Business system records management assessment

Public sector organisations must consider records and information management functionality and risk mitigation strategies when they design and implement new business systems or upgrade existing business systems.

The following assessment questions can assist with this process.

The assessment is designed to be conducted in 3 phases. Some business systems may not require a full assessment: if phase 1 determines that the business system does not generate records, the remaining phases can be skipped.

Phase 1 questions identify:

  • the risk and value of the information in the business system
  • the business system's ability to dispose of the records
  • data migration capabilities
  • reporting functionality
  • information security capabilities.

Phase 2 questions identify:

  • the potential issues associated with managing the system
  • gaps and risks in managing the information generated and/or stored within the system.

Phase 3 questions identify:

  • solutions to manage any shortfalls, gaps or risks identified in phase 2
  • recommendations that can be used in a formal risk management plan.

Assessment questions

Below is a list of assessment questions to consider.

  • Does the system hold unique information or data that is not duplicated elsewhere?
  • Is the information or data created/stored in the system the authoritative source of truth?
  • Is the risk or value of the information/data high enough to warrant additional controls to ensure that it is trustworthy?
  • Is there sufficient business benefit for managing disposal within the system before decommissioning?
  • Are there legislative or other requirements to destroy records, such as around privacy?
  • Does the information or data need to be accessed and/or kept longer than the expected life of the system?

If the answer to all of these questions is no, you may not need to continue with further assessment.

Can you trust the information in the system, and does it have the appropriate security?

  • Can you prove the information or data is authentic?
  • Are records and information protected from unauthorised or unlawful access, destruction, loss, deletion or alteration?
  • Does the system meet the minimum metadata requirements for records management?
  • Are records and information systems monitored and controlled?
  • Do staff accessing records and information systems have an approved security profile that is mapped to the specific systems to which they have access?

Is there a business need to manage disposal within the business system?

  • Are records and information kept for as long as they are needed for business, legal and accountability requirements, including community expectations?
  • Are records, including records in business systems, covered by a current and authorised records disposal schedule?

Is there a business requirement to import records with long-term temporary or permanent retention into a new system when the existing system is no longer supported, or when the cost of maintaining the system over time is significant?

  • Is the business system able to export information with attachments, metadata, and audit trails in a usable format?
  • Is the business system able to import information or data? (This is especially important if this system will be replacing an existing system)
  • Are the identified gaps or risks acceptable within the public sector organisation's (PSO's) risk tolerance?
  • For identified gaps or risks, will building in new functionality reduce the risks to an acceptable level and address the functionality gaps?
  • Is the system capable of integrating with TRM (the approved records management system) to manage the gap or risk?
  • Can the gap or risk be managed by exporting the necessary data so it can be managed in TRM?
  • Can the gap or risk be mitigated by implementing governance processes?

Suggested solutions to mitigate risks and address gaps:

  • adding new functionality or modifying existing functionality in the business system
  • integration with the approved records management system (TRM)
  • exporting metadata and objects so they can be managed outside the business system
  • governance processes applied outside the business system.

Contact

To find out more contact ntg.recordspolicy@nt.gov.au.