Internal Audit of Information Management
Prepared for: Office of the Privacy Commissioner of Canada
Date : June 2023
Prepared by: Raymond Chabot Grant Thornton, RCGT Consulting
Executive Summary
Background and Context
The Privacy Commissioner is an Officer of Parliament, who reports directly to the House of Commons and the Senate. The mandate of Office of the Privacy Commissioner (OPC) is to oversee compliance with both the Privacy Act (PA), which covers the personal information-handling practices of federal government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.
The OPC’s mission is to protect and promote the privacy rights of individuals. The Commissioner is an advocate for the privacy rights of Canadians and his powers include:
- Investigating complaints, conducting audits and pursuing court action under two federal laws;
- Publicly reporting on the personal information-handling practices of public and private sector organizations;
- Supporting, undertaking and publishing research into privacy issues; and,
- Promoting public awareness and understanding of privacy issues.
The OPC’s strategic and operating environment is in a constant state of evolution. It is influenced by the unrelenting speed of technological change, the array of new business models and different means of collecting and manipulating data, which are outpacing privacy protections.
These elements combined with an increase in data breaches affecting millions and daily scandals relating to uses of Canadians’ personal information, are just a few realities of today’s privacy landscape.
The size and complexity of the OPC’s mandate, and a desire to address privacy issues at a more strategic level, has made the need for business intelligence (BI) vital. The OPC is in the process of developing its BI function in order to support the organization’s efforts to make better use of information for strategic decision-making, thereby supporting the OPC’s vision for a more proactive approach to protecting the privacy rights of Canadians. The OPC has several strategic priorities for which BI is a key success factor:
- Shift towards more proactive measures to empower individuals and guide organisations towards compliance
- Make more strategic use of enforcement powers to achieve greater compliance with federal privacy laws
- Optimize organizational capacity and agility to focus on results
An effective IM Framework and sound information management practices are foundational to the ability to leverage information for decision-making. Effective information management is a key enabler supporting BI objectives. As such, IM was identified as a priority area for auditing in 2021-2022.
An effective information management program includes appropriate governance, policies, tools, training and the application of compliance mechanisms to demonstrate the program’s effectiveness. Due to the sensitivity of the information held by the OPC (e.g. investigation-related documentation), it is important that the OPC has strong information management processes in place.
With the OPC’s increased focus on using BI for decision-making, new information assets and datasets will be developed, and it is important to ensure that the information assets are subject to a robust information management framework to efficiently and effectively support the OPC in the delivery of its mandate.
The IM audit was aimed at providing assurance on the adequacy and effectiveness of the Information Management Framework including governance, processes, and tools, to support the OPC’s BI objectives.
Summary of Findings
The Key findings with regards to the audit are provided below.
Strengths
Governance – Roles, Responsibilities, Accountabilities and Decision-Making
- An IM Organizational structure is in place with identified roles and responsibilities. The organizational chart is available to staff.
- The IM governance structure includes the Data Governance Working Group, the IM/IT Architecture Review Board, Privacy Accountability Working Group and Executive Management Board (EMB+ and EMB).
- Job descriptions for key IM positions (Director, IMIT and Manager, Information Management) and BI positions (BI Officer & Strategic Advisors) are approved by appropriate personnel evidenced by their sign offs.
- The IM/IT strategic and operational planning process is in place.
IM Processes including Controls
- The OPC classification of information chart and guide are available on the OPC collaboration (SharePoint and Intranet site) site and are easily accessible by employees.
- Procedural and training documents for Officium and Ci2 are available on the OPC collaboration (SharePoint) site and are easily accessible by employees.
- Naming Conventions - Guide and Best Practices' is available on the OPC collaboration (SharePoint and Intranet site) site and is easily accessible by employees.
- Request to make changes to Officium panels are reviewed by the IM team to ensure that they are in conformity with the existing taxonomy and the consistency of the metadata.
IM Resources
- IM provides individual training to new hires on Officium and IM best practices.
