Information Management and Protection (IM&P) Glossary of Terms

The Information Management and Protection (IM&P) Glossary of Terms is provided to establish a common understanding of terms that are essential to building an overall understanding of IM&P. Where possible, industry standards or authoritative sources have been referenced. Terms that do not include a reference have been developed internally by the OCIO. This glossary is updated as required. Please forward suggestions or comments to IM@gov.nl.ca.

Abandoned Record
Active Record
Archival Appraisal
Archival Records
Archives
Authentication
Authenticity
Authoritative Record
Availability
Cabinet Record
Classification Plan
Confidential Information
Corporate Records
Corporate Records and Information Management (C-RIMS)
Destruction
Directive
Disposition
Disposition Authority
Electronic Mail (Email)
Electronic Records Management Software (ERMS)
Encryption
Governance
Government
Government Record
Government Records Committee (GRC)
Guideline
Guiding Principles
IM Compliance
IM Compliance Management
IM Education and Awareness
IM Governance Framework
IM Guiding Principles
IM Inventory
IM Legal and Regulatory Framework
IM Mission
IM Mission Statement
IM Policy Instruments
IM Program
IM Program Plan
IM Vision
IM Vision Statement
Individual
Information Classification
Information Governance
Information Management
Information Management and Protection (IM&P) Policy
Information Management Capacity Assessment Tool (IMCAT)
Information Management System for Administrative Records (IMSAR)
Information Protection
Information Security
Information Security Architecture
Information Security Framework
Information Security Governance
Information Security Program
Information Security Program Framework
Information Security Strategy
Information Technology
Instant Messaging
Integrity
Legal Hold
Life Cycle
Metadata
Migration
Mission
Mission Statement
Office of Primary Responsibility (OPR)
One Time Disposal
One Time Disposal Submission
Operational Records
Personal Information
Phishing
Policy
Principle
Privacy
Procedure
Public Body
Record
Record Series
Records Management
Records Retention and Disposal Schedule (RRDS)
Security Council (OCIO)
Security Policy
Security Threat
Semi-Active Records
SPAM
Spoliation
Stakeholders
Standard
Third Party (Service Provider)
Threat
Transitory Record
Vision
Vision Statement
Vital Record
Vulnerability

Abandoned Record: a record to which ownership cannot be established and which has been determined to be an abandoned record by the Chief Information Officer (CIO) of the Office of the Chief Information Officer (OCIO). (Source: Management of Information Act SNL2005 c.M-1.01)

Active Record: a record needed to perform current operations or ongoing business matters. It is consulted frequently, and it must be conveniently available for immediate reference, either manually or via a computer system. (Source: Making the Transition from Paper to Electronic, David O. Stephens, ARMA International, 2007)

Archival Appraisal: the process of determining the long-term value of records after they have completed the primary purpose(s) for which they were created. Approximately 95% of all records created have no archival value and should be destroyed at the end of their life cycle.

Archival Records: records preserved because of their continuing value. The Rooms Provincial Archives is the organization mandated to collect, preserve, present, exhibit and make available for research the archival records that represent and illustrate the significant history, culture and natural heritage of the province of Newfoundland and Labrador. (Source: The Rooms Act, 2016)

Archives: facilities where records of an organization are preserved because of their continuing value. The Rooms Provincial Archives is the organization mandated to collect, preserve, present, exhibit and make available for research the archival records that represent and illustrate the significant history, culture and natural heritage of the province of Newfoundland and Labrador. (Source: The Rooms Act, 2016)

Authentication: the verification of the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system. (Source: NIST 800-27 Rev-A)

Authenticity: a record that can be proven to be what it purports to be, to have been created or sent by the person purported to have created or sent it, and to have been created or sent at the time purported. (Source: ISO 15489: 2016)

Authoritative Record: a record of authenticity, reliability and integrity, created by or received by a department or public body, that can be depended on because its contents can be trusted as a full and accurate representation of the activities to which it attests.

Availability: being accessible and useable upon demand by an authorized entity. (Source: ISO 13335-1:2004) It is the ability of a component or service to perform its required function at a stated instant or over a stated period of time. Availability is usually expressed as the availability ratio, i.e. the proportion of time that the service is actually available for use by the customers within the agreed service hours. (Source: ITIL)

Cabinet Record: a record that:

  • Is a memorandum, the purpose of which is to present proposals or recommendations to Cabinet;
  • Is a discussion paper, policy analysis, proposal, advice or briefing material, including all factual and background material prepared for Cabinet;
  • Is an agenda, minute or other record of Cabinet recording deliberations or decisions of Cabinet;
  • Is used for or reflects communications or discussions among ministers on matters relating to the making of government decisions or the formulation of government policy;
  • Is created for or by a minister for the purpose of briefing that minister on a matter for Cabinet;
  • Is created during the process of developing or preparing a submission for Cabinet;
  • Is draft legislation or a draft regulation;
  • Contains information about the contents of a cabinet record as described above. (Source: Management of Information Act SNL2005 c.M-1.01)

Classification Plan: the systematic identification and arrangement of business activities and/or records into categories according to logically structured conventions, methods and procedural rules and represented in a classification system. (Source: ISO 15489:2001)

Confidential Information: includes, but is not necessarily limited to the following types of information:

  • Cabinet Records as defined in the Management of Information Act SNL2005 c.M-1.01;
  • Draft legislation, policies and procedures;
  • Legal opinions;
  • Communications plans and collateral materials (e.g., draft news releases, Qs and As);
  • Sensitive reports, strategies or proposals under development;
  • Planning documents;
  • Industrial trade secrets or 3rd party business information submitted in confidence;
  • As a general rule, any information which would be exempt from public access under the Access to Information and Protection of Privacy Act, 2015 should be considered confidential.

Corporate Records: often referred to as administrative records, are those created by all organizations to support administrative functions, including human resources, general administration, facilities management, financial management, information and information technology management, and equipment and supplies (material) management. Because the value of these records is consistent across Government Departments, C-RIMS has been developed by the Office of the Chief Information Officer (OCIO) as a standard for their management. (Source: Corporate Records and Information Management Standard (C-RIMS))

Corporate Records and Information Management (C-RIMS): a standard classification plan and records retention and disposal schedule used for the management of corporate records of the Government of Newfoundland and Labrador. (Source: Corporate Records and Information Management Standard (C-RIMS))

Destruction: the process of eliminating or deleting records, beyond any possible reconstruction. (Source: ISO 15489:2001)

Directive: an official authoritative instruction or order to the organization supporting an existing policy. Compliance is mandatory. Example: Instant Messaging Directive.

Disposition: the range of processes associated with implementing the final stage in the life cycle of a record. Disposition could include destruction, transitory, transfer decisions and permanent retention by departments or other public bodies. (Source: OCIO)

Disposition Authority: written authorization for a public body to carry out the range of processes associated with the final stage in the lifecycle of a record, including retention, destruction, transfer, or transitory activities. (Source: OCIO)

Electronic Mail (Email): defined as messages created, sent and received electronically between computers and other devices. For the purposes of OCIO policy instruments, email is inclusive of all items contained within the email account including, but not limited to: messages, invites and other calendar items, tasks, contacts, posts, notes, all attachments as well as system metadata. ‘Email’, ‘email messages’ and ‘email items’ (as terms) are often used interchangeably within the OCIO’s policy instruments.

Electronic Records Management Software (ERMS): software designed to manage physical and electronic records in accordance with Records and Information Management Principles. As their core objective, ERMS systems provide a method for managing the life cycle of electronic records from the point at which work in progress documents are declared as records until their final disposition, under approved records retention rules and policies. (Source: Making the Transition from Paper to Electronic, David O. Stephens, ARMA International, 2007)

Encryption: the operation by which plain text is modified into an unintelligible, non-exploitable text, making it non-retrievable except by authorized users that have the key to bring it back to its original form. (Source: CAN/CGSB-72.34-2005)

Governance: set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly. (Source: IT Governance Institute)

Government: refers to public bodies as defined under the Management of Information Act (Management of Information Act SNL2005 c.M-1.01) and in some cases may be used interchangeably with the term departments and other public bodies.

Government Record: a record created by or received by a public body in the conduct of its affairs, and includes a Cabinet record, a transitory record and an abandoned record. Disposal of a government record must be sanctioned by a records retention and disposal schedule that has been approved by the Government Records Committee (GRC). (Source: Management of Information Act SNL2005 c.M-1.01)

Government Records Committee (GRC): the official body that is mandated to:

  • establish and revise schedules for the retention, disposal, destruction or transfer of records;
  • make recommendations to the minister respecting government records to be forwarded to the archives;
  • establish disposal and destruction standards and guidelines for the lawful disposal and destruction of government records; and
  • make recommendations to the minister regarding the removal, disposal and destruction of records. (Source: Management of Information Act SNL2005 c.M-1.01)

Guideline: recommended actions, general approaches and operational behaviours that allow some discretion or leeway in their interpretation, implementation, or use. Compliance is not mandatory but recommended. Example: Email Guideline.

Guiding Principles: the fundamental values that provide overall direction to a program throughout its operation irrespective of changes in its goals, requirements or resources.

IM Compliance: applied to Information Management, this means meeting any compliance requirement that applies to information, its management and its protection in the Government of Newfoundland and Labrador.

IM Compliance Management: the process by which organizations manage and demonstrate fulfillment of their IM Compliance responsibilities and accountabilities that are defined in their IM Legal and Regulatory Framework.

IM Education and Awareness: the process of communicating IM knowledge, skills and judgment to an individual while also supporting an individual’s knowledge about the components of an IM Program and IM best practices. Education generally results in new or enhanced skills that permit an individual to perform their job with greater competency and confidence. Awareness is often used to reinforce education or best practices.

IM Governance Framework: comprised of the defining, documenting and publishing of the governance, accountability and organization for information management within the department or other public body. For example, one component of the framework is program management, which includes establishing the “who” is providing oversight of the program, “who” is responsible for daily elements in the program, and “where/how” the program information is captured/stored.

IM Guiding Principles: used to help formulate the initial IM Program and IM Governance model, as well as to provide a framework for decision making.

IM Inventory: a detailed survey of the organization’s records, including descriptions, scope, volume, frequency of use, method of organization and retention periods. It is used as the basis for developing a records management system.

IM Legal and Regulatory Framework: a compilation of all of the legislation, policy, regulations and agreements that contain IM requirements with which the department or other public body must demonstrate compliance.

IM Mission: a concise, formal statement of the purpose of the IM Program within an organization. It should indicate how the Information Management programs and services will enable the mandate of a public body and support its compliance requirements.

IM Mission Statement: the inspiration and framework for IM strategic planning and IM Program development. Features of an effective IM vision statement include a description of a desired state for IM that features clear wording, lack of ambiguity, realistic aspirations and alignment with organizational values and culture.

IM Policy Instruments: policies, directives, standards, guidelines and procedures that provide direction or guidance on the management and protection of information aligned with the principles set forth in the Information Management and Protection (IM&P) Policy. OCIO extends the definition to include policy instrument supports such as Webpages, FYIs, FAQs, Quick Reference or Re-Use Materials as items to include in an IM policy instrument inventory.

IM Program: a records and information management system (also referred to as an IM Program), structured as a four-part system that includes Management Framework, Core IM Capability, Enablers, and Monitoring and Verifying IM.

IM Program Plan: an approved and published document that outlines how IM works in a department or other public body. This includes governance, organization, management, services, performance management and reporting.

IM Vision: the inspiration and framework for IM strategic planning and IM Program development. Features of an effective IM vision statement include a description of a desired state for IM that features clear wording, lack of ambiguity, realistic aspirations and alignment with organizational values and culture.

IM Vision Statement: the inspiration and framework for IM strategic planning and IM Program development. Features of an effective IM vision statement include a description of a desired state for IM that features clear wording, lack of ambiguity, realistic aspirations and alignment with organizational values and culture.

Individual: refers to all staff, contractors, consultants, partners, students, temporary workers, volunteers, vendors, agents, third parties and other persons working on behalf of the Government of Newfoundland and Labrador, including all departments and other public bodies as defined under the Management of Information Act.

