Information Technology
How to use this tool
- This tool is designed for IM specialists to use with relevant business areas when identifying information resources of business value (IRBV) and retention specifications.
- The IRBV and retention specifications contained in this document are recommendations only and should be customized to apply in each institutional context. The complete document should be read before using any recommendations.
- This Generic Valuation Tool does not provide Government of Canada institutions with the authority to dispose of information. Generic Valuation Tools (GVT) are not Records Disposition Authorities (RDA) and do not replace the Multi-Institutional Disposition Authorities (MIDA).
Validation: The business processes and IRBV of this tool have been validated by subject matter experts from the following departments: Shared Services Canada (Spring 2014).
Defining the Activity
Information Technology Services are identified at the sub-program level of the Treasury Board Secretariat’s (TBS) Guide on Internal Services Expenditures: Recording, Reporting and Attributing [Footnote 1] (Guide) and are common across the Government of Canada (GC). Information Technology Services involve activities undertaken to achieve efficient and effective use of information technology to support government priorities and program delivery, to increase productivity, and to enhance services to the public. The management of information technology includes planning, building (or procuring), operating and measuring performance [Footnote 2].
Information technology (IT) plays an important role in government operations, and is a key enabler in transforming the business of government. Information Technology is an essential component of the government’s strategy to address challenges of increasing productivity and enhancing services to the public for the benefit of citizens, businesses, taxpayers and employees [Footnote 3].
The creation of Shared Services Canada has resulted in some of the activities described below no longer being performed in certain organizations. However, this GVT includes all of the activities listed in the Profile of Information Technology Services [Footnote 4], and departments are urged to use it for the IT-related business processes that remain within their departments.
This tool may be used as a starting point for those organizations mandated to perform IT or IT-related services as they proceed with the identification of their IRBVs. In these cases, the business processes as defined in this GVT must be carefully compared to the processes undertaken within these organizations to ensure they are suitably aligned and address any additional activities that may be conducted.
Relationship to Other GVT
Business processes and activities often overlap. When the IRBV from an activity is identified in another GVT, there is a note in the table of IRBV and retention recommendations (below) to direct the user to the proper tool.
Management and Oversight: There is a strong relationship between the Management and Oversight GVT and the management of information technology. Many of the high-level planning processes are already identified under the planning section of management and oversight, as is the development of all policies relating to operations. Additionally, IRBV created in the investment planning activities seen below in section 3.5 (IT Financial Management) are also captured in Management and Oversight.
Human Resources Management: As is commonly found in the internal services, training and disciplinary actions are common business processes that organizations undertake, and to maintain consistency in the management of IRBVs, these particular processes are found in the Human Resources Management GVT.
Communication Services: The communication of notices to staff of software or hardware updates or security notices is a common occurrence in the management of information technology; however, all IRBV related to this process are located in the Internal Communications section of the Communications Services GVT. Additionally, all activities surrounding the collection and use of information resources related to web analytics are addressed in the Communication Services GVT.
Acquisition Services: The management of information technology involves the procurement of the hardware and software necessary for the organization to carry out its mandate. All activities related to the acquisition of new hardware and software, or the contracting of services to develop hardware or software are addressed in the Acquisition Services GVT.
Materiel Management: As many of the operational activities of managing information technology also involve the management of physical objects (servers, desktop or laptop computers, telephones, etc.), all activities related to the physical management (maintenance, disposal) of these items are located in the Materiel Management GVT.
Financial Management: The financial management processes within IT have considerable overlap with the Financial Management GVT; the preparation of budgets, accounting summaries, etc. will all be captured in the Financial Management GVT. However, there are some elements of financial management within the management of information technology that are not captured in Financial Management, such as the setting of costing levels which are unique to IT, and remain within this tool.
Business Processes
The Profile of Information Technology Services (June 2008) is a TBS guideline that “provides an enterprise view and reference point for GC’s IT Programs that supports the development of consistent IT service descriptions and the basis for common planning, design and communications of GC IT Services across government.” [Footnote 5] The Profile describes both service groupings and business processes for IT, but places more emphasis on the service groupings rather than the processes; for the purposes of this document, that emphasis has been altered and the focus is on the processes and the IRBV created in order to provide clear guidance to users. As per the Directive on Management of Information Technology [Footnote 6], departments are to develop and maintain efficient and effective departmental IT practices as informed by Information Technology Infrastructure Library for Service Management (ITIL [Footnote 7]) and Control Objectives for Information and Related Technology (COBIT [Footnote 8]). Accordingly, the processes outlined in this document have been modelled on those described under ITIL and COBIT with additions to conform to TBS policy and procedure.
The Profile of Information Technology Services groups the processes into three broad categories: IT Program Management Process, IT Service Delivery Processes and IT Service Support Process. These broad groupings and the detailed processes described under them form the basis for the management of IT.
The business processes listed below may not be performed by all service groupings, or they may not be performed in the order laid out here; however, these processes form a collective image for how IT is managed.
IT Services Program Management Processes [Footnote 9]
This group of program management functions is dedicated to managing the direction, investment, and overall performance of the program. The IT Services Program Management Processes fall into three groups:
1. Plan and Organize:
This business process sets the direction and objectives for the IT services program. It also includes the processes required to manage the resources common to the program. Processes within this group include: define a strategic IT plan; define the enterprise architecture; determine technological direction; define the IT processes, organisation and relationships; manage the IT investment; communicate management aims and direction; manage IT human resources; manage quality; assess and manage IT risks; and manage projects.
2. Acquire and Implement:
This business process develops and/or acquires and implements IT solutions and their enhancements or maintenance. Processes in this group include: identify automated solutions; acquire and maintain application software; acquire and maintain technology infrastructure; enable operation and use (including user training); procure IT resources; manage program changes; and install and accredit solutions and changes.
3. Monitor and Evaluate:
This business process monitors and evaluates the overall effectiveness of an IT services program. Processes in this group include: monitor and evaluate IT performance; monitor and evaluate internal control; ensure regulatory compliance; and provide IT governance.
IT Service Delivery Processes
This group of processes focuses on service-specific planning, provisioning, delivery, continuity, security and decommissioning processes for the services provided by the program.
4. Service Level Management:
Service Level Management involves the processes of planning, coordinating and reporting on Service Level Agreements (SLAs) between the IT service provider and customer/client group and the ongoing review of service achievements to ensure that service levels and quality are consistently delivered and maintained. Service Level Management should seek to ensure the quality of IT services by aligning technology with business processes in a way that is cost effective.
5. IT Financial Management:
IT Financial Management involves three main processes (budgeting, accounting, and cost recovery charging) to ensure the cost-effective stewardship of IT assets and resources used in providing IT services. Charging is an optional activity and is dependent on the charging policy of the organisation as a whole. The main objective of financial management is to evaluate and control the costs associated with IT services while customers are still offered a high quality of service and there is efficient use of the necessary IT resources.
6. Availability Management:
Availability Management is concerned with the design, implementation, measurement and management of the IT infrastructure to ensure the business requirements are consistently met, according to agreed levels. It is responsible for optimising and monitoring IT services so they can function reliably and without interruption so as to comply with service level agreements at a reasonable cost.
7. Capacity Management:
Capacity Management is the focal point for all IT performance and capacity issues. Capacity Management aims to optimize the amount of capacity needed to deliver a consistent level of current and future services. Capacity management ensures that the information technology processing and storage capacity is adequate to the evolving requirements of the organization as a whole in a timely and cost justifiable manner.
