Changes

2,542 bytes added ,  08:29, 23 September 2020
no edit summary
* Monitor
 
For more information about the governance and management of the GC ESA Program, please read the [http://www.gcpedia.gc.ca/gcwiki/images/8/81/GC_ESA_Program_Charter.pdf GC ESA Program Charter].
 
==== Risk Management ====

As outlined in the GC ESA Program Charter, the ESA program will manage risk using the terminology and concepts of CSE's [https://www.cse-cst.gc.ca/en/publication/itsg-33 ITSG-33 - IT Security Risk Management: A Lifecycle Approach]. The IT security risk management process documented in ITSG-33 defines a set of activities that are performed on an ongoing basis throughout the lifetime of an information system, and that are carried out at both the departmental level and the information system level, so that risk management is applied from an enterprise perspective rather than one system at a time. Continuous improvement is a key aspect of the recommended process: as the threat environment evolves, so must the controls that have been put in place. For more information about how the ESA program will use a risk-managed approach, please read the [http://www.gcpedia.gc.ca/gcwiki/images/8/81/GC_ESA_Program_Charter.pdf GC ESA Program Charter].

==== Architecture Compliance ====

The program charter requires an architecture compliance review process to ensure that a consistent security posture is maintained across the IT architecture, that security controls are appropriately implemented, and that the total cost of ownership to the GC is minimized. An architecture compliance review assesses a specific project against established GC objectives and architectural criteria, such as the ESA program target architectures and security patterns. As a separate initiative led by TBS, a GC IT Architecture Review Board (GC ITARB) is being proposed that will include an architecture compliance review process; ESA program processes will be aligned with the GC ITARB as it is further developed.

==== Monitoring and Measurement ====

GC ESA target architectures and security patterns will help translate abstract policy and business requirements into tangible security controls within an information system, and provide a basis for security measurement. Security measurement enables the GC to quantify improvements in the security of its information systems and to demonstrate measurable progress toward GC strategic goals and objectives. A strategy will be developed to ensure that controls are monitored on an ongoing basis, remain effective, and are updated as required. At the ESA program level, monitoring performance against defined metrics enables management to confirm that the program is achieving the goals and objectives outlined in the [http://www.gcpedia.gc.ca/gcwiki/images/8/81/GC_ESA_Program_Charter.pdf GC ESA Program Charter].