Management Action Plan - Information Management Privacy and Compliance Audit

Internal Audit of Information Management Privacy and Compliance

Management Action Plan - April 2014

 

(back to audit)

ObservationsActionsOffice of Primary Interest and Estimated Timeframe
Recommendation A (Medium Impact):
PSIC should develop and administer ongoing training on information management and privacy risks and best practices.
  • Develop a training package and deliver training at least once a year.

 

  • Content to be integrated into PSIC standard procedures, which will then become part of the Operations Manual.
  • May 2014 - Executive Director and Director of Operations
     
  • September 2014 - Director of Operations
Recommendation B (Low impact):
PSIC should update its policy suite by:
  • Formalizing and documenting the PSIC Department Security Officer; and
  • Developing disposal procedures and practices.
  • Hold discussion with CHRC to agree on roles & responsibilities and amend the MOU with CHRC to reflect the changes.
     
  • Develop disposal procedures and practices
  • Complete - Executive Director
     
  • September  2014 - Chief Financial Officer
Recommendation C (Medium impact):
PSIC should strengthen the design and effectiveness of information management and privacy controls with a focus on:
  • Defining and strengthening controls in the areas of receipt of information, password protection and T-Drive structure and access controls; and
  • Implementing quality assurance measures to help ensure established processes and controls are being adhered to.
  • New recording machines with password protection to be purchased
  • Reviewing the procedures regarding the receipt of information
  • Documenting the access controls process
     
  • Implement the assurance quality process
  • Complete - Director of Operations
  • Complete - Director of Operations
  • September 2014 - Director of Operations
  • September 2014 - Director of Operations
Recommendation D (Medium impact):
PSIC should consider:
  • Updating the MOU with CHRC to reflect expected roles and responsibilities captured in the internal policies and directives; and
  • Establishing general monitoring procedures as well as develop controls to help prevent the risk of internal threats.
  • Hold discussion with CHRC and amend the MOU
  • Discuss with CHRC and establish the procedures and controls
  • Complete - Executive Director
  • September 2014 - Executive Director
2017-05-12