586
edits
Changes
GC Enterprise Architecture/Playbook (view source)
Revision as of 09:41, 23 September 2020
, 09:41, 23 September 2020no edit summary
When department has an idea, a problem or an issue that needs to be addressed, the <b>main</b> question that needs to be answered is that "<b><u>Is it worth it</b>?".
When department has an idea, a problem or an issue that needs to be addressed, the <b>main</b> question that needs to be answered is that "<b><u>Is it worth it</b>?".
To answer this question, department has to:<br><br>
To answer this question, department has to:<br><br>
<br><br>
<br><br>
<h2><span style="font-size: 1.5em;"> 1. Business Architecture</span></h2> <br>
<h3><span style="font-size: 1.5em;"> 1. Business Architecture</span></h3> <br>
Business Architecture is where an organization identifies the various services that it needs to provide externally, as well as the various functions it owns or needs to own internally to support their services to the public. In the context of GC Enterprise Business Architecture, this is where the Government of Canada identifies the various departments, the services they provide to Canadians and the functions they owns. <br><br>
Business Architecture is where an organization identifies the various services that it needs to provide externally, as well as the various functions it owns or needs to own internally to support their services to the public. In the context of GC Enterprise Business Architecture, this is where the Government of Canada identifies the various departments, the services they provide to Canadians and the functions they owns. <br><br>
<h2><span style="font-size: 1.5em;">2. Information Architecture</span></h2>
<h3><span style="font-size: 1.5em;">2. Information Architecture</span></h3>
<!-- COLUMN 1 ENDS: -->
<!-- COLUMN 1 ENDS: -->
<h4><b><u>Use and share data openly in an ethical and secure manner</u></b></h4>''Section under development'' (ESP/Bitar)
<h4><b><u>Use and share data openly in an ethical and secure manner</u></b></h4>''Section under development'' (ESP/Bitar)
<h2><span style="font-size: 1.5em;">3. Application Architecture</span></h2> <br><br>
<h3><span style="font-size: 1.5em;">3. Application Architecture</span></h3> <br><br>
Application Architecture consists of understanding and designing the various applications within a department, how they tie in to the business service supporting the departmental mandate, where they are located in the architecture landscape of the department as well as the GC, how they interact with each other and with their users, the zoning requirements, etc. Application Architecture focuses less on internal mechanics and specific programming and more on overall design on how data is consumed and created by the system. It views the interactions between applications, databases, middleware to ensure scalability, reliability, availability and manageability. <br><br>
Application Architecture consists of understanding and designing the various applications within a department, how they tie in to the business service supporting the departmental mandate, where they are located in the architecture landscape of the department as well as the GC, how they interact with each other and with their users, the zoning requirements, etc. Application Architecture focuses less on internal mechanics and specific programming and more on overall design on how data is consumed and created by the system. It views the interactions between applications, databases, middleware to ensure scalability, reliability, availability and manageability. <br><br>
<h4><b><u>Use Software as a Service (SaaS) hosted in Public Cloud</b></h4>
<h4><b><u>Use Software as a Service (SaaS) hosted in Public Cloud</b></h4>
* <I><b>Choose SaaS that best fit for purpose based on alignment with SaaS capabilities </b><br>
* <b><I>Choose SaaS that best fit for purpose based on alignment with SaaS capabilities </b><br>
* <I><b>Choose a SaaS solution that is extendable </b><br>
* <b><I>Choose a SaaS solution that is extendable </b><br>
* <I><b>Configure SaaS and if customization is necessary extend as Open Source modules </b><br>
* <b><I>Configure SaaS and if customization is necessary extend as Open Source modules </b><br>
<br>
<br>
The most important use of interoperability is it provides the ability to communicate between one system to another without the need of manual intervention. It doesn't matter if one system is built with one platform, eg. UNIX/LINUX, and the other system is built with another platform, eg. Windows, "OR" if one system is legacy, eg. Mainframe, and the other is an innovative product, eg. machine learning. With interoperability, these different systems can communicate with one another, thereby enabling efficiency and/or effectiveness of a solution. Interoperability can also enable easier communication between one department to another, thereby creating better collaboration and automation exchange of data.<br><br>
The most important use of interoperability is it provides the ability to communicate between one system to another without the need of manual intervention. It doesn't matter if one system is built with one platform, eg. UNIX/LINUX, and the other system is built with another platform, eg. Windows, "OR" if one system is legacy, eg. Mainframe, and the other is an innovative product, eg. machine learning. With interoperability, these different systems can communicate with one another, thereby enabling efficiency and/or effectiveness of a solution. Interoperability can also enable easier communication between one department to another, thereby creating better collaboration and automation exchange of data.<br><br>
* <I><b>Design systems as highly modular and loosely coupled services</b><br>
* <b><I>Design systems as highly modular and loosely coupled services</b><br>
A good system design starts from building a small simple independent function. Focus on smallest unit of purpose, and develop a single function. The small single function can then become a building block for a larger more complicated function, and be combined with other simple functions to finally create a service. Having a simple independent function also means that it be reused to create another complicated function. Thus, it is very important to build a function that is small and simple enough to make it highly modular.
