CYBER SECURITY AUDIT PROGRAM PLACEMAT
UNCLASSIFIED

1. AUDIT OF INTERNET GATEWAY PROTECTION
   - Internet gateways are consolidated and secured
   - All external connections are documented

2. AUDIT OF PATCHING OF OPERATING SYSTEMS
   - A System Maintenance Policy is fully implemented
   - Applications are current, tested and supported
   - Security patches are tested, then applied automatically
   - Ongoing system scanning & assessments are applied

3. AUDIT OF ENFORCEMENT OF ADMINISTRATIVE PRIVILEGES
   - A comprehensive Access Control Policy is in place
   - The number of users with admin privileges is minimized
   - The need for users to have privileged accounts is reviewed
   - The process to change admin account passwords is verified
   - Role-based access controls are strictly applied

4. AUDIT OF HARDENING OF OPERATING SYSTEMS
   - A System & Communications Protection Policy is in place
   - A process to disable all non-essential ports and services is comprehensive and is in use
   - Threat Risk Assessments (TRAs) and a baseline configuration for operating systems are established and implemented

5. AUDIT OF SEGMENTATION OF DATA/INFORMATION
   - Networks are zoned based on information protection needs
   - Network diagrams are current and reviewed often
   - A continuous monitoring strategy & program is implemented

6. AUDIT OF TAILORING OF AWARENESS & TRAINING
   - A Security Awareness & Training Policy is implemented
   - Regular training and awareness activities are applied
   - Regular management reporting on attempted and actual system compromises is in place

7. AUDIT OF DEVICE MANAGEMENT AT THE ENTERPRISE LEVEL
   - A Device Management Framework is applied
   - A formal BYOD* policy and/or framework is in place
   - BYODs are only allowed on networks rated for low data confidentiality and low data integrity
   (*BYOD = Bring Your Own Device to work)

8. AUDIT OF PROTECTION AT THE HOST LEVEL
   - A Host-based Intrusion Protection System (HIPS) is deployed on all critical systems
   - HIPS alerts and logs are formally monitored

9. AUDIT OF THE ISOLATION OF WEB-CONNECTED* APPLICATIONS
   - Web-connected/facing applications run in isolation
   - Sub-networks that support web/internet-connected system components allow for the physical/logical separation from internal networks
   (*e-mail, internet, etc.)

10. AUDIT OF APPLICATION ALLOWLISTING
   - A deny-all or permit-by-exception policy (or equivalent approach) is in place to allow for the safe execution of authorized software programs
   - Testing is conducted, initially and periodically, to confirm application allowlisting is effective

11. AUDIT OF GOVERNANCE OF CYBER SECURITY
   - Cyber security goals, requirements and practices are clearly documented, defined & approved
   - Roles & responsibilities are formally assigned
   - Cyber security is supported by a robust organization structure
   - Policies and procedures are current and implemented

12. AUDIT OF CYBER SECURITY RISK MANAGEMENT
   - A formal risk management process is implemented
   - Cyber risks are identified, assessed and escalated
   - Cyber risks are mitigated, managed and reported

INTERNAL AUDIT, COMMUNICATIONS SECURITY ESTABLISHMENT

References: CSE ITSG-33, NIST, COBIT 5, ISO, TB Policy on Government Security, Directive on Security Management, Directive on Identity Management

Communications Security Establishment
Centre de la sécurité des télécommunications

PROTECT YOUR NETWORK. PROTECT CANADA'S INFORMATION.

The Top 10 IT Security Actions were selected and prioritized based on CSE's analysis of cyber threat trends affecting Government of Canada (GC) Internet-connected networks. When implemented as a set, the Top 10 helps minimize intrusions, or the impacts to a network if a successful cyber intrusion occurs.

cyber.gc.ca
