Steps to completing an IM assessment
Completing an Information Management (IM) Assessment is a foundational component to developing and maturing the IM Program within your Unit. By completing the assessment, you are taking a risk-based approach to managing information that enables you to identify key areas in which to focus your efforts.
There are four main steps to completing an IM Assessment:
Step 1: Understand IM legal and regulatory framework.
An IM Legal and Regulatory Framework is a compilation of all legislation, policies, procedures, regulations, contracts, and agreements (i.e. collective agreements) that contain IM requirements with which the University, or specifically your Unit, must comply. Once documented and understood, these become your IM Compliance Requirements. To assist with this step, complete the IM Legal and Regulatory Framework Worksheet.
Once the Legal and Regulatory Framework and applicable IM Compliance Requirements have been defined, correlate them to the information within your Unit. Use a risk-based approach to developing your IM program – focus your efforts on the records of highest value. Ask yourself:
- What records does my Unit have overall responsibility for?
- What records produce the greatest volume?
  - Note: Volume doesn’t always dictate importance.
- What records does my Unit retrieve for Access to Information Requests?
- What records contain personal and/or personal health information?
- What records contain confidential information?
  - Think about university confidences, research, third party confidences, etc.
- What records contain information related to health and safety?
- What records support business continuity?
- What records keep me up at night?
Once you have answered the questions above, consider these records Level 1 – Critical. These are the records where the most effort needs to be placed. The following is a detailed breakdown of Level 1 and Level 2 records to assist with this step.
Level 1 - Critical
Level 1 records require a high level of accountability and must have a high level of reliability. These records should have the greatest priority with regard to having the proper information controls in place (i.e. Retention and Disposal Schedules, access controls, secure handling and disposal practices, etc.).
Level 1 records are generally:
- Critical/valuable to the Unit
- Core to the Unit’s overall mandate
- Support decision making within the Unit
- Contain personal/confidential information
- Related to health and safety matters
- Support business continuity
Level 2 - Supportive
Level 2 records are valuable to the Unit but should not take priority until Level 1 records are properly managed. Level 2 records are generally:
- Not core to the Unit’s mandate
- Would not be considered critical in a business continuity scenario
- Transitory records
- Copies of convenience (i.e. copies of invoices/POs)
- Reference material
While Level 2 records may not be as high a priority as Level 1, they still need to be managed securely throughout their lifecycle. Once a Unit feels its Level 1 records are being properly managed, Level 2 should be the next area of focus.
Once your Level 1 records have been defined, begin to assess the controls you have in place to properly manage this information from creation to final disposition. Ask yourself – ‘Are there reasonable controls in place to maintain the confidentiality, integrity and availability of these records?’.
Things to consider:
- Who in the Unit has overall accountability for these records?
- Who is responsible for managing these records throughout the lifecycle?
- What procedures are in place for managing these records?
- Where are these records stored? (In a system, on an individual's machine, on a shared drive, in a filing cabinet, offsite commercial records storage, cloud storage, etc.)
- Are the records organized and easily retrieved?
- Are the records backed up?
- Are the records properly secured?
- Are these records accessible by only one individual?
- Is there an approved Retention and Disposal Schedule for these records?
- Are the records being securely disposed of at the end of their lifecycle?
- Does the Unit have an exit procedure for departing employees? As employees leave your Unit, ensure your Unit’s information is staying with the Unit.
Use the Information Controls Inventory Worksheet as a starting point to begin an inventory of your information controls and also to identify where additional focus is required. This can become the start of your roadmap to maturing the IM Program within your Unit.
Step 4: Contact IM&P to determine next steps.
The Information Management and Protection (IM&P) Office is here to help you, your Unit and your staff. The IM&P Office offers a number of services, tools, and resources to assist Units in developing and maturing their IM Programs:
IM&P Advisory Services – we are available to come to your locations and do site visits, review your records and provide overall IM advice and recommendations.
MUNCLASS – The IM&P Office is developing, in consultation with Units all across the university, a classification and retention plan called MUNCLASS. It is a model file plan and common records schedule intended to provide Units with a starting point when designing or revising their file classification systems.
IM&P Website – Our website was launched in July 2016. It highlights resources and tools that have been developed specifically to address common IM challenges and concerns of Units across the university. Managing email, considerations when scanning paper records, cleaning up shared drives, and how to create good records are examples of the topics covered. We continue to add to the website on a regular basis.
Information Risk Assessments – The IM&P Office has introduced a Cloud Assessment. The assessment is a risk-based approach to assessing cloud providers from an information management, protection, and privacy perspective. Before moving Memorial’s data/services to the cloud, contact us so we can assist your Unit with making an informed decision (ideally the Cloud Assessment can be incorporated into a tender or Request for Proposal). The Cloud Assessment also identifies the necessary contract requirements to ensure Memorial’s data is being properly managed and hidden fees are identified and documented.
IM Community – IM&P is building a university-wide information management (IM) community to share what’s new in information management and protection, including resources and tools, current projects, latest trends, and opportunities for education, training and career development. Encourage your staff to sign up by emailing IM&P and they will be added to our subscription list.