🌶 Case study highlights: Conducting research to recommend informed design interventions over a theory of change. All collaborative activities were done remotely.

🤝 The partner: Office of the Chief Information Officer (OCIO)

🌎 The team: Lean discovery team (product & security subject matter expert, service owner, service designer & researcher)

🧠 My role: Service designer & researcher

🗓 Winter 2020 — Spring 2020

<aside> 👁️ Abstract: In order for us to be human-centered in our delivery processes, we must be able to deliver often to test with the public and iterate.

It was hypothesized that the current security assessment and assurance process in the GC is one of the biggest blockers to that. The team conducted research with the main actors of this process and ideated a portfolio of hypotheses to test in the next prototyping phase.

</aside>

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/aaea6886-daff-4a07-8baf-01d5afa65688/5f15e0d35e41862f069382f9_cont-sec.png

Background

The security assessment process in the Government of Canada has been seen as a long approach that doesn’t leave room for project and delivery teams to release and iterate frequently. The Canadian Digital service operates through an agile methodology that doesn’t fit with the current GC security approach.

ITSG-33 is guidance that details the roles, activities, security controls,  and threat profiles to be assessed against when moving into a department's production.

These activities generally come at the end of a delivery/project phase and can halt teams from moving into iterative testing, design, and development lifecycles. Many practitioners take this guidance and follow each step in a spreadsheet (waterfall) format.

The OCIO drafted guidance (Security Playbook for Information System Solutions) on how to create a more iterative environment whilst using the controls and profiles from ITSG-33. This guidance creates a baseline of controls that are seen as departmental activities that should be implemented on every current project and inherited by future projects.

Private sector companies like Mozilla have adapted an iterative security model as Test Driven Security and have embedded security tests into the development lifecycle.

Opportunity: