Plan for Continuity

Objective

Ensure that there is a plan for continuity of access and service that accommodates both expected and unexpected events.

Applicable Service Models

IaaS, PaaS, SaaS

Mandatory Requirements

Activity Validation
  • Document, implement, and test a break glass emergency account management process.
  • Verify that an emergency account management procedure has been developed.
  • Verify that alerts are in place to report any use of emergency accounts.
  • Verify that testing of emergency accounts took place, and that periodic testing is included in emergency account management procedures.
  • Obtain confirmation from the departmental chief information officer (CIO) in collaboration with the designated official for cyber security (DOCS) with signatures that acknowledge and approve the emergency account management procedures.
  • Confirm through attestation that the departmental CIO, in collaboration with the DOCS, has approved the emergency account management procedure for the cloud service.

Additional Considerations

Activity Validation
  • Develop a cloud backup strategy that considers where GC data is stored, replicated, or backed up by the cloud service, and the IT continuity plan for the service or application.
  • Confirm through attestation that the cloud backup strategy is developed and approved by the business owner.
  • Verify if there are scripts that support the ability to restore from code (for example, infrastructure as code).
  • Ensure that cloud workloads are associated with the relevant Application ID (identifier) in the Treasury Board of Canada Secretariat Application Portfolio Management (APM) tool, in support of Appendix H: Standard on At-Risk Technology.
  • Provide a list of all software, including versions, deployed on virtual machines associated with the Application IDs from the APM.
  • Ensure that departmental cyber security event management plans include cloud services, in alignment with the Government of Canada Cyber Security Event Management Plan.
  • Provide a list of all software, including versions, deployed on virtual machines associated with the Application IDs from the APM.

References

Related security controls from ITSG-33

AC-1, CP-1, CP-2, CP-9, CA-3