The Information Management (IM) and Information Protection (IP) Glossary of Terms is provided to establish a common understanding of terms that are essential to building an overall understanding of IM and IP. Where possible, industry standards or authoritative sources have been referenced. Terms that do not include a reference have been developed internally by the Information Management Branch. This glossary is updated as required. Please forward suggestions or comments to IM@gov.nl.ca.
Abandoned Record – An abandoned record is a record to which ownership cannot be established and which has been determined to be an abandoned record by the Chief Information Officer (CIO) of the Office of the Chief Information Officer (OCIO) (source: Management of Information Act SNL2005 c.M-1.01).
Active Record – An active record is a record needed to perform current operations or ongoing business matters. It is consulted frequently, and it must be conveniently available for immediate reference, either manually or via a computer system (source: Making the Transition from Paper to Electronic, David O. Stephens, ARMA International, 2007).
Archival Appraisal – Archival appraisal is the process of determining the long term value of records after they have completed the primary purpose(s) for which they were created. Approximately 95% of all records created have no archival value and should be destroyed at the end of their life cycle.
Archives – Archives are facilities where records of an organization are preserved because of their continuing value. The Rooms Provincial Archives is the organization mandated to collect, preserve, present, exhibit and make available for research the archival records that represent and illustrate the significant history, culture and natural heritage of the province of Newfoundland and Labrador (source: The Rooms Act, 2016).
- To be what it purports to be;
- To have been created or sent by the person purported to have created or sent it;
- To have been created or sent at the time purported (source ISO 15489:2001).
Authentication – Authentication refers to the verification of the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system (source: NIST 800-27 Rev-A).
Availability – Availability is the property of being accessible and useable upon demand by an authorized entity (source ISO 13335-1:2004). It is the ability of a component or service to perform its required function at a stated instant or over a stated period of time. Availability is usually expressed as the availability ratio, i.e. the proportion of time that the service is actually available for use by the customers within the agreed service hours (source: ITIL).
Backup – The saving of information onto off-line and/or on-line mass storage device(s) for the purpose of preventing loss of data in the event of equipment failure or destruction. Backups are primarily used to restore a computer to an operational state following a disaster. Backups differ from archives in the sense that archives are the primary copy of data and backups are a secondary convenience copy of data (Source: Government of Newfoundland and Labrador Backup Policy).
Business Continuity Management – Business continuity management is the business process that sets the objectives, scope and requirements for IT service continuity management. Business Continuity Management (BCM) is responsible for managing risks that could seriously impact the business. BCM ensures that the business can operate to a minimum agreed level, by reducing the risk to an acceptable level and planning to restore business processes (source: ITIL).
- Is a memorandum, the purpose of which is to present proposals or recommendations to Cabinet
- Is a discussion paper, policy analysis, proposal, advice or briefing material, including all factual and background material prepared for Cabinet;
- Is an agenda, minute or other record of Cabinet recording deliberations or decisions of Cabinet
- Is used for or reflects communications or discussions among ministers on matters relating to the making of government decisions or the formulation of government policy
- Is created for or by a minister for the purpose of briefing that minister on a matter for Cabinet
- Is created during the process of developing or preparing a submission for Cabinet
- Is draft legislation or a draft regulation
- Contains information about the contents of a cabinet record as described above (source: Management of Information Act SNL2005 c.M-1.01).
Case File – A “case” is any project, transaction, service or response that is “opened” and “closed” over a period of time to achieve resolution of a problem, claim, request, proposal, development or other complex activity. It is likely to involve multiple persons inside and outside of the organization, with varying relationships to each other, as well as multiple documents and messages (Source Aiim.org). Case files often represent a core function or service of the public body. Examples may include client management, license processing or claims processing. Case Files Advisory.
Classification Plan – A classification plan is the systematic identification and arrangement of business activities and/or records into categories according to logically structured conventions, methods and procedural rules and represented in a classification system (source ISO 15489:2001).