Information Classification: a system of designating security categories for information based on the impact to the business mission from loss of information confidentiality, integrity or availability. (Source: Deloitte)

Information Governance: specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. (Source: Gartner)

Information Management: the field of management responsible for establishing and implementing policies, systems, and procedures to capture, create, access, distribute, use, store, secure, retrieve, and ensure disposition of an organization’s records and information. (Source: ARMA)

Information Management and Protection (IM&P) Policy: provides authority for the OCIO to establish mandatory Information Management and Protection directives and standards for the Government of Newfoundland and Labrador and its public bodies. The IM&P Policy establishes the overall framework for IM&P within the Government of Newfoundland and Labrador and its public bodies in accordance with MOIA, ATIPPA, 2015, the Rooms Act and forms the basis for departments and other public bodies to develop their own supporting policy instruments aligned with the IM&P Principles.

Information Management Capacity Assessment Tool (IMCAT): developed by the Office of the Chief Information Officer (OCIO) in 2006 as a planning tool for departments and agencies. It enables organizations to assess their current IM state against legislative and policy compliance, and to identify gaps and areas for improvement. It also provides a 3-year plan with high-level budget estimates.

Information Management System for Administrative Records (IMSAR): a records retention and disposal schedule for administrative records that was used by government departments. IMSAR was replaced in 2009 with the release of the Corporate Records and Information Management Standard (C-RIMS).

Information Protection: an area of practice focused on the protection of information from inappropriate access or use, using a variety of means as required, including, but not limited to, policy and standards; physical and electronic security measures; and compliance monitoring and reporting. IP represents the point at which the management of information converges with security policy and measures. In the Government of Newfoundland and Labrador, public bodies are required to protect information as part of their accountability under Section 6 of the Management of Information Act SNL2005 c.M-1.01.

Information Security: the process of preserving the confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. (Source: ISO/IEC 17799:2005)

Information Security Architecture: security principles and an overall approach for complying with the principles that drive the system design, i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments. (Source: NIST 800-27)

Information Security Framework: the collection of processes and artifacts that are used to manage the definition and ongoing operation and management of the information security controls for the enterprise. (Source: Deloitte)

Information Security Governance: efficient and effective measurable improvements in related enterprise processes by providing the structure that links processes, IT resources and information to enterprise strategies and objectives. (Source: COBIT®, Management Guidelines)

Information Security Program: the comprehensive, organized collection of documented artifacts and processes that are used to continuously deliver information security across the enterprise. (Source: Deloitte)

Information Security Program Framework: the superset of the information security framework, the information security drivers and the information security services that describe and control all of the elements of information security for the enterprise. (Source: Deloitte)

Information Security Strategy: a documented specification that links all necessary organizational, technical and administrative information security controls to a strategic combination of business drivers, legal requirements, threat scenarios and design to ensure information security is operationally integrated with the overall IT architecture, business processes and business culture. (Source: Deloitte)

Information Technology: the development, maintenance, and use of technology to acquire, process, store and distribute digital information. (Source: ISO/IEC 19770-1:2017)

Instant Messaging: a form of real-time direct text-based communication between two or more people using personal computers or other devices. The user’s text is conveyed over a network, such as the Internet.

Integrity: the property of safeguarding the accuracy and completeness of assets. Integrity demonstrates that the record is complete and has been unaltered. It is necessary that a record be protected against unauthorized alteration. Records management policies and procedures should specify what additions or annotations may be made to the record after it is created, under what circumstances additions or annotations may be authorized, and who is authorized to make them. Any authorized annotation, addition or deletion to a record should be explicitly indicated and traceable. (Source: ISO 15489:2001 and ISO 13335-1:2004)

Legal Hold: a process which an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated. This duty to preserve information arises regardless of whether the organization is the initiator or the target of litigation. It includes an obligation to identify, locate and maintain information that is relevant to specific, predictable and identifiable litigation.

Life Cycle: the stages through which information is managed. Information management strives to manage the records in a manner that facilitates authenticity, reliability, integrity and usability throughout all stages including:

  • Planning;
  • Creation and organization;
  • Receipt and capture of data;
  • Retrieval, processing, dissemination and distribution of data;
  • Storage, maintenance and protection;
  • Archival preservation or destruction or expungement. (Source: CAN/CGSB-72.34-2005)

Metadata: data about data elements including data descriptions, and data about data, access paths, access rights and data volatility describing records, records systems, documents or data, including but not limited to the evidentially significant facts of:

  • Their contents, definition, function, logical and physical structure, retention and disposition;
  • Their sources and origins;
  • Their relationships with other entities;
  • Any additional evidentially significant facts regarding their creation, acquisition, modification, maintenance and use including those individuals or organizations that have been active in or otherwise responsible for those activities and their mandate or purpose for having been so engaged. (Source: CAN/CGSB-72.34-2005)

Migration: the act of moving records from one system to another, while maintaining the records' authenticity, integrity, reliability and usability. (Source: ISO 15489:2001)

Mission: a brief measurable long-term outcome statement which defines where an organization is going to and why.

