Records and Information Management - Internal Audit Report

July 2006

Table of Contents

Executive Summary
1. Introduction
2. Approach and Methodology
3. Criteria
4. Background
5. Key Risk Factors
6. Observations
7. Recommendations
8. Management Action Plan


Executive Summary

The primary objectives of the audit were to: assess the CIHR's current records and information management practices; identify areas at risk of not meeting legal and legislated requirements (i.e., compliance with the Management of Government Information (MGI) Policy); identify the gap between current state (as is) and MGI compliance, and provide advice on how to address the gap. The audit addressed records and information management practices and processes for all operational functions and for the entire life cycle of records and information, from creation through to final disposition.

IT/net used the Information Management Capacity Check (IMCC) methodology and tool originally developed by the Library and Archives of Canada (LAC), in partnership with BearingPoint. This methodology and tool resulted in the plotting of capacity against pre-defined elements and evaluation criteria for each key element across a maturity model scale of 1-5. The elements and evaluation criteria used to complete the audit, together, formed a comprehensive baseline against which the CIHR could compare itself against MGI compliance. A summary of the 'as is' and 'MGI compliance' state ratings is provided in the Figure below. The 'as is' state is represented by ovals. The state of MGI compliance is represented by the 'stars'.

Legend:  As is: dot     MGI Compliance: star

Element                            | Evaluation Criteria                      | 1 Initial | 2 Defined | 3 Repeatable | 4 Managed | 5 Optimizing
-----------------------------------|------------------------------------------|-----------|-----------|--------------|-----------|-------------
Organizational Context             | Culture                                  |           | dot       | star         |           |
                                   | Change Management                        |           | dot       | star         |           |
                                   | External Environment                     |           | dot       | star         |           |
Organizational Capabilities        | IM Community                             |           | dot       | star         |           |
                                   | Expert Advice                            |           | dot       | star         |           |
                                   | IM Tools                                 |           | dot       | star         |           |
                                   | Technology Integration                   |           | dot       | star         |           |
                                   | Portfolio Management                     | dot       |           | star         |           |
                                   | Project Management                       |           | dot       | star         |           |
                                   | Relationship Management                  |           | dot       | star         |           |
Management of IM                   | Leadership                               | dot       |           | star         |           |
                                   | Strategic Planning                       |           | dot       | star         |           |
                                   | Principles, Policies and Standards       |           | dot       | star         |           |
                                   | Roles and Responsibilities               |           | dot       | star         |           |
                                   | Program Integration                      |           | dot       | star         |           |
                                   | Risk Management                          |           | dot       | star         |           |
                                   | Performance Management                   | dot       |           | star         |           |
Compliance and Quality             | Information Quality                      |           | dot       | star         |           |
                                   | Security                                 |           | dot       | star         |           |
                                   | Privacy                                  |           | dot       | star         |           |
                                   | Business Continuity                      |           |           | dot star     |           |
                                   | Compliance                               |           | dot       | star         |           |
Records and Information Life Cycle | Planning                                 |           | dot       | star         |           |
                                   | Collect, Create, Receive and Capture     |           | dot       | star         |           |
                                   | Organization                             |           | dot       | star         |           |
                                   | Use and Dissemination                    |           | dot       | star         |           |
                                   | Maintenance, Protection and Preservation |           | dot       | star         |           |
                                   | Disposition                              |           |           | star         | dot       |
                                   | Evaluation                               |           | dot       | star         |           |
User Perspective                   | User Awareness                           |           | dot       | star         |           |
                                   | User Training and Support                |           | dot       | star         |           |
                                   | User Satisfaction                        |           | dot       | star         |           |

