The GC ESA Program Charter states that the overall objective of the ESA program is to ensure that security is built into the designs of the IT infrastructure as it undergoes its transformation. The GC must, on an ongoing basis, identify threats to GC networks and systems, prioritize and counter identified and potential threats, and continually improve the robustness and security of the GC IT infrastructure.
[[File:Esa scope picture.png|left|thumb|574x574px|Scope of the ESA Program]]

=== ''Scope'' ===
As the image on the left shows, the program charter establishes that the scope of the ESA program is high-level, with a focus on the enterprise as a whole, but it can also assist with security activities at all layers.

The GC may develop IT security architectures that can be categorized into three groups based on level of detail:

'''High-level view''': Artifacts developed at this layer are high-level, with the GC Enterprise in scope, and have a strategic impact. Examples include an Enterprise Security Concept of Operations or a GC Baseline Threat Assessment.

'''Context-specific view''': Artifacts developed at this layer provide supplementary details, are common, shared or departmental in scope, and have a tactical impact. Examples include a Security Requirements Traceability Matrix for a specific focus area, or a context-specific architecture (e.g. a Business Control Profile for a Human Resources System).

'''Solution view''': Artifacts developed at this layer are very detailed, system-specific in scope, and have an operational impact. Examples include detailed design documentation or a Standard Operating Procedure for a Data Loss Prevention System.

For more information about the scope of the GC ESA program, please read the [http://www.gcpedia.gc.ca/gcwiki/images/8/81/GC_ESA_Program_Charter.pdf GC ESA Program Charter].

=== ''Program Approach'' ===
The program charter also provides an overview of the governance, risk, architecture compliance, and monitoring and measurement strategies for the GC ESA program. It notes that the desired results of the GC ESA program can only be achieved through the collaboration of departments and agencies that have a specific role in designing and implementing the GC enterprise IT security architecture, with support from other lead security agencies and key stakeholders.