
Government of Newfoundland and Labrador Office of the Chief Information Officer

Information Management Branch

GUIDELINE – INFORMATION MANAGEMENT (IM) PROGRAM PLAN

Guideline (Definition): OCIO Guidelines derive from Information Management and Protection Policy, TBM 2009-335 approved by Treasury Board on November 19, 2009. Guidelines are recommended actions, general approaches and operational behaviors. They recommend actions and are not compulsory, as they take into consideration the varying nature of the information management programs. Guidelines are generally a description that clarifies what should be done and how to achieve the objectives set out in policies and directives (source: ISO/IEC 17799:2005).

Issuing Branch Information Management Branch

Approval Date

Review Date 2015 04 01

OCIO TRIM Number DOC04592/2011

Authorizing Directive

(Where applicable)

Information Management and Protection Policy, TBM 2009-335

GRC Approval Date 2011 06 15

Related Directives

Related Standards

Related Guidelines See References

APPROVAL AND SIGN OFF

Executive Director, Information Management Branch

(name) (signature) (date)

Note: Questions related to this guideline should be forwarded to [email protected]


Guideline – IM Program Plan

DOC04592/2011 Page 2 of 13

TABLE OF CONTENTS

1.0 Overview ................................................................................................................ 3

2.0 Scope ..................................................................................................................... 3

3.0 Background ............................................................................................................ 3

4.0 Recommended Approach ....................................................................................... 4

4.1 Review IM Drivers and Requirements .................................................................................. 5

4.2 Identify Business Alignment Requirements ......................................................................... 5

4.3 Perform Current State Assessment ..................................................................................... 6

4.4 Set Goals and Objectives .................................................................................................... 6

4.5 Identify Services .................................................................................................................. 6

4.6 Define Service Management Processes ............................................................................. 8

4.7 Plan Education and Awareness .......................................................................................... 8

4.8 Define Resource Requirements and Allocation .................................................................. 9

4.9 Establish Governance and Organization ............................................................................. 9

4.10 Establish Program Management Framework ...................................................................... 9

4.11 Identify Performance Measurement and Reporting Requirements .................................... 10

4.12 Obtain Program Plan Approval .......................................................................................... 10

5.0 Glossary ............................................................................................................... 10

5.1 Acronyms ........................................................................................................................... 10

6.0 References ........................................................................................................... 11

7.0 Revision History ................................................................................................... 11

Appendix A: Sample Information Management (IM) Goals and Objectives Tracking Table .......... 12

Appendix B: OCIO Information Management Branch Service Catalog .......................................... 13


INFORMATION MANAGEMENT (IM) PROGRAM PLAN

GUIDELINE

1.0 Overview

An Information Management (IM) Program Plan outlines how IM works in a department. This includes governance, organization, management, services, performance management and reporting. This guideline is designed to assist public bodies in the Government of Newfoundland and Labrador to develop an appropriate Information Management (IM) Program Plan that will serve to drive the design, implementation, operation and management of an effective IM Program.

2.0 Scope

This Guideline applies to or may be used by all public bodies (hereafter referred to as departments), as defined in the Management of Information Act. The audience for this guideline includes all individuals responsible for the operation of an IM program within their department.

3.0 Background

The IM Program Plan brings to life how the IM capabilities and services are created, delivered and managed. It is a blueprint for IM within the department and a very useful guide for the typical employee in fulfilling their job responsibilities. Put simply, the IM Program Plan has an operational perspective and describes:

What IM services, projects, activities and events are provided to whom, when and why;

How they are provided or delivered, and by whom; and

How they are planned and managed to ensure end user and management satisfaction.

Implementing an IM Program Plan will contribute to the following desired outcomes:

Increased quality of IM Program planning, service delivery, management and related decision-making;

Increased confidence that the department is implementing a reasonable IM Program, including policies, services, procedures, standards and guidelines in accordance with requirements of the Management of Information Act and the Information Management and Protection Policy;

Better-managed, aligned and mission-enabling IM services;

Greater relevance and effectiveness of IM through the implementation of the IM Program Plan;

Better collaboration and coordination among the IM organization, its IM service delivery partners, the end user community and other stakeholders; and

Increased confidence that IM stakeholders’ requirements are being satisfied.


4.0 Recommended Approach

IM Program planning follows a similar process to business and strategic planning, but is entirely focused on the development and delivery of an IM Program that supports the business mission and business operations of the department. The approach described in this document can be tailored by the department as required to meet its unique mandate and lines of business. This process consists of the following activities:

Review IM Drivers and Requirements - Identify what is driving IM including the business, legal, regulatory and other compliance requirements;

Identify Business Alignment Requirements - Identify how the IM Program must align with internal and external linkages;

Perform Current State Assessment - Examine how IM is currently functioning within the department, in other similar organizations and what various external IM public bodies and standards setting bodies are doing in IM. Identify any gaps, deficiencies, lessons learned elsewhere and opportunities for improvement;

Set Goals and Objectives - Set goals, objectives and priorities for IM for the planning period to lay out what IM must do to support the business strategy and business operations of the department;

Identify Services – Identify what IM services will be provided to whom, when, where including externally supplied and internal services. Consider also what IM projects and other IM activities and events will be undertaken as part of the IM Program;

Define Service Management Processes – Outline how services will be delivered as a part of the program;

Plan Education and Awareness – What training and awareness activities and events will be undertaken;

Define Resource Requirements – What resources will be required to deliver the IM Program, including people, funding and facilities;

Establish Governance and Organization – Explain the structure of IM in the department and how it will be governed;

Establish IM Program Management Framework – How will the IM Program be managed and delivered, including resource allocation and management and IM Service Delivery;

Identify Performance Measurement and Reporting Requirements – IM Performance Measurement and Reporting requirements track how the program is progressing according to the plan;

Obtain Program Plan Approval – Once completed, the IM Program Plan is presented to the Executive for consideration and approval.

The following sections include detailed descriptions of what needs to be done at each step in the IM Program planning process.


4.1 Review IM Drivers and Requirements

IM Drivers and Requirements identify what is driving IM including the business, legal, regulatory and other compliance requirements. Completing this step will enable those developing the IM plan to know what it is that the business intends to do and how IM can best support the business strategy and operations with the right IM services.

This is usually done by reviewing the following sources of information:

Business Strategy – Since IM must support the business operations of the department, IM needs to understand the business strategy and objectives as set out in the department’s business plan. Ideally, the business plan should contain direction from Senior Management on policy, plans, priorities, objectives, desired outcomes, and may also include specific direction or objectives for IM;

IM Vision and Guiding Principles – Defines the strategic direction and guidance for IM. The guideline Information Management (IM) Vision, Mission and Guiding Principles details how to establish these foundational components of the IM Program;

Business Requirements – what IM requirements need to be fulfilled and what IM services do the various stakeholders require;

IM Legal and Regulatory Framework – review all of the IM Legal and Regulatory requirements, including all IM Compliance requirements and how the IM Legal and Regulatory Framework and other IM compliance requirements are to be managed. The guideline Information Management (IM) Legal and Regulatory Framework outlines how to establish this at a departmental level.

4.2 Identify Business Alignment Requirements

IM needs to be aligned within the department and with external suppliers and stakeholders in order to best support the department. This is usually done by aligning and harmonizing the IM Program Plan with the department’s strategic / business plan, strategic HR plan, Business Continuity Plan and other similar plans and undertakings such that IM is part of the essential business fabric of the department and supports the department’s mission.

Good practice would be to develop the IM Program Plan in parallel with the department’s business plan to ensure alignment and synchronization of objectives and services. In this approach, the department would follow this process:

First, the business planners publish business planning guidance including the business planning process and schedule for all elements of the department;

Second, the Executive or Senior Management may also provide specific IM guidance that must be considered in the development of the IM Program Plan;

Third, IM and the other business areas of the department coordinate their planning activities such that the business requirements are known to IM and such that IM can plan to support the business requirements;

Fourth, the Executive or Senior Management would review and approve the IM Program Plan before it is reviewed and integrated as part of the department’s business planning process; and

Fifth, the department’s business planners would review business plans and the IM Program Plan to ensure adequate alignment and synchronization.


4.3 Perform Current State Assessment

Departments that have recently completed an assessment using the Information Management Capacity Assessment Tool (IMCAT) will have identified:

How IM is currently functioning within the department and in other similar organizations;

What various external IM bodies and standards setting bodies are doing in IM; and

Gaps, deficiencies, lessons learned elsewhere and opportunities for improvement.

The findings summarized in the IMCAT report may need to be updated to reflect changes that have occurred since its completion or any department specific requirements. This information will be used to support the requirements described in subsequent sections.

4.4 Set Goals and Objectives

The IM Program Plan must define the goals and objectives for IM within the department and explain how these will be attained. It will describe how the business requirements, IM legal and regulatory requirements and the business operations of the department will be supported through the provision of IM services and the completion of IM projects and activities.

This approach will enable the IM Program planner to map IM objectives to each specific IM driver or business requirement, to explain what measures and indicators will be used to evaluate the achievement of that objective, and to define what services and resources are required for IM to attain that objective. A sample “IM Goals and Objectives Tracking Table” is included in Appendix A.

4.5 Identify Services

The IM Program Plan must identify the IM services that are available externally and internally. This can be thought of as the IM service catalogue for the department, and would serve as a useful reference for staff at all levels.

4.5.1 Internal Services

The IM Program Plan should describe the IM services that are provided by the department, including those supplied by its IM organization and any other IM services that are provided from other parts of the department. The IM Program Plan should provide the following information:

IM Service Description - Describe each internal IM service, as provided by the supplier of that service (normally the IM organization);

IM Service Provisioning - Identify who provides the IM service, the IM service manager and any conditions of use;

IM Service Management – Identify who in the department’s IM organization is the point of contact for that service, how service management will work, and how problems or issues will be handled and managed;

The “OCIO Information Management Branch Service Catalog”, included in Appendix B, provides an example of the type of information, level of detail, etc. that should be included. Examples of internal IM services include:


IM Advisory Services – advice and guidance on IM Policy, procedures, standards and guidelines;

Electronic Documents and Records Management System – TRIM management and scanning of paper-based documents;

Records Management

o Classification System

o Records Retention and Disposal Schedule development and management

o Collections management – records rooms, storage containers, shelving

o Libraries – publication collections

IM Facilities – file and records rooms, mail distribution system;

Storage – physical and electronic

Information Protection / Information Security Management – services related to the protection and security of information assets created, used and managed by the department. This should address the four component parts of Security:

o Information Security – the policies and procedures based on sensitivity and confidentiality for the creation, handling, use, storage, conveyance and disposition of information, including:

– Security / Sensitivity System – criteria for determining what constitutes a confidential or sensitive record;

– Access Controls and Access Management – control of the assignment of access permissions to individuals such that they may access sensitive or confidential information held in physical and / or electronic records;

– Vital Records - Vital records are “records that are vital to the continuing functioning of the organization.” These records are essential for preserving, continuing or reconstructing the operations of a department and protecting the rights of the organization, its employees and its stakeholders;

– Access to Information Requests – a service governed by the Access to Information and Protection of Privacy Act (ATIPPA) that provides access to, but also specific protections for, government records (including personal information) in the custody and control of a department;

o Physical Security – of facilities (offices, rooms and work areas) and storage containers used to store information (such as filing cabinets and lockable compartments in work stations);

o Personnel Security – may include background checking of selected employees who handle certain sensitive and / or confidential information

4.5.2 External Services

External services fall into two categories. These are services provided by the OCIO and services provided by third party vendors. The IM Program Plan should describe the externally supplied IM services that the department will use, explaining:

IM Service Description and Specifications – Provided for each external IM service, as provided by the supplier of that service;


Basis - Under what contract, arrangement or agreement is the IM service being provided, including conditions of use;

IM Service Provisioning - Identify who provides the IM service, the IM service manager and any conditions of use; and

IM Service Management – Identify who in the department’s IM organization is the point of contact for that service, how service management will work, and how problems or issues will be handled and managed, and how the contract / agreement itself will be managed.

The OCIO supplies core IM and Information Technology (IT) services to government departments. See the “OCIO Information Management Branch Service Catalog” included in Appendix B for a detailed description of the services provided by the IM Branch, which focus on policies, standards and best practices for IM. Descriptions of IT services are available on the OCIO Website. All services are provided and managed under the terms of the Service Level Agreement that exists between the OCIO and the department.

External IM Services are also provided by third party vendors. In many cases, contracting for these external IM services is managed by central agencies (such as the OCIO or Government Purchasing Agency) through Master Standing Agreements. All departments are able to access IM services under such agreements. Examples include:

Offsite Storage – for records, backup media and Vital Records;

Physical Destruction – such as shredding services.

Contact your manager of financial operations to access master standing offer agreements related to IM.

