# ITSG-33 Industry Standard report
The ITSG-33 industry standard compliance report helps you assess your web app's security against the Government of Canada's IT security risk management framework.
## About the ITSG-33 Industry Standard
Government of Canada (GC) departments use information systems to support their business activities. These systems are often subject to serious threats that can compromise the confidentiality, integrity, or availability of IT assets. The ITSG-33 standard provides a framework to manage these IT security risks as part of your ongoing operations.
This report shows how your app complies with the relevant security controls for the secure design, development, and operation of web apps.
The security controls in ITSG-33 are grouped into three classes:
- Management controls focus on activities for managing IT security and risks.
- Technical controls are implemented by information systems through mechanisms in hardware, software, and firmware.
- Operational controls are implemented through processes that people run.
The technical security control class contains these families:
- Access control supports the ability to permit or deny user access to resources.
- Audit and accountability supports the ability to collect, analyze, and store audit records for user operations.
- Identification and authentication supports the unique identification and authentication of users who access system resources.
- System and communications protection supports the protection of the information system and its internal and external communications.
## Covered entities
The following organizations are expected to use the ITSG-33 framework:
- Government of Canada departments and agencies.
- Shared services and common service providers, such as Shared Services Canada (SSC).
- Crown corporations and federally regulated bodies that process sensitive federal information.
- Third-party vendors and contractors who deliver IT solutions to federal institutions.
## ITSG-33 Industry Standard report vulnerabilities
The following table lists the specific ITSG-33 technical security controls that are evaluated. Vulnerabilities found in your app are mapped to these control IDs.
| Control ID | Control description |
|---|---|
| AC-3 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
| AC-4 | The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable information flow control policies. |
| AC-5.A.c | The organization defines information system access authorizations to support separation of duties. |
| AC-6 | The information system enforces the most restrictive set of rights and privileges necessary for users to accomplish their assigned tasks. |
| AC-7.A | The information system enforces a limit of consecutive invalid logon attempts by a user during a time period. |
| AC-7.B | The information system automatically locks the account or delays next logon attempt when the maximum number of unsuccessful attempts is exceeded. |
| AC-10 | The information system limits the number of concurrent sessions for each account to an organization-defined number. |
| AC-11.A | The information system prevents further access to the system by initiating a session lock after a defined period of inactivity or upon receiving a request from a user. |
| AC-11.B | The information system retains the session lock until the user reestablishes access using established identification and authentication procedures. |
| AC-12 | The information system automatically terminates a user session after an organization-defined condition or period of inactivity. |
| AC-17.A | The organization establishes and documents usage restrictions, configuration requirements, connection requirements, and implementation guidance for each type of remote access allowed. |
| AC-18.A | The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for wireless access to the information system. |
| IA-2 | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of users). |
| IA-4.D | The organization disables information system identifiers after an organization-defined time period of inactivity. |
| IA-5.C | The information system enforces minimum password complexity requirements for authenticators. |
| IA-5.E | The information system prohibits password reuse for a specified number of generations. |
| IA-5.F | The information system enforces password minimum and maximum lifetime restrictions. |
| IA-5.G | The information system protects authenticator content from unauthorized disclosure and modification by using cryptographic mechanisms. |
| IA-5.H | The information system protects authenticator content from unauthorized disclosure during transmission. |
| IA-6 | The information system obscures feedback of authentication information during the authentication process to protect the information from unauthorized use. |
| IA-7 | The information system implements mechanisms to authenticate to cryptographic modules before establishing a cryptographic connection. |
| SA-18 | The information system implements tamper resistance and detection mechanisms to prevent and/or identify unauthorized changes to software, firmware, and hardware components. |
| SC-5 | The information system protects against or limits the effects of denial of service attacks. |
| SC-6 | The information system protects the availability of resources by allocating priorities to system processes and ensuring that higher-priority processes receive preferential treatment under resource contention. |
| SC-7.A | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| SC-8 | The information system protects the confidentiality and integrity of transmitted information. |
| SC-12 | The information system establishes and manages cryptographic keys using automated mechanisms with supporting procedures. |
| SC-13 | The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information. |
| SC-20.A | The information system provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data it returns in response to external name/address resolution queries. |
| SC-23 | The information system protects the authenticity of communications sessions. |
| SC-28 | The information system protects the confidentiality and integrity of information at rest. |
| SI-2.A | The organization identifies, reports, and corrects information system flaws in a timely manner. |
| SI-3.A | The organization employs malicious code protection mechanisms at system entry/exit points and endpoints, and keeps the mechanisms and signatures up to date to detect and eradicate malicious code. |
| SI-10 | The information system checks the validity of information inputs for accuracy, completeness, and authenticity. |
| SI-11.A | The information system generates error messages that provide information necessary for corrective actions without revealing sensitive information that could be exploited. |