ESA Framework Actors

Revision as of 08:36, 7 April 2021 by Greggory.elton (talk | contribs) (Created page with "<div class="center"><div style="float: right; z-index: 10; position: absolute; right: 0; top: 1;">File:JoinusonGCconnex.png|link=http://gcconnex.gc.ca/groups/profile/2785549...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Enterprise Actors

As defined by The Open Group Architecture Framework (TOGAF), an actor is "a person, organization, or system that has a role that initiates or interacts with activities." Actors may be internal or external to an organization. The list below originates from the GC ESA Concept of Operations (ConOps) document, and defines a set of notional Enterprise Actors. The set of actors will remain constant even though GC roles may change over time or vary by department. A single GC role may assume multiple responsibilities or a responsibility may be shared by multiple roles. This is not an exhaustive list of actors and should be modified as appropriate. For more information, please read the GC ESA Framework and/or GC ESA ConOps document.


Actor GC Roles Definition Responsibilities
80px Deputy Head The highest-level senior official or executive within an organization.
  • Providing information security protections commensurate with the risk and magnitude of harm to organizational operations and assets, individuals, other organizations, and the Nation resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of: (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
80px Department Security Officer The risk executive is an individual or group within an organization that helps to ensure that: (i) risk-related considerations for individual information systems, including authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions; and (ii) information system-related security risks are consistently managed across the organization, reflect organizational risk tolerance, and are considered along with other types of risks in order to ensure mission/business success.
  • Providing a comprehensive, organization-wide, holistic approach for addressing risk—an approach that provides a greater understanding of the integrated operations of the organization.
70px CIO A senior official designated by the senior organization official to represent the organization on matters relating to IT management.
  • Effectively and efficiently managing GC information and IT assets,
  • Designating a senior information security officer,
  • Developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements,
  • Overseeing personnel with significant responsibilities for information security and ensuring that the personnel are adequately trained,
  • Assisting senior organizational officials concerning their security responsibilities,
  • Reporting annually, in coordination with other senior officials, to the head of the organization on the overall effectiveness of the organization’s information security program, including progress of remedial actions, and
  • Ensuring that an organization-wide information security program is effectively implemented resulting in adequate security for all organizational information systems and environments of operation for those systems.
80px Organizational official with legislative, management, or operational authority for specified information.
  • Establishing the policies and procedures governing information generation, collection, processing, dissemination, and disposal, and
  • Establishing the rules for appropriate use and protection of subject information, and retaining responsibility even when the information is shared with or provided to other organizations.
80px IM Functional Specialist Individual or group that ensures the careful and responsible management of federal information belonging to the federal government, regardless of the entity or source that may have originated, created, or compiled the information.
  • Providing maximum access to federal information to elements of the federal government and its customers, balanced by the obligation to protect the information in accordance with legislation and any associated security-related federal policies, directives, regulations, standards, and guidance.
80px Organizational official representing the information security interests of the CIO who heads an office with the mission and resources to assist the organization in achieving more secure information and information systems.
  • Carrying out chief information officer security responsibilities, and
  • Serving as the primary liaison for the chief information officer to the organization’s authorizing officials, information system owners, common control providers, and information system security officers.
80px Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the Nation.
  • Being held accountable for the security risks associated with information system operations, and
  • Providing authorization decisions and signing the associated authorization decision document.
80px An individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls
  • Documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization),
  • Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization,
  • Documenting assessment findings in a security assessment report, and
  • Producing a plan of action and milestones for all controls having weaknesses or deficiencies.
80px Program Owner; Service Provider Organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system, also called 'Program Manager'.
  • Addressing the operational interests of the user community and ensuring compliance with information security requirements,
  • Developing and maintaining the security plan and ensuring the system is deployed and operated in accordance with the agreed-upon security controls, and
  • Deciding who has access to the system and ensuring that system users and support personnel receive the requisite security training.
80px IT Security Coordinator Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program, and the principal advisor on all matters, technical and otherwise, involving the security of an information system.
  • Maintaining the appropriate operational security posture, including day-to-day security operations of a system, physical and environmental protection, personnel security, incident handling, security training and awareness, developing and updating the security plan, managing and controlling changes to the system, and assessing the security impact of those changes, and
  • Supporting the development of, and compliance to, security policies and procedures.
80px Liaison between the enterprise architect and the information system security engineer, who also coordinates between information system owners, common control providers, and information system security officers on the allocation of security controls as system-specific, hybrid, or common controls.
  • Ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes, and
  • Advising senior officials on security-related issues, such as establishing information system boundaries, assessing the severity of weaknesses and deficiencies in the information system, plans of action and milestones, risk mitigation approaches, security alerts, and potential adverse effects of identified vulnerabilities.
80px An individual, group, or organization responsible for conducting information system security engineering activities
  • Capturing and refining information security requirements and ensuring that the requirements are effectively integrated into information technology component products and information systems through purposeful security architecting, design, development, and configuration.
80px An individual, group, or organization responsible for conducting a comprehensive, independent assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls
  • Providing an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation and recommending corrective actions to address identified vulnerabilities,
  • Preparing the final security assessment report containing the results and findings from the assessment, and
  • Conducting an assessment of the security plan prior to initiating the security control assessment to help ensure that the plan provides a set of security controls for the information system that meet the stated security requirements.
80px Responsible for the protection of privacy for an organization.
  • Ensuring appropriate privacy protection measures are applied to all departmental IM and IT assets, activities and processes.
80px Interprets Canadian and international law, provides guidance to organizational activities, participates in investigation and lawful pursuits, and is an integral part of contract negotiations
  • Overseeing the legal operation of the organization,
  • Participating in investigations and lawful pursuit, and
  • Defending chain of trust for forensic evidence.
80px Handles activities related to people in the organization, including conduct, compensation, development, performance management, motivation, safety, wellness, benefits, hiring, training, organizational development, and communications.
  • Finding, screening, recruiting and training, and retaining employees, administering employee programs, and establishing policies and processes for employees.
80px Audits federal government operations, looks for compliance from a security perspective, from a contract perspective, and from a privacy perspective, and conducts independent analysis.
  • Conducting independent assessments, and
  • Reporting to Department Senior Management or the Canadian Parliament.
80px Any users, including GC employees, contractors, trusted partners, and public users, accessing an IT/IS asset directly or via a service.
  • Complying with organizational policies and/or terms of use.
80px Personnel responsible for developing, integrating, and testing IT/IS solutions prior to introduction to the production environment.
  • Complying with organizational policies and/or terms of use.
80px Insider Threat Any user, including a black hat hacker inside or outside the enterprise, unauthorized or authorized users, and privileged users, attempting to exploit the IT/IS assets with the goal of unauthorized access, distribution, modification, or deletion of GC content, and/or to prevention of access to GC information.
  • None


References