- Cabinet Records as defined in the Management of Information Act SNL2005 c.M-1.01
- Draft legislation, policies and procedures
- Legal opinions
- Communications plans and collateral materials (e.g. draft news releases, Qs and As)
- Sensitive reports, strategies or proposals under development
- Planning documents
- Industrial trade secrets or 3rd party business information submitted in confidence
As a general rule, any information which would be exempt from public access under the Access to Information and Protection of Privacy Act, 2015 should be considered confidential.
Control – A control is a means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature. Note: Control is also used as a synonym for safeguard or countermeasure (source: ISO/IEC 17799:2005).
Corporate Records – Corporate records, often referred to as administrative records, are those created by all organizations to support administrative functions, including human resources, general administration, facilities management, financial management, information and information technology management, and equipment and supplies (material) management. Because the value of these records is consistent across Government Departments, C-RIMS has been developed by the Office of the Chief Information Officer (OCIO) as a standard for their management (Source: C-RIMS).
Corporate Records and Information Management (C-RIMS) – The Corporate Records and Information Management (C-RIMS) is a standard classification plan and records retention and disposal schedule used for the management of corporate records of the Government of Newfoundland and Labrador (Source: C-RIMS). C-RIMS Standard.
Directive – Directives provide specific direction to Government and derive their authority from the “Information Management and Protection Policy”. The OCIO has the authority to develop and release directives upon internal review and approval by the OCIO Security Council in the case of Information Protection directives. The Government Records Committee will review and approve Information Management directives. Compliance with OCIO directives is mandatory, except if the Legislature or the Courts are determined, through their own governance and authority, to be exempt.
Disaster Recovery – Any measures instituted to plan for and/or recover from an event that significantly interrupts normal business operations (Source: Government of Newfoundland and Labrador Backup Policy).
Discovery – Discovery is part of the pre-trial litigation process during which each party requests relevant information and documents from the other side in an attempt to “discover” pertinent facts. Generally, discovery devices include depositions, interrogatories, requests for admissions, document production requests and requests for inspection.
Disposal – Disposal of records is the range of processes associated with implementing records retention, destruction or transfer decisions, which are documented in disposal authorities or other instruments (source: CAN/CGSB-72.34-2005). As required by the Management of Information Act SNL2005 c.M-1.01, the recommended disposal authority for government records is a Records Retention and Disposal Schedule (RRDS). Records Retention and Disposal.
E-discovery – E-discovery is the preservation, retrieval, exchange and production of documents from electronic sources in electronic form. It refers to discovery in litigation which deals with information in electronic format also referred to as Electronically Stored Information (ESI). Electronic information is different from paper information because of its intangible form, volume, transience and persistence.
Electronic Information – Information created, recorded, transmitted or stored in digital form or in another intangible form by electronic, magnetic or optical means or by any other means that has capabilities for creation, recording, transmission or storage similar to those means (Source: Evidence Act).
Electronic Records Management Software (ERMS) – An ERMS is software designed to manage physical and electronic records in accordance with Records and Information Management Principles. As their core objective, ERMS systems provide a method for managing the life cycle of electronic records from the point at which work in progress documents are declared as records until their final disposition, under approved records retention rules and policies. HPRM(TRIM) is an example of an ERMS (source: Making the Transition from Paper to Electronic, David O. Stephens, ARMA International, 2007).
Email – Email is defined as messages, including attachments, sent and received electronically between personal computers or terminals linked by communications facilities. This includes address information (to, from, cc, bc, subject and date) and the message content. Email Management Page.
Encryption – Encryption is the operation by which plain text is modified with an unintelligible, non-exploitable text making it non-retrievable except by authorized users that have the key to bring it back to its original form (source: CAN/CGSB-72.34-2005). FYI: Encrypting Files with 7-Zip and WinZip.
External Party – An external party is an entity with a business relationship with the organization that the organization has no direct control over other than by agreement or contract (source: Deloitte).
File – A file in the physical or analog environment is a collection of related records grouped together usually in reverse chronological order. In the digital environment, a named set of records stored or processed as a unit electronically (Source: ARMA, Glossary of Records and Information Management Terms).
Governance – Governance is the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly (source: IT Governance Institute).
