Internal Audit of Information Management 2014
Table of contents
- Executive summary
- Conformance with professional standards
- Detailed findings
- Recommendations and conclusion
- Appendix A – EMC response and action plan overview
- Appendix B – Management action plan
- Appendix C – Audit criteria
- Appendix D – Glossary
To assess whether the processes in place for managing information in the PSC are adequate to support policies, programs and services, and are in compliance with government acts, regulations and policies.
Why this is important
The amount of information that the Public Service Commission (PSC) holds keeps compounding annually. The ability to manage this information effectively so that it is available for use is central to the PSC's operations.
Effective information management (IM) that enables PSC employees to access the information they need to do their jobs affects all branches and is important to all lines of business. Problems with collecting, classifying, organizing, retrieving and destroying information can lead to inefficiencies, and negatively affect the PSC's decision-making.
IM at the PSC is currently in a period of transition. Changes include the move away from the primacy of paper to electronic documents, a reorganization that places the Information Management Office (IMO) within the Information Technology Services Directorate (ITSD), and a pending shift in technology from the current Records Documents and Information Management System (RDIMS) application into the Government of Canada Documents (GCDocs) application.
Key governance structures for information management are in place. The PSC has demonstrated its capacity to comply with Treasury Board (TB) requirements in that it has made electronic systems the preferred means of managing information. The IMO has also proven itself capable of implementing key strategic decisions, such as the decision to reduce paper holdings. Most branches have developed processes that are adequate to the security and findability aspects of their business; however, an integrated, comprehensive, and documented information architecture framework is only partly implemented. Many branch processes are based on undocumented “best practices” without the benefit of IMO oversight. Each branch, and indeed every individual employee, is working within the constraints of the tools provided to come up with their own solutions. The consequences are evident in the inconsistencies within the RDIMS repository.
PSC information management could be improved through additional employee training, including management follow-up to ensure that mandatory training is actually taken. Most users see the IMO as a service and are unaware of their own information management responsibilities as outlined in the TB Policy on Information Management. Employees lack understanding of the use of RDIMS search tools and the appropriate use of e-mail, RDIMS, and virtual drives when sharing, storing and working on documents. Nor are users aware of their responsibilities in marking documents for disposition. As a result, electronic documents are being stored, often inappropriately, in a number of different repositories. The RDIMS repository, in particular, is becoming cluttered with documents that are inaccessible, transitory, and have incorrect levels of protection.
The PSC is only partly meeting requirements for classifying information according to its importance to operations. Classification shortcomings have a major impact on document findability, which is further hampered by several additional factors. These factors include RDIMS naming conventions that are inconsistent from branch to branch, overly restrictive access rights, and failure to understand the contextual options that define the currency of RDIMS documents and the completeness of document collections.
The auditors noted that some corrective measures were already in advanced stages of planning, notably, the integration of the IMO into ITSD, the transition from RDIMS to GCDocs, the elimination of private e-mail repositories, the zoning of RDIMS to meet Protected B standards and the addition of new IM resources to ensure that all essential IM functions can be delivered.
Management has provided action plans, which we believe will fully address the issues raised in this audit.
Conformance with professional standards
This audit engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.
Greg Nesbitt, CPA, CMA, CIA
Chief Audit Executive
Public Service Commission
The arrival of the electronic age has complicated the management of information. Every e-mail or draft document has the potential for being an electronic record that must be preserved. Thus, information is being accumulated throughout the Government of Canada at a rate that is compounding annually. Without the ability to effectively manage this information, organizations – including the PSC – may be at risk of being unable to identify and retrieve information in an organized and timely fashion so as to meet their business needs and legal obligations.
In 2007, the Treasury Board (TB) published a new Policy on Information Management, followed by the Directive on Information Management Roles and Responsibilities (2007) and the Directive on Recordkeeping (2009). In addition, the Government of Canada's Information Management Strategy (2008) was published with a view to aligning information management goals and providing clear objectives for the government as a whole. In 2010, with a view to the future, the TB published the Standard for Electronic Documents and Records Management Solutions (EDRMS), which provides for implementation of government-wide, automated and comprehensive information management. The Access to Information Act and Privacy Act set further requirements on how information is kept and used.
In these documents, the TB implicitly defines “information” or at least “information resource” by listing examples: “textual records (memos, reports, invoices, contracts, etc.), electronic records (e-mails, databases, Internet, Intranet, data etc.), new communication media (instant messages, wikis, blogs, podcasts, etc.), publications (reports, books, magazines), films, sound recordings, photographs, documentary art, graphics, maps, and artefacts.” Of primary interest for the purposes of information management are “information resources of business value” which are defined as materials that “enable and document decision-making in support of programs, services and ongoing operations, and support departmental reporting, performance and accountability requirements.”
The PSC continues to strive for compliance with government policy while meeting business requirements:
- The Office of the Comptroller General (OCG) issued the results of a government-wide audit of electronic recordkeeping in December 2011 on the successes and challenges for information management in large departments and agencies. Recommendations were made on government shared systems, roles and responsibilities, and management of information throughout its life cycle. Although the PSC did not participate in the OCG's audit, the Corporate Management Branch (CMB) reviewed the recommendations for relevance to the PSC, and results were reported to the IAC in May 2012. There were some actionable items; however, it was found that the PSC was generally meeting the OCG's recommendations.
- Also included in the CMB report to the IAC in May 2012, were results of a record-keeping self-assessment using a tool from the Treasury Board Secretariat (TBS). The results indicated that the PSC was meeting, and in some cases exceeding, recordkeeping requirements of the Directive on Recordkeeping.
- The PSC must prepare for 2017 when Library and Archives Canada (LAC) will no longer accept or will accept very little in the way of paper government records. Documents will be ingested in an electronic format and LAC will become a Trusted Digital Repository.
- The PSC's move to Gatineau at the end of 2013 will limit the space available to store paper documents. Hence, paper holdings are being reduced through digitization (conversion to electronic format by scanning) and disposition.
- By the end of 2014, PSC would like to replace the Records Documents and Information Management System (RDIMS) recordkeeping application with the Government of Canada Documents (GCDocs) application. This will require a change in the e-mail system from GroupWise to Outlook in order to take advantage of GCDocs' capacity to more efficiently store e-mails.
Information management within the PSC is accomplished through multiple independently managed special purpose databases. Large unstructured databases include:
- RDIMS, which is the main document repository;
- An Access database, which holds information gathered from audits performed by Audit and Data Services Branch (ADSB);
- PrivateSoft, which holds documents relating to Access to Information and Privacy (ATIP) requests;
- CcmMercury for ministerial correspondence;
- Virtual drives, such as F:, U: or S:;
- E-mail, which serves as a default database for many important documents; and,
- Paper documents.
Audit objective and scope
To assess whether the processes in place for managing information in the PSC are adequate to support policies, programs, and services, and are in compliance with government acts, regulations, and policies.
The audit examined the processes that supported information management at the PSC from creation to ultimate disposal. Focus was on the management of documents known as unstructured information, which is the largely text-heavy information that does not fit well into tables. The audit focussed on the IM environment in effect at the PSC in 2013-14, using data holdings of the second quarter of this year.
Excluded from the scope were management of Intracom (the PSC's intranet) and all externally focused tools and processes, including Internet and Web 2.0 tools and services. Neither did this audit cover specific compliance to the Access to Information Act and Privacy Act.
Based on a review of Government of Canada policy, concerns expressed during interviews with senior management, and a review of key information management processes, the Internal Audit Directorate (IAD) developed audit criteria that covered these key risk areas:
Compliance: This criteria refers to the risk of not meeting the requirements of government policies, directives and standards. This risk has increased in recent years, due to many new government-wide requirements coming into effect.
Findability: This criteria refers to the risk that metadata and data structures are insufficient to facilitate searching, that the search tools are inadequate to the task or not understood by employees, or that documents have quality problems (outdated, inappropriate access rights, multiple unrelated versions, etc.). This risk increases as the information management (IM) functional specialists are challenged by resource constraints.
Security: This criteria refers to the risk that systems and procedures for accessing, storing and transporting information resources are not adequately secured against unauthorized access that threatens destruction of data and breach of confidentiality. This risk must be controlled through continuing vigilance and diligence of all staff.
Governance: This criteria refers to the risk that the governance structure is inadequate to handle both strategic and tactical concerns, that roles and responsibilities of employees are not defined, that an information architecture framework is not articulated, and that concerns of stakeholders are not being addressed. If PSC employees do not understand their roles or receive appropriate feedback, the probability of missteps will increase.
This audit was conducted in accordance with the standard PSC internal audit process, and in line with the International Standards for the Professional Practice of Internal Auditing. Our audit process consists of three principal phases: planning, initiated February 2013; detailed examination, initiated July 2013 and completed September 2013; and reporting, completed when a final report is approved.
The planning phase began with interviews of clients who were responsible for information management at the PSC and vice-presidents or their representatives in each branch. These interviews resulted in a list of what managers perceived to be the highest risks to achievement of the PSC's information management objectives. These areas of potential interest were presented to the client in the Terms of Reference. IAD then reviewed various documents both internal and external to the PSC.
Risks were analyzed in detail in the Preliminary Survey Report, which was shared with the clients. These risks were used as the basis for the audit criteria that were reviewed by auditee management and served as the basis for the audit program.
During the examination phase, the audit program was executed. Methods included interviews with managers and employees from all branches, walkthroughs of processes, document review, sampling and review of information holdings, and examination of metadata. Preliminary observations were validated by auditee management.
Project deliverables were reviewed and signed off by the Director of Internal Audit.
Observation 1: Compliance
Information management at the PSC should comply with Government of Canada laws, policies, directives, regulations, code of conduct and standards.
The internal auditors expected to find compliance with all Government of Canada policy requirements. We also expected to find compliance with PSC policies that had been put in place to meet government requirements.
Of particular relevance to the audit are the following policies, directives and standards:
- The Treasury Board (TB) Policy on Information Management (2007)
- The TB Directive on Information Management Roles and Responsibilities (2007)
- The TB Directive on Recordkeeping (2009)
- The TB Security Organization and Administration Standard (1995)
- The PSC's RDIMS Business Rules document.
Roles and responsibilities
To meet the requirements of the TB Directive on Information Management Roles and Responsibilities, roles and responsibilities have been put in place at the senior management level. Information management is a standing item on many senior management committees, including the Information Management/Information Technology Committee (IM/ITC), which is a subcommittee of the Executive Management Committee (EMC). PSC-specific policies and directives that originate in the Information Management Office (IMO) are passed to the IM/ITC for review, before submission to EMC for final review and approval. The IMO and the Information Technology Services Directorate (ITSD) regularly review new Government of Canada policies and guidelines related to information management for applicability to the PSC. To this end, a PSC representative regularly attends Chief Information Officer Branch (CIOB) meetings of the TB where IM issues are discussed.
Use of electronic systems
To meet the requirements of the TB Policy on Information Management, electronic systems are definitely the preferred means of creating, using, and managing information. Concerns about the legal status of scanned documents have been addressed and all branches worked very collaboratively with the IMO to significantly reduce their paper holdings.
Senior management generally recognized that the IMO lacked both the capacity and skill sets to deal with the complexities of electronic documents. One consequence of this lack of capacity was that at the operational level, the structures, mechanisms, and resources were insufficient to ensure effective management of electronic information, its monitoring, and oversight. For example, the Business Objects Enterprise metadata tool for monitoring the state of the RDIMS database is underutilized. (The report on RDIMS usage per directorate was last run September 24, 2010, and new report types were not being created.) To correct this capacity shortage, the IMO organization was moved into ITSD in mid-2013, and requirements for additional resources have been explicitly identified.
Establishment of business rules
Key to management of information and records as valuable assets under the Policy on Information Management is the establishment of business rules that require employees to take responsibility for managing their own documents. However, although RDIMS Business Rules are handed out in the basic RDIMS course, these rules are substantially forgotten or ignored by PSC employees. Because of this noncompliance with business rules, RDIMS now contains a large number of transitory documents of no business value, documents that have inappropriate security profiles, documents with no ownership because the custodian has left the PSC, and documents that are not marked for disposition, among other non-conformities. For example, the auditors found that 26% of 259 randomly sampled RDIMS documents were transitory (not valuable assets). Similarly, based on metadata analysis, 34.6% of RDIMS documents held in August 2013 had no active custodian and were essentially orphaned.
Handling of copyrights and licenses may present an opportunity for improvement
The Policy on Information Management stipulates that deputy heads are responsible for the monitoring of user agreements and licensing conditions that apply to information resources. Copyrights and licenses on externally purchased materials used in the PSC's Personal Psychology Center (PPC) testing are managed at the director level and no central monitoring is exercised. In addition, copyrighted documents purchased for single use by a PSC employee are sometimes stored in RDIMS, which is open to multiple users.
Increased training on information management is required
To meet the training requirements specified in the TB Directive on Information Management Roles and Responsibilities, the IMO each month offers basic training in RDIMS to all new employees. However, refresher training is not offered. An RDIMS advanced training course is available by special request, but is unadvertised because of lack of facilitation capacity.
Many PSC employees have not received the information management training they need to function competently. The IMO lacks the capacity to provide general training on such topics as employee responsibilities in information management, electronic information security, or advanced search techniques. The problem is exacerbated by inadequate management follow-up. Despite reminders of mandatory training, the training logs showed that only slightly more than half of new employees (95 out of 179 from April 2012 to August 2013) attended their mandatory basic RDIMS training sessions.
Assessment of IM policy and its instruments presents an opportunity for improvement
The TB Directive on Information Management Roles and Responsibilities requires that IM policy and instruments be regularly assessed against departmental objectives. To meet this requirement, the IMO has recently done several self-assessments using IMO staff resources. Of note, the IMO self-assessed against the criteria of the Office of the Controller General (OCG)'s 2011 horizontal Electronic Recordkeeping audit and the IMO also recently self-assessed using the TBS Recordkeeping Compliance Maturity Model. Both self-assessment results were generally favourable although the scope of these broad self-assessment tools is limited to the design and existence of standard controls without considering effectiveness of practices.
Disposal and retention of electronic documents
To meet the information cycle requirements of the TB Directive on Recordkeeping, the major concern is timely disposition of electronic documents. Otherwise, the risks associated with the storage and management of documents accumulate over time. Searches take longer, adoption of new technologies becomes more difficult, and security problems increase.
Disposition occurs at the end of a time period that is triggered when a document is designated as “read-only” (finalized); however, users are unaware of their responsibility to designate a document as “read only” once it is finalized. With the approval of the client, the IMO will make any documents that it scans “read only”. (For example, this is done with all political activities files.) However, not only are most RDIMS documents not being disposed of in a timely fashion, few have even had their disposition cycle triggered. Only 7% of documents in a sample of 259 were marked “read-only”.
Classification of documents
To systematically classify information by its importance to operations in accordance with the Directive on Recordkeeping, PSC branches are generally using the PSC file plan as the basis for classification. However, according to the IMO, the purpose of the file plan, originating from Library and Archives Canada (LAC), is to determine government-wide retention and disposition periods for documents rather than to classify documents by activity and subject, as required at the organization level. Hence, many branches have worked with the IMO to adapt the LAC file plan structure by adding subcategories and by adopting naming conventions that suit their purposes. Over time, this has resulted in a plethora of subcategories, many now disused, and a variety of naming conventions that differ from branch to branch. Some branches have opted to make do with the LAC categories, sometimes forcing a fit. This has resulted in some arbitrary filing decisions. (For example, Investigations Branch has no category for “Appeals” and so files them under “Investigations”.)
Documentation of information management practices
As required by the TB Directive on Recordkeeping, IMO business rules, policies, and procedures are substantially documented. However, the transition to electronic systems has resulted in many changes to practices, and the IMO has not had the capacity to adequately update the documentation. For example, despite having obvious editorial problems and a broken link (identified by the auditor) on the Key Policies and Documents page, most employees were aware of the PSC's Information Designation and Classification Guide and knew where to find a copy on Intracom. However, the Guide does not provide information on key electronic processes such as when documents need to be encrypted, when they can be sent by e-mail, and whether they should be protected when stored in RDIMS.
To accommodate these system changes, some branches have developed their own process documentation. However, many of the process changes have been adopted as undocumented “good practices”. When questions arise, employees simply contact the IMO. Nonetheless, during interviews, employees exhibited a good understanding of their processes and managers indicated that they could exercise adequate supervision. This process informality presents a challenge for IMO oversight. Each branch has its own unique information management set of practices that allow it to meet its objectives – albeit not always optimally – using paper files, RDIMS, shared drives, and e-mail.
Security of documents
With regard to the TB Security Organization and Administration Standard, managers expressed concern that users do not understand the purpose of the security categorizations, especially of Protected A and B. In practice, we found that documents tend to be designated to a higher level than needed (although sometimes to a lower one as well). In addition, despite regular corrective action by the IMO, protected documents are sometimes stored in RDIMS without a security profile, which leaves them open to access and modification by any PSC user. Our review of a sample of protected RDIMS documents echoes this concern and a metadata-based count of the number of protected files in RDIMS illustrates the extent of the problem:
- 65% of the 314 648 documents placed in RDIMS since July 2011 are Protected A or B
- Over 50% of a random sample of 161 protected documents were incorrectly designated
- 100 Protected A and B documents in RDIMS on July 18, 2013 had no security profile.
Rarely does a user downgrade the security level on a document once the need for protection has passed. In fact, the downgrade date should appear along with the designation. On this point the PSC's Information Designation and Classification Guide is definitive: “The date or event at which downgrading of the security level is to occur may be included in the marking. If it is not, it should be.” However, the downgrade date did not appear on any of the protected documents we sampled.
Overall conclusion on compliance with IM policies
Organizational structure at the senior management level appears to comply with TB requirements. However, important weaknesses exist in compliance to RDIMS Business Rules at the operational level. This noncompliance is a consequence of the IMO's lack of capacity for dealing with the complexities of electronic documents and for not giving PSC employees the information management training they need. Employees carry out their responsibilities inconsistently in areas such as electronic information security, document disposition, or advanced search techniques. In addition, operational roles and responsibilities are informally defined, with much dependence on undocumented “good practice” to record IM processes. These shortcomings prevent the PSC from efficiently and economically meeting government policy by having a common approach.
Observation 2: Findability
Information resources should be found efficiently when needed, and once found, will be of good quality and have appropriate access rights, and their release date and relationship to other documents can be known.
RDIMS document “profiles” are designed to contain information about draft or final quality, access rights, release date, relationship to other documents, and other useful metadata that enhance the findability of Information Resources of Business Value (IRBVs). Hence, we expected that IRBVs would be extensively and consistently saved in RDIMS with profiles defined so that users could confidently make use of this information in searching for documents.
Retrieval of documents using electronic tools
Employees and managers generally agreed that findability of documents was an important consideration. However, they also stated that the search tools were inefficient and they expressed a lack of confidence in their ability to use metadata when searching in RDIMS. Most employees interviewed affirmed that even though a Title search usually generated too many invalid hits, they used this approach almost exclusively. The use of Title as a search field is complicated by inconsistency across branches; for example, some include the file plan category name after the file plan number and some do not. Of 259 RDIMS documents in a random sample, 11% (29) had an apparently incorrect file plan number. To compensate for poor confidence in searching, some RDIMS users keep external lists of important documents.
Accessing electronic records
Necessary for findability is that users have access rights to the documents they are trying to find. RDIMS Business Rule 18 states that, to the extent possible, all PSC users should be able to find the profile of any document. However, the RDIMS default is to grant access only to the author and custodian. The result is that many RDIMS documents that do not need protection are invisible to the rest of the organization. Consequently, a search will not necessarily identify all relevant documents in existence. Of 98 unclassified RDIMS documents in a random sample, 54% (53) had an inaccessible profile.
Use of related documents
Findability depends on contextual information, a key context being a document's capability to relate to other documents. RDIMS provides many options for relating documents. For example, a workspace function is provided in RDIMS to support keeping an index of the documents in a collection, but workspaces cannot be shared so instead users frequently create such indexes in Microsoft (MS) Word. RDIMS also provides a “related” function that can be used to relate documents to each other; a folder function, to relate documents hierarchically; and a quick search function, to relate documents using the formula used to search for them. However, based on user interviews, review of samples, and analysis of metadata, we concluded that users do not have a good understanding of these options and their appropriate usage. For example, out of the 760 000 documents stored in RDIMS in August 2013, only 8.6% (65 701) were related to others. As well, only 14% (8) of a sample of 59 RDIMS documents were related to their translations despite being identified by the auditor as having a high probability of being translated.
Use of e-mail storage
Many PSC employees use e-mail as their personal repository for IRBVs. Findability advantages of e-mail are that it can be easily organized into folders that suit the user's purposes, it can be searched easily, and it comes complete with crucial “who” and “when” metadata. However, a private e-mail repository cannot meet recordkeeping requirements for the findability of information of business value, and becomes even more of an issue when an employee leaves the PSC. To discourage the use of e-mail repositories, the new TBS Standard on E-mail Management will restrict the amount of saved data to 2 GB. However, this restriction will nonetheless allow many documents to be saved in an e-mail repository. Employees may still want to create e-mail repositories unless the corporate repository provides comparable findability advantages.
In fact, because a large percentage of e-mail is by its nature transitory and of business value only to the user who has saved it (e.g. a record of approval for training), identifying the documents that can be deleted without consequence from an e-mail repository can be a daunting task. This task must nonetheless be undertaken for transitioning from GroupWise to Outlook by December 2013 in preparation for replacing RDIMS with GCDocs. (As of May 2014, this transition was still pending).
It is worth noting that if properly implemented, the transition to GCDocs should present an opportunity for improvement in the findability advantages of storing e-mail in the corporate repository.
Overall conclusion on findability
Although employees appreciated the importance of findability, the employees interviewed believed that the current search tools were inefficient and ineffective for searches. As well, by default document access rights are highly restrictive; thus, RDIMS users often do not know if a document is not present in RDIMS or is just invisible to them. It was further observed that users do not have a good understanding of the RDIMS metadata options and their appropriate usage. Hence, many users are drawn to the e-mail application, where they create personal folders to help organize and relate important documents to one another; however, these private e-mail repositories lead to retrievability problems, especially when an employee leaves the PSC.
Observation 3: Security of information
Systems and procedures for accessing, storing, transporting, and disposing information resources should provide security against unauthorized access and adequate protection of privacy, confidentiality, and work-in-progress.
We expected that there would be well-established procedures for handling sensitive paper and electronic information, that electronic systems would meet the required security standards, that procedures would be understood and followed by employees, and that access to information repositories would be adequately managed, as well as controlled and monitored.
Procedures for handling sensitive paper documents are well-established while procedures for handling sensitive electronic documents are in the process of consolidation.
RDIMS Business Rule 3 states: “All electronic documents created, collected, or received in the course of conducting PSC business up to and including PROTECTED B are to be managed in RDIMS.” Notably, 36% (114 214) of the 314 648 documents placed in RDIMS since July 2011 are Protected B. However, despite this significant number, RDIMS will not be moved into the PSC restricted zone, as required for Protected B, until early 2014.
Management of access to RDIMS documents presents an opportunity for improvement.
Access to RDIMS is managed at the document level rather than the system level, which means that RDIMS documents can be individually protected, providing added security. However, for document-level access, changes in access rights (for example, a change of custodian when an employee departs) require what is referred to in the RDIMS Business Rules as a “mass update”, which is often not done, leaving many documents with inappropriate access or even no active custodian.
Because the IMO regards RDIMS as a repository for documents of business value rather than a collaboration tool, many branches have opted to store transitory documents, including sensitive ones, on virtual drives rather than in RDIMS. According to the current Chief Information Officer (CIO), virtual drives require special controls, such as an encryption module, to meet the standards for protected documents. However, only some units have these special controls on their virtual drives.
Though about 50% of employees have Entrust and myKey encryption software installed on their computers, proper use of encryption in sending sensitive documents by e-mail is not well understood by employees. According to the IMO, any level of protected document sent externally by e-mail must be encrypted. Internally, Protected A documents can be sent without encryption, but Protected B documents must still be encrypted. Interviews with managers and employees indicated that this encryption requirement for Protected B documents is often not respected.
Protection of documents is a serious enough concern that it was discussed at an EMC meeting. Specifically, a common practice is to send an RDIMS link by e-mail (rather than the document itself). However, recipients have been known to download the document and then resend it by e-mail, both exposing the document in the e-mail system and thwarting any level of protection that might have been inherent in the RDIMS metadata.
ITSD is also looking into the security of tablets and considering ways to introduce additional security based on the Communications Security Establishment Canada (CSEC) ITSB-65 standard.
For monitoring access, electronic information systems have an advantage over paper in that most user activity, including unauthorized access attempts, is captured in logs and available. The PSC formerly performed its own monitoring, but presently this capability exists solely within the infrastructure that is managed by Shared Services Canada (SSC). The CIO has indicated that restoring some level of monitoring capability to the PSC represents an opportunity for improvement, and to this end, there have been some negotiations with the SSC to purchase a system that would perform limited automatic checking of logs; however, this requires funding.
Overall conclusion on security of information
Both employees and management are concerned about security procedures for sensitive electronic information. Though many employees have Entrust and myKey installed on their computers, encryption in sending sensitive documents is not always performed by employees. Many branches have opted to store sensitive transitory documents on virtual drives, which often lack the special controls required to make them secure. Many Protected B documents are stored in RDIMS even though RDIMS will only be secure for Protected B documents early in 2014. Monitoring of access to electronic information is currently under the control of the SSC.
Observation 4: Governance
Processes and structures should be in place to adequately inform, direct, manage, and monitor the activities required to meet information management objectives.
We expected to find committees and teams supporting the information management framework operating at both the strategic and operational/tactical levels, with strategic levels making high-level decisions that are then implemented at the operational and tactical levels. We expected procedures would be rational and consistent with a common framework that is optimized for efficiency. Requirements of employees and managers would be clearly communicated, and efforts to integrate and adapt tools and work processes would be evident. At the same time we expected to find feedback flowing from the operational level to the strategic level, something important to oversight. Finally, to conform with TB security standards, including the Operational Security Standard - Business Continuity Planning (BCP), we expected to find regular updates to the information management Business Impact Assessment (BIA) included in the strategic planning cycle.
At the strategic level, required governance structures are in place
Information and information processes are managed by one or more committees that communicate decisions to the branch vice-presidents. We found evidence of extensive strategic planning, including comprehensive documents such as:
- Information Management Strategic Action Plan 2013-2015
- Restructure PSC – Information Management Office Business Case (2013)
- infor Plan for Document & Records Management FY 2011/12 - 2014/15
Planning for important initiatives, such as the move to Gatineau and the transition to GCDocs, was also evident.
Nonetheless, the business case acknowledges that strategic planning is insufficiently resourced to develop an information management framework that defines roles and responsibilities and supports change management. In fact, though managers often commended the IMO for the support provided when requested, a common observation they made was that the IMO was not sufficiently “proactive”.
Information management requires individual responsibility
Overall, interviews indicated that employees do not regard information management as their responsibility, but as a service provided by the IMO. With no guiding framework, employees resolve problems on a case-by-case ad hoc basis by contacting the IMO when an intolerable level of criticality is reached. In addition, without a framework that defines how operational levels are to provide feedback, the strategic level is hampered in its decision-making. Some practical consequences of this lack of an adequate information management framework are provided below.