4.6 Define Service Management Processes

The IM Program Plan must define how IM services will be managed within the department. IM Service Management should define for each service:

Service Description – see above;

Roles and Responsibilities – in service delivery and management;

Service Standards – including, for example, availability of services;

Service Management / Service Level Management – how changes, problems and issues are managed; and

Service Continuity Management – to what extent and how the IM service will respond to disruptive events and to what extent service continuity will be provided during a disruptive event. The IM Service Continuity Plan must be closely aligned with the department’s Business Continuity Plan and must describe the arrangements that will be enacted to provide for a required and continuing level of IM service that supports business needs during a disruptive event.

4.7 Plan Education and Awareness

The IM Program Plan must contain an IM education and awareness component to accommodate the needs of both departmental employees and IM practitioners. Education and awareness must be recognized as an important component of the IM program. Without education and awareness:


Employees may not understand their IM responsibilities as public employees

IM practices may be inconsistent across the department

Employees may not be aware of new policies, standards and guidelines related to IM

The following guidelines are used to develop departmental IM Education and Awareness Plans:

“Information Management (IM) Education and Awareness for Government Employees”

“Education and Awareness for Information Management (IM) Practitioners”

4.8 Define Resource Requirements and Allocation

The IM Program Plan should present the resource requirements necessary to deliver the program, including:

Funding - requirements for all costs for internal and external IM services, operating costs, personnel costs, and other costs for facilities, equipment and supplies;

Human Resources - Requirements for the numbers and types of staff, including:

o Salary; and

o Training and development costs;

Facilities – the facilities and space required, including any fit up costs for shelving, physical security and environmental controls (for paper based records).

These resource requirements should be developed and presented in the format required by the business planning process for ease of integration with other budgets and cost projections.

4.9 Establish Governance and Organization

The IM Program Plan should describe the IM Governance and Organization model. Development of this model is described in the Guideline Information Management (IM) Governance, Accountability and Organization. For the purpose of the plan, this information can be summarized and updated as required.

4.10 Establish Program Management Framework

The IM Program Management Framework should describe how IM is managed within the department. It should explain:

IM Program Management – how the management of the IM Program Plan and its various components, including IM services, projects, activities, events, training, professional development, career planning, performance appraisal and other undertakings are managed, such as:

o A regular recurring IM organization management team meeting to review IM Program results, performance, status, issues and problems;

o Regular reporting of IM Program results to senior management.


Resource Management, including human resources, funding and facilities – how budgets are planned, approved, and managed

Coordination Mechanisms – how the management and delivery of the IM Program will be coordinated within the department. These mechanisms are usually found in the planning process, in governance mechanisms, in recurring department management meetings where the IM director or manager will participate, and in special task teams formed to address a specific problem.

4.11 Identify Performance Measurement and Reporting Requirements

The IM Program Plan must include performance measurement and reporting requirements to track how the program is progressing according to the plan. This includes what gets reported, how it gets reported, and to whom it gets reported, including to senior management, the Executive, IM management, the end user community and other stakeholders. The Guideline Information Management (IM) Performance Measurement outlines how to develop IM performance management and reporting requirements.

4.12 Obtain Program Plan Approval

The IM Program plan must be reviewed as appropriate by departmental stakeholders as per established departmental protocols. The final IM Program Plan must be approved by the Executive.

5.0 Glossary

Information Management

IM Vision

TRIM

5.1 Acronyms

ATIPPA Access to Information and Protection of Privacy Act

GNL Government of Newfoundland and Labrador

IM Information Management

IMCAT Information Management Capacity Assessment Tool

OCIO Office of the Chief Information Officer


6.0 References

Management of Information Act

Information Management and Protection Policy, TBM 2009-335

Guideline – Education and Awareness for Information Management (IM) Practitioners

Guideline – Information Management (IM) Education and Awareness for Government Employees

Guideline – Information Management (IM) Governance, Accountability and Organization

Guideline – Information Management (IM) Legal and Regulatory Framework

Guideline – Information Management (IM) Performance Measurement

Guideline – Information Management (IM) Vision, Mission and Guiding Principles

7.0 Revision History

Date Reviewed Reviewed By

2011-01-19 Iris Power, Director of Information Services

2011-03-08 Shelley Smith, Executive Director Information Management

2011-03-17 Information Management Standards Board (IMSB)

2011-04-04 Government Records Committee (GRC)

2015-04-01 Bun Power, IM Consultant, IM Services


Appendix A: Sample Information Management (IM) Goals and Objectives Tracking Table

S:\Information Management\IMCASample Information Management Goals and Objectives Tracking Table 20XX.doc


Appendix B: OCIO Information Management Branch Service Catalog

S:\Information Management\IMCAT Bundle Guidelines\OCIO Service Catalog.pdf