This document contains highly sensitive, confidential information that may reveal the security
and/or technology posture of the Government of Newfoundland and Labrador's Information
Technology environment. Distribution of this document is limited to Authorized Individuals
only.
As information within this document will be used to protect Government's technology assets
and information, it is essential that its contents remain accurate and up to date. For more
information, please contact sdea@gov.nl.ca.
Note: The contents of this document are subject to review and revision. This template is
owned and maintained by the Enterprise Architecture (EA) Division within the Solution Delivery
Branch of the Office of the Chief Information Officer (OCIO). Direct your questions about this template
to SDEA@gov.nl.ca.
Document History
Version | Date | Summary | Responsible
 | YYYY-MM-DD | |
Page 2 of 22
Important Notes for Completing this Document
This document may contain inline guidance to assist you with the completion of various sections. The
inline guidance is contained within a table layout. The guidance text and its table must be deleted prior
to submitting the document to SDEA for review.
The document also contains a table of contents, a table of figures and a table of tables. If you do not
use tables or images within this document those headings must be deleted prior to submitting the
document to SDEA for review.
If you encounter any difficulty or are unsure about anything within this document, please contact your
assigned EA Prime.
Completed in Full
Each section of the DAD must be completed in full. If a particular section is not applicable to this
project, then you must write Not Applicable and provide a reason. No sections are to be deleted from
this document.
Guidance
Text contained within << >> provides information on how to complete that section and should be
deleted once the section has been completed. When appropriate, individual sections of this document
reference the Guidelines and Best Practices for Government Technology Solutions document.
TRIM
Insert the TRIM document number in the footer. Project teams can obtain a document number from
the Information Services Centre (ISC) by emailing OCIOISC@gov.nl.ca.
Document Embedding
To insert a document (BRD, PPIA, PIA, etc.) into this document, perform the following steps:
From the Insert Menu, click Object;
Click the Create from File Tab;
Find the document via the Browse button;
Check the Display as icon checkbox;
Click OK; and
Add the TRIM number.
TABLE OF CONTENTS
1. Project Information ........ 6
1.1 Summary Details ........ 6
1.2 Key Project Contacts ........ 6
1.3 Key Dates ........ 6
2.
2.1 Information ........ 7
2.1.1 Public Facing ........ 7
2.2 Information Security Classification ........ 7
2.2.1 Availability ........ 7
2.3 Results ........ 7
2.3.1 Pre-Threat Risk Assessment ........ 7
3.
3.1 System Profile ........ 8
3.1.1 Solution Type ........ 8
3.1.2 Project Type ........ 8
3.2 Solution Details ........ 8
3.2.1 COTS Customization (NOT Configurations) ........ 8
3.3 Virtualization ........ 8
3.4 Guidelines and Best Practices ........ 9
3.4.1 Deviations ........ 9
3.4.2 Reason for Deviation(s) ........ 9
3.4.3 Deviation Approval ........ 9
4. User Community ........ 10
4.1 User Community Profile ........ 10
5. Application Architecture ........ 11
5.1 Application Architecture Diagram ........ 11
5.2 Description ........ 12
6. Network Architecture ........ 12
6.1 Network Architecture and Design Description ........ 12
6.1.1 Network / Technical Architecture Diagram ........ 12
6.1.2 Network Enhancements / Changes ........ 13
6.2 Communications and Performance ........ 14
6.2.1 Data Flows and Network Protocols ........ 14
6.2.2 Network Traffic ........ 14
7. Database Architecture ........ 16
7.1 Initial Size of Database ........ 16
7.2 Anticipated Annual Growth ........ 16
7.3 Database Features ........ 16
7.3.1 Database Environment ........ 16
7.3.2 Database Connection Account Type ........ 16
7.4 Stored Procedures ........ 16
7.5 Clustering ........ 17
7.6 Database Normalization ........ 17
8. Security Architecture ........ 17
9.
9.1
TABLE OF TABLES
Table 1 - Project Summary ........ 6
Table 2 - Key Project Contacts ........ 6
Table 3 - Key Dates ........ 6
Table 4 - Information Security Classification ........ 7
Table 5 - Deviation Approval Contact Information ........ 9
Table 6 - User Community Profile ........ 10
Table 8 - Data Flow Inbound and Outbound, Network Protocols ........ 14
Table 9 - User Locations ........ 15
Table 10 - Sample Data Object List ........ 15
Table 11 - Data Object List ........ 15
TABLE OF FIGURES
Figure 1 - Application Architecture Diagram ........ 11
Figure 2 - Network / Technical Architecture Diagram Template ........ 13
1. Project Information
1.1 Summary Details
Name | Description
Project Number |
Project Name |
Project Description |
1.2 Key Project Contacts
Name | Phone
Project Manager |
Delivery Manager |
Enterprise Architecture (EA) Prime |
Manager of Operations, Server / Storage |
Manager of Operations, Network / Security |
Manager of Operations, Service Delivery |
Manager of Application Services |
Table 2 - Key Project Contacts
1.3 Key Dates
Date (YYYY-MM-DD)
Yes
No
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 3.5: Architectural Patterns
Section 4.4.4: Web Security
Section 6.3: Architecture Components
 | Medium | Low | Unclassified
Confidentiality | | |
Integrity | | |
Availability | | |
Table 4 - Information Security Classification
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 7.1: Information Security Classification
Section 7.2: Security Functional Controls
Section 7.3: Security Physical Architecture
Section 7.4: Use Of Cryptography
2.2.1 Availability
<< Explain how your solution is architected to meet availability requirements.>>
2.3 Results
2.3.1 Pre-Threat Risk Assessment
Insert the results of the Pre-TRA performed on this solution.
Note: To insert the Pre-TRA, follow the instructions found in the Important Notes for Completing this
Document section at the beginning of the template.
3.3 Virtualization
Does this system support virtualization?
Yes
No
4. User Community
4.1 User Community Profile
User | Number of Users | Who | Distinct User Groups | Connection
Internal | <<Identify estimated number of internal users.>> | <<Identify who the users are.>> | <<Identify estimated number of departments.>> | <<How do they connect (e.g. VPN, Intranet, etc.).>>
External | <<Identify estimated number of external users.>> | <<Identify who the users are.>> | <<Identify estimated number of distinct external organizations.>> | <<How do they connect (e.g. VPN, Intranet, etc.).>>
Extranet Partners | <<Identify estimated number of users from extranet partners.>> | <<Identify who the users are.>> | <<Identify estimated number of distinct extranet partners.>> | <<How do they connect (e.g. VPN, Intranet, etc.).>>
Remote Access | <<Identify estimated number of Remote Access users.>> | <<Identify who the users are.>> | <<Identify estimated number of distinct Remote Access groups.>> | <<How do they connect (e.g. VPN, Intranet, etc.).>>
5. Application Architecture
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 4: Application Architecture
Note: Ensure the diagram is labeled appropriately, including all application components, and
integration of internal and external components / applications.
Detailed Architecture Design (DAD)
Template Version 6.0, 2012-12-15
5.2 Description
<<For Custom Applications: Describe the logical layers and where they reside within the physical
architecture and the method of inter-layer/inter-tier communication.>>
6. Network Architecture
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 6.2: Network Best Practices
Section 6.3: Architecture Components
Section 6.4: Network Topologies
Yes
No
<<These changes could include but are not limited to any of the following:
Source | Port(s) / Protocols | Destination | Encrypted or Not Encrypted | Description | Estimated Number of Connections
Number of Users at Location
Local Area Network |
Wide Area Network |
Internet |
Identify the types of data objects that will be passed between the user and the application, and the
anticipated size.
[1]
This access is controlled by Government SSL VPN RSA functionality based on the user's login ID and not
directly through firewall rules.
The table below offers a sample list of data objects. For more information, consult the EA Prime
assigned to your project.
Type of Object | Size in Kbytes
Terminal Screen |
E-Mail Message | 10
Web Page | 50
Spreadsheet | 100
Word Document | 200
Graphical Terminal | 500
Presentation Document | 2000
High-Resolution Image | 50,000
Multimedia Object | 100,000
Table 9 - Sample Data Object List
Type of Object | Size in Kbytes
7. Database Architecture
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 5.3: Database Security
Note: For Database Security considerations refer to the Security Model section of this document.
7.1 Initial Size of Database
____ GB
7.2 Anticipated Annual Growth
____ GB
Triggers
Views
Private Database Links
Public Database Links
Global Database Links
Yes
No
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 3.5: Architecture Patterns for Information Systems
Section 7.5: Application Level Security Requirements
Yes
No
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 3.5: Architecture Patterns for Information Systems
7.5 Clustering
Is database clustering being used?
Yes
No
Yes
No
8. Security Architecture
8.1 Threat Mitigation Plan
<<Describe any controls in the application that would address vulnerabilities such as those identified
in the Open Web Application Security Project (OWASP) Top Ten Vulnerabilities, and the following:
Input validation: Describe the level of validation used when implementing precautions against
malicious input at each tier;
Security of interfaces to the Internet and/or other systems: Describe the security
methodologies used to interface with the Internet and/or other systems (e.g. ePayment
System);
Use of Mobile Code: Describe the use of secure mobile coding practices (e.g. ActiveX,
JavaScript, etc.); and
Exception handling: Indicate the security strategy for handling application errors so as to
prevent Denial of Service attacks and information disclosure to unauthorized users (e.g.
displaying a stack trace to users).>>
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 3.5: Architecture Patterns for Information Systems
Section 5.3: Database Security
Section 7.5: Application Level Security Requirements
Section 4.4.4: Web Security
Administrative privileges to system objects, such as creating, modifying and deleting user
accounts;
System privileges, such as starting or stopping services or view/modify rights to audit and
logging files; and
Roles should support the principle of least privilege and segregation of duties.>>
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 5.3.1 Roles
8.2.2 Authentication, Authorization and Access Control
<<Identify how the application authenticates and stores user credentials and implements authorization
and access control (e.g. passwords are hashed in the database, authorization is carried out by the
application checking for a specific group membership, and access controls are in place to enforce
authorization such as file permissions, IP restrictions, or time of day restrictions).>>
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 5.3.1 Roles
Section 7.2: Security Functional Controls
Section 7.3: Security Physical Architecture
8.2.3 Account and Password Management
Are OCIO Password Management and Application Account Management standards being
followed?
Yes
No
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 3.5: Architecture Patterns for Information Systems
Section 6.6.5: Encryption - Data in Transit
Section 7.3: Security Physical Architecture
Section 7.5: Application Level Security Requirements
8.2.5 Cached Data / Temporary Files
<<Describe any cached data and/or temporary files either within the system or at the endpoint, and
describe the lifetime of this data and how it is secured.>>
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 7.6.2: Protection at Rest
8.2.6 Application Logging
<<Identify application / product log files generated, their location(s) and which role(s) have access to
them. Events to log may include, but are not limited to:
Start-up and shutdown;
Successful / failed login;
Use of privileges;
Change of rights / privileges;
Addition / removal of user accounts;
Access (read and write) to sensitive information (e.g. configuration information, registry keys,
classified information, etc.);
Administrative activity;
Backup and restore;
Data imports and exports;
Password changes; and
Exceptions.>>
Note: All logged events must be accompanied by event ID, user ID, timestamp, application generating
event and resource reference at a minimum.
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 7.6.4: Logging and Auditing
Section 7.2: Security Functional Controls
<<Describe how administrative and user traffic are separated (e.g., the application user and
administrative modules are deployed on separate hosts).>>
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 3.5: Architecture Patterns for Information Systems
8.3.2 Operating System Accounts and Privileges
<<Identify the operating system service accounts used to manage the infrastructure and the
associated privileges of those accounts. For sensitivity reasons, do not include actual system
usernames and passwords.>>
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 7.2: Security Functional Controls
Section 7.3: Security Physical Architecture
8.3.3 Server Hardening
Will the servers be built and hardened by Solution Delivery's Project Support Team?
Yes
No
<<If not, identify how server hardening was applied throughout the n-tier architecture and what
hardening standards were applied.>>
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 7.3: Security Physical Architecture
Table 7 - Minimal Security Physical Control Requirements for the OCIO
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 5.3.2: Logins
8.4.3 Database Logging
<<Identify database log files generated, their location(s) and which role(s) have access to them.
Events to log may include, but are not limited to:
Access to specific tables;
Creation of data files external to the database;
Execution of DDL statements that affect objects;
Create, Drop or Alter statements for the following:
Tables;
Database links;
Directories;
Indexes;
Stored procedures;
Profiles;
Roles;
Tablespace;
Triggers;
Users; and
Views.
Note: All logged events must be accompanied by event id, user id, timestamp, application generating
event and resource reference at a minimum.>>
Please refer to the following section(s) in the Guidelines and Best Practices document for
specific guidance:
Section 7.6.4: Logging and Auditing
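Sections 8.2.6 and 8.4.3 both require that every logged event carry an event ID, user ID, timestamp, the application generating the event and a resource reference. The following is an added example (not part of the template or any OCIO tooling) that emits events with those five fields and screens existing JSON log lines for ones that lack them; the event type names and sample lines are constructed for illustration.

```python
"""Minimum-field check for application and database audit events.

Added example, not from the DAD template: every emitted event carries the
five fields the template requires, and a screening pass reports log lines
that do not. Event type names and sample lines are constructed.
"""
import json
import uuid
from datetime import datetime, timezone

# The five fields the template lists as the minimum for every logged event.
REQUIRED_FIELDS = ("event_id", "user_id", "timestamp", "application", "resource")


def build_event(event_type, user_id, application, resource, **details):
    """Return a log event dict that always carries the required fields."""
    event = {
        "event_id": str(uuid.uuid4()),
        "user_id": user_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "application": application,
        "resource": resource,
        "event_type": event_type,
    }
    event.update(details)  # optional detail, e.g. a failure reason
    return event


def missing_fields(event):
    """Names of required fields that are absent or empty in an event."""
    return [f for f in REQUIRED_FIELDS if not event.get(f)]


def audit_log_lines(lines):
    """Parse JSON log lines; return (accepted, rejected), where rejected
    pairs each bad line number with the reason (bad JSON or missing fields)."""
    accepted, rejected = [], []
    for number, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((number, "not valid JSON"))
            continue
        gaps = missing_fields(event)
        if gaps:
            rejected.append((number, "missing " + ", ".join(gaps)))
        else:
            accepted.append(event)
    return accepted, rejected


# Constructed sample lines: a complete failed-login event, a DDL event that
# omits the user ID and resource reference, and a line that is not JSON.
SAMPLE_LINES = [
    json.dumps(build_event("login_failed", "jdoe", "permit-portal",
                           "/login", reason="bad password")),
    json.dumps({"event_id": "e-2", "timestamp": "2024-01-01T00:00:00+00:00",
                "application": "permit-db", "event_type": "alter_table"}),
    "ALTER TABLE permits ADD COLUMN notes",
]

if __name__ == "__main__":
    ok, bad = audit_log_lines(SAMPLE_LINES)
    print(f"{len(ok)} accepted, {len(bad)} rejected: {bad}")
```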
8.4.4 Database Link Privileges
<<Describe the privileges associated with any database links. For example, can the database link be
used to update, insert, or delete data into the target database?>>
Yes
No
Yes
No
Yes
No
<<If yes, describe the encryption (e.g., SSL, IPSec, SSH, SFTP/FTPS, etc.).>>
Is data-at-rest encryption used?
Yes
No
<<If yes, describe the encryption (e.g., file/folder/disk/USB drive encryption, etc.).>>
Is backup encryption used?
Yes
No