Key Recommendations

  1. Ensure the development of an IM strategic plan includes an information management framework.
  2. Develop a policy framework to address the management of information throughout the lifecycle, whether paper or electronic (e.g., how information is to be collected and captured; how information is to be organized; how information is to be disposed of; duplication reduction; data quality, etc.).
  3. Leverage good practices and processes within recognized pockets of expertise within the CIHR (e.g., Records Management, Web Services, Analysis and Evaluation) to support the building of organizational capability through expert advice. Data collection showed that capacities, competencies and best practices exist in 'pockets' throughout CIHR. Begin by identifying each 'best practice' and assessing its viability to be used across CIHR in support of consistency and standardization. Similarly, examine ResearchNET to identify best practices and assess the viability of using these best practices elsewhere in the CIHR.
  4. Strategic partnerships with the three GoC IM central agencies (i.e., TBS, LAC, and PWGSC) should be nurtured to support the implementation of these recommendations.
  5. Even though there was a relatively small gap between current security capacity and that required to meet MGI compliance, there were some issues identified regarding information security, and compliance and quality. As a result of these issues, CIHR should evaluate whether Threat and Risk Assessments (TRA) and Privacy Impact Assessments (PIA) would be advisable on all corporate systems. In addition, CIHR's business continuity plans should be tested.
  6. In two years' time, the IMCC evaluation criteria should be re-rated by CIHR to assess progress towards the desired 'to be' state, and, if necessary, the corresponding action plan adjusted accordingly.

1. Introduction

The primary objectives of the audit were to: assess the CIHR's current records and information management practices; identify areas at risk of not meeting legal and legislated requirements (i.e., compliance with the Management of Government Information (MGI) Policy); identify the gap between current state and MGI compliance, and provide advice on how to address the gap. The audit addressed records and information management practices and processes for all operational functions and for the entire life cycle of records and information, from creation through to final disposition.

2. Approach and Methodology

IT/net used the Information Management Capacity Check (IMCC) methodology and tool originally developed by the Library and Archives of Canada (LAC), in partnership with BearingPoint. This methodology and tool resulted in the plotting of capacity against pre-defined elements and evaluation criteria for each key element across a maturity model scale of 1-5 (refer to the next Section, 3.0, for a listing of the elements and evaluation criteria used for this audit). The analysis of the CIHR records and information management program current ('as is') and future, desired (MGI compliance) states then enabled the gap analysis to be performed. IT/net followed a broad 3-step approach to complete the audit:

First, IT/net reviewed the current state of records and information management practices at CIHR. The primary output from this step was a picture of the current state (or 'as is' state) of records and information management in the CIHR and an identification of opportunities and issues. This was accomplished through interviews with key stakeholders and workshops to validate the findings.

Second, Treasury Board Secretariat of Canada had completed a comparative analysis of the evaluation criteria used for this audit to the Management of Government Information (MGI) Policy statements and determined that a rating of '3', or 'repeatable', on the capability maturity model scale achieved basic compliance with the MGI policy. It is then reasonable to assume a desired, future state of 3 for CIHR to achieve (i.e., repeatable).

Third, IT/net completed a GAP analysis between the current and future target states (i.e., MGI compliance) in order to determine the work required to meet the MGI requirements. IT/net then made recommendations to address the gaps identified.

3. Criteria

There were six elements used to conduct the audit: organizational context; organizational capabilities; management of IM; compliance and quality; records and information lifecycle management; and user perspective. Within each element were a combined total of 32 evaluation criteria. Refer to Figure 1 in Section 6 for a detailed list of all evaluation criteria.

4. Background

The responsibility for the CIHR Records Management function comes under the Vice-President, Services and Operations and is delegated through the Chief Information Office (CIO) to the Manager, Records Management. In managing its corporate information, the CIHR must comply with both the Treasury Board Policy on the Management of Government Information (MGI) and CIHR's Records Management Policy.

The CIHR identified the need to assess the current records and information management practices by identifying areas at risk of not meeting legal requirements and the gap between current practices and those practices needed to meet MGI requirements. This assessment also needed to determine the extent to which information under CIHR's control was managed effectively and efficiently throughout its lifecycle, in a privacy-protected manner, that supports informed policy and decision-making and the delivery of high-quality programs, services, and information through a variety of channels and in both official languages.

5. Key Risk Factors

There were many issues documented as a result of the audit. In some cases, there were significant gaps between the current state of capacity for a given evaluation criterion and that required to meet MGI compliance. In some cases, gaps were significant but efforts were being made, or initiatives in place, to address the gaps. For example, analysis showed a significant gap between the current state of leadership and that required to meet MGI compliance. However, current leadership acknowledged their commitment to improving records and information management leadership and demonstrated activities and initiatives to address the gap.

Of all the issues documented throughout the audit, the following key risk factors were identified. The key risk factors documented below were chosen either because of their application and importance to complying with GoC legislation or Policy (i.e., MGI), and/or the operational necessities to address the risk to ensure a sustainable records and information management program.

Portfolio Management - Portfolio management refers to the management of a group of related projects. Together, the group of related projects is referred to as a 'portfolio'. For example, there may be projects ongoing to develop IM policies, develop information classification systems, create a database, or implement a technology system. Together, these four projects constitute a 'portfolio'. If there are no mechanisms to plan, track, and evaluate the overall records and information management project portfolio, there may be less than rigorous management of requirements, scope, costs, schedule, quality, risk and communications which may lead to project performance shortfalls.

Strategic Planning - Strategic planning is one of CIHR's management responsibilities. Planning should link the organization's vision and strategic objectives to its overall management of recorded information, including its portfolio of IM projects, and its information products and services. If strong linkages do not exist between CIHR strategic objectives and priorities, and records and information management plans, the CIHR is at risk of misaligning records and information management products and services with corporate strategic priorities. Furthermore, records and information management will be at risk of not demonstrating its value to the organization.

Roles and Responsibilities - Defining roles and responsibilities in the context of governance is a fundamental aspect to successful operations and a key and fundamental requirement of the MGI policy. Without clearly defined roles and responsibilities, and a corresponding governance structure, CIHR's records and information management program cannot mature to meet its operational requirements to CIHR and legislative requirements to the GoC.

Performance Management - Without performance measures, and processes to track performance against established metrics, there is no way to determine how well the records and information management program is actually performing and if it is contributing to the success of the CIHR.

Security and Privacy - Failure to provide adequate security and privacy infrastructure, and to demonstrate compliance with applicable legislation, puts CIHR at risk of media scrutiny, compromised business relationships, and potential legal action and proceedings.

6. Observations

A summary of the 'as is' and 'MGI requirements' state ratings is provided in the Figure below. The 'as is' state is represented by ovals. The 'MGI requirements' state is represented by the 'stars'. The complete 'as is' and 'MGI' IMCC assessment findings can be found in Section 3.2 of the Reference Document to the Internal Audit Report and in Appendix I of the Records and Information Management Audit Appendices document. Included are the six IMCC capacity elements, their evaluation criteria, and the assessed 'as is' and 'to be' capacity ratings for CIHR, each presented in a separate table.

Figure 1: 'As Is' and 'To Be' RM/IM Capacity Ratings

Legend:  As is: dot     MGI Compliance: star

Element                            | Evaluation Criteria                      | 1 Initial | 2 Defined | 3 Repeatable | 4 Managed | 5 Optimizing
-----------------------------------|------------------------------------------|-----------|-----------|--------------|-----------|-------------
Organizational Context             | Culture                                  |           | dot       | star         |           |
                                   | Change Management                        |           | dot       | star         |           |
                                   | External Environment                     |           | dot       | star         |           |
Organizational Capabilities        | IM Community                             |           | dot       | star         |           |
                                   | Expert Advice                            |           | dot       | star         |           |
                                   | IM Tools                                 |           | dot       | star         |           |
                                   | Technology Integration                   |           | dot       | star         |           |
                                   | Portfolio Management                     | dot       |           | star         |           |
                                   | Project Management                       |           | dot       | star         |           |
                                   | Relationship Management                  |           | dot       | star         |           |
Management of IM                   | Leadership                               | dot       |           | star         |           |
                                   | Strategic Planning                       |           | dot       | star         |           |
                                   | Principles, Policies and Standards       |           | dot       | star         |           |
                                   | Roles and Responsibilities               |           | dot       | star         |           |
                                   | Program Integration                      |           | dot       | star         |           |
                                   | Risk Management                          |           | dot       | star         |           |
                                   | Performance Management                   | dot       |           | star         |           |
Compliance and Quality             | Information Quality                      |           | dot       | star         |           |
                                   | Security                                 |           | dot       | star         |           |
                                   | Privacy                                  |           | dot       | star         |           |
                                   | Business Continuity                      |           |           | dot star     |           |
                                   | Compliance                               |           | dot       | star         |           |
Records and Information Life Cycle | Planning                                 |           | dot       | star         |           |
                                   | Collect, Create, Receive and Capture     |           | dot       | star         |           |
                                   | Organization                             |           | dot       | star         |           |
                                   | Use and Dissemination                    |           | dot       | star         |           |
                                   | Maintenance, Protection and Preservation |           | dot       | star         |           |
                                   | Disposition                              |           |           | star         | dot       |
                                   | Evaluation                               |           | dot       | star         |           |
User Perspective                   | User Awareness                           |           | dot       | star         |           |
                                   | User Training and Support                |           | dot       | star         |           |
                                   | User Satisfaction                        |           | dot       | star         |           |

Overall, the CIHR is at a 'defined' state of capacity regarding its records and information management program. To meet basic MGI compliance, the CIHR needs to achieve a 'repeatable' or higher state of capacity. In addition to the key risks noted in Section 5 of this Internal Audit Report, several other findings and issues were noted.

  1. Mechanisms to plan, track, and evaluate the overall records and information management project portfolio are limited, and standard tools and techniques do not exist to support planning, tracking, and oversight.
  2. Desired results, strategic priorities and resources were not clearly stated in records and information management functional plans. Strong linkages were not reported to exist between strategic objectives and priorities, and the records and information management functional plans, operational plans and budgets. Results achieved in the records and information management function were not reported to be monitored against strategic priorities.
  3. Records and information management roles and responsibilities are not clearly defined and understood, and overlaps and gaps in records and information management responsibilities exist.
  4. High-level strategic measures for records and information management were not in place in the organization, and linkages between records and information management and organizational measures were not evident.
  5. CIHR could not demonstrate compliance with all aspects of records and information management security and privacy requirements. For example, Threat and Risk Assessments (TRAs) and Privacy Impact Assessments (PIAs) are not conducted for the records and information management infrastructure (i.e., systems and processes).
  6. Consultation participants noted that from a cultural perspective there is a lack of interest in records and information management on the part of senior management and, therefore, records and information management is not seen as a priority for the CIHR. As a result, consultation participants felt there will be a challenge to change the current culture to one that needs to adhere to rules, corporate standards and compliance measures. Generally, records and information management is not recognized as a strategic asset and senior management are not aware of the need to think of information as a strategic asset.

    However, the CIO is increasingly getting calls from senior management to demonstrate the sustainability and value of records and information management in research for Health. Furthermore, the CIO believes there is more commitment than ever to records and information management at CIHR. With international reviews, increases in ATIP requests, research outcomes, the transition of the Institutes, and ResearchNET, records and information management has become more important to CIHR; but there is much work to be done to ensure records and information are seen as a strategic asset for CIHR.
  7. Change management implications related to records and information management were not well understood. The lack of change management in records and information management will be addressed with an upcoming strategy being developed for records and information management.
  8. From a resource perspective, there is a lack of records and information specialists and a lack of a records management system to support the management of all records to ensure compliance with the MGI policy. Consultation participants expressed the need for more records and information management formal training for all CIHR staff.
  9. CIHR records and information management capabilities with respect to grants and award records were assessed as quite good and very efficient. Corporately, there was a gap with the management of electronic documents (especially email management) with no naming conventions for files on common drives and no inventory of available electronic records and associated documents. Senior management needs to support records and information management by ensuring a corporate electronic document and records management system is deployed to everyone and by making sure that the system's use is compulsory.
  10. New programs need to work closely with records and information management staff to ensure that space, workload, budget and system requirements are taken into consideration. Records and information management experts should be represented on projects to provide cross-project expertise.

7. Recommendations

The following are recommendations the Canadian Institutes of Health Research (CIHR) may wish to consider in moving forward to develop an action plan.

1. Ensure the development of an IM strategic plan currently being undertaken by ITMS includes an information management framework that would consist of:

  1. IM definition
    1. Vision
    2. Goals
    3. Principles
    4. Scope
  2. Products and Services
  3. Governance
    1. Structure
    2. Roles and Responsibilities
  4. Service Delivery Model
  5. Implementation Plan or Roadmap
    1. Required resources
    2. Operational organizational structure
    3. Professional development plan for records/information specialists and practitioners
    4. Training/orientation plan for end-users

The IM vision and strategy that is developed should include a holistic information architecture for the Canadian Institutes of Health Research consisting of an integrated business, data, application, and technology architecture. The CIHR should leverage the work the ITMS and ResearchNET groups have completed in creating an enabling technology architecture. The IM vision and strategy needs to be linked to corporate-level strategic planning efforts.

The IM vision and strategy that is developed should include a change management strategy to support implementation of the recommendations. The change management strategy should focus primarily on communication of any action plan developed to address the recommendations. This would include the identification of quick hits and measurable results (i.e., performance measures, role profiles, and transition from paper-based records to electronic) to promote successes and to build on the momentum throughout the implementation of the action plan. Make sure the Institutes are included in the communication to help build consensus across the Institutes and ultimately the CIHR.

2. Develop a policy framework to address the management of information throughout the lifecycle, whether paper or electronic (e.g., how information is to be collected and captured; how information is to be organized; how information is to be disposed of; duplication reduction; data quality, etc.). The framework should incorporate audit, evaluation and compliance components that are based on standards and performance indicators.

3. Leverage good practices and processes within recognized pockets of expertise within the CIHR to support the building of organizational capability through expert advice. Data collection showed that capacities, competencies and best practices exist in 'pockets' throughout CIHR. Begin by identifying each 'best practice' and assessing its viability to be used across CIHR in support of consistency and standardization. For example, the following disciplines or areas within CIHR should be looked at carefully to support records management and information management capacity/capability building:

Records Management:

  • Provide support for records and information lifecycle management through requirements identified in policies, programs, services and systems.
  • Provide ATIP and privacy training.

Web Services:

  • Demonstrate solid level of understanding as it relates to content management, taxonomy, and metadata.

Analysis and Evaluation:

  • Provide leadership in the development of corporate-wide data management policies, programs, services and systems.

ResearchNET:

  • Provide the CIHR with an enterprise-wide structure and process to manage change on an ongoing basis, versus on a project-by-project basis.

4. Strategic partnerships with the three GoC IM central agencies (i.e., TBS, LAC, and PWGSC) should be nurtured to support the implementation of these recommendations. Each of the central agencies is working on significant initiatives which have the potential to benefit all GoC departments. For example, PWGSC's DIMES (Document and Information Management Executive Services) Project Management Office (PMO) can provide RDIMS resources to the CIHR when the CIHR is ready to move forward with their EDMS initiative. TBS is continually developing its Framework for the Management of Information (FMI) and the FMI offers GoC Departments valuable tools to help them manage their information resources. LAC is currently engaged in significant metadata initiatives that are intended to produce useful guidelines and standards for GoC undertaking their own metadata initiatives. These are just a few examples; there are many more. The CIHR needs to leverage the fine work going on in the three GoC IM central agencies to support the implementation of any action plan they develop to address these audit findings.

5. Even though there was a relatively small gap between current security capacity and that required to meet MGI compliance, there were some issues identified regarding information security, and compliance and quality. As a result of these issues, CIHR should evaluate whether Threat and Risk Assessments (TRA) and Privacy Impact Assessments (PIA) would be advisable on all corporate systems. In addition, CIHR's business continuity plans should be tested.

6. In two years' time, the IMCC evaluation criteria should be re-rated by CIHR to assess progress towards the desired 'to be' state, and, if necessary, the corresponding action plan adjusted accordingly.

8. Management Action Plan

Each recommendation is listed below together with its Action Plan, Responsibility and Time Frame.

Recommendation 1: Ensure the development of an IM strategic plan currently being undertaken by ITMS includes an information management framework that would consist of:

a. IM definition

  1. Vision
  2. Goals
  3. Principles
  4. Scope

b. Products and Services

c. Governance

  1. Structure
  2. Roles and Responsibilities

d. Service Delivery Model

e. Implementation Plan or Roadmap

  1. Required resources
  2. Operational organizational structure
  3. Professional development plan for records/information specialists and practitioners
  4. Training/orientation plan for end-users

Action Plan:

CIHR's Information and Technology Management Services (ITMS) Branch is in the process of developing a three-year strategic plan. The result of consultations with key senior executives confirms the business need identified in this audit: an IM framework is one of the senior executives' top three business priorities. As a result, IM will be a priority within the ITMS strategic plan. ITMS will lead the development of a business case to support the implementation of an IM program at CIHR. In preparation, ITMS has recently completed an analysis of the cost and process to implement and operate RDIMS, an electronic document management system, one component of information management. In addition, ITMS is in the process of recruiting a Meta-Data Architect who will provide the in-house expertise to assist in the development and maintenance of CIHR's information architecture.

