Mangement response and action plan: Audit of Information Technology Systems Development at the Public Health Agency of Canada and Health Canada

Download the alternative format (PDF format, 78 Kb, 3 pages)

Recommendation 1

The Chief Information Officer should develop a management framework that documents:

Since IT development may occur in all branches, the CIO should share this CIO-approved management framework with the Executive Committees of both PHAC and HC, and clients to ensure their compliance with the framework.

Management response and planned actions Deliverable Completion date Responsibility

CSB will develop a management framework, leveraging pre-defined CIO accountabilities and delegation authorities found in new TBS policies. The framework will include all system development methodologies currently in place within HC and PHAC.

CSB will communicate the new framework to ensure branches are aware of their responsibilities when applications and systems are developed outside of IMSD.

CSB will leverage existing HC and PHAC governance to ensure that project gating decisions take architecture review into consideration.

CIO-approved Management Framework

Communications Plan

June 2020

CSB/IMSD

CSB/BREAD

CSB/CFOB

PHAC/OSPP

Management agrees with the recommendation.

Recommendation 2

The Chief Information Officer should define the key process controls for the “Agile” methodology.

Management response and planned actions Deliverable Completion date Responsibility
CSB will clarify and refine the process controls related to the “Agile” methodology.

System Development Life Cycle (SDLC) Checklist for Agile methodology

Communications Plan

September 2020 CSB/IMSD

Management agrees with the recommendation.

Recommendation 3

The Chief Information Officer should implement mandatory quality assurance processes that provides oversight and reporting to all parties who have been delegated accountability for the implementation of mandatory systems development controls. This includes business requirements, options analysis, User Acceptance Testing, and IT Security.

Management response and planned actions Deliverable Completion date Responsibility
CSB will implement mandatory risk-based quality assurance (QA) processes with tools and processes in place to ensure that the right artefacts are created at the right time in the SDLC, and that they support the successful delivery of a quality application, regardless of who is responsible for system development. SDLC Compliance checklist for Waterfall and Agile methodologies June 2020 CSB/IMSD
Communications Plan October 2020 CSB/IMSD
Draft QA Process Document December 2020 CSB/IMSD
CIO-approved QA Process May 2021 CSB/IMSD

Management agrees with the recommendation.

Recommendation 4

The Chief Information Officer should raise SGBA+ awareness and consider where SGBA+ considerations may be applicable in the process of designing IT-enabled business solutions.

Management response and planned actions Deliverable Completion date Responsibility
CSB will enhance SGBA+ awareness. Awareness Sessions April 2021 CSB/IMSD

Management agrees with the recommendation.

Page details

Date modified: