Ontario Regional Office
Regulatory Law Section
March 2010


4. INFORMATION SYSTEMS

4.1 Reliability of Information Systems

Information systems are reliable and provide the required information for decision making.

The ORO Head of IT Operations and Support (O&S) confirmed that roles and responsibilities for IT management in the ORO are clear. The ORO Head of IT O&S reports to the Director IM/IT, who is located in the Halifax Regional Office. The Director IM/IT is involved in the daily decision making and remains in contact with ORO staff via telephone and e-mail. We were informed that the Director, IM/IT is in attendance on ORO premises on a monthly and “as needed” basis.

iCase is the main operational system used in the ORO. It is used by legal counsel to manage information on a case-by-case basis. For example, iCase is used to store core documents, letters, and memos. We were told that the system performs well, with adequate support from headquarters. There are no significant technical issues with the case management aspect of the iCase system.

The timekeeping component of iCase allows employees to record the hours worked on different case files. We were told that the system works well and there are no technical issues with this system. During our interviews with RLS legal counsel, we were informed that they found time reporting to be time consuming, although they did acknowledge the importance of this task.

Ringtail, a web-based application, is used by ORO legal counsel to obtain litigation support information. Counsel informed the audit team that the application performs well.

The ORO Corporate Services Unit uses RDIMS, a web-based application, as a records management tool. The Head of IT O&S informed the auditors that there are many software issues with the system at the application level and that it is not user-friendly. The current hardware is sufficient to support the application and there are no technical issues with it. It should be noted that the system is in the process of being replaced.

It is our opinion that the information systems used by the RLS are reliable for decision making.

4.2 Level of support from the Information Management Branch

The RLS receives appropriate support from the ORO Operations and Support section.

Departmental IT systems should be appropriately supported by the functional authorities in order to ensure their ongoing functionality and availability to users.

According to the RLS Director and Deputy Director, the RLS is satisfied with the support it receives from the ORO IT Operations and Support (O&S) section. Furthermore, the audit team met with the Head of IT O&S and reviewed documentation to assess the extent of information systems support provided by HQ. The audit examination determined that ORO IT O&S receives sound support from the Information Management Branch (IMB), Business Support, Applications and Services (BSAS) Directorate. The ORO IT O&S reports to the BSAS Directorate regularly and conducts monthly conference calls with this group. The Director IM/IT in the ORO also indicated that the support received from the BSAS Directorate in IMB is sound.

It is our view that the support received by RLS from ORO Operations and Support is appropriate.

4.3 Security of Electronic Information

Effective measures are in place for the security of electronic information, with the exception of a documented and approved ORO IM/IT contingency plan.

Managers should have mechanisms in place to ensure the security of information managed electronically.

The ORO Manager, Information Holdings has functional responsibility for the security of electronic information. The audit team confirmed that the ORO has instituted a rigorous password regime for accessing systems. For example, the ORO uses SecureDoc for the encryption of documents on laptops, and servers are secured by using Entrust. The audit team further noted that the security standards are well-documented on the Intranet and are available to all employees who have access to the Intranet.

We determined that regular backup practices are sound. For example, incremental backups take place on a daily basis and full backups are completed weekly. Also, backup files are properly secured in a safe off-site location.

We were informed, however, that there is no ORO IM/IT contingency plan in place to respond to a disaster situation. On the other hand, the ORO Manager, Information Holdings advised us that a Business Continuity Plan was currently under development in the ORO. In our view, contingency plans for IM/IT related disasters should be developed as a stand-alone document and incorporated in the overall ORO Business Continuity Plan. The IM/IT contingency plan would provide detailed information regarding the alternative arrangements available to maintain continuity of IM/IT services.

Our examination of the security of electronic information also included an inspection of the ORO computer room. Our inspection revealed that the room is satisfactory (i.e. air-conditioned, fire extinguishers readily available) and access to the room is rigidly controlled via keypad access. Password codes are changed on a regular basis.

It is our view that appropriate measures have been taken in the ORO to secure electronic information with the exception of a documented and approved ORO IM/IT contingency plan.

Recommendation and Management Response

5. It is recommended that the ORO Regional Director General ensure that an ORO IM/IT contingency plan is developed and approved.

I agree. As noted in the draft audit findings, an updated ORO Business Continuity Plan was currently under development. An updated written BCP for the ORO Information Management Group, with specific application to information management and information technology recovery, was implemented effective January 4, 2010. A copy of the ORO IM/IT Business Continuity Plan will be made available if required.

Date modified: