Government of Canada Cyber Security Event Management Plan (GC CSEMP) 2018

1.0 Preamble

1.1 About this document

This document describes the Government of Canada (GC) Cyber Security Event Management Plan (GC CSEMP). This plan outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion GC-wide. The plan will be tested and reviewed annually, and modified as required.

1.2 Effective Date

This plan takes effect on . It replaces the version of the GC CSEMP.

1.3 Application

This plan is prepared in the exercise of the responsibilities conferred to the Treasury Board of Canada Secretariat (TBS) under the Policy on Government Security (PGS) and is intended for all departments and agencies subject to the PGS.

1.4 Definitions

Note: The definitions below originate from the 2017 draft of the Policy on Government Security.  Additional examples are provided for some terms to clarify their interpretation for the purposes of this plan.

Compromise

A breach of government security which includes, but is not limited to:

  • unauthorized access to, disclosure, modification, use, interruption, removal, or destruction of sensitive information or assets, causing a loss of confidentiality, integrity, availability or value;
  • any action, conduct, threat or gesture of a person toward an employee in the workplace or an individual within federal facilities that caused harm or injury to that employee or individual; and,
  • events causing a loss of integrity or availability of government services or activities.

Security event

Any event, omission or situation that may be detrimental to government security, including threats, vulnerabilities and security incidents.

  • Examples of cyber security events: Disclosure of a new vulnerability, intelligence that a threat actor may be planning an attack against a GC information system (e.g. a Distributed Denial of Service (DDoS) attack), attempts at breaching the network perimeter, etc.

Security incident

Any event (or collection of events), act, omission or situation that has resulted in a compromise.

  • Examples of cyber security incidents: Active exploitation of one or more identified vulnerabilities, exfiltration of data, failure of a security control, breach of a cloud-hosted or managed GC service, etc.
  • Every cyber security incident is a cyber security event (or collection of cyber security events), but not every cyber security event is a cyber security incident (see Figure 1).

Threat

Any potential event or act, deliberate or accidental, or natural hazard that could result in a compromise.

Vulnerability

A factor that could increase susceptibility to compromise.

Figure 1: Cyber events vs incidents (in the context of the GC CSEMP)

Figure 1: Text version

Figure 1 identifies the difference between Cyber Security Events and Cyber Security Incidents as they are defined in the CSEMP through the use of two circles, one within the other. The first larger circle represents Cyber Security Events, and the second much smaller circle within the first identifies Cyber Security Incidents as being a subset of Cyber Security Events.

1.5 Glossary of Acronyms and Abbreviations

ADM Assistant Deputy Minister
BCP Business Continuity Plan
CCIRC Canadian Cyber Incident Response Centre
CCNSS Canadian Committee on National Security Systems
CIO Chief Information Officer
CIOB Chief Information Officer Branch
CIOC Chief Information Officer Committee
Comms Communications
CRTC Canadian Radio-television and Telecommunications Commission
CSE Communications Security Establishment
CSEMP Cyber Security Event Management Plan
CSIS Canadian Security Intelligence Service
CTEC Cyber Threat and Evaluation Centre
DG Director General
DG ERC Director General Event Response Committee
DND/CAF Department of National Defence / Canadian Armed Forces
DR Disaster Recovery
DSO Departmental Security Officer
ECT Event Coordination Team
EMT Executive Management Team
ERC Event Response Committee
FERP Federal Emergency Response Plan
GC Government of Canada
GC-CIRT Government of Canada Computer Incident Response Team
GOC Government Operations Centre
IT Information Technology
ITSec Information Technology Security
LSA Lead Security Agency
MITS Management of Information Technology Security
NSS National Security Systems
PCO Privy Council Office
PGS Policy on Government Security
PS Public Safety
RCMP Royal Canadian Mounted Police
RFA Request for Action
S&I Security and Intelligence
SC Strategic Communications
SCMA Strategic Communications and Ministerial Affairs
SIEM Security Information and Event Management
SOC Security Operations Centre
SOP Standard Operating Procedure
SSC Shared Services Canada
TBS Treasury Board of Canada Secretariat
WG Working Group

2.0 Introduction

2.1 Context

Cyber security events related to Government of Canada (GC) information systems can have a significant impact on the delivery of government programs and services to Canadians and, consequently, confidence in government. The ability to respond to cyber security events in a consistent, coordinated and timely manner across the GC is essential to ensure the security and resilience of GC program and service delivery. 

2.2 Purpose

The purpose of this document is to provide an operational framework for the management of cyber security events (including cyber threats, vulnerabilities or security incidents) that impact or threaten to impact the GC’s ability to deliver programs and services to Canadians.  This document provides context for plans and procedures developed by departments and agencies to manage cyber security events related to the programs and services for which they are responsible.

This document also complements the all-hazards arrangements and response mechanism of the Federal Emergency Response Plan (FERP) to provide a coherent framework for managing the consequences of cyber events affecting multiple government institutions and/or confidence in government.

2.3 Scope

The scope of this plan is limited to cyber security events (including threats, vulnerabilities or security incidents) on GC information systems classified as secret and below that:

  • Affect or may affect delivery of government programs and services to Canadians, government operations, security or privacy of information or confidence in government; or,
  • Require an integrated GC-wide response to minimize impacts and enable prompt mitigation and restoration of government programs and services.

This plan does not address:

  • Cyber security events impacting Top Secret information systems; or,
  • The coordination of cross-jurisdictional cyber security events (e.g. with provinces/territories, municipalities, or other countries).

2.4 Objectives

The objectives of this cyber security event management plan are to:

  • Enhance situational awareness of likely cyber threats and vulnerabilities, as well as confirmed cyber security incidents, across the GC;
  • Improve cyber event coordination and management within the GC;
  • Mitigate threats and vulnerabilities before a compromise can occur;
  • Support GC-wide cyber risk assessment practices and remediation prioritization efforts;
  • Minimize the impacts of cyber events to the confidentiality, availability or integrity of government programs and services, information and/or operations;
  • Inform decision-making at all necessary levels;
  • Improve sharing and exchange of GC knowledge and expertise; and,
  • Enhance public confidence in the GC’s ability to manage cyber security events.

2.5 Assumptions

The following assumptions were made during the development of this plan:

  • All departments and agencies have event management processes and business continuity plans in place as established under the PGS;
  • Responsibilities of GC cyber security stakeholders are established in accordance with current departmental mandates;
  • Cyber security events related to the disclosure of personal information or private communications will also follow established privacy protocols; and,
  • Federal cyber security events impacting multiple jurisdictions (national or international) are coordinated in accordance with national plans issued by Public Safety Canada.

3.0 GC Cyber Security Event Management

Government security and the continuity of GC programs and services rely upon the ability of departments and agencies, as well as government as a whole, to manage cyber security events. All government departments experience events that either impact or threaten to impact the delivery of government programs and services. As the GC is increasingly dependent upon IT to deliver services to Canadians and maintain operations, it needs to be prepared to react quickly and effectively to any event that may adversely affect services to Canadians, government operations, or confidence in government.

The GC Cyber Security Event Management Plan (GC CSEMP) outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion GC-wide.  This section of the plan outlines the cyber security event management process, identifies implicated stakeholders, defines cyber security event response levels and describes escalation triggers.

3.1 Process Overview

The overall cyber security event management process defined in this document has several phases, as outlined in Figure 2 below.

Figure 2: Cyber Security Event Management Process

Figure 2 - Text version: the phases of the process are described in the paragraphs that follow.

The initial phase, preparation, involves general readiness activities to ensure that the GC is ready to respond to the broad range of cyber security events.  In this phase, event-related roles and responsibilities are established, plans and procedures are documented (or updated with lessons learned) and exercised, and personnel are trained.  This phase also includes the application of protective and preventative measures at the host, application and network levels, among them the implementation of vulnerability management, patch management and other related processes.

The second phase, detection & assessment, involves the discovery of potential cyber security events, including confirmed cyber security incidents, through the monitoring of various information sources (including departmental and GC-wide hardware/software solutions) and the submission of reports by affected departments and agencies.  This phase also includes an initial assessment of event impact levels that feeds into the determination of an appropriate GC response.

The third phase, mitigation & recovery, consists of all response actions required to minimize impacts to confidentiality, availability and integrity, and lead to restoration of normal operations.  Containment and eradication are key components of this phase, which includes, but is not limited to, actions such as shutting down systems, disconnecting from networks, disabling functionality, and/or mitigating exploited vulnerabilities via patch installation.  Recovery actions in this phase include invocation of business continuity or disaster recovery plans, or any other measure that will reduce impact to affected information systems and allow for a return to normal operations.  This phase also includes root cause analysis and investigation, which consist of activities such as evidence gathering, forensic analysis, research and other related processes that could influence recovery actions.

The final phase, post-event activity, is vital for continuous improvement of the overall cyber security event management process and, as such, feeds back into the preparation phase to complete the event management life cycle.  This phase consists of post-event analysis, preparing and reviewing event lessons learned and recommending changes to processes or procedures in order to continuously mature the GC’s cyber security event management capability. 

From the time that an event is detected to the conclusion of post-event activities, reporting and communication between stakeholders occurs throughout, enabling whole-of-government situational awareness.  Entrenching these ongoing activities into the lifecycle of cyber security event management is imperative to ensure that mitigation advice and status updates are shared with both affected and non-affected parties in a timely fashion, enabling situational awareness and supporting informed decision-making. 

3.2 Stakeholders

In addition to individual departments and agencies, who play a key role in informing and actioning GC cyber security event management activities, there are a number of additional stakeholders implicated in the GC CSEMP. Below is a summary of stakeholders, organized into three major categories.  Detailed roles and responsibilities of each stakeholder can be found in Annex A.

  1. Primary Lead Security Agency (LSA) stakeholders
    • Treasury Board of Canada Secretariat (TBS)
      • Chief Information Officer Branch (CIOB)
      • Strategic Communications and Ministerial Affairs (SCMA)
    • Shared Services Canada (SSC)
      • GC Computer Incident Response Team (GC-CIRT)
    • Communications Security Establishment (CSE)
      • Cyber Threat and Evaluation Centre (CTEC)
    • Public Safety Canada (PS)
      • Canadian Cyber Incident Response Centre (CCIRC)
      • Communications (Comms)
  2. Specialized LSA Stakeholders
    • Royal Canadian Mounted Police (RCMP)
    • Canadian Security Intelligence Service (CSIS)
    • Department of National Defence / Canadian Armed Forces (DND/CAF)
  3. Other Stakeholders
    • GC Chief Information Officer (GC CIO)
    • Government Operations Centre (GOC)
    • Privy Council Office (PCO)
      • Security & Intelligence (S&I)
      • Strategic Communications (SC)
    • Canadian Committee on National Security Systems (CCNSS)
    • DG Event Response Committee (DG ERC)
    • External Partners

3.3 GC Response Levels

There are four (4) response levels that govern GC cyber security event management activities, as indicated in Figure 3 below. These response levels will dictate the level of coordination required in response to any given cyber security event, including level of escalation, stakeholder participation and reporting required.

Figure 3: GC Response Levels

Figure 3 - Text version: the four response levels are described in the paragraphs that follow.

The first level (Level 1) essentially represents day-to-day operations in the GC. The dynamic nature of the cyber threat environment and the constant disclosure of new cyber security vulnerabilities indicate that, on average, the GC will typically operate in a Level 1 state.  In this state, departments and agencies are to coordinate response in accordance with their standard departmental procedures, continue the application of regular preventative measures and maintain communication with the Government of Canada Computer Incident Response Team (GC-CIRT) for advice and guidance.  At a GC-wide level, no further coordination amongst primary/specialized stakeholders is required, aside from regular information sharing between stakeholders for situational awareness. 

The next level (Level 2) indicates that heightened attention is required at the GC level.  This level will trigger invocation of the lower tier of GC CSEMP governance (as outlined in section 3.4.4) and implies that some limited GC-wide coordination may be required.  At this level, all primary GC CSEMP stakeholders (and specialized stakeholders, when required) will be on heightened alert for cyber activity, monitoring GC-wide risk levels and ensuring that any impact or potential impact is contained and mitigated.  Additional targeted advice will be provided to departments and agencies on how to proceed with event response, which could include invocation of emergency patch management processes.

The third level (Level 3) indicates that immediate focus and action is required at the GC level.  This level will trigger invocation of the upper tier of GC CSEMP governance (as outlined in section 3.4.4) and implies that centralized, GC-wide coordination will be required.  At this level, event response will be fully coordinated via the GC CSEMP governance structure, with departments and agencies given ongoing direction and guidance on how to proceed with event response.  Response may range from invocation of emergency patch management processes to the disconnection of systems from GC networks.  Events at this level will also trigger invocation of TBS' Cyber Security Communications Framework (Footnote 1).

The final level (Level 4) is reserved for severe or catastrophic events that affect multiple government institutions, confidence in government or other aspects of the national interest.  Events that reach this level will immediately shift to the FERP governance structure, coordinated by the GOC in accordance with the FERP, in order to ensure the harmonization of federal response efforts.    

3.3.1 Determination of GC Response Levels

GC Response Levels are determined based on the analysis of two factors: Departmental impact assessment and scope of the cyber security event in question.

Departmental impact assessments are conducted using the process outlined in Annex B of this document.  This process, applicable to all cyber security events in scope of this plan, is based on a standardized injury test designed to measure the degree of injury that has occurred or could reasonably be expected to occur due to a compromise.  This injury assessment considers both the severity and scope of the event.  Once the degree of injury is assessed, a modifier is applied to account for the probability of injury realization, in cases where an incident has not yet occurred (e.g. unrealized cyber threats and vulnerabilities).

Departmental impact assessment results from affected departments are then rolled up at the GC-wide level and Annex C of this document is then used by the GC-CIRT (in collaboration with Treasury Board Secretariat Chief Information Officer Branch (TBS/CIOB) and other applicable partners) to assess the GC-wide urgency and establish an appropriate GC Response Level. 

Note: In some cases (such as the disclosure of a new security vulnerability for which injury is difficult to discern), more detailed departmental impact assessments may be required in order to establish a GC Response Level.  In these cases, departments will be instructed to perform a detailed assessment via a GC-CIRT Request for Action (RFA) and submit results back to the GC-CIRT to feed GC Response Level determination.

3.4 Governance

During a cyber security event, the timely engagement of the appropriate level of governance bodies will focus both management and operations to prevent, detect, respond to and recover from cyber security events in a prioritized manner.

The GC CSEMP governance structure introduces three key governance bodies that will manage escalation of a cyber security event: The Event Coordination Team (ECT), the Executive Management Team (EMT), and the ADM IT Security Tripartite (ADM ITST).

3.4.1 Event Coordination Team

The Event Coordination Team (ECT) is a group of key working-level stakeholders that is activated when triggered by the GC CSEMP (Level 2 events) or when invoked by the Executive Management Team (EMT) (Level 3 events) or DG Event Response Committee (DG ERC) (Level 4 events).  The purpose of the ECT is to collaborate with key stakeholders and jointly propose recommendations for appropriate courses of action for the GC at large. The ECT is also responsible for ensuring that situational awareness is maintained at the DG-level by actively updating EMT members of ongoing cyber security event management progress.

The ECT is co-chaired by TBS/CIOB and GC-CIRT, with stakeholder representation varying depending on the nature of the event. For all cyber security event types (cyber threats, vulnerabilities and security incidents), the following primary stakeholders will participate in addition to the co-chairs:

  • TBS/SCMA;
  • CSE/CTEC; and,
  • PS/CCIRC.

When a cyber security incident is confirmed, or when a cyber threat event falls within the scope of other mandates, the team will expand to include the following specialized stakeholders, as required:

  • SSC/SOC;
  • RCMP (Technical Investigation Services, and Federal Policing);
  • CSIS (Cyber); and,
  • DND/CAF (Information Management Operations).

Departments directly affected by specific threats or incidents will also be invited to participate on the ECT.  Departmental invitations will be determined by the co-chairs, who may limit invitations to ensure optimal operation of the ECT.

During Level 4 events, the ECT co-chairs will ensure that a subject matter expert is co-located in the GOC to provide advice and guidance and ensure situational awareness is maintained.

3.4.2 Executive Management Team

The Executive Management Team (EMT) is a DG-level committee that is activated when triggered by the GC CSEMP (Level 3 events).  The EMT provides strategic direction and guidance to the ECT and presents products to senior GC officials (such as decision briefs or proposed GC-wide mitigation plans that require approval at the ADM level).  The EMT is also responsible for ensuring that situational awareness is maintained at higher levels by actively updating appropriate ADM Committees.  During Level 4 events, the EMT is integrated within the FERP’s DG ERC.

The EMT is co-chaired by TBS/CIOB and SSC/Cyber Security Operations, with stakeholder representation varying depending on the nature of the event.  For all cyber security event types (cyber threats, vulnerabilities and security incidents), the following primary stakeholders will participate in addition to the co-chairs:

  • TBS/SCMA;
  • CSE (Cyber Defence); and,
  • Public Safety (National Cyber Security Directorate).

When a cyber security incident is confirmed, or when a cyber threat event falls within the scope of other mandates, the team will expand to include the following specialized stakeholders, as required:

  • Government Operations Centre (GOC);
  • RCMP (Technical Investigation Services, and Federal Policing);
  • CSIS (Cyber); and,
  • DND/CAF (Information Management Operations).

Departments directly affected by specific threats or incidents will also be invited to participate on the EMT.  Departmental invitations will be determined by the co-chairs, who may limit invitations to ensure optimal operation of the EMT.

3.4.3 ADM IT Security Tripartite Committee

The ADM IT Security Tripartite Committee (ADM ITST) is an ADM-level committee that serves as a decision-making body supporting the effective design, delivery and management of priority IT security initiatives affecting internal Government of Canada (GC) systems and GC-wide operations.  In the context of cyber security event management, its activation may be triggered by the GC CSEMP (Level 3 events).  The ADM ITST provides mitigation direction and guidance to the EMT when responding to a cyber security event.  The ADM ITST is also responsible for ensuring that situational awareness is maintained at higher levels by actively updating appropriate DMs.  During Level 4 events, the ADM ITST will support the FERP’s Committee of Assistant Deputy Ministers as appropriate.

The ADM ITST is chaired by the Chief Information Officer of the Government of Canada (GC CIO), and its primary members are from SSC (ADM Cyber and IT Security) and CSE (Deputy Chief ITS). Other stakeholder representation at ADM ITST will vary depending on the nature of the event.  For all cyber security event types (cyber threats, vulnerabilities and security incidents), the following additional stakeholders will participate in addition to the co-chairs:

  • TBS/SCMA; and,
  • Public Safety (National and Cyber Security Branch).

When a cyber security incident is confirmed, or when a cyber threat event falls within the scope of other mandates, the team will expand to include the following specialized stakeholders, as required:

  • Government Operations Centre (GOC);
  • RCMP (Technical Investigation Services, and Federal Policing);
  • DND/CAF (Chief of Staff Information Management Group);
  • CSIS; and,
  • Affected department(s)/agency(ies).

3.4.4 Escalation Model

The escalation model of the GC CSEMP, outlined in Figure 4 below, identifies both the working level and senior management stakeholders required, differentiating between primary and specialized members that vary based on event type (reflected by the black and red outlines).  Appropriate governance bodies (i.e. ECT and/or EMT) will be invoked, as required, by any stakeholder following analysis of data received from affected organizations.  It should be noted that this model identifies the minimum subset of stakeholders that must be involved in escalation; co-chairs of each governance body can invite other GC organizations as appropriate (for example, a specialized stakeholder from whom information originated).

Given the short time frames in which cyber security events can cause significant damage, rapid invocation of the appropriate governance body is essential.  As such, the initial invocation of each respective governance body is dependent on the GC Response Level established for that particular event.  For example, should an event be assessed at a Level 3 from the outset, governance will immediately begin at the EMT level.

Figure 4: CSEMP Escalation Model

Figure 4 - Text version

Figure 4 represents the CSEMP escalation model. This figure identifies the required governance based on response level identified in Figure 3. Figure 4 identifies the working level and senior management stakeholders required, differentiating between primary and specialized members that vary based on event type. They are as follows:

  1. Level 1 – Departmental Response
    1. This level falls under GC CSEMP governance
    2. Departments and agencies provide information to SSC/GC-CIRT for all events
    3. SSC/GC-CIRT will then relay this information to TBS/CIOB
  2. Level 2 – Limited GC-wide Response
    1. This level falls under GC CSEMP governance
    2. An event at this level invokes the Event Coordination Team (invoked by SSC/GC-CIRT and/or TBS/CIOB).  This team is made up of the following working-level members:
      1. TBS/CIOB (co-chair)
      2. SSC/GC-CIRT (co-chair)
      3. Public Safety (CCIRC)
      4. TBS/SCMA (TBS communications)
      5. CSE/CTEC
    3. In scenarios where a threat or incident has been identified, the following members will join the Event Coordination Team:
      1. RCMP
      2. DND/CAF
      3. SSC/IT-SIRT
      4. CSIS
      5. The Affected Department(s)
  3. Level 3 – Comprehensive GC-Wide Response
    1. This level falls under GC CSEMP governance
    2. An event at this level invokes the Executive Management Team, which is made up of the following DG-level members:
      1. TBS/CIOB (co-chair)
      2. SSC/Security Operations (co-chair)
      3. Public Safety
      4. TBS/SCMA (TBS communications)
      5. CSE
    3. Only in scenarios where a threat or incident has been identified, the following members will join the Executive Management Team:
      1. RCMP
      2. DND/CAF
      3. GOC (who acts as the Executive Management Team liaison to the FERP governance structure if the incident requires further escalation)
      4. CSIS
      5. The Affected Department(s)
    4. During Level 3, the GC CIO and other ADM-level committees (which are intentionally flexible, as engagement will vary based on the type of event) are identified as stakeholders who will be provided information by the Executive Management Team
  4. Level 4 – Emergency (crisis) response
    1. This level falls under FERP governance
    2. This level is active only in the case of threats and incidents
    3. There are three identified governance bodies in this level which inform from the bottom up in the following order:
      1. Government Operations Centre (working-level)
        1. Event Coordination Team
        2. Event Team (FERP)
        3. Affected Departments
      2. DG Event Response Committee (DG-level)
        1. GOC (co-chair)
        2. TBS/CIOB (co-chair)
        3. DG Cyber Operations Members, DG Communications working group, and others as required
      3. ADM/DM/Cabinet Committees

Other notes about the escalation model:

  • For all events:
    • Stakeholders in the lower levels of the escalation model are engaged (or remain active, if already engaged) when higher levels are engaged during an event; and,
    • Stakeholders in higher levels of the escalation model, even if not formally engaged, are provided with appropriate situational awareness updates throughout the life cycle of an event. 
  • For Level 2 events:
    • ECT invocation implies that implicated stakeholders are simply in communication with one another and does not necessarily require that members formally convene in person; and,
    • The ECT will escalate if mitigation efforts need to be augmented, if greater event impact is realized or if event context dictates heightened GC response.
  • For Level 3 events:
    • EMT invocation implies that implicated stakeholders convene formally in person; and,
    • The decision to escalate and move to FERP response coordination will be made by DG GOC, in consultation with the EMT.
  • For Level 4 events:
    • GC CSEMP stakeholders will remain engaged with the FERP Event Teams and will continue to fulfill their respective mandates within the GC, aligned with direction provided via FERP governance; and,
    • Existing information sharing mechanisms will be used as much as possible to maintain efficiency.

3.4.5 Escalation and Response Levels

Stakeholders also need to be aware that GC Response Levels can change as an event unfolds depending on whether or not certain criteria are met. Figure 5 describes triggers for escalation that can be used during an event in order to invoke the appropriate stakeholders at the appropriate times.  Escalation from one level to the next is determined jointly by the stakeholders involved, using injury (or potential injury) to the GC as a trigger (based on the results from the injury test outlined in Annex B). Other escalating factors may also need to be considered, based on the context of the event in question.

Depending on the nature of the event, injury tests may need to be re-evaluated in order to accurately assess the level of escalation required.  For cyber threat and vulnerability events, escalation would be triggered based on an increase in exposure to injury (e.g. increased likelihood of occurrence, increased exploitability or exposure of vulnerable systems, decreased effectiveness of security controls, etc.).  For confirmed cyber security incidents, escalation would be triggered based on an increase in severity or scope of the injury.

Figure 5: Escalation and Response Levels

Figure 5 - Text version

Figure 5 identifies relevant stakeholders and the associated triggers for Escalation for the various government response levels identified in figure two through the use of concentric circles and an attached table. The triggers for escalation are as follows:

  1. Level 1 – Departmental Response
    1. Stakeholders
      1. Day to day operations of:
        1. Departments and agencies
        2. GC-CIRT
    2. Triggers for Escalation
      1. Threats/Vulnerabilities
        1. Increased probability of medium or higher impact to multiple departments
        2. Increased exposure of vulnerable systems or increased exploitability of vulnerability
      2. Incidents
        1. Medium impact compromise affecting delivery of one or more public facing GC programs/services
        2. Indicators of broader propagation
  2. Level 2 – Limited GC-wide Response
    1. Stakeholders
      1. Event Coordination Team
    2. Triggers for Escalation
      1. Threats/Vulnerabilities
        1. Imminent threat of High or higher impact to one or more departments
        2. High exposure of vulnerable systems
      2. Incidents
        1. High or higher impact of compromise affecting delivery of a public facing GC programs/services or operation of one or more mission-critical systems
        2. High likelihood of broader propagation
  3. Level 3 – Comprehensive GC-wide Response
    1. Stakeholders
      1. Executive Management Team
      2. ADM Committees (as required)
      3. GC CIO
    2. Triggers for Escalation
      1. Threats/Vulnerabilities
        1. N/A
      2. Incidents
        1. Compromise affecting delivery of many mission-critical programs/services resulting in severe injury (widespread propagation)
  4. Level 4 – Emergency (crisis) Response
    1. Stakeholders
      1. Federal Emergency Response Plan
        1. GOC
        2. DM and Cabinet Committees
    2. Triggers for Escalation
      1. N/A

3.4.6 De-escalation

GC Response Levels can be reduced as an event unfolds depending on whether or not mitigation measures are effective, if an incident is determined to be less severe than originally believed, if the threat is reduced or if the vulnerability of government systems is determined to be lessened. The decision to de-escalate from one level to the next is made by the committee co-chairs, in consultation with stakeholders involved, using injury (or potential injury) to the GC as a trigger (based on the results from the injury test outlined in Annex B). Other de-escalating factors may also need to be considered, depending upon the context of the event in question.

Depending on the nature of the event, injury tests may need to be re-evaluated in order to accurately assess the level of response required.  For cyber threat and vulnerability events, de-escalation will be triggered based on a decrease in exposure to injury (e.g. less likelihood of occurrence, decreased exploitability or exposure of vulnerable systems, increased effectiveness of security controls, etc.).  For confirmed cyber security incidents, de-escalation will be triggered based on a decrease in severity or scope of the injury.

4.0 Concept of Operations

The following sections provide an overview of stakeholder expectations for each phase of the GC cyber security event management lifecycle.  These sections will demonstrate how the GC CSEMP is operationalized, and describe the key inputs and outputs from each phase.

All stakeholders are responsible for developing their own Standard Operating Procedures (SOPs) or internal processes to deliver the expected outputs.

4.1 Preparation

Figure: Preparation (first step of the process; described in the text below)

The preparation phase is an ongoing phase in which the GC executes a set of continuous processes in order to ensure proactive readiness for specific or unpredictable events.  This includes not only the maintenance and improvement of existing capabilities, but also the development of new mechanisms for setting priorities, integrating multiple organizations and functions, and ensuring that the appropriate means are available to support the full spectrum of cyber security event management requirements.  This phase also includes the application of protective and preventative measures in advance of a cyber event.

In this phase:

  • All GC CSEMP stakeholders (including all departments and agencies) will implement applicable protective and preventative measures within their respective areas of responsibility, in accordance with advice and guidance issued by Lead Security Agencies (LSAs);
  • TBS will develop and maintain the GC CSEMP, coordinate regular exercises with all implicated stakeholders and ensure that lessons learned are implemented;
  • TBS will review post-mortem and lessons learned reports from past events and drive changes to security policy or enterprise security reference architectures, as required;
  • GC-CIRT will maintain GC-wide operational distribution lists and ensure that departments and agencies are continuously provided with advice and guidance required to mitigate cyber threats and vulnerabilities in order to prevent the occurrence of cyber security incidents;
  • Departments and agencies will align departmental plans, processes and procedures with the GC CSEMP, participate in exercises when required and ensure that applicable government-wide lessons learned are implemented at the departmental level; and,
  • Departments and agencies will continuously maintain a listing of their mission-critical information systems.

Inputs and outputs for this phase are as follows:

  • Inputs
    • Lessons learned from previous events, mitigation strategies, exercises and test scenarios
    • Ongoing recommendations from LSAs
    • Industry best practices
  • Outputs
    • Implemented lessons learned
    • Updated GC-wide cyber security event management plans, processes, guidelines & tools
    • Exercises, scenarios and tests to validate the effectiveness of the GC CSEMP
    • Updated departmental plans, processes and procedures that align with the GC CSEMP
    • Understanding of critical systems across the GC

4.2 Detection & Assessment

Figure: Detection & Assessment (second step of the process; described in the text below)

The detection and assessment phase involves the continuous monitoring of information sources for early indications of emerging cyber security events and the assessment of their impact (potential or actual) on the delivery of services to Canadians, government operations or confidence in government. 

The detection portion of this phase is constant for any type of cyber event (threat, vulnerability or security incident) and also covers the initial notification of appropriate stakeholders. Detection occurs as a direct result of monitoring; if the monitoring component is inadequate or incomplete, then the detection process may miss anomalies or events that could impact the GC.

In the detection portion of this phase:

  • Primary and specialized GC CSEMP stakeholders will monitor their respective information sources for precursors of emerging cyber threat or vulnerability events, or indicators of potential or confirmed cyber security incidents, and immediately notify the GC-CIRT of any malicious cyber activity that may affect GC information systems. Specifically:
    • GC-CIRT will monitor their own technical sources, as well as information reported by other stakeholders;
    • SSC Security Operations Centre (SOC) will monitor the SSC-operated infrastructure, including the SSC network perimeter and any other endpoints or services within their purview;
    • CSE/CTEC will monitor government networks as well as intelligence and technical sources;
    • PS/CCIRC will monitor information from domestic and international sources;
    • RCMP will monitor information from criminal surveillance sources;
    • CSIS will monitor information from intelligence sources; and,
    • DND/CAF will monitor all DND owned and operated networks, as well as networks from allied sources (such as NATO), and when deployed on operation.
  • Primary and specialized GC CSEMP stakeholders will, upon detection of a cyber event, report cyber security events to applicable organizations as per section 5.1 of this plan;
  • Departments and agencies will implement the general security controls established under the Policy on Government Security (PGS) on department-owned IT infrastructure and notify the GC-CIRT upon detection of a cyber security event, as per the reporting requirements outlined in section 5.2 of this plan; and,
  • Departments and agencies will notify appropriate law enforcement or national security authorities when information is received indicating that an event would fall under these particular domains, as per section 5.2.3 of this plan.

The assessment portion of this phase begins once information has been received that a potential or actual cyber security event may exist.  The purpose of the assessment phase is to establish a GC Response Level and determine whether or not invocation of GC CSEMP or FERP governance is required. 

In the assessment portion of this phase:

  • GC-CIRT will establish the initial GC Response Level, in consultation with TBS/CIOB and other applicable partners, based on a roll-up of departmental information, and invoke the appropriate GC CSEMP governance bodies in accordance with the assessed response level;
    • When further information is required to assess GC-wide risk:
      • GC-CIRT will issue a Request for Action (RFA) to departments and agencies to perform a departmental impact assessment; and,
      • Departments and agencies will perform a departmental impact assessment and submit results back to the GC-CIRT within the defined timeframe.

Inputs and outputs for this phase are as follows:

  • Inputs
    • Threat & intelligence reports from GC event management stakeholders or external sources (vendors, open source, etc.)
    • Incident reports from GC event management stakeholders, departmental incident reports or external sources
  • Outputs
    • Departmental and government-wide impact assessment reports
    • Establishment of a GC response level
    • Identification of events that require a coordinated GC-wide response
    • Invocation of GC CSEMP or FERP governance, if required

4.3 Mitigation & Recovery

Figure: Mitigation & Recovery (third step of the process; described in the text below)

The purpose of the mitigation & recovery phase is to mitigate threat and vulnerability events before they become incidents, or to contain and mitigate the effects of incidents when they occur. Activities in this phase will vary depending on the nature of the event, but could include actions such as the installation of patches, implementation of preventative measures, containment and eradication of a confirmed incident (which may involve investigative analysis), the invocation of business continuity and disaster recovery plans or the temporary shutdown of vulnerable services.  Regardless of the type of event, the end goal of the phase is to minimize impacts and ensure the timely restoration of normal operations.

In this phase, for all applicable events (note that the degree of involvement will vary based on the established GC Response Level):

  • TBS/CIOB will perform strategic coordination, which may include the issuance of strategic direction to departments and agencies on measures to minimize the GC-wide impact of cyber security events (e.g. shutting down vulnerable public-facing information systems, invoking disaster recovery plans, etc.) (Level 3 events or when warranted by Level 2 events);
  • GOC will perform strategic coordination, which may include the issuance (via TBS/CIOB) of strategic direction to departments and agencies on measures to minimize the GC-wide impact of cyber security events (Level 4 events only);
  • GC-CIRT will perform operational coordination, which includes the issuance of technical direction and advice to departments and agencies on measures to mitigate or contain impact to departmental systems (e.g. patch installation, blocking of IP addresses, etc.) as well as the tracking and reporting of these measures (all events);
  • CSE will implement appropriate mitigation measures on devices for which they are responsible (all events);
  • All Primary and specialized GC CSEMP stakeholders will contribute advice and guidance based on information received from their respective sources; and,
  • Departments and agencies will implement the direction provided by GC-CIRT and TBS/CIOB within established timelines (on infrastructure that they own) (all events).

In addition, for confirmed incidents (all Level 3+ and applicable Level 2):

  • GC-CIRT will lead the development of a GC-wide containment plan, in collaboration with GC CSEMP stakeholders;
  • CSE, applicable service providers and affected departments and agencies will assist in the implementation of the prevention or containment plan within their respective areas of responsibility; and,
  • SSC/SOC will lead forensic examination and analysis (including evidence collection) on IT systems that it supports, in collaboration with affected departments and agencies and applicable LSAs.

Inputs and outputs for this phase are as follows:

  • Inputs
    • Incident and situation reports
    • Intelligence information
    • Forensic findings
    • Other considerations (political, legal, etc.)
    • Impact assessment reports
    • BCP/DR plans
  • Outputs
    • Response plan
    • Mitigation of threat or vulnerability (when applicable)
    • Containment & eradication of incident (when applicable)
    • Restoration to normal operations
    • Validated end to threat, vulnerability or incident

4.4 Post-Event Activity

Figure: Post-Event Activity (fourth step of the process; described in the text below)

The post-event activity phase leverages knowledge gained from each cyber security event to ensure the continuous improvement of the cyber security event management process and, by extension, the security posture of the GC infrastructure as a whole.  The purpose of this phase is to formally close out the cyber security event by conducting a post-event analysis, identifying lessons learned (when applicable) and driving changes to security policy or enterprise security architecture improvements, as required.

The degree of effort and resources allocated to this phase will vary from event to event.  Serious events (including confirmed incidents) will require deeper post-event analysis than those that are less serious in nature.  Repetitive events may require post-event analysis in aggregate.

In this phase, for applicable events (or upon request):

  • Affected departments and agencies will produce their own departmental lessons learned report and action plan, and contribute to GC-wide post-event activities, as required;
  • GC-CIRT will collate all departmental findings and produce a post-event report, including timeline of events and root cause analysis;
  • TBS/CIOB will produce a lessons learned report and action plan on behalf of the GC and monitor implementation of the recommendations (Level 3 events or when warranted by Level 2 events);
  • GOC will produce a lessons learned report and provide coordination for the production of departmental action plans and monitor the implementation of the recommendation (Level 4 events only); and,
  • All other GC CSEMP stakeholders will provide information required to support the development of GC-wide lessons learned reports and assist with implementation of related action items under their particular areas of responsibility.

Inputs and outputs for this phase are as follows:

  • Inputs
    • Review of event timeline
    • Review of reporting and communication procedures and timeliness of products
    • Root cause analysis
    • Other relevant input from implicated CSEMP stakeholders
  • Outputs
    • Departmental lessons learned report
    • GC-level post-event reports
    • GC-wide Lessons Learned & Action Plan (if applicable)
    • Recommendations to improve policy instruments or enterprise security architecture

5.0 Reporting & Communication

Figure: Reporting & Communication (fifth step of the process; described in the text below)

As cyber security events are detected, there is a need for certain GC stakeholders to be informed.  These stakeholders may be internal to the GC CSEMP governance structure, external to the GC CSEMP structure but still within the GC (including intradepartmental or employee communications), or external (including media and the Canadian public). Continuous (both routine and ad hoc) reporting and communication are vital in the cyber security event management process, ensuring that appropriate stakeholders at all levels of government are provided with the situational awareness required to make decisions and maintain an understanding of potential impact to GC programs and services.

This section will describe the reporting and communications products that will be distributed during the course of the GC event management lifecycle, as well as specific reporting requirements for departments and agencies.

5.1 Government-wide Reporting & Communication

At the government-wide level, reporting and communication will be handled as follows:

  • TBS/SCMA will coordinate the development of a Communications Strategy and develop and publish external communications materials (in accordance with TBS' Cyber Security Communications Framework (Footnote 1)) required during the cyber security event management lifecycle, in collaboration with PS/Comms and PCO/SC (for all events that require external communications or coordinated messaging);
  • Affected departments and agencies will develop their own stakeholder/client and public communications products (all events, but with TBS/SCMA and PCO/SC approval for Level 3 and Level 4 events, in accordance with TBS' Cyber Security Communications Framework (Footnote 1));
  • TBS/CIOB will coordinate messaging to the Chief Information Officer (CIO) and Departmental Security Officer (DSO) community and disseminate Senior Management Updates as required throughout the cyber security event management process (Level 3 and Level 4 events or when situational awareness is required during Level 2 events);
  • TBS/CIOB will communicate government-wide business impact assessment results with the GOC and Privy Council Office Security and Intelligence (PCO/S&I) (Level 2 and 3 events);
  • GOC will disseminate FERP governance updates and situational awareness products/briefings as required throughout the cyber security event management process (Level 3 and Level 4 events or when situational awareness is required during Level 2 events);
  • GC-CIRT will coordinate messaging to the operational (IT Security) community and disseminate technical information products (cyber flashes, advisories, alerts, etc.) including GC CSEMP response level status and situation reports to implicated stakeholders as required throughout the cyber security event management process (all events); and,
  • Primary and specialized GC CSEMP stakeholders will ensure that appropriate organizations are notified when criminal, terrorist or military related cyber event activity is detected (RCMP, CSIS and DND respectively). 
    • GC-CIRT will take the lead on reporting to the RCMP, CSIS and/or DND if activity related to their mandates is discovered during the course of managing a GC event.

A pictorial representation of the information sharing flow can be found in Figure 6 below.  Note that information sharing at lower levels will continue in parallel to higher level information sharing.

Figure 6: CSEMP Information Sharing Flow (flow process chart; the flow is described in the text of section 5.1 above)

5.1.1 Reporting & Communication Summary

The tables below summarize the types of reporting and communication that will occur internally in the GC over the course of a cyber security event under the GC CSEMP.  Information sharing between primary and specialized CSEMP stakeholders will occur in accordance with established SOPs.  Note that these tables do not describe day-to-day information sharing that will continue through existing processes or mechanisms.

Table 1A: Reporting & Communication Summary – Between Primary and Specialized CSEMP stakeholders

| Type | Sender | Recipient | Timeline to issue |
|---|---|---|---|
| Situational Awareness Updates (for Level 2+ events) | GC-CIRT | TBS/CIOB; CSE/CTEC; PS/CCIRC | As new information becomes available (includes detection, mitigation and general status updates until event closeout) |
| General event updates (from domestic and international partners) | PS/CCIRC | GC-CIRT | As new information becomes available |
| Cyber security event reporting | SSC/SOC; CSE/CTEC; RCMP; CSIS; PS/CCIRC; DND/CAF | GC-CIRT | Immediately upon detection of a malicious cyber security event related to GC systems |
| Mandate-specific reporting | Primary & Specialized GC CSEMP Stakeholders | RCMP | Immediately upon suspicion or detection of a cyber event related to criminal activity |
| Mandate-specific reporting | Primary & Specialized GC CSEMP Stakeholders | CSIS | Immediately upon suspicion or detection of a cyber event related to terrorist activity |
| Mandate-specific reporting | Primary & Specialized GC CSEMP Stakeholders | DND | Immediately upon suspicion or detection of a cyber event related to national defense |
| Updates on impacts to the delivery of GC programs & services | TBS/CIOB | PCO/S&I | As new information becomes available |
| Situational Awareness Updates (for Level 2 events only) | PS/CCIRC | GOC | As new information becomes available (includes detection, mitigation and general status updates until event closeout) |
Table 1B: Reporting & Communication Summary – From Primary and Specialized CSEMP stakeholders to Departments

| Type | Sender | Recipient | Timeline to issue |
|---|---|---|---|
| Departmental incident notification | GC-CIRT | Affected Department (ITSec Team) | Immediately upon notification/detection of a malicious cyber security event |
| Cyber Flashes, Alerts, Advisories | GC-CIRT | All Departments (ITSec Team) | High+ Severity: within 8 hours of disclosure; Medium Severity: within 24 hours of disclosure; Low Severity: within 72 hours of disclosure |
| Requests for Action (RFAs) | GC-CIRT | All Departments (ITSec Team) | As required (typically for High+ severity vulnerabilities when GC-wide exposure is unknown) |
| Technical Situation Reports | GC-CIRT | All Departments (ITSec Team) | Level 2/3/4 Events: As required |
| Senior Management Updates | TBS/CIOB | All Departments (CIOs, DSOs) | Level 2/3/4 Events: As required |
| GC-wide strategic direction to minimize impact of cyber event | TBS/CIOB (via GC CIO) | All Departments (CIOs) | Level 4 Events: As directed by FERP governance; Level 2/3 Events: As required |
| External Communications Materials | TBS/SCMA | Affected Department (Comms Team) | As required |
| All necessary information products | CSE/CTEC | CCNSS | As required |

5.2 Departmental Reporting Requirements

5.2.1 Threat/Vulnerability Events

Mandatory departmental reporting on a threat or vulnerability event is required when a Request for Action (RFA) is issued by the GC-CIRT (as described in section 4.2).  Timelines for response will vary depending on the nature of the RFA; as such, each RFA will specify the target turnaround time for response.  Response times specified will typically range from 24 to 48 hours, depending on the nature of the event.

RFAs will always be sent to the generic departmental IT Security Operations mailbox.  Departments need to ensure that this mailbox is monitored with procedures in place to respond to these RFAs in a timely fashion.

5.2.2 Incidents

All cyber security incidents within the scope of this document (see section 2.3) will be reported to the GC-CIRT using the Cyber Portal Incident Reporting form in accordance with Table 2 below. Reporting mechanisms and timelines for reporting will vary based on the departmental impact level, calculated by using the process outlined in Annex B.  GC-CIRT will ensure appropriate storage of these incident reports and will only share information related to detection or mitigation techniques (e.g. indicators of compromise, identification of malicious sites, etc.) with other departments and agencies.  Sensitive department-specific information will not be shared GC-wide.

Table 2: Incident reporting requirements

| Impact Level | Initial Incident Report | Detailed Incident Report | Lessons Learned Report | Incident rollup summary |
|---|---|---|---|---|
| High/Very High | ASAP after detection | < 24 hours after detection | < 30 days after resolution | Quarterly |
| Medium | < 1 hour after detection | < 48 hours after detection | < 30 days after resolution | Quarterly |
| Low | N/A | N/A | N/A | Quarterly |

5.2.3 Reporting Examples

The GC-CIRT is the central repository for cyber security event reporting in the GC.  While minor infractions may be dealt with at the departmental level, the majority of cyber security events must be reported to the GC-CIRT in a timely fashion.  The following examples, while not a complete list, can be used as a guide for types of events that should be reported:

  • Suspicious or targeted emails with attachments/links that were not detected by existing security controls;
  • Suspicious or unauthorized network activity that represents a deviation from baseline;
  • Data breaches or compromise/corruption of information;
  • Intentional or accidental introduction of malware to a network;
  • Denial of service attacks; and,
  • Web or online presence defacement or compromise (including unauthorized use of GC social media accounts).

Consideration should also be given to whether events may impact other GC organizations.  If in doubt, it is better to over report than under report.

5.2.4 Other

If there is reasonable evidence of suspected criminal activity under the Criminal Code of Canada, in addition to standard reporting to the GC-CIRT, departments and agencies will report directly to the RCMP or Military Police, as applicable.

Departments will also report to the GC-CIRT upon the realization that a cyber security event may require additional assistance in the mitigation & recovery phase (e.g. aid from the GC-CIRT, SSC/SOC, CSE/CTEC, RCMP, service providers, etc.) or if they are unable to implement given direction within the provided timeframe.

Departments and agencies providing services to other GC organizations are also responsible for notifying affected service recipients (in addition to their regular reporting to the GC-CIRT) of any cyber security events that impact recipient information or service delivery.

Communications teams from affected departments and agencies will coordinate the development of stakeholder/client and public communications products with TBS/SCMA and PCO/SC, in accordance with the TBS' Cyber Security Communications Framework (Footnote 1).

In the event of any real or suspected privacy breach, departments and agencies will respond in accordance with the Directive on Privacy Practices.  Departments and agencies should apprise themselves of TBS Guidelines for Privacy Breaches and the Privacy Breach Management Toolkit. These privacy instruments identify causes of privacy breaches, provide guidance on how to respond, contain and manage privacy breaches, delineate roles and responsibilities, and include links to relevant supporting documentation.

5.3 Secure Communications

Frequently during the cyber security event management lifecycle (specifically, during the detection & assessment or mitigation & recovery phases), it becomes necessary for key stakeholders to share information with one another.  When this information becomes sensitive in nature (e.g. specifics related to vulnerable IT systems, details about data exfiltration, etc.), secure communications methods must be used to transmit this information between stakeholders.

As such, all stakeholders need to be prepared to send and receive sensitive information.  This includes ensuring that available secure communications tools (i.e. secure data and voice infrastructure) are in working order, with procedures in place and personnel trained for their use.  Stakeholders not equipped with sufficient tools will ensure that alternative manual processes are in place to send and receive this information, acknowledging that these manual processes may delay receipt.

Annex A – Roles and Responsibilities

This Annex describes roles and responsibilities of GC CSEMP stakeholders.  Roles and responsibilities will vary depending on the type of event (threat vs vulnerability vs security incident) as well as its priority level. 

i. Primary GC Cyber Security Event Management Stakeholders

The following is a list of primary Lead Security Agency (LSA) stakeholders in the GC cyber security event management process that will be engaged in all events that meet the appropriate trigger criteria (including potential threats and vulnerabilities, as well as confirmed incidents).  The degree of involvement from each stakeholder will vary based on the impact or severity of the event.

Treasury Board of Canada Secretariat

Treasury Board of Canada Secretariat (TBS) provides strategic oversight and direction in the GC cyber security event management process, ensuring that events are effectively coordinated in order to support decision-making and minimize potential impacts and losses to the GC.

In the context of this plan, TBS’ strategic oversight responsibilities, via its Chief Information Officer Branch (CIOB), include:

  • Establishing, maintaining and testing the GC CSEMP and related procedures;
  • Ensuring strategic coordination of GC response to priority cyber security events (typically Level 3 events, or when warranted by Level 2 events), which includes:
    • The role of co-chair and secretariat for all GC CSEMP governance teams (including escalation and de-escalation decisions in coordination with SSC);
    • The assessment of government-wide program/service impact of cyber threats, vulnerabilities and security incidents to support government-wide reporting and prioritization (assessed in collaboration with GC-CIRT and other applicable partners); and,
    • The issuance of direction (via the GC CIO) to departments and agencies on measures to minimize the GC-wide impact of significant cyber security events.
  • Providing strategic advice to the Director General (DG) Event Response Committee (ERC) during Level 4 cyber security events;
  • Ensuring that TBS’ Strategic Communications and Ministerial Affairs (SCMA) team is provided with timely information required to develop communications products; and,
  • Analyzing post-event reports from the GC-CIRT and conducting GC-wide lessons learned exercises (when warranted) to drive security policy or enterprise security architecture related improvements.

TBS/SCMA has a role in this plan with regards to strategic communication, typically for Level 3 events (or when warranted by events at other levels).  As the designated spokesperson on behalf of the GC for any cyber security event affecting government program and service delivery, TBS/SCMA is responsible for:

  • Developing internal (GC-wide) and external communications materials related to all phases of cyber security event management, in collaboration with Public Safety Communications and Privy Council Office (PCO) Strategic Communications, and in consultation with Communications teams from implicated CSEMP stakeholders;
  • Determining the necessity and timing of public statements (proactive and reactive); and,
  • Approving all communications plans (internal, stakeholder/client and public), in collaboration with affected organizations and PCO Strategic Communications. 

Shared Services Canada

Shared Services Canada (SSC) houses the Security Operations Centre (SOC), which includes the Government of Canada Computer Incident Response Team (GC-CIRT).

The GC-CIRT is responsible for coordinating all phases of event management for cyber security events that have impacted or may impact the GC, which includes:

  • Monitoring of and response to cyber security events on SSC-owned infrastructure (including the SSC network perimeter) and the implementation of preventative and mitigation measures as required;
  • Acting as the central cyber coordination point of contact for the GC, both for the distribution of technical information products and for the collection of event related reports from GC organizations;
  • Ensuring operational coordination of GC response to all cyber security events, including:
    • The monitoring of technical information sources (including LSAs, affected departments and agencies, vendors, etc.) for precursors of cyber threat or vulnerability events or indicators of potential or confirmed cyber security incidents;
    • The day-to-day issuance of security information products containing technical mitigation advice (e.g. alerts, advisories, etc.) and requests for action to departments and agencies;
    • The collation, tracking and reporting of departmental event-related reports/responses and implementation of technical mitigations;
    • The assessment of government-wide program/service impact of cyber threats, vulnerabilities and security incidents to support government-wide reporting and prioritization (assessed in collaboration with TBS/CIOB and other applicable partners);
    • The coordination of prevention, mitigation and recovery efforts, including timely situational awareness updates to other GC CSEMP stakeholders; and,
    • The role of co-chair for all GC CSEMP governance teams (including escalation and de-escalation decisions in coordination with TBS).
  • Producing post-event reports, including timeline of events and root cause analysis (based on departmental analysis and lessons learned reports) and submitting to TBS/CIOB and other relevant organizations, as required (e.g. CSE, PCO);
  • Two-way communication with both Public Safety’s Canadian Cyber Incident Response Centre (PS/CCIRC) and TBS/CIOB throughout the cyber security event management lifecycle;
  • Verifying closeout of events and notifying appropriate CSEMP stakeholders; and
  • Sharing cyber intelligence related to investigations and providing situational awareness related to cyber threats, vulnerabilities and attack techniques.

Other services offered by the SSC SOC to support departments and agencies in recovering from cyber security events and returning to normal operations include, but are not limited to:

  • Forensic examination and analysis (including evidence collection and investigation support);
  • Vulnerability analysis and response; and,
  • Malware analysis and response.

Delivery of these services is typically managed by the SSC/SOC, but prioritization may be recommended via the CSEMP governance structure when warranted.

Communications Security Establishment 

Communications Security Establishment (CSE), including the Cyber Threat and Evaluation Centre (CTEC), develops, provides and operates capabilities and tools for the management of cyber security events, and acts in a technical advisory capacity within the GC CSEMP.  In the context of this plan, CSE is responsible for:

  • Detecting, blocking or mitigating cyber threat activities targeting GC networks or information;
  • Providing reporting and other information products to the GC-CIRT, PS/CCIRC and other key CSEMP stakeholders;
  • Supporting the identification, risk assessment, mitigation, recovery and post-analysis of cyber security events within the GC;
  • Providing situational awareness of cyber security events (on GC systems that are Secret or below) to CCNSS; and,
  • Participating on GC CSEMP governance teams in an advice and guidance capacity.

Public Safety Canada

Public Safety Canada (PS) houses the Canadian Cyber Incident Response Centre (CCIRC), which is Canada’s national coordination centre for the prevention and mitigation of, preparedness for, response to and recovery from cyber security events. CCIRC works with domestic and international partners to address significant cyber security concerns, including critical infrastructure organizations and provincial, territorial or municipal governments.

While the GC-CIRT performs the role of cyber event coordination for the GC, CCIRC does have a technical advisory role within the GC CSEMP as a result of its national coordination mandate for critical infrastructure owners/operators and other levels of government.  In the context of this plan, PS/CCIRC is responsible for:

  • Sharing cyber threat, vulnerability and incident information and warnings received from domestic and international partners with the GC-CIRT and the GOC (Note that CCIRC will only be responsible for sharing information with the GOC for events up to Level 2);
  • Sharing unclassified information from GC partners (threats, vulnerabilities, indicators, etc.) with domestic and international partners;
  • Sharing information regarding the potential scope and impact of a given event from the perspective of Canadian critical infrastructure owners and operators in order to ensure a fulsome understanding of impacts not directly tied to GC systems but affecting GC interest; and,
  • Participating on GC CSEMP governance teams in an advice and guidance capacity and for situational awareness.

Public Safety Canada has the responsibility of coordinating the overall national response to significant cyber events that are national in scope through CCIRC and the Government Operations Centre.

From a communications perspective, PS’ Communications (Comms) team also plays a role during significant cyber events.  In the context of this plan, PS/Comms is responsible for assisting TBS/SCMA by coordinating all federal public communications-related efforts during a cyber security event.

ii. Specialized GC Cyber Security Event Management Stakeholders

The following is a list of specialized LSA stakeholders in the GC cyber security event management process that will be engaged for confirmed cyber security incidents or threat events that require specialized attention related to their particular mandates.

Royal Canadian Mounted Police

The Royal Canadian Mounted Police (RCMP) is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin on the GC IT infrastructure. 

In the context of this plan, the RCMP is responsible for:

  • Leading the criminal investigation on cyber security incidents linked to non-state criminal activity (including criminal investigations involving terrorist activity); and,
  • Participating on GC CSEMP governance teams in an advice and guidance capacity, when warranted by a particular cyber security incident or threat event.

Canadian Security Intelligence Service

Canadian Security Intelligence Service (CSIS) is the primary department responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists.

In the context of this plan, CSIS is responsible for:

  • Leading the investigation on cyber security incidents that constitute a threat to the security of Canada, as defined by the CSIS Act (including terrorism and espionage); and,
  • Participating on GC CSEMP governance teams in an advice and guidance capacity, when warranted by a particular cyber security incident or threat event.

Department of National Defence / Canadian Armed Forces

The Department of National Defence / Canadian Armed Forces (DND/CAF) is the primary department responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems.  In the context of this plan, DND/CAF is responsible for:

  • Leading the investigation on any cyber incidents (foreign or domestic) linked to activities directed against military systems (systems directly supporting military operational theaters and weapon systems);
  • Potentially providing additional support and assistance to other government departments, if tasked; and,
  • Participating on GC CSEMP governance teams in an advice and guidance capacity, when warranted by a particular cyber security incident or threat event.

iii. Other Stakeholders

Government of Canada Chief Information Officer

The Government of Canada Chief Information Officer (GC CIO) represents whole-of-government interests during cyber security events that affect or may affect the delivery of programs and services, addressing topics that include overall GC response to cyber security events and enterprise-level actions taken to protect GC information systems.  The GC CIO is responsible for briefing the Associate DM’s Office and higher as required in addition to advising Assistant Deputy Minister Committees on event-related issues, such as security and operations of GC IT systems and networks, service delivery, and confidence in government. The GC CIO also chairs a committee of departmental CIOs through the CIO Council (CIOC); through this Council, the GC CIO may issue direction to departmental CIOs regarding cyber security event management activities, specifically around mitigation and recovery related activities.

Government Operations Centre

The Government Operations Centre (GOC), on behalf of the GC, leads and supports response coordination of any type of event (i.e. not restricted to cyber) affecting the national interest.  It provides 24/7 monitoring and reporting, national-level situational awareness, warning products and integrated risk assessments, as well as national-level planning and whole-of-government response management.  During periods of heightened response, the GOC is augmented by staff from other organizations (both government and non-government) that physically work in the GOC or connect to it virtually.

In the context of this plan, the GOC is responsible for:

  • Monitoring Level 3 cyber security events for potential escalation, which includes:
    • Providing warning and situational awareness products to operations centres across government;
    • Conducting risk assessments and planning; and,
    • Briefing the FERP governance.
  • Coordinating the overall GC response during Level 4 events, in accordance with the FERP.

Privy Council Office

As the hub of non-partisan advice to the Prime Minister and Cabinet, PCO, in its role as a central agency, helps to clearly articulate and implement the Government's policy agenda and to coordinate timely responses to issues facing the government that are of national, intergovernmental and international importance.  In that respect, PCO’s Security & Intelligence (S&I) team has a leading role in the coordination of government-wide response to national security emergencies.  In the context of this plan, PCO/S&I is responsible for:

  • Supporting the GC decision-making process by ensuring that senior officials are apprised in a timely manner of cyber security incidents that may be of national importance or may have national security implications; and,
  • Participating on GC CSEMP governance teams in an advice and guidance capacity, when warranted by a particular national incident or threat event.

From a communications perspective, PCO’s Strategic Communications (SC) team also plays a role during significant cyber events.  In the context of this plan, PCO/SC is responsible for providing communications advice to Cabinet and senior officials of the PCO and coordinating government-wide communications, in collaboration with PS/Comms, including crisis management, during a cyber security event.

Canadian Committee on National Security Systems

The Canadian Committee on National Security Systems (CCNSS), chaired by CSE's Deputy Chief of IT Security, develops and provides governance of an enterprise approach to securing those GC systems requiring the highest level of assurance: i.e., National Security Systems (NSS). CCNSS leads a parallel EMP applying to all GC NSS and can offer visibility to GC CSEMP governance bodies on situations that may also impact non-NSS systems.  Such situations may also arise in the GC CSEMP context; CCNSS, therefore, benefits from a bi-directional triage bridge at the executive level and is a client of certain types of GC CSEMP alerts.

Director General Event Response Committee

The Director General Event Response Committee (DG ERC) is a federal committee of directors general who manage operational response efforts and who direct, support and improve response planning and coordination for events affecting the national interest.  In the context of this plan, the DG ERC becomes the GC CSEMP interface into the FERP governance structure during Level 4 events, liaising with ADM, DM and Cabinet Committees as required.

External Partners

Departments and agencies often rely on various partners external to the GC to support program and service delivery, including private sector suppliers and other levels of government.  External partners are required to manage and report on cyber events in accordance with the stipulations outlined in their respective contractual agreements with departmental service owners.

iv. Departments and Agencies

Departments and agencies play a key role in GC-wide cyber security event management, whether directly affected by an event or not.  Detailed departmental roles and responsibilities related to security event management can be found in departmental governance, plans and procedures that are developed to support the implementation of the PGS and related Directives and Standards.

In the context of this plan, all departments and agencies are responsible for:

  • Reporting cyber security events as per Section 5.2 of this plan;
  • Monitoring GC-CIRT technical information products and assessing their applicability to department-owned/managed information systems;
  • Assessing departmental program/service impact of cyber threats, vulnerabilities and security incidents;
  • Responding to GC-CIRT requests for action (RFAs) in accordance with specified timelines;
  • Implementing mitigations based on direction and guidance issued by LSAs or Central Agencies;
  • Notifying the GC-CIRT if additional assistance is required to perform event response-related activities;
  • Notifying appropriate law enforcement or national security authorities when an event falls under these domains;
  • Participating on GC CSEMP governance teams when requested by a co-chair (typically when affected by a cyber security event);
  • Following appropriate protocols upon occurrence of a privacy breach;
  • Conducting post-event analysis and preparing departmental lessons learned reports (for applicable events) and submitting them to the GC-CIRT;
  • Developing and disseminating applicable stakeholder and client management communications products (in consultation with or under the direction of TBS/SCMA and PCO/SC, as required);
  • Ensuring that management and reporting requirements related to cyber security events are clearly stipulated in contracts, MOUs or other formal arrangements with external partners (e.g. private sector suppliers and other levels of government) and that these address the requirements established in applicable GC and departmental policy instruments including, but not limited to, this plan;
  • Developing, maintaining and testing departmental cyber security event management plans and processes, and ensuring alignment with GC-wide direction, plans and processes;
  • Maintaining an up-to-date inventory of mission-critical information systems and understanding of information holdings in order to facilitate event response and/or prioritization; and,
  • Continuously maintaining and improving their departmental event response capability, including, but not limited to, implementation of lessons learned (GC-wide and departmental), regular exercising of departmental plans/procedures, maintenance of departmental contact lists, and the training of appropriate cyber security response personnel.

Departments and agencies providing services to other GC organizations are responsible for establishing mechanisms to inform service recipients of cyber security events that impact their systems or information.  Service providers are also responsible for providing service recipients with the information necessary to support GC CSEMP reporting requirements outlined in Section 5.2 of this plan (specifically, to support the completion of incident reports and responses to RFAs) in a timely fashion, as well as any other digital evidence required to support departmental mitigation, recovery and/or post-event activities.

Annex B – Event Impact Assessment (Departmental)

The purpose of this Annex is to outline the high-level process used to assess impact related to a cyber security event.  The end result of this process is the establishment of a departmental cyber security event impact level that will be used to determine an event response level for the GC as a whole.

Assessment of impact for all cyber security events (threats, vulnerabilities and confirmed incidents) begins with an injury test to measure the degree of injury that could reasonably be expected to occur due to a compromise (see Step 1 below). For confirmed cyber security incidents, the result of this injury test represents the departmental impact of the incident, as injury has been confirmed, and no further steps are required.

For cyber threat and vulnerability events, an additional step is required to determine the probability of injury occurrence in order to obtain a more accurate representation of potential departmental impact (see Step 2 below).

Step 1 (for all cyber security events): Injury test

The injury test, performed using Table 3 below, is based on severity and scope of the injury that could reasonably be expected to occur.

Severity: The severity of the injury refers to the level of harm, damage or loss (e.g. from physical injury to loss of life, from minor financial losses to loss of financial viability, from minor inconvenience to significant hardship).  The severity of the injury may be characterized as limited, serious or severe, based on an assessment of the following types of injury:

  • Harm to the health and safety of individuals;
  • Financial losses or economic hardship;
  • Impacts to government programs/services;
  • Loss of civil order or national sovereignty; and,
  • Damage to reputations or relationships. 

Other factors specific to a departmental or agency mandate or operational context may also be considered.

Scope: The scope of injury refers to the number of people, organizations, facilities or systems impacted, the geographical area affected (e.g. localized or widespread), or duration of the injury (e.g. short term or long term).  The scope of injury can be characterized as:

  • Wide:  widespread; national or international; multiple countries or jurisdictions; major government programs or sectors;
  • Medium:  jurisdiction, business sector, government program; group or community; or
  • Narrow: individual, small business.
Table 3: Injury Test

  (rows: Severity; columns: Scope)

  Severity     Narrow     Medium     Wide
  Severe       Medium     High       Very High
  Serious      Low        Medium     High
  Limited      Low        Low        Medium

  Departmental Impact Level: [Injury Test Result]

Table 4 below can be consulted to analyze potential expected results of a compromise and validate the outcome of the initial injury test. Once confirmed, this value can be entered in the incident report and submitted to the GC-CIRT.

Table 4: Expected Results of Compromise
Impact Result of Compromise
Very High
  • Widespread loss of life
  • Major long-term damage to the Canadian economy
  • Severe impediment to national security (e.g. compromising capabilities of Canadian Forces or national intelligence operations)
  • Severe damage to diplomatic or international relations
  • Long-term loss of public confidence in the GC that disrupts the stability of government
High
  • Severe injury or loss of life to a group of individuals, or widespread serious injury
  • Serious financial loss that impedes the Canadian economy, compromises the viability of a GC program or reduces international competitiveness
  • Serious impediment to one or more mission-critical programs/services or impediment to national security
  • Serious damage to international relations that could result in a formal protest or sanction
  • Long-term loss of public confidence in the GC that disrupts a priority objective of the government
Medium
  • Threat to the life or safety of an individual, or serious injury to a group of individuals
  • Financial loss that affects performance across a sector of the economy, affects GC program outcomes or affects the well-being of a large number of Canadians
  • Serious impediment to public-facing programs/services or departmental operations, jeopardizing program objectives
  • Damage to federal-provincial relations
  • Serious loss of public trust or confidence in the GC or embarrassment to the GC
Low
  • Physical or psychological harm to an individual
  • Financial stress or hardship to an individual
  • Impediment to departmental operations that could have a limited impact on program effectiveness
  • Harm to the reputation of an individual or business
  • Minor loss of public trust or confidence in the GC

Step 2 (for cyber threat and vulnerability events only): Risk Assessment

Unlike cyber security incidents, where injury has been realized, injury is still in a potential state for cyber threat and vulnerability events.  As such, in order to establish an accurate potential impact level, a risk assessment must be conducted (using Table 5 below) to determine the probability of occurrence for the injury.  Using the results of the injury test performed in Step 1 (i.e. expected injury), a risk-modified departmental impact level is determined based on factors such as intelligence indicators (likelihood of compromise), exploitability, exposure of affected information systems and/or implementation of compensating controls.

Table 5: Risk Assessment

  Exposure levels (columns):

  • Low exposure:
    • Low likelihood that threat will target GC
    • Vulnerability very difficult to exploit
    • Vulnerable systems are not directly exposed (e.g. standalone systems)
    • Existing security controls effectively counter threat or vulnerability
  • Medium exposure:
    • Medium likelihood that threat will target GC
    • Vulnerability exploitable with significant resources
    • Vulnerable systems are visible to one department only (i.e. intranet)
    • Existing security controls partially counter threat or vulnerability
  • High exposure:
    • High likelihood that threat will target GC
    • Vulnerability exploitable with moderate resources
    • Vulnerable systems are visible to many departments (e.g. GC extranet)
    • Existing security controls provide limited protection against threat or vulnerability
  • Very High exposure:
    • Threat or compromise imminent
    • Vulnerability easily exploitable with limited resources
    • Vulnerable systems are highly exposed (e.g. Internet facing)
    • Existing security controls do not provide protection against threat or vulnerability

  (rows: Impact Level, as per injury test in Step 1; columns: Exposure)

  Impact Level   Low        Medium     High       Very High
  Very High      High       High       High       Very High
  High           Medium     Medium     High       High
  Medium         Low        Medium     Medium     Medium
  Low            Low        Low        Low        Low

  Risk-Modified Departmental Impact Level: [Risk Assessment Result]

This risk-modified departmental impact level is to be reported to the GC-CIRT (when requested via an RFA) for consumption at the GC-wide level.

Cyber threat or vulnerability events are to be classified as cyber security incidents as soon as injury is realized.  When injury moves from a potential state to a realized state, the injury tests in this Annex will require re-evaluation and re-submission to the GC-CIRT to determine whether changes to event response or further escalation are required.

Annex C – Response Level Calculation Matrix (GC-Wide)

Using the collated results of departmental impact assessments returned to the GC-CIRT, the GC response level is calculated based on the urgency of the cyber security event across the GC (using Table 6 below).

Table 6: GC Response Levels

  GC Urgency levels (columns):

  • Low urgency:
    • Affects one internal GC program/service
    • Unlikely to propagate further
  • Medium urgency:
    • Affects one external or several internal GC programs/services
    • Potential for broader propagation
  • High urgency:
    • Affects multiple GC internal/external programs/services
    • Broader propagation imminent/confirmed

  (rows: Departmental Impact Level, as per Annex B; columns: GC Urgency)

  Departmental Impact Level   Low        Medium     High
  Very High                   Level 3    Level 3    Level 4
  High                        Level 2    Level 2    Level 3
  Medium                      Level 1    Level 2    Level 2
  Low                         Level 1    Level 1    Level 1

  GC Response Level: [Calculated GC Response Level]

The GC response level calculation matrix is to be used as a guideline. There may be other externalities or escalating factors that need to be considered when establishing a GC response level. As such, TBS/CIOB reserves the right to adjust the overall GC response level based on the context of any given cyber event scenario.
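The Annex B and Annex C steps chained end to end, as an added worked example rather than any tool of the GC CSEMP itself. It encodes Tables 3, 5 and 6 as lookups, skips Step 2 for confirmed incidents, shows the re-evaluation required once a potential injury is realized, and assumes (the plan only says "collated") that the GC-wide impact is the highest departmental impact reported.

```python
"""Added illustration of the GC CSEMP impact and response level calculation.

Not part of the plan; Tables 3, 5 and 6 are transcribed from Annex B and
Annex C. The collation rule in gc_response_level() is an assumption.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Ordered impact scale used by Tables 3, 5 and 6 (index = rank, low to high).
IMPACT = ["Low", "Medium", "High", "Very High"]

# Table 3: Injury test. severity -> scope -> departmental impact level.
INJURY_TEST = {
    "Severe":  {"Narrow": "Medium", "Medium": "High",   "Wide": "Very High"},
    "Serious": {"Narrow": "Low",    "Medium": "Medium", "Wide": "High"},
    "Limited": {"Narrow": "Low",    "Medium": "Low",    "Wide": "Medium"},
}

# Table 5: Risk assessment. injury-test impact -> exposure -> risk-modified impact.
RISK_ASSESSMENT = {
    "Very High": {"Low": "High",   "Medium": "High",   "High": "High",   "Very High": "Very High"},
    "High":      {"Low": "Medium", "Medium": "Medium", "High": "High",   "Very High": "High"},
    "Medium":    {"Low": "Low",    "Medium": "Medium", "High": "Medium", "Very High": "Medium"},
    "Low":       {"Low": "Low",    "Medium": "Low",    "High": "Low",    "Very High": "Low"},
}

# Table 6: departmental impact -> GC urgency -> GC response level (1..4).
RESPONSE_LEVEL = {
    "Very High": {"Low": 3, "Medium": 3, "High": 4},
    "High":      {"Low": 2, "Medium": 2, "High": 3},
    "Medium":    {"Low": 1, "Medium": 2, "High": 2},
    "Low":       {"Low": 1, "Medium": 1, "High": 1},
}


@dataclass(frozen=True)
class DepartmentalEvent:
    """One department's report on one event (constructed sample data in the tests)."""
    department: str
    kind: str                        # "incident", "threat" or "vulnerability"
    severity: str                    # Severe / Serious / Limited (Table 3 row)
    scope: str                       # Narrow / Medium / Wide (Table 3 column)
    exposure: Optional[str] = None   # Table 5 column; needed unless kind == "incident"


def departmental_impact(ev: DepartmentalEvent) -> str:
    """Step 1 for every event; Step 2 only for threat and vulnerability events."""
    injury = INJURY_TEST[ev.severity][ev.scope]
    if ev.kind == "incident":
        # Injury is realized, so the injury test alone is the departmental impact.
        return injury
    if ev.exposure is None:
        raise ValueError("threat/vulnerability events need an exposure rating for Step 2")
    return RISK_ASSESSMENT[injury][ev.exposure]


def realize_injury(ev: DepartmentalEvent) -> DepartmentalEvent:
    """Annex B: a threat/vulnerability event becomes an incident once injury occurs,
    which drops the Step 2 risk discount and requires re-submission to the GC-CIRT."""
    return replace(ev, kind="incident", exposure=None)


def gc_response_level(events: List[DepartmentalEvent], urgency: str) -> Tuple[str, int]:
    """Annex C: collate departmental impacts, then apply Table 6 for the GC urgency.
    Assumption (not stated in the plan): collation keeps the highest impact reported."""
    if not events:
        raise ValueError("at least one departmental report is required")
    highest = max((departmental_impact(e) for e in events), key=IMPACT.index)
    return highest, RESPONSE_LEVEL[highest][urgency]
```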

© Her Majesty the Queen in Right of Canada, represented by the President of the Treasury Board, 2018,
ISBN: 978-0-660-24005-3