Mission Statement: a formal, short, written statement of the purpose of a company or organization. The mission statement should guide the actions of the organization, spell out its overall goal, provide a sense of direction, and guide decision-making. It provides “the framework or context within which the company’s strategies are formulated.”

Office of Primary Responsibility (OPR): the organization and/or position within an organization that is responsible for maintaining the integrity of a record. (Source: Corporate Records and Information Management Standard (C-RIMS))

One Time Disposal: an alternative to the use of a records retention and disposal schedule to dispose of a backlog of inactive records. This option may be used when records are the result of an activity no longer in progress (e.g., organizational unit, service or function that no longer exists) or where the value of the records supports a high-level decision on their disposal (e.g., administrative records that are 7+ years old).

One Time Disposal Submission: a disposition authority, which applies to records in any format and authorizes, once approved, disposal of records in a legal manner. The OTD can be for records of a specific branch, division or program within a department or other public body. It can encompass all types of records within an organization, or may be limited to specific record types or record series, but does not include active or semi-active records.

Operational Records: records that reflect the unique mandate of their creators. Records of programs, projects, and service delivery are examples of operational records. Unlike corporate records, these will be different in each organization.

Personal Information: recorded information about an identifiable individual, including:

  • The individual’s name, address or telephone number;
  • The individual’s race, national or ethnic origin, colour, or religious or political beliefs or associations;
  • The individual’s age, sex, sexual orientation, marital status or family status;
  • An identifying number, symbol or other particular assigned to the individual;
  • The individual’s fingerprints, blood type or inheritable characteristics;
  • Information about the individual’s health care status or history, including a physical or mental disability;
  • Information about the individual’s educational, financial, criminal or employment status or history;
  • The opinions of a person about the individual;
  • The individual’s personal views or opinions. (Source: Access to Information and Protection of Privacy Act, 2015)

Phishing: a type of fraud that uses deceptive emails, websites and/or text messages to gather personal, financial and confidential information for fraudulent purposes and/or unauthorized access.

Policy: high level, strategic statements, authorized by Senior Executive that dictate what type of position the organization has taken on specific issues. Compliance is mandatory. Example: Information Management and Protection Policy.

Principle: a statement of fundamental value, a rule, or belief tied to business objectives and requirements, and establishes constraints on the manner in which business is conducted.

Privacy: the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed. (Source: ISO/IEC 7498-2)

Procedure: a fixed, step-by-step task level sequence of activities or course of action (with start and end points) that must be followed in the same order to correctly perform a task. Compliance is mandatory but exceptions may occur. Example: Business Process/Forms, such as the New Account Request Form.

Public Body: any of the following:

  • A department created under the Executive Council Act or a branch of the executive government of the province;
  • A corporation, the ownership of which, or a majority of shares of which, is vested in the Crown;
  • A corporation, commission, board or other body, the majority of the members of which, or the majority of members of the board of directors of which, are appointed under an Act of the province, the Lieutenant-Governor in Council or a minister of the Crown;
  • A court established under an Act of the province; or
  • The House of Assembly and committees of the House of Assembly. (Source: Management of Information Act SNL2005 c.M-1.01)

Record: a correspondence, memorandum, form, paper, parchment, manuscript, map, plan, drawing, painting, print, photograph, magnetic tape, computer disc, microform, electronically produced document and other documentary material regardless of physical form or characteristic. (Source: Management of Information Act SNL2005 c.M-1.01)

Record Series: a group of records (regardless of format) arranged according to a common filing system or grouped together because they relate to a particular subject or function; result from the same activity or document the same type of transaction. Record series should be able to be grouped under a common title and should have a common retention and disposal plan. Examples: personnel records, procurement records, and complaint files.

