Shared Services Canada: Standing Committee on Government Operations and Estimates—May 29, 2023
Document navigation for "Standing Committee on Government Operations and Estimates: May 29, 2023"
Cyber security overview
Context
Explaining Shared Services Canada’s (SSC) role in addressing cyber security, which is a shared responsibility with other agencies, such as the Treasury Board of Canada Secretariat (TBS)–Office of the Chief Information Officer (OCIO) and the Communications security establishment (CSE), which holds the Canadian Centre for Cyber Security (CCCS).
Suggested response
- SSC works diligently to keep networks safe, secure and accessible for Canadians
- SSC applies cyber security measures to identify and prevent malicious actors from gaining access to government networks by using firewalls, network scans, anti-virus, anti-malware as well as identification and authentication tools and services
- Cyber security is a shared responsibility between SSC, the CSE, the TBS as well as departments and agencies
- When a cybersecurity event occurs, SSC and its partners coordinate to determine root causes, limit impact and undertake recovery
- SSC supports the effective design, delivery and management of information technology (IT) security initiatives
If pressed on current and future cyber security investments:
- The government is investing $515.8 million over 6 years for SSC, CSE, and TBS to address the rapidly evolving cyber threat landscape
- The proposed funding will help:
- support cloud security at SSC
- expand cyber security protection for small departments and agencies
- support SSC’s security information and event management system
- modernize the government’s approach to cyber security
- support TBS’s associated efforts to reinforce government cyber security
- SSC responsibilities include government networks, email, data centres, and classified IT infrastructure
If pressed on SSC’s responsibility versus that of CSE:
- Although most security systems used to protect the government’s IT infrastructure are designed and managed by SSC, CSE uses complimentary solutions to supplement SSC‑managed security systems
- While SSC provides IT security infrastructure, CSE monitors government systems and networks for malicious activities and cyber-attacks and leads the government's operational response to cyber security events
If pressed on any particular cyber event (exchange vulnerability, Log4j, Print Nightmare, Global Affairs Canada incident, National Research Council incident, etc.):
- SSC has people, technology and processes in place to safeguard systems, and works collaboratively with TBS, CSE and departments to detect and respond to cyber threats
- When a cyber security event occurs, SSC and other departments coordinate to determine root causes, limit impact and undertake recovery
- The risk of cyberattacks is persistent and requires constant vigilance
Auditor General report on cybersecurity of personal information in the cloud
Context
In November 2022, the Auditor General of Canada tabled a report in Parliament that includes a chapter on cybersecurity of personal information in the cloud.
Suggested response
- We accept the recommendations made by the Auditor General. This audit will help SSC strengthen its operating framework for cloud services
- Protecting the government’s systems and information is a shared responsibility across 3 organizations: SSC, the TBS and the CSE through the Canadian Cyber Centre for Security
- The Government of Canada (GC) has a critical role to play in protecting the information of Canadians and has implemented an approach to managing security risks in the cloud that safeguards Canadians data and privacy through a series of policy instruments that guide departments as they adopt cloud services. SSC enables smart cloud adoption across departments so they can harness the benefits of cloud technology by providing:
- an easy and secure access to cloud services
- a secure network connection between government applications hosted in the cloud and government data centres
- operational guidance and support
- A number of strict security requirements, which includes cloud guardrails, must be met before departments can begin to store data in the cloud
- Public Services Procurement Canada (PSPC) and SSC are aligning the GC’s approach to cloud procurement. Cloud procurement templates are being developed which will include standard contract clauses and sustainability terms for cloud service providers
- We have made significant progress in implementing measures in response to the Auditor General report
Government of Canada readiness for return to worksite
Context
There are concerns that, with a large number of public servants returning to the worksite, the underlying IT infrastructure will not effectively function.
Suggested response
- From the onset of the COVID-19 pandemic, SSC rapidly and effectively responded through enabling remote work for thousands of public servants ensuring continued service delivery to Canadians
- SSC will continue to ensure service delivery to Canadians by public servants, whether it is from their home-based office or GC worksites, all while following the guidance from the TBS Office of the Chief Human Resources Officer
- SSC has been working with departments to ensure IT networks are supporting their employees as they transition to hybrid work
- SSC is working with departments to prioritize GC worksites to enable a smooth return for employees
Document navigation for "Standing Committee on Government Operations and Estimates: May 29, 2023"
Page details
- Date modified: