Line 1: |
Line 1: |
| {{OCIO_GCEA_Header}} | | {{OCIO_GCEA_Header}} |
| | | |
− | <i><h3> This is a <b><u>DRAFT COPY</u></b> of the proposed GC EA Playbook. It is a work IN PROGRESS, and has not undergone any review. </h3></i> | + | <i><big> This is a <b><u>DRAFT COPY</u></b> of the proposed GC EA Playbook. It is a work IN PROGRESS, and has not undergone any review. </big></i> |
| <br> | | <br> |
| | | |
Line 20: |
Line 20: |
| <h2> The Plays </h2> <br> | | <h2> The Plays </h2> <br> |
| | | |
− | <span style="font-size: 1.5em;"> 1. Business Architecture</span> <br><br> | + | <h3><span style="font-size: 1.5em;"> 1. Business Architecture</span></h3> <br><br> |
| | | |
| A Business Architecture is where an organization identifies the various services that it suppose to provide externally, as well as the various functions it owns or needs to own internally to support their services to the public. In terms of GC Enterprise Business Architecture, this is where the Government of Canada identifies the various departments, the services they provide to Canadians and the functions they owns. <br><br> | | A Business Architecture is where an organization identifies the various services that it suppose to provide externally, as well as the various functions it owns or needs to own internally to support their services to the public. In terms of GC Enterprise Business Architecture, this is where the Government of Canada identifies the various departments, the services they provide to Canadians and the functions they owns. <br><br> |
| | | |
− | <b><u>Fulfill the Government of Canada stakeholder needs</b></u> | + | <h4><b><u>Fulfill the Government of Canada stakeholder needs</b></u></h4> |
| | | |
| As the provider of service to Canadians, it is important for the GC to understand the stakeholders well. The stakeholders in this case can mean their users, their partners (if any), their suppliers (if any), their program or project manager, their implementor, etc. Once a department identify all its stakeholders, it needs to map them into their roles and responsibilities as well as identify their requirements. From there, department will need to figure out how to make it easier for the stakeholder to use the business service, which means department needs to really drill down on the user interface design of their service. This is what digital is all about, to make it easy for the users to consume the GC service. | | As the provider of service to Canadians, it is important for the GC to understand the stakeholders well. The stakeholders in this case can mean their users, their partners (if any), their suppliers (if any), their program or project manager, their implementor, etc. Once a department identify all its stakeholders, it needs to map them into their roles and responsibilities as well as identify their requirements. From there, department will need to figure out how to make it easier for the stakeholder to use the business service, which means department needs to really drill down on the user interface design of their service. This is what digital is all about, to make it easy for the users to consume the GC service. |
Line 47: |
Line 47: |
| Modeling business service delivery end-to-end will provide better digital experience to the stakeholders. It will also help provide better understanding of what components are required to create a service, what various channels which a service can be delivered, as well as individual areas that can be improved to maximize effectiveness and optimize efficiencies of the overall service. Modeling end-to-end business service delivery will expand the horizon and knowledge of the implementer of the business service and will ensure each part of the service delivery is considered and its impact to changes <br><br> | | Modeling business service delivery end-to-end will provide better digital experience to the stakeholders. It will also help provide better understanding of what components are required to create a service, what various channels which a service can be delivered, as well as individual areas that can be improved to maximize effectiveness and optimize efficiencies of the overall service. Modeling end-to-end business service delivery will expand the horizon and knowledge of the implementer of the business service and will ensure each part of the service delivery is considered and its impact to changes <br><br> |
| | | |
− | <b><u>Architect to be Outcome Driven and Strategically Aligned to the Department and to the Government of Canada</b></u> | + | <h4><b><u>Architect to be Outcome Driven and Strategically Aligned to the Department and to the Government of Canada</b></u></h4> |
| | | |
| The whole notion of creating a program or project is to support departmental mandate. Thus, it needs to be clear what mandate a program or project is supporting, how it supports it and measure how effective it is in supporting the mandate. A project or program may indirectly support a mandate, however, its derivative outcome may still be able to be tied into a mandate. Everything needs to be tied in to the mandate and everything needs to be measurable. If a department is not sure how a program or project is supporting its mandate, or how it can be measured, then perhaps the program or project may not be required to begin with. | | The whole notion of creating a program or project is to support departmental mandate. Thus, it needs to be clear what mandate a program or project is supporting, how it supports it and measure how effective it is in supporting the mandate. A project or program may indirectly support a mandate, however, its derivative outcome may still be able to be tied into a mandate. Everything needs to be tied in to the mandate and everything needs to be measurable. If a department is not sure how a program or project is supporting its mandate, or how it can be measured, then perhaps the program or project may not be required to begin with. |
Line 65: |
Line 65: |
| One of the benefit or translating business outcomes and strategy into business capabilities is to provide a common ground between business community and IT community. <br><br> | | One of the benefit or translating business outcomes and strategy into business capabilities is to provide a common ground between business community and IT community. <br><br> |
| | | |
− | <b><u> Promote Horizontal Enablement of the Enterprise</b></u> | + | <h4><b><u> Promote Horizontal Enablement of the Enterprise</b></u></h4> |
| * Identify opportunities to horizontally enabled business services and provide cohesive experience to stakeholders | | * Identify opportunities to horizontally enabled business services and provide cohesive experience to stakeholders |
| * Reuse common business capabilities and processes from across government and private sector | | * Reuse common business capabilities and processes from across government and private sector |
Line 71: |
Line 71: |
| | | |
| | | |
− | <span style="font-size: 1.5em;">2. Information Architecture</span> <br><br> | + | <h3><span style="font-size: 1.5em;">2. Information Architecture</span></h3> <br><br> |
| | | |
− | <b>Collect data to address the needs of the stakeholders </b> | + | <h4><b>Collect data to address the needs of the stakeholders </b></h4> |
| * Adopt a needs-based approach to data collection | | * Adopt a needs-based approach to data collection |
| ** Do your data collection processes include an assessment of existing data assets (e.g. as documented in a data inventory and/or catalogue) to minimize redundancy and duplication? | | ** Do your data collection processes include an assessment of existing data assets (e.g. as documented in a data inventory and/or catalogue) to minimize redundancy and duplication? |
Line 85: |
Line 85: |
| ** Do you have a process or mechanism in place to assess and control the quality of data collected? | | ** Do you have a process or mechanism in place to assess and control the quality of data collected? |
| | | |
− | <b>Manage data strategically and responsibly</b> | + | <h4><b>Manage data strategically and responsibly</b></h4> |
| * Define and establish clear roles, responsibilities, and accountabilities for data management | | * Define and establish clear roles, responsibilities, and accountabilities for data management |
| ** Do you have a framework or policy that sets out your organization’s data governance structure? At a minimum, the structure would list key data roles in the organization (e.g. steward, custodian, analyst, scientist) and define the responsibilities and decision-making authorities associated with each of them. | | ** Do you have a framework or policy that sets out your organization’s data governance structure? At a minimum, the structure would list key data roles in the organization (e.g. steward, custodian, analyst, scientist) and define the responsibilities and decision-making authorities associated with each of them. |
Line 104: |
Line 104: |
| * Ensure that data received from external parties is profiled and validated prior to its use | | * Ensure that data received from external parties is profiled and validated prior to its use |
| | | |
