ITSG 33 implementation project for Department tasks.
This Annex is part of a series of guidelines on information technology (IT) security risk management that the Communications Security Establishment Canada (CSEC) issues under the Information Technology Security Guidance publication number 33 (ITSG-33) to help Government of Canada (GC) departments and agencies implement, operate, and maintain dependable information systems.
The ITSG-33 guidelines describe an IT security risk management process that includes activities at two distinct levels: the departmental level and the information system level.
This Annex provides guidelines to departments and agencies on the IT security risk management activities that are performed by a departmental IT security function as part of a departmental security program. These activities have four objectives:

1. Identify and understand the IT security needs of departmental programs and services, and define security controls that satisfy these needs;
2. Deploy security controls that satisfy IT security needs and the IT security risk management requirements of Treasury Board of Canada Secretariat (TBS) policy instruments;
3. Continuously monitor and assess the performance of departmental security controls to detect security incidents and identify vulnerabilities and deficiencies in a timely manner; and
4. Update implemented security controls based on the results of the continuous monitoring and assessment activities to respond to security incidents, correct vulnerabilities, and continuously improve the security posture of departmental information systems.
Adherence to the ITSG-33 guidelines has many benefits for departments, including compliance with the overall risk management strategy and objectives established by TBS, addressing key aspects of IT security in an efficient manner, and consistently and cost-effectively managing IT security risks.