TRANSCRIPT
UNCLASSIFIED / NON CLASSIFIÉ
Government of Canada
IT Strategic Plan & Cloud Adoption Strategy
Association of Public Sector Information Professionals (DPI)
John Messina, Chief Information Officer of the Government of Canada
November 25, 2016
GCDocs: 23529902
Outline
Opening Remarks
GC Information Technology (IT) Strategic Plan
GC Cloud Adoption Strategy
GC Right Cloud Selection Guidance
GC Security Control Profile for Cloud
Preparing the Workforce
Next Steps / Q&A
Government of Canada
IT Strategic Plan
Government of Canada IT Strategic Plan
Putting IT in context… delivering digital government
IT Strategic Plan (published June 2016)
IM Strategy (includes Open Data, Open Government)
IT (cyber) Security (part of the GC IT Strategic Plan)
Digital Government Strategy
Client First Service Strategy
Underpinned by:
PRIVACY PROTECTION: Ensuring personal information collected and used by federal institutions is properly managed and secure
SECURITY: Assuring information, assets and services are protected against compromise and individuals are protected against workplace violence
Key Drivers
• Security
• Citizen expectations
• Workplace and workforce evolution
• The enterprise approach
• Aging IT and sustainability
Strategic Goals
Service: A responsive and innovative IT service that meets business needs and enhances the end-user experience
Security: A secure and resilient enterprise infrastructure that enables the trusted delivery of programs and services
Value: Smart investments that are both high in value and cost-effective
Agility: An agile, connected and high-performing workforce with modern tools
The Framework
Service – Security – Value - Agility
A responsive and innovative IT service that meets business needs and enhances the end-user experience
CLOUD COMPUTING
• Adopt cloud computing services
• Establish a cloud service broker
• Offer public cloud services
• Offer private cloud services
INFORMATION SHARING
• Build a platform for enterprise interoperability
• Introduce a government mobile applications store
• Introduce a government API store
• Implement a platform for external collaboration
• Advance analytics capabilities
SERVICE MANAGEMENT AND MODERNIZATION
• Develop IT service portfolios and catalogues
• Report on key areas of IT system health performance
• Implement enterprise IT Service Management tools
• Complete data centre consolidation and modernization
• Complete network consolidation
• Complete government email consolidation
Service – Security – Value - Agility
A secure and resilient enterprise infrastructure that enables the trusted delivery of programs and services
DEFENCE-IN-DEPTH
• Secure the government’s network perimeter
• Implement endpoint security profiles
• Implement an enterprise approach to vulnerability and patch management
• Manage and control administrative privileges
AWARENESS AND UNDERSTANDING
• Enable comprehensive visibility of endpoint devices
• Enhance awareness of enterprise cyber security threat and risk environment
TRUSTED IT
• Protect web transactions to and from external-facing websites
• Implement an improved cyber authentication service
• Implement a trusted digital identity for people accessing government networks and systems
• Implement a secure communication service for classified information
• Implement enterprise data loss prevention
Service – Security – Value - Agility
Smart investments that are both high in value and cost-effective
GOVERNANCE
• Establish enterprise IT governance
• Develop methods for prioritizing investments in legacy and transformation initiatives
• Document roles and responsibilities for IT and IT security
PRACTICES
• Evolve IT management practices, processes and tools
• Develop enterprise architectures for business and information
• Adopt agile approaches to implementing IT solutions
INNOVATION AND SUSTAINABILITY
• Lead innovation
• Adopt modern, flexible business models
• Ensure IT infrastructure sustainability
• Rationalize investments
Service – Security – Value - Agility
An agile, connected and high-performing workforce with modern tools
IT WORKFORCE
• Invest in executive talent management
• Enhance workforce planning
• Enable career development
• Promote gender parity
MODERN WORKPLACE
• Modernize workplace technology devices
• Support a mobile workforce
• Provide Wi-Fi access
• Provide desktop videoconferencing to employees
• Implement managed print services
DIGITAL COLLABORATION TOOLS
• Promote digital literacy and collaboration
• Advance digital collaboration
The Way Forward… delivering on results
Establish clear accountabilities and metrics
Set direction and context
Track and report on progress
Create realistic budgets, plans, and targets
Take action to improve results
Enterprise IT Governance
Review performance
Government of Canada
Cloud Adoption Strategy
Linkages to IT Strategic Plan
The GC Cloud Adoption Strategy is a deliverable of the GC IT Strategic Plan and covers the following Strategic Actions:
• 7: Adopt Cloud Services
• 8: Establish a cloud service broker
• 9: Offer public cloud services
• 10: Offer private cloud services
It also fulfills the commitment that “TBS will publish the Government of Canada Cloud Adoption Strategy to guide the adoption of cloud computing services in a cost effective and secure manner”
What’s Available
Government of Canada Cloud Adoption Strategy: Learn how the Government of Canada will maximize the benefits of cloud adoption while keeping the confidentiality and privacy of Canadians’ data.
