Changes

Line 115: Line 115:  
* Include your users and other stakeholders as part of DevSecOps process
 
* Include your users and other stakeholders as part of DevSecOps process
   −
== Security Architecture <s>and Privacy</s> ==
+
== Security Architecture ==
 
The GC Enterprise Security Architecture (ESA) program is a government-wide initiative to provide a standardized approach to developing IT security architecture, ensuring that basic security blocks are implemented across the enterprise as the infrastructure is being renewed.  
 
The GC Enterprise Security Architecture (ESA) program is a government-wide initiative to provide a standardized approach to developing IT security architecture, ensuring that basic security blocks are implemented across the enterprise as the infrastructure is being renewed.  
  −
<s>Security architecture and privacy has always been an important but often poorly addressed aspect of solution design.  However, for the successful implementation of the GC Enterprise Ecosystem Target Architecture depends on a proper security architectural implementation.  Legacy systems based on monolithic architectures often had simplistic approaches to mitigating security risks. The future digitally enabled GC services will support a diverse community and have interoperating components spread across multiple environments.  It is critical that security be built into all processes and across all architectural layers.</s>
      
=== Build Security into the System Life Cycle, Across All Architectural Layers ===
 
=== Build Security into the System Life Cycle, Across All Architectural Layers ===
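Review bot: the struck paragraph under the renamed "Security Architecture" heading carried the rationale for the subsection that follows it ("It is critical that security be built into all processes and across all architectural layers" is what motivates "Build Security into the System Life Cycle, Across All Architectural Layers"); with it gone, the unchanged ESA paragraph is the only lead-in and says nothing about why security must span every layer. Suggest keeping that one sentence, for example appended to the ESA paragraph: "Security must be built into all processes and across all architectural layers." Nothing else in the hunk explains the removal, so an edit summary stating why the privacy material moved would also help.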
Line 136: Line 134:  
* Enable event logging, in accordance with GC Event Logging Guidance, and perform monitoring of systems and services in order to detect, prevent, and respond to attacks.
 
* Enable event logging, in accordance with GC Event Logging Guidance, and perform monitoring of systems and services in order to detect, prevent, and respond to attacks.
 
* Establish an incident management plan in alignment with the GC Cyber Security Event Management Plan (GC CSEMP) and report incidents to the Canadian Centre for Cyber Security (CCCS).
 
* Establish an incident management plan in alignment with the GC Cyber Security Event Management Plan (GC CSEMP) and report incidents to the Canadian Centre for Cyber Security (CCCS).
  −
=== <s>Privacy by Design</s> ===
  −
* <s>Perform Privacy Impact Assessment (PIA) to support risk mitigation activities when personal information is involved</s>
  −
* <s>Perform Algorithmic Impact Assessment (AIA) to support risk mitigation activities when deploying an automated decision system as per Directive on Automated Decision Making. For more info, please go to this link</s>
  −
* <s>Implement security measures to assure the protection of personal information and data</s>
  −
* <s>Take into consideration the 7 Foundational Privacy Design Principles (English only) when designing services</s>
      
== EA Framework Playbook ==
 
== EA Framework Playbook ==
 
Here is an [[GC Enterprise Architecture/Playbook#1. Business Architecture|archived version of the playbook]] that was developed for the original EA assessment Criteria. It will updated to align the updated EA Framework once it is approved at GC EARB.
 
Here is an [[GC Enterprise Architecture/Playbook#1. Business Architecture|archived version of the playbook]] that was developed for the original EA assessment Criteria. It will updated to align the updated EA Framework once it is approved at GC EARB.
   −
<nowiki>*</nowiki>The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture that provides an approach for designing, planning, implementing, and governing an enterprise information technology architecture. TOGAF has been adopted by the Government of Canada.{{OCIO_GCEA_Footer}}
+
{{OCIO_GCEA_Footer}}
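Review bot: the entire "Privacy by Design" subsection is removed without a pointer to where the PIA and AIA requirements now live; the reference to the Directive on Automated Decision Making and the link to the 7 Foundational Privacy Design Principles leave this page with it, so a reader of the Security Architecture section no longer learns that personal information or an automated decision system triggers an assessment. Suggest a one-line cross-reference to the new location. Separately, the removed `<nowiki>*</nowiki>` footnote defining TOGAF leaves any asterisk reference to TOGAF in the unchanged part of the page pointing nowhere, and the unchanged playbook sentence "It will updated to align the updated EA Framework" should read "It will be updated to align with the updated EA Framework".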

GCwiki