
Information Technology Strategy Team

A CIO is accountable for 411 requirements

2021-06-02 - Written by Rémy Bernard, in collaboration with the IT Strategy team

Last modified: 2021-06-02

This blog post highlights the number of requirements that Treasury Board (TB) policy instruments place on the different senior officials, the CIO in particular, in enabling the transition towards digital.

A number of TB policy instruments were re-adjusted as part of the Policy Suite Reset exercise, some of which make up the broad “Digital” policy suite of instruments. We see a clear indication that lines of business need to develop strong technical acumen to understand digital and plan their digital product roadmaps. We also see how technologists need to foster greater empathy towards their business partners regarding how technology is to enable all service delivery and how it affects the cyber security landscape of government.

We’ve analyzed a total of 31 policy instruments (Policies, Directives, Standards, and Mandatory Procedures). Here are some statistics around the number of requirements each senior official is accountable for.

Some needed ESDC context (that may be different in other departments):

  • The person holding the role of CIO also holds the role of a Departmental Official responsible for Cyber Security (DOCS). As such, that person is effectively accountable for both CIO and DOCS requirements.
  • The Chief Security Officer (CSO) reports to the Assistant Deputy Minister (ADM) responsible for Identity Management (a different ADM than the one holding the role of CIO/DOCS). So in the statistics below, we have indicated that Identity Management requirements fall under the CSO.
  • The CIO is currently the one signing off Algorithmic Impact Assessments (AIA), not the business-level ADM. As such, we have indicated that the Directive on Automated Decision-Making and its AIA requirements fall under the CIO.
  • Policy instruments do not mention the role of a Chief Data Officer (CDO). Instead, they put the accountability for data under the CIO. At ESDC, we have a CDO that reports to a different ADM than the CIO. We have placed accountability with the CDO within the context of the Mandatory Procedures for Enterprise Architecture Assessment.

Statistics

Number of requirements by type of policy instrument (see Notes for acronyms).

Instrument Type       ALL   CDO   CIO   COMS   CSB(?)   CSO   DOCS   DM   HR   SERV
Policy                  -     -     -      -        -     -      -   54    -      -
Directive               8     -   103      -        -    29     17    -    2      7
Mandatory Procedure     -    18   141      -        -    32     80    -    -      -
Standard               14     -   167      7       14    57      1    -    1      -
Grand Total            22    18   411      7       14   118     98   54    3      7

(A dash marks an empty cell: no requirement of that instrument type is assigned to that official.)

Number of requirements by policy instrument.

Instrument ALL CDO CIO COMS CSB(?) CSO DOCS DM HR SERV
Policy on Service and Digital 44
Policy on Government Security 10
Directive on Service and Digital 59 4 7
Directive on Security Management 8 5 13 13
Directive on Open Government 7
Directive on Identity Management 16 2
Directive on Business Number 2
Directive on Automated Decision-Making 30
Standard on Web Usability 13 5 2
Standard on Web Interoperability 10
Standard on Web Accessibility 3
Standard on Security Event Reporting 12 1
Standard on Security Categorization 26
Standard on optimizing Websites and Apps for Mobile 27 2 12
Standard on Metadata 3 10
Standard on IT User and Workpoint Profiles 20
Standard on IT Provisions 57
Standard on Identity and Credential Assurance 19
Standard on Geospatial Data 3 2
Standard on Email Management 8 19 1
Standard on EDRMS 6
Mandatory Release of Government Information 2
Mandatory Procedures on API 71 10
Mandatory Procedures for Security Screening Control 1
Mandatory Procedures for Security Event Management Control 27
Mandatory Procedures for Security Awareness and Training Control 4
Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information 8
Mandatory Procedures for IT Security Control 5 57
Mandatory Procedures for IM Security Control 8
Mandatory Procedures for EA Assessment 18 48 5
AIA Appendix C - Impact Level Requirements 7
(Grand Total) 22 18 411 7 14 118 98 54 3 7

The Digital Policy Suite

Below is the list of policy instruments that were analyzed to produce the above statistics (the source data is available here).

Digital Standards

Service and digital instruments:

  • Policy on Service and Digital
  • Directive on Service and Digital
  • Directive on Open Government
  • Directive on Business Number
  • Directive on Automated Decision-Making
  • Mandatory Procedures for EA Assessment
  • Mandatory Procedures on API
  • Mandatory Procedures for Privacy and Monitoring of Network and Device Use Information
  • Mandatory Release of Government Information
  • Standard on IT User and Workpoint Profiles
  • Standard on IT Provisions
  • Standard on EDRMS
  • Standard on Email Management
  • Standard on Geospatial Data
  • Standard on Metadata
  • Standard on optimizing Websites and Apps for Mobile
  • Standard on Web Accessibility
  • Standard on Web Interoperability
  • Standard on Web Usability
  • AIA Appendix C - Impact Level Requirements

Security instruments:

  • Policy on Government Security
  • Directive on Security Management
  • Directive on Identity Management
  • Mandatory Procedures for IT Security Control
  • Mandatory Procedures for IM Security Control
  • Mandatory Procedures for Security Screening Control
  • Mandatory Procedures for Security Event Management Control
  • Mandatory Procedures for Security Awareness and Training Control
  • Standard on Identity and Credential Assurance
  • Standard on Security Event Reporting
  • Standard on Security Categorization

Notes

Glossary

  • CDO: Chief Data Officer
  • CIO: Chief Information Officer
  • COMS: Head of communications
  • CSB: Citizenship Services Branch. Part of Service Canada and where the Principal Publisher resides (see requirement 8.4 of this directive).
  • CSO: Chief Security Officer
  • DOCS: Departmental Official responsible for Cyber Security
  • DM: Deputy Minister (deputy head)
  • HR: Head of Human Resources
  • SERV: Departmental Official responsible for Service