- Procedural and training documents for Officium, Ci2, Classification of Information and Naming Conventions are available on the OPC collaboration (SharePoint) site.
- As Officium training is mandatory, the IM team maintains a record of training date and refresher sessions undertaken by the employees.
- The Canada School of the Public Service’s Fundamentals of Information Management (COR501) course is part of the mandatory training in the employee’s learning roadmap. Completion of the training is tracked by Human Resources group.
Cloud Migration
- The OPC is migrating to the cloud will ensure that all metadata will be captured and fully automated through the information architecture in MS Teams. The information architecture will be reviewed periodically.
Findings
- While the OPC has distinct IM/IT and BI governance structures in place, the linkages between them have not been formally defined and communicated.
- Although the OPC has a guide and best practices for naming conventions, it is not consistently followed.
- While a classification of information chart, guide and procedural and training documents for Officium, Ci2 and Naming Conventions were readily available and accessible to employees, no evidence was provided to demonstrate that quality assurance, monitoring and data validation were performed to ensure that data classification and labelling were performed in alignment with the established chart and guidance materials.
- The OPC does not have a process or procedure in place to ensure complete and accurate data is available.
- The oversight and monitoring of training for Ci2, Classification of Information and Naming Conventions is not being conducted and/or documented on a regular basis.
Though the audit focused on IM as a foundational element of BI, and not the implementation of BI per se, the audit team provided some observations and considerations to management gathered in the context of this project, separate from this report, to assist the OPC as it works towards developing its BI capabilities.
Conclusion
Based on the aforementioned observations and overall scope of the audit, the OPC has moderate issues related to the effectiveness of its current IM practices in support of BI objectives. The recommendations included in this report are intended to further strengthen these processes. Management responses are included at the end of each finding.
This report and audit were conducted for OPC management purposes. Use of this report for other purposes may not be appropriate.
Statement of Conformance
In our professional judgement, sufficient and appropriate audit procedures were performed, and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The evidence was gathered in accordance with the Treasury Board Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing.
Audit objective, Scope and Approach
Background
The Office of the Privacy Commissioner of Canada (OPC) is responsible for overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law.
The OPC is an Officer of Parliament, who reports directly to the House of Commons and the Senate. The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector.
The Commissioner is an advocate for the privacy rights of Canadians and his powers include:
- Investigating complaints, conducting audits and pursuing court action under two federal laws;
- Publicly reporting on the personal information-handling practices of public and private sector organizations;
- Supporting, undertaking and publishing research into privacy issues; and,
- Promoting public awareness and understanding of privacy issues.
The OPC conducted its 2021-2022/2023-2024 Risk-Based Audit and Advisory Plan to confirm the audit engagement to be undertaken in 2021-22 and it was decided that the next audit engagement would be the audit of the OPC’s Information Management Framework and practices to ensure they are adequate and effective, in support of the OPC’s BI objectives.
The OPC is in the process of developing its BI function to support the organization’s efforts to make better use of information for decision-making, OPC has continued to build internal capacity and invested in the groundwork for better use of information and BI to drive decision-making and resource allocations in the future. The Sector Heads have lead responsibilities for exercising leadership of the BI function and are supported by three BI Officer and Strategic Advisors that report directly to the Deputy Commissioners.
The information management function resides within the Information Management/Information Technology (IM/IT) Directorate and is part of the Corporate Management Sector. The 2020-21 funding for the IM/IT Directorate was $4.5M with 25 full time employees.Footnote 1 It is responsible for ensuring that effective IM governance, practices and policies are in place to safeguard information as a public trust and managed as a strategic asset to maximize its value in the service of Canadians.
A dedicated group within the IM/IT Directorate (7 FTEs) oversees day-to-day IM activities related to the management of electronic documents, records office, knowledge management (including training on collaboration tools) and other specific initiatives such as the implementation of Open Government. Adequate IM ensures that information is available to the right person, at the right time and in the right format. IM helps dictate how the OPC forms strategies and implement processes based on information. The OPC can achieve productivity gains by utilising effective IM.
