Number:  GoA.GCC-06
Creation Date:  2023-02-01
Effective Date:  2023-02-01
Version:  2.0
Last Reviewed:  2024-01-24
Security Classification:  Protected A
Scheduled Review Date:  2025-01-24
Status:  Approved

Please note that information classified as Protected (per the Data and Information Security Classification standard) is only accessible to Government of Alberta employees. External users are therefore not able to download this document. To request access, please contact us:

The purpose of this control is to establish risk and security management practices for the procurement, configuration, and development of Information Management Technology solutions in the Government of Alberta (GoA). The control objectives established in this policy apply whether the solution is developed in-house, purchased as Commercial Off-the-Shelf (COTS), open source, or a cloud-based solution (e.g., Software as a Service (SaaS) or Platform as a Service (PaaS)). All solution delivery, including acquisition and development, regardless of type, must include risk and security management practices in all phases.

Keywords: software, acquisition, development, procurement, SaaS, risk assessment, DevSecOps