Appendix H: Standard on At-Risk Information Technology
Hierarchy
Appendix H. Standard on At-Risk Information Technology (IT)
H.1 Effective date
- H.1.1This standard takes effect on May 4, 2022.
H.2 Standards
Technology management
- H.2.1This standard provides details on the requirements set out in subsection 4.4.3.16 and subsection 4.4.2.2 of the Directive on Service and Digital.
- H.2.2Departmental CIOs must:
- H.2.2.1Update and keep departmental business applications current, such that they have an aging IT assessment value of “Minimal attention required,” as recorded in the TBS Application Portfolio Management tool;
- H.2.2.2Identify the version state for all software and hardware as either future, current, supported or unsupported; and
- H.2.2.3Apply major and minor updates, and keep technologies patched according to the departmental patch management plan.
IT progress reporting
- H.2.2.4Complete for inclusion in the departmental plan, for the integrated management of service, information, data, IT and cyber security:
- H.2.2.4.1A migration activity report for technologies that are no longer a current version;
- H.2.2.4.2A rationalization report, which identifies opportunities for the department to leverage common departmental or enterprise architectures and to reduce the overall number of departmental platforms; and
- H.2.2.4.3The departmental patch management plan, which aligns with the GC Patch Management Guidance.
Use of unsupported technologies
- H.2.2.5Prohibit the use of unsupported technologies and the technologies listed on the Deprecated Government of Canada Technologies page.
Definitions
- current version
-
This is the version of the technology that the provider markets, promotes and supports. The provider could be a company that sells a particular technology, a department (for a tool that it has built for itself) or a community that maintains an open-source technology. For in-house applications, this is the version that is used in the production environment and for which most updates, patches and other maintenance efforts are designed. This version is also known as the production version, release-to-manufacture version, general availability release or gold build.
- supported version
-
This is the version of the technology that the provider continues to support with updates, patches, fixes and improvements to the product. The provider of the technology has not stopped support. The provider’s product roadmap is used as the authoritative source for determining whether a technology is supported.
Extended support refers to the situation where the provider of the technology continues to provide updates, patches and fixes at a negotiated, and usually additional, cost. The provider has stopped all commercial support. The provider’s product roadmap is used as the authoritative source for determining whether a technology is supported.
- future version
-
A version of the technology that:
- Is not yet fully released;
- Contains new or modified features; and
- May not have undergone full quality control.
This version is also known as the alpha version, pre-alpha version, beta version, pre-release candidate or prototype.
- unsupported version
-
An older version of the technology that has been replaced, eliminated or deprecated, and is no longer supported by the provider.