Records Management: See Information Management.

Records Retention and Disposal Schedule (RRDS): a legal document that guides the management of a government record. A RRDS will:

  • Define the content of the record series or types;
  • Link the records to the organizational unit and business process;
  • Dictate how long the records need to be retained in active and semi-active storage to meet operational and legislative requirements;
  • Authorize the disposal of information in a legal manner, including either secure destruction or transfer to the Rooms Provincial Archives.

Security Council (OCIO): a governance body of the OCIO consisting of Director-level representatives from all OCIO branches. Its mandate is to oversee the effectiveness of the OCIO’s Information Security Strategy and to recommend policies and procedures for information protection and security. It also addresses information protection and security issues as required, either to ensure adherence to the OCIO’s Information Protection and Security Framework and Strategy or to recommend changes as required to the Senior Leadership Team (SLT). It is chaired by the Director of Information Protection, Networks and Security, Operations and Security Branch.

Security Policy: See Policy.

Security Threat: a potential cause of unwanted incident, which may result in harm to a system or organization. (Source: ISO 13335-1 GMITS) Assets are subject to many kinds of threats. A threat has the potential to cause an unwanted incident, which may result in harm to a system or organization and its assets. This harm can occur from a direct or indirect attack on the information being handled by an information technology system or service (e.g., unauthorized destruction, disclosure, modification, corruption, and unavailability or loss). A threat needs to exploit an existing vulnerability of the asset in order to successfully cause harm to the asset. Threats may be of natural or human origin and can be accidental or deliberate. Both accidental and deliberate threats should be identified and their level and likelihood assessed. Examples:

  • Denial of critical services;
  • Destruction, modification or unauthorized disclosure of information;
  • Destruction or loss of the use of IT assets;
  • Fire;
  • Labour unrest.

Semi-Active Records: records that do not have to be readily available in primary offices but which still need to be kept for the possibility of use or reference. These records should be stored in appropriate offsite storage facilities.

SPAM: electronic junk mail or junk newsgroup postings. It is defined in more general terms as any unsolicited email. In addition to being a nuisance, spam also eats up a lot of network bandwidth.

Spoliation: unauthorized destruction or alteration of a record.

Stakeholders: the people or organizations with an interest or share in an undertaking.

Standard: requirements that dictate uniform ways of operating and provide tactical blueprints for the implementation of policies and directives. Compliance is mandatory. Example: Corporate Records and Information Management Standard (C-RIMS).

Third Party (Service Provider): the subset of contractors, service providers or independent incorporated business entities engaged to provide services for OCIO. Services and deliverables are outlined in a written agreement between the entity and OCIO. Individuals performing the services are engaged by the business entity, which provides the business infrastructure to manage its workforce. Service providers are generally companies selected to perform a service without specifying the individuals who will provide the service. Service providers may conduct their work onsite at OCIO facilities or offsite from their own facilities. A person or body that is recognized as being independent of the parties involved, as concerns the issues in question. (Source: ISO/IEC Guide 2:1996)

Threat: a potential cause of an unwanted incident, which may result in harm to a system or organization. (Source: ISO/IEC 13335-1:2004)

Transitory Record: a government record of temporary usefulness in any format or medium having no ongoing value beyond an immediate and minor transaction or the preparation of a subsequent record. Transitory records can be securely destroyed when no longer of value without authorization of the Government Records Committee. (Source: Management of Information Act SNL2005 c.M-1.01)

Vision: the desired or intended future state of an organization or program in terms of its fundamental objective and/or strategic direction. Vision is a long-term view, describing how the organization or program would like to be and what it would look like.

Vision Statement: outlines what the organization wants to be. It concentrates on the future, is a source of inspiration and provides clear focus.

Vital Record: a record that is indispensable to a mission-critical business operation, or a record identified as essential for the continuation of an organization during or following a disaster. Such records are required to recreate the organization’s legal and financial status and to support the rights and obligations of employees, customers, shareholders and citizens. (Source: Making the Transition from Paper to Electronic, David O. Stephens, ARMA International, 2007)

Vulnerability: weakness of an asset or group of assets that can be exploited by one or more threats. (Source: ISO/IEC 13335-1:2004)