A good system design starts from building a small simple independent function. Focus on smallest unit of purpose, and develop a single function. The small single function can then become a building block for a larger more complicated function, and be combined with other simple functions to finally create a service. Having a simple independent function also means that it be reused to create another complicated function. Thus, it is very important to build a function that is small and simple enough to make it highly modular.
<h2><span style="font-size: 1.5em;">4. Technology Architecture</span></h2> <br><br>
<h3><span style="font-size: 1.5em;">4. Technology Architecture</span></h3> <br><br>
<h4><b>Use Cloud first</b></h4>
<h4><b>Use Cloud first</b></h4>
<h2><span style="font-size: 1.5em;">Security Architecture</span></h2>
Overview of the GC ESA Program<br><br>The GC ESA program is a government-wide initiative to provide a standardized approach to developing IT security architecture, ensuring that basic security blocks are implemented across the enterprise as the infrastructure is being renewed. The image on the right shows how the GC ESA program supports the direction the GC is taking with regards to GC IT security.
The GC ESA program aims to:
* Ensure more cost-effective, interoperable, resilient and secure IT solutions in support of GC enterprise objectives;
* Maintain availability of GC systems and services while complying with relevant GC legislation and policy instruments;
* Adopt an architecture methodology and approach to ensure common understanding, alignment, and reduce duplication of effort amongst interdepartmental stakeholders;
* Ensure security of information, IT infrastructure and applications with the implementation of consistent security controls which reduces total cost of ownership; and
* Keep risk at acceptable levels.
The GC ESA program will serve as a guide to departments and agencies in planning, implementing, and operating their information systems by offering the necessary framework, tools, and templates to design, evaluate, and build an IT security architecture tailored to their organization, in accordance with Communications Security Establishment’s (CSE) ITSG-33 – IT Security Risk Management: A Lifecycle Approach and other security industry best practices in the area of architecture, risk management and compliance.<h4><b>Build Security into the Full System Life Cycle, Across All Architectural Layers</b></h4>
* Identify and classify risks associated to the service’s business objectives, goals, and strategy
* Design security measures according to business and user needs, risks identified, and security categorization of the information and assets; integrate security across all architectural layers (BIAT)
** Maintain focus on users’ ease of use through selection of context-appropriate controls
** Apply an information-centric approach to reduce resources’ exposure to threats, and minimize the opportunity for compromise.
** Protect data while in transit, in use and at rest using appropriate encryption and protocols. Ensure effective disposition of data per retention schedules, following service sunset.