Government of Canada Security Control Profile for Cloud-based IT Services: A robust risk-management approach will ensure that the appropriate Government of Canada Security controls are in place.
Government of Canada Right Cloud Selection Guidance: Find out which workloads are right for the cloud, and how to consider deployment models.
Consultations: Who We Heard From
Provincial/Territorial Governments
Other Federal Governments
Security, Privacy, and Procurement Authorities
IT Industry
Bargaining Agents
IT Leaders / CIOs
What is Cloud?
Cloud is a new model for delivering computer power. In lieu of acquiring and operating computing infrastructure such as data centres and servers, computing power is consumed from a provider. Much like the water flowing into our homes, cloud computing is on-demand, metered to the rising and falling needs of the consumer, and priced based on what is consumed.
Cloud adoption ensures that the Government of Canada can maintain IT service excellence during a period of increasing demand for online services.
Why Cloud?
Service: self-service provisioning of resources dramatically reduces the time for a requirement to be met.
Public cloud services provide the most cost-effective means of delivering on the online service delivery expectations of Canadians.
Security: Robust security features and internationally recognized certifications that would be a challenge for any one consumer to deliver.
Innovation: New technologies such as social media, mobile platforms, and analytic tools introduced constantly without large capital investments.
Agility: Rapid access to resources. Rapid introduction of new features. Tools to support the rapid creation of new applications through automation and self-service.
Elasticity: Commoditized services that can grow and shrink with the level of demand (e.g. census and elections). Pay for what is needed for the time it is needed.
Cloud Adoption Strategy
The goals of the GC’s Cloud Adoption Strategy are as follows:
• Balance Supply with Demand
• Consistent Risk Management
• Prepare the Workforce
Cloud Adoption Principles
Selection: Departments and agencies will follow a ‘Right Cloud’ strategy – adopting cloud services when they best meet business needs.
• Public cloud; secure commercial environments
• Private cloud; GC is the only tenant
• Non-cloud; legacy environment
Security: Ensuring the GC manages its security risks through the use of commercial security controls & certifications
Residency: Departments and agencies will adopt the policy that all protected data under government control will be stored on servers that reside in Canada
Government of Canada
Right Cloud Selection Guidance
Selecting the Right Cloud
Public Cloud: A commercially available offering procured and security assessed for the use of a single GC organization
OR
Private Cloud: A non-commercially available cloud offering tailored for the GC
OR
Non-Cloud or Legacy: An environment for hosting applications that cannot be deployed to a cloud environment
Considering the Business Context
The decision on deployment model is driven by a variety of factors which together determine the CIO’s business context
Financial: Which is more desirable for your program: an operational expense or a capital expense? Cloud pricing is consumption based; this may be desirable in cases where demand is controlled. However, in cases where consumption may spike, can your program absorb these costs within its revenue model?
Speed: Consider the speed with which you require a solution. Solutions with standardized offerings and pricing provide rapid access.
Longevity: Consider for how long you will need the solution.
Sensitivity: What is stakeholders’ risk tolerance for deploying information to a third party’s IT environment?
Elasticity: Consider how your requirements will grow with time. Does the program require capacity on-demand at peak periods?
Connectivity: How integrated is your solution with other applications? What integrations are part of your solution? Are analytics a requirement?
Location: Consider the impact of latency. High chatter applications are sensitive to a solution that is physically distant from the users.
Innovation: Is your program’s service delivery expected to evolve with new technologies and trends?
DevOps: Consider the speed at which your solution must be promoted from dev. to production and the toolset needed to support that process.
Legacy: Can the solution exist in a virtualized environment?
Commoditized: Can the requirement be met with commoditized solutions? What is the market availability of the solution?
Business, Information, Application, Technology
Shared Services Canada will assess and focus the array of cloud service providers for use by departments
The Cloud Service Broker – Shared Services Canada
The Buyers – Departments
Identify Security Needs
Identify Requirement
Select Services and Cloud
Security Control Profile
Advertise Requirements
Assess Against Security Requirements
Award Contract
Select Service(s) from Marketplace
Select Appropriate Controls
Assess Additional Controls required
Authorize for Operation
Buying Activity
Security Activity
Major Strategic Action Areas
• Right Cloud Adoption: adopting cloud services when they best meet business needs. Choosing the right deployment model for the given business context.
• Security: security control profiles will be tailored to their applicability to cloud environments, while recognizing the provider and consumer’s shared security responsibility.
• Data Residency: all sensitive or protected data, under government control, will be stored on servers that reside in Canada.
• Workforce: for the adoption of cloud to be successful, the GC must immerse itself in a cloud ecosystem with both skilled employees and experienced professional services.
