Government of Newfoundland and Labrador Office of the Chief Information Officer
Information Management Branch
GUIDELINE – INFORMATION MANAGEMENT (IM) PROGRAM PLAN
Guideline (Definition): OCIO Guidelines derive from Information Management and Protection Policy, TBM 2009-335 approved by Treasury Board on November 19, 2009. Guidelines are recommended actions, general approaches and operational behaviors. They recommend actions and are not compulsory, as they take into consideration the varying nature of the information management programs. Guidelines are generally a description that clarifies what should be done and how to achieve the objectives set out in policies and directives (source: ISO/IEC 17799:2005).
Issuing Branch: Information Management Branch
Approval Date:
Review Date: 2015 04 01
OCIO TRIM Number: DOC04592/2011
Authorizing Directive (where applicable): Information Management and Protection Policy, TBM 2009-335
GRC Approval Date: 2011 06 15
Related Directives:
Related Standards:
Related Guidelines: See References
APPROVAL AND SIGN OFF
Executive Director, Information Management Branch
(name) (signature) (date)
Note: Questions related to this guideline should be forwarded to [email protected]
Guideline – IM Program Plan
DOC04592/2011 Page 2 of 13
TABLE OF CONTENTS
1.0 Overview
2.0 Scope
3.0 Background
4.0 Recommended Approach
4.1 Review IM Drivers and Requirements:
4.2 Identify Business Alignment Requirements
4.3 Perform Current State Assessment
4.4 Set Goals and Objectives
4.5 Identify Services
4.6 Define Service Management Processes
4.7 Plan Education and Awareness
4.8 Define Resource Requirements and Allocation
4.9 Establish Governance and Organization
4.10 Establish Program Management Framework
4.11 Identify Performance Management and Reporting Requirements
4.12 Obtain Program Plan Approval
5.0 Glossary
5.1 Acronyms
6.0 References
7.0 Revision History
Appendix A: Sample Information Management (IM) Goals and Objectives Tracking Table
Appendix B: OCIO Information Management Branch Service Catalog
INFORMATION MANAGEMENT (IM) PROGRAM PLAN
GUIDELINE
1.0 Overview
An Information Management (IM) Program Plan outlines how IM works in a department. This includes governance, organization, management, services, performance management and reporting. This guideline is designed to assist public bodies in the Government of Newfoundland and Labrador to develop an appropriate Information Management (IM) Program Plan that will serve to drive the design, implementation, operation and management of an effective IM Program.
2.0 Scope
This Guideline applies to or may be used by all public bodies (hereafter referred to as departments), as defined in the Management of Information Act. The audience for this guideline includes all individuals responsible for the operation of an IM program within their department.
3.0 Background
The IM Program Plan brings to life how the IM capabilities and services are created, delivered and managed. It is a blueprint for IM within the department and a very useful guide for the typical employee in fulfilling their job responsibilities. Put simply, the IM Program Plan has an operational perspective and describes:
What IM services, projects, activities and events are provided to whom, when and why;
How they are provided or delivered, and by whom; and
How they are planned and managed to ensure end user and management satisfaction.
Implementing an IM Program Plan will contribute to the following desired outcomes:
Increased quality of IM Program planning, service delivery, management and related decision-making;
Increased confidence that the department is implementing a reasonable IM Program, including policies, services, procedures, standards and guidelines in accordance with requirements of the Management of Information Act and the Information Management and Protection Policy;
Better-managed, aligned and mission-enabling IM services;
Greater relevance and effectiveness of IM through the implementation of the IM Program Plan;
Better collaboration and coordination among the IM organization, its IM service delivery partners, the end user community and other stakeholders; and
Increased confidence that IM stakeholders’ requirements are being satisfied.
4.0 Recommended Approach
IM Program planning follows a similar process to business and strategic planning, but is entirely focused on the development and delivery of an IM Program that supports the business mission and business operations of the department. The approach described in this document can be tailored by the department as required to meet its unique mandate and lines of business. This process consists of the following activities:
Review IM Drivers and Requirements - Identify what is driving IM including the business, legal, regulatory and other compliance requirements;
Identify Business Alignment Requirements - Identify how the IM Program must align with internal and external linkages;
Perform Current State Assessment - Examine how IM is currently functioning within the department, in other similar organizations and what various external IM public bodies and standards setting bodies are doing in IM. Identify any gaps, deficiencies, lessons learned elsewhere and opportunities for improvement;
Set Goals and Objectives - Set goals, objectives and priorities for IM for the planning period to lay out what IM must do to support the business strategy and business operations of the department;
Identify Services – Identify what IM services will be provided to whom, when, where including externally supplied and internal services. Consider also what IM projects and other IM activities and events will be undertaken as part of the IM Program;
Define Service Management Processes – Outline how services will be delivered as a part of the program;
Plan Education and Awareness – What training and awareness activities and events will be undertaken;
Define Resource Requirements – What resources will be required to deliver the IM Program, including people, funding and facilities;
Establish Governance and Organization – Explain the structure of IM in the department and how it will be governed;
Establish IM Program Management Framework – How will the IM Program be managed and delivered, including resource allocation and management and IM Service Delivery;
Identify Performance Measurement and Reporting Requirements – IM Performance Measurement and Reporting requirements track how the program is progressing according to the plan;
Obtain Program Plan Approval – Once completed, the IM Program Plan is presented to the Executive for consideration and approval.
The following sections include detailed descriptions of what needs to be done at each step in the IM Program planning process.
4.1 Review IM Drivers and Requirements:
IM Drivers and Requirements identify what is driving IM including the business, legal, regulatory and other compliance requirements. Completing this step will enable those developing the IM plan to know what it is that the business intends to do and how IM can best support the business strategy and operations with the right IM services.
This is usually done by reviewing the following sources of information:
Business Strategy – Since IM must support the business operations of the department, IM needs to understand the business strategy and objectives as set out in the department’s business plan. Ideally, the business plan should contain direction from Senior Management on policy, plans, priorities, objectives, desired outcomes, and may also include specific direction or objectives for IM;
IM Vision and Guiding Principles – Defines the strategic direction and guidance for IM. The guideline Information Management (IM) Vision, Mission and Guiding Principles details how to establish these foundational components of the IM Program;
Business Requirements – what IM requirements need to be fulfilled and what IM services do the various stakeholders require;
IM Legal and Regulatory Framework – review all of the IM Legal and Regulatory requirements, including all IM Compliance requirements and how the IM Legal and Regulatory Framework and other IM compliance requirements are to be managed. The guideline Information Management (IM) Legal and Regulatory Framework outlines how to establish this at a departmental level.
4.2 Identify Business Alignment Requirements
IM needs to be aligned within the department and with external suppliers and stakeholders in order to best support the department. This is usually done by aligning and harmonizing the IM Program Plan with the department’s strategic / business plan, strategic HR plan, Business Continuity Plan and other similar plans and undertakings such that IM is part of the essential business fabric of the department and supports the department’s mission.
Good practice would be to develop the IM Program Plan in parallel with the department’s business plan to ensure alignment and synchronization of objectives and services. In this approach, the department would follow this process:
First, the business planners publish business planning guidance including the business planning process and schedule for all elements of the department;
Second, the Executive or Senior Management may also provide specific IM guidance that must be considered in the development of the IM Program Plan;
Third, IM and the other business areas of the department coordinate their planning activities such that the business requirements are known to IM and such that IM can plan to support the business requirements;
Fourth, the Executive or Senior Management would review and approve the IM Program Plan before it is reviewed and integrated as part of the department’s business planning process; and
Fifth, the department’s business planners would review business plans and the IM Program Plan to ensure adequate alignment and synchronization.
4.3 Perform Current State Assessment
Departments that have recently completed an assessment using the Information Management Capacity Assessment Tool (IMCAT) will have identified:
How IM is currently functioning within the department and in other similar organizations;
What various external IM bodies and standards-setting bodies are doing in IM; and
Gaps, deficiencies, lessons learned elsewhere and opportunities for improvement.
The findings summarized in the IMCAT report may need to be updated to reflect changes that have occurred since its completion or any department specific requirements. This information will be used to support the requirements described in subsequent sections.
4.4 Set Goals and Objectives
The IM Program Plan must define the goals and objectives for IM within the department and explain how these will be attained. It will describe how the business requirements, IM legal and regulatory requirements and the business operations of the department will be supported through the provision of IM services and the completion of IM projects and activities.
This approach will enable the IM Program planner to map IM objectives to each specific IM driver or business requirement, to explain the measures and indicators used to evaluate the achievement of that objective, and to define what services and resources are required for IM to attain that objective. A sample “IM Goals and Objectives Tracking Table” is included in Appendix A.
4.5 Identify Services
The IM Program Plan must identify the IM services that are available externally and internally. This can be thought of as the IM service catalogue for the department, and would serve as a useful reference for staff at all levels.
4.5.1 Internal Services
The IM Program Plan should describe the IM services that are provided by the department, including those supplied by its IM organization and any other IM services that are provided from other parts of the department. The IM Program Plan should provide the following information:
IM Service Description - Describe each internal IM service, as provided by the supplier of that service (normally the IM organization);
IM Service Provisioning - Identify who provides the IM service, the IM service manager and any conditions of use;
IM Service Management – Identify who in the department’s IM organization is the point of contact for that service, how service management will work, and how problems or issues will be handled and managed;
The “OCIO Information Management Branch Service Catalog”, included in Appendix B, provides an example of the type of information, level of detail, etc. that should be included. Examples of internal IM services include:
IM Advisory Services – advice and guidance on IM Policy, procedures, standards and guidelines;
Electronic Documents and Records Management System - TRIM management and scanning of paper-based documents
Records Management
o Classification System
o Records Retention and Disposal Schedule development and management
o Collections management – records rooms, storage containers, shelving
o Libraries – publication collections
IM Facilities – file and records rooms, mail distribution system;
Storage – physical and electronic
Information Protection / Information Security Management – services related to the protection and security of information assets created, used and managed by the department. This should address the four component parts of Security:
o Information Security – the policies and procedures based on sensitivity and confidentiality for the creation, handling, use, storage, conveyance and disposition of information, including:
– Security / Sensitivity System – criteria for determining what constitutes a confidential or sensitive record;
– Access Controls and Access Management – control of the assignment of access permissions to individuals such that they may access sensitive or confidential information held in physical and / or electronic records;
– Vital Records - Vital records are “records that are vital to the continuing functioning of the organization.” These records are essential for preserving, continuing or reconstructing the operations of a department and protecting the rights of the organization, its employees and its stakeholders;
– Access to Information Requests – a service governed by the Access to Information and Protection of Privacy Act (ATIPPA) that provides access to, but also specific protections for, government records (including personal information) in the custody and control of a department;
o Physical Security – of facilities (offices, rooms and work areas) and storage containers used to store information (such as filing cabinets and lockable compartments in work stations);
o Personnel Security – may include background checking of selected employees who handle certain sensitive and / or confidential information
4.5.2 External Services
External services fall into two categories. These are services provided by the OCIO and services provided by third party vendors. The IM Program Plan should describe the externally supplied IM services that the department will use, explaining:
IM Service Description and Specifications – Provided for each external IM service, as provided by the supplier of that service;
Basis - Under what contract, arrangement or agreement is the IM service being provided, including conditions of use;
IM Service Provisioning - Identify who provides the IM service, the IM service manager and any conditions of use; and
IM Service Management – Identify who in the department’s IM organization is the point of contact for that service, how service management will work, and how problems or issues will be handled and managed, and how the contract / agreement itself will be managed.
The OCIO supplies core IM and Information Technology (IT) services to government departments. See the “OCIO Information Management Branch Service Catalog” included in Appendix B for a detailed description of the services provided by the IM Branch, which focus on policies, standards and best practices for IM. Descriptions of IT services are available on the OCIO Website. All services are provided and managed under the terms of the Service Level Agreement that exists between the OCIO and the department.
External IM Services are also provided by third party vendors. In many cases, contracting for these external IM services is managed by central agencies (such as the OCIO or Government Purchasing Agency) through Master Standing Agreements. All departments are able to access IM services under such agreements. Examples include:
Offsite Storage – for records, backup media and Vital Records;
Physical Destruction – such as shredding services.
Contact your manager of financial operations to access master standing offer agreements related to IM.
4.6 Define Service Management Processes
The IM Program Plan must define how IM services will be managed within the department. IM Service Management should define for each service:
Service Description – see above;
Roles and Responsibilities - in service delivery and management
Service Standards – including for example availability of services
Service Management / Service Level Management – how changes, problems and issues are managed; and
Service Continuity Management – to what extent and how the IM service will respond to disruptive events and to what extent service continuity will be provided during a disruptive event. The IM Service Continuity Plan must be closely aligned with the department’s Business Continuity Plan and must describe the arrangements that will be enacted to provide for a required and continuing level of IM service that supports business needs during a disruptive event.
4.7 Plan Education and Awareness
The IM Program Plan must contain an IM education and awareness component to accommodate the needs of both departmental employees and IM practitioners. Education and awareness must be recognized as an important component of the IM program. Without education and awareness:
Employees may not understand their IM responsibilities as public employees
IM practices may be inconsistent across the department
Employees may not be aware of new policies, standards and guidelines related to IM
The following guidelines are used to develop departmental IM Education and Awareness Plans:
“Information Management (IM) Education and Awareness for Government Employees”
“Education and Awareness for Information Management (IM) Practitioners”
4.8 Define Resource Requirements and Allocation
The IM Program Plan should present the resource requirements necessary to deliver the program, including:
Funding - requirements for all costs for internal and external IM services, operating costs, personnel costs, and other costs for facilities, equipment and supplies;
Human Resources - Requirements for the numbers and types of staff, including:
o Salary; and
o Training and development costs;
Facilities – the facilities and space required, including any fit up costs for shelving, physical security and environmental controls (for paper based records).
These resource requirements should be developed and presented in the format required by the business planning process for ease of integration with other budgets and cost projections.
4.9 Establish Governance and Organization
The IM Program Plan should describe the IM Governance and Organization model. Development of this model is described in the Guideline Information Management (IM) Governance, Accountability and Organization. For the purpose of the plan, this information can be summarized and updated as required.
4.10 Establish Program Management Framework
The IM Program Management Framework should describe how IM is managed within the department. It should explain:
IM Program Management – how the management of the IM Program Plan and its various components, including IM services, projects, activities, events, training, professional development, career planning, performance appraisal and other undertakings are managed, such as:
o A regular recurring IM organization management team meeting to review IM Program results, performance, status, issues and problems;
o Regular reporting of IM Program results to senior management.
Resource Management, including human resources, funding and facilities – how budgets are planned, approved, and managed
Coordination Mechanisms – how the management and delivery of the IM Program will be coordinated within the department. These mechanisms are usually found in the planning process, in governance mechanisms, in recurring department management meetings where the IM director or manager will participate, and in special task teams formed to address a specific problem.
4.11 Identify Performance Measurement and Reporting Requirements
The IM Program Plan must include performance measurement and reporting requirements to track how the program is progressing according to the plan. This includes what gets reported, how it gets reported, and to whom it gets reported, including to senior management, the Executive, IM management, the end user community and other stakeholders. The Guideline Information Management (IM) Performance Measurement outlines how to develop IM performance management and reporting requirements.
4.12 Obtain Program Plan Approval
The IM Program Plan must be reviewed as appropriate by departmental stakeholders as per established departmental protocols. The final IM Program Plan must be approved by the Executive.
5.0 Glossary
Information Management
IM Vision
TRIM
5.1 Acronyms
ATIPPA Access to Information and Protection of Privacy Act
GNL Government of Newfoundland and Labrador
IM Information Management
IMCAT Information Management Capacity Assessment Tool
OCIO Office of the Chief Information Officer
6.0 References
Management of Information Act
Information Management and Protection Policy, TBM 2009-335
Guideline – Education and Awareness for Information Management (IM) Practitioners
Guideline – Information Management (IM) Education and Awareness for Government Employees
Guideline – Information Management (IM) Governance, Accountability and Organization
Guideline – Information Management (IM) Legal and Regulatory Framework
Guideline – Information Management (IM) Performance Measurement
Guideline – Information Management (IM) Vision, Mission and Guiding Principles
7.0 Revision History
Date Reviewed Reviewed By
2011-01-19 Iris Power, Director of Information Services
2011-03-08 Shelley Smith, Executive Director Information Management
2011-03-17 Information Management Standards Board (IMSB)
2011-04-04 Government Records Committee (GRC)
2015-04-01 Bun Power, IM Consultant, IM Services
Appendix A: Sample Information Management (IM) Goals and Objectives Tracking Table
S:\Information Management\IMCASample Information Management Goals and Objectives Tracking Table 20XX.doc
Appendix B: OCIO Information Management Branch Service Catalog
S:\Information Management\IMCAT Bundle Guidelines\OCIO Service Catalog.pdf