Iron Fort Key Features
Simplify audits and maintain standards with our all-in-one ITSG-33 compliance management platform.
Unique Solutions to Unique Problems
Iron Fort ensures your company meets ITSG-33 compliance requirements effortlessly. Manage documentation, track progress and vulnerabilities, and be audit-ready with our intuitive platform.
| Objective | Description |
|---|---|
| ATO Compliance Solution Tailored for Canadian government use-cases | Our comprehensive service package includes Security Assessment and Authorization (SA&A) and Authority to Operate (ATO) for federal departments. We ensure that authorized software and hardware meet stringent security requirements, providing peace of mind with timely, fixed-fee services. |
| Data, AI & Security Maturity Assessments | Assess your organization's position on the Maturity Assessment Model to drive strategic improvements in data, AI, and security practices. |
| Comprehensive Security & Compliance Enhancements | Apply a multifaceted approach combining strategies, technologies, and practices to effectively mitigate risks and strengthen cloud security and compliance. |
| Structured SA&A for ATO Process | Complete Security Assessment and Authorization (SA&A) with a structured approach to secure an Authority to Operate (ATO) and ensure systems meet security requirements. |
- Dashboard -
Organization-wide analytics showing the department's aggregated risk level, compliance score, and data classification coverage across applications, environments and controls.
- How To: Use Controls-awaiting Assessment Widget
- How To: Plan of Action Measurements (PoAM) Widget
- How To: Statement of Sensitivity awaiting review
- How To: Mission Critical Systems
- How To: Compliance Score by Environment
- How To: Residual Risks Register
- How To: Data Classification Coverage
- How To: Security Assessment Coverage
- How To: Customize the Dashboard
- Average Compliance Score Widget
- Rolling Risk Level Widget
- Controls Awaiting Assessment Widget
- Controls Submitted vs. Approved Widget
- Plan of Action and Milestone (POAM) Widget
- Statement of Sensitivity awaiting business owner approval Widget
- Mission-critical Systems Widget
- Compliance Score by Application & Environment Widget
- Compliance Score by Control Widget
- Residual Risks Register Widget
- Data Classification Coverage Widget
- Security Assessment Coverage Widget
- How To: Navigate to My-To-do List
- How To: Navigate to Controls Assigned To Me
- Applications -
Built-in mini Application Portfolio Management (APM) to organize your organization's information systems in one place.
See which environments each application is hosted in, to get a holistic view of its software.
- How To: Register a new application in Iron Fort
- What is an Application?
- How To: Add an Application in Iron Fort
- How To: Edit Application Details
- How To: Navigate Back from the Application Overview Page
- How To: Download Application Overview in PDF format
- How To: Print Application Details
- How To: Locate the Tag Section in the Application Overview
- How To: Access the Statement of Sensitivity Tab in an Application
- How To: Generate a New Statement of Sensitivity for an Application
- How To: Navigate to the Components Tab in Application
- How To: Add Application Components to an Existing Application
- How To: Navigate to the Hosted In Tab from the Application Page
- How To: Navigate to the Assessment Tab from the Application Page
- How To: View Application Overview details
- How To: View the List of Applications
- How To: Add Assessment under Application
- Environment -
Built-in mini infrastructure map of the organization to depict individual and shared hosting architecture.
Visually see your compliance hierarchy and compliance for hosting infrastructure.
- What is an Environment?
- How To: Register a new Environment in Iron Fort
- What is a Nested Environment?
- How To: Add a Nested Environment in Iron Fort?
- How To: Add an Environment in Iron Fort?
- How To: View the List of Environment
- How To: View Environment Overview details
- How To: Navigate Back from the Environment Overview Page
- How To: Edit Environment Details
- How To: Print Environment Details
- How To: Navigate tag Icon under Environment
- How To: Navigate to Application Tab under Environment
- How To: Navigate to Components Tab under Environment
- How To: Add environment under Components in Environment
- How To: Navigate to Statement of Sensitivity under Environment
- How To: Navigate to Security Assessment under Environment
- How To: Navigate to Hosted In under Environment
- How To: Download Environment Overview in PDF format
- Controls -
OSCAL compliance controls catalogue for ITSG-33.
Cyber security controls along with their description and implementation guidelines.
- Catalogue
- Control Profile
- Control Sets
- What is a control set?
- What control sets are available by default?