The purpose of IM is to support decision making and achieve organizational objectives. Effective information management is a shared responsibility across all of the OPC. All employees are responsible for documenting their activities and decisions of business value in the OPC’s official record management systems in line with IM policy requirements.
Staff and management identified the Case Management System (CMS) - Ci2 Module and Officium as key IM tools being used at the OPC. The IM/IT roadmap for 2019-22Footnote 2 includes the redesign of Ci2 for Complaints and Investigations in the cloud, building of Ci2 in the cloud and migrating Ci2 data to cloud and migrating Officium information to the new Electronic Document and Records Management System (EDRMS) online.
Audit Objective
The objective of the audit was to provide assurance on the adequacy and effectiveness of the Information Management Framework including governance, processes, and tools in advancing the OPC’s BI objectives by assessing:
- The effectiveness of IM governance and roles, responsibilities, and accountabilities.
- The effectiveness of IM processes, tools (Ci2 and Officium) and controls.
- The effectiveness of IM resources including resource planning and training.
Audit Scope
The scope of this audit included assessments of the IM governance structure, processes including controls, tools, and IM resources and IM practices within all the sectors. While the audit covered the period from August 1st, 2020, to May 31st, 2022, additional information was provided to the audit team in the conduct phase of the audit.
The following areas were out of scope for this audit:
- Data and information managed by Shared Services Canada or any other external stakeholder; mainly, MyGCHR and GX (financial system) and Phoenix.
- Assessment of the documents related to security classification (i.e., Protected A, B or C and Confidential, Secret, Top Secret Classifications).
- Cyber security is a key risk. However, a third-party audit and assessment was conducted and there is a Framework and management action plan (MAP) in place.
Audit Approach and Methodology
The audit included an extensive Planning Phase, which initially considered the OPC’s IM-related Risk Universe. Based on risks identified in the Planning Phase of the audit, a risk-based audit program was developed to detail how the audit objective, criteria and risks would be addressed. The audit program included the following procedures:
- Documentation review and analysis.
- Interviews with OPC stakeholders and any other team or sector as required.
- Review of processes supporting IM decision making, IM governance, data quality and integrity, data classification, data access, naming conventions and training of IM employees.
The audit leveraged the following guidelines, directives, and standards by the federal government of Canada (Treasury Board) and an internationally recognized standard by Information Systems Audit and Control Association (ISACA). Refer to Appendix C for additional information.
The audit was conducted within the following timelines:
- Planning Phase: August 2021 – February 2022
- Conduct Phase: February 2022 – July 2022
- Reporting Phase: August-November 2022
- Presentation to the OPC Audit Committee: December 2022
Audit Team
- Marco Perron, Partner / Quality Assurance
- Zakaria Kamaly, Project Manager / Leader
- Sanjay Verma, Senior Auditor
- Karim Najjar, Auditor
- Ella Stevens, Junior Auditor
Audit Findings and Recommendations
Finding 1: Governance and Strategy
IM/IT Governance
COBIT is a comprehensive, internationally recognized framework developed to support the understanding, design and implementation of the management and governance of enterprise IT. According to COBIT 2019, governance over IM/IT includes and requires the development and implementation of formal processes, organizational structures, policies and procedures, information flows, skills and competencies, services, infrastructure, and applications. The governance structure help ensure that:
- Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
- Direction is set through prioritization and decision making.
- Performance and compliance are monitored against agreed-on direction and objectives.
Within the OPC IM/IT team, strong governance structures and practices would help promote effective oversight and facilitate informed decision-making. As part of the audit, the audit team expected to find that the OPC has established an IM governance structure, with defined and communicated roles, responsibilities, and accountabilities. Given that IM/IT is a key enabler of BI, and given that IM/IT and BI are managed separately, the audit team expected to find strong linkages and integration between the governance structures of IM and BI. For an organization the size of OPC, governance and management activities do not necessarily require numerous processes and levels of approval, but should occur in a formal and integrated manner.
