1.1 Users accessing GC systems or sensitive information use a GC-approved platform and endpoint configurations that support the applicable User and Workpoint Profiles.
1.2 All information at rest on endpoint devices is protected through the use of appropriate encryption safeguards, including full-disk encryption, as set out in the portable data storage configuration.
1.3 All sensitive information in transit over public network infrastructure is protected with appropriate encryption safeguards, including the use of approved remote access services.
1.4 Split tunnelling is disabled except for domains that are included in the list approved by the GC Enterprise Architecture Review Board. All other network traffic to or from the Internet must flow through the GC-approved pathways to the Internet rather than via a direct connection to the Internet, in order to leverage the Canadian Centre for Cyber Security’s cyber defences.
1.5 Endpoints must be protected against both known and unknown malicious activity with appropriate host-based protections, including:
1.5.1 Cyber defence security services that detect and respond to anomalous behaviour, including those offered through Canadian Centre for Cyber Security host-based sensors;
1.5.2 A host firewall to limit both inbound and outbound network connections; and
1.5.3 On-device reputational site-filtering and malware detection software that is configured with:
1.5.3.1 Up-to-date signatures and heuristic detection capabilities to detect, isolate and defeat malicious code;
1.5.3.2 Advanced threat detection, including detection of file-less malware;
1.5.3.3 Engine and definition files that are checked for currency and updated at least daily; and
1.5.3.4 Automatic and regular scanning that is configured for all fixed disks and removable media.
2. Endpoint hardening
2.1 Use standard operating environment baselines whose operating systems and applications run the latest supported, up-to-date and tested software versions, including the Windows 10 Baseline Configuration.
2.2 Disable all non-essential services, ports or functionality of systems, devices and applications.
2.3 Remove or disable unnecessary accounts from systems, and change passwords for default accounts.
2.4 Implement application control to restrict the execution of executables, software libraries, scripts and installers to an approved set that is configured to generate event logs for failed execution attempts.
2.5 Implement device access control to prevent unauthorized devices from being connected.
3. Endpoint management
3.1 Use an endpoint management solution to:
3.1.1 Maintain an inventory;
3.1.2 Enable the application of device management configurations on all endpoints; and
3.1.3 Assess the hardware, software and specific configuration settings on each endpoint, record this data in one or more repositories, and make that information available to other systems.
3.2 Actively patch all operating systems, software applications, hardware and firmware installed on endpoint devices to mitigate known software flaws and vulnerabilities.
3.3 Configure logging on endpoints, in alignment with GC Event Logging Guidance, to improve the ability to detect and identify anomalous behaviours. Forward the logs to an approved GC centralized security event and information log system to support incident response and forensic analysis.
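As an added example (not part of the directive or any GC tooling), the following read-only PowerShell check reports an endpoint's posture against requirements 1.2, 1.5.2, 1.5.3.3, 2.4 and 3.3 on a Windows 10 host, using the standard BitLocker, NetSecurity, Defender and AppLocker modules. The one-day signature threshold and the Windows Event Forwarding policy key used as evidence of central log forwarding are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only posture check for the endpoint controls above.
# Requires the BitLocker, NetSecurity, Defender and AppLocker modules.

function Test-EndpointPosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1.2: full-disk encryption must be active on every BitLocker-managed volume
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' } | ForEach-Object {
        $findings.Add("1.2 BitLocker protection is not on for volume $($_.MountPoint)")
    }

    # 1.5.2: host firewall enabled on every profile; a default-allow inbound policy is a finding
    Get-NetFirewallProfile | ForEach-Object {
        if (-not $_.Enabled) { $findings.Add("1.5.2 Firewall profile '$($_.Name)' is disabled") }
        if ($_.DefaultInboundAction -eq 'Allow') {
            $findings.Add("1.5.2 Firewall profile '$($_.Name)' allows inbound connections by default")
        }
    }

    # 1.5.3 / 1.5.3.3: real-time protection on, definitions updated within the last day (assumed threshold)
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('1.5.3 Real-time malware protection is disabled') }
    if ($mp.AntivirusSignatureAge -gt 1) {
        $findings.Add("1.5.3.3 Antivirus signatures are $($mp.AntivirusSignatureAge) days old")
    }

    # 2.4: an effective AppLocker policy with at least one rule, and the log that records blocked executions enabled
    $policyXml = Get-AppLockerPolicy -Effective -Xml
    if ($policyXml -notmatch '<File(Path|Publisher|Hash)Rule') {
        $findings.Add('2.4 No effective AppLocker rules: application control is not enforced')
    }
    $appLockerLog = Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue
    if (-not $appLockerLog -or -not $appLockerLog.IsEnabled) {
        $findings.Add('2.4 AppLocker EXE and DLL event log is not enabled; failed executions are not logged')
    }

    # 3.3: central forwarding, evidenced here by a Windows Event Forwarding subscription manager (assumption)
    $wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $wefKey)) {
        $findings.Add('3.3 No Windows Event Forwarding subscription manager configured')
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

Test-EndpointPosture | Format-List
```

Run it in an elevated session; a `Compliant` value of `$false` lists each control that needs attention, with the directive clause number at the start of every finding.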