- How To: View the List of Control sets
- How To: Navigate Control sets under Control Tab
- How To: Add Custom Control sets under Control Tab
- How To: Navigate Control Enhancement under Control sets navigation tab
- How To: Create a new Control Set
- How To: List existing control sets
- How To: Edit a control set
- How To: Create a new custom Control Set
- Control Families
- Control
- Statement of Sensitivity -
View your organization's data classification coverage at a glance. List of statements of sensitivity and their results for applications and environments, covering Unclassified, Protected B, and Protected C.
- How To: Create a new Statement Of Sensitivity?
- How To: Edit Statement of Sensitivity Details
- How To: Download Statement of Sensitivity Overview in PDF format
- How To: Print Statement of Sensitivity Details
- How To: View a Statement of Sensitivity Overview details
- How To: View the List of Statement of Sensitivity
- How To: Add Tag under Statement of Sensitivity
- Security Assessment -
View your organization's compliance coverage at a glance.
List of the organization's security assessments that are completed, in progress, or expired.
- What is a Security Assessment?
- What are evidences?
- What is the difference between attached evidence and external evidence?
- How To: Begin an Assessment?
- How To: Plan a security assessment?
- How To: Attach an evidence for a control in a security assessment?
- How To: Attach a link to an internal document to a security assessment for evidence?
- How To: Submit a control to an assessor?
- How To: Finalize an assessment and submit it for approval?
- How To: View evidence in security assessment
- How To: Plan a new security assessment?
- How To: Inherit from Approved Security Assessment
- How To: View the List of Security Assessment
- How To: View Security Assessment Overview details
- How To: Add POAM under Security Assessment
- How To: Add Residual Risk under Security Assessment
- How To: Edit Security Assessment Details
- How To: Navigate Back from the Security Assessment Overview Page
- How To: Print Security Assessment Overview Details
- How To: Download Security Assessment Overview in PDF format
- How To: Attach evidence control using screenshot
- How To: Add Addendums under Security Assessment
- How To: Add Tag under Security Assessment
- How To: Add Reviewers to the Security Assessment
- How To: Add Assessor to the Security Assessment
- How To: Add Approvers to the Security Assessment
- How To: Delete Assessor from the Security Assessment
- How To: Delete Reviewers from the Security Assessment
- How To: Collapse the Control Evidence Modal in a Security Assessment
- How To: Delete Approvers from the Security Assessment
- Standard Settings -
Manage and customize your organization's settings, including user profiles, permissions, and system configurations.
- How To: Login
- How To: Logout
- How To: Register with Tenant Key
- How To: Reset a password if you forgot your password
- How To: Login using Google Account
- How To: Login using Microsoft Account
- How To: Change your password
- How To: Check what permissions you have
- How To: Setup your user profile
- How To: Invite a Team Member
- How To: View Team Members and their Access Type
- How To: Switch languages to English or French
- How To: Create your tenant key
- How To: Create a Support Case
- How To: Setup Application Categorization
- How To: View Available Roles
- What is a Role?
- How To: Request changes to a Role
- How To: Monitor a Support Case
- How To: Create an Integration
- How To: Activate a user account
- How To: Resend an OTP Code
- How To: Request a new user activation email
- How To: Navigate to Application Categorization under Settings
- How To: Navigate to Environment Types under Settings
- How To: Add Environment Type
- How To: Navigate to User Management under Settings
- How To: Open and Edit a Team Member’s Profile from User Management
- How To: Navigate to Organizational Details under Settings
- How To: Navigate to Directorate under Settings
- How To: Add Directorate
- How To: Navigate to Integration under Settings
- How To: Navigate to Support Case History
- How To: Navigate to Audit Trails under Settings
- How To: Navigate to Archive Audit Trails under Settings
- How To: Set a Date Range to Archive Audit Trails
- How To: Check Archived Trails Record
- How To: Edit and Update Your User Profile
- How To: View Archived Overview Details
- How To: Edit Your Account Settings and Save Changes
- How To: Navigate to Billing and Payment under Settings
- Compliance-as-Code Using OSCAL -
Leverage OSCAL to automate and streamline compliance processes, ensuring consistency and efficiency in managing security controls and assessments.
- What is OSCAL?
- How To: View OSCAL code for a Control
- How To: View OSCAL code for a Control Family
- How To: View OSCAL code for a Catalogue
- How To: View OSCAL code for an Application
- How To: View OSCAL code for a Statement of Sensitivity
- How To: View OSCAL code for a PoAM
- How To: View OSCAL code for an Environment
- How To: View OSCAL code for a Control Set
- How To: View OSCAL code for a Security Assessment
- How To: View OSCAL code for Profile in Controls
- Forti AI -
Discover Forti AI Chat, an intelligent assistant designed to simplify compliance management and provide instant support for your queries.
- Documents -
Manage and organize your organization's documents, including uploading, categorizing, and attaching them to relevant assessments or records.
- What is Documents?
- How To: Request a Document
- How To: Attach documents to Security Assessment
- How To: Attach documents to Statement of Sensitivity
- How To: Open a folder in Documents
- How To: Open file in Documents
- How To: Add a Document in Documents
- How To: View the List of Documents
- How To: View Documents Overview details
- How To: Invite a New User When Requesting a Document
- How To: Open a Folder from the Documents Page Using the Three-Dot Menu
- How To: Use the Three-Dot Menu to Request Documents from a Folder
- How To: Drag Files on the Document page modal
- Components -
Manage and organize your organization's components, including adding, categorizing, and associating them with relevant applications or environments.
Getting started
Yep, as simple as that.
The Login Page is the gateway to accessing the web application. It is where users can sign in with their credentials or register as new users if they don’t already have an account. To access the login page, navigate to the homepage and click on the **Login** or **Register** button prominently displayed. New users can select the registration option, fill out the required details, and create an account to begin using the application. Returning users can enter their email and password to securely log in and access their personalized dashboard and features.
Demo
By watching these short videos you will better understand how the template works. In these demos we share some best practice recommendations to help you optimize your experience.
Standard Settings
Here's the full list of all available options. You can easily customize your item: just write the required option within your custom.js.
| Property | Description |
|---|---|
| Application Categorization | Allows you to organize and manage applications by category for better accessibility and navigation. |
| Message Template | Customize email templates for user invitations and other communication purposes. |
| Subscription Plans | Displays the current subscription plan and the features available to your organization. |
| Billings and Payment | Manage and edit billing details, including payment methods and invoices. |
| User Management | View and manage the status and roles of all users within your department. |
| Audit Trail | Track and review user actions and activities for accountability and compliance. |
| Notifications | Adjust notification preferences to control how and when alerts are received. |
| Organization Details | Update and view detailed information about your organization, such as name and contact details. |
| Departments | Manage and update department-specific details, including names and associated roles. |
| Address | Update the company’s address and ensure accurate organizational location details. |
| Support Case | Report bugs or issues encountered in the platform to the support team for resolution. |
Browser support
Specifically, we support the latest versions of the following browsers and platforms. On Windows, we support Internet Explorer 9+. More specific support information is provided below.
- Chrome
- Safari
- Opera
- Firefox
- IE 9+
FAQ
Begin typing your question. If we don't have an answer for it in our FAQ, please leave us a message on our contact page.
- What is Iron Fort?
  Iron Fort is a comprehensive Security Assessment & Authorization (SA&A) lifecycle management solution designed for Government of Canada departments and technology vendors. It facilitates the process of obtaining and maintaining Authority to Operate (ATO) status for applications across cloud and on-premises environments. Iron Fort streamlines control selection, evidence collection, security assessments, and continuous monitoring, aligning with GC cloud security requirements on a secure and compliant platform.
- What deployment options are available?
  The solution offers flexible deployment options including:
  - Secure Public-cloud deployment in Canada
  - Private-Cloud deployment within GC-managed environments
  - On-premises deployment in GC data centers
- Who is the intended user base?
  The solution is designed for:
  - Federal government departments and agencies managing their cloud service assessments
  - Technology vendors seeking to obtain and maintain ATO status for their solutions
  - Security assessment teams conducting SA&A processes
  - Continuous monitoring teams maintaining security compliance

  * Please see Version Release Schedule below for details on what capabilities come on stream in which release.
- What security level of data can the solution handle in its initial release?
  The initial release is designed to handle Unclassified (Unprotected) data only; however, it can link to secured data repositories. Future releases will incorporate capabilities for handling higher security levels, subject to appropriate certifications and approvals.
- Does the solution comply with GC cloud security control profiles?
  Yes, the solution is built to align with GC cloud security control profiles and relevant TBS directives. Specific compliance documentation is available upon request.
- How is data sovereignty maintained?
  All data is stored exclusively within Canadian borders, regardless of deployment model. This includes primary data, backups, and any cached information.
- What cloud platforms does the solution support?
  The solution is multi-cloud and on-prem capable, supporting major cloud service providers approved for GC use. This includes but is not limited to Azure, AWS, and Google Cloud, provided they meet Canadian data residency requirements.
- What features are included in Release 1?
  Release 1 focuses on core SA&A lifecycle management capabilities. A detailed feature matrix is available separately, but key functionalities include:
  - Initial security assessment workflow management
  - Evidence collection and documentation
  - Basic reporting capabilities
- What is the current roadmap for future version releases, and what is the functionality uplift on each release?