Government Record – A government record is a record created by or received by a public body in the conduct of its affairs and includes a Cabinet record, transitory record and an abandoned record. Disposal of a government record must be sanctioned by a records retention and disposal schedule that has been approved by the Government Records Committee (GRC) (source: Management of Information Act SNL2005 c.M-1.01).
- Review and revise schedules for the retention, disposal, destruction or transfer of government records;
- Make recommendations to the minister respecting public records to be forwarded to The Rooms, Provincial Archives;
- Authorize disposal and destruction standards and guidelines for the lawful disposal and destruction of public records;
- Make recommendations to the minister regarding the removal, disposal and destruction of records (source: Management of Information Act SNL2005 c.M-1.01).
Guideline – Guidelines represent recommended actions, general approaches and operational behaviours. Guidelines are not mandatory. They are often used as templates to write procedures. Guidelines support policy and directives by providing a “how to” approach. They may be internal to the OCIO or meant to be used across all of Government. The OCIO has the authority to develop and release guidelines upon internal review and approval by the OCIO Security Council in the case of Information Protection standards. The Government Records Committee will review and approve Information Management guidelines. Compliance with OCIO guidelines is not mandatory.
Guiding Principles – Guiding principles articulate the fundamental values that provide overall direction to a program throughout its operation irrespective of changes in its goals, requirements or resources.
HPRM (TRIM) – HPRM (TRIM) is the standard Electronic Records Management Software (ERMS) used by the Government of Newfoundland and Labrador. HPRM (TRIM) Support
IM Compliance – IM Compliance is compliance applied to Information Management. This means meeting any compliance requirement that applies to information, its management and its protection in the Government of Newfoundland and Labrador.
IM Compliance Management – IM Compliance Management is the process by which organizations manage and demonstrate fulfillment of their IM Compliance responsibilities and accountabilities that are defined in their IM Legal and Regulatory Framework.
IM Legal and Regulatory Framework – An IM legal and regulatory framework is simply a compilation of all of the legislation, policy, regulations and agreements that contain IM requirements that the public body must satisfy.
IM Mission Statement – An IM mission statement is a concise, formal statement of the purpose of the IM Program within an organization. It should indicate how the Information Management programs and services will enable the mandate of a public body and support its compliance requirements.
IM Vision Statement – An IM vision statement is the inspiration and framework for IM strategic planning and IM Program development. Features of an effective IM vision statement include a description of a desired state for IM that features clear wording, lack of ambiguity, realistic aspirations and alignment with organizational values and culture.
Information Classification – Information classification refers to a system of designating security categories for information based on the impact to the business mission from loss of information confidentiality, integrity or availability (source: Deloitte).
Information Management – Information management (IM) is a program of records and management of information practices instituted to provide an economical and efficient system for the creation, maintenance, retrieval and disposal of government records. Under the Management of Information Act SNL2005 c.M-1.01, the permanent head of a public body shall develop, implement and maintain a record management system for the creation, classification, retention, storage, maintenance, retrieval, preservation, protection, disposal and transfer of government records.
Information Management Capacity Assessment Tool (IMCAT) – The Information Management Capacity Assessment Tool (IMCAT) was developed by the Office of the Chief Information Officer (OCIO) in 2006 as a planning tool for departments and agencies. It enables organizations to assess their current IM state against legislative and policy compliance, and to identify gaps and areas for improvement. It also provides a 3-year plan with high-level budget estimates.
Information Management System for Administrative Records – Information Management System for Administrative Records (IMSAR) was a records retention and disposal schedule for administrative records that was used by government departments. IMSAR was replaced in 2009 with the release of the Corporate Records and Information Management Standard (C-RIMS).
Information Protection – Information protection (IP) is an area of practice focused on the protection of information from inappropriate access or use, using a variety of means as required, including, but not limited to, policy and standards; physical and electronic security measures; and compliance monitoring and reporting. IP represents the point at which the management of information converges with security policy and measures. In the Government of Newfoundland and Labrador, public bodies are required to protect information as part of their accountability under Section 6 of the Management of Information Act SNL2005 c.M-1.01.
Information Security – Information security is the process of preserving the confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved (source: ISO/IEC 17799:2005).