In addition to the framework table of contents that is recommended in this audit, CIHR's IM Strategic Plan will include consultations with staff to determine the priorities within the IM definition, products and services, governance, the IM/IT technology impact and the gaps in our current capacity. These will form the basis for the Service Delivery Model and Implementation Roadmap. The training/orientation plan for end-users will be expanded to encompass a complete change management and communication plan.

Responsibility: CIO

Time Frame: IM strategic plan to be completed by September 2007

This is a large undertaking for CIHR and as evidenced by this audit, there are limited experts resident at CIHR in this field. Business Cases will be submitted to assist in the development of the plan and in its execution. The plan for realizing this recommendation is broken down as follows:

Fall 06: Delivery of CIHR's ITMS Strategic Plan (IM is one of the 3 top priorities)

Feb 07: Delivery of business case to support the development of the IM strategic plan

Apr - May 07: Consultations on contents of plan

Jun - Aug 07: Analysis of consultations, development of options and plan

Aug - Sept 07: Submit plan for approval to EEMC

Fall 07: Business case submission for funding to implement plan.

Recommendation 1 (cont'd):

The IM vision and strategy that is developed should include a holistic information architecture for the Canadian Institutes of Health Research consisting of an integrated business, data, application, and technology architecture. The CIHR should leverage the work the ITMS and ResearchNET groups have completed in creating an enabling technology architecture. The IM vision and strategy needs to be linked to corporate-level strategic planning efforts.

The IM vision and strategy that is developed should include a change management strategy to support implementation of the recommendations. The change management strategy should focus primarily on communication of any action plan developed to address the recommendations. This would include the identification of quick hits and measurable results (i.e., performance measures, role profiles, and transition from paper-based records to electronic) to promote successes and to build on the momentum throughout the implementation of the action plan. Make sure the Institutes are included in the communication to help build consensus across the Institutes and ultimately the CIHR.

Action Plan: These final two paragraphs are also listed in Recommendation #3. Action plans are provided in the response to Recommendation #3.

Recommendation 2: Develop a policy framework to address the management of information throughout the lifecycle, whether paper or electronic (e.g., how information is to be collected and captured; how information is to be organized; how information is to be disposed of; duplication reduction; data quality, etc.). The framework should incorporate audit, evaluation and compliance components that are based on standards and performance indicators.

Action Plan: A policy framework will be part of the IM Strategy. Policies covering our current information management services such as archiving and retention and document disposal are presently under development and will be included in the IM policy framework.

Responsibility: CIO

Time Frame: The framework will be delivered by Sept 07 (to be confirmed by IM Strategic plan)

Recommendation 3: Leverage good practices and processes within recognized pockets of expertise within the CIHR to support the building of organizational capability through expert advice. Data collection showed that capacities, competencies and best practices exist in 'pockets' throughout CIHR. Begin by identifying each 'best practice' and assessing its viability to be used across CIHR in support of consistency and standardization. For example, the following disciplines or areas within CIHR should be looked at carefully to support records management and information management capacity/capability building:

Records Management:

  • Provide support for records and information lifecycle management through requirements identified in policies, programs, services and systems.
  • Provide ATIP and privacy training.

Action Plan (Records Management): The Manager, Records Management and Access to Information and Privacy (ATIP), currently gives training sessions to employees, available usually on a monthly basis and primarily to new employees. However, the staffing of a dedicated Access to Information and Privacy (ATIP) Coordinator (currently in progress) will allow for an increase in the number of sessions given to new employees as well as refresher sessions. The ITMS Branch is presently evaluating the possibility of implementing an electronic document management system for CIHR. This would provide an effective means for the identification, location and administration of the overall inventory of information holdings. Until such time as such a system is implemented, the Records Management Unit will develop an education campaign to increase employee awareness of sound record management practices.

Responsibility: CIO

Time Frame:

Support: Ongoing

ATIP staffing to be completed by December 2006

An electronic document management system implementation to be completed by March 2009 (to be confirmed by IM strategic plan, subject to business case approval and funding availability).

Increased training: June 2007

Web Services:

  • Demonstrate solid level of understanding as it relates to content management, taxonomy, and metadata.

Action Plan (Web Services): The Web Services Centre has developed expertise in content management, while its soon-to-be-hired Meta-Data Information Architect will provide the expertise in taxonomy and meta-data.

