IM/IT Standards Frequently Asked Questions
What is the difference between an IM/IT Standard and Information Security Policy or Core Policy?
A policy is a statement of intent, whereas a standard is a convention or requirement. As an example, a policy may state that "you must encrypt sensitive traffic" and a corresponding standard may specify to use "128-bit SSL encryption". Contact us directly via email for questions related to Information Security Policy or IM/IT Standards. For questions on Chapter 12 of Core Policy, contact IM.ITPolicy@gov.bc.ca.
What if I am unable to comply with a standard or policy?
In some cases, agencies are unable to comply with a standard or policy and occasionally need more time to come into compliance. If so, they must request an exemption from the standard or policy. Before submitting a request for exemption, please review the Exemption FAQs. Once you have reviewed the FAQs, you can request an exemption.
How are standards developed?
The Office of the Chief Information Officer (OCIO) is responsible for leading the development, maintenance and communication of government-wide IM/IT architectures and standards. Details about this process can be found in the Standards Development Lifecycle document (currently being reviewed).
Who oversees standards?
The Architecture and Standards Review Board (ASRB) is responsible for reviewing and recommending for approval to the OCIO and the CIO Council proposed architecture and standards as well as changes to existing architecture and standards. Details about the ASRB's purpose, how it is organized and how it operates can be found in the ASRB operations document.
Where can I get previous versions of standards?
What is the difference between exemptions to IM/IT Standards and exemptions to Information Security Policy or Chapter 12 of Core Policy?
The submission process is the same for an exemption to a standard or a policy. OCIO staff work collaboratively to process every exemption request.
How do I know if I need an exemption?
What will I need to include with my exemption?
Note: a Privacy Impact Assessment and a Security Threat and Risk Assessment are not required for exemptions to Section 12.3.5 of Chapter 12 of Core Policy.
- Privacy Impact Assessment (PIA)
- Security Threat and Risk Assessment (STRA)
- Approvals from your: Ministry Information Security Officer and Ministry Chief Information Officer (pdf)
- A completed request form
Who can submit an exemption? What approvals do I need?
Only core government staff can submit an exemption; however, they can do it on behalf of contractors. You will need approval from your Ministry Information Security Officer and Ministry Chief Information Officer (pdf).
After submitting an exemption, how can I find the status?
We are in the process of a review of this. In the interim, please contact us.
How long will it take to process my exemption?
Exemption processing times vary depending on the complexity of the request. We are working on streamlining his process and will update this page during the process.