The auditors noted a lack of rigor in defining information types, along with inconsistencies in how they were handled by various working units. This meant that the information management framework lacked a process whereby significant types of information resources are identified and policies and procedures are developed on handling these various information types. The goal is not a uniform process across the PSC; rather, appropriate information types need to be identified in order to create the foundation for an information architecture that associates policies, procedures, roles, and responsibilities to the various information types. The list of RDIMS document types available in the Profile menu exemplifies this lack of rigor in identifying information types. The list, in fact, comprises multiple different document dimensions that have been conflated into one flat list; for example, COMMITTEE, MEETING, and E-MAIL. Selecting the type of an e-mail about a committee meeting can thus be problematic. Some common document types are simply not available in the list, e.g., DIAGRAM.
Collaborating and sharing of work in progress presents an opportunity for improvement
Although RDIMS is primarily a document repository and not a collaboration tool, it does have a rudimentary check-in/check-out utility that allows sharing of work-in-progress. This utility prevents overwriting when another author is working on the same document. However, advanced formal co-authoring to allow multiple authors to work simultaneously on the same document is not available. From within RDIMS, it is not even possible to use the MS Word Compare function to combine the work of several authors. Hence, many units prefer to share work-in-progress on a virtual drive, which allows work to be more easily combined even though it does not have check-in/check-out. The final document is then converted to Portable Document Format (PDF) and imported into RDIMS, not however without potential loss of IRBVs. One manager summed it up: “If people really need to collaborate, we need a better tool.”
Saving of e-mails is inconsistently handled.
The RDIMS Business Rule 31 defines who should save e-mail attachments; however, many employees are not aware of this rule. As a result, a widely distributed e-mail with lengthy attachments may be saved multiple times in various repositories, contributing to database clutter. In addition, many employees are unaware of the functionality of the “Save to eDocs” button, which allows e-mails to be stored in RDIMS in locked Rich Text Format (RTF). Hence, to prevent manipulation they convert their e-mails to PDF format, requiring the additional effort of importing them if they store them in RDIMS at all.
Business impact assessments
Even though it is a requirement of information systems handling Protected B documents, we found that the information management Business Impact Assessment (BIA) was not being updated regularly. Although a BIA process was started during the examination phase of the audit, most of the branches had not participated in any form of BIA since 2009, before the introduction of RDIMS.
Overall conclusion on governance
Most necessary high-level elements of a governance structure are in place, although shortcomings are noted in the information management framework at the operational level in failure to define roles and responsibilities. Even though IM business rules, policies, and procedures are substantially documented, these documents are seldom referred to. When employees encounter problems, they contact the IMO, and issues are resolved on an ad-hoc basis. This reactive approach poses a challenge for IMO oversight, hindering its capacity to enhance efficiency by seeking common solutions to shared problems, e.g., handling the different types of information resources, collaborating on work-in-progress, saving e-mails, and keeping the BIA up to date.
Recommendations and conclusion
The audit team has identified six recommendations based on the above findings.
The IMO should strengthen governance structures such that:
- Policies and procedures reflect the transition to an electronic environment;
- The Information Designation and Classification Guide is applicable also to electronic documents;
- It has documented in collaboration with the branches the various types of information management processes;
- Compliance with IM polices and business rules is controlled and monitored; and
- Mechanisms are in place to provide feedback on operational issues.
The IMO should ensure that all employees have taken mandatory introductory and second-level training on:
- Handling of sensitive documents, including work-in-progress;
- Use of e-mail, RDIMS, and virtual drives;
- Categorizing, classifying, and naming documents and using search tools effectively; and
- Employees' IM responsibilities, including responsibility for raising problems to the appropriate level where they can be dealt with strategically if necessary.
The IMO should establish appropriate mechanisms to:
- Help users monitor the disposition status of their documents;
- Help users manage document profiling and downgrading of document protection; and
- With the approval of the EMC, set the default access level to confirm with RDIMS Business Rule 18, such that without action on the part of the author or custodian, all users are given view profile access.
The IMO should develop an information classification scheme:
- With categories that better support collections and searches; and
- That supports Library and Archive Canada (LAC)'s retention requirements and the PSC's requirements for an activity and subject classification.
The IMO should ensure that RDIMS is upgraded to meet Protected B security standards, which will require zoning and updates to the information management BIA.
The Director General, Information Technology Services Directorate (ITSD), should ensure that the IMO is adequately resourced to deliver essential IM functions.
Key governance structures for information management are in place. The PSC has demonstrated its capacity to comply with Treasury Board (TB) requirements in that it has made electronic systems the preferred means of managing information. The IMO has also proven itself capable of implementing key strategic decisions, such as the decision to reduce paper holdings. Most branches have developed processes that are adequate to the security and findability aspects of their business; however, an integrated, comprehensive, and documented information architecture framework is only partly implemented. Many branch processes are based on undocumented “best practice” without the benefit of IMO oversight. Each branch, and indeed every individual employee, is working within the constraints of the tools provided to come up with their own solutions. The consequences are evident in the inconsistencies within the RDIMS repository.
PSC information management could be improved through additional employee training, including management follow-up to ensure that mandatory training is actually taken. Most users see the IMO as a service and are unaware of their own information management responsibilities as outlined in the TB Policy on Information Management. Employees lack understanding of the use of RDIMS search tools and of the appropriate use of e-mail, RDIMS, and virtual drives when sharing, storing, and working on documents. Nor are users aware of their responsibilities in marking documents for disposition. As a result, electronic documents are being stored, often inappropriately, in a number of different repositories. The RDIMS repository, in particular, is becoming cluttered with documents that are inaccessible, transitory, and have incorrect levels of protection.
The PSC is only partly meeting requirements for classifying information in accordance with its importance to operations. Classification shortcomings have a major impact on document findability, which is further hampered by several additional factors, including RDIMS naming conventions that are inconsistent from branch to branch, overly restrictive access rights, and failure to understand the contextual options that define the currency of RDIMS documents and the completeness of document collections.