Information Security Architecture – Information security architecture is a description of security principles and an overall approach for complying with the principles that drive the system design, i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments (source NIST 800-27).
Information Security Framework – An Information security framework is the collection of processes and artifacts that are used to manage the definition and ongoing operation and management of the information security controls for the enterprise (source Deloitte).
Information Security Governance – Information security governance provides efficient and effective measurable improvements in related enterprise processes by providing the structure that links processes, IT resources and information to enterprise strategies and objectives (source: COBIT®, Management Guidelines).
Information Security Program – An information security program is the comprehensive, organized collection of documented artifacts and processes that are used to continuously deliver information security across the enterprise (source Deloitte).
Information Security Program Framework – The information security program framework is the superset of the information security framework, the information security drivers and the information security services that describe and control all of the elements of information security for the enterprise (source Deloitte).
Information Security Strategy – An information security strategy is a documented specification that links all necessary organizational, technical and administrative information security controls to a strategic combination of business drivers, legal requirements, threat scenarios and design to ensure information security is operationally integrated with the overall IT architecture, business processes and business culture (source: Deloitte).
Instant Messaging – Instant messaging is a form of real-time direct text-based communication between two or more people using personal computers or other devices. The user’s text is conveyed over a network, such as the Internet. Instant Messaging Directive.
Integrity – Integrity is the property of safeguarding the accuracy and completeness of assets. Integrity demonstrates that the record is complete and has been unaltered. It is necessary that a record be protected against unauthorized alteration. Records management policies and procedures should specify what additions or annotations may be made to the record after it is created, under what circumstances additions or annotations may be authorized, and who is authorized to make them. Any authorized annotation, addition or deletion to a record should be explicitly indicated and traceable (source ISO 15489:2001 and ISO 13335-1:2004).
Inventory – An Inventory is a detailed survey of the organization’s records, including descriptions, scope, volume, frequency of use, method of organization and retention periods. It is used as the basis for developing a records management system.
Key Performance Indicator – A key performance indicator (KPI) is a measure of a particular organizational performance activity or an important indicator of a precise health condition within the organization. KPIs are used as an indication of the current state of a component of the business (source: IT Governance Institute).
Legal Hold – Legal Hold is a process which an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated. This duty to preserve information arises regardless of whether the organization is the initiator or the target of litigation. It includes an obligation to identify, locate and maintain, information that is relevant to specific, predictable and identifiable litigation. Guideline: Discovery and Legal Hold.
Life Cycle – The life cycle refers to the stages through which information is managed. Information management strives to manage the records in a manner that facilitates authenticity, reliability, integrity and usability throughout all stages including:
- Creation and organization;
- Receipt and capture of data;
- Retrieval, processing, dissemination and distribution of data;
- Storage, maintenance and protection;
- Archival preservation or destruction or expungement (source: CAN/CGSB-72.34-2005).
Metadata – Metadata is data about data elements including data descriptions, and data about data, access paths, access rights and data volatility describing records, records systems, documents or data, including but not limited to the evidentially significant facts of:
- Their contents, definition, function, logical and physical structure, retention and disposition;
- Their sources and origins;
- Their relationships with other entities;
- Any additional evidentially significant facts regarding their creation, acquisition, modification, maintenance and use including those individuals or organizations that have been active in or otherwise responsible for those activities and their mandate or purpose for having been so engaged (source: CAN/CGSB-72.34-2005).
Office of Primary Responsibility (OPR) – The Office of Primary Responsibility (OPR) is the organization and/or position within an organization that is responsible for maintaining the integrity of a record (source: Corporate Records and Information Management Standard (C-RIMS)).
Operational Records – Operational records are records that reflect the unique mandate of their creators. Records of programs, projects, and service delivery are examples of operational records. Unlike corporate records, these will be different in each organization.
- The individual’s name, address or telephone number;
- The individual’s race, national or ethnic origin, colour, or religious or political beliefs or associations;
- The individual’s age, sex, sexual orientation, marital status or family status;
- An identifying number, symbol or other particular assigned to the individual;
- The individual’s fingerprints, blood type or inheritable characteristics;
- Information about the individual’s health care status or history, including a physical or mental disability;
- Information about the individual’s educational, financial, criminal or employment status or history;
- The opinions of a person about the individual;
- The individual’s personal views or opinions (Source: Access to Information and Protection of Privacy Act, 2015).