We found that the OPC IM/IT governance structure incorporated several working groups and bodies, including; the Data Governance Working Group, IM/IT Architecture Review Board, Privacy Accountability Working Group and Executive Management Board (EMB+ and EMB). The OPC’s BI analysts sit on the Data Governance Working Group and the Sector Heads, who have lead responsibilities for the BI function, sit on the EMB and EMB+. The audit team noted that monthly BI meetings are held between the three (3) BI officers, the three (3) Deputy Commissioners and Head of Legal Services and the Director of IM/IT sits on these monthly meetings.
A formal IM/IT organizational structure is in place with clearly identified and defined roles and responsibilities. Job descriptions for key IM/IT positions (Director, IM/IT and Manager, Information Management) are documented and approved by appropriate personnel, evidenced by formal sign offs. The audit team also examined the roles and responsibilities related to BI to ensure they are clearly defined. We found that the job descriptions for the three (3) BI Officers were documented and approved by appropriate personnel, evidenced by formal sign offs. While the BI-related job descriptions were in place, interviews noted that BI roles and responsibilities were not clearly understood. Opportunities exist to further clarify the roles and responsibilities of IM and BI and data stewardship across the organization in order to ensure the timely progression of key BI objectives and initiatives.
The combination of working groups/ bodies and organizational positions were found to provide leadership in planning, implementing, and maintaining an integrated IM/IT infrastructure, program, service capability and supported effective decision making and oversight of the IM/IT function.
IM Strategy in Support of BI
An IM strategy and plan allows an organization to (1) standardize and align its IM practices and (2) meet the requirements of an information governance framework. IM and IT planning is critical to ensure corporate priorities are achieved, as such, the team expected to find an overall IM/IT Strategy had been developed and implemented, aligned with the OPC’s corporate priorities and vision.
The integration of BI goals and strategy within the IM/IT Strategy is key to the advancement of BI in terms of technologies, applications and practices for the collection, integration, analysis, and presentation of data to support effective decision making. This linkage is of particular importance as the OPC has several strategic priorities for which BI is a key success factor. Under this context, the audit team expected that the OPC had developed and implemented an IM strategy and plan, which integrated and supported the OPC’s BI strategy and objectives, and that IM had sufficient capacity and expertise to support them.
We found that the OPC’s IM/IT strategy contained the expected key elements of a strategic document, including requirements related to IM/IT structures, processes, tools, and guidance. The Strategy is aligned with the OPC’s corporate priorities and vision, is developed through ongoing consultations with business areas, and is regularly updated and discussed at EMB+ at key points during the year.
Overall, the IM/IT Strategy and operational planning process was found to be sufficient and supported BI in general terms, but not explicitly. The OPC’s 2020-2021 IM/IT Roadmap and Infographic outline the priorities to which IM/IT investments are made, and this included enabling business intelligence. However, given that the OPC’s BI Strategy was not finalized and formally approved at the time of the audit, no specific BI initiative or investment were included in the IM/IT Strategy. The audit team could therefore not determine if the OPC had adequate IM capacity and capability to advance BI objectives.
A draft BI Strategy document dated July 2020 included the scope of the BI project, goals, and objectives, the key deliverables, target dates, stakeholders, and risks to the project (e.g., Covid-19 delays, technical and administrative issues, knowledge of Ci2 and Officium).
Impact
Without clearly defined and understood roles and responsibilities for IM, BI and data stewardship across the organization, the OPC may not be equipped to perform data analysis and manage business information in an efficient and timely manner, negatively impacting their ability to make information-driven decisions. The absence of an IM/IT Strategy that incorporates the OPC’s approved BI Strategy and Plan may negatively impact the timely progression of the OPC’s key BI objectives and initiatives.
Recommendations
- It is recommended that the OPC clarify and communicate IM and BI governance responsibilities at the OPC, including the relationship between IM, BI and data stewardship across the Office (i.e., overlaps and clear delineations).
