Directive on Management of Information Technology
1. Effective date
1.1 This directive takes effect on April 1, 2009.
1.2 Departments have until March 31, 2012, to fully implement this directive.
2.1 This directive applies to all departments as defined in section 2 of the Financial Administration Act (FAA), unless excluded by specific acts, regulations or Orders in Council.
2.2 Sections 6.2.2 and 7.1 of this directive do not apply to the Office of the Auditor General, the Office of the Privacy Commissioner, the Office of the Information Commissioner, the Office of the Chief Electoral Officer, the Office of the Commissioner of Lobbying, the Office of the Commissioner of Official Languages and the Office of the Public Sector Integrity Commissioner. In these organizations, deputy heads are solely responsible for monitoring and ensuring compliance with this directive and for responding to cases of non-compliance in accordance with any Treasury Board instruments providing principles and guidance on the management of compliance.
3.1 Information technology (IT) enables the federal government to effect operations and service transformation. IT is strategically critical to increasing government productivity and enhancing government services to the public for the benefit of citizens, businesses, taxpayers and employees. This directive provides essential support for the management of IT in the areas of IT governance, IT planning and IT strategy.
3.2 The federal government invests a significant portion of its annual budget on information technology and supporting infrastructure. Rapidly developing technology, incompatible business practices and the fragmented approach to IT investments undermine effective and efficient delivery of government programs and services. Multiple data centres and networks also pose significant security risks. A more strategic approach to IT investments is needed to ensure interoperability of departmental systems and compatible business practices.
3.3 This directive supports the Policy on Management of Information Technology by providing departmental chief information officers (CIO) or equivalents or other officials supporting the management of IT with additional requirements to ensure consistency in IT management processes.
3.4 This directive is to be read in conjunction with the Policy Framework for Information and Technology, the Policy on Management of Information Technology and the Policy on Information Management. The directive is also related to the Policy on Investment Planning – Assets and Acquired Services and the Policy on the Management of Projects. The departmental IT plan is a component of the broader departmental investment plan that has a five-year horizon (as required under the Policy on Investment Planning – Assets and Acquired Services). To keep up with the pace of technological changes, however, the departmental CIO or equivalent reviews the departmental IT plan annually and updates it, as required, at the time of the review. The departmental IT plan covers the strategic, tactical and operational aspects of the management of IT.
3.5 Additional requirements for IT governance, IT planning and IT strategy will be set out in the standards. The Chief Information Officer Branch (CIOB) of the Treasury Board Secretariat (TBS) will also publish guidelines and tools to assist departments if required.
3.6 The Treasury Board has delegated authority to the Secretary of the Treasury Board to issue this directive and to make administrative and technical changes.
4.1 Definitions to be used in the interpretation of this directive are attached in Appendix A.
5. Directive statement
The objectives of this directive are to:
5.1.1 Ensure efficient and effective use of information technology to support federal government priorities, program delivery, increased innovation, productivity and enhanced services to the public; and
5.1.2 Support the management of IT on a government-wide basis by providing more robust and mature management practices to reduce duplication, enable the adoption of alternate service delivery models, including common and shared services, promote alignment and interoperability and optimize service delivery.
5.2 Expected results
The expected results of this directive are the following:
5.2.1 Stakeholders will exercise their roles and responsibilities in the management of IT more effectively by participating in designated governance, advisory and working group forums;
5.2.2 Efficiency and effectiveness in IT management will increase along with better decision making at all levels, thus ensuring that IT supports program delivery and provides value for money;
5.2.3 The use of common or shared IT assets and services by departments will increase and ensure efficiency gains;
5.2.4 IT will enable more innovative and responsive services; and
5.2.5 The consistency of security practices will improve as a result of the increased consolidation of systems and services.
6.1 Departmental CIO or equivalent
The departmental CIO or equivalent is responsible for the following:
6.1.1 IT governance
- Developing, for deputy head approval, departmental governance structures to support effective IT decision making;
- Coordinating, promoting and directing IT and collaborating on IT-enabled business transformation with the business owner and other stakeholders;
- Participating in federal government IT governance forums, including the Chief Information Officer Council (CIOC) and other designated governance and advisory forums, related to IT and federal government IT architecture matters;
- Balancing individual departmental interests with government-wide interests and aligning IT to government-wide directions and strategies;
- Advising the CIOC on the decisions, plans, strategies, directions, progress, risks and challenges related to the initiatives that affect the provision or use of IT services in or across departments;
- Monitoring and measuring departmental IT management performance using both government-wide and departmental key performance indicators as appropriate; and
- Advising the deputy head, as well as the business owner and other stakeholders, of the effect of new or amended legislation and policies on departmental IT plans.
6.1.2 IT planning
- Developing, implementing and sustaining an effective departmental IT planning process that is integrated with the overall departmental corporate planning process and aligned with the investment planning process to support business, enable transformation and guide IT decision making;
- Preparing an IT plan and an IT progress report against the plan as established in Appendix B and submitting it to TBS (CIOB) as requested; and
- Ensuring that the IT plan is aligned to support both departmental business and government-wide strategic directions by communicating with and engaging departmental and external stakeholders, as appropriate.
6.1.3 IT strategies
- Developing and maintaining efficient and effective departmental IT management practices and processes, as informed by ITIL (Information Technology Infrastructure Library) and COBIT (Control Objectives for Information and related Technology), with priority on IT asset management, the IT service catalogue and IT service costing and pricing, as appropriate;
- Aligning departmental IT management practices, processes and technology architecture with federal government strategy, directions, standards and guidelines as they become available and as they evolve under the guidance of the CIOC;
- Participating, as a service provider or a service user, in the conception, planning, evolution and oversight of common or shared IT services and solutions;
- Developing, implementing and sustaining departmental strategies for producing or using appropriate common or shared IT services and solutions, based on the IT plans;
- Aligning and documenting IT services, whether planned or currently offered to recipients, according to the Policy on Management, Resources and Results Structure (MRRS). The Profile of GC Information Technology Services provides additional guidance for the alignment and documentation of IT services; and
- Reviewing and assessing IT services periodically to identify opportunities for enhancing efficiency, effectiveness and innovation as determined by governance and in collaboration with service providers, service users and other stakeholders.
6.2 Monitoring and reporting requirements
6.2.1 Within departments
- The departmental CIO or equivalent is responsible for monitoring compliance with this directive and advising the deputy head of reporting results in the annual departmental performance report (DPR) and the Management Accountability Framework (MAF).
- TBS (CIOB) will monitor compliance with this directive through the MAF assessment process, examination of Treasury Board submissions, DPRs, and requested departmental evaluations and studies.
- TBS (CIOB) will review this directive and its effectiveness at the five-year mark of implementation. When substantiated by risk analysis, TBS (CIOB) will also ensure that an evaluation of this directive is conducted.
7.1 Consequences of non-compliance can include an informal follow-up or request for information from TBS, such as an external audit or report on corrective measures.
8. Roles and responsibilities of government organizations
Note: This section identifies other departments that have a role in IT management. In and of itself, the section does not confer authority.
8.1 TBS (CIOB), in consultation with other departments, is responsible for the following:
8.1.1 Developing policy instruments, including frameworks, policies, directives, standards, guidelines and tools, and providing interpretive advice and guidance on these instruments;
8.1.2 Setting government-wide strategic directions for IT, including areas of IT that offer significant government-wide benefits or enable government to take the lead in achieving these benefits;
8.1.3 Coordinating implementation of government-wide IT strategic directions;
8.1.4 Communicating and engaging the government-wide IT community on plans, progress, risks and challenges associated with the management of IT in the federal government;
8.1.5 Developing competency and other professional standards for the federal government's IT specialists as required; and
8.1.6 Providing support to the CIOC and other committees and working groups, as necessary, to address government-wide strategic IT directions and issues.
8.2 The Department of Public Works and Government Services (PWGSC) is a key provider of a number of common and shared IT infrastructure products and services to departments. PWGSC is responsible for establishing governance for the delivery of its services to client departments.
8.3 The Office of the Chief Human Resources Officer (OCHRO), TBS is responsible for providing advice and guidance to stakeholders on a full range of sound human resources (HR) management strategies, including integrated business and HR planning. OCHRO representatives are available to advise TBS (CIOB) on recruitment and retention strategies and to share lessons learned.
8.4 The Canada School of Public Service is responsible for the development and delivery of a government-wide core learning strategy and program – consistent with the Policy on Learning, Training and Development and based on consultation with the relevant functional authority centres for all public service employees involved in IT management.
9.1 Relevant legislation
9.2 Related policy instruments and publications
- Common Services Policy
- Directive on Privacy Impact Assessment (not yet approved)
- Directive on Privacy Practices (not yet approved)
- Framework for the Management of Compliance (not yet approved)
- Government Security Policy
- Policy on Evaluation
- Policy on Information Management
- Policy on Internal Audit
- Policy on Investment Planning – Assets and Acquired Services
- Policy on Learning, Training, and Development
- Policy on Management of Information Technology
- Policy on Management, Resources and Results Structures
- Policy on the Management of Projects
- Policy on Privacy Protection
- Policy on Service (not yet approved)
9.3 Other publications
Please address enquiries about this directive to the departmental CIO or equivalent. For assistance in interpreting this directive, the departmental CIO or equivalent should contact:
Chief Information Officer Branch
Treasury Board Secretariat
Ottawa ON K1A 0R5
Appendix A - Definitions
- activity (activité)
- Is the work that is done to achieve an output, such as a product or service. It is a component of a program and may include several levels of activity (i.e., activity, subactivity and sub-subactivity) at the level of detail needed to manage a program and its services successfully.
- applications (applications)
- Are a subclass of computer software that employs the capabilities of a computer directly and thoroughly for a task that the user wishes to perform.
- assets (biens)
- Are tangible and intangible items of value that have a life span beyond one year, whether they are Crown-owned, leased or accessed through other arrangements.
- Chief Information Officer Council (CIOC) (Conseil des dirigeants principaux de l'information (CDPI))
- Refers to the forum for the departmental CIO or his or her equivalent to participate in shared decision making by recommending government-wide information technology options to the Chief Information Officer of Canada. This forum also ensures that departments collectively support decisions made by the CIOC. Details on its operations can be found in the CIOC's Terms of Reference.
- client (client)
- Is the intended recipient of a service. Clients may be external to the federal government (e.g., citizens, businesses, non-Canadians and non-profit organizations) or internal to government (e.g., departments).
- COBIT (COBIT)
- Stands for “Control Objectives for Information and related Technology” and represents a set of best practices that provide guidance for the management of IT processes. (Source: IT Governance Institute)
- common service (service commun)
- Is a service provided by a common service organization.
- common service organization (organisme de service commun)
- Refers to a department or organization designated as a central supplier of particular services that support the requirements of departments. Common service organizations are listed in Appendix B of the Common Services Policy.
- departments (ministères)
- Has the same meaning as in section 2 of the Financial Administration Act and includes all departments, agencies, branches and departmental corporations listed in Schedules I, I.1 and II of the Act.
- departmental CIO or equivalent (DPI du ministère ou équivalent)
- Refers to the senior official designated by the deputy head, as established under Section 6.1.6 of the Policy on Management of Information Technology, to represent the department to TBS on matters relating to IT management. The requirements in this directive do not include all the duties and responsibilities of departmental CIO or equivalent; in addition to IT management, other responsibilities could include information management or IT security.
- information technology (technologies de l'information)
- Involves both technology infrastructure and IT applications. Technology infrastructure includes any equipment or system that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information. IT applications include all matters concerned with the design, development, installation and implementation of information systems and applications to meet business requirements.