Phishing – Phishing is a type of fraud that uses deceptive emails, websites and/or text messages to gather personal, financial and confidential information for fraudulent purposes and/or unauthorized access. How to Identify and Avoid Phishing.
Policy – A policy is a high level, strategic statement, authorized by the executive management, that dictates what type of position the organization has taken on specific issues. Treasury Board approval of Government-wide policy is required, except for policies established by the Legislature and the Courts. Treasury Board approved policies are recognized by all Government departments and compliance with them by departments is mandatory. Information Management and Protection Policy.
Practice – A practice is a universally applied standard defining the corporation’s execution expectations relative to one or more corporate policies. Approval by one or more members of the executive team.
Principle – A principle is a statement of fundamental value, a rule, or belief, that is tied to business objectives and requirements, and establishes constraints on the manner in which information security and/or business is conducted. The information security principles define the philosophy of the organization that in turn influences the definition of the information security policies and practices (source: Deloitte).
Privacy – Privacy is the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed (source: ISO/IEC 7498-2).
Procedure – A procedure is a detailed step-by-step, task-level definition of actions required to achieve a certain result. The procedure answers the “How” question and is generally used in an operating environment. Procedures may be internal to the OCIO or meant to be used across all of Government.
Public Body – A public body is a department created under the Executive Council Act or a branch of the executive government of the province, a corporation, the ownership of which, or a majority of shares of which, is vested in the Crown, a corporation, commission, board or other body, the majority of the members of which, or the majority of members of the board of directors of which, are appointed under an Act of the province, the Lieutenant-Governor in Council or a minister of the Crown, a court established under an Act of the province, or the House of Assembly and committees of the House of Assembly (source: Management of Information Act SNL2005 c.M-1.01). Public Bodies Under the Management of Information Act.
Record – A record means a correspondence, memorandum, form, paper, parchment, manuscript, map, plan, drawing, painting, print, photograph, magnetic tape, computer disc, microform, electronically produced document and other documentary material regardless of physical form or characteristic (Source: Management of Information Act SNL2005 c.M-1.01).
Record Series – Record series are a group of records (regardless of format) arranged according to a common filing system or grouped together because they relate to a particular subject or function; result from the same activity or document the same type of transaction. Record series should be able to be grouped under a common title and should have a common retention and disposal plan.
Examples include personnel records, procurement records, and complaint files.
Records Management – see Information Management
- Define the content of the record series or types;
- Link the records to the organizational unit and business process;
- Dictate how long the records need to be retained in active and semi-active storage to meet operational and legislative requirements;
- Authorize the disposal of information in a legal manner, including either secure destruction or transfer to The Rooms Provincial Archives.
Reliability – A reliable record is one whose contents can be trusted as a full and accurate representation of the transactions, activities or facts to which they can attest and can be depended on in the course of subsequent transactions or activities. Records should be created at the time of the transaction or incident to which they relate, or soon afterwards, by individuals who have direct knowledge of the facts or by instruments routinely used with the business to conduct the transaction (source ISO 15489:2001).
Restore – The process of bringing information back from a back-up storage media to its original state (Source: Government of Newfoundland and Labrador Backup Policy).
Security Council (OCIO) – The OCIO Security Council is a governance body of the OCIO consisting of Director-level representatives from all OCIO branches. Its mandate is to oversee the effectiveness of the OCIO’s Information Security Strategy and to recommend policies and procedures for information protection and security. It also addresses information protection and security issues as required to either ensure adherence to the OCIO’s Information Protection and Security Framework and Strategy or to recommend changes as required to the Senior Leadership Team (SLT). It is Chaired by the Director of Information Protection, IM Branch.
Security Policy – Security Policy, See Policy.
Security Practice – Security Practice, See Practice.
Security Threat – A security threat is a potential cause of unwanted incident, which may result in harm to a system or organization (source: ISO 13335-1 GMITS). Assets are subject to many kinds of threats. A threat has the potential to cause an unwanted incident, which may result in harm to a system or organization and its assets. This harm can occur from a direct or indirect attack on the information being handled by an information technology system or service (e.g., unauthorized destruction, disclosure, modification, corruption, and unavailability or loss). A threat needs to exploit an existing vulnerability of the asset in order to successfully cause harm to the asset. Threats may be of natural or human origin and can be accidental or deliberate. Both accidental and deliberate threats should be identified and their level and likelihood assessed. Examples include:
- Denial of critical services;
- Destruction, modification or unauthorized disclosure of information;
- Destruction or loss of the use of IT assets;
- Labour unrest.
Semi-Active Records – Semi-Active Records are those records that do not have to be readily available in primary offices but which still need to be kept for the possibility of use or reference. These records should be stored in appropriate offsite storage facilities.
Service Provider – See Third Party
SPAM – Spam refers to electronic junk mail or junk newsgroup postings. It is defined in more general terms as any unsolicited email. In addition to being a nuisance, spam also eats up a lot of network bandwidth. FYI: Safe Email Practices.
Standard – Standards are generally mandatory requirements that support individual policies and directives and dictate uniform ways of operating. Standards provide tactical blueprints for implementation of policies and directives. They may be internal to the OCIO, or meant to be used across all of Government. The OCIO has the authority to develop and release standards upon internal review and approval by the OCIO Security Council in the case of Information Protection standards. The Government Records Committee will review and approve Information Management standards. Compliance with OCIO standards may be mandatory or optional if the Legislature or the Courts are determined, through their own governance and authority, to be exempt.
Structured Data – Structured data is data that resides in fixed fields (rows and columns) within a record or file in a database (source: Making the Transition from Paper to Electronic, David O. Stephens, ARMA International, 2007). Structured data may constitute a government record when generated or received to complete government business transactions.
Third Party – A third party is the subset of contractors, service providers or independent incorporated business entities engaged to provide services for OCIO. Services and deliverables are outlined in a written agreement between the entity and OCIO. Individuals performing the services are engaged by the business entity, which provides the business infrastructure to manage its workforce. Service providers are generally companies selected to perform a service without specifying the individuals who will provide the service. Service providers may conduct their work onsite at OCIO facilities or offsite from their own facilities. A person or body that is recognized as being independent of the parties involved, as concerns the issues in question (ISO/IEC Guide 2:1996).
Transitory Record – A transitory record is a government record of temporary usefulness in any format or medium having no ongoing value beyond an immediate and minor transaction or the preparation of a subsequent record. Transitory records can be securely destroyed when no longer of value without authorization of the Government Records Committee (source: Management of Information Act SNL2005 c.M-1.01). FYI: Identifying and Disposing of Transitory Records.
Unstructured Data – Unstructured data is defined as data that does not reside in fixed fields of a database, e.g. word processing documents, email, and other non-database records. Unstructured records are created via common desktop applications, such as Microsoft Outlook, Word and Excel, to support ongoing business activity. An ERMS like TRIM is often used to manage unstructured records (source: Making the Transition from Paper to Electronic, David O. Stephens, ARMA International, 2007).
Usability – A useable record is one that can be located, retrieved, presented and interpreted. It should be capable of subsequent presentation as directly connected to the business activity or transaction that produced it. The contextual linkages of records should carry the information needed for an understanding of the transactions that created and used them. It should be possible to identify a record within the context of broader business activities and functions. The links between records that document a sequence of activities should be maintained (source ISO 15489:2001).
Vision – A vision defines the desired or intended future state of an organization or program in terms of its fundamental objective and/or strategic direction. Vision is a long-term view, describing how the organization or program would like to be and what it would look like.
Vital Record – A vital record is defined as one that is indispensable to a mission critical business operation or a record identified as essential for the continuation of an organization during or following a disaster. Such records are required to recreate the organization’s legal and financial status and to support the rights and obligations of employees, customers, shareholders and citizens (source: Making the Transition from Paper to Electronic, David O. Stephens, ARMA International, 2007).