Information Technology Strategy Team

The CIO and DOCS are accountable for 480 requirements

2021-06-02 - Written by Rémy Bernard, in collaboration with the IT Strategy team

Last modified: 2023-03-29

This blog post highlights the number of requirements that Treasury Board (TB) policy instruments place on the different senior officials, and on the CIO in particular, in enabling the transition towards digital.

A number of TB policy instruments were re-adjusted as part of the Policy Suite Reset exercise, some of which make up the broad “Digital” policy suite of instruments. We see a clear indication that lines of business need to develop strong technical acumen to understand digital and to plan their digital product roadmaps. We also see that technologists need to foster greater empathy towards their business partners regarding how technology is to enable all service delivery and how it affects the cyber security landscape of government.

The “Digital Policy Suite” comprises 40 policy instruments:

  • 2 Policies
  • 6 Directives
  • 16 Standards
  • 7 Mandatory Procedures
  • 9 Configuration Requirements

Here are some statistics around the number of requirements each senior official is accountable for.

Some needed ESDC context (that may be different in other departments):

  • The Departmental Official responsible for Cyber Security (DOCS) reports to the CIO.
  • The Chief Security Officer (CSO) reports to the Assistant Deputy Minister (ADM) who is responsible for Identity Management (a different ADM from the one holding the role of CIO). So in the statistics below, we have indicated that Identity Management requirements fall under the CSO.
  • The CIO is currently the one signing off Algorithmic Impact Assessments (AIA), not the business-level ADM. In addition, ESDC has a Chief Data Officer (CDO) who is heavily involved in the ethical use of data. The CDO does not report to the CIO. As such, we have indicated that the Directive on Automated Decision-Making and its AIA requirements fall under a mix of CDO and CIO responsibilities.

Statistics

Number of requirements by type of policy instrument (see Notes for acronyms).

Instrument Type             ALL  CDO  CIO  COMS  CSB(?)  CSO  DOCS  DM  HR  SERV
Policy                                                               54
Directive                     8       103                  29    17       2     7
Standard                      6       164     7      14    57     1
Mandatory Procedures               15                      32    63
Configuration Requirements          7   34                 10    96
Grand Total                  14   22  303     7      14   128   177  54   2    10

Number of requirements by policy instrument.

Instrument ALL CDO CIO COMS CSB(?) CSO DOCS DM HR SERV
Policy on Service and Digital 44
Policy on Government Security 10
Directive on Service and Digital 64 4 7
Directive on Security Management 8 5 13 13
Directive on Open Government 7
Directive on Identity Management 16 2
Directive on Business Number 2
Directive on Automated Decision-Making 15 12 3
Standard on Web Usability 13 5 2
Standard on Web Interoperability 10
Standard on Web Accessibility 3
Standard on Security Event Reporting 12 1
Standard on Security Categorization 26
Standard on optimizing Websites and Apps for Mobile 27 2 12
Standard on Metadata 3 10
Standard on Information Technology User and Workpoint Profiles 20
Standard on Information Technology Provisions 42
Standard on Identity and Credential Assurance 19
Standard on Geospatial Data 3 2
Mandatory Release of Government Information 2
Mandatory Procedures for Security Screening Control 1
Mandatory Procedures for Security Event Management Control 27
Mandatory Procedures for Security Awareness and Training Control 4
Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information Notices 6
Mandatory Procedures for IT Security Control 5 57
Mandatory Procedures for IM Security Control 8
AIA Appendix C - Impact Level Requirements 7
Standard on Enterprise Information Technology Service Usage Restrictions 13
Standard on Enterprise Information Technology Service Common Configurations 5
Standard on At-Risk Information Technology 7
Interim Standard on Enterprise Resource Planning Solutions 5
Standard on Systems that Manage Information and Data 7
Endpoint Management Configuration Requirements 23
Email Management Services Configuration Requirements
Account Management Configuration Requirements 29
Remote Access Configuration Requirements 8
Portable Data Storage Requirements 10 37
Workplace Service Configuration Requirements 1
Web Sites and Services Management Configuration Requirements 8 15
Domain Name System (DNS) Services Management Configuration Requirements 2
System Management Configuration Requirements 7
(Grand Total) 14 22 303 7 14 128 177 54 2 10

The Digital Policy Suite

Below is the list of policy instruments that were analyzed to produce the above statistics (the source data is linked here).

Digital Standards
  • Policy on Service and Digital
  • Directive on Service and Digital
  • Directive on Open Government
  • Directive on Business Number
  • Directive on Automated Decision-Making
  • Standard on Information Technology User and Workpoint Profiles
  • Standard on Information Technology Provisions
  • Standard on Enterprise Information Technology Service Usage Restrictions
  • Standard on Enterprise Information Technology Service Common Configurations
  • Standard on At-Risk Information Technology
  • Interim Standard on Enterprise Resource Planning Solutions
  • Standard on Systems that Manage Information and Data
  • Standard on Geospatial Data
  • Standard on Metadata
  • Standard on optimizing Websites and Apps for Mobile
  • Standard on Web Accessibility
  • Standard on Web Interoperability
  • Standard on Web Usability
  • Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information Notices
  • Mandatory Release of Government Information
  • AIA Appendix C - Impact Level Requirements
  • Endpoint Management Configuration Requirements
  • Email Management Services Configuration Requirements
  • Account Management Configuration Requirements
  • Remote Access Configuration Requirements
  • Portable Data Storage Requirements
  • Workplace Service Configuration Requirements
  • Web Sites and Services Management Configuration Requirements
  • Domain Name System (DNS) Services Management Configuration Requirements
  • System Management Configuration Requirements
  • Policy on Government Security
  • Directive on Security Management
  • Directive on Identity Management
  • Standard on Identity and Credential Assurance
  • Standard on Security Event Reporting
  • Standard on Security Categorization
  • Mandatory Procedures for Security Awareness and Training Control
  • Mandatory Procedures for IT Security Control
  • Mandatory Procedures for IM Security Control
  • Mandatory Procedures for Security Event Management Control
  • Mandatory Procedures for Security Screening Control

Notes

Glossary

  • CDO: Chief Data Officer
  • CIO: Chief Information Officer
  • COMS: Head of Communications
  • CSB: Citizenship Services Branch. Part of Service Canada and where the Principal Publisher resides (see requirement 8.4 of this directive).
  • CSO: Chief Security Officer
  • DOCS: Departmental Official responsible for Cyber Security
  • DM: Deputy Minister (deputy head)
  • HR: Head of Human Resources
  • SERV: Departmental Official responsible for Service