Information Technology

Table of contents

• Defining the Activity
• Relationship to Other GVT
• Business Processes
• Retention
• Business Value and Retention Recommendations
  1. Plan and Organize
  2. Acquire and Implement
  3. Monitor and Evaluate
  4. Service Level Management
  5. IT Financial management
  6. Availability Management
  7. Capacity Management
  8. IT Service Continuity Management
  9. IT Security (risk) Management
  10. Service/Help Desk
  11. Incident Management
  12. Problem Management
  13. Change Management
  14. Release Management
  15. Configuration Management

How to use this tool

• This tool is designed for IM specialists to use with relevant business areas when identifying information resources of business value (IRBV) and retention specifications.
• The IRBV and retention specifications contained in this document are recommendations only and should be customized to apply in each institutional context. The complete document should be read before using any recommendations.
• This Generic Valuation Tool does not provide Government of Canada institutions with the authority to dispose of information. Generic Valuation Tools (GVT) are not Records Disposition Authorities (RDA) and do not replace the Multi-Institutional Disposition Authorities (MIDA).

Validation:The business processes and IRBV of this tool have been validated by subject matter experts from the following departments: Shared Services Canada (Spring 2014).

Defining the Activity

Information Technology Services are identified at the sub-program level of the Treasury Board Secretariat’s (TBS) Guide on Internal Services Expenditures: Recording, Reporting and Attributing ^Footnote1(Guide) and are common across the Government of Canada (GC). Information Technology Services involve activities undertaken to achieve efficient and effective use of information technology to support government priorities and program delivery, to increase productivity, and to enhance services to the public. The management of information technology includes planning, building (or procuring), operating and measuring performance ^Footnote2.

Information technology (IT) plays an important role in government operations, and is a key enabler in transforming the business of government. Information Technology is an essential component of the government’s strategy to address challenges of increasing productivity and enhancing services to the public for the benefit of citizens, businesses, taxpayers and employees ^Footnote3.

The creation of Shared Services Canada has resulted in some of the activities described below no longer being performed in certain organizations. However this GVT includes all of the activities listed in the Profile of Information Technology Services ^Footnote4 and departments are urged to use it for the IT related business processes that remain within their departments.

This tool may be used as a starting point for those organizations mandated to perform IT, or IT related services as they proceed with the identification of their IRBVs. In these cases, the business processes as defined in this GVT must be carefully compared to the processes undertaken within these organizations to ensure they are suitably aligned and address any additional activities that may be conducted.

Relationship to Other GVT

Business processes and activities often overlap. When the IRBV from an activity is identified in another GVT, there is a note in the table of IRBV and retention recommendations (below) to direct the user to the proper tool.

Management and Oversight: There is a strong relationship between the Management and Oversight GVTand the management of information technology. Many of the high level planning processes are already identified under the planning section of management and oversight, as is the development of all policies relating to operations. Additionally, IRBV created in the investment planning activities seen below in section 3.5 (IT Financial Management) are also captured in Management and Oversight.

Human Resources Management: As is commonly found in the internal services, training and disciplinary actions are common business processes that organizations undertake, and to maintain consistency in the management of IRBVs, these particular processes are found in the Human Resources Management GVT.

Communication Services: The communication of notices to staff of software or hardware updates or security notices are a common occurrence in the management of information technology, however, all IRBV related to this process are located in the Internal Communications section of the Communications Services GVT. Additionally, all a activities surrounding the collection and use of information resources related to web analytics are addressed in the Communication Services GVT.

Acquisition Services: The management of information technology involves the procurement of the hardware and software necessary for the organization to carry out its mandate. All activities related to the acquisition of new hardware and software, or the contracting of services to develop hardware or software are addressed in the  Acquisition Services GVT.

Materiel Management: As many of the operational activities of managing information technology also involves the management of the physical objects (servers, desktop or laptop computers, telephones, etc.), all activities related to the physical management (maintenance, disposal) of these items is located in the Materiel Management GVT.

Financial Management: The financial management process within IT have considerable overlap with the Financial Management GVT; the preparation of budgets, accounting summaries, etc. will all be captured in the Financial Management GVT. However, there are some elements of financial management within the management of information technology that are not captured in Financial Management, such as the setting of costing levels which are unique to IT, and remain within this tool.

Business Processes

The Profile of Information Technology Services (June 2008) is a TBS guideline that “provides an enterprise view and reference point for GC’s IT Programs that supports the development of consistent IT service descriptions and the basis for common planning, design and communications of GC IT Services across government.” ^Footnote5. The Profile describes both service groupings and business processes for IT, but places more emphasis on the service groupings rather than the processes; for the purposes of this document, that emphasis has been altered and the focus is on the processes and the IRBV created in order to provide clear guidance to users. As per the Directive on Management of Information Technology ^Footnote6, departments are to develop and maintain efficient and effective departmental IT practices as informed by Information Technology Infrastructure Library for Service Management (ITIL ^Footnote7) and Control Objectives for Information and Related Technology (COBIT ^Footnote8). Accordingly, the processes outlined in this document have been modelled on those described under ITIL and COBIT with additions to conform to TBS policy and procedure.

The Profile of Information Technology Services groups the processes into three broad categories: IT Program Management Process, IT Service Delivery Processes and IT Service Support Process. These broad groupings and the detailed processes described under them form the basis for the management of IT. 

The business processes listed below may not be performed by all service groupings, or they may not be performed in the order laid out here; however, these processes form a collective image for how IT is managed.

IT Services Program Management Processes ^Footnote9

This group of program management functions is dedicated to managing the direction, investment, and overall performance of the program. The IT Services Program Management Processes fall into three groups:

1. Plan and Organize:

This business process sets the direction and objectives for the IT services program. It also includes the processes required to manage the resources common to the program. Processes within this group include define a strategic IT plan; define the enterprise architecture; determine technological direction; define the IT processes, organisation and relationships; manage the IT investment; communicate management aims and direction; manage IT human resources; manage quality; assess and manage IT risks; and manage projects.

2. Acquire and Implement:

This business process develops and/or acquires and implements IT solutions and their enhancements or maintenance. Processes in this group include identify automated solutions; acquire and maintain application software; acquire and maintain technology infrastructure; enable operation and use (including user training); procure IT resources; manage program changes; and install and accredit solutions and changes.

3. Monitor and Evaluate:

This business process monitors and evaluates the overall effectiveness of an IT services program. Processes in this group include monitor and evaluate IT performance; monitor and evaluate internal control; ensure regulatory compliance; and provide IT governance.

IT Service Delivery Processes

This group of processes focuses on service-specific planning, provisioning, delivery, continuity, security and decommissioning processes for the services provided by the program.

4. Service Level Management:

Service Level Management involves the processes of planning, coordinating and reporting on Service Level Agreements (SLAs) between the IT service provider and customer/client group and the ongoing review of service achievements to ensure that service levels and quality are consistently delivered and maintained. Service Level Management should seek to ensure the quality of IT services by aligning technology with business processes in a way that is cost effective.

5. IT Financial Management:

IT Financial Management involves three main processes - budgeting, accounting, and cost recovery charging – to ensure the cost-effective stewardship of IT assets and resources used in providing IT services. Charging is an optional activity and is dependent on the charging policy of the organisation as a whole. The main objective of financial management is to evaluate and control the costs associated with IT services while customers are still offered a high quality of service and there is efficient use of the necessary IT resources.

6. Availability Management:

Availability Management is concerned with the design, implementation, measurement and management of the IT infrastructure to ensure the business requirements are consistently met, according to agreed levels. It is responsible for optimising and monitoring IT services so they can function reliably and without interruption so as to comply with service level agreements at a reasonable cost.