* Design systems to not be susceptible to common security vulnerabilities; resilient and can be rebuilt quickly in the event of compromise; and fail secure if the system encounters an error or crashes
* Reduce human intervention and maximize automation of security tasks and processes
** Integrate and automate security testing to validate code and address vulnerabilities prior to deployments
<br>
<h4><b>Ensure Secure Access to Systems and Services</b></h4>
* Identify and authenticate individuals, processes and/or devices to an appropriate level of assurance before granting access to information and services
* Separate and compartmentalize user responsibilities and privileges; assign the least set of privileges necessary to complete the job
* Constrain service interfaces to authorized entities (users and devices), with clearly defined roles, and only expose the interfaces necessary to operate the service
* Make use of modern password guidance, and use GC-approved multi-factor authentication where required to stop unauthorized access
(prioritize length over complexity, eliminating expiry, and blacklisting common passwords)
<br><br>
<h4><b>Maintain Secure Operations</b></h4>
* Integrate aggregate outputs from security assessment and authorization activities into security architecture lifecycle processes, to ensure reference artefacts remain relevant and valid
* Continuously monitor system events and performance in order to detect, prevent, and respond to attacks
* Design processes to operate and manage services securely, and establish processes and mechanisms to respond effectively to security events
** Collect transaction logs at infrastructure and application levels to support automated root-cause analysis and performance tuning
** Include an audit function in information systems. Use a trusted time source and protect audit logs from manipulation
* Establish processes to monitor security advisories, and apply security-related patches and updates to reduce exposure to vulnerabilities. Apply appropriate risk-based mitigations when patches can’t be applied
<br>
<h4><b> Privacy by Design </b></h4>
* Perform a privacy impact assessment (PIA) to support risk mitigation activities when personal information is involved
* Perform [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/responsible-use-ai/algorithmic-impact-assessment.html Algorithmic Impact Assessment (AIA)] to support risk mitigation activities when deploying an automated decision system
* Implement security measures to assure the protection of personal information
* Take into consideration the <b>[https://www.ryerson.ca/pbdce/certification/seven-foundational-principles-of-privacy-by-design/ 7 Foundational Privacy Design Principles] </b> when designing services
<!-- FOOTER -->{| width="100%" cellpadding="10"
|- valign="top"
| style="color:#3C6D9E;" |
<!-- COLUMN STARTS: -->
<div style="font-size: 1.8em; text-align:center;">Need help? Contact us.</div>
<!-- COLUMN 1 STARTS: -->
{| width="100%" cellpadding="5"
|- valign="top"
| width="33.3%" style="border: 1px solid lightgray; background-color:#fff; color:#409DE2;" |
[[Image: Envelope_icon_blue.png |100px | center]]
<div style="font-size:1.5em; text-align:center; color:white;">{{em|ZZCIOBDP@tbs-sct.gc.ca}}</div>
<!-- COLUMN 1 ENDS: -->
<!-- COLUMN 2 STARTS: -->
| width="33.3%" style="border: 1px solid lightgray; background-color:#fff; color:#409DE2;" |
[[Image: gccollab_icon_blue.png |100px | center]]
<div style="font-size:1.5em; text-align:center;">[https://gccollab.ca/groups/profile/1896301/enenterprise-architecture-community-of-practicefrcommunitu00e9-de-pratique-de-architecture-integru00e9e GC EA CoP Collab]</div>
<!-- COLUMN 2 ENDS: -->
== The GC ESA program will serve as a guide to departments and agencies in planning, implementing, and operating their information systems by offering the necessary framework, tools, and templates to design, evaluate, and build an IT security architecture tailored to their organization, in accordance with Communications Security Establishment’s (CSE) ITSG-33 – IT Security Risk Management: A Lifecycle Approach and other security industry best practices in the area of architecture, risk management and compliance. ==
<!-- COLUMN 3 STARTS: -->
| width="33.3%" style="border: 1px solid lightgray; background-color:#fff; color:#409DE2;" |
[[Image: gcconnex_icon_blue.png |100px | center]]
<div style="font-size:1.5em; text-align:center;">[https://gcconnex.gc.ca/groups/profile/7322003/gc-ea-working-group?language=en GC EA Connex]</div>
<!-- COLUMN 3 ENDS: -->
<!-- TABLE ENDS --> |}
<!-- COLUMN ENDS: -->
<!-- TABLE ENDS --> |}
<!-- end -->