department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Platform Architecture Change Management Process #50700

Open raywangoctova opened 1 year ago

raywangoctova commented 1 year ago

LOE

Large

Problem Statement

As a platform, we've never been super proactive with security governance. We had historically performed the privacy and security review when we had the resourcing to do so, but that leaves security to the last minute and then VFS teams sometimes have to perform extra cycles to account for our feedback, ultimately pushing out their expected launch date.

How might we create a process that improves security review and maintains architecture documentation so VA can meet the ATO requirements as new products/features are deployed?

User Impact

All VFS and platform teams

Where was this problem reported?

Thomas and Ray -- Security OCTODE lead

What do we not know about the problem space?

Not much

What (if any) research or discovery has been done?

None

What is the acceptance criteria?

• System Architecture Document: This document provides an overview of the system components, data flows, security measures, and system design. It:
  o defines services within the authorization boundary;
  o depicts all major components or groups within the boundary;
  o identifies all interconnected systems, including the Agency Access Point (e.g., VA.gov);
  o identifies data flows:
    - anywhere Federal data is to be processed, stored, or transmitted;
    - clearly delineates how data comes into and out of the system boundary; and
    - depicts how all ports, protocols, and services of all inbound and outbound traffic are represented and managed, including the use of definitive Agency DNS;
    - Ports, Protocols, and Services Template (PPS);
  o depicts all major software/virtual components (or groups of) within the boundary;
  o maintains the inventory of software and hardware:
    - All lower environment assets must also be inventoried for discovery purposes due to being connected to the VA network.
• Security Architecture Document: This document outlines the system’s security measures, including access controls, threat mitigation, and security incident management.

How should we measure success?

Scope

• Establish a platform architecture management process: Set a platform architecture maintenance schedule (e.g., quarterly, semi-annually, collaboration cycle touch points) and the process for reviewing and updating the architecture documentation.
• Assign roles and responsibilities: Designate a team or individual responsible for reviewing and maintaining the architecture documentation and ensure that they have the necessary resources and training to perform the task.
• Review and update the architecture documentation: Regularly review the documentation to ensure that it accurately reflects the current state of the architecture. Update and version the documentation to reflect any changes to the platform or hosted applications.
• Automate and standardize documentation updates: Utilize tools and automation scripts to reduce manual effort and improve accuracy in documenting changes.
• Implement change management procedures: Implement change management procedures to ensure that all architecture changes to the platform or hosted applications are documented and reviewed for potential security implications.
• Incorporate security reviews: Integrate security reviews into the platform and application architecture change management to identify and address any potential security vulnerabilities or risks.
• Conduct periodic security audits: Regularly conduct security audits to validate the accuracy of the architecture documentation and identify any areas for improvement.
• Foster a culture of security: Encourage all stakeholders to prioritize security and view the architecture documentation as an essential tool in maintaining a secure architecture.

TODOs

gary-fallon commented 1 year ago

This will be part of an ongoing effort defined in #53147. I have transferred these items to the comments section.

raywangoctova commented 1 year ago

@alyssagallion I am using this as linked to OCTO for reporting the progress. Please see if you can consolidate it into this ticket and make it EPIC.

jwoodman5 commented 1 year ago

It seems like the problem statement is written for the Collab Cycle. The A/C seems more focused on just documenting flows, systems, access, etc. in a way that only indirectly relates to Governance. Let's talk about this.

little-oddball commented 1 year ago

Per request:

This ticket has a slant towards security compliance which is a huge part but this should be a workflow/process that exists even outside of security related items. There should be discovery related to the security wants/needs around change management… we need to get definition on the specific artifacts that are required. We should work to put guidelines in place around other items and propose the workflow/pipeline to have the checks and verification pieces in place. This should include evaluating some of the other workflows we already have to see what additions or adjustments might be made and working with the teams that control those. This should be broken up into more self contained iterative pieces that can be tracked, managed and applied individually.

annekerr49 commented 1 year ago

No match for roadmap-DMC label