Line 43:
Line 43:
* Include all skillsets required for delivery, including for requirements, design, development, and operations
* Include all skillsets required for delivery, including for requirements, design, development, and operations
* Work across the entire application lifecycle, from development and testing to deployment and operations
* Work across the entire application lifecycle, from development and testing to deployment and operations
−
* Ensure quality is considered throughout the Software Development Lifecycle
+
* Ensure quality <u><i>and security</i></u> is <u><i>underpinning</i></u> the Software Development Lifecycle
* Ensure accountability for privacy is clear
* Ensure accountability for privacy is clear
−
* Encourage and adopt Test Driven Development (TDD) to improve the trust between Business and IT
+
* Encourage and adopt <u><i>a process (for example:</i></u> Test Driven Development (TDD)) to improve the trust between Business and IT
<b>Design Systems to be Measurable and Accountable</b>
<b>Design Systems to be Measurable and Accountable</b>
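Review bot: subject-verb agreement in the rewritten quality bullet: "Ensure quality and security is underpinning the Software Development Lifecycle" should read "Ensure quality and security underpin the Software Development Lifecycle". The TDD bullet now nests parentheses ("a process (for example: Test Driven Development (TDD))"); "a process such as Test Driven Development (TDD)" says the same thing without the nesting. If the `<u><i>` wrapping marks proposed wording rather than intended emphasis, note that it will render as underlined italics on the live page and should be stripped once the change is accepted.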
Line 67:
Line 67:
* Ensure data is collected through ethical practices supporting appropriate citizen and business-centric use
* Ensure data is collected through ethical practices supporting appropriate citizen and business-centric use
* Data should only be purchased once and should align with international standards
* Data should only be purchased once and should align with international standards
−
* Where necessary, ensure collaboration with department/agency data stewards/custodians, other levels of government and indigenous people
+
* Where necessary, ensure collaboration with department/agency data stewards/custodians, other levels <u><i>and jurisdiction</i></u> of government and indigenous people
+
* Reduce the collection of redundant data
<b>Data Management</b>
<b>Data Management</b>
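Review bot: number agreement in the inserted phrase "other levels and jurisdiction of government": it should be "other levels and jurisdictions of government". The "Reduce the collection of redundant data" bullet added here is the one removed from Data Sharing further down, so this is a move rather than a new principle; placing it under collection is the right home for it.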
Line 77:
Line 78:
<b>Data Storage</b>
<b>Data Storage</b>
−
* Ensure data is stored in a secure manner in accordance with the National Cyber Security Strategy and the Privacy Act
+
* <i><u> Only handle data which is essential to your service. Do not store all data that you capture unless absolutely necessary</i></u>
−
* Follow existing retention and disposition schedules
+
* Ensure data is stored in a secure manner in accordance with <I><u>CSE approved cryptographic algorithms and protocols</I></u> and <I><u>legislation such as</I></u> the Privacy Act
+
* <I><u>Retain data fro the minimum time necessary.</u></I> Follow existing retention and disposition schedules
* Ensure data is stored in a way to facilitate easy data discoverability, accessibility and interoperability
* Ensure data is stored in a way to facilitate easy data discoverability, accessibility and interoperability
<b>Data Sharing</b>
<b>Data Sharing</b>
−
* Data should be shared openly by default as per the Directive on Open Government
+
* Data should be shared openly by default as per the Directive on Open Government <I><u>while taking into consideration existing laws and regulations the safeguarding of security and the privacy of data, while permitting free and open access</I></u>
* Ensure government-held data can be combined with data from other sources enabling interoperability and interpretability through for internal and external use
* Ensure government-held data can be combined with data from other sources enabling interoperability and interpretability through for internal and external use
−
* Reduce the collection of redundant data
* Reduce existing data where possible
* Reduce existing data where possible
* Encourage data sharing and collaboration
* Encourage data sharing and collaboration
+
* <I><u>Validate or transform all external input before processing</I></u>
|}
|}
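Review bot: typo in the retention bullet: "Retain data fro the minimum time necessary" should be "Retain data for the minimum time necessary". The inline markup on the changed lines is mis-nested: "<I><u>...</I></u>" (CSE bullet, Data Sharing bullet, Validate bullet) and "<i><u>...</i></u>" (Only handle data bullet) close the tags in the wrong order; close them as "</u></I>" so the HTML is well-formed. The Data Sharing sentence also needs punctuation and loses one "while": "…as per the Directive on Open Government, taking into consideration existing laws and regulations and the safeguarding of security and privacy of data, while permitting free and open access". Finally, "Validate or transform all external input before processing" is an application input-handling practice rather than a data sharing principle; it would sit more naturally under the development or security design section of this page.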
Line 115:
Line 117:
* Run applications in containers
* Run applications in containers
* Leverage the [[gccollab:groups/profile/1238235/engovernment-of-canada-digital-exchangefru00c9change-numu00e9rique-du-gouvernement-du-canada|GC Digital Exchange Platform]] for components such as the API Store, Messaging, and the GC Service Bus
* Leverage the [[gccollab:groups/profile/1238235/engovernment-of-canada-digital-exchangefru00c9change-numu00e9rique-du-gouvernement-du-canada|GC Digital Exchange Platform]] for components such as the API Store, Messaging, and the GC Service Bus
+
+
<I><u><b>Develop with Security in mind</b>
+
* Applications that store, process, handle, or have network access to sensitive information should be developed with security in mind from the start, and should be audited and assessed before use
+
* Ensure sensitive data is protected appropriately when stored and transmitted
+
* Minimise the opportunity for accidental data leakage across application boundaries
+
* Ensure only authorised parties can access sensitive information
+
* Restrict access to sensitive data to those applications designed to handle such material in a secure manner</u></I>
|}
|}
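Review bot: the new "Develop with Security in mind" block opens "<I><u><b>" on the heading line and only closes "</u></I>" at the end of the last bullet, so a single inline element spans the heading, blank lines and five list items; wikitext handles inline HTML per line, so wrap each bullet (or none) rather than the whole block, and close in reverse order. Spelling is also mixed across the page ("Minimise", "authorised" here against "unauthorized" in the later Secure Access section); pick one convention.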
Line 133:
Line 142:
* Support zero-downtime deployments for planned and unplanned maintenance
* Support zero-downtime deployments for planned and unplanned maintenance
* Use distributed architectures, assume failure will happen, handle errors gracefully, and monitor actively
* Use distributed architectures, assume failure will happen, handle errors gracefully, and monitor actively
+
* <u><I>Establish architectures that supports new technology insertion with minimal disruption to existing programs and services</I></u>
|}
|}
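Review bot: subject-verb agreement in the added bullet: "Establish architectures that supports new technology insertion" should be "Establish architectures that support new technology insertion".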
Line 142:
Line 152:
<b>Design for Security and Privacy</b>
<b>Design for Security and Privacy</b>
−
* Implement security across all architectural layers
+
<I><u>
−
* Categorize data properly to determine appropriate safeguards
+
* Perform security categorization to identify and categorize information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability.
−
* Perform a privacy impact assessment (PIA) when personal information is involved
+
* Build in security from the outset of design, development, and throughout the system life cycle, across all architectural layers.
−
* Balance user and business needs with proportionate security measures
+
* Implement appropriate and cost-effective security measures and privacy protections, proportionate to user and business needs. Apply graduated safeguards that are commensurate with the security category of the information and assets.
+
* Protect data while in transit, in use and at rest using appropriate encryption and protocols.
+
* Apply a defense in depth approach to reduce exposure to threats and minimize the degree of compromise.
+
* Design services that:
+
i. Prioritize ease of use in security design to make security simple for users;
+
ii. Protected from common security vulnerabilities;
+
iii. Expose and secure only the interfaces necessary to operate the service;
+
iv. Are resilient and can be rebuilt quickly to a known clean state in the event that a compromise is detected; and
+
v. Fail secure even if the system encounters an error or crashes.
+
* Integrate and automate security testing to validate code and address vulnerabilities prior to deployment
+
* Reduce human intervention and maximize automation of security tasks and processes.
+
+
<b> Ensure Secure Access to Systems and Services </b>
+
* User access to service interfaces should be constrained to authorised individuals, with clearly defined roles.
+
* Identify and authenticate individuals, processes, and/or devices to an appropriate level of assurance before being granted access to information and services.
+
* Separate and compartmentalise user responsibilities and privileges. Assign the least set of privileges necessary to complete the job.
+
* Use GC-approved multi-factor authentication where possible to protect against unauthorized access.
+
+
<b> Maintain Secure Operations </b>
+
* Design processes to operate and manage services securely in order to impede, detect or prevent attacks.
+
* Collect all relevant security events and logs at infrastructure and application levels to support root-cause analysis. Use a trusted time source and protect audit logs from manipulation.
+
* Continuously monitor system events and performance, and include a security audit log function in all information systems.
+
* Promptly apply security-related patches and updates to reduce exposure to vulnerabilities. Apply a risk-based mitigations when patches can’t be applied.
+
* Establish appropriate mechanisms to respond effectively to security incidents. Monitor security advisories and patches.
+
+
<b> Privacy by Design </b>
+
* Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved
+
* Implement security measures to assure the protection of personal information
+
* Take into consideration the 7 foundational privacy design principles when designing services.
+
</i></u>
|}
|}
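Review bot: the whole rewritten section from "Design for Security and Privacy" through "Privacy by Design" is wrapped in one "<I><u>" opened on its own line and closed as "</i></u>" after the last bullet, which is both mis-nested and spans headings, blank lines and the i.–v. sub-list; apply the markup per line and close as "</u></I>". The sub-list items "i." to "v." are plain text lines, not wiki list syntax, so they will not indent or render as a list; use "**" or "*#" under "Design services that:". Grammar points: "ii. Protected from common security vulnerabilities" should parallel the other items as "Are protected from common security vulnerabilities"; "Apply a risk-based mitigations" should be "Apply risk-based mitigations"; terminal periods are inconsistent between bullets. "Take into consideration the 7 foundational privacy design principles" would benefit from naming or linking the source of those principles. The removed bullets are accounted for: the privacy impact assessment reappears under Privacy by Design and "across all architectural layers" is folded into the build-in-security bullet, so no principle is lost.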