8. IT Service Continuity Management:
IT Service Continuity Management involves undertaking a systematic approach to the creation of a plan and/or set of procedures (which are updated and tested regularly) used to prevent, cope with, and recover from the loss of critical services for extended periods, in line with business continuity plans. It is concerned with preventing any unexpected serious interruptions to IT services as a result of natural disasters or system attacks which may have a catastrophic impact on business. The processes captured in this activity only relate to IT, not organization-wide business continuity planning.
9. IT Security Management:
IT Security Management involves organizing the collection, storage, handling, processing and management of data and services in such a way that the integrity, availability, and confidentiality of business conditions are satisfied. Security management activities must ensure that the electronic information is correct and complete, that it is always available for business purposes and is only used by those who are authorized to do so. In the GC, IT security management is a distinct process from the management of personnel and building security; the processes described here relate only to security for information technology.
IT Service Support Processes:
This group of processes focuses on the day-to-day operational services common to all IT services, which are ‘visible’ to clients/users. They include service/help desk processes which interact directly with IT program customers.
10. Service/Help Desk:
The Service/Help Desk is the single contact point within the organization for all users to seek assistance and support for IT services and/or related problems, incidents, questions, and complaints.
11. Incident Management:
The primary goal of the Incident Management process is to restore normal service as quickly as possible following loss of service, and to minimize the adverse impact on business operations, thus ensuring that the best possible levels of service quality and availability are maintained.
Section 18 of the Operational Security Standard: Management of Information Technology Security [Footnote 10] relates explicitly to response and recovery for IT security incidents and provides details on the actions a department is to take in the event of an IT security incident as well as a listing of the information resources a department is required to keep in the event of an incident. Section 18.3 states that “Departments must maintain operational records that show how incidents were handled, documenting the chain of events during the incident, noting the time when the incident was detected; the actions taken; the rationale for decisions; details of communications; management approval or direction; and external or internal reports” [Footnote 11]. These requirements are not listed as individual IRBV, but it is anticipated that they will be captured as elements within the various IRBV.
12. Problem Management:
The goal of Problem Management is to minimize the adverse impact of incidents and problems on the business that may be caused by errors within the IT infrastructure, and to prevent recurrence of incidents related to these errors. Activities undertaken to find and analyse the underlying cause of a particular incident are addressed here.
13. Change Management:
The goal of Change Management is to ensure that standardized methods and procedures are used for the efficient and prompt handling of all changes, to minimize the impact of change-related incidents and improve day-to-day operations. Change management evaluates and plans the change processes to ensure that if a change is made, it is done in the most efficient way possible, following established procedures and ensuring the quality and continuity of the IT service at all times.
14. Release Management:
Release Management is very closely linked with Configuration Management and Change Management, and undertakes the planning, design, build, and testing of hardware and software to ensure that all aspects of a release, both technical and non-technical, are considered together. Release management is responsible for the implementation and quality control of all hardware and software installed on the live environment.
15. Configuration Management:
Configuration Management covers the identification of significant components within the IT infrastructure and recording details of these components in the Configuration Management Database (CMDB). The main task for configuration management is to keep an up-to-date record of all the components in the IT infrastructure configuration and the interrelationships between them.
Retention
Recommended retention specifications in GVTs are determined based on traditional or best practices, a review of government-wide legislation and policy, and validation with subject matter experts. Retention periods are suggestions only; departments must take into account their own legislative requirements and business needs.