- It is recommended that management finalize its BI Vision, Strategy and Plan and that it be used to inform the IM/IT Strategy and Plan.
Management Response and Action Plan
Management agrees with the above recommendations and will undertake the actions described in Annex E.
Finding 2: IM Processes Supporting Classification / Labelling / Accuracy and Availability of Information
Effective information management is a shared responsibility across all of the OPC. All employees are responsible for documenting their activities and decisions of business value in the OPC’s official record management systems in line with IM policy requirements. The audit team expected to find that guidance, processes and/or procedures were in place to support employees in ensuring the completeness, accuracy and availability of information.
Data Classification and Labelling
Data classification is the process of organizing data by categories. This organization of data enables data security, ease of access, regulatory compliance, along with other business or personal objectives. Data labeling is the process of identifying raw data (images, text files, videos, etc.) and adding one or more meaningful and informative labels to provide context.
Quality assurance (QA) is the process of establishing quality requirements, key controls, and quality control measures to ensure that appropriate quality standards and operational objectives are achieved. Under the context of classification and labelling, QA seeks to provide confidence that the classification and labelling are performed in a manner that meets specified requirements and expectations.
The audit team expected that data is accurately classified and labeled, in alignment with OPC requirements and that the OPC has established and implemented quality assurance/control, classification, and labelling processes to ensure that data is properly classified and labeled.
The audit team found that the OPC has developed a classification of information chart and guide for sensitive and non-sensitive information. These documents ensure appropriate security categorization of data. OPC also maintains procedural and training documents for the following:
- Officium, which is the official information repository for all information resources with a security classification of unclassified to Protected B. All request to make changes to Officium panels are reviewed by the IM team to ensure that they are in conformity with the existing taxonomy and the consistency of the metadata.
- Ci2, which is the Case Management System is used to manage all OPC case files including PIPEDA cases, Privacy Act cases, Legal cases, Correspondence and Tracking System for Commissioner correspondence cases. Officium documents related to a case file are linked via the case file number metadata field in Officium.
- Naming Conventions – Guide and Best Practices, which establishes the structure and consistency in the format of names assigned to documents. They provide complete and consistent search results, helping to identify the context of the documents, i.e., the subject of the document and the purpose for creating it.
We found that the classification of information chart and guide and procedural and training documents for Officium, Ci2 and Naming Conventions were readily available on OPC collaboration (SharePoint) and were easily accessible to employees.
File Naming Convention
More specific to the OPC, the benefits of using a naming convention for documents stored in Officium include the establishment of structure and consistency in the format of names assigned to documents. Naming conventions facilitate complete and consistent search results, helping to identify the context of the documents, (i.e., the subject of the document and the purpose for creating it).
The audit team expected to find that the OPC has established file naming conventions that are available to, and used by employees.
The audit team found that the OPC has developed and implemented a document titled 'Naming Conventions - Guide and Best Practices', which includes several good practices, such as generality (full, descriptive name, unique document title), length of document title, dates (formats for full date, fiscal year and calendar year), avoid the use of symbols, special characters, acronyms and abbreviations, English, French or Bilingual title depending on the language the document was written and avoid mentioning the format of the document (e.g., PDF, Power Point etc.). We found that the guide was available on the OPC collaboration (SharePoint) site and was easily accessible by employees.
The audit team tested a sample of files to determine whether they were named in accordance with the 'Naming Conventions - Guide and Best Practices'. The following observations were noted:
- 10 of the 21 files tested (50%) included a date format that was not in accordance with the naming conventions and/or had no date included at all.
- 2 of the 2 (100%) of past legal case files were missing the case number in the naming convention.
In addition to the file testing, interviewees stated that data, required by the authorized resources to perform their duties, was sometimes difficult to find due to naming convention inaccuracies pertaining to some files.
Accuracy and Availability of Data
Accuracy and availability of data is critical to the day-to-day performance of duties, to ensuring the productivity of operations and for leveraging BI in support of effective decision making.