• Community Cloud: exploit common business opportunities within the public sector community (incl. provincial, territorial, municipal governments).
Government of Canada
Security Control Profile for Cloud
Problem/Opportunity Statement
• Control over security/privacy relinquished to cloud service provider, however GC depts./agencies remain accountable
• Current GC guidance targeted at non-cloud environment and interpreted inconsistently
• Risk management approach is performed on a case by case basis, often following a lengthy process which impacts timely delivery of IT services
• CSPs are spending significant time and cost to meet the numerous compliance schemes and different audit requirements
Opportunity: Adopt an approach for cloud risk management that aims to re-use existing certification to the maximum extent possible, in order to minimize the cost, time and impact on both providers and consumers.
GC Cloud Security Control Profile
TAILORED PBMM PROFILE TO SUPPORT GC CLOUD RISK MANAGEMENT APPROACH
GC Cloud PBMM Security Control Profile
Business Context: Discussion on general GC business activities that the profile is meant to support
Threat Context: Discussion on threat context the profile is meant to mitigate
Technical Context: Discussion on applicability of profile to IT environment in GC
Recommended controls: List of controls applying to the CSP and GC customer; mapping of security certifications to provider evidence
NIST SP800-53 Rev 4
CSE ITSG-33a PBMM
FedRAMP Moderate
Mapping Controls to Industry Certifications
ACCELERATING SECURITY ASSESSMENT WITH REUSE OF EXISTING EVIDENCE TO EVALUATE REQUIREMENTS
Cloud Service Provider
3rd Party Audit Reports
Reuse Evidence for Security Assessment
Mapping Controls to Industry Standards
Compliance with Industry Standards and Certification
Maintenance
GC Cloud PBMM Security Control Profile
Shared Responsibility Between GC and Cloud Service Providers
Client Managed
Service Provider Managed
Cloud Security Control Profile Selection
Confidentiality: Protected C, Protected B, Protected A, Unclassified
Integrity: Low, Medium, High
Availability: Low, Medium, High
Profiles:
• High (Canadian residency)
• Moderate (Canadian residency)
• Low (May reside outside of Canada)
Government of Canada
Preparing the Workforce
Implementation of the GC IT Strategic Plan – The IT Workforce Environment
The nature of work being undertaken by IT professionals is shifting. Non-traditional and emerging skills sets are required to ensure successful implementation of the GC IT Strategic Plan and the associated Cloud Adoption Strategy. The heightened focus on Digital Government further highlights the need for IT professionals with the skills and competencies to support the integration of new technologies across government and into client-centered services with Canadians.
The Government of Canada IT Strategic Plan 2020 includes the commitment to a high-performing IT workforce, and a modern workplace enabled by digital collaboration tools
The Government of Canada IT Strategic Plan 2020
There are new sources of value, such as the ability to be versatile, participative, engaged and to collaboratively shape ideas. These new sources rely on developing people.
- Gartner
IT Professional Past
Transition
IT Professional Future
CIO organizations in the Government of Canada are undergoing significant transformation, calling for new and non-traditional competencies along with greater understanding of the organization.
IT Professionals - adapting to the changing environment
Exciting time of transformation for IT professionals that presents opportunities for career development and challenges:
• Demand for a broader range of competencies and skill sets in an increasingly digital work and services environment.
• Opportunity for more involvement in the business of your departments and in the delivery of services and programs.
• Need for a better and fuller knowledge of your organization.
• Opportunities for career growth / enrichment.
Emerging Skills
• Business Analysis
• Strategic Collaboration
• Vendor Management
• Project Management
Emerging Competencies
• Analytical Thinking
• Visioning and Strategic Direction
• Change Leadership
• Client Focus
• Communication
• Developing others
• Continuous Learning
• Networking / Relationship Building
• Partnering
• Creative Thinking
• Conflict Management
• Results Orientation
• Values and Ethics
Emerging Attributes
• Contributes to direction
• Has enterprise perspective
• Thinks innovatively
• Thinks strategically
• Business acumen
A skilled, agile, connected and high-performing workforce – combining knowledge of business and technology
Expanding career path options...
While traditional career paths will still be right for some….
Career development will increasingly require a broader approach and the acquisition of new skills
Career path options…
The Technical Expert: Focus on technical and organizational depth within a single work stream
Work streams (each with Managerial and Technical tracks): Application Development; Security; Database / Data Admin.
EX: Director, Director, Director
CS-05: Director, Director, Director
CS-04: Manager, Senior Advisor, Manager, Senior Advisor, Manager, Senior Advisor
CS-03: Technical Advisor, Technical Advisor, Team Leader, Technical Advisor, Team Leader, Technical Advisor
CS-02: Programmer-Analyst, Programmer-Analyst, Security Analyst, Security Analyst
CS-01: Programmer, Programmer
Note: The career path outlined on this slide illustrates conceptually how a CS might approach career progression depending on personality and interests. Specific career paths have not been analysed for this exercise.