− | <b>Use and share data openly in an ethical and secure manner</b> | + | <h4><b>Use and share data openly in an ethical and secure manner</b></h4> |
| * Ensure data formatting aligns to existing enterprise and international standards. Where none exist, develop standards in the open with key subject matter experts, in consultation with the Enterprise Data Community of Practice. | | * Ensure data formatting aligns to existing enterprise and international standards. Where none exist, develop standards in the open with key subject matter experts, in consultation with the Enterprise Data Community of Practice. |
| * Data should be shared openly by default as per the Directive on Open Government and Digital Standards, while adhering to existing enterprise and international standards, including on quality or fitness for purpose. | | * Data should be shared openly by default as per the Directive on Open Government and Digital Standards, while adhering to existing enterprise and international standards, including on quality or fitness for purpose. |
Line 113: |
Line 113: |
| | | |
| | | |
− | <span style="font-size: 1.5em;">3. Application Architecture</span> <br><br> | + | <h3><span style="font-size: 1.5em;">3. Application Architecture</span></h3> <br><br> |
| | | |
| Application Architecture consists of the interaction of applications with each other and with users. It focuses less on internal mechanics and specific programming and more on overall design on how data is consumed and created by the system. It views the interactions between applications, databases, middleware to ensure scalability, reliability, availability and manageability. <br><br> | | Application Architecture consists of the interaction of applications with each other and with users. It focuses less on internal mechanics and specific programming and more on overall design on how data is consumed and created by the system. It views the interactions between applications, databases, middleware to ensure scalability, reliability, availability and manageability. <br><br> |
| | | |
− | <b><u>Use Open Source Solutions hosted in Public Cloud</b></u><br> | + | <h4><b><u>Use Open Source Solutions hosted in Public Cloud</b></u></h4><br> |
| | | |
| While OSS is not a silver bullet several common misconceptions are used as arguments against Open Source software: A misconception with security is that with the code out of the eyes of the public that it prevents successful attacks and lowers liability, however in reality Security Best practices state that 'System security should not depend on the secrecy of the implementation or its components', and as Open Source development relies and hardening (or improving the security) of code it is often equal or more secure then proprietary solutions. | | While OSS is not a silver bullet several common misconceptions are used as arguments against Open Source software: A misconception with security is that with the code out of the eyes of the public that it prevents successful attacks and lowers liability, however in reality Security Best practices state that 'System security should not depend on the secrecy of the implementation or its components', and as Open Source development relies and hardening (or improving the security) of code it is often equal or more secure then proprietary solutions. |
Line 142: |
Line 142: |
| <br> | | <br> |
| | | |
− | <b><u>Use Software as a Service (SaaS) hosted in Public Cloud</b></u> | + | <h4><b><u>Use Software as a Service (SaaS) hosted in Public Cloud</b></u></h4> |
| * <b><I>Choose SaaS that best fit for purpose based on alignment with SaaS capabilities </b></I><br> | | * <b><I>Choose SaaS that best fit for purpose based on alignment with SaaS capabilities </b></I><br> |
| * <b><I>Choose a SaaS solution that is extendable </b></I><br> | | * <b><I>Choose a SaaS solution that is extendable </b></I><br> |
Line 148: |
Line 148: |
| <br> | | <br> |
| | | |
− | <b><u>Design for [https://www.gcpedia.gc.ca/wiki/En/GCinterop Interoperability]</b></u> | + | <h4><b><u>Design for [https://www.gcpedia.gc.ca/wiki/En/GCinterop Interoperability]</b></u></h4> |
| * <b><I>Design systems as highly modular and loosely coupled services</b></I><br> | | * <b><I>Design systems as highly modular and loosely coupled services</b></I><br> |
| Focus on smallest unit of purpose, and developing a single function. Ensure containers contain a single application, and build the smallest image possible. | | Focus on smallest unit of purpose, and developing a single function. Ensure containers contain a single application, and build the smallest image possible. |
Line 168: |
Line 168: |
| | | |
| | | |
