Ministry of Government Services
Ministry Of Transportation
Ontario Photo Card & Enhanced Photo Card
(OPC&EPC)
Conceptual
Threat and Risk Assessment
Prepared By: Corporate Security Branch
Ministry of Government Services
Date Published: Dec 15, 2008
Final Version 2.0
Confidentiality Notice – This document is confidential and concerns the security of Ontario Government property, of
persons and information, and of systems and procedures established by the Ontario Government for the protection of
such persons, property and information.
Draft Version 0.2
Document History and Tracking

Revision | Date | Description of Revision | Pages Affected
V 0.1 | Nov 11, 2008 | Initial draft – Jessica Li | All
V 0.2 | Nov 18, 2008 | Summary and Recommendations – Jessica Li | All
V 0.3 | Nov 19, 2008 | Add recommendation TR-16 and modify TR-03 according to Security Design Specialist peer review input – Jessica Li | All
V 0.4 | Nov 27, 2008 | As per Project Manager Elvin Lam’s request, update the Business Background, as well as Section 2.3 Interfaces etc. – Jessica Li | 7-8, 12-15, 18-20
Final V2.0 | Dec 15, 2008 | Delete recommendation TR-15 because the business decided that any new RFID technology selection is out of scope due to the RFID requirements from WHTI standards; modify recommendation TR-14 because OPC/EPC are under the same program area – Jessica Li | 7-8, 44, 67
Authors and Reviews

Name | Title | Version Reviewed | Date
Jessica Li | BCP & DRP advisor, Corporate Security, MGCS | 0.1 | Nov 12, 2008
Abiodun Oduyemi | BCP & DRP advisor, Corporate Security, MGCS | 0.1 | Nov 12, 2008
Luis Machado | Security Design Specialist, Corporate Security, MGCS | 0.2 | Nov 19, 2008
Table of Contents
TRA Summary .............................................................................................. 5
1.0 Introduction ........................................................................................ 7
1.1 Purpose................................................................................................................ 7
1.2 Background ......................................................................................................... 7
1.3 Scope................................................................................................................... 8
1.4 Assumptions........................................................................................................ 9
1.5 Information Gathering ........................................................................................ 9
1.6 TRA Methodology ............................................................................................ 10
2.0 System Description ........................................................................... 11
2.1 Business Processes............................................................................................ 11
2.2 Conceptual System Overview........................................................................... 16
2.3 Interfaces........................................................................................................... 18
2.4 Asset Description .............................................................................................. 19
3.0 Statement of Sensitivity and Assets ................................................ 21
3.1 Identification of Critical Assets ........................................................................ 21
3.2 Critical Assets and Statement of Sensitivity..................................................... 21
3.3 Sensitivity Assessments .................................................................................... 24
4.0 Threat, Vulnerability and Risk Assessment .................................. 26
4.1 Threat Assessment Summary............................................................................ 27
4.2 Vulnerability and Risk Assessment .................................................................. 32
5.0 Recommendations............................................................................. 38
5.1 Timeframe for Implementation......................................................................... 38
5.2 Recommendations............................................................................................. 40
6.0 Acceptance of Threat Risk Assessment .......................................... 47
Appendix A – Personnel Resources........................................................... 48
Appendix B - Documentation Resources .................................................. 49
Appendix C – Sensitivity Rating Tool and Classification....................... 50
Appendix D – Threat Analysis Criteria.................................................... 52
Appendix E – Vulnerabilities and Safeguards ......................................... 54
Appendix F – Abbreviations ...................................................................... 57
Appendix G – Glossary of Terms .............................................................. 59
Appendix H – Enterprise Architecture Framework ............................... 63
Appendix I – Client Response.................................................................... 64
TRA Summary
This document describes the conceptual Threat Risk Assessment (TRA) of Ontario Photo Card
(OPC) and Enhanced Photo Card (EPC).
The scope of this TRA is limited to the I.T. infrastructure, business processes and personnel
supporting the OPC/EPC services, and to the interfaces through which the Ontario Photo Card and
Enhanced Photo Card services are delivered to Ontarians. The detailed scope of this TRA is
described later in this document.
This TRA follows best practices in IT risk assessment methodology, which requires clear
determination and understanding of the critical assets and the assignment of the relative
sensitivity ratings. The assessment is based on the information obtained from documentation
provided. The level of detail is consistent with the Business Process Model (i.e., Conceptual) of
the Enterprise Architecture Framework as illustrated in Appendix H.
A Statement of Sensitivity assessment was conducted as part of the analysis of information assets
to determine values for confidentiality, integrity and availability. The OPC&EPC data and
infrastructure was rated as High for Confidentiality, High for Integrity and Medium for
Availability, in accordance with the Information Security Privacy Classification standard Injury
Tests.
The recommendations listed below require immediate or short term action in order to mitigate
the identified risks. Items 1 to 7 are recommendations specific to this TRA; the remaining items
are common recommendations. S.14(1)(i)(l) & S. 18(1)(c)(d)
1. Ensure that backups are stored in an encrypted format and ensure the integrity of backup
data. (TR-01)
2. High sensitivity data in transit and in storage must be encrypted. (TR-02)
3. Integrity checks on highly sensitive information should be implemented. (TR-11)
4. Ensure non-repudiation session requirements are met on the interfaces with CBSA
(Canada Border Services Agency) and CPC (Card Production Center). (TR-12)
5. Consult with Archives of Ontario (Records Management Program) and the Cluster on the
development of policies and procedures for the appropriate retention and disposal of data.
(NR-09)
6. Information sent from CPC (Card Production Center) to the MTO Service Management and
Integrity Office containing sensitive OPC/EPC information should be encrypted and
digitally signed. (TR-13)
7. Data segregation must be observed: OPC/EPC information must be kept in databases
separate from those of other Ministry of Transportation programs. (TR-14)
8. The Software Development Life Cycle must be followed through the application development
phase; conduct a code review of the OPC/EPC system. (TR-16)
9. Vulnerability and penetration tests should be conducted prior to implementation, at least
annually thereafter, and whenever major configuration changes or upgrades occur in the
OPC/EPC system. (TR-08)
10. The OPC/EPC system must observe a 3-tiered architecture. Separate Internet user
application access from Intranet application access. (TR-03)
11. Implement application firewalls between the multiple network tiers. (TR-04) Implement
host-based and network-based intrusion detection/prevention services to monitor the
OPC/EPC environment network and data traffic. (TR-05)
12. Password management practices must comply with Government of Ontario ITS
standards. Encrypt the username, password and all instances of recovery questions. (TR-06)
13. Ensure access logs and database audit trails are enabled to track accountability. All access
logs should be centralized on a separate server and be tamper resistant, and logs should be
reviewed periodically, only by authorized staff. (TR-07 & TR-10)
14. Employees and third parties (service providers, vendors and contractors) with
privileged access to OPC/EPC should undergo a security clearance process. (NR-03)
15. Create a security policy and awareness program tailored to the OPC/EPC services,
including Information Security & Privacy Classification (ISPC) policy and procedures.
(NR-06 & NR-07)
16. Develop, implement, monitor and enforce Service Level Agreements (SLA) with CPC,
Service Ontario and all vendors/service providers. (NR-10)
17. Ensure MTO/MGS/Service Ontario/Card Production Center staff and third parties adhere
to proper separation of duties and job rotation practices; RBAC (Role Based Access
Control) should be observed with regard to all levels of access. (NR-04 & NR-05 & TR-09)
18. Develop, implement, test and maintain a Business Continuity Plan, Disaster Recovery Plan
and IT Contingency Plan. (NR-01 & NR-02)
(Please see section 5 for a detailed list of all recommendations) S. 14(1)(i)(l) & S. 18(1)(c)(d)
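As an added illustration of what "tamper resistant" centralized logs (recommendation 13, TR-07 and TR-10) and an integrity check on sensitive records (TR-11) can mean in practice, the block below builds an HMAC-keyed hash chain over operator and card-transaction events and then verifies it. This is example code written for this page, not code from the TRA or from the OPC/EPC project; the log key, the record fields and the sample events are constructed assumptions, and the assumption that the key is held only on the central log server (so an intruder on the application host cannot re-sign edited records) is stated in the code.

```python
"""Tamper-evident audit log: HMAC-keyed hash chain over log records."""
import hashlib
import hmac
import json
from typing import Iterable

# Assumption (not from the TRA): the HMAC key lives on the central log server
# (TR-07), not on the application host that writes events, so an intruder on
# the app host cannot re-sign records after editing them. Demo key only.
LOG_KEY = b"demo-log-key-not-for-production"
GENESIS = "0" * 64  # link value for the first record


def _canonical(record: dict) -> bytes:
    # Canonical JSON so the same event always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _link(prev_mac: str, record: dict, key: bytes = LOG_KEY) -> str:
    # Each record's MAC covers its own content and the previous MAC, so
    # altering, deleting or reordering any earlier record breaks every
    # later link.
    msg = prev_mac.encode() + b"\n" + _canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(chain: list, record: dict, key: bytes = LOG_KEY) -> list:
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"seq": len(chain), "record": record, "mac": _link(prev, record, key)})
    return chain


def verify(chain: Iterable[dict], key: bytes = LOG_KEY):
    """Return (ok, first_bad_seq); first_bad_seq is None when the chain is intact."""
    prev = GENESIS
    expected_seq = 0
    for entry in chain:
        if entry["seq"] != expected_seq:
            return False, expected_seq  # gap: a record was deleted or inserted
        if not hmac.compare_digest(entry["mac"], _link(prev, entry["record"], key)):
            return False, entry["seq"]  # content or MAC of this record was altered
        prev = entry["mac"]
        expected_seq += 1
    return True, None


# Constructed sample events (not from the TRA) in the shape of the operator
# activity and card-transaction records the document says must be logged.
SAMPLE_EVENTS = [
    {"ts": "2008-12-15T09:00:01", "operator": "csr042", "action": "register", "card": "OPC-000001"},
    {"ts": "2008-12-15T09:05:12", "operator": "csr042", "action": "approve", "card": "OPC-000001"},
    {"ts": "2008-12-15T09:07:40", "operator": "admin07", "action": "user.create", "target": "csr099"},
    {"ts": "2008-12-15T09:09:03", "operator": "csr017", "action": "cancel", "card": "OPC-000001"},
]


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    return chain


def tamper_edit(chain: list) -> list:
    # An insider rewrites who cancelled the card; the MAC no longer matches.
    bad = json.loads(json.dumps(chain))  # deep copy
    bad[3]["record"]["operator"] = "csr042"
    return bad


def tamper_delete(chain: list) -> list:
    # An insider removes the user.create event; the sequence gap exposes it
    # and the next record's link would fail as well.
    bad = json.loads(json.dumps(chain))
    del bad[2]
    return bad


if __name__ == "__main__":
    good = build_sample_chain()
    print("intact:", verify(good))
    print("edited:", verify(tamper_edit(good)))
    print("deleted:", verify(tamper_delete(good)))
```

The chain only makes tampering detectable; it does not prevent it. Truncation of the newest records is the one change this structure cannot see on its own, so the central server should also record the latest MAC and sequence number out of band (for example in a periodic signed checkpoint), and the reviewing staff should compare against that.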
Conclusion
If the above recommendations, together with other safeguards described later in the document,
are adopted, it is estimated that the residual security risk would be reduced to an acceptable level.
Please note, the mitigation or acceptance of the risks and recommendations outlined in this TRA
are the responsibility of the Program Area.
1.0 Introduction
1.1 Purpose
In March 1998, and revised in August 2005, Management Board Secretariat (MBS, now Ministry
of Government and Consumer Services, MGCS) issued an Information and Information
Technology Security Directive. The purpose of the Directive is to protect information and
information technology resources with reasonable security measures, to a degree that ensures that
the Government meets its legal and practical business obligations.
The Directive prescribes a Risk Management Framework that requires ministries and agencies to:
• Assess risks at the program level, considering potential threats, the likelihood of
occurrence of these threats, and their resulting impact;
• Where possible, reduce risks through system or organizational design; and
• Implement security measures to reduce the remaining risks to an acceptable level.
1.2 Background
In 2004, responding to recommendations from the 9/11 Commission, The United States (US)
government passed the Western Hemisphere Travel Initiative (WHTI) under the Intelligence
Reform and Terrorism Prevention Act. The law requires all travellers entering the United States
to produce a passport or other accepted secure document (such as NEXUS card, Enhanced
Driver’s License) that establishes the bearer’s identity and citizenship.
WHTI is being implemented in phases: Rules for entry to the US by air came into effect January
23, 2007. U.S. Department of Homeland Security announced the WHTI Final Rule for Land and
Sea on March 27, 2008 indicating that the rules for entry by land and sea will be fully
implemented by June 2009.
Treasury Board/Management Board of Cabinet (TBMBC) has approved funding for MTO to
develop and implement a new, voluntary Ontario photo card for non-drivers and Enhanced photo
card to be used for US land and sea (water) border crossings. S.12(1)
The photo card is used as an alternative to a passport and to the Enhanced Driver’s Licence. The
Enhanced Photo Card is an extension of the Ontario Photo Card. It will be built on the current
Driver Licence model, and the RFID technology embedded in the card is intended to expedite
border crossings and facilitate unplanned and frequent travel across the border to and from Canada.
MTO is working with Service Ontario on deployment and delivery through publicly operated
Service Ontario offices.
The photo card will include the holder's name, photo, signature, address, gender, date of birth, etc.
For fraud prevention reasons, and so that the enhanced products meet WHTI requirements, an
individual will not be able to hold both a DL and a photo card simultaneously. To obtain an
OPC/EPC an individual must be 12 years or older and must not already possess a DL, EDL, OPC
or EPC.
EPC is for Canadian citizens who reside in Ontario. Similar to the EDL program, enhanced photo
card applicants will be required to sign a consent form before screening begins. Consent
acknowledges full understanding of enhanced photo card requirements and authorizes staff to
verify records and share personal information with CBSA to disclose to the US border authorities.
Fraud prevention will be paramount throughout the photo card and enhanced photo card
processes. An individual will not be able to obtain both a DL and a photo card simultaneously.
This limits to one the number of identification products an individual could obtain from the same
authorized source, which otherwise could become a one-stop shop for criminals. The enhanced
photo card application screening process will include a combination of document verification,
record verification, and an interview to confirm an applicant’s identity. All documents will be
photocopied or imaged to provide a complete account for audit, evaluation, and fraud
investigation purposes. An applicant will be denied a photo card or enhanced photo card if fraud
is suspected. Photo comparison technology will be implemented at the same time as the EDL
program. When implemented, a background one-to-many facial comparison process will be
carried out on photo card applicants prior to card production. The purpose of this is to reduce the
likelihood of more than one photo card being issued to the same person under different identities.
Fraud prevention will also be prevalent in the card production, inventory management and
staffing aspects of the photo card processes. Production security measures, auditing practices and
staff security checks will be in place to address these concerns.
Photo comparison technology (PCT) will be implemented as a fraud prevention and risk
mitigation measure. PCT does not mean the collection of new information about a driver. The
photo comparison process is simply enhanced using new technology, as opposed to the current,
inefficient and time consuming manual verification process. One method converts a driver’s
photo image by means of a mathematical, computer algorithm into a set of numbers as a basis for
recognition. Once the facial image is captured, the system takes a series of measurements and
calculates a “template”. The “template” is then compared to the existing database of DL image
values. If there is a match with an existing image “template”, then the information is added to an
image verification list that must be further reviewed and verified by a staff member before the
DL, EDL, Photo Card or Enhanced Photo Card is produced. PCT will be an acquired solution
and MTO will work with the successful vendor acquired through a competitive procurement
process to integrate PCT into the current driver licensing and future photo card computer systems.
PCT implementation would be aligned with the EDL program targeting December 2008. PCT is
passive and non-intrusive for customers. There is no additional skill or training requirements for
front-line service providers. PCT is scalable to a very large database.
Please note that Photo Comparison Technology (PCT) is a dependency of this project and PCT is
analysed in a separate TRA from OPC&EPC.
1.3 Scope
This TRA deals with conceptual design and associated business processes.
The scope for the OPC and Enhanced PC TRA will include:
• Business processes and business data supporting the OPC&EPC project
• I&IT infrastructure that supports the OPC&EPC project: Ontario Photo card Registration
systems and Databases, changes made on web servers, security database, Reporting and
Audit Database, Card Ordering System - which accommodate both Ontario Photo Card
and Enhanced Photo card
• Users and technical personnel supporting OPC/EPC card system life cycle
• MTO RUS Service Delivery Channel with Service Ontario
• Electronic interfaces to/from OPC/EPC systems: PCT Systems, Photo Storage Database,
ICMS (Image Capture Management System), Card Production Server, CBSA, Driver
License System, ORG Server, Scheduling Server, EPP system, Service Ontario counter
(workshops)
It is noted that other OPC business processes, although out of scope for this TRA, may be
included in future OPC TRA iterations.
The following systems will not constitute part of the scope:
• Service Ontario Applicant Registration System
• Service Ontario Scheduling Service
• Electronic Payment System (EPP)
• Photo Storage Database Server
• Photo Comparison Technology (PCT)
• Physical ITS Data Centre;
• Card Production Center Systems (G&D)
• Canada Border Services Agency System ( CBSA)
In addition, the business unit has determined that the consideration and procurement of new RFID
technology with more security features built in is out of scope of this TRA, because of the
specific requirements for RFID technology under the Western Hemisphere Travel Initiative (WHTI).
A detailed list of critical OPC&EPC system assets is provided in Section 3.0.
1.4 Assumptions
This TRA is based on the following assumption:
• Information collected from documentation and the workshop session represent an
accurate depiction of the OPC&EPC system and environment.
1.5 Information Gathering
Information for the TRA was gathered through documents provided by the OPC&EPC TRA
participants and at the workshops held on Oct 21st, 2008 and Oct 28th, 2008 at 1201 Wilson Ave,
Toronto with the OPC & EPC project team. For a complete list of participants please see Appendix
A – Personnel Resources.
1.6 TRA Methodology
The process used for the TRA is aligned with the Government of Ontario MGCS TRA
Guidelines. The process also borrows from the Royal Canadian Mounted Police (RCMP) and
Communications Security Establishment (CSE) methodologies. The best practices of Canadian
Industry and Federal Government will be used when specific Government of Ontario criteria are
not available. This overall methodology combines the best elements for the threat and
vulnerability analysis.
1.6.1 TRA Phases
The major phases of this TRA methodology are:
Phase 1: TRA Preparation and Planning
• Define business scope and parameters of the TRA;
• Consult appropriate personnel; and
• Identify and document all non-I&IT assets, especially those of a sensitive nature.
Phase 2: TRA Analysis
• Identify and document I&IT assets and other sensitive assets, evaluate sensitivity in
relation to Confidentiality, Integrity, Availability, Accountability and Non-repudiation;
• Identify threat agents and assess the likelihood and consequences of compromise of the
assets being assessed;
• Quantify the risk by identifying likely threat events (a specific threat acting on a
vulnerability in an asset); and
• Quantify the risk against the existing or proposed safeguards.
Phase 3: TRA Recommendations
• Suggest a plan of action of recommended safeguards based on the level of acceptable risk
determined by the TRA.
2.0 System Description
2.1 Business Processes
This section provides a high level description of the business processes and supporting workflows
in scope of this assessment in order to provide a business context for Ontario Photo Card and
Enhanced Photo Card services.
Table 1: OPC/EPC Business Process and Supporting Workflow
(Each function is followed by its description.)

Request Authorized Product
After the applicant chooses the type of service, they proceed to Request Authorized Product. The applicant has a choice of:
• Book an interview
• Pre-submit an application online, or
• Book an exam (out of scope for this project, but in context for this model)

Register for Photo Card and Enhanced Photo Card
• Individual choice / request for a card.
• Assumes that registration may take place at any or all Service Ontario Centres
• Photo and signature required
• Integration with workstation applications, e.g. PINPADS, will be required
• DL eligibility check required, i.e. ability to verify that the applicant is NOT a DL card holder

Online Application
• Ability to complete the application online

Document Capture
• Ability to scan documents upon registration.
• As PHOTO data must be kept separate from DL data, this requires an additional subset of the Image database

Renew Cards
• Individual engaged in renewal to retain card
• New photo and signature required
• Generation of renewal notices required (renewal postcard can be used instead of letter)
• DL eligibility check required

Reactivate Cards
• Individual engaged in reactivation, which occurs if a card is inactive.
• New photo and signature required if the reactivation coincides with the renewal period.
• DL eligibility check required

Replace Cards
• Individual request for replacement of card
• New photo and signature required if the replacement coincides with the renewal period.
• DL eligibility check required

Cancel Card
• Individual may request cancellation
• MTO (for example in case of fraud) requests cancellation of the Photo Card. In this case, a notice may need to be sent to the holder if the card is cancelled by MTO
• NO refunds if card cancelled prior to expiry
• Auto-cancel (of application) functionality required

Revoke Enhanced Card
MTO receives notification that an enhanced card holder/applicant:
• is not a Canadian Citizen
• has restrictions
• has invalid birth information
When the notification is received:
• If an application, the application is cancelled and status updated.
• If a card request, the request is cancelled and status updated.
• If a produced card, the card vendor destroys the card, MTO updates card status and notifies CBSA
• If a delivered card, MTO retrieves and destroys the card, MTO updates card status and notifies CBSA

Change Information
The applicant is changing personal information:
• Name (Channel – OTC only)
• DOB (Channel – OTC only)
• Gender (Channel – OTC only)
• Proper documentation would need to be presented, verified, and captured
• Requesting a new photo

Approve Card
After New Card, Renew Card, Replace Card or Change Information, MTO processes the card as follows:
• Receives card data
• Creates card request
• Sends card request data to PCT
• Receives PCT results
• Sends card request to card vendor

Card Production
The card vendor processes the card request as follows:
• Confirms receipt of card request to MTO
• Produces card
• Notifies MTO card produced
• Purges applicant information

Card Delivery
The card is delivered as follows from the card vendor:
• MTO notified card shipped
• Post Office delivers non-enhanced cards
• Secure couriers deliver enhanced cards to:
  a. Applicant’s home
  b. Card service provider
  c. Redirected address
  i. If delivered to applicant’s home, applicant signs for card
  ii. If delivered to card service provider, applicant is called to pick up card; if applicant picks up card, applicant signs card and their signature and photo are verified by the card service provider
• If a card is undeliverable, the card is returned to MTO
  d. If the undeliverable card is an enhanced card, MTO notifies CBSA.
• MTO destroys the card

Administrative Portal / User Management
• To provide ‘super user’ functionality. May be for Hotline (MGCS), IRP and/or some other ‘Head Office’ functionality
• Ability to manage users
• Sub-functions: create, update, view, delete / expire, search.

Perform Enquiry (Search)
• Ability to enquire about a card holder using holder name and/or card number
• Capability to retrieve registrant information including photo and card history
• For internal use: potential for head office staff / power user to enquire upon different fields or combinations of fields. Includes customer care support functions.

Generate Reports
• Requires development of operational reports as well as interfacing with the MIS warehouse
• Ability to capture card status, report on which cards have failed, etc. This is required because each card is considered a stock item and each card is paid for to G&D.

Transaction / Application Logging
Record the following:
• Fees collected – fee based on transaction type
• Operator activity
• Card transactions
• Application/Audit Tracking (Requests, Events) (this exists for the new DL card, but would need to be modified for Photo Card and Enhanced Photo Card)

Security
• Authentication and Authorization

Card Ordering & Audit Reconciliation System
• Card requests for cards to be processed, batched and sent to CISS (via SFTP)

Send Closeout Transactions
• DL Closeout transactions to be sent to other provinces when an applicant requests a photo card or enhanced photo card. It is assumed that the individual must cancel their DL card separately through the service provider (GIC, PIN, etc.) before they will be eligible to receive the card. Likewise the individual must cancel/inactivate their photo card separately.

Process Death Data
• Death data from ORG to be uploaded and processed in the system to match against photo card and enhanced photo card holders.
• Registrant status may be updated as a result

Financial Reconciliation
• Assumes that there will be deferred revenue.

Modifications to Driver Transactions – Application, Renewal, Replacement, Reinstatement
• Modification of functionality on the driver’s system to allow the capability to verify that the applicant is not a photo card holder.
• Communication between the mainframe and mid-tier will be required.

Capture Repudiated Information
• Ability to capture information on lost, stolen, cancelled, deactivated, returned cards (at OTC locations, by internal staff)
• Ability to query for repudiated information at over the counter locations, by internal staff
• Associate repudiated information with the Photo Card record
2.2 Conceptual System Overview
The OPC&EPC system would be a new mid-tier application deployed with a new web-based
front end for the service providers and an enhancement to the DL card production back end. The
new system will not be built as part of the existing Licensing and Control System (LCS) to align
with the Transportation IT Cluster’s vision to modernize RUS systems rather than deploy on an
aged system (LCS) that has been slated for replacement.
OPC / EPC Registration System Functions:
Application/Registration/Renewal/Cancellation
Process online Ontario Photo Card Pre-Applications
Register Ontario Photo Card applicants
Register Enhanced Photo Card applicants
Handle renew/replace/cancel transactions
Initiate Card Order Requests
Data Change
Perform data change (name, address, DOB)
Registrant Inquiry
Search for registrants, by name and ID
Retrieve registrant information, including registrant photo and history
Payment Processing
Record payments
Log Generation
Write Operator Logs and Business Event Logs
Security
Authentication / Access Control / User Admin
Audit
Write Audit Events
Access / Review Audit Events
S.14(1)(i)(l) & S.18(1)(c)(d)
Similar to the plans for the EDL, the new database will be able to track lost, stolen, surrendered,
rescinded and returned photo cards and enhanced photo cards and CBSA will be advised about
new enhanced photo cards issued upon confirmation of successful production from card
production. Changes in the status of the enhanced photo card of interest to border crossing
privileges will be provided to CBSA in real-time or near-real-time. CBSA will share this
information with DHS through a secure channel. Enhanced photo card information will be
retained in a secure database held in Canada by the CBSA. DHS will only access the information
if the person presents the card to cross the border to determine eligibility to enter/remain in the
US. Information will be limited to what is needed for the intended purpose.
2.3 Interfaces
The OPC/EPC System will connect to the other systems described below. Additional linkages may
be needed for the enhanced photo card, but these cannot be determined until all the OPC/EPC
requirements have been developed and successfully implemented in 2008. For this conceptual TRA,
the project team has determined that some of the interfaces shown in the following table, such as
the Inter-provincial Record Exchange and the ORG exchange, are out of scope at this time.
Table 2: OPC/EPC Interfaces

# | Interface From | Interface To | Required Description | Functional Requirement Supported by Interface
1 | Photo Card System using Customer Service Representative (CSR) Workstations | Credit Card Application | For payment processing. | Register for Photo Card; Renew Photo Card; Replace Photo Card
2 | Image Capture Application using CSR Workstations | Photo Card System | To send photo & signature | Register for Photo Card; Renew Photo Card; Replace Photo Card
3 | Photo Card System | CISS | To send photo & signature | Register for Photo Card; Renew Photo Card; Replace Photo Card
4 | Photo Card System | Driver LCS System | To verify that applicant is not a holder of an active Ontario Driver Licence card | Register for Photo Card; Renew Photo Card; Replace Photo Card
5 | Photo Card System | Inter-provincial Record Exchange | To verify whether individual holds a DL Card in another province. This can only be carried out if the individual provides their DL # from that other jurisdiction. | Perform Enquiry (Search)
6 | Photo Card System | MIS | For generation of management reports | Generate Reports
7 | Photo Card System | Audit Database | For transaction and application logging | Transaction / Application Logging
8 | Photo Card System | Card Order System and Audit & Reconciliation Database | For Photo Card requests to be processed, batched and sent to Card Order System | Card Ordering & Audit Reconciliation System; Card requests
9 | ORG | Photo Card System | Death data to be received from ORG | Process Death Data
10 | Driver LCS | Photo Card | To check that DL applicants do not hold a Photo Card | Modifications to Driver Transactions - Application, Renewal, Replacement, Reinstatement
2.4 Asset Description
The following section describes some of the assets listed in the Inventory of Information and
Assets:
OPC/EPC Program Information: Includes blank forms, in electronic and hard copy, that the
OPC/EPC applicant fills in at Service Ontario; guides for applicants on how to apply and Service
Ontario contact information; and internal policy information on how to recognize and deal with
fraud, which is available only to a specific group within Service Ontario.
OPC/EPC Applicant: Includes Applicant Personal Data, Applicant Photo Image Data,
Applicant Signature Data and Applicant Supporting Document (Personal Data).
Applicant Personal Data: Personal data of the applicant required for producing the Ontario Photo
Card and Enhanced Photo Card, such as Name, DOB, Gender, Height, Signature, Citizenship Status
and Citizenship Status Data.
Photo Image Data: The photo used for the OPC/EPC, in digital and hardcopy format.
Signature Data: The signature used for the OPC/EPC, in paper and digital format.
Applicant Supporting Document: An accepted certified document issued by a Government to
prove the applicant's identity when applying for the OPC/EPC card, such as a copy of a valid birth
certificate; it is scanned and kept at Service Ontario.
EPC Appointment: Appointment time for the EPC applicant. It includes Name and Contact Details
(Date, Time Slot and Location), Contact Purpose Description and Comment Text.
Payment Outcome Information: Used to determine whether the applicant has paid the fees for
the OPC/EPC; includes the Transaction Reference Number and Status information.
Eligibility (Determined at Appointment): Includes the eligibility criteria to apply for the
OPC/EPC card, which should be public knowledge, and the eligibility result, which tells the EPC
applicant whether he/she qualifies for the EPC card after the appointment with Service Ontario
personnel.
Fraud Detection: The applicant's personal data and image data are collected and run through
PCT (Photo Comparison Technology) to prevent fraud; the Image Review result is then
produced.
Card Production Data: The information needed to produce a physical card at the CPC
(Card Production Center), together with the information used to keep track of blank card stock
and card status.
Document Control Number: Unique Document Control Number used to track and account for
the card stock.
RFID data: MTO will store the RFID# and send it to the Canada Border Services Agency (CBSA).
This unique number is associated with the personal data on the card and allows MTO, CBSA or
partners with access to the database to obtain and validate the information on the physical card.
Card Design Specifications: Includes the security features of the cards: RFID chips and features
that enhance the tamper resistance of the cards, as well as Hologram, Violet Ink Printing, Micro
Printing and Multi Colour Anti-Counterfeit Printing, which discourage falsified document production.
Card Production Result: The card status, which must be reported to CBSA within one day
(Card Ready, Card Assigned, Card Destroyed, Card Returned, Card Rejected, Card at Backup
Facility, Card Manufacturing Defect, Card Destroyed).
Machine Readable Zone Data: Data printed on the card that requires special software and hardware
to read. It is intended to contain the same information as the face of the card and is
associated with the RFID#.
Audit and Reconciliation Data: Used to account for system access, physical access to
facilities, controlled stock and lifecycle management for all of the above.
Authentication Credentials: Passwords, IDs, encryption keys and certificates (where applicable)
used to secure access to, and information on, the system.
3.0 Statement of Sensitivity and Assets
3.1 Identification of Critical Assets
A clear determination and understanding of the relevant assets must first be achieved
before the relative sensitivities can be determined. Assets are divided into two main
categories: intangible assets (primarily information) and tangible system assets.
3.2 Critical Assets and Statement of Sensitivity
Table 3: Inventory of Information and Assets - Statement of Sensitivity

Asset / Information | Confidentiality (H/M/L) | Integrity (H/M/L) | Availability (H/M/L) | Authentication (√/X) | Non-Repudiation (√/X)

[Tangible Assets - Data/Form/Report/Other]
OPC/EPC Program Information
Blank Application Forms (electronic, paper) | U | M | L | X | X
Process Information (How to apply, S.O. locations, contact methods, etc.) | U | M | L | X | X
Policy Information | M | M | U | X | X
OPC/EPC Application
Applicant Personal Data | H | H | L | √ | X
Applicant Photo Image Data | L | H | L | √ | X
Applicant Signature Data | H | H | L | √ | X
Applicant Supporting Documents (Personal Data) | H | H | L | √ | X
EPC Appointment
Appointment Personal Data | M | M | L | √ | X
Appointment Information | L | M | L | √ | X
Payment
Payment Outcome Information | L | M | L | √ | X
Eligibility (Determined at Appointment)
Eligibility Criteria | U | M | L | X | X
Eligibility Result | M | M | L | √ | X
Fraud Detection
Applicant Personal Data | H | H | L | √ | X
Applicant Photo Image Data | L | H | L | √ | X
Fraud Detection Result | M | M | L | √ | X
Card Production
Applicant Personal Data | H | H | L | √ | X
Applicant Photo Image Data | L | H | L | √ | X
Applicant Signature Data | H | H | L | √ | X
Card Identifier (Document Control Number) | L | M | L | √ | X
Card Security Identifier (RFID) | L | M | L | √ | X
Card Design Specifications | M | M | U | X | X
Card Production Result | M | M | M | √ | √
CBSA
Applicant Personal Data | H | H | L | √ | X
Applicant Photo Image Data | L | H | L | √ | X
Card Identifier (Document Control Number) | L | M | L | √ | X
Card Security Identifier (RFID) | L | M | L | √ | X
CBSA Transfer Result | M | M | M | √ | √
Reporting & Audit
Audit and Reporting Data (read-only) | M | M | L | √ | X
Driver Enquiry
Applicant Personal Data | H | H | L | √ | X
Driver Enquiry Result | M | M | L | √ | X
Stock
Returned OPC/EPC Card Information | M | M | M | √ | X
Audit Logs | M | M | L | √ | X

[Tangible Assets - Hardware]
Web Server | N/A | N/A | M | |
Application Server | N/A | N/A | M | |
Database Servers | N/A | N/A | M | |
Card Ordering System | N/A | N/A | M | |

[Tangible Assets - Software]
Web Server Application | N/A | N/A | M | |
OPC/EPC Registration System | N/A | N/A | M | |
OPC/EPC Registration Database | N/A | N/A | M | |
Reporting and Card Audit Database | N/A | N/A | M | |
Security Database | N/A | N/A | M | |

[Personnel]
CSR (Service Ontario Customer Service Rep) | N/A | N/A | M | |
Head Office Access (MTO/MGS) | N/A | N/A | M | |
System Admin | N/A | N/A | M | |
DB Admin | N/A | N/A | M | |
Network Admin | N/A | N/A | M | |
Technical Support Staff such as Vendor/Contractor | N/A | N/A | M | |
Business Support Staff | N/A | N/A | M | |
CPC Staff/Contractor | N/A | N/A | M | |
PCT Fraud Prevention Staff | N/A | N/A | M | |

[Physical Facility Locations]
ITS Data Centre Facilities | N/A | N/A | M | |

Legend
H = High; M = Medium; L = Low; N/A = Not Applicable; √ = Required; X = Not Required
3.3 Sensitivity Assessments
Sensitivity ratings are assigned to each critical asset (as High, Medium or Low) through a process
of determining the severity or nature of harm that may result if the asset was to become
compromised in some way. The impact assessment matrix to guide sensitivity rating is contained
in Appendix C – Sensitivity Rating Tool and Classification.
3.3.1 Confidentiality Considerations
The information or data must be protected from unauthorized disclosure or viewing while
it is being stored, processed or transmitted. The protection is against access by
unauthorized individuals. The information in the data files for OPC&EPC, and backup
data are considered to be of High sensitivity.
A loss of confidentiality at any stage in the information life cycle could also result in the
following range of impacts:
• Loss of personal and individual privacy;
• Embarrassment to the program, the Ministry and the Ontario Government at large
due to criticism of mishandling sensitive data; and
• Loss of confidence in the OPS IT systems if confidentiality is compromised.
3.3.2 Integrity Considerations
Integrity is the accuracy and completeness of information and assets and the authenticity
of transactions. The integrity requirement of OPC&EPC is High sensitivity. Accuracy of
information within this environment is critical because it relates to the applicant's
personal identification data.
The impact of not maintaining the integrity of information assets could range from:
• Loss of accuracy and usefulness in OPC/EPC systems;
• Loss of confidence in the OPS IT systems if integrity is not maintained; and
• Embarrassment to the program, the Ministry and the Ontario Government at large
due to criticism of mishandling sensitive data.
3.3.3 Availability
Availability is the accessibility of systems, programs, services and information to
authorized users when needed and without undue delay. The availability requirements
for the OPC&EPC services are considered to be Medium. In respect to availability, the
definition of Medium is "Not more than 1 day of interruption during regular business
hours".
3.3.4 Accountability Considerations
Accountability means that measures are in place to ensure that the person(s) having
control over the information or entity may be identified, authenticated and held
responsible for their actions. Accountability is inherent in the confidentiality value.
Users of the OPC&EPC systems must be authenticated and authorized to the service, and
audit records must be created based on this authentication and authorization. The OPC&EPC
registration and enrolment process is a crucial process which should be secure and
auditable to minimize the possibility of fraud, on top of utilizing Photo Comparison
Technology.
3.3.5 Non-Repudiation Considerations
Non-repudiation is the capability that guarantees a message or data can be proven to
have originated from a specific person or system. In the workshop sessions, it was
established that this level of assurance is required for the linkage from OPC&EPC to
the CPC (Card Production Center) and the CBSA (Canada Border Services Agency).
4.0 Threat, Vulnerability and Risk Assessment
The threat analysis determines what threat agents to protect against and which of the identified
threats are of the greatest concern to the OPC&EPC service. The threat analysis is presented as
relevant high-level threat scenarios that would adversely affect the critical assets. The threat
scenarios will target confidentiality, integrity and availability. Postulating how these threat
events occur assists in identifying possible threat agents. Threat information was collected during
the information gathering session as described in Section 1.5.
A vulnerability is a characteristic, attribute, or weakness of any asset within a system or
environment that increases the probability that a threat event occurs or the severity of its
effects in causing harm (in terms of confidentiality, availability and/or integrity). The presence of
a vulnerability does not in itself cause harm; a vulnerability is merely a condition or a set of
conditions that could allow assets to be harmed by an attack. The vulnerabilities of the system
are first assessed assuming there are no existing safeguards. This is followed by an analysis to
establish the risk after considering existing safeguards.
Vulnerabilities may be mitigated through good policy, awareness and well-defined procedures.
However, good work habits and understanding are not enough to thwart all technology-based
vulnerabilities. For this reason, the examination of vulnerabilities has focused on both non-
technical and technical weaknesses.
The Vulnerability and Risk Assessment Table takes into account the current safeguards in place.
Detailed threat, vulnerability and risk information is presented in the following
TRA Work tables.
4.1 Threat Assessment Summary
[Original pages marked S.14(1)(i)(l) & S.18(1)(c)(d)]

# | Threat Agent | Threat Class (Intent) | Threat Event (Mode) | Asset | By means of | Likelihood of Occurrence | Loss of Confidentiality (Y/N) | Loss of Integrity (Y/N) | Loss of Availability (Y/N) | Impact | Threat Exposure Rating
1 | Natural Disaster | Inadvertently | Cause(s) the loss of | ITS Data Centre | Flood or Fire | M | N | N | Y | H | 7
2 | Hardware failure | Inadvertently | Interrupt(s) | OPC/EPC System | Disk Failure | M | N | N | Y | M | 6
3 | Service provider | Inadvertently | Disclose(s) | Backup tapes | Lost backup tapes | M | Y | N | N | H | 7
4 | Hacker | Deliberately | Compromise(s) | All Information Assets | Exploit of Network/Server vulnerabilities | M | Y | Y | Y | H | 7
5 | System Administrator | Deliberately | Disclose(s) | All Information Assets | Privilege abuse and unauthorized use | M | Y | Y | Y | H | 7
6 | DB Administrator | Deliberately | Disclose(s) | Applicant Personal Information | Unauthorized use and disclosure | M | Y | N | N | H | 7
7 | DB Administrator | Inadvertently | Disclose(s) | OPC/EPC Registration Database | Privileged access to high-sensitivity data | L | Y | N | N | H | 4
8 | Disgruntled employee | Deliberately | Modify(ies) | Applicant Personal Information, RFID#, MRZ, Card Production Result, Fraud Detection Result | Shoulder surfing, password guessing/attack to gain access to the database, PCT result etc. | M | Y | Y | N | H | 7
9 | MTO RUS Staff | Inadvertently | Disclose(s) | Applicant Personal Information, MIS Auditing and Report | Social engineering attack, improper handling of High/Medium sensitivity information | M | Y | N | N | H | 7
10 | Special interest group | Deliberately | Intercept(s) | CBSA Received Data, Card Production Data, Application Personal Information | Intercept and modify the data in transit | M | Y | Y | N | H | 7
11 | Hacker | Deliberately | Modify(ies) | Document Control Number, RFID and Card Production Result | Intercepted and modified email from the external Card Service Provider sender to MTO RUS recipients (packet sniffing) | M | Y | Y | Y | M | 6
12 | Disgruntled employee | Deliberately | Compromise(s) | OPC/EPC Applicant Personal Information | Password guessing or sharing of authentication credentials to access the CISS (Central Image Storage Site) Photo Server | M | Y | N | N | H | 7
13 | Card Production Center Staff | Deliberately | Compromise(s) | OPC/EPC Program | Lack of a strong security program and lack of due diligence | M | Y | N | N | H | 7
14 | Service Ontario Counter Staff | Deliberately | Compromise(s) | OPC/EPC Program | Collusion | L | Y | Y | N | H | 4
15 | Business Partner | Deliberately | Disclose(s) | OPC/EPC Applicant Personal Information | WHTI partners may provide MTO personal data to other law enforcement agencies in partner countries. Data security levels in other jurisdictions are not known with certainty. | L | Y | N | N | H | 4
16 | Criminal Elements | Deliberately | Disclose(s) | EPC RFID Number | Vicinity RFID number can be read from a fair distance (up to 20-30 feet away) | M | Y | N | N | M | 6
17 | Criminal Elements | Deliberately | Compromise(s) | EPC Card Security Feature | Manufacturing a fraudulent card in which all the current security features, such as Hologram, Violet Ink Printing, Micro Printing and Multi Colour Anti-Counterfeit Printing, are circumvented | L | Y | Y | N | H | 4
18 | Malicious code | Deliberately | Interrupt(s) | OPC/EPC system | New code may contain vulnerabilities that can be exploited by a virus, Trojan or worm, or by attackers. | M | Y | Y | Y | H | 7
19 | Service provider | Inadvertently | Disclose(s) | OPC/EPC Applicant Personal Information | Lack of policy and procedure to handle Personal Information records retention and disposal | H | Y | N | N | H | 9
4.2 Vulnerability and Risk Assessment
[Original pages marked S.14(1)(i)(l) & S.18(1)(c)(d)]

REF NO. | Threat Agent and Class / Threat Event | Asset | Threat Exposure Rating | Vulnerability Description | Existing Safeguards | Existing Safeguard Effectiveness | Vulnerability Level | Risk Level | Recommended Safeguards | Projected Safeguard Effectiveness | Projected Risk Level
1 | Natural Disaster Inadvertently Cause(s) the loss of | ITS Data Centre | 7 | Inadequate Disaster Recovery Planning and Business Continuity Planning | None | N | M | 5 | NR-01 (BCP/DR Planning) | H | 2
2 | Hardware failure Inadvertently Interrupt(s) | OPC/EPC System | 6 | Inadequate Contingency Plan, including hardware redundancy | Backup Data | L | M | 4 | NR-02 (IT Contingency Planning); NR-09 (SLA/MOU) | H | 2
3 | Service provider Inadvertently Disclose(s) | Backup tapes | 7 | Information on backup tapes is not encrypted | None | L | M | 5 | TR-01 (Encryption of backup data); NR-09 (SLA / Non-Disclosure) | H | 2
4 | Hacker Deliberately Compromise(s) | All Information Assets | 7 | Inadequate detection of network probing and internal port scanning; inadequate inspection of malicious encrypted network traffic | Multiple layers of firewalls within OPS, access controls, auditing | M | M | 4 | TR-03 (N-Tier Architecture); TR-04 (Application Firewalls); TR-05 (Host and Network based IDS/IPS); TR-06 (GO-ITS Password Standards); TR-07 (Access Logging and Centralization); TR-08 (Vulnerability and Pen-Test) | H | 2
5 | System Administrator Deliberately Disclose(s) | All Information Assets | 7 | Unmonitored privileged access; inadequate logging and effective monitoring | Hiring practices, Oath, logs | M | M | 4 | NR-03 (Security Clearance); NR-04 (Separation of Duties); TR-07 (Access Logging and Centralization) | H | 2
6 | DB Administrator Deliberately Disclose(s) | Applicant Personal Information | 7 | Account not removed upon role change, lack of process, broad access rights | Hiring practices, Oath, DB auditing logs | M | M | 4 | NR-03 (Security Clearance); TR-09 (RBAC); TR-10 (Database Audit Trail) | H | 2
7 | DB Administrator Inadvertently Disclose(s) | OPC/EPC Registration Database | 4 | High-sensitivity data are stored unencrypted in the DB | Limited DBA group | M | H | 3 | NR-06 (Security Awareness Training); TR-02 (Encrypt any high-sensitivity data stored in the DB) | H | 2
8 | Disgruntled employee Deliberately Modify(ies) | Applicant Personal Information, RFID#, MRZ, Card Production Result, Fraud Detection Result | 7 | High-integrity data are stored without an integrity check; for example, changing the RFID#, MRZ data or other MTO personal data in the database could render the finished EPC card and the process in CBSA unusable, diminishing faith in the system. | Limited DBA group | M | M | 5 | TR-11 (Integrity Check) | H | 2
9 | MTO RUS Staff Inadvertently Disclose(s) | Applicant Personal Information, MIS Auditing and Report | 7 | Lack of security awareness training and ISPC Operating Requirements training | Unknown | N | M | 5 | NR-06 (Security Awareness Training); NR-07 (ISPC Training, Labelling, Handling, Disposal and Classification) | H | 2
10 | Special interest group Deliberately Intercept(s) | CBSA Received Data, Card Production Data, Application Personal Information | 7 | Inserting a false data stream into the transmission to CBSA, coupled with a falsified card, would result in circumventing the entire EPC enrolment process | Proposal to use secure channels over Internet/GO-Net/Intranet | M | M | 4 | TR-02 (Encryption of any High Sensitivity data in transit); TR-12 (Non-repudiation) | H | 2
11 | Hacker Deliberately Modify(ies) | Document Control Number, RFID and Card Production Result | 6 | Email content and attachments sent over the Internet in plain text are vulnerable to session hijacking, unauthorized access and modification because the email traverses an untrusted network | Unknown | N | M | 5 | TR-13 (Re-engineer email process into secure channel) | H | 2
12 | Disgruntled employee Deliberately Compromise(s) | OPC/EPC Applicant Personal Information | 7 | Gaining unauthorized access to the photo server (Central Image Storage Site - CISS) database will grant a malicious employee access to potential DL/EDL/OPC/EPC confidential information if these are not separated on their own service platform database | Project requires the capability to differentiate between DL and PHOTO CARD for storage | M | M | 4 | TR-09 (RBAC); TR-14 (Data segregation) | H | 2
13 | Card Production Center Staff Deliberately Compromise(s) | OPC/EPC Program | 7 | Vendor has access to MTO/RUS-owned PI | Existing SLA | M | M | 4 | NR-09 (SLA/MOU) | H | 2
14 | Service Ontario Counter Staff Deliberately Compromise(s) | OPC/EPC Program | 4 | It is possible for Service Ontario personnel to collude with malicious individuals or groups and claim to pass all criteria for OPC/EPC submission where the application would otherwise fail. This might be done to help a friend or as part of a criminal conspiracy or organization. | Hiring practices, Oath, auditing log, Photo Comparison Technology (PCT) | M | M | 2 | NR-03 (Security Clearance); NR-05 (Job Rotation); NR-08 (Third Party Auditing); TR-09 (RBAC) | H | 1
15 | Business Partner Deliberately Disclose(s) | OPC/EPC Applicant Personal Information | 4 | Although OPC/EPC clients sign an acknowledgement that their personal information will be shared, the Government of Ontario has no control over how data will be handled once it is provided to other Governments. | Intra-governmental agreements and WHTI standards | N | L | 4 | N/A | N | 4
16 | Criminal Elements Deliberately Disclose(s) | EPC RFID Number | 6 | The RFID # can be picked up from a distance of several feet by an RFID reader without the user's knowledge or permission. This could be captured and used as a unique identifier to track an individual's whereabouts and possibly to create fraudulent EPC cards. | Ensure the protective sleeve (wallet size) and instructions are provided to the applicant with the EPC card | M | M | 3 | TR-15 (Research/Test New RFID Technology) | M | 2
17 | Criminal Elements Deliberately Compromise(s) | EPC Card Security Feature | 4 | It is possible to make a cloned EPC card with new personal biographic data printed on it, with the right RFID# picked up by an RFID reader as described above, or even the right format of MRZ data | Non-personal number embedded in RFID/MRZ data; strict card stock control by CPC/MTO; manual identification process by the Border Officer in place to defeat the fraudulent attempt to cross the border, because the MRZ or RFID will be used in conjunction with the back-end database and must match a known value stored in the database | M | M | 2 | TR-11 (Integrity Check) | H | 1
18 | Malicious code Deliberately Interrupt(s) | OPC/EPC system | 7 | Virus or another type of malware, Denial of Service, or Buffer Overflow attack infecting the OPC/EPC system | Anti-Virus software | M | M | 4 | TR-08 (Vulnerability Assessment and Pen-Test); TR-16 (Software Development Life Cycle) | H | 2
19 | Service provider Inadvertently Disclose(s) | OPC/EPC Applicant Personal Information | 9 | Personal Information is not securely removed from the service provider's equipment (including backup tapes) before disposal | Unknown | N | M | 5 | NR-10 (Data Retention and Disposal) | H | 2
OPC & EPC TRA GO MEDIUM SENSITIVITY
5.0 Recommendations
This review was completed without considering who should be responsible or accountable for implementing these recommendations. Planning and carrying out the implementation should be treated as a separate effort and is not in scope. Implementation timeframes are defined in Section 5.1.
The main areas of concern and the related recommendations for risk mitigation that should be implemented as a priority are described below. The 'Risk Level' identified in Section 4.2, Vulnerability and Risk Assessment, represents the highest risk level the recommendation may mitigate. A single recommendation may serve as a safeguard for multiple vulnerabilities.
Please refer to Table 4: Recommendations and Timeframe for Implementation for the detailed recommendations.
It is expected the Project will adhere to all OPS security policies (including ISPC) and GO-
ITS Standards. Particular attention should be paid to applying the standards and best
practices in the following areas:
• GO-ITS Security Standards and Operational Procedures;
• ITIL Service Management;
• User Acceptance Testing and Staging;
• Patch Management;
• Separation of Duties;
• Training (Help/Service Desk, Users, etc.);
• Security Awareness Training;
• Resource and Knowledge;
• Documentation; and
• Audit Responsibilities.
There are additional recommendations in the tables following the main areas of concern. The
recommendations outline the proposed actions to reduce the overall risk level to Low.
5.1 Timeframe for Implementation
The ‘Timeframe for Implementation’ column of the Recommendations tables provides four
options: Immediate, Short-Term, Medium-Term and Long-Term.
Recommendations with an Immediate timeframe are expected to be implemented as soon as possible, and no later than 3 months after receipt of the recommendations or before the system is put into operation, whichever comes first.
The Short-Term timeframe is implementation within three (3) to six (6) months. Medium-Term
is within six (6) to twelve (12) months and Long-Term is implementation over a year (12
months).
It is recognized that in some cases it is not feasible to meet the defined timeframes, however, the
best-effort approach is expected through initiating steps for implementation as soon as possible
(e.g. planning, funding request).
The most viable (easy fix) recommendations should also be implemented as soon as possible to
achieve incremental improvements in the security posture.
The complete set of recommendations is presented on the following pages along with suggested timeframes for implementation. If comparable solutions other than those recommended below are pursued, or are currently being pursued, they must comply with GO-ITS security standards and policy requirements.
5.2 Recommendations
Table 4: Recommendations and Timeframe for Implementation
(Columns: Ref. No.; Specific Recommendations for this TRA; Timeframe for Implementation and Current Risk Level.)

Technical

TR-01 (Encryption of backup data). Timeframe: Immediate (Risk Level: 5)
Backup data from the OPC/EPC system contains highly sensitive information. Backups should be encrypted to prevent unauthorized access during storage or transit. A backup data integrity check should be implemented for tamper resistance.

TR-02 (Encrypt sensitive data in transit and high sensitivity data in the database). Timeframe: Immediate (Risk Level: 4)
The Information Security and Privacy Classification (ISPC) policy and operating procedure require that all High sensitivity data be encrypted in transit and stored in encrypted form.
The confidentiality sensitivity rating of the OPC&EPC information assets is defined as High, which requires strong encryption for data transmission over local and wide area networks. All communications, including user/IT administrator sessions and server-to-server communications, must be encrypted.
There are two options for consideration: SSL/TLS and PKI-based encryption. Cryptographic algorithms must follow the GO-ITS standard; please refer to GO-ITS 25.12 Security Requirements for the Use of Cryptography Version 1.1.
Any folders on laptop and PC hard drives that contain sensitive information must be encrypted.
TR-03 (N-Tier Architecture). Timeframe: Immediate (Risk Level: 4)
The OPC/EPC system architecture must observe a 3-tier network architecture and separate Internet-facing application access (OPC/EPC applicants) from GO-Net-facing application access (CSR and admin users).
Separating the network architecture into segregated environments ('tiers') based on functionality is an industry-standard way of sub-grouping project components by common requirements. Several network layers can be created and optimised for web servers, application servers, databases, etc., in line with overall security best practices.

TR-04 (Application Firewall). Timeframe: Immediate (Risk Level: 4)
Implement an application-level firewall between the web servers (presentation tier) and the application servers, and between the application servers and the database servers. Configure the firewalls to restrict port availability to the required traffic and to address potentially harmful internal traffic via filtering (e.g. spyware). Note that the firewalls should apply stateful inspection rather than plain packet filtering.

TR-05 (Implementation of IDS/IPS). Timeframe: Immediate (Risk Level: 4)
Implement an intrusion detection/prevention system in the OPC/EPC environment. It is recommended that the system be hosted with behaviour-based NIDS (network-based IDS) and HIDS (host-based IDS) protection, which may lead to a Zone-1 compliant data centre environment.

TR-06 (Password Management). Timeframe: Immediate (Risk Level: 4)
Password management practices (both within the OPS and by the service provider/vendor) must comply with Government of Ontario IT Standards (GO-ITS 25.15). Please refer to: http://www.gov.on.ca/mgs/graphics/173720.pdf

TR-07 (Access Logging and Centralization). Timeframe: Immediate (Risk Level: 4)
Access logging must be enabled to support accountability. All access logs should be centralized on a separate server, made tamper resistant, and reviewed periodically by authorized staff only. (See GO-ITS 25, section 2.2.4.2 for additional requirements.)
TR-08 (Vulnerability and Penetration Test). Timeframe: Short Term (Risk Level: 4)
Vulnerability and penetration testing must be conducted on the whole OPC/EPC system prior to implementation and at least annually thereafter, and specifically whenever major configuration changes or upgrades have occurred. Include the results and mitigation strategies in the annual security plan. The scope of the penetration test should extend to the related Service Ontario owned systems and the CPC production servers; the pen-test mandate should be addressed in the separate SLA with them.

TR-09 (RBAC). Timeframe: Short Term (Risk Level: 4)
Role Based Access Control (RBAC) should be planned and implemented in the OPC/EPC system and extended to Service Ontario and the Card Production Centre.
RBAC should be strictly observed for the following accounts and roles: MTO staff, PCT fraud staff, future application users and administrators, database administrators, operations/help desk, service providers, all system/application accounts, and all associated workstations and servers. Ensure that users, administrators and service providers do not have broad access to data they do not require to fulfil their job function, and in particular that OPC and EPC application roles are kept strictly separate.
Ensure that formal procedures for provisioning, de-provisioning and access auditing of all levels of accounts mentioned above are developed and maintained.

TR-10 (Database Audit Trail). Timeframe: Short Term (Risk Level: 4)
Incorporate audit trails and due diligence checks into applications, systems and databases to detect improper transactions arising from human error or malicious activity. Include audit logging for: database record changes; database import and export of high sensitivity data; additions and deletions of user IDs; failed login attempts; and database schema changes. The audit trail should be tamper resistant and reviewed periodically by authorized staff only.
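As an added example (not code from this TRA, and not MTO's or CPC's implementation), the following Python shows one way to make the centralized access logs of TR-07 and the database audit trail of TR-10 tamper evident: each entry carries the SHA-256 hash of the previous entry, so editing or deleting an entry in the middle of the log breaks the chain, and the hash of the newest entry is periodically copied to the separate central log server so that silently dropping the tail of the log is caught as well. The event names, actors, timestamps and details are constructed for the example and modelled on the event types TR-10 asks to log.

```python
import copy
import hashlib
import json
from typing import Optional, Tuple

GENESIS_HASH = "0" * 64  # chain anchor for the very first entry


def entry_hash(entry: dict) -> str:
    """SHA-256 over the entry's canonical JSON, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only audit trail in which every entry is chained to its predecessor."""

    def __init__(self) -> None:
        self.entries = []

    def head(self) -> str:
        """Hash of the newest entry. This is the value that is copied to the
        separate central log server (TR-07) as the anchor for later verification."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def append(self, ts: str, actor: str, action: str, detail: str) -> dict:
        entry = {
            "seq": len(self.entries),
            "ts": ts,
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": self.head(),
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, anchored_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain from the start. Returns (True, None) if intact, otherwise
        (False, index of the first entry that fails). If the anchored head hash
        from the central server is supplied, a truncated log is reported at index
        len(entries), because no individual remaining entry is wrong in that case."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or entry_hash(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        if anchored_head is not None and prev != anchored_head:
            return False, len(self.entries)
        return True, None


def sample_log() -> AuditLog:
    """Constructed entries covering the event types listed in TR-10."""
    log = AuditLog()
    log.append("2008-11-20T09:02:11", "csr017", "record_change", "applicant 104233 address updated")
    log.append("2008-11-20T09:15:40", "dba02", "export", "high sensitivity export: 250 EPC records to CPC batch 77")
    log.append("2008-11-20T09:16:05", "unknown", "login_failed", "3 failed logins for admin from 10.0.5.12")
    log.append("2008-11-20T10:01:00", "dba02", "user_id_added", "created account csr044")
    log.append("2008-11-20T11:30:22", "dba02", "schema_change", "ALTER TABLE epc_card ADD COLUMN status_note")
    return log


def tamper_detail(log: AuditLog, index: int, new_detail: str) -> AuditLog:
    """Simulate an insider rewording an existing entry in place."""
    tampered = copy.deepcopy(log)
    tampered.entries[index]["detail"] = new_detail
    return tampered


def tamper_delete(log: AuditLog, index: int) -> AuditLog:
    """Simulate an entry being removed from the stored log."""
    tampered = copy.deepcopy(log)
    del tampered.entries[index]
    return tampered


if __name__ == "__main__":
    log = sample_log()
    anchor = log.head()  # what the central log server would have recorded
    print("intact:", log.verify(anchor))
    print("edited export entry:", tamper_detail(log, 1, "routine export").verify(anchor))
    print("deleted failed-login entry:", tamper_delete(log, 2).verify(anchor))
    print("truncated tail:", tamper_delete(log, 4).verify(anchor))
```

The chain on its own cannot detect removal of the newest entries, which is why the head hash has to leave the host that produced the log: without the anchor, a log with its last entry deleted still verifies as intact.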
TR-11 (Integrity Check). Timeframe: Immediate (Risk Level: 5)
An integrity check should be planned and implemented at the database or application level to detect and prevent human error or malicious activity causing incomplete or inaccurate information in the OPC/EPC system; an integrity compromise could render the finished EPC/OPC card, and the process at CBSA, unusable.
Hash/HMAC/CBC-HMAC should be used as per the OPS standard. The accepted hashing algorithm is SHA-256 or stronger. Please refer to: GO-ITS 25.12 Security Requirements for the Use of Cryptography Version 1.1. Note that an unkeyed hash only detects accidental corruption, since anyone who can alter the data can recompute the hash; detecting deliberate modification requires a keyed HMAC whose key is not available to the parties able to change the data.
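As an added worked example (not part of the TRA, and not MTO's or CPC's code), the following Python shows the kind of integrity check TR-11 calls for, applied to the cloned-card scenario in threat 17: at card production an HMAC-SHA256 tag over the RFID number, the MRZ and the printed biographic fields is stored in the back-end database, and the border-side check recomputes the tag from what the reader and the officer actually see, so a clone that reuses a genuine RFID number under a different printed name fails. The field names, the record layout, the key and the sample cards are assumptions constructed for the example; the MRZ check digit uses the ICAO 9303 7-3-1 weighting, which is an assumption about the EPC's MRZ format.

```python
import hashlib
import hmac
import json

# Constructed key for the example only. In production the integrity key is held
# in a key-management system and is never on the card, at the border station or
# in source code; without it a forger cannot mint a valid tag for altered data.
INTEGRITY_KEY = b"example-only-key-replace-with-managed-key"

# Fields bound together by the tag: contactless number, machine-readable zone
# and the biographic data printed on the card face (assumed layout).
BOUND_FIELDS = ("rfid_number", "mrz", "surname", "given_names", "date_of_birth")


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit (assumed MRZ format): digits count as themselves,
    A-Z as 10-35, filler '<' as 0; weights 7,3,1 repeating; sum modulo 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def mrz_is_well_formed(mrz: str) -> bool:
    """The last character of the (assumed) MRZ is the check digit over the rest."""
    if len(mrz) < 2 or not mrz[-1].isdigit():
        return False
    try:
        return mrz_check_digit(mrz[:-1]) == int(mrz[-1])
    except ValueError:
        return False


def integrity_tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so that field order or
    whitespace differences cannot change the tag."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_card(backend_db: dict, card: dict) -> str:
    """Card production step: refuse a malformed MRZ, then store the tag in the
    back-end database keyed by RFID number."""
    if not mrz_is_well_formed(card["mrz"]):
        raise ValueError("refusing to issue card with malformed MRZ")
    tag = integrity_tag({f: card[f] for f in BOUND_FIELDS})
    backend_db[card["rfid_number"]] = tag
    return tag


def verify_presented_card(backend_db: dict, presented: dict):
    """Border check: the RFID number read contactlessly, the MRZ scanned from the
    card and the biographic data visible on the card face must together
    reproduce the tag stored at issuance. Returns (accepted, reason)."""
    stored = backend_db.get(presented.get("rfid_number"))
    if stored is None:
        return False, "RFID number not in back-end database"
    if not mrz_is_well_formed(presented.get("mrz", "")):
        return False, "MRZ check digit mismatch"
    try:
        record = {f: presented[f] for f in BOUND_FIELDS}
    except KeyError as missing:
        return False, f"missing field {missing}"
    # Constant-time comparison so the check cannot leak tag bytes via timing.
    if not hmac.compare_digest(integrity_tag(record), stored):
        return False, "integrity tag mismatch: card data does not match issuance record"
    return True, "card data matches issuance record"


# Constructed sample: a genuine card, and a clone that reuses its RFID number
# and MRZ but carries a different printed identity (threat 17).
GENUINE_CARD = {
    "rfid_number": "E2001234567890AB",
    "mrz": "EPC12345679",  # "EPC1234567" followed by its check digit 9
    "surname": "DOE",
    "given_names": "JANE",
    "date_of_birth": "1980-05-17",
}
CLONED_CARD = dict(GENUINE_CARD, surname="ROE", given_names="RICHARD")


def demo() -> dict:
    db = {}
    issue_card(db, GENUINE_CARD)
    return {
        "genuine": verify_presented_card(db, GENUINE_CARD),
        "clone": verify_presented_card(db, CLONED_CARD),
        "unknown_rfid": verify_presented_card(db, dict(GENUINE_CARD, rfid_number="E200FFFFFFFFFFFF")),
        "bad_mrz": verify_presented_card(db, dict(GENUINE_CARD, mrz="EPC12345670")),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The check digit only catches transcription or printing errors in the MRZ; it is the keyed tag, matched against the back-end record as the existing safeguards for threat 17 already require, that ties the RFID number to the identity printed on the card.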
TR-12 (Non-repudiation). Timeframe: Immediate (Risk Level: 4)
During the workshops, a non-repudiation requirement was identified for transactions between the OPC&EPC system and CBSA, as well as CPC. Digital certificates are recommended so that the data can be digitally signed end to end.

TR-13 (Re-engineer email process into a secure channel). Timeframe: Immediate (Risk Level: 5)
One issue identified is that email sent from CPC to the MTO Business Integrity Department contains damaged card information (DCN number, RFID number and card status information).
It is highly recommended that MTO re-engineer this email process into a secure channel between CPC and the OPC/EPC system. All business data must go through the secure channel. Email containing information classified as High confidentiality (such as card status information) must be encrypted (including attachments) and digitally signed.

TR-14 (Data Segregation). Timeframe: Immediate (Risk Level: 4)
If there is any shared infrastructure in MTO holding information for different services such as Driver's Licence, Enhanced Driver's Licence, Ontario Photo Card and Ontario Enhanced Photo Card, it is highly recommended that the database information dedicated to OPC/EPC be separated, logically or physically, between OPC and EPC and from the other MTO services (DL/EDL).

TR-15 (Software Development Life Cycle). Timeframe: Immediate (Risk Level: 4)
Application development must follow the GO-ITS standards for the SDLC, must consider security from the software architecture stage onward, and must include a code review of the OPC/EPC system prior to implementation. Please refer to http://www.gov.on.ca/mgs/graphics/241105.pdf

Non-Technical

NR-01 (BCP&DR Planning). Timeframe: Short Term (Risk Level: 5)
The Recovery Time Objective (RTO) for the OPC/EPC application is not more than 1 day of interruption during regular business hours, due to the CBSA requirement. To ensure availability even when a disaster or catastrophic event occurs, Business Continuity and Disaster Recovery plans should be developed to achieve continuity of service in line with MTO's. The plans should address the logistics of continuing operations at an alternate location.
Very importantly, the Business Continuity and Disaster Recovery plans need to be tested annually to confirm the ability to fully recover OPC/EPC services and to validate the Recovery Time Objective for the Program. The BCP/DRP also needs to be reviewed, maintained and updated whenever there is a major change to the business or IT infrastructure of the OPC/EPC services.
NR-02 (IT Contingency Plan). Timeframe: Immediate (Risk Level: 4)
An IT Contingency Plan should be developed to maintain the availability of OPC/EPC systems in the event of software or hardware failures. A security incident plan should likewise be developed and tested to facilitate recovery of the system after a security incident.

NR-03 (Security Clearance). Timeframe: Immediate (Risk Level: 4)
MTO employees with privileged access to OPC/EPC must undergo a Security Clearance process [1]. New hires should undergo Security Clearance immediately, as part of the recruitment process.
Contractors and service provider staff (Service Ontario staff and CPC staff) should be brought in with a security clearance already completed, or be required by contract to obtain at least a general Screening Clearance Check.
(1) See http://intra.hropenweb.gov.on.ca/hrpolicies/PersonScrnChk_pol.html

NR-04 (Separation of Duties). Timeframe: Short Term (Risk Level: 4)
Different environment types such as development, testing and production should be properly separated; functionality and operations should not overlap. Developers should not have access to the code used in production. Code should be tested, submitted to the staging library and then sent to the production environment. At no time should developers or testers have access to production data. Any modifications to data must be completed by the data owners.
Where possible, test, analytical and statistical data used by QA and developers should be "sanitized" or "masked" for high/medium sensitivity information.
System administrators should not be able to access, query or modify any information in the database, because of the potential for privilege abuse; any such activity should be recorded and alerted on by the database audit logs.

NR-05 (Job Rotation). Timeframe: Immediate (Risk Level: 2)
To detect fraud and collusion, job rotation should be implemented in Service Ontario so that any malicious or concealed activity is exposed; personnel will of course need to be trained to back up and perform their co-workers' daily jobs. This requirement should be included in the SLA with Service Ontario.
NR-06 (Security Awareness Training). Timeframe: Immediate (Risk Level: 5)
Conduct and maintain Security Policy and Awareness training for all MTO staff, IT support staff and service providers with access to sensitive OPC/EPC information. Because copies of applicants' certified documents will be handled in Service Ontario, and MTO handles high sensitivity information, a tailored security training program must be developed, including ISPC policy and operational procedures.

NR-07 (ISPC Training, Labelling, Handling, Disposal and Classification). Timeframe: Immediate (Risk Level: 5)
When information is classified as High or Medium, the minimum standards for its handling, protection and disposal must be followed.
Implement the Information Security and Privacy Classification operational policies and procedures as described in the Information Security and Privacy Classification Operating Procedures. Pay particular attention to the "required safeguards" for High Sensitivity information. Online training is available at http://intra.collaboration.gov.on.ca/mgs/occio/ocipo/im/ispc/mod4/m04t01p01_e.html.

NR-08 (Third Party Auditing). Timeframe: Short Term (Risk Level: 2)
Third party auditing of Service Ontario is recommended to detect any malicious or fraudulent activity; this requirement should be included in the SLA with Service Ontario.

NR-09 (Data Retention and Disposal). Timeframe: Short Term (Risk Level: 5)
MTO must determine how long sensitive data is to be kept, which data should then be destroyed, and which must be preserved as permanent archival records, based on legislative requirements and the business services and processes. This affects the service providers, including but not limited to SO, CPC and CBSA, wherever the sensitive personal information of Ontarians is kept and backed up.
Consult with the Archives of Ontario (Records Management Program) and the Cluster on the development of policies and procedures for the appropriate retention and disposal of data.
Information about the Archives of Ontario: OPS services on http://intra.ops.myops.gov.on.ca
NR-10 (SLA/MOU). Timeframe: Immediate (Risk Level: 4)
Develop, implement, monitor and enforce Service Level Agreements (SLAs) and Memorandums of Understanding (MOUs) for the OPC&EPC service between MTO and all vendors/service providers (i.e. backup service provider, ITS and CPC) and the external stakeholder (CBSA, Canada Border Services Agency).
All vendors and service providers (offsite backup services, Service Ontario staff and CPC employees) with access to OPC/EPC or backup data should sign non-disclosure agreements as part of their service contracts or SLA/MOU.
The SLA with the backup service provider should include, but not be limited to: appropriate handling of backup tapes and physical security of the tape storage location.
The SLA with SO/CPC should address, but not be limited to: MTO's right to audit CPC security programs; physical security of the card production centre (equivalent to the ITS Zone 1 data centre requirement); security clearance of CPC personnel with access to OPC/EPC data; implementation of an Information Protection Plan; vulnerability management and pen-testing; the requirement to report security breaches; retention of data; incident and change management processes; standards for anti-virus and software patching levels for computers in the CPC environment; and strong authentication, authorization and auditing.
The SLA with CBSA should include a protection plan for Government of Ontario high sensitivity information, to maintain data security throughout its life cycle.
Ensure that Government of Ontario information security strategies, programs, policies and standards, as outlined and required in the outsourcing contract, are implemented and followed for all Government of Ontario related work.
The service providers must co-operate when audits are conducted, making information and staff available as requested.
The following publication provides guidelines for contracting services related to personal information: http://intra.cio.gov.on.ca/pub/contracting_guidelines.pdf
6.0 Acceptance of Threat Risk Assessment
Client Acceptance
• I acknowledge that this document has been prepared in accordance with OPS
standard procedures and methods for performing Threat-Risk Assessments.
• I agree with its scope and the statement of sensitivity.
• I acknowledge the existing safeguards as listed are currently in place.
• I accept the recommendations as presented, and I accept responsibility either
for implementing them or not implementing (based on sound business
decisions).
• Finally, I accept all residual risk resulting to the program after the
implementation (or non-implementation) of the recommendations.
On behalf of the Ministry of Transportation
Julian Appel, Cluster Security Officer, Ministry of Transportation, PAMS (Planning Architect)
Signature:                              Date:

On behalf of the Ministry of Transportation
Steve Burnett, Manager, Ministry of Transportation, Service Management and Business Integrity Office
Signature:                              Date:

On behalf of MGS Corporate Security Branch
Carl Rajack, Manager, IT Security Operations, CSB
Signature:                              Date:
Appendix A – Personnel Resources
The following personnel contributed to this report by participating in the kick-off
meeting, workshop, or TRA review.
Table 1: Workshop Participants
NAME TITLE, BRANCH, MINISTRY
Elvin Lam Project Manager, Ministry of Transportation, SPMO
Julian Appel Cluster Security Officer, Ministry of Transportation, PAMS
Xiaoshu Chen Lead Solution Architect, Ministry of Transportation, SPMO
Don Hunter Lead Architect, Consultant
Amy Chan Business Analyst, Ministry of Transportation, ESO
David Zhang Lead Business Analyst, Ministry of Transportation, ESO
Abiodun Oduyemi Business Continuity & DR Planning Advisor, IT Business Contingency Management, Government Services
Jessica Li Business Continuity & DR Planning Advisor, IT Business Contingency Management, Government Services
Appendix B - Documentation Resources
Table 2: Documents Provided by Program Area
Document Title (Date Published; Version No.)
TB-MB20_EDL_FINAL (3).DOC.doc (draft version for OPC/EPC)
Scope statement.doc (Sept 05, 2008; 0.3)
Ontario Photo Card Business Process.doc (Sept 25, 2008; 0.3)
Ontario Photo Card Workflow Model.doc (Oct 01, 2008; 0.1)
OPC - Program Profile.doc
OPC - Service Profile.doc
OPC.doc
Visio-Ontario Photo Card Conceptual Architecture.PDF
OPC_EPC Business Process Model.doc
Appendix C – Sensitivity Rating Tool and
Classification
The “Statement of Sensitivity” establishes High, Medium, Low or Unclassified ratings
for each Asset with regard to the need for: Confidentiality, Integrity and Availability. For
example, an asset could be rated low for confidentiality, high for integrity and medium
for availability. The need for Authentication and Non-Repudiation is also assessed.
The criteria for the ratings are based on the definitions and Injury Tests provided in
Corporate Security’s “Information Security and Privacy Classification Policy”(ISPC).
The table below provides an overview of the ISPC classifications and Injury Tests.
Table 3: ISPC Guidance for Asset Sensitivity
Asset Sensitivities, Information Security and Privacy Classification Schema & Injury Tests

High Sensitivity: An information or material asset that is extremely sensitive and is intended for use by named individuals (positions) only. Could reasonably be expected to cause loss of life or public safety, extremely serious personal or enterprise injury, major political or economic impact, sabotage/terrorism, significant financial loss, and social hardship. Also included is all medical and financial information about identifiable individuals. [Examples of this are identity documents, tax returns, personal health information, witness protection records, Cabinet documents, Cabinet deliberations and supporting documents.]

Medium Sensitivity: An information or material asset that is sensitive within the OPS and is intended for use only by specified groups of employees. Could reasonably be expected to cause serious personal or enterprise injury, loss of competitive advantage, loss of confidence in the government program, moderate financial loss, damage to partnerships, relationships and reputation, and loss of trade secrets or intellectual property. Also included is all other personal information that is confidential under FIPPA or any other applicable law or policy and is not included above under High Sensitivity, as well as solicitor-client privileged documents. [Examples of this may include business information contained in briefing notes the disclosure of which may result in legal or remedial harm, or any personal information irrespective of whether harm may result. Legal opinions are another example of information falling within Medium Sensitivity.]

Low Sensitivity: An information or material asset that is generally available to employees and approved non-employees. Could reasonably be expected to cause injury that would result in minor financial loss, embarrassment and inconvenience. [Examples of this are materials containing escalation procedures, and staff meeting minutes and agendas where the information contained in the documents does not fall within the High or Medium Sensitivity classifications.]

Unclassified: Will not result in any harm or injury. [Examples of this are materials that are in the public domain.]
Table 8: General Guidance for Asset Sensitivity (V 1.0 Definition)

Confidentiality (ranking is based on Injury Test)
• High: Information that is of highest value to the Government of Ontario, and is intended for use by named individuals only. E.g. identity registration (birth, death, driver's, SIN, OHIP), strategic planning documents, etc.
• Medium: Information that is sensitive within the OPS and is intended for use only by specific groups of employees. E.g. registration information for GO-PKI, personal or business information contained in briefing or policy notes, etc.
• Low: Information generally available to employees and approved non-employees. E.g. staff meeting minutes, telephone directory, org charts, etc.
• Unclassified: Information that is publicly available. E.g. materials that have been published, speeches that have been delivered, etc.

Integrity (ranking is based on Injury Test)
• High, Medium, Low and Unclassified: the integrity ranking is based on the Injury Test.

Availability (ranking is based on Injury Test)
• High: No interruption during regular business hours.
• Medium: Not more than 1 day of interruption during regular business hours.
• Low: Not more than 3 days of interruption during regular business hours.
• Unclassified: More than 3 days of interruption during regular business hours.

Injury Test (i.e. compromise of the asset, or unauthorized disclosure of the information, could cause the following)
• High: Loss of Life; Extreme Serious Injury; Loss of Public Safety; Significant Financial Loss; Social Hardship; Loss of Personal or Individual Privacy; Legal System Compromised; Compromise of Cabinet Deliberations; Loss of Investment Opportunity; Destruction of Partnerships and Relationships; Significant Physical Damage.
• Medium: Loss of Reputation or Competitive Advantage; Loss of Confidence in Ontario Government Program; Cost to Rebuild; Future Access to Information Denied; Loss of Trade Secrets or Intellectual Property; Damage to Partnerships and Relationships; Negative Impact on Contract; Measurable Physical Damage.
• Low: Little or no damage; Limited inconvenience or embarrassment; Limited Adverse Impact if Unavailable.
• Unclassified: No injury to individuals, governments or private sector institutions.

Reference: Information Security and Privacy Classification Policy, 2005
Authentication:
Is there a requirement for identity authentication for this information/asset? Yes/No
Definition: The process for verifying that someone or some entity is who or what they claim to be.
Non-repudiation:
Is there a requirement to guarantee non-repudiation for this information? Yes/No
Definition: Non-repudiation is about convincing a third party that something happened involving the two direct participants in a transaction.
Appendix D – Threat Analysis Criteria
A threat agent is any entity that may act to cause a threat event to occur, accidentally or
deliberately, by exploiting one or more vulnerabilities present in the environment. This agent can
be a natural occurrence or an individual who could either deliberately or accidentally cause:
unauthorized disclosure, destruction, removal, modification or interruption of critical assets
and/or services.
For the purposes of this TRA, internal threat agents will include only ACW full and part-time
staff. External threat agents will include all other personnel.
D.1 Threat Event Class
The threat events, as they affect critical assets, will fall into one or more of five threat classes as
indicated in the Threat Assessment Summary Table:
o Disclosure - primarily a confidentiality issue (e.g. emanations, interception, improper
handling and storage, or hackers / crackers);
o Interruption - primarily an availability issue for an asset or service (e.g. malicious
code, power failure, chemical spill, fire, flood, earthquake, or strike by personnel);
o Modification - primarily an integrity issue of accuracy and completeness (e.g. data
entry errors, malicious code, intentional unauthorized internal modifications, or
hackers);
o Destruction - primarily an availability issue (e.g. power spikes, fire, flood, or
earthquake); and/or
o Removal or Loss - primarily a confidentiality and availability issue (e.g. theft of data or
hardware).
These threat classes allow the potentially harmful effects of each threat event to be grouped in
terms consistent with the business requirements of the information assets.
D.2 Likelihood of Occurrence
The likelihood of a particular threat event occurring is a major element of the eventual threat
exposure rating. The choice of plausible scenarios is critical to the effectiveness of the analysis.
The likelihood of a specific threat event actually occurring is based on a subjective assessment
of historical events in the specific environment, familiarity with the system under review, trends
in threat agents and events, and threat information from lead agencies. The likelihood of
occurrence for the assets and services within the boundary of review is rated by general
probability as:
o Low probability – there is no history of threat events involving the asset and the
threat is considered unlikely to occur;
o Medium probability – there is some history of threat events and there is a possibility
that a threat event may occur; or
o High probability – there is a significant history of threat events and a threat event is
likely to occur.
D.3 Exposure Ratings
The outcome of the threat analysis is the set of ‘Exposure Ratings’ calculated for each critical
asset. These ratings are derived by combining the subjectively arrived-at likelihood and impact
evaluations. The threat exposure ratings in the Threat Assessment Summary Table are expressed
in numerical terms from one (lowest) through nine (highest), as shown in the following matrix:
Table 9: Exposure Rating Matrix
Exposure Rating Calculation Table
Likelihood of threat      Level of Impact
occurrence                High    Medium    Low
High                        9       8        5
Medium                      7       6        3
Low                         4       2        1
For each asset, a threat assessment has been made to determine the possible threat agents
(both deliberate and accidental), the likelihood that the threat will occur, and the
consequences to ACW should the threat occur, including an impact and exposure rating.
It is important to note that this analysis does not directly consider the safeguards presently
in place within the ACW system; those are taken into account in the risk ratings of Appendix E.
The most appropriate threat agent for each threat event is shown in the analysis. The following
table presents the Threat Assessment findings in accordance with the prescribed MGCS Corporate
Security methodology.
Appendix E – Vulnerabilities and Safeguards
E.1 Safeguards, Controls and Countermeasures
In order to ascertain the current level of risk, the existing safeguards / controls were considered.
For each threat scenario within the Risk Assessment Summary Table, the related safeguards are
listed and evaluated for their effectiveness in preventing or lessening the harmful effects if the
threat event were to occur. Recommended safeguards are also shown that will be applied to
mitigate risk in various threat events. A list of pertinent existing and recommended safeguards
within the boundary of analysis follows:
Safeguards, Controls and Countermeasures
[Identification and authentication]
Passwords
One-time generated passwords
Biometrics
Smart-cards
Randomly generated passwords
[Physical Protection]
Locks and structural access protection
Monitored intrusion detection systems
Protection from oversight
Climate control
Fire detection, sprinklers
[Encryption]
Encrypting modems
File/disk encryption
PCMCIA cards
[Other]
Auditing and network intrusion detection
Procedures, training
Virus scanning
E.2 Vulnerabilities and Risk Examples
Possible Examples (but not limited to):
[Personnel Vulnerabilities]
Inadequately trained workers
Inadequate or lack of data entry validation measures
Inadequate or lack of security training/awareness
Inadequate or lack of security screening on job candidates
[Physical Security Vulnerabilities]
Inadequate access control
Inadequate access controls for desktop/laptop PCs
Inadequate access controls for servers
Inadequate access controls for storage media
Insufficient separation of functions
[Policies and Procedures Vulnerabilities]
Inadequate security policies
Inadequate system administration policy and procedures
Inadequate compliance monitoring and surveillance
Inadequate emergency and business resumption planning
Inadequate incident response procedures
Inadequate change control procedures
Inadequate testing procedures
Inadequate deletion/destruction/transportation procedures
Inadequate e-mail usage policy and procedures
[Software Vulnerabilities]
Inadequate software security features (firewalls)
Inadequate configuration of software and IT security features (not toggled on)
Inadequate maintenance of software (patches, fixes, releases)
Inadequate management/system administrator controls
Multi-platform interfaces with potential incompatibilities
Inadequate virus/Trojan protection
Inadequate intrusion detection software
[Hardware Vulnerabilities]
Inadequate protection for servers from remote operations and third parties
Inadequate protection for networking equipment such as routers, hubs and switches
[Network Security Vulnerabilities]
Unreliable network connectivity
Inadequate measures for detecting network sniffing, probing and port scanning
Inadequate measures against denial-of-service attacks
Inadequate measures against session hijacking
Inadequate measures against direct data alteration
Unregulated network traffic
Inadequate remote access control
Operating system configuration weaknesses
Lack of IT service interruption protection
E.3 Risk Ratings
The following Risk Level Grid provides the matrix from which the Risk Level Ratings were
derived, by combining the Exposure Rating, Safeguard Effectiveness Rating and Vulnerability
Rating for each critical asset:
Table 10: Risk Level Grid
Risk level (1 lowest to 5 highest) is automatically calculated from the Vulnerability, Safeguard and
Exposure values.

              Vulnerability: High          Vulnerability: Medium        Vulnerability: Low
              Safeguard:                   Safeguard:                   Safeguard:
Exposure      None  Low  Medium  High      None  Low  Medium  High      None  Low  Medium  High
   9            5    5     5      3          5    5     5      2          5    5     5      2
   8            5    5     5      3          5    5     5      2          5    5     4      2
   7            5    5     5      3          5    5     4      2          5    4     3      1
   6            5    5     4      2          5    4     3      2          4    3     2      1
   5            5    5     4      2          5    4     3      1          4    3     2      1
   4            5    4     3      2          5    4     2      1          4    3     1      1
   3            4    4     3      1          4    3     2      1          3    2     1      1
   2            4    3     2      1          3    2     1      1          2    1     1      1
   1            3    3     2      1          2    2     1      1          1    1     1      1
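The two lookups, exposure from Table 9 in Appendix D.3 and risk level from Table 10 above, can be encoded directly, which also makes it easy to check a transcribed grid for the ordering errors a typo introduces. The following is an added example, not part of the TRA and not an MGCS tool. The two matrices are transcribed from the tables; the threat scenario, its ratings, and the assumption that implementing TR-01 lifts safeguard effectiveness from Low to High are constructed for illustration only.

```python
"""Exposure rating (Table 9) and risk level (Table 10) lookups.

Added example; not code from the TRA and not an MGCS tool. The matrices are
transcribed from Appendices D.3 and E.3. The scenario in sample_assessment()
is constructed, and the effect attributed to TR-01 there is an assumption."""
from __future__ import annotations
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")             # likelihood, impact, vulnerability scale
SAFEGUARD_LEVELS = ("None", "Low", "Medium", "High")

# Table 9: exposure = f(likelihood of threat occurrence, level of impact),
# 1 (lowest) .. 9 (highest). Outer key: likelihood; inner key: impact.
EXPOSURE_MATRIX = {
    "High":   {"High": 9, "Medium": 8, "Low": 5},
    "Medium": {"High": 7, "Medium": 6, "Low": 3},
    "Low":    {"High": 4, "Medium": 2, "Low": 1},
}

# Table 10: risk level = f(exposure, vulnerability, safeguard effectiveness),
# 1 (lowest) .. 5 (highest). Per exposure row and vulnerability rating, the
# tuple holds the risk level for safeguard None / Low / Medium / High.
RISK_GRID = {
    9: {"High": (5, 5, 5, 3), "Medium": (5, 5, 5, 2), "Low": (5, 5, 5, 2)},
    8: {"High": (5, 5, 5, 3), "Medium": (5, 5, 5, 2), "Low": (5, 5, 4, 2)},
    7: {"High": (5, 5, 5, 3), "Medium": (5, 5, 4, 2), "Low": (5, 4, 3, 1)},
    6: {"High": (5, 5, 4, 2), "Medium": (5, 4, 3, 2), "Low": (4, 3, 2, 1)},
    5: {"High": (5, 5, 4, 2), "Medium": (5, 4, 3, 1), "Low": (4, 3, 2, 1)},
    4: {"High": (5, 4, 3, 2), "Medium": (5, 4, 2, 1), "Low": (4, 3, 1, 1)},
    3: {"High": (4, 4, 3, 1), "Medium": (4, 3, 2, 1), "Low": (3, 2, 1, 1)},
    2: {"High": (4, 3, 2, 1), "Medium": (3, 2, 1, 1), "Low": (2, 1, 1, 1)},
    1: {"High": (3, 3, 2, 1), "Medium": (2, 2, 1, 1), "Low": (1, 1, 1, 1)},
}


def exposure_rating(likelihood: str, impact: str) -> int:
    """Table 9 lookup. Safeguards are deliberately not an input: the TRA rates
    exposure before the controls in place are considered."""
    return EXPOSURE_MATRIX[likelihood][impact]


def risk_level(exposure: int, vulnerability: str, safeguard: str) -> int:
    """Table 10 lookup; rejects values outside the three scales."""
    if exposure not in RISK_GRID:
        raise ValueError(f"exposure must be 1..9, got {exposure}")
    return RISK_GRID[exposure][vulnerability][SAFEGUARD_LEVELS.index(safeguard)]


def grid_is_consistent() -> bool:
    """Sanity check for a transcribed grid: risk must not rise when safeguards
    improve or vulnerability falls, and must not fall when exposure rises."""
    for row in RISK_GRID.values():
        for levels in row.values():                          # along safeguard axis
            if any(a < b for a, b in zip(levels, levels[1:])):
                return False
        for i in range(len(SAFEGUARD_LEVELS)):               # along vulnerability axis
            col = [row[v][i] for v in ("High", "Medium", "Low")]
            if any(a < b for a, b in zip(col, col[1:])):
                return False
    for vuln in LEVELS:                                      # along exposure axis
        for i in range(len(SAFEGUARD_LEVELS)):
            by_exp = [RISK_GRID[e][vuln][i] for e in range(1, 10)]
            if any(a > b for a, b in zip(by_exp, by_exp[1:])):
                return False
    return True


@dataclass(frozen=True)
class Assessment:
    scenario: str
    exposure: int
    risk: int


def assess(scenario: str, likelihood: str, impact: str,
           vulnerability: str, safeguard: str) -> Assessment:
    exp = exposure_rating(likelihood, impact)
    return Assessment(scenario, exp, risk_level(exp, vulnerability, safeguard))


def sample_assessment() -> tuple[Assessment, Assessment]:
    """Constructed scenario: disclosure of applicant PII from backup media.
    Likelihood Medium, impact High -> exposure 7. Vulnerability High
    (unencrypted backups) with Low safeguard effectiveness -> risk level 5.
    Assumption: TR-01 (encrypted, integrity-checked backups) raises safeguard
    effectiveness to High, which brings the risk level down to 3."""
    name = "Disclosure of PII from backup media"
    before = assess(name, "Medium", "High", "High", "Low")
    after = assess(name, "Medium", "High", "High", "High")
    return before, after


if __name__ == "__main__":
    assert grid_is_consistent()
    for a in sample_assessment():
        print(f"{a.scenario}: exposure {a.exposure}, risk level {a.risk}")
```

The consistency check is worth running on any re-typed version of Table 10: the grid is only meaningful if better safeguards never raise the risk level and higher exposure never lowers it, and a single transposed digit breaks one of those orderings.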
Appendix F – Abbreviations
Table 11: List of Abbreviations
ABBREVIATION DESCRIPTION
OPC Ontario Photo Card
EPC Enhanced Photo Card
SO Service Ontario
CPC Card Production Center
CBSA Canada Border Services Agency
BCP Business Continuity Plan
BIA Business Impact Assessment
CSE Communications Security Establishment
CWRS Child Welfare Review System
CWRU Child Welfare Review Unit
DBA Data Base Administrator
DR Disaster Recovery
ENA External Network Access
GO-PKI Government of Ontario PKI
HIDS Host Based Intrusion Detection System
I&IT Information and Information Technology
IAA Identification, Authentication and Authorization
IDS Intrusion Detection System
INS Integrated Network Service
ISPC Information Security and Privacy Classification
IT Information Technology
ITIL Information Technology Infrastructure Library
LAN Local Area Network
MGCS Ministry of Government and Consumer Services
MS Microsoft
NIDS Network Based Intrusion Detection System
OLA Operating Level Agreement
OPS Ontario Public Service
PDCO Primary Data Centre
PIAU Private and International Adoptions Unit
PKI Public Key Infrastructure
PRU Provincial Records Unit
RAS Remote Access Server
RBAC Role Based Access Control
RCMP Royal Canadian Mounted Police
ROACH Report On Adjustment of the Child in the Home
RPO Recovery Point Objective
RTO Recovery Time Objective
SDCO Secondary Data Centre
SDLC Software Development Life Cycle
SLA Service Level Agreement
SLO Service Level Objective
SMTP Simple Mail Transfer Protocol
SoS Statement of Sensitivity
SQL Structured Query Language
TCP/IP Transmission Control Protocol / Internet Protocol
TRA Threat and Risk Assessment
UPS Uninterruptible Power Supply
WAN Wide Area Network
Appendix G – Glossary of Terms
Acceptable Level of Risk - A judicious and carefully considered assessment by the appropriate
Designated Approving Authority that an Information Technology (IT) activity or network meets
the minimum requirements of applicable security directives. The assessment should take into
account the value of IT assets; threats and vulnerabilities; countermeasures and their efficiency in
compensating for vulnerabilities; and operational requirements.
Accountability - The property that ensures that the actions of an entity may be traced uniquely to
that entity.
Administrative Security - The management constraints; operational, administrative, and
accountability procedures and supplemental controls established to provide an acceptable level of
protection for information and assets.
Asset - A component or part of the total system or network to which the department directly
assigns a value to represent the level of importance to the "business" or operations/operational
mission of the department, and therefore warrants an appropriate level of protection. Assets types
include: information, hardware, communications equipment, firmware, documents/publications,
environmental equipment, people/staff, infrastructure, goodwill, money, income, organizational
integrity, customer confidence, services and organizational image.
Assurance - The degree of confidence that the implemented security functions of an IT system or
product adequately enforce the system security policy. Alternatively, the degree of confidence
that the implemented system meets its stated security requirements.
Attack - The act of aggressively trying to bypass security controls on an IT system or network.
The fact that the attack is made does not mean it will succeed. The success depends on the
vulnerability of the system, network or activity and the effectiveness of the safeguards in place.
Authentication - The act of verifying the claimed identity of an entity.
Authorization - The granting of rights, which includes the granting of access based on access
rights.
Availability - The accessibility of systems, programs, services and information to authorized
users when needed and without undue delay.
Breach of Security - When any sensitive information and/or assets have been compromised.
Without restricting its scope, a breach may include compromise in circumstances that make it
probable that a breach has occurred.
Capability – A measure of a threat agent’s ability (including the level of effort required) to
successfully attack an asset by exploiting its vulnerabilities.
Classification - A determination that information requires a specific degree of protection against
unauthorized disclosure together with a designation signifying that such a determination has been
made.
Compromise - A violation of the security policy of a system or network such that an
unauthorized disclosure, modification, removal, interruption or destruction of sensitive
information may have occurred.
Confidentiality - The property that information is not made available or disclosed to
unauthorized individuals, entities, or processes.
Configuration Management - The management of changes made to a system's hardware,
software, and firmware and to the documentation that chronicles changes to the equipment,
personnel and security systems throughout the development and operational life of the system.
Continuity of Operations - The maintenance of essential services for an information system
after a major failure. The failure may result from natural causes (such as fire, flood or
earthquakes) or from deliberate events (such as sabotage).
Data Integrity - The property that data is being handled as intended and has not been exposed to
accidental or intentional modification or destruction.
Denial of Service - The prevention or delay of legitimate or authorized access, or the
unauthorized withholding of critical information or resources.
Disclosure - A violation of the security policy of a system in which information has been made
available to unauthorized entities.
DMZ - A Demilitarized Zone (DMZ) is a computer host or small network inserted as a "neutral
zone" between a company's private network and the outside public network. It prevents outside
users from getting direct access to a server that has company data.
Encryption - The transformation of readable data or information into an unreadable form by
means of a reversible, keyed coding process.
Hacker(s) - All persons, criminal or otherwise, who penetrate computers or communications
networks with malicious intent.
Identification - A unique and perhaps auditable representation of each individual user within an
IT system, usually in the form of a string of characters (e.g., LoginID).
Intangible Asset - The attitude, value or perception impacting the organization, e.g., public
confidence, goodwill, competitive advantage, morale, ethics, productivity or loyalty.
Integrity - The accuracy and completeness of information and assets and the authenticity of
transactions.
IT Security Policy - Rules, directives and practices that govern how assets, including sensitive
information, are managed, protected and distributed within an organization and its IT systems.
Likelihood - The probability of a given event occurring.
Loss - A quantitative measure of harm or deprivation resulting from a compromise.
Loss of Confidence - The condition of losing faith in the organization's information and/or IT
systems.
Loss of Service - The condition of not being able to produce and/or deliver a specific service, or
have a required service delayed to the point where it causes interference with normal day-to-day
activities.
Managed Risk - Attained when the extent of security protection is commensurate with the cost
of implementing security measures and the risk: the likelihood of a breakdown in security and the
impact that it would have on a program.
Tangible Asset - A physical item of some value. This may include but is not limited to buildings
or facilities within, accommodations, furniture, supplies and IT equipment and/or systems.
Motivation - A measure combining the potential benefit to the threat agent, and the resources
available to the threat agent.
Permissions - A description of the type of authorized interactions a subject can have with an
object. Permissions include: read, write, execute, add, modify, and delete.
Personnel Security - The procedures established to ensure that all personnel who have access to
any sensitive information have the required authorities as well as all appropriate clearances.
Physical Security - The application of physical barriers and control procedures to provide
protection, detection and response mechanisms used in the physical environment to control access
to sensitive information and assets.
Privacy - The right of individuals to control or influence what information related to them may
be collected and stored and by whom and to whom that information may be disclosed. Note:
Because this term relates to the right of individuals, it cannot be very precise and its use should be
avoided except as a motivation for requiring security.
Procedural Security - Approved management constraints; operational, administrative, and
accountability procedures; and other supplemental controls established to provide protection for
sensitive information.
Reliability - The property of an IT system to maintain consistent, intended and trustworthy
operation over a given period of time.
Residual Risk - The risk that remains after safeguards have been selected and implemented.
Risk - Intuitively, the adverse effects that can result if a vulnerability is exploited or if a threat is
actualized. In some contexts, a risk is a measure of the likelihood of adverse effects or the product
of the likelihood and the quantified consequences. There is no standard definition. (Based on
Computer Related Risks).
Risk Management - The process by which resources are planned, organized, directed, and
controlled to ensure the risk of operating a system remains within acceptable bounds at optimal
cost.
Safeguard(s) - The approved minimum security measure(s) and controls which, when correctly
employed, will prevent or reduce the risk of exploitation of specific vulnerability(ies) which
would compromise an IT system.
Security Screening - The type of personnel background check that, with a need to know, is
required for access to sensitive information and assets.
Security Officer - A person who is made responsible for the overall security of an IT system.
(Note: The security officer will normally consider physical, personnel and procedural security.)
Security Requirement(s) - The specification of a security function(s) needed within an IT
system, which if satisfied will result in the IT system meeting its Target Residual Risk.
Sensitive Information - Information that requires protection due to the risk of loss or harm that
could result from inadvertent or deliberate disclosure, modification, or destruction. Examples of
this are the breach of confidentiality of personal information, unauthorized modification of
financial data, release of pre-budget information.
Severity - A measure of the degree of damage suffered as the result of an event. May be
expressed as a percentage of the impacted assets or as a time interval.
Statement of Sensitivity (SoS) - A description of the confidentiality, integrity and/or availability
requirements associated with the information or assets stored or processed in or transmitted by an
IT system.
Threat - Any potential event or act that could cause one or more of the following to occur:
unauthorized disclosure, destruction, removal, modification or interruption of sensitive or critical
information, assets or services. A threat can be natural, deliberate or accidental.
Vulnerability - A quantifiable, threat-independent characteristic or attribute of any asset within a
system boundary or environment in which it operates and which increases the probability of a
threat event occurring and causing harm in terms of confidentiality, availability and/or integrity,
or increases the severity of the effects of a threat event if it occurs.
Appendix H – Enterprise Architecture Framework
Appendix I – Client Response
S.14(1)(i)(l) & S.18(1)(c)(d)
Section
TR-01 Backup data from the OPC/EPC system contains highly sensitive information.
Backups should be encrypted to prevent unauthorized access while in storage or in
transit.
Integrity checks on backup data should be implemented so that tampering is detected.
MTO
Response
TR-02 The Information Security and Privacy Classification (ISPC) policy and operating
procedure require that all High sensitivity data be encrypted in transit and stored in
encrypted form.
The sensitivity rating for confidentiality of OPC&EPC information assets is defined
as High, which requires strong encryption for data transmission over local and wide
area networks. All communications, including user/IT administrator sessions and
server-to-server communications, must be encrypted.
There are two options for consideration – SSL and PKI encryption. Cryptographic
algorithms must follow the GO-ITS standard; please refer to GO-ITS 25.12 Security
Requirements for the Use of Cryptography, Version 1.1.
Any folders residing on the hard drives of laptops and PCs that contain sensitive
information must be encrypted.
MTO
Response
TR-03 It is recommended that the OPC/EPC system architecture observe a 3-tier network
architecture, and separate the Internet-facing application access (OPC/EPC applicants)
from the GO-Net-facing application access (CSR access and administrative users).
Separating network architectures into segregated environments (‘tiers’), based on
functionality, is an industry-standard way of further sub-grouping project components
by common requirements. In this way, several network layers can be created and
optimised to accommodate the needs of web servers, application servers, databases,
etc., while adhering to overall security best practices.
MTO
Response
TR-04 Implement application-level firewalls between the web servers (presentation tier)
and the application servers, and between the application servers and database servers.
Configure the firewalls to restrict port availability to the required traffic, and
address potentially harmful internal attacks via filtering (e.g. spyware). Note that
the firewalls should apply stateful inspection rather than stateless packet filtering.
MTO
Response
TR-05 Implement an Intrusion Detection/Prevention System in the OPC/EPC environment.
It is recommended that the system be hosted with behaviour-based NIDS (Network-based
IDS) and HIDS (Host-based IDS).
MTO
Response
TR-06 Password management practices (both within the OPS and by the service
provider/vendor) must comply with Government of Ontario IT Standards (GO-ITS
25.15). Please refer to: http://www.gov.on.ca/mgs/graphics/173720.pdf
MTO
Response
TR-07 Access logging must be enabled to support accountability. All access logs should
be centralized on a separate server and made tamper resistant, and logs should be
reviewed periodically, by authorized staff only.
(See GO-ITS 25, section 2.2.4.2 for additional requirements)
MTO
Response
TR-08 Vulnerability and penetration testing must be conducted on the whole OPC/EPC system
prior to implementation, and thereafter at least annually and whenever major
configuration changes or upgrades have occurred. Include the results and
mitigation strategies in the annual security plan. The scope of the penetration test
should extend to the related Service Ontario-owned systems and the CPC production
servers; the penetration testing mandate should be addressed in the separate SLA with them.
MTO
Response
TR-09 Role Based Access Control (RBAC) should be planned and implemented in the
OPC/EPC system and extended to Service Ontario and the Card Production Center.
RBAC should be strictly observed with regard to the following accounts and roles:
MTO staff, PCT fraud staff, future application users and administrators, database
administrators, operations / help desk, service providers, all system/application
accounts, and all associated workstations and servers. Ensure that users,
administrators and service providers do not have broad access to data they do not
require to fulfill their job function, with strict separation between OPC and EPC application roles.
Ensure that formal procedures for provisioning, de-provisioning and access auditing of all
the account levels mentioned above are developed and maintained.
MTO
Response
TR-10 Incorporate audit trails and due diligence checks into the
applications/systems/databases (OPS and service providers) to detect improper
transactions that could arise from human error or malicious activity. Include audit
logging for: database record changes, database import/export of highly sensitive
data (such as personal identity information), additions / deletions of user IDs,
failed login attempts, and database schema changes. Audit logs and information must be
protected by strict controls to prevent modification.
MTO
Response
TR-11 Integrity checks should be planned and implemented at the database or application
level to detect and prevent incomplete or inaccurate information in the OPC/EPC system
caused by human error or malicious activity; an integrity compromise could render the
finished EPC/OPC card, and the CBSA process that relies on it, unusable.
Hash/HMAC/CBC-HMAC should be used as per OPS standards. The accepted hashing
algorithm is SHA-256 or stronger. Please refer to: GO-ITS 25.12 Security
Requirements for the Use of Cryptography, Version 1.1.
MTO
Response
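The distinction TR-11 draws between a hash and a keyed HMAC matters against exactly the insider the recommendations worry about: someone with write access to the database row. The following is an added example, not code from the TRA, MTO or the OPC/EPC system. The record layout, field names, sample values and the attacker model are constructed for illustration; the HMAC key is generated in the script only so that it runs stand-alone, whereas in the recommended design it would be held by the application tier or a key store, never in the database the tag protects.

```python
"""Keyed integrity tags for card records, in the spirit of TR-11.

Added example; not code from the TRA, MTO or the OPC/EPC system. Field names,
the sample record and the attacker model are constructed. The key is generated
here so the example runs offline; in the recommendation's setting it would be
held by the application tier, never stored next to the rows it protects."""
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record: dict) -> bytes:
    """Deterministic encoding (sorted keys, no optional whitespace) so that two
    records with equal content tag identically regardless of field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def unkeyed_digest(record: dict) -> str:
    """Plain SHA-256 of the record: detects accidental corruption only."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def verify_unkeyed(record: dict, stored_digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(record), stored_digest)


def integrity_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical record (SHA-256 is the minimum TR-11 quotes)."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_tag(record: dict, tag: str, key: bytes) -> bool:
    # compare_digest is constant-time, so a verifier exposed to many attempts
    # does not leak how many leading bytes of a guessed tag were correct.
    return hmac.compare_digest(integrity_tag(record, key), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)                   # application-tier secret
    record = {                                      # constructed sample row
        "card_id": "OPC-0000001", "surname": "Doe", "given_names": "Jane",
        "date_of_birth": "1980-01-01", "status": "CANCELLED",
    }
    row = {"record": record, "digest": unkeyed_digest(record),
           "tag": integrity_tag(record, key)}
    out = {"genuine_ok": verify_tag(row["record"], row["tag"], key)}

    # Same content read back with the fields in another order still verifies.
    reordered = dict(reversed(list(record.items())))
    out["reordered_ok"] = verify_tag(reordered, row["tag"], key)

    # Attacker model: write access to the row (the privilege abuse NR-04 warns
    # about) but no access to the application's key. They flip a cancelled
    # card back to ISSUED.
    forged = dict(record, status="ISSUED")
    # 1. Stored tag left untouched: the change is caught.
    out["stale_tag_caught"] = not verify_tag(forged, row["tag"], key)
    # 2. Unkeyed digest recomputed over the forged row: the unkeyed check passes.
    out["unkeyed_digest_fooled"] = verify_unkeyed(forged, unkeyed_digest(forged))
    # 3. Tag recomputed under a guessed key: caught, because the key is wrong.
    out["guessed_key_caught"] = not verify_tag(
        forged, integrity_tag(forged, b"attacker-guess"), key)
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The HMAC only convinces parties that hold the key, so it satisfies TR-11's integrity requirement but not the non-repudiation requirement in TR-12: with a shared key either end could have produced the tag. For the CBSA and CPC transactions, a signature under a private key bound to a GO-PKI certificate, as TR-12 recommends, is what a third party can verify.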
TR-12 During the workshops, a non-repudiation requirement was identified for the
transactions between the OPC&EPC system and CBSA, as well as CPC. Digital certificates
are recommended so that the data can be digitally signed end to end.
MTO
Response
TR-13 One issue has been identified: email sent from CPC to the MTO Business
Integrity Department contains damaged-card information (DCN number, RFID
number and card status information).
It is highly recommended that MTO consider re-engineering the email process into a
secure channel between CPC and the OPC/EPC system. All business data must
go through the secure channel. Email containing information classified as High
Confidentiality (card status information) must be encrypted (including attachments)
and digitally signed.
MTO
Response
TR-14 If there is any shared infrastructure in MTO holding information for different services,
such as Driver's Licence, Enhanced Driver's Licence, Ontario Photo Card and Ontario
Enhanced Photo Card, it is highly recommended that the database information
dedicated to OPC and EPC be separated, logically or physically, between OPC and
EPC and from the other MTO services (DL/EDL).
MTO
Response
TR-15 Application development must follow the GO-ITS standards for the SDLC, consider
security from the software architecture stage onward, and include a code review of the
OPC/EPC system prior to implementation.
Please refer to http://www.gov.on.ca/mgs/graphics/241105.pdf
MTO
Response
NR-01 The Recovery Time Objective (RTO) for the OPC/EPC application is not more than 1
day of interruption during regular business hours, due to the CBSA requirement. To
ensure availability even when a disaster, including a catastrophic one, occurs, Business
Continuity and Disaster Recovery plans should be developed to achieve continuity at an
alternate location.
Very importantly, the Business Continuity and Disaster Recovery Plans need to be
tested on an annual basis to confirm the ability to fully recover OPC/EPC services and
validate the Recovery Time Objective for the Program. Also, the BCP/DRP need to
be reviewed, maintained and updated whenever there is a major change to the
business or IT infrastructure of the OPC/EPC services.
MTO
Response
NR-02 An IT contingency plan should be developed to maintain the availability of the OPC/EPC systems in the event of software or hardware failures. A security incident response plan should also be developed and tested to facilitate recovery of the system after a security incident.
MTO
Response
NR-03 MTO employees with privileged access to OPC/EPC must undergo a Security Clearance process [1]. New hires should undergo Security Clearance immediately, as part of the recruitment process.
Contractors and service-provider staff (Service Ontario staff and CPC staff) should be brought in with a security clearance already completed, or the contract should require at least a general Screening Clearance Check.
[1] See http://intra.hropenweb.gov.on.ca/hrpolicies/PersonScrnChk_pol.html
MTO
Response
NR-04 The different environment types (development, testing and production) should be properly separated; their functionality and operations should not overlap. Developers should not have access to the code used in production. Code should be tested, submitted to the staging library and then promoted to the production environment. At no time should developers or testers have access to production data; any modification to data must be made by the data owners.
Where possible, test, analytical and statistical data used by QA and developers should be "sanitized" or "masked" for high- and medium-sensitivity information.
System administrators should not be able to read, query or modify information in the database (privilege abuse); any such activity should be recorded by database audit logging and generate an alert.
MTO
Response
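The masking called for in NR-04 is easy to get wrong: replacing identifiers with random values breaks the joins QA relies on, while simply truncating them leaves the originals recoverable. The following Python script is an added illustration, not code from the TRA or from MTO/MGS, of keyed deterministic masking: a secret key and HMAC-SHA256 derive a format-preserving pseudonym for a licence number and an opaque token for a name, so the same raw value always maps to the same masked value (referential integrity is kept) while nothing is recoverable without the key, which stays in production and is never shipped with the test copy. The record layout, field names, the assumed licence-number format (one letter, four digits, then two five-digit groups) and the sample rows are all constructed for the example.

```python
"""
Deterministic masking of OPC/EPC-style records for a QA/test copy.
Added illustration; not code from the MGS/MTO TRA. Field names, the
licence-number format and the sample records are assumptions made for
the example.
"""
import hashlib
import hmac
import re
from typing import Dict, List

# Secret used only by the masking job. It stays with the production data
# owners and is never distributed with the masked copy. Constructed value.
MASKING_KEY = b"example-only-masking-key-rotate-me"

# Assumed licence-number shape: A1234-56789-01234
LICENCE_RE = re.compile(r"^([A-Z])(\d{4})-(\d{5})-(\d{5})$")


def _prf(key: bytes, label: str, value: str) -> bytes:
    """Keyed PRF (HMAC-SHA256). The per-field label ensures the same raw
    string in two different columns does not produce the same token."""
    msg = label.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def _digits(raw: bytes, n: int) -> str:
    """Reduce PRF output to n decimal digits (32 bytes mod 10**n; the bias
    is negligible for n <= 14)."""
    return str(int.from_bytes(raw, "big") % 10 ** n).zfill(n)


def mask_licence(key: bytes, licence: str) -> str:
    """Format-preserving pseudonym: keeps the shape that front-end
    validators expect but every character is key-derived. Same input
    gives the same output, so joins between masked tables still work."""
    if not LICENCE_RE.match(licence):
        raise ValueError("licence number does not match the expected format")
    tag = _prf(key, "licence", licence)
    letter = chr(ord("A") + tag[0] % 26)
    d = _digits(tag[1:], 14)
    return f"{letter}{d[:4]}-{d[4:9]}-{d[9:14]}"


def mask_name(key: bytes, name: str) -> str:
    """Opaque pseudonym for a name; case-normalised so 'Jane' and 'JANE'
    collapse to one token. Not reversible without the key."""
    return "USER-" + _prf(key, "name", name.upper()).hex()[:10].upper()


def mask_dob(dob: str) -> str:
    """Generalise the date of birth to year only (YYYY-MM-DD -> YYYY-01-01);
    age-dependent logic still gets a realistic year to test against."""
    if not re.match(r"^\d{4}-\d{2}-\d{2}$", dob):
        raise ValueError("unexpected date format")
    return dob[:4] + "-01-01"


def mask_record(key: bytes, rec: Dict[str, str]) -> Dict[str, str]:
    """Return a masked copy of one row. card_status is kept: test cases
    need it, and once the identifiers are replaced it no longer links to
    a real person."""
    return {
        "licence_no": mask_licence(key, rec["licence_no"]),
        "name": mask_name(key, rec["name"]),
        "dob": mask_dob(rec["dob"]),
        "card_status": rec["card_status"],
    }


def mask_dataset(key: bytes, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [mask_record(key, r) for r in rows]


def leaks_raw_identifiers(raw_rows: List[Dict[str, str]],
                          masked_rows: List[Dict[str, str]]) -> bool:
    """Release gate: True if any raw name or licence number survives
    anywhere in the masked output."""
    raw_values = {r["licence_no"] for r in raw_rows} | {r["name"] for r in raw_rows}
    masked_values = {v for m in masked_rows for v in m.values()}
    return bool(raw_values & masked_values)


# Constructed sample records (fictitious people and numbers).
SAMPLE_ROWS = [
    {"licence_no": "A1234-56789-01234", "name": "Jane Example",
     "dob": "1980-05-17", "card_status": "ISSUED"},
    {"licence_no": "B9876-54321-09876", "name": "John Sample",
     "dob": "1975-11-02", "card_status": "PENDING"},
    {"licence_no": "A1234-56789-01234", "name": "Jane Example",
     "dob": "1980-05-17", "card_status": "RENEWED"},
]

if __name__ == "__main__":
    masked = mask_dataset(MASKING_KEY, SAMPLE_ROWS)
    for row in masked:
        print(row)
    print("raw identifiers leaked:", leaks_raw_identifiers(SAMPLE_ROWS, masked))
```

Rows 1 and 3 of the sample share a licence number and name, and their masked values are identical, which is the property that keeps foreign-key relationships intact across a masked export; the `leaks_raw_identifiers` gate is the check to run before the copy leaves the production zone.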
NR-05 To detect fraud and collusion, job rotation should be implemented in Service Ontario to expose any malicious or concealed activity; this requires personnel to be trained to back up and perform other co-workers' daily duties. This requirement should be included in the SLA with Service Ontario.
MTO
Response
NR-06 Conduct and maintain Security Policy and Awareness training for all MTO staff, IT staff and service providers with access to sensitive OPC/EPC information. Because copies of applicants' certified documents will be handled in Service Ontario, and MTO processes highly sensitive information, a tailored security training program must be developed, including the ISPC policy and operational procedures.
MTO
Response
NR-07 When information is classified as High or Medium sensitivity, the minimum standards for its handling, protection and disposal must be followed.
Implement the Information Security and Privacy Classification (ISPC) operational policies and procedures as described in the Information Security and Privacy Classification Operating Procedures. Pay particular attention to the "required safeguards" for High Sensitivity information. Online training is available at http://intra.collaboration.gov.on.ca/mgs/occio/ocipo/im/ispc/mod4/m04t01p01_e.html.
MTO
Response
NR-08 Third-party auditing of Service Ontario is recommended to detect any malicious or fraudulent activity; this requirement should be included in the SLA with Service Ontario.
MTO
Response
NR-09 MTO must determine how long sensitive data is to be kept, which data should then be destroyed and which must be preserved as permanent archival records, based on the requirements of legislation and of the business services and processes. This affects every service provider where sensitive personal information of Ontarians is kept and backed up, including but not limited to SO, CPC and CBS.
Consult with the Archives of Ontario (Records Management Program) and the Cluster on the development of policies and procedures for the appropriate retention and disposal of data.
Information about the Archives of Ontario: OPS services on http://intra.ops.myops.gov.on.ca
MTO
Response
NR-10 Develop, implement, monitor and enforce Service Level Agreements (SLAs) and Memorandums of Understanding (MOUs) for the OPC&EPC service between MTO and all vendors/service providers (i.e. the backup service provider, ITS and CPC) and the external stakeholder (CBSA, the Canada Border Services Agency).
All vendors and service providers (offsite backup services, Service Ontario staff and CPC employees) with access to OPC/EPC or backup data should sign non-disclosure agreements as part of their service contracts or SLA/MOU.
The SLA with the backup service provider should include, but not be limited to: appropriate handling of backup tapes and physical security of the tape storage location.
The SLA with CPC should include, but not be limited to: audit of CPC security programs; physical security of the card production centre (equivalent to the ITS zone 1 data centre requirement); security clearance of CPC personnel with access to OPC/EPC data; implementation of an Information Protection Plan; vulnerability management and penetration testing; requirements for the reporting of security breaches; retention of data; Incident and Change Management processes; standards for anti-virus and software patch levels for computers in the CPC environment; and strong authentication, authorization and auditing.
The SLA with CBSA should include the protection plan for Government of Ontario high-sensitivity information, to maintain data security throughout its life cycle.
Ensure that Government of Ontario information security strategies, programs, policies and standards, as outlined and required in the outsourcing contract, are implemented and followed for all Government of Ontario related work.
Service providers must co-operate when audits are conducted, making information and staff available as requested.
The following publication provides guidelines for contracting services related to personal information (http://intra.cio.gov.on.ca/pub/contracting_guidelines.pdf).
MTO
Response