Policy Summary No. 28
Capacity Management
Information Security Branch, Office of the Chief Information Officer
Ministry of Citizens’ Services, Province of British Columbia
http://www.cio.gov.bc.ca/cio/informationsecurity/index.page?

Importance of Subject Area

Information Security

Protection of information assets is the primary goal of information security. This includes practicing safe computing behaviours to reduce the overall occurrence of theft, loss, or misuse of government information assets.

A breach in information security or loss of information assets can have serious consequences, depending on the sensitivity and value of the information and the extent of the breach. The consequences can include:
- disclosure of personal information,
- interruption in government’s ability to deliver services,
- financial losses related to correcting the situation,
- threats to public safety or individuals’ health and well-being,
- legal actions, and
- erosion of the public trust in the government.

Personnel action is the KEY to protecting government information assets. Technology and policies are only effective if personnel are aware of their responsibilities to use the processes enforcing the policies. Education and awareness are essential to promote an understanding of the importance of information security.

The purpose of this document is to provide guidance about security-related aspects of a subject area of interest to the government community. It outlines the subject area background, related security concerns, responsibilities, and relevant information security policy.

Description

Capacity management refers to the processes for managing the size, amount, load and scalability of information systems and resources. The primary goal is to ensure the capacity of information technology resources meets current and future business requirements in a cost effective manner. Capacity management processes include planning, monitoring, evaluating, controlling, budgeting and implementing the capacity necessary for uninterrupted and responsive service delivery.

Capacity requirements are established by analyzing business driven performance specifications and projected resource utilization (e.g., transaction volume or network throughput). The use of a well-defined process for capacity management helps ensure system performance meets business needs and reduces the likelihood of limited availability caused by insufficient capacity for processing, storing or transmitting information.

Future capacity needs are projected by business area management at least annually and communicated to personnel or agencies responsible for managing and maintaining information technology resources that provide the enabling infrastructure. Significant changes in capacity requirements have budgetary implications.

This Policy Summary offers guidance on capacity management. It is particularly intended to help and guide those involved in managing business processes or capacity of technology resources and help them understand their responsibilities and obligations according to policy.

Areas of Concern

The primary area of concern is the potential for interruption or degradation to the delivery of government services. Weaknesses in capacity management processes may reduce the availability of government services reliant upon information resources.

Many factors amplify these concerns:
• Business requirements for normal business conditions, maximum capacity, peak demand and failover conditions may be incorrectly estimated.
• Specifications for new or enhanced services may contain incomplete or inaccurate capacity requirements.
• Implementation of new or significantly enhanced information systems may not have included appropriate capacity testing. (PS#27 Change Management)
• Increased capacity may require acquisition of additional hardware and associated software licenses.
• Service Level Agreements may have to be revised when capacity requirements change. (PS#22 Contracted Services)
• Inadequate capacity may lead to operational interruptions, loss of productivity and a potential loss of information. (PS#21 Operational Security, PS#16 Protection of Sensitive Information)
• Unplanned and unbudgeted capacity requirements may have financial and availability implications.
• Monitoring of capacity utilization may be inadequate. (PS#11 Monitoring and Logging)
• Performance tuning to ensure efficient capacity utilization may be inadequate.
• Disaster recovery requirements may not be updated concurrent with changes to system capacity. (PS#17 Business Continuity Planning)

PS#28: Capacity Management 1/2 CIO-SPS-2010-000-V3


Intended Outcomes

The policies associated with capacity management are intended to:
• Ensure the availability and integrity of the information technology infrastructure.
• Ensure that the capacity of information technology resources meets current and future business needs.
• Ensure that the availability and performance of information resources are maintained at agreed service levels.
• Ensure processes for managing capacity utilization and performance are implemented.

Responsibilities of all Personnel

Things to do:
• Use established processes for estimating and monitoring capacity requirements.
• Include capacity requirements in specifications for new or enhanced information systems.
• Initiate revisions to Disaster Recovery Plans when capacity requirements change.
• Ensure that capacity management testing is done for normal and peak utilization periods.
Things to avoid:
• Implementing new or significant changes to information systems prior to completion of capacity tests.
Things to report:
• Unexplained degradation or outage of service.
• Actual and suspected security incidents and events as required by the Information Incident Management Process.
• File a General Incident or Loss Report (GILR) within 24 hours of a security incident.

Responsibilities of Management

Things to do:
• Ensure that the Service Level Agreements define capacity requirements.
• Ensure capacity requirements are planned, defined, tested and managed throughout the life cycle of information technology resources.
• Ensure that capacity is tested during system acceptance.
• Ensure Disaster Recovery Plans are updated and tested.
• When a security or privacy breach has occurred, review and revise related policies and processes as needed.
Things to pay attention to:
• Unanticipated changes to capacity requirements.
Things to establish procedures for:
• Reviewing and projecting capacity requirements prior to the annual budget cycle.
Things to report:
• Unexplained degradation or outage of service.
Things to reinforce with personnel:
• The importance of managing capacity.
• The importance of understanding and following policies, standards and processes.
• Ensure the use of the Information Incident Management Process when required.

Resources

• Information Technology Infrastructure Library (ITIL)
  http://www.itil-officialsite.com/home/home.asp
• General Incident or Loss Report (GILR)
  http://gww.eforms.gov.bc.ca/
• Information Incident Reporting - Shared Services BC Service Desk at 250 387-7000 or 1-866 660-0811, Select Option 3

References

Core Policy and Procedures Manual
http://www.fin.gov.bc.ca/ocg/fmb/manuals/CPM/CPMtoc.htm
  12 Information Management and Information Technology Management
  13 Financial Systems and Controls

Information Security Policy
http://www.cio.gov.bc.ca/local/cio/informationsecurity/policy/isp.pdf
  5.2.2 Supporting Utilities
  6.2.1 Service Delivery
  6.3.1 Capacity Management
  6.3.2 System Acceptance
  6.10.3 Protection of Log Information
  8.4.1 Control of Operational Software

Standards and Guidelines
  Chapt. 3 IM/IT Standards Manual
  http://www.cio.gov.bc.ca/local/cio/standards/documents/standards/standards_manual.pdf
  Business Application Security Standards (BASS-DRAFT)
  Contact Information Security Branch

Information Incident Management Process
http://www.cio.gov.bc.ca/local/cio/information_incident/information_incident_management_process.pdf

Key Contacts

Office of the Chief Information Officer
http://www.cio.gov.bc.ca/

Information Security Branch, Office of the Chief Information Officer
http://www.cio.gov.bc.ca/cio/informationsecurity/index.page?