- investment (investissement)
- Is the use of resources with the expectation of a future return, such as an increase in output, income or assets or the acquisition of knowledge or capacity.
- interoperability (interopérabilité)
- Refers to the ability of departments to operate in synergy through consistent IT management policies, practices, processes and technologies.
- IT decision making (prise de décisions en matière de TI)
- Refers to the process and actions involved in making decisions on IT management.
- IT services (services de TI)
- Are services that clients and end user recipients understand as IT service provider outputs. Services may be delivered by providers through one or more internal activities.
- ITIL (ITIL)
- Stands for “Information Technology Infrastructure Library” and represents a set of best practices that guide IT service management. (Source: ITIL)
- management of information technology (gestion des technologies de l'information)
- Is planning, acquiring, building, implementing and operating IT assets, systems or services, measuring their performance and arranging their disposal.
- service (service)
- Refers to a means, administered by a program, of producing a final valued output that addresses one or more target group needs.
- service catalogue (catalogue de services)
- Is a database or structured document for users that is published by a service provider and includes a full description of individual IT services or, at a minimum, information on cost, quality and service levels. The service catalogue may also include service request processes and contact points.
- service costing (établissement du coût des services)
- Refers to cost estimating that assists senior management in making decisions on services. (See the TBS Guide to Costing)
- shared service (service partagé)
- Is a service that is shared by more than one client.
- stakeholder (intervenant)
- Is an entity that may be internal or external to the federal government, such as a citizen, business, service provider, service consumer, partner or employee, and has an interest in an IT service, project or organization or their related activities, resources or deliverables.
Appendix B - Content of IT plan and IT progress report
12.1 IT plan
The IT plan is a practical document that defines departmental IT directions, strategies, architecture and HR capacity and how these work together to achieve departmental business and government-wide strategic objectives. The IT plan is to support the effective resource allocation and investment planning decisions of the department through the departmental investment planning process. The IT plan reflects departmental priorities and outlines planned investments, including any acquired services, for the upcoming five-year period (at a minimum) in the following areas:
- New IT projects, systems, services or large enhancements to existing projects, systems and services;
- Planned maintenance of or enhancements to existing IT systems or services; and
- IT operations.
The IT plan is reviewed annually and updated as required at the time of the review. The plan, at a minimum, addresses governance, IT business, performance measures and risk management.
- Governance includes decision processes for the following areas:
  - IT strategies and policies;
  - Applications and systems; and
  - Resource allocations.
- IT resource allocation decisions are guided by governance selection and prioritization criteria and methodology.
12.1.2 IT business
- IT plays a role in enabling departmental business outcomes in the context of Section 12.1.
- IT architecture, including but not limited to defined core IT competencies, technology choices and services, should support business outcomes.
- IT should be aligned with departmental and government-wide IT priorities, technology, and common and shared services, when such services are available and appropriate.
- Resource allocation targets are to be organized into the following four portfolio classes:
  - Innovation – resource allocations that focus on transforming the department's business model;
  - Business opportunity – resource allocations that realize measurable business benefits (e.g., revenue or service growth);
  - Maintenance – resource allocations designed to maintain existing service levels (e.g., ongoing operation of IT); and
  - Mandatory – resource allocations required for legal or regulatory compliance.
12.1.3 Performance measures
- Business outcomes and key performance indicators (KPI) are required to measure delivery of core services.
- Performance measures support continuous improvement by monitoring and gating planned IT activities.
12.1.4 IT risk management across the planned activities, which includes the processes and strategies to manage the following:
- Resource allocation;
- Business risks (e.g., confidentiality, integrity, availability of core infrastructure and services, and infrastructure renewal); and
- Capacity and sustainability.
12.2 IT progress report
An annual IT progress report addresses resource allocation, schedule changes and the progress achieved against planned activities as well as offers recommendations for the next planning cycle.