− | <span style="font-size: 1.5em;">4. Technology Architecture</span> <br><br> | + | <h3><span style="font-size: 1.5em;">4. Technology Architecture</span></h3> <br><br> |
| | | |
− | <b>Use Cloud first</b> | + | <h4><b>Use Cloud first</b></h4> |
| * Adopt the Use of the GC Accelerators to ensure proper Security and Access Controls | | * Adopt the Use of the GC Accelerators to ensure proper Security and Access Controls |
| * Enforce this order of preference: Software as a Service (SaaS) first, then Platform as a Service (PaaS), and lastly Infrastructure as a Service (IaaS) | | * Enforce this order of preference: Software as a Service (SaaS) first, then Platform as a Service (PaaS), and lastly Infrastructure as a Service (IaaS) |
Line 178: |
Line 178: |
| <br> | | <br> |
| | | |
− | <b>Design for Performance, Availability, and Scalability</b> | + | <h4><b>Design for Performance, Availability, and Scalability</b></h4> |
| * Ensure response times meet user needs, and critical services are highly available | | * Ensure response times meet user needs, and critical services are highly available |
| * Support zero-downtime deployments for planned and unplanned maintenance | | * Support zero-downtime deployments for planned and unplanned maintenance |
Line 186: |
Line 186: |
| | | |
| | | |
− | <span style="font-size: 1.5em;">5. Security and Privacy Architecture</span> <br><br> | + | <h3><span style="font-size: 1.5em;">5. Security and Privacy Architecture</span></h3> <br><br> |
| | | |
− | <b>Build Security into the Full System Life Cycle, Across All Architectural Layers</b> | + | <h4><b>Build Security into the Full System Life Cycle, Across All Architectural Layers</b></h4> |
| * Identify and classify risks associated to the service’s business objectives, goals, and strategy | | * Identify and classify risks associated to the service’s business objectives, goals, and strategy |
| * Design security measures according to business and user needs, risks identified, and security categorization of the information and assets; integrate security across all architectural layers (BIAT) | | * Design security measures according to business and user needs, risks identified, and security categorization of the information and assets; integrate security across all architectural layers (BIAT) |
Line 200: |
Line 200: |
| <br> | | <br> |
| | | |
− | <b>Ensure Secure Access to Systems and Services</b> | + | <h4><b>Ensure Secure Access to Systems and Services</b></h4> |
| * Identify and authenticate individuals, processes and/or devices to an appropriate level of assurance before granting access to information and services | | * Identify and authenticate individuals, processes and/or devices to an appropriate level of assurance before granting access to information and services |
| * Separate and compartmentalize user responsibilities and privileges; assign the least set of privileges necessary to complete the job | | * Separate and compartmentalize user responsibilities and privileges; assign the least set of privileges necessary to complete the job |
Line 208: |
Line 208: |
| <br> | | <br> |
| | | |
− | <b>Maintain Secure Operations</b> | + | <h4><b>Maintain Secure Operations</b></h4> |
| * Integrate aggregate outputs from security assessment and authorization activities into security architecture lifecycle processes, to ensure reference artefacts remain relevant and valid | | * Integrate aggregate outputs from security assessment and authorization activities into security architecture lifecycle processes, to ensure reference artefacts remain relevant and valid |
| * Continuously monitor system events and performance in order to detect, prevent, and respond to attacks | | * Continuously monitor system events and performance in order to detect, prevent, and respond to attacks |
Line 217: |
Line 217: |
| <br> | | <br> |
| | | |
− | <b> Privacy by Design </b> | + | <h4><b> Privacy by Design </b></h4> |
| * Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved | | * Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved |
| * Implement security measures to assure the protection of personal information | | * Implement security measures to assure the protection of personal information |
| * Take into consideration the <b>[https://www.ryerson.ca/pbdce/certification/seven-foundational-principles-of-privacy-by-design/ 7 Foundational Privacy Design Principles] </b> when designing services | | * Take into consideration the <b>[https://www.ryerson.ca/pbdce/certification/seven-foundational-principles-of-privacy-by-design/ 7 Foundational Privacy Design Principles] </b> when designing services |