Changes

no edit summary
Line 84: Line 84:  
* Contribute all improvements back to the communities
 
* Contribute all improvements back to the communities
 
* Register Open Source software to the Open Resource Exchange
 
* Register Open Source software to the Open Resource Exchange
 +
<br>
    
<b>Use SaaS hosted in the Cloud</b>
 
<b>Use SaaS hosted in the Cloud</b>
Line 89: Line 90:  
* Align with SaaS capabilities; extend as Open Source modules
 
* Align with SaaS capabilities; extend as Open Source modules
 
* Configuration over customization
 
* Configuration over customization
 +
<br>
    
<b>Design for [https://www.gcpedia.gc.ca/wiki/En/GCinterop Interoperability]</b>
 
<b>Design for [https://www.gcpedia.gc.ca/wiki/En/GCinterop Interoperability]</b>
Line 94: Line 96:  
* Use micro services scoped to a single purpose and API-led connectivity
 
* Use micro services scoped to a single purpose and API-led connectivity
 
* Expose functionality as services, make services available through APIs and make the APIs discoverable
 
* Expose functionality as services, make services available through APIs and make the APIs discoverable
 +
<br>
    
<b>Use DevOps / Continuous Integration to ensure maintainability and AB Testing</b>
 
<b>Use DevOps / Continuous Integration to ensure maintainability and AB Testing</b>
Line 113: Line 116:  
* Enforce this order of preference: Public cloud first, then Hybrid cloud, then Private cloud, and lastly non-cloud (on-premises) solutions
 
* Enforce this order of preference: Public cloud first, then Hybrid cloud, then Private cloud, and lastly non-cloud (on-premises) solutions
 
* Design for cloud mobility and develop an exit strategy to avoid vendor lock-in
 
* Design for cloud mobility and develop an exit strategy to avoid vendor lock-in
 +
<br>
    
<b>Design for Performance, Availability, and Scalability</b>
 
<b>Design for Performance, Availability, and Scalability</b>
* Design for resiliency
   
* Ensure response times meet user needs, and critical services are highly available
 
* Ensure response times meet user needs, and critical services are highly available
 
* Support zero-downtime deployments for planned and unplanned maintenance
 
* Support zero-downtime deployments for planned and unplanned maintenance
Line 133: Line 136:  
<b>Build Security into the Full System Life Cycle, Across All Architectural Layers</b>
 
<b>Build Security into the Full System Life Cycle, Across All Architectural Layers</b>
 
* Identify and classify risks associated to the service’s business objectives, goals, and strategy
 
* Identify and classify risks associated to the service’s business objectives, goals, and strategy
* Design security measures according to business and user needs, risks identified, and security categorization of the information and assets; integrate security across all architectural layers (BIAT).
+
* Design security measures according to business and user needs, risks identified, and security categorization of the information and assets; integrate security across all architectural layers (BIAT)
** Maintain focus on users’ ease of use through selection of context-appropriate controls
+
* Design systems to not be susceptible to common security vulnerabilities; resilient and can be rebuilt quickly in the event of compromise; and fail secure if the system encounters an error or crashes
** Apply an information-centric approach to reduce resources’ exposure to threats, and minimize the opportunity for compromise.
+
* Ensure that data received from external parties is profiled and validated prior to its use
** Protect data while in transit, in use and at rest using appropriate encryption and protocols. Ensure effective disposition of data per retention schedules, following service sunset.
+
<br>
* Design systems that: are not susceptible to common security vulnerabilities; are resilient and can be rebuilt quickly in the event of compromise; and fail secure if the system encounters an error or crashes.
  −
* Reduce human intervention and maximize automation of security tasks and processes.
  −
** Integrate and automate security testing to validate code and address vulnerabilities prior to deployments
      
<b>Ensure Secure Access to Systems and Services</b>
 
<b>Ensure Secure Access to Systems and Services</b>
* Identify and authenticate users and devices to an appropriate level of assurance before granting access to information and services.
+
* Identify and authenticate individuals, processes and/or devices to an appropriate level of assurance before granting access to information and services
* Separate and compartmentalize user responsibilities and privileges; assign the least set of privileges necessary to complete the job.
+
* Constrain service interfaces to authorized entities (users and devices), with clearly defined roles
* Constrain service interfaces to authorized entities (users and devices), with clearly defined roles, and only expose the interfaces necessary to operate the service
+
* Make use of modern password guidance, and prioritizing length over complexity, eliminating expiry, and blacklisting common passwords
* Make use of modern credential guidance, and use GC-approved multi-factor authentication where required to stop unauthorized access.
+
<br>
    
<b>Maintain Secure Operations</b>
 
<b>Maintain Secure Operations</b>
* Integrate SA&A activities into security architecture lifecycle processes, to ensure reference artefacts remain relevant and valid.
+
* Integrate aggregate outputs from security assessment and authorization activities into security architecture lifecycle processes, to ensure reference artefacts remain relevant and valid
* Continuously monitor system events and performance in order to detect, prevent, and respond to attacks.
+
* Design processes to operate and manage services securely, and continuously monitor system events and performance in order to detect, prevent, and respond to attacks  
* Design processes to operate services securely, and establish processes and mechanisms to respond effectively to security events.
+
* Establish processes to monitor security advisories, and apply security-related patches and updates to reduce exposure to vulnerabilities. Apply appropriate risk-based mitigations when patches can’t be applied
* Collect transaction logs at infrastructure and application levels to support automated root-cause analysis and performance tuning.
  −
* Include an audit function in information systems. Use a trusted time source and protect audit logs from manipulation.
  −
* Establish processes to monitor security advisories, and apply security-related patches and updates. Apply appropriate risk-based mitigations when patches can’t be applied.
   
<br>
 
<br>
 +
 
<b> Privacy by Design </b>
 
<b> Privacy by Design </b>
 
* Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved
 
* Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved
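Review bot: the removed lines under Maintain Secure Operations ("Include an audit function in information systems. Use a trusted time source and protect audit logs from manipulation." and "Collect transaction logs at infrastructure and application levels to support automated root-cause analysis and performance tuning.") have no counterpart in the added text, so the revised standard no longer requires tamper-resistant, time-synchronized logging, yet the new "continuously monitor system events and performance in order to detect, prevent, and respond to attacks" line depends on exactly those logs; suggest restoring the audit-function and trusted-time-source requirement as a sub-bullet under the monitoring line. Likewise, replacing the password line with "modern credential guidance" drops the concrete, testable practices the old line named (length over complexity, no forced expiry, blacklisting common passwords); consider keeping them as a sub-bullet next to the new GC-approved multi-factor authentication requirement.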