Business Value and Retention Recommendations
1. Plan and Organize
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Define strategic IT plan; Determine the technological direction; Manage IT investment; Assess and manage IT risks; Manage projects | For IRBV please see Management and Oversight GVT | For retention please see Management and Oversight GVT |
| Define the enterprise architecture; Identify and categorize IT assets; Define the IT work processes, organization and relationships | Enterprise architecture maps; List of IT Services and systems; IT process maps | 2 years after last administrative action |
| Manage IT human resources | For IRBV please see Human Resources Management GVT | For retention please see Human Resources Management GVT |
| Communicate management aims and direction | For IRBV please see Communications Services GVT | For retention please see Communications Services GVT |
2. Acquire and Implement
3. Monitor and Evaluate
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Monitor IT performance; Monitor internal controls (inventory, physical access, logical access); Ensure compliance with international standards; Report to TBS names of officers involved in standards activities | Performance reports; Reports on internal control systems; List of officer names and responsibilities | 2 years after last administrative action |
| Provide IT governance | For IRBV please see Management and Oversight GVT | For retention please see Management and Oversight GVT |
4. Service Level Management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Plan Service Level Agreements: Identify IT services and service requirements; Define, build and manage the IT Service Catalog; Define, build and negotiate Service Level Agreements (SLAs); Define, build and negotiate Operational Level Agreements (OLAs); Prepare Service Level Requirements (SLR), Service Specification Sheets, and Service Quality Plans (SQP); Identify Underpinning Contract service requirements (UCs); Coordinate and implement Service Level Agreements | Catalogue of services; Service level requirements; Service specification sheets; Service Level Agreements; Operational level agreements; Memorandum of Understanding; Underpinning contract service requirements; Service quality plans | 2 years after last administrative action |
| Report on Service Level Agreements: Review service achievements; Preparing performance reports; Monitor and manage SLAs, OLAs and UCs; Preparing Service Improvement Programmes (SIP); Provide management information about Service Level Management quality and operations | Performance Statistics Reports; Progress, Benchmark or Monitoring Reports; Improvement Plans | 2 years after last administrative action |
5. IT Financial management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Budget: Undertake budgeting for IT services | For IRBV please see Financial Management GVT | For retention please see Financial Management GVT |
| Account: Identify costs; Define cost elements; Monitor costs; Perform IT charging and billing activities | For IRBV please see Financial Management GVT | For retention please see Financial Management GVT |
| Charge: Define a price setting policy | For IRBV please see Management and Oversight GVT | For retention please see Financial Management GVT |
| Establish a tariff for services provided or products offered | Tariff lists | 6 years after the end of the fiscal year to which the resource corresponds |
6. Availability management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Design infrastructure availability: Determine availability requirements; Compile availability plans | Availability Plan; Metrics for service interruptions; Notices to clients of service interruptions | 2 years after last administrative action |
| Implement infrastructure availability: Run diagnostics on the availability of systems and services | Diagnostic reports | 2 years after last administrative action |
| Measure infrastructure availability: Monitor availability; Monitor maintenance obligations | Availability Reports | 2 years after last administrative action |
| Manage IT infrastructure availability: Report on Incident management quality and operations; Prepare progress reports; Evaluate the impact of security policies on availability; Advise Change Management about the possible impact of a change on availability | Progress reports; Component Failure Impact Analysis; Failure Tree Analysis; Service Outage Analysis; Notifications to Change Management | 2 years after last administrative action |
7. Capacity management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Develop the Capacity Plan; Model and simulate various capacity scenarios; Monitor the use and performance of the IT infrastructure; Solve problems caused by the degradation of service due to increases in demand and partial interruptions to service due to hardware or software faults; Create and maintain the Capacity Database (CDB); Implement capacity-related changes | Capacity plan; Capacity database; Input into Service Level Agreements; Evaluations of the IT infrastructure; Request for change; Capacity Management Performance Reports | 2 years after last administrative action |