Career path options…
The IT Explorer: Expanding breadth of experience across CIO functional areas
Functional areas (each with Managerial and Technical tracks): Planning; Enterprise Archit.; IT Security; Infrastructure / Ops
EX: Director, Director, Director, Director
CS-05: Director, Director
CS-04: Manager, Manager, Senior Advisor, Manager, Manager, Senior Advisor
CS-03: Project Leader, Technical Advisor, Project Leader, Technical Advisor, Team Leader, Technical Advisor, Team Leader, Technical Advisor
CS-02: Support Analyst, Support Analyst
CS-01: Technician, Technician
Director
Note: The career path outlined on this slide illustrates conceptually how a CS might approach career progression depending on personality and interests. Specific career paths have not been analysed for this exercise.
Career path options…
The Enterprise Explorer: Pursuing diverse experiences within and outside the department’s CIO organization
Application Development; Security
EX: Director, Director
CS-05: Director, Director
CS-04: Manager, Manager
CS-03: Technical Advisor, Team Leader
CS-02: Programmer-Analyst, Security Analyst
CS-01: Programmer
Enterprise Architecture; Program Area Outside IT: Director, Director, Director, Manager, Manager, Project Leader
Other Organization: Director, Manager
Note: The career path outlined on this slide illustrates conceptually how a CS might approach career progression depending on personality and interests. Specific career paths have not been analysed for this exercise.
Moving forward:
• Promote gender parity
• Promote digital literacy and collaboration
TBS will create career growth and competency tools to support career development, as well as an internal skills inventory of the public service IT workforce.
The Canada School of Public Service will design new learning products that target new and non-traditional skills for IT professionals.
Departments: Three-year departmental workforce planning strategies.
TBS will leverage this work in order to provide enterprise-level analysis that will identify shifts and gaps in workforce complement and competencies, emerging issues, and strategic opportunities. TBS will work with departments and agencies to explore new approaches to utilize internal capacity to meet current and future needs.
Enable career development for IT professionals
Enhance Workforce Planning
The GC IT Strategic Plan includes commitments to enhanced workforce planning and the enablement of career development for IT Professionals. Together, the actions identified under these two commitments will help ensure that the community is prepared to respond to the changing nature of work.
Moving forward: what can you do…
Managers and Departments
• Encourage, facilitate, and support employee development and the acquisition of new skill sets (leverage learning plans)
• Ensure on-going communications and change management
• Get connected! Participate in information/consultation sessions
IT Professionals
• Speak to their managers about the potential impact of the changing nature of work on their responsibilities and the skills that they should be developing
• Engage in on-going discussions with their managers regarding learning and career development
• Commit to own career development and skills diversification
• Get connected and stay informed! Participate in information/consultation sessions, check out information on the GCTools
• Get mentors from both in and out of the technical community
IT Professionals and their managers can work together to ensure that employees have the information and support required to broaden skill sets in support of career development and sustained organizational success.
Community Support
TBS CIOB Community Enablement
Develops and promotes research, analysis, guidance and tools in support of the community and the evolving role of IT Professionals
Works regularly with government and private industry associations, including DPI, GTEC, ICTC and ITAC to share best practices and trends and to collaborate on learning sessions for IT professionals (including a focus on the competencies required)
The IM/IT Functional Community on GCpedia supports employees in managing their careers…
IM/IT Community Page on GCpedia: http://i.gc20.ca/IFC_CFI
CIO Suite of Generic Products… enabling a high performing IT workforce
CIO Suite of Generic Products on GCpedia: http://www.gcpedia.gc.ca/wiki/CIO_Suite
Next Steps
IT Strategic Plan and Cloud Consultation
• Publish a ‘What We Heard’ report based on feedback by the end of 2016
• Publish finalized GC Cloud Adoption Strategy by early 2017
• Publish updated GC IT Strategic Plan in 2017
Q&A
Join the Conversation
The IT Strategic Plan and Cloud Adoption Strategy are available online
GCconnex
• https://gcconnex.gc.ca/groups/profile/20866369/gc-it-strategic-plan-plan-strategique-de-la-ti-du-gc
• https://gcconnex.gc.ca/groups/profile/21532627/gc-cloud-adoption-strategy
Canada.ca
• http://www.tbs-sct.gc.ca/hgw-cgf/oversight-surveillance/itpm-itgp/it-ti/itsp-tips-eng.asp
• http://www.tbs-sct.gc.ca/hgw-cgf/oversight-surveillance/itpm-itgp/it-ti/cloud-nuage/index-eng.asp
To contact us, please send your request to: [email protected]