Cloud services Information and records management considerations

December 2018
Part of the Department of Internal Affairs

Document details

Document Identifier: 18/G15

Version  Date      Description        Revision due
0.1      Oct 2018  Development draft
1.0      Dec 2018  Published          Dec 2021

Contact for enquiries
Government Recordkeeping Directorate
Archives New Zealand
Phone: rkadvice@dia.govt.nz

Licence
Crown copyright. This copyright work is licensed under the Creative Commons Attribution 3.0 New Zealand licence. In essence, you are free to copy, distribute and adapt the work, as long as you attribute the work to Archives New Zealand, Department of Internal Affairs and abide by the other licence terms. To view a copy of this licence, visit

CONTENTS
1 Overview
2 Government cloud first policy
3 Use of the cloud in relation to the Public Records Act
4 Assessing the risks
5 Assessment: key things to check in relation to information and records management

Printed copies are uncontrolled

1 Overview

Cloud based services are any internet based IT services where the organisation's information and records are created, stored and/or managed. They are increasingly used by public sector organisations in New Zealand, as they offer efficient and cost-effective solutions. These benefits must however be weighed up against the risks associated with privacy, security, and information and records management. This document outlines considerations for organisations' decisions on using cloud based services.

2 Government cloud first policy

The New Zealand government requires public sector organisations to accelerate their adoption of cloud services in a balanced way so they can drive digital transformation. The cloud first policy requires organisations to:
- adopt cloud services in preference to traditional IT systems
- make adoption decisions on a case-by-case basis following a risk assessment
- only store data classified as RESTRICTED or below in a cloud service, whether it is hosted onshore or offshore.

Requirements for public sector organisations when adopting cloud services have been issued by the Government Chief Digital Officer (GCDO). Public sector organisations must undertake an information risk assessment of cloud services, including privacy and security issues, following GCDO guidelines. The aim of this assessment is to systematically and regularly check, identify, analyse and mitigate all risks in a service level agreement or contract.

3 Use of the cloud in relation to the Public Records Act

The use of cloud based services to create, store and manage information and records does not diminish or remove the statutory responsibilities of public sector organisations in relation to the Public Records Act 2005 (the Act) and the mandatory Information and records management standard. The requirements apply to information stored in a cloud based service. Therefore it is critical for information and records management staff to be involved in the cloud provider assessment process and the final decision-making, to guarantee the organisation meets the legislative requirements of both the Act and the mandatory standard.

4 Assessing the risks

While the risk assessment process may seem lengthy, it is important for organisations to remember that the choice of a cloud provider is ultimately their decision, and therefore their responsibility to dedicate time and resources to it. Information and records management knowledge is required to ensure that information and records management requirements are taken into consideration during the assessment process.

A cloud service provider should be able to answer questions regarding functionality, reliability, availability, security, privacy, information and records ownership/stewardship, integration and customisation. Information management staff must be involved, with others, in the initial risk assessment and planning as well as during business-as-usual operation.

Once an organisation has started with a service provider, it needs to make sure that there is a process in place for regularly monitoring how well the information and records management needs of the organisation are being met by the cloud services used. Key considerations for using cloud services are outlined below.

5 Assessment: key things to check in relation to information and records management

The key questions listed below are indicative only; organisations should consider whether there are any additional questions that reflect their specific circumstances.

Content

The value, importance and sensitivity of the information and records to be held in the cloud should be accurately assessed to ensure it is adequately protected. Risks should be assessed based on content or subject matter of the information and records and the level of sensitivity and importance to the business of the organisation.
- What kind of information and records will be created?
- What is the level of sensitivity?
- Have they been identified for long-term retention?
- Have they been classified open or restricted access records under the Act?

Ownership

Information and records outsourced to a cloud environment should remain the legal and intellectual property of the organisation.
- Does the contract clearly specify ownership of information and records?
- If the service provider subcontracts parts of their operation to other providers, is ownership of the information and records documented and understood by all involved parties?

Location of provider

Assess, with help of legal experts, the jurisdictional risk of using a cloud provider based off shore, as it is likely to be subject to the law of the host country, and legislation may be different. Follow the advice of the jurisdictional assessment documentation provided by the GCDO:

If the provider is not able to support the requirements of the New Zealand legislation and standards in relation to information and records management, the organisation may be unable to comply with its New Zealand regulatory requirements. For organisations with stewardship for iwi and hapū information and records, extra consideration should be given to their location.
- Where will the information and records be stored/hosted?
- Which legislation, or other jurisdictional requirements, will the information and records become subject to?

Protection, Security and Privacy

Information and records in the cloud are more exposed to unauthorised access; more so if the cloud service provider subcontracts parts of its operation to other companies. Therefore organisations should assess the cloud provider against the risk of illegal release of information, and level of reputation damage that this could cause. Also information and records stored and managed in a cloud environment must be protected from unauthorised deletion or alteration.

Check the way information and records will be managed and accessed by third parties, especially if there is personal information involved. Where information and records have access restrictions, the organisation must ensure these are managed appropriately in the cloud environment.
- What kind of security framework is provided?
- How does the provider prevent unauthorised disposal?
- Will the organisation be consulted regarding a third party seeking access to its information and records?
- If the provider stores the organisation's information and records with those of another organisation, what kinds of controls are in place to guarantee secure partitioning?
- How are access and identities of users managed?

Business continuity

Take business continuity into consideration when assessing the risks; check that back-ups are accessible at all times, and the cost involved in retrieving information from those back-ups.

As cloud services are provided over the internet, it is more likely that there may be some periods of service disruption where information and records are inaccessible. For critical activities where access to information and records is essential, the impact of loss of access even for a short time may be severe.
- Is there a business continuity plan in place in the event of an incident/outage? What are the practicalities of it? And the cost?
- Are the information and records discoverable at all times, no matter what?

Portability and Interoperability

Check that proprietary interfaces and programming languages used by cloud service providers won't create barriers to migrating information and records to another environment. Also system updates should be applied with detailed consultation with every organisation or individual using the system, so there is no loss of control over the integrity of information and records. In a cloud environment, a lack of portability standards may make it hard to remove business information and records to meet retention requirements at contract termination.

To avoid the evidential nature of the records being compromised an organisation must be able to prove that records could not have been altered in any way while stored in the cloud; otherwise this will negate their value as evidence.
- What are the processes in place for migration, and how will information and records be accessible and readable after the migration to another provider?
- What is the level of interoperability between the different cloud applications used by the organisation?
- What is the possible impact of system updates on the integrity of information and records?
- Does the cloud system have the ability to easily migrate the information and records to another environment?
- What is the impact of migration decisions by the cloud provider on the reliability and completeness of information and records, and associated metadata?

Metadata

Information and records created, stored and managed in a cloud environment must be able to link with their relevant metadata, providing context and thus ensuring their reliability as evidence.
- Have the minimum requirements for metadata been applied?
- Have the information and records been classified in accordance with the organisation's business classification schemes?

Search, audit and reporting functionalities

Information and records hosted in the cloud should be easily discoverable for information requests, as the Official Information Act 1982 and the Privacy Act 1993 legislation applies regardless of the location of information and records. Reporting functionality should also be considered to facilitate internal and external audit processes. The evidential value of information and records may be affected if appropriate audit trails and descriptions of management processes performed on records while in cloud systems are not maintained.
- What are the cloud provider's capabilities for search across information and records?
- What kind of reporting and audit trail functionality exists?
- Will information and records remain easily and quickly discoverable for audits, legal inquiry or release?
- Is the provider able to report easily on the management and use of the records, and provide sufficient information about it?
- Are the cloud services auditable?

Preservation

To ensure information and records are maintained for as long as required by the organisation, consider if the format will allow for continued accessibility long term. Preservation methods, software, system and/or infrastructure used by the provider must be carefully assessed.
- What kind of preservation activities will be performed by the provider to guarantee the information and records remain accessible and usable over time?
- Does the preservation activity performed include metadata as well?

Disposal

Use of cloud services is not a form of disposal. Organisations need to monitor the retention, disposal and transfer of the records held in the cloud. While disposal coverage is not a prerequisite for signing-up with a cloud service provider, it is strongly recommended to apply the disposal authority (DA) at the point of creation when using a cloud service. Also organisations should check how easy it is to update those settings when changes to the organisation's DA occur. For public offices, records held in the cloud must have retention periods and the disposal action of either destroy or transfer to Archives New Zealand applied to them.

Providers are not necessarily bound to follow the organisation's disposal schedule retention periods and could unintentionally expose the organisation to greater litigation risk and lead to additional costs, by retaining information and records longer than the disposal schedule prescribes. Conversely, information and records intended for long term retention might be illegally deleted or overwritten by the provider's server, thereby breaching the Act. There is also the risk of information and records not being disposed of in a timely manner, after authorisation by the organisation.

It is common for service providers to replicate records for multiple backup, sending copies to sites in different locations or even different jurisdictions. This can mean that information and records due for destruction are not properly deleted from every server held in every site, which poses a serious risk for information and records such as those containing personal or sensitive information. Providers must delete and digitally shred when required by a disposal schedule. Certificates of destruction should be asked for.
- For public offices, what export / extract functionality will be available (bulk/individual items, drag and drop) when long term / permanent value information and records are due to be transferred to Archives New Zealand?
- How will you confirm the destruction of files from servers not under your direct control?
- Can the cloud service offer destruction of information and records due for destruction (including any copies) in a manner that ensures that the information and records are not able to be reconstructed?
- How much resource will be needed from the organisation to confirm destruction by the cloud service provider?
- Are the retention periods for backups aligned with organisational retention periods?

Termination of contract

The contract terms and conditions should state that, if the contract is terminated, the information and records will be returned in a useable form, and removed permanently from the service provider's systems. Check that the contract includes specific details about termination, and fate of information and records hosted. The obligations of the cloud provider should be specified in the contract.
- What are the conditions if the organisation terminates the contract?
- Will the organisation be stuck, or locked-in (information lock-in, platform lock-in, tool lock-in), with their current provider because of the complications and costs of switching to a new provider?
- Is there a clause specifying that the terms cannot be changed in regards to IM requirements when a provider is declared bankrupt, sold to a new service provider or terminates its services?
- If necessary, can the information and records be easily migrated to another provider, without the integrity of the information and records being compromised?
- In the event that a provider is changed, would the new provider have an obligation to honour the conditions in the previous contract? Would the organisation be guaranteed continued access to their information and records?
- What format will the information and records be exported back to the organisation in (such as an open format), and how long will it take before the information and records can be accessed again following termination of the contract? What costs would be involved for the organisation?
- If the service provider enhances your information and records in the cloud, will you also get a copy of those? Or is the agreement solely for the original versions?
- Will the service provider be required to keep the information and records on its systems during a transition period?