COTS Security Guidance (CSG) Program Overview
What is the Commercial-Off-The-Shelf (COTS) Products Security Guidance Program?
The Government of Canada continues to increase its presence on the Internet, seeking to deliver more of its products and services to Canadians via electronic and online means. While each department has its own unique offering, they all have a common cyber-security challenge to overcome: how to mitigate the threats and risks that seek to undermine or disrupt the delivery of these products and services.
In order to help protect networks from cyber-attacks, GC departments procure and install Commercial-Off-The-Shelf, or COTS, IT security products. While these products can contribute to the security of the network, simply acquiring them does not mean they will automatically or successfully defend against typical cyber-threats.
The Communications Security Establishment Canada (CSEC) is mandated to, "Provide advice, guidance and services to help ensure the protection of electronic information and information infrastructures of importance to the Government of Canada."
The COTS Security Guidance (CSG) Program is a new initiative by CSEC to provide GC departments with the relevant and applicable contextual guidance necessary for the secure use of COTS technologies.
Traditionally, CSEC has offered forms of COTS product assurance to GC departments through evaluation programs, such as the Canadian Common Criteria Scheme and the Crypto-Module Validation Program. The growing sophistication of the cyber-threat coupled with the increase in 'cyber-events' on government networks has resulted in changes to CSEC's COTS assurance programs to address security issues throughout the full life-cycle of these products.
To help GC departments improve the operational performance of IT Security technologies against cyber-threats, the CSG program offers a suite of guidance documents, providing recommendations in the specification, configuration, implementation and maintenance of IT security technologies.
The CSG product line is tailored to specific audiences, including Chief Information Officers, Departmental Security Officers and System/Network Administrators, and comprises the following document types: Leaflets, Summaries and Technical Publications.
| Document Type | Intended Audience | Description |
|---|---|---|
| Information Leaflet | Chief Information Officers, Senior Executives | The CSG Information Leaflet is a single-page summary of the key points addressed in the full Technical Publications. The information presented in the Leaflet has been written for CIOs and Senior Executives to efficiently review and determine if there are factors that require consideration for their organizations. The leaflet is written in plain English and, where possible, displays a graphical representation of the information to facilitate its review. |
| Summary Document | Departmental Security Officers | The CSG Summary Document is a review of recommendations contained within the Technical Publication. The Summary is targeted towards Departmental Security Officers to provide an efficient overview of security issues, threats, mitigation strategies and other relevant points of a commercial IT Security technology that may affect their department. |
| Technical Publication | System and Network Administrators, Technical Specialists | The CSG Technical Publication Document is the base document to the CSG suite and contains the most details and information relating to a technology. This guidance document is written primarily for System and Network Administrators and other technical specialists, and aims at giving them the tools to establish and/or strengthen the IT security posture of their environment. |
How do I obtain COTS Security Guidance publications?
CSEC plans to disseminate CSG leaflets and summaries via the CSEC website http://www.cse-cst.gc.ca/its-sti/services/csg-cspc/index-eng.html. In order to obtain copies of the full technical publications, GC departments are asked to contact IT Security Client Services at 613-991-7654 or itsclientservices@cse-cst.gc.ca.
In order to track GC client take-up of security recommendations and to monitor client satisfaction with the program, CSEC will register requests for technical publications and follow up with GC departments to obtain feedback.
What other products or services does CSEC provide for COTS IT Security products?
CSEC also operates managed evaluation services for GC departments including the Canadian Common Criteria Scheme and the Crypto-Module Validation Program. For a database of products evaluated under these programs, please see http://www.cse-cst.gc.ca/its-sti/services/index-eng.html.
For assistance with these programs, or to obtain more information on managing the security of COTS technologies throughout their full life cycle, please contact IT Security Client Services at 613-991-7654 or itsclientservices@cse-cst.gc.ca.