Responsibility: CIO in collaboration with Director of Communications

Time Frame: March 2007 (Metadata Information Architect position staffed)

Analysis and Evaluation:

  • Provide leadership in the development of corporate-wide data management policies, programs, services and systems.

Action Plan (Analysis and Evaluation): The Analysis and Evaluation team is currently being expanded to include experts to work with ITMS to develop corporate-wide data management policies, services and systems as they will be defined in the IM Strategic Plan. The roles and responsibilities will be defined for each approved project with the IM framework.

Responsibility: CIO and Director, Evaluation and Analysis

Time Frame: Ongoing

ResearchNET:

  • Provide the CIHR with an enterprise-wide structure and process to manage change on an ongoing basis, versus on a project-by-project basis.

Action Plan (ResearchNet): ResearchNet is a large three-year project (April 05 - March 08) to develop eServices for the research community to conduct business with CIHR. It is transforming the way the research community interacts with CIHR and how staff administers its programs. As such, there is a strong change management component which has been one of ResearchNet's critical success factors.

Responsibility: CIO

Time Frame: March 2008 (end date of current funding for ResearchNet project)

Action Plan (ResearchNet, cont'd): CIHR does not have an ongoing enterprise-wide change management program and there are no current plans to initiate a corporate change management office. Lessons have been learned and good practices developed through the ResearchNet project. The IM framework and business plan will incorporate these approaches and consider the lessons learned in developing its own change management activities. The IM business case will include a request for the staff and activities needed to ensure change management.

Time Frame: Identification of IM change management approach and activities to be completed with the IM Strategic Plan in Sept. 2007.

Recommendation 4: Strategic partnerships with the three GoC IM central agencies (i.e., TBS, LAC, and PWGSC) should be nurtured to support the implementation of these recommendations. Each of the central agencies is working on significant initiatives which have the potential to benefit all GoC departments. For example, PWGSC's DIMES (Document and Information Management Executive Services) Project Management Office (PMO) can provide RDIMS resources to the CIHR when the CIHR is ready to move forward with its EDMS initiative. TBS is continually developing its Framework for the Management of Information (FMI), and the FMI offers GoC departments valuable tools to help them manage their information resources. LAC is currently engaged in significant metadata initiatives that are intended to produce useful guidelines and standards for GoC departments undertaking their own metadata initiatives.

These are just a few examples; there are many more. The CIHR needs to leverage the fine work going on in the three GoC IM central agencies to support the implementation of any action plan they develop to address these audit findings.

Management Response: As part of the IM Strategy, specific alliances will be identified to leverage existing Government of Canada expertise, action and products. Currently, the records office works closely with Library and Archives Canada (LAC) for the retention and disposition of files. It has also been in contact with PWGSC to gather additional information from DIMES. These and other contacts will continue to be helpful as CIHR develops its IM framework.

Responsibility: Records Management
Timeline: Ongoing

Recommendation 5: Even though there was a relatively small gap between current security capacity and that required to meet MGI compliance, there were some issues identified regarding information security, and compliance and quality. As a result of these issues, CIHR should evaluate whether Threat and Risk Assessments (TRA) and Privacy Impact Assessments (PIA) would be advisable on all corporate systems. In addition, CIHR's business continuity plans should be tested.
Management Response:
  1. Under the Management of Information Technology Security standards (MITS), there is a requirement for the completion of Threat and Risk Assessments (TRA) on all systems. TRAs will be conducted on all critical systems by December 2006 and on the remaining systems in 2007-2008.
  2. CIHR is in the process of staffing the position of ATIP Coordinator. Upon arrival at CIHR, the Coordinator will evaluate the need for Privacy Impact Assessments and whether or not they are required on all systems.
  3. CIHR's business continuity plan is in revision, and our IT disaster recovery plan will be finalized, including testing, by March 2007.

Responsibility: CIO
Timeline:
  1. March 2008
  2. December 2006
  3. March 2007

Recommendation 6: In two years' time, the IMCC evaluation criteria should be re-rated by CIHR to assess progress towards the desired 'to be' state and, if necessary, the corresponding action plan adjusted accordingly.

Management Response: The IM Strategy will include all recommendations in a detailed plan with a description of milestones for evaluation on a yearly basis until completion. Ongoing monitoring will also be included to ensure that CIHR is on track. A re-rating of the IMCC evaluation criteria will be conducted in September 2008.

Responsibility: CIO
Timeline: September 2008