Changes

m
no edit summary
Line 43: Line 43:  
* Include all skillsets required for delivery, including for requirements, design, development, and operations
 
* Include all skillsets required for delivery, including for requirements, design, development, and operations
 
* Work across the entire application lifecycle, from development and testing to deployment and operations
 
* Work across the entire application lifecycle, from development and testing to deployment and operations
* Ensure quality is considered throughout the Software Development Lifecycle
+
* Ensure quality <u><i>and security</i></u> is <u><i>underpinning</i></u> the Software Development Lifecycle
 
* Ensure accountability for privacy is clear
 
* Ensure accountability for privacy is clear
* Encourage and adopt Test Driven Development (TDD) to improve the trust between Business and IT
+
* Encourage and adopt <u><i>a process (for example:</i></u> Test Driven Development (TDD)) to improve the trust between Business and IT
    
<b>Design Systems to be Measurable and Accountable</b>
 
<b>Design Systems to be Measurable and Accountable</b>
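Review bot: the reworded quality bullet is ungrammatical and the TDD bullet has lost its concrete, checkable practice: "Ensure quality and security is underpinning the Software Development Lifecycle" should read "Ensure quality and security underpin the Software Development Lifecycle", and "Encourage and adopt a process (for example: Test Driven Development (TDD))" replaces a named practice with an unnamed "process" that nobody can audit against. If the intent is to broaden beyond TDD, name the practices this revision introduces later (integrating and automating security testing before deployment) as the examples; otherwise keep the original wording.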
Line 67: Line 67:  
* Ensure data is collected through ethical practices supporting appropriate citizen and business-centric use
 
* Ensure data is collected through ethical practices supporting appropriate citizen and business-centric use
 
* Data should only be purchased once and should align with international standards
 
* Data should only be purchased once and should align with international standards
* Where necessary, ensure collaboration with department/agency data stewards/custodians, other levels of government and indigenous people
+
* Where necessary, ensure collaboration with department/agency data stewards/custodians, other levels <u><i>and jurisdiction</i></u> of government and indigenous people
 +
* Reduce the collection of redundant data
    
<b>Data Management</b>
 
<b>Data Management</b>
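Review bot: "other levels and jurisdiction of government" should be "other levels and jurisdictions of government", and the added bullet "Reduce the collection of redundant data" now appears twice on the page, here under collection and unchanged under Data Sharing. Keep it once, under collection where it belongs, and drop the Data Sharing copy, otherwise the two wordings will drift apart on later edits.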
Line 77: Line 78:     
<b>Data Storage</b>
 
<b>Data Storage</b>
* Ensure data is stored in a secure manner in accordance with the National Cyber Security Strategy and the Privacy Act
+
* <i><u> Only handle data which is essential to your service. Do not store all data that you capture unless absolutely necessary</i></u>
* Follow existing retention and disposition schedules
+
* Ensure data is stored in a secure manner in accordance with <I><u>CSE approved cryptographic algorithms and protocols</I></u> and <I><u>legislation such as</I></u> the Privacy Act
 +
* <I><u>Retain data fro the minimum time necessary.</u></I> Follow existing retention and disposition schedules
 
* Ensure data is stored in a way to facilitate easy data discoverability, accessibility and interoperability
 
* Ensure data is stored in a way to facilitate easy data discoverability, accessibility and interoperability
    
<b>Data Sharing</b>
 
<b>Data Sharing</b>
* Data should be shared openly by default as per the Directive on Open Government
+
* Data should be shared openly by default as per the Directive on Open Government <I><u>while taking into consideration existing laws and regulations the safeguarding of security and the privacy of data, while permitting free and open access</I></u>
 
* Ensure government-held data can be combined with data from other sources enabling interoperability and interpretability through for internal and external use
 
* Ensure government-held data can be combined with data from other sources enabling interoperability and interpretability through for internal and external use
* Reduce the collection of redundant data
   
* Reduce existing data where possible
 
* Reduce existing data where possible
 
* Encourage data sharing and collaboration
 
* Encourage data sharing and collaboration
 +
* <I><u>Validate or transform all external input before processing</I></u>
 
|}
 
|}
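Review bot: typo and a run-on in the added bullets: "Retain data fro the minimum time necessary." should be "for", and "while taking into consideration existing laws and regulations the safeguarding of security and the privacy of data, while permitting free and open access" needs punctuation and one "while" removed, for example "...as per the Directive on Open Government, subject to existing laws and regulations and to the safeguarding of the security and privacy of the data". Two placement points as well: "Validate or transform all external input before processing" is an application-level input-handling control, not a data-sharing principle, and belongs with the development guidance this revision adds ("Develop with Security in mind"); and the rewritten storage bullet replaces the reference to the National Cyber Security Strategy with "CSE approved cryptographic algorithms and protocols", which narrows "stored in a secure manner" to encryption alone even though access control, retention and disposal are still required by the adjacent bullets, so keep both references rather than substituting one for the other. The review markup is also written in mixed case (<I><u> here, <i><u> elsewhere); MediaWiki accepts both, but pick one for the whole page.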
   Line 115: Line 117:  
* Run applications in containers
 
* Run applications in containers
 
* Leverage the [[gccollab:groups/profile/1238235/engovernment-of-canada-digital-exchangefru00c9change-numu00e9rique-du-gouvernement-du-canada|GC Digital Exchange Platform]] for components such as the API Store, Messaging, and the GC Service Bus
 
* Leverage the [[gccollab:groups/profile/1238235/engovernment-of-canada-digital-exchangefru00c9change-numu00e9rique-du-gouvernement-du-canada|GC Digital Exchange Platform]] for components such as the API Store, Messaging, and the GC Service Bus
 +
 +
<I><u><b>Develop with Security in mind</b>
 +
* Applications that store, process, handle, or have network access to sensitive information should be developed with security in mind from the start, and should be audited and assessed before use
 +
* Ensure sensitive data is protected appropriately when stored and transmitted
 +
* Minimise the opportunity for accidental data leakage across application boundaries
 +
* Ensure only authorised parties can access sensitive information
 +
* Restrict access to sensitive data to those applications designed to handle such material in a secure manner</u></I>
 
|}
 
|}
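Review bot: the new "Develop with Security in mind" block mixes spelling and voice with the rest of the page: "Minimise" and "authorised" here against "Categorize" and "authorized" in the design section added in this same revision, and "Applications that store, process, handle, or have network access to sensitive information should be developed ... and should be audited and assessed before use" uses "should" where every other principle is an imperative ("Ensure", "Restrict"). Rewrite in the imperative with one spelling convention, and state who performs the audit and assessment and against what (the security categorization this revision introduces under Design for Security and Privacy is the natural reference), so "audited and assessed before use" is a checkable gate rather than an aspiration.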
   Line 133: Line 142:  
* Support zero-downtime deployments for planned and unplanned maintenance
 
* Support zero-downtime deployments for planned and unplanned maintenance
 
* Use distributed architectures, assume failure will happen, handle errors gracefully, and monitor actively
 
* Use distributed architectures, assume failure will happen, handle errors gracefully, and monitor actively
 +
* <u><I>Establish architectures that supports new technology insertion with minimal disruption to existing programs and services</I></u>
 
|}
 
|}
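Review bot: subject-verb agreement in "Establish architectures that supports new technology insertion with minimal disruption to existing programs and services" should be "that support"; "minimal disruption" is also unmeasurable next to the neighbouring "Support zero-downtime deployments" bullet, so either state the disruption that is acceptable or tie the new bullet to that one (new components are inserted without downtime and without weakening the error handling and monitoring the previous bullet requires).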
   Line 142: Line 152:     
<b>Design for Security and Privacy</b>
 
<b>Design for Security and Privacy</b>
* Implement security across all architectural layers
+
<I><u>
* Categorize data properly to determine appropriate safeguards
+
* Perform security categorization to identify and categorize information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability.
* Perform a privacy impact assessment (PIA) when personal information is involved
+
* Build in security from the outset of design, development, and throughout the system life cycle, across all architectural layers.
* Balance user and business needs with proportionate security measures
+
* Implement appropriate and cost-effective security measures and privacy protections, proportionate to user and business needs. Apply graduated safeguards that are commensurate with the security category of the information and assets.
 +
* Protect data while in transit, in use and at rest using appropriate encryption and protocols.
 +
* Apply a defense in depth approach to reduce exposure to threats and minimize the degree of compromise.
 +
* Design services that:
 +
i. Prioritize ease of use in security design to make security simple for users;
 +
ii. Protected from common security vulnerabilities;
 +
iii. Expose and secure only the interfaces necessary to operate the service;
 +
iv. Are resilient and can be rebuilt quickly to a known clean state in the event that a compromise is detected; and
 +
v. Fail secure even if the system encounters an error or crashes.
 +
* Integrate and automate security testing to validate code and address vulnerabilities prior to deployment
 +
* Reduce human intervention and maximize automation of security tasks and processes.
 +
 
 +
<b> Ensure Secure Access to Systems and Services </b>
 +
* User access to service interfaces should be constrained to authorised individuals, with clearly defined roles.
 +
* Identify and authenticate individuals, processes, and/or devices to an appropriate level of assurance before being granted access to information and services.
 +
* Separate and compartmentalise user responsibilities and privileges. Assign the least set of privileges necessary to complete the job.
 +
* Use GC-approved multi-factor authentication where possible to protect against unauthorized access.
 +
 
 +
<b> Maintain Secure Operations </b>
 +
* Design processes to operate and manage services securely in order to impede, detect or prevent attacks.
 +
* Collect all relevant security events and logs at infrastructure and application levels to support root-cause analysis. Use a trusted time source and protect audit logs from manipulation.
 +
* Continuously monitor system events and performance, and include a security audit log function in all information systems.
 +
* Promptly apply security-related patches and updates to reduce exposure to vulnerabilities. Apply a risk-based mitigations when patches can’t be applied.
 +
* Establish appropriate mechanisms to respond effectively to security incidents. Monitor security advisories and patches.
 +
 
 +
<b> Privacy by Design </b>
 +
* Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved
 +
* Implement security measures to assure the protection of personal information
 +
* Take into consideration the 7 foundational privacy design principles when designing services.
 +
</i></u>
 
|}
 
|}
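Review bot: the closing tags at the end of this block are in the wrong order and several added bullets have wording problems. The block opens with <I><u> and closes with </i></u>; the close order should be </u></i> (innermost first), and the case mismatch between <I> and </i> should be made consistent. In the "Design services that:" list, "ii. Protected from common security vulnerabilities;" is not parallel with its siblings and should read "Are protected from common security vulnerabilities;". "Apply a risk-based mitigations when patches can’t be applied" should drop the article. The new Privacy by Design bullet "Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved" repeats the existing "Perform a privacy impact assessment (PIA) when personal information is involved" a few lines earlier; keep one, and since the earlier one is not marked as removed the page would otherwise carry both. "Take into consideration the 7 foundational privacy design principles" should name or link its source (the seven foundational principles of Privacy by Design) so a reader can find them. Finally, "Prioritize ease of use in security design" and "Fail secure even if the system encounters an error or crashes" sit in the same list with no tie-breaker; state that usability must not override the fail-secure and least-privilege requirements, or the first item will be read as licence to relax the others.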
  
GCwiki