Government of Canada Enterprise Security Architecture (ESA) Program

Revision as of 08:35, 25 August 2020 by Greggory.elton (talk | contribs)


Welcome

Welcome to the Government of Canada (GC) Enterprise Security Architecture (ESA) Program Portal. This portal is designed to help Government of Canada employees familiarize themselves with the GC ESA program by providing detailed, but concise information about the program, its key stakeholders, guiding principles, scope, and much more. It also includes a page with tools and templates to be used by security practitioners and a page with reference materials that provide details about different aspects of the GC ESA program for those interested in learning more about it. At the top of the screen you will find the navigation bar. You can use this bar to easily navigate between pages within the GC ESA Portal and learn more about the GC ESA program. The rest of this page provides a basic overview of the GC ESA program.

If you have any questions, suggestions or constructive criticism regarding the GC ESA program portal or its content, please feel free to contact us by clicking on the button in the top right corner, labelled "Contact Us". Also, please join our group on GCconnex by clicking on the other button in the top right corner, labelled "Join us on: GCconnex". By doing so, you will receive all of the latest news regarding the GC ESA Program and other related IT security activities, and you will be the first to know about any new tools or resources we create.


Overview of the GC ESA Program

 
GC Direction and the ESA Program

The GC ESA program is a government-wide initiative to provide a standardized approach to developing IT security architecture, ensuring that basic security blocks are implemented across the enterprise as the infrastructure is being renewed. The image on the right shows how the GC ESA program supports the direction the GC is taking with regards to GC IT security.

The GC ESA program aims to:

  • Ensure more cost-effective, interoperable, resilient and secure IT solutions in support of GC enterprise objectives;
  • Maintain availability of GC systems and services while complying with relevant GC legislation and policy instruments;
  • Adopt an architecture methodology and approach to ensure common understanding, alignment, and reduce duplication of effort amongst interdepartmental stakeholders;
  • Ensure security of information, IT infrastructure and applications with the implementation of consistent security controls which reduces total cost of ownership; and
  • Keep risk at acceptable levels.

The GC ESA program will serve as a guide to departments and agencies in planning, implementing, and operating their information systems by offering the necessary framework, tools, and templates to design, evaluate, and build an IT security architecture tailored to their organization, in accordance with Communications Security Establishment’s (CSE) ITSG-33 – IT Security Risk Management: A Lifecycle Approach and other security industry best practices in the area of architecture, risk management and compliance.

For more information about the GC ESA Program, please read the GC ESA Program Charteror its synopsis.


Scope of GC ESA Program

 
Scope of the ESA Program

As the image on the left shows, the scope of the GC ESA program is high-level, with a focus on enterprise as a whole, but it can also assist with security activities at all layers, in accordance with the GC ESA Program Charter.

The GC may develop IT security architectures that can be categorized into three groups based on level of detail:

High-level view: Artifacts developed at this layer are high-level with GC Enterprise in scope and have a strategic impact. Examples include an Enterprise Security Concept of Operations or a GC Baseline Threat Assessment.

Context-specific view: Artifacts developed at this layer provide supplementary details, are common, shared or departmental in scope and have a tactical impact. Examples include a specific focus area Security Requirements Traceability Matrix, or a context-specific architecture (e.g. Business Control Profile for a Human Resources System).

Solution view: Artifacts developed at this layer are very detailed, system-specific in scope and have an operational impact. Examples include a detailed design documentation or a Standard Operating Procedure for a Data Loss Prevention System.

For more information about the scope of the ESA program, please read the GC ESA Program Charteror its synopsis.


GC ESA Areas of Focus

 
ESA Program focus areas

Enhancing the security posture of GC systems and networks requires a comprehensive IT security strategy that includes defining requirements, developing IT security architectures, and designing patterns that can be used to implement defence-in-depth IT security capabilities. The GC established the ESA program for to address these areas.

Over the next several years, the ESA program will focus on the following eight focus areas:

  • Identity, Credential and Access Management (ICA)
  • Endpoint Security (END)
  • Data Security (DAT)
  • Application Security (APP)
  • Network and Communications Security (NCS)
  • Security Operations (OPS)
  • Compute and Storage Services Security (CSS)

For more information about the ESA program areas of focus, please read the GC ESA Vision and Strategy document.


Benefits and Risks of the GC ESA Program

Implementation of the GC IT security strategy, including the GC ESA program, will result in many benefits, including:

  • Enhanced security posture throughout the GC;
  • Better awareness of threats to GC IT infrastructure;
  • Improved understanding of the motivations and techniques of adversaries;
  • Increased abilities to provide rapid response to IT security incidents affecting GC systems;
  • Better positioned to acquire and share cyber threat information from/with trusted partners; and
  • Enhanced level of confidence with users, citizens, allies and other levels of government.

