Doc 5(4) - WIS Information Management -...

World Meteorological OrganizationCommission for Basic SystemsTechnical Conference Geneva, Switzerland, 26 - 29 March, 2018

CBS TECO 2018/Inf 5(4)Submitted by:

Chair OPAG ISS9.Mar.2018

DRAFT 1

DRAFT FRAMEWORK FOR INFORMATION MANAGEMENT IN THE WIS

(Submitted by Chair OPAG ISS)

SUMMARY AND PURPOSE OF DOCUMENT

The document contains draft text for the Manual on the WMO Information System and the Guide to the WMO Information System on Information Management.

Background

1 Seventeenth World Meteorological Congress asked the Commission for Basic Systems to develop Part C of the WMO Information System (WIS) on information management. The WMO Workshop on Information Management was held 2-4 October 2018 with the intention of collecting information on the requirements and current practices for information management across WMO and partner programmes. The information gathered during that workshop has been used by the Task Team on Information Management (TT-IM) to guide its development of standards and best practices for information management for use by WMO programmes.

2 The goal of the information management component of WIS is to provide standards, best practice and guidance for Members so that information provided to WMO Programmes is consistent and reliable. TT-IM is using a maturity model approach to specifying WIS information management (see https://en.wikipedia.org/wiki/Maturity_model for an introduction to the concept of a maturity model). An example of a maturity model that is used in the climate community is that of the National Center for Environmental Information (https://datascience.codata.org/articles/abstract/10.2481/dsj.14-049/).

3 A maturity model is a tool for improving and aspect of organizational performance and is often described as a two dimensional matrix. One dimension identifies typical processes contributing to that aspect, while the second described typical behaviours demonstrated by organizations as their skill in the process increases (typically a maturity model uses five levels). Using a maturity model approach to specifying the information management aspects of WIS:

Divides information management activities into a manageable set of aspects that can be addressed by Members;

Allows Members to assess their information management practices to identify those aspects that would benefit most from process improvement activities;

https://datascience.codata.org/articles/abstract/10.2481/dsj.14-049/

https://en.wikipedia.org/wiki/Maturity_model

CBS-TECO-2018/Inf 5(4), p. 2

Provides a method for measuring progress with improving information management activities in support of WMO Programmes;

Allows Members to identify an appropriate level of process maturity that should be used for the information they are managing;

With a knowledge of the maturity needs of Members and their actual level of maturity, the maturity model approach allows the priorities areas for guidance and other support for Members to be identified.

4 Key to the implementation of the maturity model approach is that Members assess their own level of maturity and identify the required level of maturity for managing their information. A simple example illustrates why the required level of maturity might not be the highest level in the model. Consider the process of organizing an event. At level 1, the behaviours might include thinking of where and when the event should be held, and telling people about it as you think of them. At the highest level, there would be a wide range of complex activities that were repeatable between events (budgeting, advertising, communications, risk management, venue selection, crowd management….). Organizing for a group of friends to meet at a local cafe is likely only to need the lowest level of maturity; organizing the Olympic Games needs the very highest level of process maturity. This example also illustrates why it may be appropriate for Members to reduce the maturity level of activities in some situations: applying the highest level of maturity is likely to mean that the friends spend all their time managing the process, rather than chatting over coffee.

5 TT-IM is still developing the elements in the maturity model for information management. Proposals for the categorization of process have been prepared, but expansion of these into the maturity levels will be developed during the first three quarters of 2018.

6 Annex 1 provides an initial draft of text for WMO-No. 1060 Manual on the WMO Information System and Annex 2 an illustration of the text that might go into WMO-No. 1061 Guide to the WMO Information System.

7 Members are encouraged to provide feedback to TT-IM using the email address [email protected] to assist the team in the preparation of the final drafts.

mailto:[email protected]

mailto:[email protected]

CBS-TECO-2018/Inf 5(4), p. 3

Annex 1: Amendment to WMO-No. 1060 Manual on the WMO Information System

Amend WMO-No. 1060 Manual on Codes as follows.

Add the following paragraphs to Part VI – Information Management

6.1 All Members shall use appropriate information management processes to manage creation, storage, sharing, use, archiving and destruction of information supporting WMO and partner organization programmes.