8. IT Service Continuity management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Define scope of IT Service Continuity Management; Conduct Business Impact Analysis; Conduct IT Risk Assessment; Create IT business continuity plan and procedures; Define IT Service Continuity Strategy in line with Business Continuity strategy; Perform IT Service Continuity organization and implementation planning activities; Implement standby arrangements and risk reduction measures; Develop IT recovery plans and procedures; Perform Testing of IT recovery plans and procedures; Revise plans following changes to the IT infrastructure; Validate ongoing ability of IT Service Continuity strategies to meet business requirements | IT Service continuity management policy; Risk assessment on IT infrastructure; Risk prevention plan; Emergency management plan (for IT); Business resumption plan (for IT); (Disaster) Recovery plan (for IT); Information resources informing users of an interruption or service degradation, procedures and protocols in the case of an incident; Changed plans as a result of changed infrastructure; Risk analysis reports; Risk analysis assessments; Disaster drill evaluations; Reports on costs associated with prevention and recovery plans; Prevention and recovery procedures | 2 years after last administrative action |
| Perform IT Service Continuity educational training and awareness activities | For IRBV please see Human Resources Management GVT | For retention please see Human Resources Management GVT |
| Review and audit IT recovery plans and procedures | For IRBV please see Management and Oversight GVT | For retention please see Management and Oversight GVT |
9. IT Security (risk) management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Plan: Establish Security Policy or Standards (response procedures); Create Security Plan | For IRBV please see Management and Oversight GVT | For retention please see Management and Oversight GVT |
| Request of Communications Security Establishment (CSE) to review departmental security procedures and telecommunications systems | Management of Information Technology Self-Assessment; Correspondence with CSE (request); Action plan resulting from CSE review; Schedule of changes resulting from CSE review | 2 years after last administrative action |
| Share and exchange IT assets | Written security arrangements | 2 years after last administrative action |
| Assess: Conduct threat and risk assessment; Certify and/or accredit systems or services; Review Requests for Proposals, and other contracting documentation when IT security is implicated | Incident reports; Threat and Risk Assessment; Privacy Impact Assessment; Vulnerability Assessment; Business Impact Assessment; Statement of Sensitivity; Comments on requests for proposals | 2 years after last administrative action |
| Implement: Implement the Security Plan; Appoint a COMSEC custodian; Coordinate implementation of IT Security Management people, process and technologies; Maintain Security Management people, processes and technical infrastructure | Implementation reports; Notification to TBS of COMSEC custodian contact information | 2 years after last administrative action |
| Implement training on security measures | For IRBV please see Human Resources Management GVT | For retention please see Human Resources Management GVT |
| Monitor: Monitor and evaluate compliance with the plan; Review all policies with security implications; Supervise the levels of security by analysing trends, new risks and vulnerabilities; Notify staff of security risks; Monitor compliance with the TBS policy “Operational Security Standard: Management of Information Technology Security (MITS)” | Compliance monitoring reports and evaluations; Copies of Security audit reports; Requests for change as a result of the audit/self-assessment; Communications with staff regarding security risks | 2 years after last administrative action |
| Respond: Incident response coordination; Incident reporting | Incident reports | 2 years after last administrative action |
| Take sanctions when contraventions to IT policy occur | For IRBV please see Human Resources Management GVT | For retention please see Human Resources Management GVT |
| Report: Monitor the networks and online services to detect intruders and attacks; Provide management information about Security Management quality and operations | Monitoring reports | 2 years after last administrative action |
| Evaluate and audit the Security Management supporting infrastructure | For IRBV please see Management and Oversight GVT | For retention please see Management and Oversight GVT |
10. Service/Help Desk
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Log and monitor incidents; Prepare incident reports/responses; Classify problem and document diagnosis; Apply temporary solutions to known errors in collaboration with Problem Management; Work with Configuration Management to ensure that the relevant databases are up-to-date; Manage changes requested through service requests in collaboration with Change Management and Version Management; Check that the support service required is included in the associated service level agreement; Communicate with users; Notify IT Security Coordinator when a security related issue has been reported; Close the incident | Call log / Operational events log / database; Incident / issue reports; Notification to Security Coordinator | 2 years after last administrative action |