However, while the benefits are substantial, the GC IT security strategy is not without any risks, including:

  • Culture shift,
  • Costs,
  • Achieving balanced results,
  • Long-term commitment,
  • Technology advancements,
  • Technology limitations, and
  • Insufficient resources.

For a more detailed explanation of the benefits and risks of the GC IT security strategy and ESA program, please read the GC ESA Program Vision and Strategy document.

Key Stakeholders and Governance Structure of the GC ESA Program

 
ESA Program Key Stakeholders

Key Stakeholders

While the ESA program encompasses the entire GC, there are three key stakeholders that who play a large role in designing and implementing the program. The image on the left shows the three key stakeholders, the Treasury Board of Canada Secretariat, Shared Services Canada, and Communications Security Establishment, and it briefly describes the role each of them play in carrying out the GC ESA program:

Treasury Board Secretariat: Develops the long-term vision and establishes the priorities for the ESA program. It also leads the development of enterprise strategies and designs.

Shared Services Canada: Implements designs for consolidated IT infrastructure and provides service delivery.

Communications Security Establishment: Provides specialized technical expertise for enterprise designs and contributes design support and review for critical components.

These three stakeholders formed the IT Security Tripartite to develop and maintain a consistent and cohesive enterprise IT security architecture vision, strategy and designs under the ESA program.

Also included in the image on the left are the many other departments that are participating in the development of designs for the IT security architectures and identifying business requirements for IT security.

Relationship of the GC ESA Program Governance to GC IT Security Governance

The image below depicts the relationship of the IT Security Tripartite with the current GC Security Governance Structure. The scope of the GC Security Structure is much broader than IT. The IT Security Tripartite consists of members from ADM Security and Identity Committee (ADM SIDC) and the Lead Security Agency Steering Committee (LSA SC). The IT Security Tripartite aligns through the LSA SC and ADM SIDC. Communication is required to both the Departmental Security Officer and IT Security Coordinator communities, as well as to the Chief Information Officer Council (CIOC), which is the GC CIO's advisory body.

For more information about the ESA program key stakeholders and the relationship of the ESA program governance to the GC security governance, please read the GC ESA Program Charter or its synopsis.

 
ESA Program Governance and GC security governance


GC IT Security Strategy Vision and Guiding Principles

The GC is taking steps to transform the current disparate and aging IT infrastructure into an integrated, secure, modern and agile environment that will provide citizens, partners and our workforce with reliable and trusted access to GC programs and services. The overall vision of the GC IT security strategy is:

A modern, secure and resilient GC enterprise infrastructure enabling the trusted delivery of internal and external GC programs and services.

There are a number of fundamental principles that will guide the formation and evolution of the GC IT security strategy in order to realise this vision, including:

  • The GC needs to increase its understanding of the cyber threat landscape to devise better and more comprehensive security defences;
  • Security will be applied in a more consistent manner;
  • The GC must not act in isolation;
  • The GC will improve its information sharing and collaboration capabilities;
  • Security must be considered through all phases of the development life cycle, not bolted on afterwards;
  • The GC must seek an appropriate balance between security, the associated cost and the end-user experience;
  • Defence in depth will remain a key tenet of enterprise security; and
  • The GC needs to be agile and adapt to a constantly changing threat environment.

The ESA program will provide support to the broader GC IT security strategy and its transformation initiatives using a proactive approach to build an infrastructure that will address threats, technologies, and business requirements as they change over time and develop flexible and dynamic architectures that enable faster adoption of new use models and capabilities, while providing security across and increasingly complex environment and changing threat landscape.

For more information about the GC IT Security Strategy Vision and Guiding Principles, please read the GC ESA Backgrounder or its synopsis


Integration of the GC ESA into GC IT Security Management Activities

 
Integration of ESA into GC IT Security Risk Management Activities

The GC ESA program is a key component of IM/IT governance in the Government of Canada. The GC ESA program will use terminology and concepts from CSE’s IT Security Risk Management: A Lifecycle Approach (ITSG-33) to enable it integrate IT security in the development of business needs for security and system security architectures. ITSG-33 defines a set of activities to ensure key steps are continuously performed during the entire life cycle of the departmental security program and information systems. It also ensures that risk management is applied from a business and threat context perspective.

The image on the left provides a high-level view of the GC IT Security Risk Management approach. It is one example of how the ESA supports programs and services in following risk management processes and in remaining compliant. It demonstrates how ESA artifacts such as blueprints, use cases, and security requirements traceability matrices complement and provide input to departmental IT security risk management artifacts such as a departmental security plan, departmental security control profiles, and departmental threat assessments. In turn, those artifacts inform the information system security risk management activities that relate to implementation of an information system.

For more information about how the GC ESA program is being integrated into GC IT security management activities and the IM/IT planning and reporting cycle, please read the GC ESA Program Implementation Framework or its synopsis.