ESA Program Processes

Revision as of 08:31, 7 April 2021 by Greggory.elton

Overview of ESA Program Processes

The GC ESA Program Implementation Framework describes the strategies that will help implement the ESA program so that it meets GC strategic objectives. It focuses on the processes required to support successful delivery of the program; those processes are summarized on this page. For more information, please read the GC ESA Program Implementation Framework.


Governance and Management

The IT Security Tripartite (TBS-CIOB, CSEC, SSC) has been established under the ESA program to provide a pan-government, horizontal and coordinated approach to implementing IT security across the GC. The GC ESA Program Charter outlines the ESA governance structure and its relationships with other groups, including the GC Architecture Review Board (GCARB) and the departmental architecture review boards (ARBs) that will be mandated by TBS IT policy instruments. Communications with existing governance bodies, such as ADM SIDC and the CIO Council, will increase understanding of and support for the program. For more information about the governance and management of the ESA Program, please read the GC ESA Program Implementation Framework.


Architecture Definition

To facilitate the development of enterprise IT security architectures that are driven by business needs for security, the ESA program will develop architectural artifacts from a GC-wide, strategic view. This is described in the GC Enterprise Security Architecture (ESA) Framework, which provides an overview of how the enterprise IT security architectures are being developed from an architecture perspective. It provides a set of methods and tools for developing a broad range of architectures, for designing an information system in terms of a set of building blocks, and for showing how those building blocks fit together. The tools and templates developed under the GC ESA Program are also described in further detail in the GC ESA Program Framework document.


Risk Management

[Figure: IT Security Risk Management approach]

The ESA Program will introduce an enterprise risk management approach for IT security, based on CSE's ITSG-33 - IT Security Risk Management: A Lifecycle Approach, to support departmental IT security risk management practices and to enable the secure implementation, operation, and disposal of information systems, as depicted in the image on the right.

The approach consists of four major areas:

  1. GC IT Security Risk Management activities;
  2. Departmental IT Security Risk Management activities;
  3. Information System Security Risk Management activities; and
  4. Ongoing Enterprise Security Threat Assessment (ESTA).

The architectures and requirements that result from the GC IT Security Risk Management activities flow down to the Information System Security Risk Management activities and the System Lifecycle (SLC). They are critical elements both for authorizing an integrated system to operate and for providing validated architectures against which assessors can perform assessments. For more information about the GC ESA Program's IT security risk management approach, please read the GC ESA Program Implementation Framework.

Security Control Profile Development

ITSG-33 - IT Security Risk Management: A Lifecycle Approach outlines the need to develop baseline security control profiles that can be applied to specific projects and target information systems. These security control profiles must be developed with an understanding of the business, technical, and threat environment, which is captured as:

  • Business Context: the business landscape for the proposed system, including the identification and security categorization of assets;
  • Technical Context: the operational needs, desires, visions, and expectations of the user, expressed without being overly technical or formal; and
  • Threat Context: the process of identifying and qualifying the threats faced by an organization's business activities and the information systems that support them.

The ESA Program will provide tools and templates to support the creation of suitable security control profiles. These profiles address the protection of the confidentiality, integrity, and availability of departmental information technology assets against threats that could cause injury to business activities and the information systems supporting them. For more information about security control profile development for the ESA Program, please read the GC ESA Program Implementation Framework.



Program Support

Program support activities for the ESA Program include community engagement and collaboration, as well as coordination with practitioners inside and outside the GC. GC 2.0 collaboration tools are also used to communicate ESA Program artifacts (see the Reference Materials page) to the broader GC IT security community: GCconnex is used for closed communications with members of the ESA interdepartmental working group, and GCpedia is used for open collaboration and communication of ESA artifacts.

Industry Support

To support the ESA Program, industry (contractor) support is required to identify and develop enterprise IT security architecture requirements, to provide design expertise, and to supply other technical services as required across the technology areas identified in the ESA Program IT security focus areas. Industry experts with extensive experience in designing secure, large-scale enterprise infrastructures are required to assist the GC as it evolves from a large number of disparate and aging infrastructures to a modern, resilient, and secure enterprise infrastructure.

