Security Assessment and Authorization (SA&A) is the process by which departments ensure that only authorized software and hardware are implemented in their information technology (IT) environment. Security Assessment is an ongoing process that evaluates security practices and controls to determine whether they are implemented correctly, operating as intended, and achieving the desired outcome. Security Authorization involves obtaining and maintaining a security risk management decision that explicitly accepts the related residual risk, based on the results of a security assessment. This authorization is referred to as “the Authority to Operate” (ATO). Treasury Board (TB) policy Footnote 1 and Shared Services Canada (SSC) departmental policy Footnote 2 specify that SA&A must be conducted and periodically reviewed for all departmental IT systems and applications.

The objective of this audit was to provide assurance that SA&A reviews of IT systems and services are being conducted in accordance with a formal process and in compliance with Treasury Board of Canada (TB) and SSC policy requirements.

The SSC governance structure defines two separate entities that conduct SA&A: Corporate Services is responsible for conducting SA&A for internal systems (Corporate), and the Chief Technology Officer Branch (CTOB) is responsible for enterprise infrastructure (Enterprise). SSC’s risk management for IT applications and infrastructure makes use of standard artifacts, active risk logging and a risk register to identify outstanding risks related to IT applications and infrastructure. The risk management practices for Enterprise and Departmental SA&A align well with TB policy and related guidance. The development of policy instruments and guidance for SA&A has been evolving at a slow pace.