7. Capacity Management:

Capacity Management is the focal point for all IT performance and capacity issues. Capacity Management aims to optimize the amount of capacity needed to deliver a consistent level of current and future services. Capacity management ensures that the information technology processing and storage capacity is adequate to the evolving requirements of the organization as a whole in a timely and cost justifiable manner.

8. IT Service Continuity Management:

IT Service Continuity Management involves undertaking a systematic approach to the creation of a plan and or set of procedures (which are updated and tested regularly) used to prevent, cope with, and recover from the loss of critical services for extended periods, in line with business continuity plans. It is concerned with preventing any unexpected serious interruptions to IT services as a result of natural disasters or system attacks which may have a catastrophic impact on business. The processes captured in this activity only relate to IT, not organization wide business continuity planning.

9. IT Security Management:

IT Security Management involves organizing the collection, storage, handling, processing and management of data and services in such a way that the integrity, availability, and confidentiality of business conditions are satisfied. Security management activities must ensure that the electronic information is correct and complete, that it is always available for business purposes and is only used by those who are authorized to do so. In the GC, IT security management is a distinct process from the management of personnel and building security, the processes described here relate only to security for information technology.

IT Service Support Processes:

This group of processes focuses on the day-to-day operational services common to all IT services, and are ‘visible’ to clients/users. They include service/help desk processes which interact directly with IT program customers

10. Service/Help Desk:

The Service/Help Desk is the single contact point within the organization for all users to seek assistance and support for IT services and/or related problems, incidents, questions, and complaints.

11. Incident Management:

The primary goal of the Incident Management process is to restore normal service as quickly as possible following loss of service, and to minimize the adverse impact on business operations, thus ensuring that the best possible levels of service quality and availability are maintained.

Section 18 of the Operational Security Standard: Management of Information Technology Security ^Footnote10relates explicitly to response and recovery for IT security incidents and provides details on the actions a department is to take in the event of an IT security incident as well as a listing of the information resources a department is required to keep in the event of an incident. Section 18.3 states that “Departments must maintain operational records that show how incidents were handled, documenting the chain of events during the incident, noting the time when the incident was detected; the actions taken; the rationale for decisions; details of communications; management approval or direction; and external or internal reports” ^Footnote11. These requirements are not listed as individual IRBV, but it is anticipated that they will be captured as elements within the various IRBV.

12. Problem Management:

The goal of Problem Management is to minimize the adverse impact of incidents and problems on the business that may be caused by errors within the IT infrastructure, and to prevent recurrence of incidents related to these errors. Activities undertaken to find and analyse the underlying cause of a particular incident are addressed here.

13. Change Management:

The goal of Change Management is to ensure that standardized methods and procedures are used for the efficient and prompt handling of all changes, to minimize the impact of change-related incidents and improve day-to-day operations.  Change management evaluates and plans the change processes to ensure that if a change is made, it is done in the most efficient way possible, following established procedures and ensuring the quality and continuity of the IT service at all times.

14. Release Management:

Release Management is very closely linked with Configuration Management and Change Management, and undertakes the planning, design, build, and testing of hardware and software to ensure that all aspects of a release, both technical and non- technical, are considered together. Release management is responsible for the implementation and quality control of all hardware and software installed on the live environment.

15. Configuration Management:

Configuration Management covers the identification of significant components within the IT infrastructure and recording details of these components in the Configuration Management Database (CMDB). The main task for configuration management is to keep an up-to-date record of all the components in the IT infrastructure configuration and the interrelationships between them.

Retention

Recommended retention specifications in GVTs are determined based on traditional or best practices, a review of government-wide legislation and policy, and validation with subject matter experts. Retention periods are suggestions only; departments must take into account their own legislative requirements and business needs.

Business Value and Retention Recommendations

1. Plan and Organize

2. Acquire and Implement

3. Monitor and Evaluate

4. Service Level Management

5. IT Financial management

6. Availability management

7. Capacity management

8. IT Service Continuity management

9. IT Security (risk) management

10. Service/Help Desk

11. Incident Management

12. Problem Management

13. Change Management

14. Release Management

15. Configuration Management