The audit team expected that the OPC have processes in place to ensure complete and accurate data is available. This data would facilitate the performance of business operations, the monitoring of productivity of operations and inform effective decision making.
While the audit found that procedural and training documents for Officium, Ci2 and Naming Conventions were established and readily available on OPC collaboration (SharePoint) site and were easily accessible to employees, interviews noted that data required by the authorized resources were sometimes difficult to find due to naming convention inaccuracies pertaining to some files, lack of appropriately populating the data, incorrect labelling and/or misclassifying data.
At the time of the audit, no evidence was provided to demonstrate that quality assurance, monitoring and data validation were performed to ensure that data classification, labelling, naming, and data accuracy and availability were performed in alignment with the guidance materials.
Impact
Lack of appropriately populating the data, incorrect labelling and/or misclassifying data and not consistently applying naming conventions may result in the inability to retrieve the relevant information and leverage its value to support effective decision making. If accurate data is not readily available to users, this may adversely impact the productivity of operations and decision-making, including the ability to support the OPC's BI efforts
Recommendations
- The OPC should establish quality assurance and monitoring mechanisms to oversee the completeness, accuracy, correct classification and labelling of information. These mechanisms should include clear, actionable, timely and specific feedback to users, with evidence, to facilitate corrections as well as training and continuous improvements.
- It is also recommended that the OPC provide training and awareness to its employees on the 'Naming Conventions - Guide and Best Practices' on a regular basis.
Management Response and Action Plan
Management agrees with the above recommendations and will undertake the actions described in Annex E.
Finding 3: Training
Providing regular and relevant training helps facilitate and support the continuous improvement of business operations. Monitoring training completion for each employee ensures that required and recommended courses have been completed and encourages accountability for the training programs.
The audit team expected that employees with responsibilities for managing and using information have been provided with sufficient training to fulfil their IM responsibilities. It was also expected that staff were provided with appropriate training to enable consistent and effective use of the mechanisms to advance BI.
The audit team found that at the OPC, training was available within IM and BI and included topics such as data integration, data quality, data warehousing, master-data management, and data analytics.
Procedural and training documents for Officium, Ci2, Classification of Information and Naming Conventions were available on OPC collaboration (SharePoint).
IM provided individual training to new hires on Officium. As Officium training is mandatory, the IM team maintained a record of training dates and refresher sessions completed by the employees.
However, interviewees noted that the oversight and monitoring of training for Ci2, Classification of Information and Naming Conventions was not being conducted. As such, the audit could not validate training completion rates or the processes surrounding monitoring training completion for these systems and practices.
Finally, OPC management communicated plans to acquire Learning Management System (LMS) to facilitate and standardize the monitoring and oversight of all training programs.
Impact
If Ci2 and Classification of Information and Naming Conventions training is not consistently provided to all users, there is increased risk of errors in data classification, which may result in an inability to retrieve the relevant information to support effective decision making.
Further, if employees are not trained appropriately on data classification guide updates, there may be increased risk of the incorrect security categorization of data.
Recommendations
- Though the IM framework is the responsibility of the Corporate Management Sector, the entire organization is responsible for IM practices and appropriate use of IM/IT tools. The OPC should provide the required training on the appropriate use of IM/IT tools, which will help ensure accurate and reliable data in support of the implementation of BI.
- The OPC should regularly monitor training completion rates for Ci2, Classification of Information and Naming Conventions. The OPC should ensure that training is updated to reflect (1) the system upgrades undertaken at the OPC and (2) changes to TBS’ policies and guidelines.
- In addition, the OPC should continue to explore the possibility of acquiring the LMS, which will enable them to manage and perform oversight of training programs.
Management Response and Action Plan
Management agrees with the above recommendations and will undertake the actions described in Annex E.