The auditors noted that some corrective measures were already in advanced stages of planning, notably, the integration of the IMO into ITSD, the transition from RDIMS to GCDocs, the elimination of private e-mail repositories, the zoning of RDIMS to meet Protected B standards, and the addition of new IM resources to ensure that all essential IM functions can be delivered.
Management has provided action plans, which we believe will fully address the issues raised in this audit.
Appendix A – EMC response and action plan overview
PSC's Executive Management Committee (EMC) welcomes these recommendations and considers them essential in shaping the strategic direction of IM/IT in the next Integrated Business Plan. Improving the PSC's Information Management (IM) capabilities will need to go beyond addressing specific recommendations, and will require enabling an organizational culture shift. Response to the following recommendations will not only address the specific issues identified in the audit, but will also be incorporated in a more comprehensive overhaul of IM as a corporate function.
Broad elements of this work will include the following:
- Review, update and promotion of IM policies to ensure that they reflect current best practices and technological capabilities including departmental compliance with the Directive on Recordkeeping.
- The Enhanced Integration of Policy and Oversight Initiative will be continuously consulted to ensure facilitation of integration and collaboration within the PSC.
- Implementation of monitoring and control tools to provide useful metrics and decision-making information for continuous improvement.
- An update to central IM tools such as e-mail system (to Outlook), office suite (to Office 2013) and information management system (to GCDocs), following Shared Services Canada support requirements.
Organization and capacity
- A more central role for Information Management as central architect and stakeholder for all information holdings within the PSC, allowing for better protection of the organization's information assets regarding privacy and security issues.
- Strong integration between the information management and information technology functions of the organization following the reorganization of the Information Management Office (IMO) within ITSD.
- A broad environmental scan of information holdings within the PSC, their value to the organization and the way they would be managed more effectively and efficiently.
Training and awareness
- Evergreen training of PSC employees in the areas of Information Management and Information Security.
- Launch of a communications program to ensure that the Information Management Office is easily reachable, and perceived as a valuable partner by PSC employees and business units.
- Adequate resourcing, with new employees sought for skills in areas currently underserved by the organization.
The following actions and completion dates depend on the assumption that the PSC will migrate from its current RDIMS information management system to GCDocs in 2014-2015 and any delay in this implementation will require adjustments to the completion dates provided.
Appendix B – Management action plan
|Recommendations||Management response & planned action||Management accountability||Status & completion date|
|1. The IMO should strengthen governance structures such that:
• Policies and procedures reflect the transition to an electronic environment;
• The Information Designation and Classification Guide is applicable also to electronic documents;
• It has documented in collaboration with the branches the various types of information management processes;
• Compliance with IM polices and business rules is controlled and monitored; and
• Mechanisms are in place to provide feedback on operational issues.
|The Department will review and update, through a systematic collaboration with and input from branches and the Corporate Secretariat/ATIP, the PSC's IM policies, classification guide and processes to reflect the operational and cultural transition to an electronic environment. Further it will put in place mechanisms, including the use of PSC communication tools, to increase awareness within the PSC and to solicit feedback from users and provide timely resolution of any issues.
The Department will build expertise and capacity in electronic document and record management tools.
The Department will analyze the requirements related to compliance monitoring for information management and will propose an approach for consideration by EMC.
IM compliance metrics will be gathered and used to support operational changes, focusing on operational issues.
|PSC CIO||Reviewed policies, classification guide and associated processes will be available by October 1, 2014.
The first employees with complementary skills will be in place by July 31, 2014. A revised IMO staffing plan will be available by March 15, 2014 and will examine the possibility of short-term project-specific staffing.
The updated approach will be available by September 30, 2014.
A first set of defined metrics will be available by August 31, 2014.
|2. The IMO should ensure that all employees have taken mandatory introductory and second-level training on:
• Handling of sensitive documents, including work-in-progress;
• Use of e-mail, RDIMS, and virtual drives;
• Categorizing, classifying, and naming documents and using search tools effectively; and
• Employees' IM responsibilities, including responsibility for raising problems to the appropriate level where they can be dealt with strategically if necessary.
|The IMO will work with the Human Resources Management Directorate and the Corporate Secretariat/ATIP to create and provide updated IM training to all PSC employees. This PSC-specific training will:
- complement the training provided by CSPS on tools such as Outlook and GCDocs, and
- focus on the four priorities identified in the Recommendation.
The IMO will work with the Communications and Parliamentary Affairs Directorate (CPAD) to maintain online help resources and discussion forums so that PSC employees have always-available resources to refresh introductory training and provide second-level training. This online presence will include explicit mechanisms to report problems to the IMO so that they can be corrected appropriately.
|PSC CIO||A syllabus will be available by September 1, 2014. Training will start by October 15, 2014.
A new Intracom site structure will be available by October 1, 2014.
|3. The IMO should establish appropriate mechanisms to:
• Help users monitor the disposition status of their documents;
• Help users manage document profiling and downgrading of document protection; and
• With the approval of the EMC, set the default access level to confirm with RDIMS Business Rule 18, such that without action on the part of the author or custodian, all users are given view profile access.
|With the introduction of GCDocs, the IMO will ensure departmental access to automated tools and clear policies to assist users in monitoring the disposition status, document profiling and protection downgrading of their documents.
An analysis will be conducted, in consultation with appropriate stakeholders, on the implications of defaulting to open-profile policies and will present its finding and recommendations to EMC.
|PSC CIO||Tools implementation will occur with the introduction of GCDocs in Q3 2014-2015. GCDocs-specific policies will be available by January 15, 2015.
