System Management Configuration Requirements
1. Asset management
1.1 Maintain an up-to-date asset inventory that includes:
- 1.1.1 System owner information;
- 1.1.2 Versions and patch histories of applications, drivers, operating systems and firmware for information system components such as endpoints, servers, network devices and all other IT equipment; and
- 1.1.3 Support timelines.
1.2 Manage the life cycle of any information system components and devices that are at end of life, including developing a plan to remove them, or replace them with vendor-supported versions, before end of life occurs, or ensuring that compensating controls are in place if they cannot be removed.
2. System hardening
2.1 Deploy information systems in network zones that are segmented in accordance with the Cyber Centre’s Baseline Security Requirements for Network Security Zones (Version 2.0): ITSP.80.022 and Network Security Zoning: Design Considerations for Placement of Services Within Zones (ITSG-38).
2.2 Deploy standard operating environment baselines that use operating systems and applications configured with the latest releases of supported, up-to-date and tested versions of software.
2.3 Harden operating systems and applications to provide only essential capabilities in accordance with the Cyber Centre’s Top 10 IT Security Actions: Number 4 Harden Operating Systems and Applications (ITSM.10.090). This includes leveraging hardening frameworks such as those available from Center for Internet Security (CIS).
2.4 Implement application security controls that restrict the execution of executables, software libraries, scripts and installers to an approved set, and configure those controls to generate event logs for failed execution attempts.
3. System integrity
3.1 Subscribe to security notifications from vendors and to advisories provided by the Cyber Centre.
3.2 Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code. System entry and exit points include firewalls and client and server endpoints.
3.3 Perform regular and automated vulnerability scans to ensure that potential vulnerabilities and other security risks are identified and addressed as quickly as possible within information system components in accordance with the Government of Canada’s (GC’s) Guideline on Vulnerability Management.
3.4 Conduct both internal and external penetration testing for information systems:
- 3.4.1 Prior to initial deployment and after significant changes to a system;
- 3.4.2 By an independent assessor on an annual basis for systems hosting personally identifiable information (PI); and
- 3.4.3 By an independent assessor at least every two years for all other designated critical systems.
3.5 Actively patch all operating systems, software applications, hardware and firmware installed on endpoint devices in accordance with GC’s Patch Management Guidance to mitigate known software flaws and vulnerabilities.
4. System administration
4.1 Implement a secure system administration model that makes use of administrative infrastructure services that are hardened and that protect administrative activities and privileged tasks. This includes:
- 4.1.1 Establishing management zones that are dedicated and isolated networks used to perform administrative actions to limit the risk of interception or compromise in accordance with the Cyber Centre’s Baseline Security Requirements for Network Security Zones (Version 2.0): ITSP.80.022;
- 4.1.2 Protecting management interfaces on information system components and devices by removing the management interface from direct exposure to the Internet and making it accessible via an internal network zone such as a remote management access zone in accordance with the Cyber Centre’s Baseline Security Requirements for Network Security Zones (Version 2.0): ITSP.80.022;
- 4.1.3 Limiting administrative access to management zones or interfaces based on user roles and authorized Internet Protocol (IP) address ranges; and
- 4.1.4 Restricting authorized administrative activities to GC-approved administrative hosts such as a purpose-built and dedicated administrator workstation (DAW) that:
- 4.1.4.1 Ensures that only authorized administrative activities and software are executed;
- 4.1.4.2 Disables Internet access to ensure that it does not have access to services such as email and web browsing; and
- 4.1.4.3 Implements a baseline that conforms with the GC’s Endpoint Management Configuration Requirements.
4.2 Establish a privileged access model that strictly limits the ability to perform privileged actions to a few authorized pathways that are protected and closely monitored. This includes:
- 4.2.1 Mitigating unauthorized privilege escalation by enforcing a hierarchy that prevents control of higher planes (such as a control or management plane) from lower planes (such as a data or workload plane) via attacks or abuse of legitimate processes;
- 4.2.2 Validating each user account and device for each session to ensure that they are trusted at a sufficient level before allowing access; and
- 4.2.3 Mitigating lateral traversal by using unique passwords or secrets for accounts and machine keys, so that a compromise of a single device will not immediately lead to control of many or all other devices in the environment.
4.3 Use remote management software and protocols that are:
- 4.3.1 Kept up to date and supported to protect against known vulnerabilities;
- 4.3.2 Configured with Cyber Centre’s approved cryptographic safeguards to protect communication from eavesdropping or tampering;
- 4.3.3 Hardened to disable actions such as SSH port forwarding for interactive user accounts; and
- 4.3.4 Configured with phishing-resistant multi-factor authentication (MFA).
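A compliance check for requirement 4.3.3, added here as an illustration and not part of the original requirements: it parses sshd_config text, applies Match blocks the way sshd does (global defaults, overridden by a satisfied Match block, first keyword occurrence winning across blocks), and reports whether AllowTcpForwarding resolves to "no" for a given account. The sample config and the "interactive" group name are constructed assumptions; only exact-name User and Group criteria are modelled.

```python
"""Resolve the effective AllowTcpForwarding value for a user from sshd_config text:
global defaults, overridden by satisfied Match blocks, first keyword occurrence wins."""
# Constructed sample (not from the page); "interactive" is an assumed group name.
SAMPLE_CONFIG = """
AllowTcpForwarding yes
PermitTunnel no
Match Group svc-tunnel
    AllowTcpForwarding yes
Match Group interactive
    AllowTcpForwarding no
    GatewayPorts no
"""

def parse_sshd_config(text):
    """Return (global_settings, blocks); each block is (criteria, settings)."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comments, split key/value
        if len(parts) != 2:
            continue                                 # blank or comment-only line
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            words = value.split()                    # e.g. ["Group", "interactive"]
            criteria = {words[i].lower(): set(words[i + 1].split(","))
                        for i in range(0, len(words) - 1, 2)}
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_settings.setdefault(key, value)   # first value wins
        else:
            current[1].setdefault(key, value)
    return global_settings, blocks

def block_matches(criteria, user, groups):
    """Every criterion must hold; only exact-name User/Group criteria are modelled."""
    return all((name == "user" and user in pats) or
               (name == "group" and pats.intersection(groups))
               for name, pats in criteria.items())

def effective_setting(text, keyword, user, groups):
    global_settings, blocks = parse_sshd_config(text)
    keyword = keyword.lower()
    for criteria, settings in blocks:                # first satisfied block wins
        if block_matches(criteria, user, groups) and keyword in settings:
            return settings[keyword]
    return global_settings.get(keyword)

def forwarding_disabled(text, user, groups):
    """sshd defaults AllowTcpForwarding to 'yes' when it is unset."""
    return (effective_setting(text, "AllowTcpForwarding", user, groups) or "yes") == "no"
```

Run it against a real sshd_config to confirm that every human login account resolves to "no" while any service account that legitimately needs forwarding is covered by an earlier, narrower Match block.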
5. Data backup and restoration
5.1 Back up systems that contain essential business information and ensure that recovery mechanisms effectively and efficiently restore these systems from backups to support business continuity in accordance with Appendix D: Mandatory Procedures for Business Continuity Management Control of the Directive on Security Management.
5.2 Securely store backups in an encrypted state, and restrict access to them to only those who must access them for testing or restoration activities.
6. Monitoring
6.1 Use trusted Network Time Protocol sources to enable accurate time synchronization and validation throughout all environments and systems to support correlation of security events.
6.2 Configure logging in accordance with the GC’s Event Logging Guidance to improve the ability to detect and identify anomalous behaviours. This includes enabling detailed logging of systems and components, such as (but not limited to):
- 6.2.1 Critical systems and data holdings;
- 6.2.2 Internet-facing services, including remote access services, their network metadata and the underlying server operating systems;
- 6.2.3 Identity and domain management servers;
- 6.2.4 Other critical servers;
- 6.2.5 Edge devices, such as boundary routers and firewalls;
- 6.2.6 Administrative workstations; and
- 6.2.7 Highly privileged systems.
6.3 Forward event logs to a central logging facility for processing, storage, monitoring and analysis, and protect them from unauthorized modification and deletion using the Cyber Centre’s approved cryptographic safeguards.