Protected B (Canada)

Introduction

The Government of Canada (GC) classifies data using various security categorization levels (e.g., Protected A, Protected B, Confidential, Secret, and Top Secret) depending on the sensitivity of the information, and the potential harm that would occur if the information suffered a compromise of its confidentiality, integrity and/or availability. While cloud services can be used by GC departments and agencies, GC departments must first identify and categorize information to understand the security controls that should be applied.

What is Protected B?

"Protected" information can be categorized as either Protected A, Protected B, or Protected C, and applies to personal information, commercial confidential information, or any other information or assets that, if compromised, could reasonably be expected to cause injury to a non-national interest. More specifically, Protected B can include sensitive personal information such as: medical records, performance evaluation reports, detailed financial information, etc. The unauthorized disclosure of this type of information could cause serious injury to a person or organization like distress, financial loss, or damage to their reputation.

The GC has published policy instruments such as the Policy on Government Security Policy, Directive, and Guideline on Service and Digital, Contract Security Manual, and Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) that describe the physical, personnel, and IT security requirements, and controls that departments, agencies, and private sector organizations should consider for safeguarding sensitive government information.

What are the cloud-related security control requirements for Protected B?

For cloud, the security control requirements are described in Annex 3 of Information Technology Security Guidance (ITSG-33) – IT Security Risk Management: A Lifecycle Approach. The Cyber Center’s Medium Cloud Security Control Profile is used as the baseline of IT security requirements. Additionally, the GC has developed a Protected B High Value Assets (PBHVA) Cloud Security Control Profile which defines additional integrity and availability controls that can be applied as an enhancement to support Protected B workloads that have been identified to be high value asset systems.

Public Services and Procurement Canada (PSPC) Contract Security Program (CSP)

The PSPC CSP verifies personnel and physical security for cloud service contracts. This involves ensuring Google Cloud is registered in the PSPC CSP and holds the requisite organizational security clearance, and facilitates personnel security clearances for employees who have a business need to access Protected information or operation zones. PSPC also conducts physical security inspections at Google Cloud’s Canadian data centre locations to confirm secure operation zones, proper data safeguarding, controlled access, and contract security requirements are met.

Canadian Centre for Cyber Security (CCCS) Supply Chain Integrity (SCI)

The Cyber Center SCI team assesses company-related risk factors like ownership, location, and business practices, alongside technical risks of the product or service itself. The SCI team uses various sources to generate a risk rating, which contributes to the final cloud security assessment determination. Further information on the SCI process can be found in ITSAP.10.070, Cyber supply chain: An approach to assessing risk.

Canadian Centre for Cyber Security (CCCS) CSP IT Security Assessment Process

The Cloud Service Provider (CSP) Information Technology Security (ITS) Assessment Process (ITSM.50.100) consists of a detailed assessment of the cloud solution against the security controls, such as the Medium Cloud Profile and/or Protected B High Value Asset Overlay Profile. Google Cloud is responsible for providing evidence to demonstrate adherence to each of the security controls in the relevant control profile. The CCCS then issues a security assessment report summarizing their findings.