6.2 Information management practices shall include: documentation, governance, storage and preservation, quality management, access and sharing, discoverability, change management and, competencies.

6.3 Members shall assess the maturity of their information management practices against the maturity levels specified in Part VI of WMO-No. 1061 Guide to the WMO Information System, compare that maturity with the maturity appropriate to the information being handled, and report both the actual and appropriate maturity to the WMO Secretariat.

6.4 Members should use the guidance in their information management practices against the maturity levels specified in Part VI of WMO No. 1061 Guide to the WMO Information System when designing, operating and improving their processes for managing information.

6.5 Members shall manage their Information and Communication Technologies (ICT ) to a standard consistent with the requirements of the services that depend on that ICT.

Note: Guidance on managing ICT is provided in Part VII of WMO-No. 1061 Guide to the WMO Information System.

CBS-TECO-2018/Inf 5(4), p. 4

Annex 2: Amendment to WMO-No. 1061 Guide to the WMO Information System

Amend Part VI of WMO No. 1061 Guide to the WMO Information System

Add the following text to Part VI of WMO No. 1061 Guide to the WMO Information System before the text starting “Guidance on management of information about climate….”

6.1 Information management processes

WMO information management standard practices cover seven main processes supported by definitions of the competencies required by organizations to implement them.

6.1.1 Documentation

6.1.1.2 Documentation is needed so that:

users can find, understand and use the information and associated services (metadata);

information is processed / produced in a consistent way (including guidance for new staff)

users can trust the information they use and the information provider can provide evidence that the information was handled correctly (provenance);

6.1.1.3 Documentation of information should include: how it is produced and processed; how it is managed; ownership; how it is accessed; who can use it and what how they may use it; what application areas it is intended to support; services available; its quality and how that is assured; what it contains; what data were used to create it; where to go for help.

6.1. 2 Governance

6.1.2.1 Governance is needed so that:

The investment in gathering, processing, storing and exchanging data delivers value;

Irreplaceable information is available for future generations;

Risks associated with information production and use are managed;

Effort to manage information is reduced and operational efficiency is improved through clear understanding by staff of what is expected and permissible;

Information assets are managed so they achieve what is required at reduced levels of risk.

6. 1.2.2 Governance should include: consistent approaches to processes; accountabilities and responsibilities; data policy; clarity on standards to be used (national and international); funding model and; meeting national and international commitments.

6.1.3 Storage and Preservation

6.1.3.1 Managed storage and preservation is needed so that:

Information content and associated contextual information are trustworthy, available and usable when needed, now and in the future;

CBS-TECO-2018/Inf 5(4), p. 5

Policies on use and retention can be applied.

6.1.3.2 Managed storage and preservation should include: backup; restore; redundant copies; retention; technology migration; capacity management; long term accessibility; storage strategy; controlled ingestion process; access controls; archive; deletion of information no longer to be retained; accountabilities and responsibilities and; technology exit strategies.

6.1.4 Quality Management

6.1.4.1 Quality management is needed so that:

Information and related contextual information is, and can be demonstrated to be, fit for purpose.

6.1.4.2 Quality management should include: documentation of decisions concerning the information and its content; audit; quality related procedures; algorithms; definition of quality measures; required contextual information (quality managed using same principles as the information itself); monitoring information throughout its lifetime; feedback mechanisms to providers; metrics on quality control findings; assessment of uncertainty; verification; standards applied; ease of access and use of the information; provenance of data and software used in creating products and; peer review of data, algorithms and processes where appropriate.

6.1.5 Access and Sharing

6.1.5.1 Access and sharing is needed so that:

Information can be used by the appropriate people and software systems where and when it is needed;

Information can support delivery of societal benefits.

6.1.5.2 Access and sharing should include: exchange conventions such as open formats, data models, machine-to-machine interactions, web services among others; community agreed ways of working together using open standards; protection of information in transit; access control (supporting usage constraints); methods of access suitable for intended user communities; tracking delivery and use; compliance with policies and regulations; cost recovery models; controlled vocabularies.

6. 1.6 Discoverability

6. 1.6.1 Discoverability is needed so that:

Information providers can deliver additional societal value through reuse by others of their information, and their contribution can be recognized;

Information providers can publicize the data and associated services that they are offering;

Users can find efficiently the data most suitable for their needs;

Duplication of effort in creating data can be avoided.

6.1.5.1 Discoverability has should include: inventory; contextual information; user focus; controlled vocabularies; catalogues searchable by commercial search engines; access to documentation and data; meeting community conventions; web page; operating a catalogue; catalogue-catalogue interaction; usage statistics and feedback on search experience; currency of information in catalogue.

CBS-TECO-2018/Inf 5(4), p. 6

6.1.7 Change Management

6.1.7.1 Change management is needed so that:

• Users can have confidence in the information;

• Users know when and why changes are made to information they use;

• Changes have been made can be understood and there is traceability of those changes.

6.1.7.1 Change management should include: prevention of corruption or change in the meaning of information resulting from changes in the Information and Communications Technology (ICT) environment; appropriate levels of change management and provenance recording to the information being managed; authority to change and controls over change; recording of changes; notifications of changes; retention of original values when information has to is modified.

6.1.8 Competencies

6.1.8.1 Competencies are needed to ensure that people and suppliers supporting information:

• Have the knowledge to do the tasks required of them;

• Have the ability to apply the knowledge to deliver the tasks required of them.

6.1.8.2 Competencies for information management are specified in Appendix A to this guide.

Note for TT-IM: to include - Quality management, Storage/database management, Data change management, Documentation/ context information management , Data governance.

6.2 Maturity model for information management

6.1.1 Each of the seven information management processes in 6.1 is further sub-divided into components for which actions and behaviours can be described.

6.1.2 Maturity of information management processes is assessed against a five-level scale:

• Level 1: “Ad Hoc”. Not managed;

• Level 2: “Minimal”. Limited management;

• Level 3: “Intermediate”. Activities managed, defined processes that are partly implemented;

• Level 4: “Advanced”. Well defined, fully implemented and managed processes;

• Level 5: “Optimal”. Process performance measured, controlled and audited.

6.1.3 Tables 6.1 to 6.7 define organizational behaviours that are indicative of each level of maturity for the seven information management processes.

Table 6.1: Maturity level indicators for the Documentation process

Sub-processes Level 1 Level 2 Level 3 Level 4 Level 5

Table 6.2: Maturity level indicators for the Governance process


Asset management

Asset management is important to ensure that data management operations are properly resourced, accountable and sustainable.

Aspects include:

- Adequate funding for system sustainability,

Data assets not tracked, hard to find.

Some program areas have some of their assets recorded and documented .

Data-and information sets are documented at enterprise level with at least basic information, such as contact point.

All relevant aspects of information and datasets are fully documented and available.

Full documentation on data assets is widely communicated and accessible.

Little or no accountability for Data Assets.

Program areas have defined accountabilities, but inconsistent concept of

Planning underway to define accountabilities and responsibilities.

Accountabilities and responsibilities are defined, communicated and documented .

Accountabilities monitored and audited on regular basis.


maintenance and upgrades, etc.;

- Asset lifecycle management (creation through to disposal).

responsibilities.

Uncoordinated, ad-hoc funding.

Some funding available after "higher priorities" met, but often inadequate.

Active planning for systems to proactively plan and manage costs of assets .

Well-defined and effective system for planning and funding assets.

Full public accountability and disclosure.

No coherent retention policy, or "keep everything".

Irreplaceable assets retained, but little or no guidance on the rest.

Developing retention policies.

Binding legal retention periods defined and enforced.

Retention periods publicly advertised.

Accountability and responsibility

Accountability and responsibility are important to ensure that expectations are clearly understood, and to ensure traceability and security.

Aspects include:

- Clearly-defined roles and responsibilities for staff managing the data/information ;

Roles and responsibilities not defined or are poorly defined.

Some understanding of roles and responsibilities, but they are not documented .

Roles and responsibilities are clear and partly documented; training provided.

Roles and responsibilities are fully documented and monitored; training is provided.

Fulfilment of roles and responsibilities accords with industry best-practice.

No, or minimal, controls on access to information.

Authorisations exist, passwords assigned, but are not well policed; it may still be easy to get unauthorised access.

Authorisations exist, passwords are effective, but not continuously monitored.

Access and permissions are fully defined and backed up by security features; they are monitored.

Monitoring of permissions is thorough, and is carried out routinely.


- Ensuring only staff with correct authorization are able to perform certain actions within or on a database or information source;

- Appropriate sign-off and approval procedures are in place;

- Actions on, and modifications to, a database or information source align with policies and strategy;

No formal sign-off or approval processes.

Delegations exist, but only for major projects or activities.

Formal approval process is in place, but not always complied with.

Formal approval processes are in place, monitored and enforced, for all defined activities.

Approval and sign-off processes are fully transparent and auditable.

Ad-hoc developments not aligned with overall strategy; no controls on technology.

Developments are sometimes cognisant of overarching strategy; some guidance on technology.

Developments are consistent with strategy; some stakeholder consultation to assess dependencies.

Developments align with over-all plan, are aligned with strategy; there is clear direction on allowed technologies.

All developments and project plans fit within a clearly-articulated "roadmap", with provision for exceptions.

Defined standard procedures

Defined standard procedures are important to ensure that each centre performs data and information-related activities in a consistent way.

Aspects include:

- Data backup and frequency, ingest

Individual programs make their own arrangements, and some actions are seldom (if ever) carried out.

Some guidance exists on most practices, but it is poorly documented and inconsistently executed.

Standard procedures are defined and documented, but compliance is not consistently monitored.

Standard procedures are well defined, documented, scheduled and monitored.

Monitoring and audits demonstrate that practices regularly carried out, and comply with industry-best practices.

No standard practices are imposed, or standards are ad

Good practices are adhered to in some cases, but they are poorly documented

A framework for good practices is developed and documented, but

A framework for good practices is in place, well understood, and defensible.

Good practices are embedded into the centre’s culture, are routinely followed,


procedures, quality assurance processes, incident management processes, retention & disposal policy etc.;

- Ensure that best-practice is followed, so that actions taken are defensible if challenged;

- Different procedures may apply to different types of information, or at different stages of the information life-cycle;

- All such standard procedures should be well documented, and new staff fully trained in their application.

hoc. and unevenly executed.

compliance is not uniform.

and the centre serves as an exemplar of best practice.

No concept of data and information life-cycles, and no or little discrimination in management of different types of data and information.

Currently-valuable data and information are managed, other data are not.

Plans and procedures exist for different stages of the data and information life-cycle , but they are not followed consistently.

As 3, but well-defined "rules" and procedures are in place. Compliance is monitored.

Management of information is efficient, as resources appropriately matched to value along data lifecycle.

Documentation not available, or of poor quality. No organised training.

Documentation may be drafted, but is not readily available.

Documentation available, but is not routinely updated.

Staff training partly effective.

Documentation is clear, accessible, well-managed and up to date. Training is based on required competencies.

Procedures accord with recognized best-practice.

Highly effective training.

Alignment with national and WMO policies

Alignment with national and WMO policies is important to ensure that information management practices do not

Limited understanding or oversight of legislative, Government or WMO directives or regulations.

Some programs are aware of national and international policies, but this is not general practice across the centre.

Guidance has been developed for the organisation, but measures to ensure compliance not completely effective.

Guidance is routinely applied throughout the centre, with effective safeguards to prevent infringements.

The centre's systems can be ported to other agencies or centres; training and instruction provided externally.


infringe relevant national legislation and international agreements or conventions.

Aspects include:

- Legislated policy or Government directives such as open data, privacy, freedom of information, national records policies, etc.;

- Compliance with WMO regulations and requirements (such as submission of CLIMAT messages), and/or bilateral/multilateral agreements;

- As well as complying with national and international policy, the actual operations are informed by needs of individual business areas and their clients.

Unable to comply, or compliant with only some directives, regulations and requirements.

Compliant with most WMO regulations and requirements most of the time.

Fully compliant with directives and regulations, reliably delivered.

Dedicated staff in place to manage commitments.

Fully compliant. Takes leadership role within Region or in bilateral/multilateral projects.

Fully compliant, and assists other centres to build capacity.

Centre does not engage actively with clients and stakeholders. Static, inflexible delivery models.

Stakeholder needs are understood, but data operations often do not support needs of service providers and clients efficiently.

Data operations are planned to meet needs of service providers and clients.

Data operations fully aligned with the needs of service providers and clients.

Data operations consistent with the roles of regional leader or international data centre, serving international needs.

Principles and policies Principles are not defined. There is no formal policy

A plan for centre--wide policy on development and

Principles have been defined. Policy development and

Policy development, approval, communication and

Policy framework is mature, working well, and


Principles and policies are important because these reflect the strategic basis and “rules” that form the framework for operational processes and guidelines around IM.

Aspects:

- NMHS has a well-defined policy development process based on high-level principles;

- Policies should align with broader NMHS strategy, and national/international requirements, be high-level (i.e., not technology-or process-dependent), and integrated.

Policies should cover all aspects of information acquisition, management and access, and cover, among others, data licensing/charging; retention periods; metadata; storage and security; third party data.

development and approval process. There are few policies, that are confined to individual application areas that often operate under different "rules".

relevant instruments needed to implement has been developed.

associated consultation is underway.

compliance processes are well understood and effective.

monitored.

Policies (if any) are confined to individual application areas and are technology or process-dependent.

The centre has made concerted efforts to identify policies needed to efficiently support strategy, operations and national and international requirements.

Policies are under development, and these explicitly address strategic needs and /or national or international requirements .

Policies are fully compliant with strategy and national and international requirements .

Policies and procedures represent benchmark for other centres or agencies.

Policies and guidelines

A roadmap for policy development

A policy development

Policies have been developed and

Effectiveness of policies is routinely


Processes and other artefacts to implement policies should be developed.

developed only for limited aspects and have not been endorsed.

is defined that identifies needed policies and a policy development process.

process is underway, and links are made to arrangements needed to implement the policies.

implemented. monitored and revisited as necessary, or routinely reviewed.

Compliance mechanisms

Compliance mechanisms are important to ensure that procedures and policies are followed. Aspects include:

- A written compliance process is in place (e.g., sign-off, registration, independent review, self-assessment, physical restrictions until compliance conditions met), and communicated to IM managers and their staff;

- Compliance is actively monitored and documented,

There is no compliance process.

Compliance mechanisms are defined but not enforced.

Policies and processes have written compliance and sign-off requirements for many processes.

Compliance is enforced for all policies and processes.

As 4, plus there is a process for monitoring compliance and a mechanism to adjust the compliance mechanism as needed.

Compliance is not monitored.

Compliance is monitored, but not documented, and some cases of non-compliance are missed.

Compliance is monitored and documented, but not in a fully effective or consistent manner.

The compliance mechanism is fully effective and documented.

As 4, plus the documentation is retained and analysed, and used to assess the effectiveness of the compliance process.

No consequences defined, as there is no compliance process

Non-compliance consequences are defined, but are ineffective.

Consequences defined, are understood, but not fully enforced

Consequences defined and endorsed

Processes in place so that non-compliance is imposssible


with processes to detect non-compliance, and an audit trail is maintained..

The consequences of non-compliance are clearly set out.

Table 6.3: Maturity level indicators for the Storage and Preservation process


Storage management

At least locally installed database or file system resource. The resource is not necessarily communicated to or shared by other stakeholders.

At least locally installed database or file system resource.

Shared resource(s) with established role or access model.

All services are available.

Established process of continuous improvement and error resolving.

No standards (naming conventions, protocols, file system layout, etc.) are defined or verified.

Common standards, configurations and role model are defined, managed and shared.

Common standards, configurations and role model are defined, managed and shared. Major services are available. Standards are reviewed and shared across organization. Resources are

All standards are met. Quality of resources are reviewed or improved by audit or certifications.


monitored, changes are recorded.

Table 6.4: Maturity level indicators for the Quality Management process


Table 6.5: Maturity level indicators for the Access and Sharing process


Table 6.6: Maturity level indicators for the Discoverability process


Table 6.7: Maturity level indicators for the Change Management process


6.2 Specialized guidance for management of information in support of individual WMO and partner programmes

Doc 5(4) - WIS Information Management -...

Documents

Transcript of Doc 5(4) - WIS Information Management -...