Foreword INFORMATION MANAGEMENT PRINCIPLES DOMAIN

Information management principles domain

The five principles discussed below underpin the work behind the modelling and are intended to serve as guidelines for those involved with the design and operation of information systems, irrespective of the technology being deployed.

The principles bring together the high-level internal policy issues and the detailed operational levels of any business.  They are intended to provide a framework within which managers and others can develop detailed operational procedures.  Alternatively they may be used as a template to check for the completeness or adequacy of an existing set of procedures and job descriptions.

The five principles take the form of a set of statements of objectives for information management.  These are intended to act as guidelines for a set of procedures that any institution should be capable of devising and operating as an extension of their current standard operating procedures, or of their quality management processes.  In other cases some of the recommended controls may already exist as part of a set of industry regulations.

Thus, instead of attempting to specify in detail what these procedures should be, it is understood that different industry sectors will have different requirements and may only need to use the principles as a checklist to test the completeness of their current regulations.  

Five Principles of Information Management

The Five Principles are: 

1    Recognise and understand all types of information

2    Understand the legal issues and execute "duty of care" responsibilities

3    Identify and specify business processes and procedures

4    Identify enabling technologies to support business processes and procedures

5    Monitor and audit business processes and procedures

The ordering of the principles also reflects a cascade from the high level classification of information streams to responsibilities, and then on to technology and operational considerations. 

Information

To ensure that the institution: 

1. Recognises, understands and controls data and information through its classification, structure and the way it is represented 

2. Chooses appropriate methods to capture, store and transmit data within the institution and across its boundaries to, and from, its business partners 

3. Evaluates the information that it holds and takes appropriate measures to protect its information resources. 

4. Implements appropriate levels of security for managing its information. 

Duty of Care

To ensure that the institution: 

1. Informs appropriate staff of pertinent legislation and regulations which apply to the way information and data is handled within their industry and business activities 

2. Executes its responsibilities under the duty of care principle. 

Processes and procedures

To ensure that the institution: 

1. Identifies, documents and describes its processes and procedures. 

2. Monitors and controls changes to standard procedures using the documented descriptions of its operations. 

Enabling technologies

To ensure that the institution: 

1. Identifies, assesses and applies appropriate technologies to support and enable its business processes and procedures 

2. Establishes procedures to monitor and control potential exposure to risks arising from the misuse or failure of its computer systems 

1. Auditing

   Auditing

To ensure that the institution: 

1. Employs appropriate measures to monitor and document its operations and any deviations from its designated standards and methods of operation as established by its industry’s regulatory bodies.