This analysis will be available by June 30, 2014.
|4. The IMO should develop an information classification scheme:
• With categories that better support collections and searches; and
• That supports Library and Archive Canada (LAC)'s retention requirements and the PSC's requirements for an activity and subject classification.
|Anticipating the implementation of GCDocs, the IMO, in collaboration with the Corporate Secretariat/ATIP, will develop and implement an information classification scheme that will support the PSC’s requirements for activity and subject classification, PSC information collections and searches, as well as LAC’s retention requirements.
GCDocs implementation will ensure that complementary methods (such as search boxes, folders structure and personal bookmarks) will be available to classify, search and retrieve information according to user preferences within well-defined corporate standards.
|PSC CIO||The scheme definition will be available by December 1, 2014.
Implementation will occur with the introduction of GCDocs in Q3 2014-2015.
|5. The IMO should ensure that RDIMS is upgraded to meet Protected B security standards, which will require zoning and updates to the information management BIA.||Due to the anticipated decommissioning of RDIMS in fall 2014, it’s not advisable to spend resources re-zoning an end-of-life application. In the meantime, RDIMS will be reviewed in order to implement appropriate security standards until the migration to GCDocs. Concurrently, with our partner Shared Services Canada (SSC), the department is exploring the feasibility of the moving RDIMS to the Protected B zone this fiscal year. Level of effort estimate is underway by SSC.
The implementation of GCDocs by the PSC will be guided by sound security principles to ensure that the new system is appropriately classified. A draft Statement of Sensitivity document will outline the steps to follow to migrate to a fully secure GCDocs environment.
|PSC CIO||A plan of actions to manage RDIMS security until its decommissioning will be available by August 31, 2014.
A plan for secure GCDocs implementation will be available by December 31, 2014.
|6. The Director General, Information Technology Services Directorate (ITSD), should ensure that the IMO is adequately resourced to deliver essential IM functions.||The Vice-President Corporate Management Branch (CMB) has approved a new IMO structure that provides the structure for the delivery of essential IM functions and addresses the need for improved electronic document and information management. To date, EMC has approved the staffing of one new position. As opportunities arise, the IMO will recruit personnel with appropriate skills.
Further Information Management resourcing actions will be guided by the Integrated Business Plan, which will provide a unified approach to information management and technology, and consider the complementary skills best suited to current information management needs. Project-specific short-term resourcing will be a priority.
|PSC CIO||The position will be staffed by July 31, 2014.
A revised IMO staffing plan will be available by March 31, 2014.
Appendix C – Audit criteria
|Line of enquiry||Audit criteria|
|1. Information management at the PSC complies with Government of Canada laws, policies, directives, regulations, code of conduct, and standards.||Compliance
1.1 The governance structure in place complies with key Treasury Board policy requirements..
1.2 The PSC complies with Treasury Board policies and directives regarding workforce capacity to fulfill information management roles.
1.3 The PSC complies with Treasury Board requirements for an operational framework that identifies and manages information resources as valuable assets.
1.4 The PSC complies with Treasury Board requirements for methodologies, methods, and tools that support the entire information life cycle.
1.5 The PSC complies with Treasury Board requirements for the identification, marking, storage, and transmission of sensitive information
1.6 Information management activities at the PSC comply with PSC-specific policies and business rules.
|2. Information resources can be found efficiently when needed, and once found, will be of good quality and have appropriate access rights, and their release date and relationship to other documents can be known.||Findability
2.1 Information resources are unique and relevant to those who need them, and are stored with the metadata and in the data structures that are adequate to facilitate efficient findability.
2.2 The search tools are functionally adequate and understood by employees.
|3. Systems and procedures for accessing, storing, transporting, and disposing information resources provide security against unauthorized access and adequate protection of privacy, confidentiality, and work-in-progress.||Security
3.1 3Appropriate procedures for storing, transferring, and sharing sensitive information have been established and are being followed by employees.
3.2 Access to sensitive documents is controlled and monitored.
|4. Processes and structures are in place to adequately inform, direct, manage, and monitor the activities required to meet information management objectives.||Governance
4.1 An established framework for information architecture determines who can take what actions with which information resources (including final documents, drafts, approvals, and notes, and collections of such documents), when and how.
4.2 Roles and responsibilities are adequately defined to ensure effective oversight of the framework for information architecture.
4.3 Strategic planning is adequate to accommodating the needs of stakeholders, reacting to unforeseen circumstances, and ensuring a smooth transition when new technology or processes are introduced
Appendix D – Glossary
- ADSB – Audit and Data Services Branch
- ATIP – Access to Information and Privacy
- BCP – Business Continuity Program
- BIA – Business Impact Assessment
- CIO – Chief Information Officer
- CIOB – Chief Information Officer Branch (a branch of the TB)
- CMB – Corporate Management Branch
- CSEC – Communications Security Establishment Canada
- EMC – Executive Management Committee
- GCDocs – Government of Canada Documents (replacement for RDIMS)
- IAC – Internal Audit Committee
- IAD – Internal Audit Directorate
- IM/ITC – Information Management/Information Technology Committee
- IMO – Information Management Office
- IRBV – Information Resource of Business Value
- ITSD – Information Technology Services Directorate (part of CMB)
- LAC – Library and Archives Canada
- OCG – Office of the Comptroller General
- PDF – Portable Document Format (from Adobe)
- PPC – Personnel Psychology Centre
- PSC – Public Service Commission
- RDIMS – Records Documents and Information Management System
- RTF – Rich Text Format (from Microsoft)
- SSC – Shared Services Canada
- TB – Treasury Board
- TBS – Treasury Board Secretariat
Report a problem or mistake on this page
- Date modified: