Address security and privacy risks Take a balanced approach to managing risk by implementing appropriate privacy and security measures. Make security measures frictionless so that they do not place a burden on users. Guidance: Address security and privacy risks Digital services are core to service delivery, and they must securely store and manage the information of Canadians to maintain trust in government services. Security and privacy should be taken as a consideration from the onset of work for a given service, in alignment with Iterate and Improve. The implementation of security and privacy controls should be considered part of daily work. Similarly, processes should promote and monitor the continuous implementation of security and privacy controls throughout the lifecycle of a service. This will demonstrably increase the security and privacy posture of digital services by leveraging automated testing and real time reporting and monitoring over anecdotal document-heavy manual processes. Said processes, and the security and privacy controls themselves, should be frictionless, ensuring that services are designed first and foremost for users, not to satisfy existing legacy government procedures, tooling, or processes. Furthermore, by creating frictionless processes and permitting services to be iterated and improved upon quickly, the government is better situated to respond quickly to security or privacy risk. By responding to these operational needs within hours or minutes rather than months, the government can improve its security and privacy posture. Aligned Behaviours 1. Our team considers security and privacy throughout the service design process. 2. When implementing or enforcing security or privacy controls, our team takes into consideration how they would impact the quality or efficiency of the service and how it will impact the end users of the service. 3. Security measures are frictionless so that they do not place a burden on users. 4. Our team has privacy and security knowledge and understanding as a competency within the team. 5. The service has implemented automated security checks and privacy protections include role-based access and audit functions against the service. 6. There are procedures and processes in place to quickly respond to security or privacy breaches or incidents. Misaligned Behaviours 1. Team has no internal privacy or security knowledge, relying on other teams to identify nearly all security or privacy controls and best practices. 2. The core services upon which our team works have no automated security checks or privacy protections. 3. Our team relies on security through obscurity, hiding services or information rather than improving the security posture of the service. 4. Our team implements or enforces security or privacy controls without considering the impact on service usability.