ensuring that security and privacy incidents involving third-party suppliers are identified, escalated and reported.

For more detailed reporting requirements in the context of a cyber event involving a third-party service, refer to the Third-party Service Provider Cyber Event Management Protocol [Reference R18] (accessible only on the GC network).

2.3.2 Assessment

The purpose of the assessment phase is to establish a GC response level and determine whether invocation of GC CSEMP and possibly FERP governance is required. Upon detection of a cyber security event, TBS-OCIO and the Cyber Centre will conduct an initial assessment and determine the appropriate GC response through declaration of GC response level. Requisite stakeholders will then be notified of the response level, and mitigation and recovery activities will follow.

2.3.2.1 GC response levels

There are four response levels that govern GC cyber security event management activities, as indicated in Figure 2-5. These response levels will dictate the level of coordination required in response to any given cyber security event, including level of escalation, stakeholder participation and reporting required. Table 2-2 provides more information on each of the levels.

Figure 2-5: GC response levels (text version follows)

Figure 2-5 represents the four GC response levels that govern GC cyber security event management activities and dictate the necessity and degree of enterprise response required. The figure uses four stacked boxes with the level of required coordination identified to the left of the boxes.

  1. Level 1 – Departmental response
    1. Requires standard coordination
  2. Level 2 – Limited GC-wide response
    1. Requires GC CSEMP coordination
  3. Level 3 – Comprehensive GC-wide response
    1. Requires GC CSEMP coordination
  4. Level 4 – Emergency (crisis) response
    1. Requires combined FERP & GC CSEMP Coordination

Table 2-2: GC response levels

Level 1 – Departmental response (coordination lead: Department)

Level 1 responses are limited to a departmental response. As such, departments and agencies should follow their standard departmental procedures, continue applying regular preventive measures, and maintain communication with the Cyber Centre for advice and guidance.

Events at this level can trigger invocation of the TBS-Strategic Communications and Ministerial Affairs (SCMA) Cyber Security Communications Framework [Reference R19] when it is deemed appropriate, such as a limited event that has disproportionate media interest. GC-wide briefings can be led by the GC CIO where warranted.

Level 2 – Limited GC-wide response (coordination lead: Event Coordination Team (ECT))

Level 2 indicates that limited GC-wide coordination is required, triggering the establishment of the Event Coordination Team (ECT). At this level, all primary GC CSEMP stakeholders (and specialized stakeholders, when required) will be on heightened alert for cyber activity, monitoring GC-wide risk levels and ensuring that any potential impact is contained and mitigated. Additional targeted advice may be provided to departments and agencies on how to proceed with an event response, which could include invocation of emergency patch management processes. Events at this level will trigger invocation of TBS-SCMA’s Cyber Security Communications Framework [Reference R19]. GC-wide briefings will be led by the GC CIO where warranted.

Level 3 – Comprehensive GC-wide response (coordination lead: Executive Management Team (EMT))

Level 3 indicates that a comprehensive GC-wide response is required, triggering the establishment of the executive management team (EMT) (see section 3.2). At this level, event response will be fully coordinated through the ECT and EMT, with departments and agencies given ongoing direction and guidance on how to proceed with event response. Response may range from emergency patch management processes to the disconnection of systems from GC networks. Events at this level will trigger invocation of TBS-SCMA’s Cyber Security Communications Framework [Reference R19]. GC-wide briefings will be led by the GC CIO.

Level 4 – Emergency (crisis) response (coordination lead: PS-GOC)

Level 4 is reserved for severe or catastrophic events that affect multiple government institutions, confidence in government or other aspects of the national interest. TBS-OCIO and the Cyber Centre may recommend to Public Safety the declaration of a Level 4 event, if warranted. Events that reach this level will immediately fall under the FERP governance structure, coordinated by the Government Operations Centre (GOC) in accordance with the FERP [Reference R1], to ensure the harmonization of federal response efforts. Cyber aspects of the response in Level 4 will use GC CSEMP governance structures.

2.3.2.2 Response level assessment

TBS-OCIO and Cyber Centre will jointly determine the appropriate GC CSEMP response level (Levels 2 and 3) for a cyber event, with the support of affected department(s) as appropriate.

The assessment approach differs depending on whether the event is an incident or whether it is related to a cyber threat or vulnerability (see Appendix E: Departmental Impact Assessment for details). The response level is determined using injury to the GC (for incidents), or potential injury (for threat/vulnerability). In this assessment, several factors are considered, such as:

  • likelihood of occurrence
  • exploitability or exposure of vulnerable systems
  • breadth of impact
  • effectiveness of security controls

Other factors may also need to be considered, based on the context of the event in question, as depicted in Figure 2-6. While this assessment guides the determination of an appropriate response level, TBS-OCIO and the Cyber Centre may consider additional factors, such as business impact and geo-political factors, to establish an appropriate response.

Figure 2-6: GC CSEMP response level criteria

Level 1 – Departmental response
  Threats/vulnerabilities:
  • Low impact to a single department
  • Low exposure of vulnerable systems
  Incidents:
  • Low-impact compromise of a non-public-facing GC program or service in a single department
  • No indicators of broader propagation or lateral movement

Level 2 – Limited GC-wide response
  Threats/vulnerabilities:
  • Increased probability of Medium+ impact to multiple departments
  • Medium+ exposure of vulnerable systems or increased exploitability of vulnerable systems
  Incidents:
  • Medium+ impact compromise affecting delivery of one or more public-facing GC programs or services
  • Indicators of broader propagation or lateral movement within the affected department(s)

Level 3 – Comprehensive GC-wide response
  Threats/vulnerabilities:
  • Imminent threat of High+ impact to multiple departments
  • High+ exposure of vulnerable systems
  Incidents:
  • High+ impact compromise affecting delivery of public-facing GC programs or services or operation of one or more systems
  • Strong likelihood of broader propagation or lateral movement across the GC

Level 4 – Emergency response
  Threats/vulnerabilities:
  • Imminent threat of Very High impact to multiple departments
  • Very High exposure of multiple vulnerable systems
  Incidents:
  • Very High impact compromise affecting delivery of programs or services resulting in severe injury
  • Widespread propagation or lateral movement across the GC

Any subsequent escalation or de-escalation from one level to another, as the need arises, is similarly jointly determined (see Appendix F: Escalation and De-Escalation Procedures for details).

2.4 Mitigation and recovery

Figure 2-7: Mitigation and recovery phase (text version)

This is a repeat of figure 2-1, with all but the mitigation and recovery arrow in the colour grey. The mitigation and recovery arrow is highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The purpose of the mitigation and recovery phase is to contain and mitigate the injury or potential injury of a cyber security event. Activities in this phase will vary depending on the nature of the event but could include actions such as the installation of patches, implementation of preventive measures, containment and eradication of a confirmed incident, the invocation of business continuity and disaster recovery plans, or the temporary shutdown of vulnerable services. Regardless of the type of event, the end goal of the phase is to minimize impacts and ensure the timely restoration of normal operations.

For incidents, containment and eradication are key components of this phase. They include, but are not limited to, actions such as shutting down systems, disconnecting from networks, disabling functionality (including accounts), and addressing exploited vulnerabilities through patch installation. These actions may be taken by the departmental business owners of affected assets, or as directed by their chain of command up to a department’s deputy head. GC organizations should document roles and responsibilities for such decisions to enable rapid decision-making. Additionally, the GC CIO has the authority to direct a deputy head to take action in response to a cyber event (Footnote 3).

Appendix C outlines the GC CSEMP stakeholder roles and responsibilities for each phase of the GC CSEMP process.

Inputs and outputs for this phase are as follows:

Inputs:
  • Incident reports
  • Intelligence
  • Forensic findings
  • Other considerations (political, legal)
  • Impact assessment reports
  • Business continuity plans
  • Disaster recovery plans

Outputs:
  • Situation reports (SITREPs)
  • Change log
  • Response plan
  • Mitigation of threat or vulnerability (when applicable)
  • Containment and eradication of incident (when applicable)
  • Ongoing restoration to normal operations

2.5 Post-event activity

Figure 2-8: Post-event activity phase (text version)

This is a repeat of figure 2-1, with all but the post-event activity and feedback arrows in the colour grey. The post-event activity and feedback arrows are highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

The post-event activity phase uses knowledge gained from each cyber security event to ensure the continual improvement of the process and, by extension, the security posture of the GC infrastructure as a whole. The purpose of this phase is to formally close out the cyber security event by conducting a post-event analysis; identifying lessons learned; and driving improvements to policy, security architecture, or other controls, as required. The degree of effort and resources allocated to this phase will vary from event to event. More complex and serious events will require deeper post-event analysis than less serious events will. Repetitive events may require post-event analysis in aggregate.

Appendix C outlines the GC CSEMP stakeholder roles and responsibilities for each phase of the GC CSEMP process.

Inputs and outputs for this phase are as follows:

Inputs:
  • Review of event timeline
  • Change log
  • Review of reporting and communication procedures and timeliness of products
  • Root-cause analysis
  • Other relevant input from implicated CSEMP stakeholders

Outputs:
  • Departmental lessons-learned report and action plan (if applicable)
  • GC-level post-event reports
  • GC-wide lessons-learned report and action plan (if applicable)
  • Recommendations to improve policy instruments, the cyber security event management process, training, or enterprise security architecture

3. Governance

3.1 Stakeholders

Several key stakeholders are involved in taking action during GC cyber security events (see Table 3-1).

Table 3-1: Key stakeholders in managing GC cyber security events (columns: Category, Description, Organization)

Primary lead security agency (LSA) stakeholders

Stakeholders that lead the coordination of all events that meet the criteria for a GC CSEMP Level 2 response and above. This includes potential threats, vulnerabilities and confirmed incidents.

  • Treasury Board of Canada Secretariat (TBS)
    • Office of the Chief Information Officer (OCIO)
    • Strategic Communications and Ministerial Affairs (SCMA)
  • Canadian Centre for Cyber Security (Cyber Centre), part of Communications Security Establishment Canada (CSEC)

Specialized LSA stakeholders

Stakeholders that will be involved in the GC CSEMP process for confirmed cyber security incidents or threat events that are relevant to their specific mandate.Footnote 4

  • Privy Council Office (PCO)
    • Security and Intelligence (S&I)
  • RCMP
    • National Cybercrime Coordination Centre (NC3)
    • Federal Policing Cybercrime (FPCC)
  • Canadian Security Intelligence Service (CSIS) – Cyber
  • National Defence / Canadian Armed Forces (DND-CAF) – Information Management Operations
  • Public Safety Canada – National Cyber Security Directorate (NCSD)
  • Global Affairs Canada (GAC)

Other stakeholders

Stakeholders who are involved in the GC cyber security event management process and may be engaged for confirmed cyber security incidents or threat events.

  • Shared Services Canada (SSC)
  • Public Safety Canada – Government Operations Centre (GOC)
  • Privy Council Office (PCO)
    • Strategic Communications (SC)
  • Director General Emergency Management Committee (DG EMC)
  • Departments
    • Legal Services
    • Incident Management Team
    • Access to Information and Privacy Team (privacy breach management)
    • Communications (Comms) Team
  • IESOs (such as Shared Services Canada)
  • External partners
  • Third-party suppliers

Detailed roles and responsibilities of each stakeholder are found in Appendix C: Detailed Roles and Responsibilities.

3.2 Governance bodies

During a cyber security event, the timely engagement of the appropriate governance bodies will focus both management and operations to prevent, detect, respond to and recover from cyber security events in a prioritized manner. The GC CSEMP response level determines the governance bodies that are to be established. These bodies serve to direct and facilitate mitigation and recovery activities.

Figure 3-1 shows the relevant stakeholders for each response level and the corresponding governance bodies:

  • For Level 2 events and higher, an Event Coordination Team (ECT) is established to provide leadership at the director level.
  • For Level 3 events and higher, an Executive Management Team (EMT) is established to provide executive-level leadership at the director general (DG) level.

Ad hoc ECT or EMT meetings may be set up before any escalation of GC CSEMP levels as a proactive, precautionary measure and for situational awareness purposes. Escalation may or may not follow, depending on the development of an event.

Should an event be assessed at a Level 3 from the outset, governance will immediately begin at the DG level with EMT and ECT teams set up at the same time.

Both teams, co-chaired by TBS-OCIO and the Cyber Centre, provide advice and guidance to the GC CIO. The GC CIO is responsible for executing decisions on the management of cyber security risks on behalf of the GC and directing deputy heads to implement specific response(s) to cyber security events. This includes assessing whether there has been a privacy breach, implementing security controls, and ensuring that systems that put the GC at risk are disconnected or removed, when warranted.Footnote 5 The GC CIO is supported by the Chief Information Security Officer of the GC (GC CISO) and the Head of the Cyber Centre.

The lead minister for the response will be determined on a case-by-case basis, depending on the context of the event, supported by recommendations from the ECT, EMT and the GC CIO.

Figure 3-1: GC CSEMP Coordination Teams (text version)

Figure 3-1 identifies the relevant stakeholders for each of the GC response levels outlined in Figure 2-5. Figure 3-1 does not explicitly address stakeholders at Level 4 (emergency or crisis response), as Level 4 invokes FERP governance, which is out of scope for this document. However, for Level 4 events, the ECT (of Level 2) and the EMT (of Level 3) remain in play to address any elements related to cyber events in the GC.

  1. Level 1 – Departmental response
    1. Stakeholders:
      1. Departmental CIO (or designate), supported by the DOCS
      2. Departments and agencies
      3. RCMP
      4. Cyber Centre
      5. TBS/OCIO
  2. Level 2 (and higher) – Limited GC-wide response

    An Event Coordination Team (ECT) is established, comprising the following stakeholders:

    1. Primary stakeholders:
      1. GC CIO (supported by the GC CISO, Deputy Chief CCCS, other GC CSEMP stakeholders as appropriate)
      2. TBS/OCIO (co-chair)
      3. Cyber Centre (co-chair)
      4. TBS SCMA
    2. Specialized stakeholders:
      1. PCO/S&I
      2. CSIS
      3. DND/CAF
      4. PS
      5. RCMP
    3. Other stakeholders:
      1. SSC/NSSB
      2. Affected department(s)
  3. Level 3 (and higher) – Comprehensive GC-wide response

    The Executive Management Team (EMT) is established to provide leadership at the executive level (i.e. Director General level). The EMT is made up of the same stakeholders as the ECT.

    1. Primary stakeholders:
      1. GC CIO (supported by the GC CISO, Deputy Chief CCCS, other GC CSEMP stakeholders as appropriate)
      2. TBS/OCIO (co-chair)
      3. Cyber Centre (co-chair)
      4. TBS SCMA
    2. Specialized stakeholders:
      1. PCO/S&I
      2. CSIS
      3. DND/CAF
      4. PS
      5. RCMP
    3. Other stakeholders:
      1. SSC/NSSB
      2. Affected department(s)

Depending on the size and scope of the cyber event, departments directly affected by specific threats or vulnerabilities may also be invited to participate in the ECT and/or EMT. Impacted departments will always be invited to ECT and/or EMT if they are experiencing an incident. Participation will be determined by the co-chairs to ensure optimal operation of the governance bodies.

Detailed roles and responsibilities of each stakeholder, within the ECT and EMT, are summarized in Table 3-2 and Table 3-3.

Table 3-2: Event Coordination Team

Level 2 (and higher) – Event Coordination Team (ECT)

Membership

Director level (or above) participants from the following departments:

Primary LSA stakeholders:

  • TBS-OCIO (director)
  • Cyber Centre (director)
  • TBS-SCMA (director)

Engagement (depending on the event):

  • Specialized LSA stakeholders
  • Other stakeholders
    • SSC-CSSB-ECSS (director)
    • Impacted departments (DOCS)

Responsibilities – Threats and vulnerabilities (activated by GC CSEMP Level 2 or higher)

  • Support central coordination for all threat and vulnerability management and response
  • Establish and participate in cyber war rooms to identify, assess and mitigate the threat or vulnerability (ECT co-chairs will designate which stakeholder will establish the cyber war room)
  • Collaborate with key stakeholders to jointly propose recommended mitigation plans
  • Engage third-party suppliers as appropriate
  • At Level 3 or higher, ensure that situational awareness is maintained at the DG level by actively updating EMT members on ongoing CSEMP progress

Responsibilities – Incidents (activated by GC CSEMP Level 2 or higher)

  • Support central coordination and information sharing for all event management and response
  • Establish and participate in cyber war rooms to identify, assess and mitigate the incident (ECT co-chairs will designate which stakeholder will establish the cyber war room)
  • Collaborate with key stakeholders to jointly propose recommended mitigation plans
  • Engage third-party suppliers as appropriate
  • At Level 3 or higher, ensure that situational awareness is maintained at the DG level by actively updating EMT members on ongoing CSEMP progress

Table 3-3: Executive Management Team

Level 3 (and higher) – Executive Management Team (EMT)

Membership

DG level (or above) stakeholders from the following departments:

Primary LSA stakeholders:

  • GC CISO
  • TBS-SCMA (DG)
  • Cyber Centre (DG)

Engagement (depending on the event):

  • Specialized LSA stakeholders
  • Other stakeholders
    • SSC-CSSB-ECSS (DG)
    • Impacted departments (CIO, DOCS, and/or designate)

Responsibilities – Threats and vulnerabilities (activated by GC CSEMP Level 3 events or higher)

  • Brief senior GC officials (decision briefs, SITREPs and mitigation plans that require ADM approval), on an ongoing basis, as required
  • Provide situational awareness, executive direction and guidance to the ECT
  • Engage third-party suppliers as appropriate

Responsibilities – Incidents (activated by GC CSEMP Level 3 events or higher)

  • Brief senior GC officials (decision briefs, SITREPs and mitigation plans that require ADM approval), on an ongoing basis, as required
  • Provide situational awareness, executive direction and guidance to the ECT
  • Engage third-party suppliers as appropriate
  • As a subcommittee of the EMT, stand up a DG-level incident command centre with primary stakeholders (including affected department(s)) to enable rapid incident-related decisions and ensure a coordinated approach for compromise recovery and remediation efforts, in support of business resumption

3.3 Integrated Command Structure

The GC CSEMP focuses on the authorities and responsibilities related to cyber events. Cyber events may evolve into non-cyber events that fall outside the scope of the GC CSEMP, such as confirmed privacy breaches or non-security-related information technology (IT) service outages.

In these instances, it is important to establish a handoff from the authorities guided by the GC CSEMP to the authorities guided by the appropriate authoritative framework or process to ensure that the GC can respond to rapidly evolving non-cyber events that require continued leadership through a coordinated, whole-of-government approach.

Refer to Appendix G: Integrated Command Structure for an overview of a notional integrated command structure that can be established depending on the situation at hand.

4. Reporting and communications

Figure 4-1: Reporting and communication (text version)

This is a repeat of figure 2-1, with all but the GC situational awareness and reporting and communication boxes in the colour grey. The GC situational awareness and reporting and communication boxes are highlighted in the colour blue and this image is a visual representation of the phase being described for the reader in this section.

To maintain whole-of-government situational awareness, ongoing reporting and communication between stakeholders must be maintained throughout an event’s life cycle to ensure that everyone has the same information. This will require the engagement of additional participants from stakeholder departments and agencies to the EMT and/or ECT bodies along with bidirectional communication flows to ensure that any mitigating actions are coordinated and documented to minimize duplication of efforts and streamline response activities.

As set out in the Directive on Security Management, Appendix I: Standard on Security Event Reporting (Reference R20), entrenching ongoing communication practices from detection through to the conclusion of post-event activities is imperative to ensure that mitigation advice and status updates are shared with both affected parties and appropriate non-affected parties in a timely fashion.

In addition, it is expected that departments and agencies refrain from making any public attribution statements without engaging key GC CSEMP stakeholders such as Global Affairs Canada and/or the RCMP, as appropriate.

4.1 Reporting structure and communications

Figure 4-2 (GC CSEMP government-wide reporting and communication) summarizes how reporting and communication will be handled at the government-wide level.

Figure 4-2: GC CSEMP Government-wide reporting and communication (text version)

Figure 4-2 identifies the CSEMP government-wide reporting and communication flows, separated by the GC response levels outlined in Figure 2-5. Figure 4-2 does not describe government-wide reporting and communication at Level 4 (emergency or crisis response), which is invoked under the FERP.

  1. Level 1 – Departmental response
    1. Cyber Centre is the central agent in gathering information
    2. Cyber Centre will obtain information from and provide information to the following sources:
      1. TBS/OCIO
      2. Departmental IT Security Teams
      3. Technical information sources
    3. TBS-OCIO is to receive information from Cyber Centre
  2. Level 2 – Limited GC-wide response
    1. The Event Coordination Team (ECT) is identified as the central source for reporting and communication
    2. The Event Coordination Team is comprised of the following agents:
      1. TBS-OCIO
      2. TBS/SCMA
      3. Cyber Centre
      4. Specialized LSA stakeholders
      5. Other CSEMP stakeholders
    3. The Event Coordination Team will provide information to and receive information from the following stakeholders:
      1. Departmental IT Security Teams (through the Cyber Centre)
      2. Other CSEMP stakeholders
  3. Level 3 – Comprehensive GC-wide response
    1. Two governance bodies are identified as central sources for reporting and communication: the ECT and the Executive Management Team (EMT).
    2. The Executive Management Team is comprised of the following agents:
      1. TBS-OCIO
      2. TBS-SCMA
      3. Cyber Centre
      4. Specialized LSA stakeholders
      5. Other CSEMP stakeholders
    3. The EMT (through TBS-OCIO) will provide information to Designated Officials for Cyber Security (DOCS)
    4. The EMT (through TBS-SCMA) will provide information to and receive information from Departmental Comms, PCO/Comms, and CSE/Comms
    5. The EMT (through TBS-OCIO) will provide strategic direction to the Event Coordination Team (ECT).

At the government-wide level, reporting and communication should adhere to the following guidelines:

  • TBS-SCMA will coordinate the development of communications products and a path forward in accordance with the TBS-SCMA Cyber Security Communications Framework (Reference R19), in collaboration with Cyber Centre Communications and PCO Strategic Communications (PCO SC), for all events that require external communications or coordinated messaging (such as Level 3 GC CSEMP events or, when warranted, Level 2 GC CSEMP events).
  • Impacted departments and agencies will develop their own stakeholder, client and public communications products, in alignment with the TBS-SCMA Cyber Security Communications Framework. In particular, TBS-SCMA and PCO SC approval is required for communications products related to Level 2 and Level 3 events.
  • TBS-OCIO will coordinate messaging to the CIO, DOCS and chief security officer (CSO) communities, including supporting the GC CIO in GC-wide briefings, and will disseminate senior management updates as required.
  • Cyber Centre will coordinate messaging to the operational (IT Security) community and disseminate technical information products (cyber flashes, advisories, alerts, and so on), including GC CSEMP response level status and SITREPs to implicated stakeholders as required, in collaboration with TBS and other applicable partners.
  • Cyber Centre will disseminate SITREPs to the GOC and the Privy Council Office’s Security and Intelligence (PCO S&I) during, or when considering, escalation to a GC CSEMP Level 4 involving the FERP.

Appendix A: Acronyms and abbreviations

ADM: Assistant Deputy Minister
AL: Alert
AV: Advisory
ATIP: Access to Information and Privacy
CF: Cyber Flash
CIO: Chief Information Officer
CISO: Chief Information Security Officer
Comms: Communications
CSEC: Communications Security Establishment Canada
CSEMP: Cyber Security Event Management Plan
CSIRT: Computer Security Incident Response Team
CSIS: Canadian Security Intelligence Service
CSO: Chief Security Officer
CSP: Cloud Service Provider
Cyber Centre: Canadian Centre for Cyber Security, part of the Communications Security Establishment
DG: Director General
DG EMC: Director General Emergency Management Committee
DND-CAF: National Defence/Canadian Armed Forces
DOCS: Designated Official for Cyber Security
ECT: Event Coordination Team
EMT: Executive Management Team
FCIRP: Federal Cyber Incident Response Plan
FERP: Federal Emergency Response Plan
FIRST: Forum of Incident Response and Security Teams
FPCC: Federal Policing Cybercrime, part of the RCMP
GAC: Global Affairs Canada
GC: Government of Canada
GOC: Government Operations Centre
IESO: Internal Enterprise Service Organizations
IoC: Indicators of Compromise
IP: Internet Protocol
IT: Information Technology
LSA: Lead Security Agency
MSP: Managed Service Providers
NC3: National Cybercrime Coordination Centre, part of the RCMP
NCSD: National Cyber Security Directorate, part of Public Safety Canada
NSS: National Security Systems
OCIO: Office of the Chief Information Officer, part of the Treasury Board of Canada Secretariat
PCO: Privy Council Office
PS: Public Safety Canada
RCMP: Royal Canadian Mounted Police
RFA: Request for Action
S&I: Security and Intelligence
SC: Strategic Communications
SCMA: Strategic Communications and Ministerial Affairs, part of the Treasury Board of Canada Secretariat
SEISP: Significant Event Information Sharing Protocol
SITREP: Situation Report
SSC: Shared Services Canada
SSC-CSSB-ECSS: Connectivity and Security Services Branch, part of Shared Services Canada, Enterprise Cyber Security Services
TBS: Treasury Board of Canada Secretariat
TLP: Traffic Light Protocol
TTPs: Tactics, Techniques and Procedures

Appendix B: References

Appendix C: Detailed roles and responsibilities

This appendix describes the roles and responsibilities of GC CSEMP stakeholders, in support of and in the context of this plan. Roles and responsibilities will vary depending on the type of event (a vulnerability or threat, or a compromise or breach resulting in an incident) and its priority level.

C-1 Roles and responsibilities by organization

Table C-1: GC CSEMP primary stakeholders (columns: Organization, Responsibilities)

Treasury Board of Canada Secretariat (TBS)

TBS provides strategic oversight and direction in the GC cyber security event management process.Footnote 6 TBS ensures that events are effectively coordinated to support decision making and minimize potential impacts and losses to the GC.

In the context of this plan, the Chief Information Officer of Canada (GC CIO) represents whole-of-government interests during cyber security events that affect or may affect the delivery of programs and services. The GC CIO addresses topics that include overall GC response to cyber security events and enterprise-level actions taken to protect GC information systems. This includes responsibilities for:

  • executing cyber security risk management decisions by issuing mandatory direction to departments in response to cyber security eventsFootnote 7 (for example, implementing security controls and disconnecting systems that put the GC at risk, when warranted)
  • briefing the associate DM’s office and higher, as required, and advising assistant deputy minister committees on event-related issues, such as security and operations of GC IT systems and networks, service delivery and confidence in government
  • chairing a committee of departmental CIOs through the CIO Council; through this council, the GC CIO may issue directions to departmental CIOs regarding cyber security event management activities, specifically activities related to mitigation and recovery

TBS-Office of the Chief Information Officer (OCIO) supports the GC CIO and has strategic oversight responsibilities, including:

  • establishing, maintaining, and testing the GC CSEMP and related procedures, in accordance with the PGS (Reference R10) and the PSD (Reference R11)
  • ensuring strategic coordination of the GC response to priority cyber security events (typically Level 3 events or, when warranted, Level 2 events), which includes:
    • the role of co-chair and secretariat for all GC CSEMP governance teams, alongside the Cyber Centre (including escalation and de-escalation decisions in coordination with the Cyber Centre)
    • assessment of the government-wide program and service impact of cyber threats, vulnerabilities and security incidents to support government-wide reporting and prioritization (assessed in collaboration with the Cyber Centre and other applicable partners)
    • issuance of direction (through the GC CIO) to departments and agencies on measures to minimize the GC-wide impact of significant cyber security events
    • standing up a DG-level incident command centre and sub-committee to the EMT, to enable rapid incident-related decisions and ensure a coordinated approach for compromise-recovery and compromise-remediation efforts, in support of business resumption
  • providing advice to the DG EMC during Level 4 cyber security events
  • ensuring that TBS’s SCMA team has timely information to develop communications products and ensure that a coordinated and aligned approach is in place for public communications among stakeholders, according to the TBS-SCMA Cyber Security Communications Framework (Reference R19)
  • analyzing post-event reports and conducting GC-wide lessons-learned exercises (when warranted) to drive security policy, privacy policy or enterprise security architecture–related improvements
  • receiving material privacy breach reports from institutions
  • providing government-wide advice on privacy breach management

In addition, TBS’s strategic communications responsibilities, through its SCMA division, include:

  • acting as designated spokesperson on behalf of the GC for any cyber security event affecting government program and service delivery, typically for Level 3 events (or when warranted by events at other levels)
  • for Level 4 events, supporting Public Safety Communications (PS-Comms), which leads strategic communications for events under its purview, according to the FERP
  • supporting affected organizations by developing and/or sharing internal (GC-wide) and external communication material related to all phases of cyber security event management, in collaboration with the Cyber Centre and the PCO’s Strategic Communications, and in consultation with communications teams from implicated CSEMP stakeholders
  • determining the necessity and timing of public statements (proactive and reactive)
  • approving all communications plans (internal, stakeholder, client and public), in collaboration with affected organizations and PCO’s Strategic Communications

Canadian Centre for Cyber Security (Cyber Centre), part of the Communications Security Establishment Canada (CSEC)

The Cyber Centre is housed in the CSE. Under the GC CSEMP, the Cyber Centre is Canada’s national coordination centre for preventing, mitigating, preparing for, responding to and recovering from cyber security eventsFootnote 8 impacting the GC.

In the context of this plan, the Cyber Centre is responsible for:

  • collaborating with TBS-OCIO as one of the primary LSA stakeholders
  • performing operational coordination, which includes issuing technical direction and advice to departments and agencies on measures to mitigate or contain impact to departments, and tracking and reporting these measures (all events)
  • engaging with international counterpart organizations, such as international computer security incident response teams (CSIRTs) and national cyber centres, as part of the coordination activities, as appropriate

Table C-2: GC CSEMP specialized LSA stakeholders (columns: Organization, Responsibilities)

Royal Canadian Mounted Police (RCMP)

RCMP is the lead security agency responsible for fulfilling government-wide functions related to criminal investigations.Footnote 9

The NC3 and Federal Policing Cybercrime (FPCC) are the primary stakeholders within the RCMP responsible for law enforcement functions under this plan, including:

  • leading the criminal investigation of cyber security incidents linked to criminal activity (including criminal investigations involving terrorist activity) (FPCC)
  • participating on GC CSEMP governance teams in an advice and guidance capacity, when warranted by a particular cyber security incident or threat event (FPCC and NC3)
  • coordinating and assisting multi-jurisdictional cybercrime investigations in collaboration with law enforcement, federal government and other partners (FPCC and NC3)

Canadian Security Intelligence Service (CSIS)

CSIS is mandated to investigate threats to national securityFootnote 10 including cyber-espionage, cyber-sabotage, cyber-terrorism, and cyber-based foreign-influenced activities and advise the GC accordingly.

In the context of this plan, CSIS is responsible for:

  • leading the investigation of cyber security threats to Canada’s national security, defined by the Canadian Security Intelligence Service Act
    • to enable these investigative actions, CSIS requires the provision of all information related to cyber security events impacting GC systems when there is assessed to be a link to national security threat activities
  • when applicable, if there are reasonable grounds to believe that a particular cyber activity constitutes a threat to the security of Canada or Canadians, CSIS is authorized to take measures to reduce the threat
  • participating on CSEMP governance teams in an advice and guidance capacity, when warranted by a particular cyber security incident or threat event

National Defence/Canadian Armed Forces (DND/CAF)

DND/CAF is responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems.Footnote 11

In the context of this plan, DND/CAF is responsible for:

  • leading the investigation of any cyber incidents linked to activities directed against military systems (systems directly supporting military operational theatres and weapon systems)
  • providing additional support and assistance to other government departments, if tasked
  • participating on CSEMP governance teams in an advice and guidance capacity, when warranted by a particular cyber security incident or threat event

Public Safety Canada (PS)

Through its National Cyber Security Directorate (NCSD), located in the National and Cyber Security Branch, PS leads and coordinates Canada’s national cyber security policy and strategy, and provides advice to the Minister on cyber security incidents and events affecting GC and non-GC systems.

PS coordinates the overall response to significant events that could affect the safety and security of Canadians. The Government Operations Centre (GOC), described in Table C-1.3, resides within PS’s Emergency Management Branch.

In the context of this plan, PS-NCSD is responsible for participating on CSEMP governance teams in an advice and guidance capacity.

Global Affairs Canada (GAC)

GAC is responsible for conducting Canada’s international relations, including working with partners and allies to address international cyber threats.

In the context of this plan, GAC is responsible for:

  • developing international messaging related to cyber security event management, in collaboration with TBS-SCMA, Cyber Centre, and the PCO’s Strategic Communications, and in consultation with communications teams from implicated CSEMP stakeholders
  • coordinating with and messaging international partners (at a state-to-state level), allies and other Ministry of Foreign Affairs counterparts in the context of a cyber event taking place in Canada, even if there is no cross-jurisdiction coordination involved
  • providing foreign policy advice and international coordination in the context of a cyber event that has international ramifications
  • leading GC coordination efforts in developing public attribution statements of malicious cyber activity to a foreign state actor or their proxies

Table C-3: Other stakeholders
Organization Responsibilities

Shared Services Canada (SSC)

SSC is responsible for planning, designing, building, operating, supporting and maintaining effective, efficient and responsive enterprise IT security infrastructure services to secure GC data and systems under its responsibility.Footnote 12 This includes managing tools to support the monitoring of departmental electronic networks and devices.Footnote 13

In the context of this plan, SSC is responsible for:

  • monitoring the security infrastructure health and unusual activity on the SSC managed networks
  • blocking and mitigating cyber threat activity targeting SSC-managed networks or information
  • reporting security events of interest to the Cyber Centre and client departments through the Cyber Centre, as required
  • responding to the Cyber Centre and TBS recommendations, and ensuring that updates and mitigating measures are applied in a timely manner
  • supporting the identification, risk assessment, mitigation, recovery and post-analysis of cyber security events within the GC
  • assessing government-wide program and service impacts of cyber threats, vulnerabilities and security incidents to support government-wide reporting, to be submitted to the Cyber Centre and TBS
  • implementing prevention, mitigation and recovery efforts, including timely situational awareness updates to key GC CSEMP stakeholders
  • when a cyber security event occurs, coordinating with partners to determine whether any infrastructure it manages has to be shut down or be isolated from the network
  • establishing and implementing a patch management plan, including an emergency patching process, for the scope of the services and systems under its responsibility
  • providing reporting and other information products to key CSEMP stakeholders including:
    • status of vulnerability and mitigation to affected organizations
    • infrastructure security logs to the Cyber Centre
  • producing post-event reports, including a timeline of events and root-cause analysis, and submitting them to the Cyber Centre, TBS and other relevant organizations, as required (for example, PCO)

Public Safety Canada – Government Operations Centre (GOC)

The GOC leads and supports response coordination of any type of event affecting the national interest. It provides 24/7 monitoring and reporting, national-level situational awareness, warning products and integrated risk assessments, as well as national-level planning and whole-of-government response management. During periods of heightened response, the GOC is augmented by staff from other organizations.

In the context of this plan, the GOC is responsible for:

  • monitoring Level 3 and higher cyber security events for potential escalation, such as:
    • providing warning and awareness products to operations centres across government
    • conducting risk assessments and planning
    • briefing the FERP governance
  • ensuring that a link is maintained between the CSEMP and the SEISPReference R3 (Accessible on the GC network only)
  • recommending activation of the CSEMP, should the GOC become aware of a significant event with a cyber nexus
  • recommending escalation of the SEISP should a cyber incident pose concerns within the scope of the SEISP
  • coordinating the overall GC response to events that fall under the FERP (Level 4) and ensuring coordination between cyber and non-cyber aspects
  • ensuring that PS-Comms has timely information to develop communications products and ensure that a coordinated and aligned approach is in place for public communications among stakeholders during a Level 4 incident

Privy Council Office (PCO)

PCO helps to articulate and implement the GC’s policy agenda and to coordinate timely responses to issues facing the GC that are of national, inter-governmental and international importance. In that respect, PCO’s Security and Intelligence (S&I) team has a leading role in the coordination of government-wide response to national security emergencies.

In the context of this plan, PCO Security and Intelligence (S&I) is responsible for:

  • supporting the GC decision-making process by ensuring that senior officials are apprised in a timely manner of cyber security incidents that may be of national importance or may have national security implications
  • participating on GC CSEMP governance teams in an advice and guidance capacity, when warranted by a particular national incident or threat event

In addition, PCO Strategic Communications (SC) team plays a role during significant cyber events including:

  • providing communications advice to Cabinet and senior officials of the PCO
  • coordinating government-wide communications (in collaboration with PS-Comms and CSE Comms (Cyber Centre)), including crisis management, during a cyber security event

Director General Emergency Management Committee (DG EMC)

The DG EMC comprises federal institutions with statutory mandates to advance a disaster-resilient Canada, as well as a broad range of federal institutions with potentially relevant mandates to emergency management. The DG EMC is responsible for advancing a whole-of-society perspective on horizontal emergency management issues.

In the context of this plan, the DG EMC becomes the GC CSEMP interface into the FERP governance structure during Level 4 events, liaising with ADM, DM and Cabinet Committees, as required.

Departments and agencies

Departments and agencies play a key role in GC-wide cyber security event management, whether they are directly affected by an event or not. Departmental governance, plans and procedures are to be developed to support departmental roles and responsibilities related to security event management and business continuity plans in place, in accordance with the Policy on Government SecurityReference R10 and related directives and standards.

In the context of this plan, departments and agencies, under the leadership of the departmental DOCS, in collaboration with the departmental CIO and CSO as appropriate, are responsible for:

  • ensuring that cyber security requirements and appropriate risk-based measures are applied continuously in an identify, protect, detect, respond and recover approach, in accordance with the Directive on Security Management, Appendix B: Mandatory Procedures for Information Technology Security ControlFootnote 14
  • establishing a departmental cyber event management plan, including clear roles and responsibilities where there may be various stakeholders involved in responding to GC CSEMP activitiesFootnote 15 (for example, incident management team, Access to Information and Privacy team (for privacy breach management), departmental communications representatives, and IESOs (such as SSC))
  • ensuring that management and reporting requirements related to cyber security events are clearly stipulated in contracts, memoranda of understanding or other formal arrangements with external partners (for example, private sector suppliers and other levels of government) and address the requirements established in applicable GC and departmental policy instruments including, but not limited to, this plan
  • ensuring that an up-to-date inventory of critical services and understanding of information holdings is maintained to facilitate event response and prioritization
  • ensuring that a departmental patch management plan that includes clear roles and responsibilities and emergency patch management procedures is established and maintained
  • ensuring that event logging is configured on department-managed IT services, and that logs are forwarded to a centralized security event and information log system
  • performing information security continuous monitoring for services and systems within the scope of the department’s span of responsibility (including applications and department-managed IT services such as desktop endpoints and cloud-based environments)
  • ensuring alignment of roles, responsibilities and processes between the departmental business continuity plan(s) and the departmental cyber security event management plan
  • monitoring the Cyber Centre technical information products and assessing their applicability to department owned and managed information systems
  • maintaining generic departmental CIO, DOCS and IT Security team mailboxes that are PKI-enabled to support secure communications
  • assessing departmental program and service impacts of cyber threats, vulnerabilities and security incidents
  • reporting cyber security events and incidents, in accordance with sections 2.3.1.2–2.3.1.4 of this plan, including:
    • following appropriate protocols upon occurrence of a privacy breach, including reporting material privacy breaches to the Office of the Privacy Commissioner of Canada and TBS (the Directive on Privacy PracticesReference R16)
    • notifying the Cyber Centre if additional assistance is required to perform event response–related activities
    • notifying appropriate law enforcement or national security authorities when an event falls under these domains
  • taking immediate action within the department to assess impacts, including whether there has been a privacy breach, and implementing mitigation measures in response to cyber security eventsFootnote 16
  • responding to requests for action (RFAs) in accordance with specified timelines
  • implementing mitigations and supporting recovery activities based on direction and guidance issued by LSAs or central agencies
  • participating on GC CSEMP governance teams when requested (typically when affected by a cyber security event)
  • developing and disseminating applicable stakeholder and client management communications products (in consultation with or under the direction of TBS-SCMA and PCO-SC, as required)
  • conducting post-event analysis and preparing departmental lessons-learned reports (for applicable events) and submitting them to the Cyber Centre
  • continually maintaining and improving their departmental event response capability, including, but not limited to, implementing lessons learned (GC-wide and departmental), regularly exercising departmental plans and procedures, maintaining departmental contact lists, and training appropriate cyber security response personnel

IESOs

An IESO, as defined under the PGSReference R10, is a department or organization that provides internal enterprise services to other GC departments. IESOs are responsible for establishing mechanisms to inform service recipients of cyber security events that impact their systems or information. This includes providing service recipients with the information necessary for the completion of incident reports and responses to RFAs in a timely fashion, as well as any other digital evidence required to support departmental mitigation, recovery and post-event activities.

External partners

Departments and agencies often rely on various partners external to the GC to support program and service delivery, including other orders of government and academic or scientific partners. External partners are required to manage and report on cyber events in accordance with the stipulations outlined in their respective agreements with departmental service owners.

Third-party suppliers

Third-party suppliers include private sector organizations such as cloud service providers (CSP) and managed service providers (MSP). While an MSP is a company that remotely manages IT infrastructure and end-user systems on behalf of a client, a CSP dictates both the technology and the operational procedures available to the consumer (departments and agencies). Third-party suppliers are required to manage and report on cyber events in accordance with the stipulations outlined in their respective contractual agreements provisioned by departmental service owners as part of the departmental supply chain risk management approach.

In the context of this plan, third-party suppliers are expected to:

  • respond quickly to an incident that has an impact on GC information and assets to minimize the resulting damage. Cyber events can be identified by the GC (for example, usability issues with a service) or by the third-party supplier
  • manage and report on cyber events in accordance with the stipulations outlined in the respective contractual agreements provisioned by departmental service owners
  • work collaboratively with the Cyber Centre and affected departments to obtain the necessary information, including event logs, to conduct investigations and to support containment, eradication and recovery activities

C-2 Roles and responsibilities by phase

This section describes roles and responsibilities of GC CSEMP stakeholders, by phase.

C-2.1 Preparation

Table C-4: Stakeholder activities during preparation phase
Stakeholder Activities

All GC CSEMP stakeholders (including all departments and agencies)

  • ensure that cyber security requirements and appropriate risk-based protective and preventive measures are applied continuously in an identify, protect, detect, respond and recover approach to protect information systems and services within their responsibility, in accordance with advice and guidance issued by LSAs
  • provide security awareness training for all employees and specialized training for security functional specialists, as appropriate
  • develop departmental plans, processes and procedures to respond to cyber security events and reporting of incidents to appropriate authorities, in alignment with the GC CSEMP; test and practice their response to a cyber event; participate in GC-wide exercises when required; and ensure that applicable lessons learned are implemented at the departmental level
  • continually maintain an inventory of their information system assets, including a list of their critical services
  • continuously monitor information systems and assets to identify cyber security events, manage vulnerabilities and implement corrective actions, such as promptly applying security-related patches and updates
  • maintain contact information, including generic mailboxes for their departmental CIO, DOCS and IT Security teams
  • establish a process to monitor the generic mailboxes both during and outside of regular business hours
  • ensure that supply chain threats and vulnerabilities to IT services obtained through third-party suppliers are mitigated and managed through contractual arrangements that outline clear roles and responsibilities between the GC organizations and the supplier, require third-party suppliers to assure their cyber security against GC-approved security baselines and contract security requirements, and include requirements to collaborate with GC CSEMP stakeholders during a cyber event affecting the third-party supplier
  • for cyber events affecting NSS, ensure that the departmental CIO, DOCS and IT Security teams have the appropriate tools, commensurate with the security category of the affected information system, to securely communicate with the Cyber Centre

Treasury Board of Canada Secretariat – Office of the Chief Information Officer

  • develops and maintains the GC CSEMP, coordinates regular exercises with all implicated stakeholders and ensures that lessons learned are implemented
  • reviews post-mortem and lessons-learned reports from past events and drives changes to Treasury Board policy instruments, enterprise security direction and reference architectures, and so on, as required

Cyber Centre

  • maintains GC-wide operational distribution lists and ensures that departments and agencies are continually provided with the advice and guidance required to mitigate cyber threats and vulnerabilities to prevent the occurrence of cyber security incidents
  • produces strategic cyber threat assessments for GC consumption and awareness

C-2.2 Detection and assessment

Table C-5: Stakeholder activities during detection phase
Stakeholder Activities

All GC CSEMP stakeholders (including departments and agencies)

  • monitor their respective information sources for precursors of emerging cyber threat or vulnerability events, or indicators of potential or confirmed cyber security incidents, and immediately notify the Cyber Centre of any potential cyber events that may affect GC information systems

Cyber Centre

  • monitors information from their sensor program, intelligence and operational sources, international and trusted partners

Specialized LSA stakeholders

  • RCMP will monitor information from open source, intelligence and operational sources
  • CSIS will monitor information from intelligence sources and operational sources, judicially authorized collection, domestic and foreign partners, and other trusted partners
  • DND-CAF will monitor all DND-owned and operated networks, as well as networks from allied sources (such as NATO) and when deployed on operation, and provide intelligence and indicators identified by external military partners and through DND-CAF activities

Departments and agencies

  • enable detection by configuring event logging on IT assets, in accordance with the GC Event Logging GuidanceReference R13, for subsequent forwarding to a centralized security event and information log system
  • monitor Cyber Centre advisories and vendor notifications

IESOs (such as SSC)

  • where an internal enterprise service organization (IESO) such as SSC manages partner services, the IESO reports the event on behalf of the partner
  • ensures that third-party suppliers, through contractual agreements, report and communicate cyber events that impact the GC with primary LSA stakeholders, as appropriate
  • identifies and reports on affected or vulnerable systems, or security events of interest, to the Cyber Centre, as required

Table C-6: Stakeholder activities during assessment phase
Stakeholder Activities

Cyber Centre

  • establishes the initial cyber response level, in consultation with TBS-OCIO and other applicable partners, based on available information, including departmental information, and invokes the appropriate GC CSEMP governance bodies
  • collaborates with TBS-OCIO to determine expectations for any RFA

Treasury Board of Canada Secretariat – Office of the Chief Information Officer

  • may direct a deputy head to implement a specific response to cyber security events,Footnote 17 including an RFA to departments and agencies in response to a Cyber Centre notification
  • determines the details of the request and applicable actions, in consultation with the Cyber Centre
  • collects departmental responses from RFAs and shares with the Cyber Centre

IESOs (such as SSC)

  • assists in conducting either an injury test (incident) or risk assessment (threat/vulnerability), as required
  • monitors security infrastructure health and looks for unusual activity on the GC networks
  • provides timely situational awareness updates to key GC CSEMP stakeholders

Departments and agencies

  • perform a departmental impact assessment, including assessing impacts to the organization, individuals, businesses, and third parties, among others
  • use all available information sources, including automated tools, where possible, to gather information required to support an impact assessment
  • assess whether there has been a privacy breach; if personal information is potentially involved in the incident, notify the appropriate authorities such as the departmental ATIP office to determine whether a privacy breach has occurred and, if so, activate the institutional privacy breach protocol
  • apply the reporting requirements outlined in section 2.3.1.2 of this plan upon detection of a cyber security event, including submitting departmental assessment results to the Cyber Centre within the specified time frames, and cooperating with appropriate law enforcement and national security authorities if the event constitutes a criminal offence or a national security threat to the safety and security of Canadians

C-2.3 Mitigation and recovery

Table C-7: Stakeholder activities during mitigation and recovery phase
Stakeholder Activities

Treasury Board of Canada Secretariat – Office of the Chief Information Officer

  • performs strategic coordination, which may include issuing strategic direction and briefings to departments and agencies on measures to minimize the GC-wide impact of cyber security events (for example, shutting down vulnerable public-facing information systems, invoking business continuity plans for Level 3 GC CSEMP events or when warranted by Level 2 GC CSEMP events)
  • for Level 3 events or, when warranted by Level 2 events, stands up a DG-level incident command centre and sub-committee to the EMT to enable rapid incident-related decisions and ensure a coordinated approach for compromise recovery and remediation efforts, in support of business resumption

Cyber Centre

  • performs operational coordination, which includes issuing technical direction and advice to departments and agencies on measures to mitigate or contain impact to departmental systems (such as patch installation or blocking of IP addresses), and tracking and reporting these measures (all events)
  • for Level 2 and Level 3 GC CSEMP events, leads incident response coordination activities
  • for Level 4, works with the GOC, which activates FERP, to ensure that a coordinated approach is established between governmental and non-governmental organizations
  • for confirmed incidents (all Level 3+ GC CSEMP and applicable Level 2 GC CSEMP):
    • leads the development of a GC-wide containment plan in collaboration with GC CSEMP stakeholders
    • uses their technical capabilities for a targeted response
    • helps implement the prevention or containment plan in their respective areas of responsibility
    • leads forensic examination and analysis activities (including evidence collection) on IT systems

Specialized LSA stakeholders

  • contribute advice and guidance based on information received from their respective sources

Public Safety – Government Operations Centre

  • for events with an ongoing FERP response, performs strategic coordination, which may include issuing (through TBS-OCIO) direction to departments and agencies on measures to minimize the GC-wide impact (Level 4 GC CSEMP events only)

Departments and agencies

  • take immediate actionFootnote 18 within the department to implement mitigation measures in response to cyber security events based on guidance and direction from the Cyber Centre and TBS-OCIO, or based on direction from GC CIO, within established timelines (on devices and infrastructure for which they are responsible)
  • collaborate with their IESO as appropriate to implement the prevention or containment plan in their respective areas of responsibility
  • ensure that a chain-of-custodyFootnote 19 process is defined and implemented as appropriate

IESOs (such as SSC)

  • take immediate action within the department based on direction from GC CIO, including implementing mitigation measures in response to cyber security events based on guidance and direction from the Cyber Centre and TBS-OCIO within established timelines (on devices and infrastructure for which they are responsible)
  • identify and report on affected or vulnerable systems within the scope of the IESO’s responsibility
  • liaise with their partners or client departments to implement cyber event mitigations, such as coordination of infrastructure patching
  • report to key GC CSEMP stakeholders on status of vulnerability management or mitigation and recovery activities

C-2.4 Post-event activity

Table C-8: Stakeholder activities during post-event phase
Stakeholder Activities

Treasury Board of Canada Secretariat – Office of the Chief Information Officer

  • produces a lessons-learned report and action plan on behalf of the GC, based on post-event reports developed by the Cyber Centre (Level 3 events or when warranted by Level 2 events)
  • monitors implementation of the recommendations from lessons-learned reports and associated action plans

Cyber Centre

  • collates all departmental findings
  • produces a post-event report, including a timeline of events and root cause analysis

IESOs (such as SSC)

  • conducts proactive, on-demand vulnerability assessments and penetration testing
  • produces post-event reports, including timeline of events and root-cause analysis and submits them to the Cyber Centre, TBS and other relevant organizations, as required

Public Safety – Government Operations Centre

  • produces a lessons-learned report for Level 4 events
  • monitors the implementation of the recommendations (Level 4 events only)

Departments and agencies

  • produce their own departmental lessons-learned report and action plan where they are affected by a cyber event
  • contribute to GC-wide post-event activities, as required

All other GC CSEMP stakeholders

  • provide information required to support the development of GC-wide lessons-learned reports
  • assist with implementation of related action items under their areas of responsibility

Appendix D: Reporting procedures

In this section

Appendix D outlines the procedures for reporting to the Cyber Centre and the RCMP. Examples of types of events that should be reported include, but are not limited to:

  • suspected or actual compromise of any administrative credentials
  • suspicious activity on devices that have been in foreign countries or have been connected to untrusted networks or devices (such as a USB key gift)
  • suspicious or targeted emails with attachments or links that were not detected by existing security controls
  • suspicious or unauthorized network activity that represents a deviation from baseline
  • data breaches or compromise or corruption of information
  • intentional or accidental introduction of malware to a network
  • denial of service attacks
  • successful ransomware attempts
  • web or online presence defacement or compromise (including unauthorized use of GC social media accounts)
  • activities that pose an actual or suspected risk of insider threat

For cyber security incidents involving NSS, only submit high-level details when contacting the Cyber Centre or Police of Jurisdiction (including RCMP or Military Police) and provide further details over appropriate secure channels.

D-1 Incident reporting information

Table D-1 outlines the information that should be provided when reporting an incident to the Cyber Centre and the RCMP.

To balance timeliness with completeness of reporting, departments are expected to:

  • provide an initial report as soon as possible and no later than 1 hour after initial detection, with as much information as possible
  • provide a more complete, detailed report within 24 hours after detection, addressing the remaining items in Table D-1 (to the greatest extent possible).

Departments are expected to include the Departmental Impact Assessment (refer to Appendix E) as part of the detailed report, when possible.

Table D-1: Incident reporting information
ID Type Description

1

Contact details

Name, phone number, email, organization or department, and role

2

Type of request

Request for Assistance (urgent or not urgent) or Information only

3

Incident description/summary

Describe the cyber incident by answering as many of the following questions as possible:

  • When did the activity occur?
  • When was the activity discovered?
  • Is the malicious activity still ongoing?
  • What type of asset(s) are affected (phone, website, computer, account, services, other)?
  • What is the impact of the incident on your organization or services (scope and severity)?
  • Is the situation under control?
  • Have any artifacts been preserved (email addresses, IP addresses, suspicious files, ransom note, log files, other)?

4

Additional information

Any further information including references, device details, indicators such as URLs, IP addresses, any mitigation actions taken, and so on.

D-2 How to contact the Cyber Centre

Regular reporting channels (by email and, if urgent, by phone) should be used to contact the Cyber Centre in the case of an incident. If no regular reporting channels have been established, Government of Canada organizations can use the Cyber Centre’s Incident Reporting Portal. Upon receipt, the Cyber Centre will triage and respond in a timely manner.

D-3 How to contact the RCMP

To report a cybercrime incident to the RCMP, departmental representatives are to contact the NC3 at NC3Cyber-CyberGNC3@rcmp-grc.gc.ca, or contact the RCMP Operational Coordination Centre (ROCC) by telephone at 343-547-2730 or by email at rocc_ops_ccog@rcmp-grc.gc.ca and request to speak to someone at the NC3.

Upon receipt of the report of the incident, the RCMP will triage and respond in a timely manner. Responses from the RCMP may include an email response advising of the receipt of the report, a request for further information and/or a request for a virtual or in-person interview.

Appendix E: Departmental impact assessment

In this section

This appendix outlines a high-level process to assess impact related to a cyber security event. This two-step process can be adopted and used by departments as required to inform their incident response plan.

Step 1: Injury Test

Assessment of impact for all cyber security events (threats, vulnerabilities and confirmed incidents) begins with an injury test to measure the degree of injury that could reasonably be expected to occur due to a compromise resulting in an incident.

Step 2: Risk Assessment

For cyber threat and vulnerability events, determine the probability of injury occurrence to obtain a more accurate representation of potential departmental impact.

E-1 Step 1: Injury test – for all cyber security events

The injury test, performed using Table E-1, is based on severity and scope of the injury that could be reasonably expected to occur.

Severity

The severity levels can be characterized as:

  • Limited: an event that, if it occurred, would cause limited injury
  • Serious: an event that, if it occurred, would cause serious injury
  • Severe: an event that, if it occurred, would cause severe injury

The severity of the injury refers to the level of harm, damage or loss for the following types of injury:

  • harm to the health and safety of individuals
  • financial losses or economic hardship
  • impacts to government programs and services
  • loss of civil order or national sovereignty
  • damage to reputations or relationships
  • injury to the nation or national security

Other factors specific to a departmental or agency mandate or operational context may also be considered, as well as the security categorization of the information system as defined by the Directive on Security Management, Appendix J: Standard on Security Categorization (Reference R21).

Scope

The scope of injury refers to the number of people, organizations, facilities or systems impacted; the geographical area affected (for example, localized or widespread); or duration of the injury (for example, short term or long term). The scope of injury can be characterized as:

  • Wide: widespread, national or international, multiple countries or jurisdictions, major government programs or sectors
  • Medium: jurisdiction, business sector, government program; group or community
  • Narrow: individual, small business

Table E-1: Injury test

Severity \ Scope   Narrow   Medium   Wide
Severe             Medium   High     Very high
Serious            Low      Medium   High
Limited            Low      Low      Medium

Result: departmental impact level

Table E-2 can be consulted to analyze potential expected results of a compromise and validate the outcome of the initial injury test. Once confirmed, this value can be entered in the incident report and submitted to the Cyber Centre.

Table E-2: Expected results of compromise
Impact Result of compromise

Very high

  • Widespread loss of life
  • Major long-term damage to the Canadian economy
  • Severe impediment to national security (for example, compromising capabilities of Canadian Armed Forces or national intelligence operations)
  • Severe damage to diplomatic or international relations
  • Long-term loss of public confidence in the GC that disrupts the stability of government

High

  • Severe injury or loss of life to a group of individuals, or widespread serious injury
  • Serious financial loss that impedes the Canadian economy, compromises the viability of a GC program or reduces international competitiveness
  • Serious impediment to one or more critical services or impediment to national security
  • Serious damage to international relations that could result in a formal protest or sanction
  • Long-term loss of public confidence in the GC that disrupts a priority objective of the government

Medium

  • Threat to the life or safety of an individual, or serious injury to a group of individuals
  • Financial loss that affects performance across a sector of the economy, affects GC program outcomes or affects the well-being of a large number of Canadians
  • Serious impediment to public-facing programs and services or departmental operations, jeopardizing program objectives
  • Damage to federal–provincial relations
  • Serious loss of public trust or confidence in the GC or embarrassment to the GC

Low

  • Physical or psychological harm to an individual
  • Financial stress or hardship to an individual
  • Impediment to departmental operations that could have a limited impact on program effectiveness
  • Harm to the reputation of an individual or business
  • Minor loss of public trust or confidence in the GC

E-2 Step 2: Risk assessment – for cyber threat and vulnerability events only

Unlike cyber security incidents, where injury has been realized, injury is still in a potential state for cyber threat and vulnerability events. To establish an accurate potential impact level, a risk assessment is conducted (using Table E-3) to determine the probability of occurrence for the injury. Using the results of the injury test performed in Step 1, a risk-modified departmental impact level is determined based on factors such as intelligence indicators (likelihood of compromise), exploitability, exposure of affected information systems, and implementation of compensating controls.

Table E-3: Risk assessment

Exposure criteria (one set per column of the table):

Low exposure

  • Low likelihood that threat will target GC
  • Vulnerability very difficult to exploit
  • Vulnerable systems are not directly exposed (for example, stand‑alone systems)
  • Existing security controls effectively counter threat or vulnerability

Medium exposure

  • Medium likelihood that threat will target GC
  • Vulnerability exploitable with significant resources
  • Vulnerable systems are visible to one department only (for example, on its intranet)
  • Existing security controls partially counter threat or vulnerability

High exposure

  • High likelihood that threat will target GC
  • Vulnerability exploitable with moderate resources
  • Vulnerable systems are visible to many departments (for example, GC extranet)
  • Existing security controls provide limited protection against threat or vulnerability

Very high exposure

  • Threat or compromise imminent
  • Vulnerability easily exploitable with limited resources
  • Vulnerable systems are highly exposed (for example, Internet-facing)
  • Existing security controls do not provide protection against threat or vulnerability

Impact level (as per injury test in Step 1) \ Exposure   Low      Medium   High     Very high
Very high                                                High     High     High     Very high
High                                                     Medium   Medium   High     High
Medium                                                   Low      Medium   Medium   Medium
Low                                                      Low      Low      Low      Low

Result: risk-modified departmental impact level

This risk-modified departmental impact level is to be reported to the Cyber Centre (when requested through an RFA) for consumption at the GC-wide level.

Cyber threat or vulnerability events are to be classified as cyber security incidents as soon as injury is realized. When injury moves from a potential state to a realized state, the injury tests in this appendix will require re-evaluation and resubmission to the Cyber Centre to determine whether changes to event response or further escalation are required.
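As an added illustration, not code from the GC CSEMP, the two-step process of Tables E-1 and E-3 is written out below as a small Python module, together with the re-evaluation described in the paragraph above (the same severe, wide event assessed first as a vulnerability and then as a realized incident). The `ExposureFactors` class, the `combine_exposure` rule and the function names are assumptions made for this example: Appendix E rates four factors per exposure column but does not say how to reconcile factors that fall in different columns, so the example takes the most conservative (highest) rating.

```python
"""Worked example of the GC CSEMP Appendix E departmental impact assessment.

Added illustration; not code from the GC CSEMP. The way the four exposure
factors are combined (combine_exposure) is an assumption of this example.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Ordinal scale shared by impact and exposure (Tables E-1 and E-3)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


# Table E-1 (injury test): [severity][scope] -> departmental impact level.
INJURY_TEST = {
    "severe":  {"narrow": Level.MEDIUM, "medium": Level.HIGH,   "wide": Level.VERY_HIGH},
    "serious": {"narrow": Level.LOW,    "medium": Level.MEDIUM, "wide": Level.HIGH},
    "limited": {"narrow": Level.LOW,    "medium": Level.LOW,    "wide": Level.MEDIUM},
}

# Table E-3 (risk assessment): [Step 1 impact] -> row of risk-modified levels,
# one entry per exposure column in EXPOSURE_COLUMNS order.
EXPOSURE_COLUMNS = (Level.LOW, Level.MEDIUM, Level.HIGH, Level.VERY_HIGH)
RISK_ASSESSMENT = {
    Level.VERY_HIGH: (Level.HIGH,   Level.HIGH,   Level.HIGH,   Level.VERY_HIGH),
    Level.HIGH:      (Level.MEDIUM, Level.MEDIUM, Level.HIGH,   Level.HIGH),
    Level.MEDIUM:    (Level.LOW,    Level.MEDIUM, Level.MEDIUM, Level.MEDIUM),
    Level.LOW:       (Level.LOW,    Level.LOW,    Level.LOW,    Level.LOW),
}


@dataclass(frozen=True)
class ExposureFactors:
    """The four factor rows of Table E-3, each rated on the Low..Very high
    scale: likelihood the threat targets the GC, exploitability of the
    vulnerability, how exposed the vulnerable systems are, and how little the
    existing controls help (VERY_HIGH = controls provide no protection).
    Hypothetical structure for this example."""
    likelihood: Level
    exploitability: Level
    system_exposure: Level
    control_gap: Level


def combine_exposure(f: ExposureFactors) -> Level:
    """Assumption (not stated in Appendix E): when the four factors fall in
    different columns, use the most conservative (highest) one."""
    return max(f.likelihood, f.exploitability, f.system_exposure, f.control_gap)


def injury_test(severity: str, scope: str) -> Level:
    """Step 1, Table E-1: applied to every cyber security event."""
    return INJURY_TEST[severity.lower()][scope.lower()]


def risk_assessment(impact: Level, exposure: Level) -> Level:
    """Step 2, Table E-3: applied to threat and vulnerability events only."""
    return RISK_ASSESSMENT[impact][EXPOSURE_COLUMNS.index(exposure)]


def departmental_impact(event_type: str, severity: str, scope: str,
                        factors: Optional[ExposureFactors] = None) -> Level:
    """Return the level to report to the Cyber Centre.

    event_type: "incident" (injury realized: Step 1 only) or
                "threat" / "vulnerability" (injury potential: Steps 1 and 2).
    """
    impact = injury_test(severity, scope)
    if event_type == "incident":
        return impact
    if event_type not in ("threat", "vulnerability"):
        raise ValueError(f"unknown event type: {event_type!r}")
    if factors is None:
        raise ValueError("threat/vulnerability events need exposure factors for Step 2")
    return risk_assessment(impact, combine_exposure(factors))


if __name__ == "__main__":
    # Constructed scenario: a vulnerability on a stand-alone system with
    # effective controls (Low exposure) that could cause severe, wide injury.
    quiet = ExposureFactors(Level.LOW, Level.LOW, Level.LOW, Level.LOW)
    as_vulnerability = departmental_impact("vulnerability", "severe", "wide", quiet)
    # Once injury is realized the event is an incident and Step 2 no longer
    # discounts it, so the level reported to the Cyber Centre rises.
    as_incident = departmental_impact("incident", "severe", "wide")
    print(as_vulnerability.name, "->", as_incident.name)
```

The main block reproduces the re-evaluation point: with every exposure factor at Low, a severe and wide vulnerability reports as High, and the same event reported as an incident is Very high, which is why the appendix asks for resubmission when injury is realized.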

Appendix F: Escalation and de-escalation procedures

F-1 Escalation procedures

Table F-1 outlines the activities for escalation procedures between GC CSEMP response levels.

Table F-1: GC CSEMP escalation procedures
Escalation procedure   Activities

Escalation from a Level 1 to a Level 2 GC CSEMP event

  • Declaration of a Level 2 GC CSEMP event is jointly determined by executives at the director-level from the Cyber Centre and TBS-OCIO
  • An update is disseminated to operational stakeholders by the Cyber Centre
  • Upon declaration, the Cyber Centre will establish an ECT as a central coordination body. The ECT will meet at an agreed-upon frequency to facilitate information sharing and deconfliction, with ECT representatives providing their respective department’s operational updates
  • Participating GC CSEMP stakeholder organizations are responsible for designating operation leads (primary and secondary) and SMEs that are to attend each meeting
  • During these meetings, departments will provide in-depth updates to the Cyber Centre on all lines of incident response and coordination, for the purposes of creating a formal situation report (SITREP)
  • Escalation may occur if increased mitigation efforts are required, a greater event impact is realized, or when the situation dictates a heightened GC response
  • TBS-SCMA’s Cyber Security Communication Framework will also be invoked

Escalation from a Level 2 to a Level 3 GC CSEMP event

  • Declaration of a Level 3 GC CSEMP event is jointly determined by executives at the director general level from the Cyber Centre and TBS-OCIO (GC CISO)
  • An update will be disseminated by the Cyber Centre to operational stakeholders.
  • The Cyber Centre will stand up an EMT, which may include impacted departments, depending on the size and scope of the compromise. In addition to the ECT, the EMT will meet on a regular basis
  • As a subcommittee to the EMT, TBS-OCIO will stand up a DG-level incident command centre that comprises primary stakeholders (including affected department(s)), to enable rapid incident-related decisions and ensure a coordinated approach for compromise recovery and remediation efforts, in support of business resumption
  • The ECT will continue meeting and coordinating ongoing activities on a regular basis. Central SITREP reporting will continue to be issued by the Cyber Centre. Representatives from impacted departments, SSC (where appropriate), TBS-OCIO, and other LSAs will attend and provide their department’s brief on important operational updates
  • TBS-SCMA’s Cyber Security Communication Framework will also be invoked

Escalation from a Level 3 to a Level 4 GC CSEMP event

  • Where a FERP event is declared by Public Safety, executives at the director general level from the Cyber Centre, TBS-OCIO (GC CISO), and the GOC, in consultation with the EMT, will recommend to the GC CIO whether a GC CSEMP Level 4 event should be declared, in alignment with the FERP response coordination framework
  • If a GC CSEMP Level 4 event escalation is approved by the GC CIO, the GOC will activate FERP
  • GC CSEMP stakeholders will continue to fulfill their respective mandates within the GC and remain engaged in coordinating ongoing activities alongside FERP event teams
  • The ECT and EMT will continue meeting and coordinating ongoing activities on a regular basis. Central SITREP reporting will continue to be issued by the Cyber Centre. Representatives from affected departments, SSC (where appropriate), TBS-OCIO and other LSAs will attend and provide their department’s brief on important operational updates
  • TBS-SCMA’s Cyber Security Communication Framework will be invoked, in coordination with FERP

F-2 De-escalation procedures

GC response levels can be downgraded as a cyber event unfolds. Several de-escalating factors need to be considered, including whether an incident is sufficiently contained or determined to be less severe than originally assessed, whether the threat has been reduced, or whether the vulnerability has been mitigated. Table F-2 outlines the activities for de-escalation procedures between GC CSEMP response levels.

Table F-2: GC CSEMP de-escalation procedures
De-escalation procedure   Activities

De-escalation from a Level 4 to a Level 3 GC CSEMP event

  • Where Public Safety stands down a FERP event that triggered a Level 4 GC CSEMP event, the GC CSEMP level automatically de-escalates to Level 3
  • An update will be disseminated to all operational stakeholders as appropriate
  • EMT and ECT meetings will continue on a regular basis, along with ongoing central SITREP reporting from the Cyber Centre for the Level 3 GC CSEMP event
  • TBS-SCMA’s Cyber Security Communication Framework will be invoked

De-escalation from a Level 3 to a Level 2 GC CSEMP event

  • De-escalation is jointly determined by executives at the director general level within the Cyber Centre and TBS-OCIO (GC CISO), who will hold a conference to determine the current severity of the cyber event
  • An update is disseminated to all operational stakeholders as appropriate
  • The Cyber Centre will stand down the EMT
  • ECT meetings are to continue on a regular basis, along with ongoing central SITREP reporting from the Cyber Centre
  • TBS-SCMA’s Cyber Security Communication Framework will remain invoked

De-escalation from a Level 2 to a Level 1 GC CSEMP event

  • De-escalation is jointly determined by executives at the director level within the Cyber Centre and TBS-OCIO, based on the current severity of the cyber event
  • An update is disseminated to all operational stakeholders as appropriate
  • The Cyber Centre will stand down the ECT
  • Post-event activities will be conducted, in accordance with section 4.4
  • TBS-SCMA will support organizations in the transition to communicating at a Level 1

Appendix G: Integrated Command Structure

G-1 Overview

For any type of event requiring an organizational response, leadership plays a pivotal role in ensuring response measures are appropriate, effective, timely and communicated to the appropriate stakeholders. As per Section 3.3, while the GC CSEMP focuses on the authorities and responsibilities to address cyber events, these events may evolve to non-cyber events that fall outside of the GC CSEMP scope, such as confirmed privacy breaches or non-security related information technology (IT) service outages.

As depicted in Figure G-1, to ensure that there is continued leadership when events are deemed as non-cyber events, a notional integrated command structure (ICS) is proposed. The establishment of an ICS will enable the GC to define the handoff from the GC CSEMP to the appropriate authoritative framework or process, to respond to rapidly evolving events requiring GC-wide coordination.

The ICS highlights the leadership role of an event commander, who is designated based on the nature of the non-cyber event, and includes supporting roles that help to facilitate a holistic approach to addressing non-cyber events impacting the GC.

For some events, event command may be handed over multiple times as the situation evolves.

Figure G-1: Notional integrated command structure (text version)

At the top of the command structure is the event commander.

The event commander is determined based on the event category.

Rotation of event commanders may be required as the event evolves.

Supporting artifacts are as follows:

  • Government of Canada Cyber Security Event Management Plan (GC CSEMP)
  • Federal Cyber Incident Response Plan (FCIRP)
  • Federal Emergency Response Plan (FERP)
  • Communications
  • Logistical plans
  • Administrative and financial documents
  • Departmental plans

Support functions are as follows:

  • Cyber security
  • Information technology
  • Privacy
  • Corporate security
  • Legal services
  • Communications
  • Human resources

G-2 Roles & Responsibilities

The following table outlines responsibilities of the event commander.

Table G-1: Event Commander Responsibilities
Responsibility Description

Leadership

  • Establish clear, achievable event response objectives
  • Ensure effective resource allocation and management
  • Provide a unified source of truth in communicating critical information to relevant stakeholders

Coordination

  • Organize and direct appropriate stakeholders in response to the unfolding event
  • Lead engagements with external organizations (such as third-party suppliers)
  • Chair event coordination meetings
  • Lead briefings to senior officials

Tactical decision-making

  • Escalate events in accordance with the appropriate framework or other supporting plans applicable to the non-cyber event at hand
  • Work with appropriate stakeholders
  • Make final decisions on courses of action, in collaboration with appropriate stakeholders and supporting functions

Executive Briefings

  • Lead important briefings to senior leadership committees and/or members, depending on the nature of the event
  • Provide situational reports to executive committees as required, including but not limited to:
    • initial incident reports
    • detailed incident reports
  • Escalate decisions requiring senior official or ministerial approval

Under the direction of the event commander, the appropriate support functions would be responsible for actions such as:

  • Investigating root causes of incident(s).
  • Conducting forensics or other required analyses.
  • Collecting information required to support decision-making.
  • Escalating critical information to the event commander.
  • Contributing to initial incident reports and detailed event reports for respective areas of expertise and situational awareness (Reference R22).
  • Attending event coordination meetings or committees as subject matter experts to support the event commander on an as-needed basis.

Page details

2026-05-20