Appendix A – Acronyms
| Acronym | Meaning |
|---|---|
| BI | Business Intelligence |
| Ci2 | Case management system |
| COBIT | Control Objectives for Information and Related Technology |
| EDRMS | Electronic Document and Records Management System |
| EMB | Executive Management Board |
| EMB+ | Executive Management Board Plus |
| HR | Human Resources |
| IM | Information Management |
| ISACA | Information Systems Audit and Control Association |
| IT | Information Technology |
| LMS | Learning Management Solution |
| MAP | Management Action Plan |
| PA | Privacy Act |
| PIPEDA | Personal Information Protection and Electronic Documents Act |
| QA | Quality Assurance |
Appendix B - Interviews
We interviewed the following individuals as part of this audit:
- Deputy Commissioner, Compliance Sector
- Privacy Act Compliance Directorate
- PIPEDA Compliance Directorate
- Compliance, Intake and Resolution Directorate
- Business Intelligence Officer and Strategic Advisor
- Deputy Commissioner, Policy, and Promotion
- Government Advisory Directorate
- Business Advisory Directorate
- Policy, Research and Parliamentary Affairs Directorate
- Technology Analysis Directorate
- Communications Directorate
- Business Intelligence Officer and Strategic Advisor
- Deputy Commissioner, Corporate Management
- IM/IT Directorate
- Business Intelligence Officer and Strategic Advisor
- Legal Services Directorate
- Executive Secretariat
Appendix C – Additional Information on Audit Approach
The audit leveraged the following guidelines, directives, and standards by the federal government of Canada (Treasury Board) and an internationally recognized standard by Information Systems Audit and Control Association (ISACA).
- Policy on Service and Digital
The Policy on Service and Digital and supporting instruments serve as an integrated set of rules that articulate how Government of Canada organizations manage service delivery, information and data, information technology, and cyber security in the digital era. Other requirements, including but not limited to, requirements for privacy, official languages, and accessibility, also apply to the management of service delivery, information and data, information management and cyber security.
The Policy on Service and Digital focuses on the client, ensuring proactive consideration at the design stage of key requirements of these functions in the development of operations and services. It establishes an enterprise-wide, integrated approach to governance, planning and management. Overall, the Policy on Service and Digital advances the delivery of services and the effectiveness of government operations through the strategic management of government information and data and leveraging of information technology, supporting the mandate of the Minister for Digital Government in leading the Government of Canada’s digital transition. The management of these functions is guided by a commitment to the guiding principles and best practices of the Government of Canada Digital Standards: design with users; iterate and improve frequently; work in the open by default; use open standards and solutions; address security and privacy risks; build in accessible from the start; empower staff to deliver better services; be good data stewards; design ethical services; collaborate widely.
- Treasury Board directive on security management. Appendix J: Standard on Security Categorization.
Directive on Security Management - Appendix J: Standard on Security Categorization took effect on July 1, 2019. It provides the process for security categorization. This includes single or multiple security categories and the considerations to apply when assigning a security category.
Information, assets, and services are categorized as “very high,” “high,” “medium” or “low” impact to reflect the degree of injury that could reasonably be expected as a result of a loss of confidentiality, loss of integrity, or loss of availability.
Information confidentiality categories are categorized as Classified (Top Secret, Secret, Confidential) and Protected (Protected C, Protected B, Protected A).
- Information Management guidelines by Treasury Board.
The Strategic Direction for Information Management describes the evolution that is occurring with respect to information management planning. Beginning with long-term plans for information technology, this planning has placed increasing emphasis on information holdings. This and converging technologies have led to greater coordination of the planning for all information-based resources.
The Treasury Board Secretariat ensures that common-service organizations coordinate their long-term strategies, develop a cohesive direction on government information management issues, and adopt a shared foundation for long-range planning. Institutions are advised about the plans of the common-service organizations so that they can take them into consideration in planning for their future needs. Interactions take place among the Treasury Board, institutions, and common-service organizations to coordinate government-wide information management. The coordination of information management planning government-wide results in benefits for all parties involved-institutions, central agencies, and common-service organizations. Some of the benefits that accrue are:
- information management plans are linked to the institution's corporate and operational planning processes and to overall government directions;
- information management investments are directly related to the institution's program results;
- an assessment is made of the technology infrastructure; and,
- the new investment is distinguished from the cost of maintaining the operating "plant."