  We are working towards more automated control selections based on departmental preferences and recommendations for where the users can find and capture the evidence needed for assessments. We are also developing an assistant to work alongside the business and security teams to quickly answer any questions according to best practices for evidence collection and process workflows.
- How does the solution integrate with existing GC systems?
  The solution is designed to work independently while maintaining compatibility with GC systems. Future versions will see increased interoperability through standard interfaces that will allow for continuous monitoring and preventative remediation. Specific integration requirements would be discussed during implementation planning.
- What level of support is provided?
  Our Licensing Arrangement includes both Iron Fort Customer Support (through our Iron Fort Customer Success Team) and LNine Professional Services Support for deployments, configurations, integrations, and additional benefits.
  A non-exhaustive list of support includes:
  - Technical support
  - Documentation, on-boarding training
  - Implementation Assistance & Regular maintenance and updates
  - LNine’s “white glove” Professional Services Support Wrapper
- What is the implementation timeline?
  Implementation timelines vary based on deployment model and organizational requirements. Typical implementations range from 4-12 weeks, including testing and user training.
- How is data backed up and protected?
  The solution implements comprehensive backup procedures including:
  - Regular automated backups
  - Geographic redundancy within Canada
  - Encryption at rest and in transit
  - Configurable retention policies
- Can we export our data if we choose to change providers?
  Yes, the solution includes data export capabilities in standard formats (CSV and Excel files) to ensure departmental data portability and sovereignty.
- How often are updates released?
  The solution follows a regular update schedule with:
  - Readily available security updates
  - Monthly feature updates
  - Quarterly major version releases
- Is there a User-Group, and can only existing customers become members?
  Iron Fort was designed in conjunction with the GoC requirements and communities. Building the solution to be valued by our clients remains a priority. As such, we do have a user-group that is open to all interested parties and is not restricted just to paying customers. We want your voice to be heard.
- How does the solution support official languages requirements?
  The solution fully supports both English and French in accordance with Official Languages Act requirements, including:
  - Complete bilingual user interface
  - All documentation available in both official languages
  - Support services in both English and French
  - Reporting capabilities in both languages
  - System-generated communications in both languages
- Does the solution meet GC accessibility requirements?
  Yes, the solution is designed to comply with the Accessible Canada Act and Treasury Board Secretariat accessibility standards, including:
  - WCAG 2.1 Level AA compliance
  - Keyboard navigation support
  - Screen reader compatibility
  - Configurable display options for visibility and readability
  - Accessible documentation formats
- What audit capabilities are included?
  The solution provides comprehensive audit features including:
  - Complete audit trails of all system actions
  - User activity logging
  - Change tracking for all assessment documentation
  - Exportable audit logs for compliance reporting
  - Integration capabilities with departmental audit systems
  - Custom report generation for oversight requirements
- What business continuity measures are in place?
  The solution includes robust business continuity features:
  - High availability architecture
  - Automated failover capabilities
  - Regular disaster recovery testing
  - Documented recovery time objectives (RTO)
  - Documented recovery point objectives (RPO)
  - Business continuity documentation aligned with GC standards
- How is user access managed?
  The solution provides comprehensive IAM features including:
  - Role-based access control (RBAC)
  - Integration with departmental identity providers
  - Support for multi-factor authentication
  - Granular permission settings
  - User session management
  - Access review and certification capabilities
- What training resources are provided?
  The solution includes comprehensive training support:
  - Role-based training materials
  - Online self-service training portal
  - Regular training webinars
  - Custom training sessions available
  - Training materials in both official languages
  - Best practices documentation
  - Quick reference guides
- How does the solution handle performance at scale?
  The solution is designed for enterprise-scale performance:
  - Configurable resource allocation based on workload
  - Automated scaling capabilities
  - Performance monitoring and alerting
  - Regular performance testing and optimization
  - Documented performance benchmarks
  - Capacity planning tools
- What regulatory standards does the solution comply with?
  The solution is designed to meet various regulatory requirements including:
  - Privacy Act compliance
  - Personal Information Protection and Electronic Documents Act (PIPEDA)
  - Treasury Board information management policies
  - Digital Standards
  - Cloud Security Program requirements
  - Departmental security requirements
- How are security incidents handled?
  The solution includes comprehensive incident management procedures:
  - Automated incident detection and alerting
  - Incident response playbooks
  - Integration with departmental incident management systems
  - Regular incident response testing
  - Post-incident analysis and reporting
  - Continuous improvement processes