For more information about ESA Program support activities, please read the GC ESA Program Implementation Framework.


Program Delivery Activities

The image below provides a detailed depiction of the various GC ESA program delivery activities:

[Figure: ESA Program delivery activities]


Security Measurement and Monitoring

GC ESA target architectures and security patterns will help translate abstract policy and business requirements into tangible security controls within an information system, and provide a mechanism for security measurement. Security measurement is important for assessing the current security status; it helps to identify specific security controls that are implemented incorrectly, are not implemented, or are ineffective. Security measurement can enable the GC to quantify improvements in securing information systems and to demonstrate measurable progress toward GC strategic goals and objectives.

Compliance

The ESA Program will develop and provide tools to support compliance with applicable Government of Canada (GC) legislation and Treasury Board of Canada Secretariat (TBS) policies, directives, and standards. To ensure a consistent security posture of the IT architecture across the GC, a set of mandatory baseline controls will be incorporated into TBS policy instruments, specifically the Standard on the Security of IT (SSIT). To aid departments in implementing the security controls identified for the enterprise, the ESA Program will develop IT security architecture patterns and target architectures that contextualize the controls and provide guidance for developing secure solution architectures.

Management Accountability Framework (MAF)

The combined Information Management and Information Technology Area of Management (AoM) in the MAF recognizes the shift towards a government-wide approach for data, information, and technology to deliver on priorities. The Security AoM is focused on assessing security practices that address the priority risks and threats to government operations, including risks and threats to GC information, assets, people, and continuity of business, and on demonstrating the alignment of security policy priorities in support of Government of Canada cyber security and modernization goals. The MAF will be a mechanism for obtaining feedback on the ESA Program.

Performance Measurement

At the ESA Program level, monitoring performance using metrics will enable management to ensure that goals are achieved. The Horizontal Performance Measurement Strategy (HPMS) is a Public Safety-led initiative to monitor the performance of initiatives identified under Pillar 1 of Canada's Cyber Security Strategy (CCSS). For ministerial reporting, TBS is the lead for collecting data from Pillar 1 departments and providing the consolidated data to Public Safety for inclusion in the ministerial report. As part of the IT Security Tripartite (ITST), TBS will collaborate with SSC and CSE, as well as the Canadian Security Intelligence Service (CSIS), to ensure that evaluation reporting reflects the intent of the TB submission for Pillar 1 activities.

For more information about security measurement and monitoring of the ESA Program, please read the GC ESA Program Implementation Framework.


Communications Plan

[Figure: ESA Program Commitment Curve]

An effective communications plan is critical to building GC-wide commitment to the ESA program and its initiatives. The communications strategy is targeted at moving stakeholder GC departments and staff along the ESA Program commitment curve shown in the image on the right.

In addition to the framework provided by the commitment curve, the communications plan will be constructed using the following principles:

  • Recruit leaders, and use existing GC initiatives and their working groups, to serve as communications champions;
  • Distribute ESA Program communications in a tiered fashion to build message consistency and to allow delivery by the appropriate leader for each stakeholder group;
  • Provide stakeholder engagement venues to solicit stakeholder-specific operational requirements and to vet capability priorities for a given ESA Program initiative, and provide timely updates that are appropriately scoped for each stakeholder group throughout the entire ESA program process;
  • Incorporate a two-way communications process, giving stakeholders mechanisms to ask questions, provide stakeholder-specific operational requirements and capability priority input, and raise issues;
  • Establish a procedure for addressing issues and communicating results to stakeholders in a timely fashion;
  • Develop messages that detail how the ESA Program initiative addresses stakeholder needs and concerns; and
  • Conduct the planning, budgeting, and governance of the ESA Program in a way that ensures a transitional and non-duplicative set of IT/IS security capabilities is provided by a set of capability implementation plans.

The expected benefits of the strategy include consistent messaging throughout the ESA Program process, well-informed and actively participating stakeholders, and coordinated efforts across the GC in support of the initiative's intended goals. For more information about the communications plan for the ESA Program, please read the GC ESA Program Implementation Framework.