11. Incident Management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Plan: Establish mechanisms to respond to IT incidents and to exchange information with designated lead departments; Establish procedure for notifying the appropriate operational personnel of incidents; Communicate bulletins and advisories to staff as necessary | Copy of contact information provided to TBS / Public Safety (IT Security Coordinator/designate and secondary contact) – (SPIN 2002-23); Up to date contact lists; Copies of RCMP IT bulletins; Copies of CSE information bulletins and advisories; Copies of communications to staff | 2 years after last administrative action |
| Identify: Detect and record incidents; Classify incidents; Provide initial incident support | Results from incident detection tools; Monitoring logs; Incident log / database | 2 years after last administrative action |
| Respond: Investigate and diagnose incidents; Resolve incidents and recover service per agreed service levels; Close incidents | Incident response procedures; Documentation regarding the management of incidents including: details of incident, actions taken, rationale for decisions, communications, management approval or direction, internal and external reports | 2 years after last administrative action |
| Report: Report incidents or threats; Participate in threat and risk briefings or teleconferences; Consult legal services when suspicion of criminal activity | Incident or threat report; Correspondence with Public Safety on incident or threat; Notification to appropriate Law Enforcement Agency; Correspondence with legal services; Notice to users; Request for change resulting from an incident | 2 years after last administrative action |
| Recover: Perform regular backups of all systems (data, software, configuration data); Test backups; Develop restoration procedures; Test restoration procedures; Determine retention periods; Document arrangements for off-site backup (3rd parties); Communicate with Public Safety as necessary | Backup tapes; Restoration procedures; Documentation of retention periods; Agreements with 3rd parties; Correspondence with Public Safety | 2 years after last administrative action |
| Analyze: Provide management information about Incident Management quality and operations | Incident Closure and Evaluation Report; Post incident analysis | 2 years after last administrative action |
12. Problem Management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Investigate the underlying causes of any real or potential anomalies in the IT service; Define possible solutions to anomalies; Submit requests for changes needed to re-establish quality of service; Conduct post-implementation reviews | Incident database; Problem log; Problem (management) record; Analysis reports on infrastructure; Requests for change; Knowledge base (database); Reports on classified incidents; Post implementation reviews | 2 years after last administrative action |
13. Change Management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Develop Change Management Policy | For IRBV please see Management and Oversight GVT | For retention please see Management and Oversight GVT |
| Monitor and direct the change process; Record, evaluate and accept or reject the requests for changes received; Hold meetings of the Change Advisory Board; Coordinate the development and implementation of the change; Evaluate the results of the change; Close the change | Approved and rejected requests for change (authorization, documentation and control of changes); Revised approved request for change; Change log; Hardware configuration chart; Change Advisory Board Terms of Reference, roles and responsibilities; Change Advisory Board records of decision; Schedule of changes; Evaluation reports | 2 years after last administrative action |
14. Release Management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Establish a planning policy for the implementation of new versions | For IRBV please see Management and Oversight GVT | For retention please see Management and Oversight GVT |
| Purchase or build new software | For IRBV please see Acquisition Services GVT for purchase of new software or contracting out the build of software when not performed in house | For retention please see Acquisition Services GVT |
| Test new versions in an environment that simulates the live environment as closely as possible; Validate the new versions; Implement new versions in the live environment; Carry out back-out plans to remove the new version if necessary; Update the Definitive software library, the Definitive hardware storage and the Configuration Database; Inform and train users about the functionality of the newly released version | Definitive software library (inventory); Definitive hardware storage (inventory); Configuration Database; Version implementation policy; Back-out plan; Testing reports; Test protocol; User acceptance testing (UAT) case studies; Reports from UAT; Implementation/release schedule; Release/rollout plan; Release/rollout procedure; Communication with Service Desk; Communications with users; Training materials; Reports on release/rollout | 2 years after last administrative action |
15. Configuration Management
| Business Processes | Recommendations: Information Resources of Business Value (IRBVs) | Recommendations: Retention Period |
| --- | --- | --- |
| Identify items within the information technology infrastructure; Record items in the IT infrastructure in the configuration management database; Monitor items in the configuration management database; Report on items in the configuration management database | Configuration management database including a register of software licenses; Reports on the configuration management database | 2 years after last administrative action |