- Information Management knowledge areas by Treasury Board.
- COBIT 2019.
COBIT (Control Objectives for Information Technologies) 2019 is a framework for the governance and management of enterprise information and technology (I&T) that supports enterprise goal achievement. It defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviours, skills, and infrastructure.
Appendix D – Audit Criteria
| Ref. No. |
Audit Criteria |
|---|---|
| Governance – Roles, Responsibilities, Accountabilities and Decision-Making | |
| A1 | It is expected that OPC has an effective IM, including BI governance structure with defined and communicated roles, responsibilities, and accountabilities supporting effective IM decision making and oversight. |
| It is expected that IM has an adequate strategy and plan in place in support of BI strategy and objectives and has enough capacity and expertise to advance BI. | |
| IM Processes including Controls | |
| B1 | It is expected that OPC has proper data/information quality control, classification, and labelling processes in place to ensure that data is properly classified and that authorized resources have access to required data to effectively perform their duties (need to know basis). |
| B2 | It is expected that OPC has established metadata including file naming conventions. The required guidelines are available to the employees. |
| B3 | It is expected that complete and accurate data is available for users to perform their duties and can be leveraged to ensure the productivity of operations and effective decision making. |
| B4 | Out of scope - The security of information was examined as part of last year’s cybersecurity audit and maturity assessment. Management action plans are being implemented at the moment and there is no need for follow-up auditing at this time. |
| IM Resources | |
| C1 | It is expected that Employees with responsibilities for managing and using information have been provided with sufficient training to fulfil their responsibilities. (Refer to Treasury Board's 'Information Management - Guidelines', section 6 - Education and training for the introduction of information technology and section 7 - Information technology in the workplace: planning for people) |
| C2 | It is expected that IM/IT has appropriate mechanisms and capacity in place to advance the BI strategy. Staff are provided with appropriate training to enable consistent and effective use of the mechanisms to advance BI. (Refer to Treasury Board's 'Information Management - Guidelines', section 6 - Education and training) |
Appendix E – Management Response and Action Plan
| Internal Audit Recommendations |
Management Response |
Action Plan | Responsibility (Position responsible to ensure Action Plan is carried out) |
||
|---|---|---|---|---|---|
| Action Items | Due date: Month/Year |
||||
| 1. | It is recommended that the OPC clarify and communicate IM and BI governance responsibilities at the OPC, including the relationship between IM, BI and data stewardship across the Office (i.e., overlaps and clear delineations). |
|
|
|
|
| 2. | It is recommended that management finalize its BI Vision, Strategy and Plan and that it be used to inform the IM/IT Strategy and Plan. |
|
|
|
|
| 3. | The OPC should establish quality assurance and monitoring mechanisms to oversee the completeness, accuracy, correct classification and labelling of information. These mechanisms should include clear, actionable, timely and specific feedback to users, with evidence, to facilitate corrections as well as training and continuous improvements. |
|
|
|
|
| 4. | It is also recommended that the OPC provide training and awareness to its employees on the 'Naming Conventions - Guide and Best Practices' on a regular basis. |
|
|
|
|
| 5. | Though the IM framework is the responsibility of the Corporate Management Sector, the entire organization is responsible for IM practices and appropriate use of IM/IT tools. The OPC should provide the required training on the appropriate use of IM/IT tools, which will help ensure accurate and reliable data in support of the implementation of BI. |
|
|
|
|
| 6. | The OPC should regularly monitor training completion rates for Ci2, Classification of Information and Naming Conventions. The OPC should ensure that training is updated to reflect (1) the system upgrades undertaken at the OPC and (2) changes to TBS’ policies and guidelines. |
|
|
|
|
| 7. | In addition, the OPC should continue to explore the possibility of acquiring the LMS, which will enable them to manage and perform oversight of training programs. |
|
|
|
|
- Date modified: