Introduction to Guideline 25 – Managing Information Risk
Samara McIlroy, Consultant, Government Recordkeeping
6165 6085
Overview
• Background and context
• New Guideline and Advice
• Applying Risk Management
• Request for feedback
• Questions
Why?
• New technologies bring new threats to business information and continuity
• Information risk is often mistakenly treated as IT risk
• Appraisal of digital records requires a new set of competencies
Background and context
• Tasmanian Government Project Management Guidelines
• AS/ISO Standards
• Other jurisdictions
• Guideline 1 – Records Management Principles
Tasmanian Government Project Management Guidelines
• In November 2011, the ICT Policy Board endorsed the Project Management Guidelines as Advice for Tasmanian Government Agencies
• Element 5 addresses Risk Management (p90-106)
• Guidelines are on the e-Government website under Project Management – http://www.egovernment.tas.gov.au//project_management
Standards
• AS/NZS ISO 31000:2009 Risk management - Principles and guidelines and the companion Handbook - SA/SNZ HB 436:2013
• Information and documentation - Risk assessment for records processes and systems - ISO/TR 18128:2014(E)
• Available from the eGovernment Standards Select portal on the website
Other jurisdictions
• Records and Risk Management (PROS 10/10 G6) - Public Records Office Victoria: strategic and operational alignment
• FutureProof blog - State Records NSW: digital information risks
• Linking business to records: Managing recordkeeping risks - National Archives of Australia (NAA): identifying high-risk business functions for more intensive information management activities
Guideline 1 – Records Management Principles
New inclusions which relate to Information Risk:
• Information governance
• Risk analysis
• Policy alignment
• Records in business systems
• Regular compliance audits
The new Risk Management Guideline and Advice
• Guideline No. 25 – Managing Information Risk
• Advice No. 60:
  Part 1 – Introduction
  Part 2 – Applying Risk Management processes
  Part 3 – Templates and tools
Guideline No. 25 – Managing Information Risk – key concepts
• Managing information risk using risk analysis
• Aligning the functions of Risk Management and Records Management
MUSTS
• Agencies MUST apply risk management processes to all State records.
• Agencies MUST undertake an information risk assessment for each of the agency's core business areas.
High-risk business areas:
• Public and media scrutiny
• Legal action or formal investigation
• Involve large amounts of money
• Relate to issues of security
• Outsourcing
• Administrative change
• Cloud-computing systems
• Relate to the health, welfare, rights and entitlements of citizens and/or staff
• Employment conditions of staff
• Involve organisational change and/or transitioning to new systems
MUSTS
• Risk management processes MUST cover records in all formats, including digital records outside formal recordkeeping systems, such as email, websites & business systems.
• Risk assessments MUST be carried out for all permanent records, including permanent records held in business systems.
Records in all formats:
• Permanent records
• Vital records
• Unscheduled records (not covered by a R&DS)
• Network drives
• Email
• Scanned or digitised records
• Business systems and cloud-computing applications
• Hybrid environments
• Websites
• Social media
• Mobile devices
• Etc.
MUSTS
• Risk management processes MUST underpin records management operations, to ensure that risks to the agency's records and recordkeeping systems are minimised.
• Records management staff MUST ensure that risks to the agency's records and recordkeeping systems, especially vital records, are addressed as part of the agency’s Records Management Program.
MUSTS
• Agencies MUST align the functions of records management and risk management strategically and operationally.
• Agencies MUST review their Information Risk Register annually.
The new Guideline and Advice
• Guideline No. 25 – Managing Information Risk
• Advice No. 60:
  Part 1 – Introduction
  Part 2 – Applying Risk Management processes
  Part 3 – Information Risk Register Template
Information Risk Consequence Scale
(Consequence categories: Financial, Insurance; Personnel, OHS; Service Delivery, Operations; Compliance; Reputation, Political; Environment; Information.)

Minor
• Financial, Insurance: Minor impact on budget / loss that can be replaced from budget. Insurance up to $1m required.
• Personnel, OHS: Injury report and/or first aid only. May include substantial stress but no lost time.
• Service Delivery, Operations: Work processes would be inefficient but decisions could still be made and actions taken.
• Compliance: Unlikely to result in adverse regulatory response or action.
• Reputation, Political: No media attention. Credibility may be questioned.
• Environment: Minor damage to a localised area, or damage that ceases once the event is over. Environmental liability or remediation cost $0–50,000.
• Information: Loss of information or records of short-term administrative value (e.g. routine advice). Unauthorised access to UNCLASSIFIED & PUBLIC agency information.

Moderate
• Financial, Insurance: Serious impact on budget / resource reallocation required. Insurance between $1–5m required.
• Personnel, OHS: Medical treatment for injury. Substantial stress event requiring professional clinical support.
• Service Delivery, Operations: Service delivery interruptions of more than 24 hours.
• Compliance: Incident reportable to regulatory authorities with potential for formal notice or fine.
• Reputation, Political: Local media coverage. Senior management damage control required.
• Environment: Measurable impairment of the biological or physical environment. Ecosystem will recover without intervention. Environmental liability or remediation cost $50,000–500,000.
• Information: Loss of information or damage to records of moderate value (e.g. minor contracts or project records, or records required for audit purposes). Unauthorised access to IN CONFIDENCE agency information.

Major
• Financial, Insurance: Critical impact on budget / external recovery required. Insurance between $5–20m required.
• Personnel, OHS: Hospital treatment for injury. Serious temporary disability / minor permanent disability.
• Service Delivery, Operations: Service delivery interruptions longer than 3 days but less than a month. Recovery would be expensive and time consuming.
• Compliance: Investigation, prosecution and major fine possible. Actions or decisions cannot be explained to courts or regulatory bodies.
• Reputation, Political: Significant media coverage. Political embarrassment would occur. May jeopardise future funding.
• Environment: Serious environmental effects. Ecosystem will recover over time once clean-up has been completed. Environmental liability or remediation cost $0.5m–$5m.
• Information: Loss of information or damage to high-value records that relate to long-term or ongoing rights, obligations and entitlements (e.g. employee health monitoring and incident management records). Unauthorised access to PROTECTED agency information.

Catastrophic
• Financial, Insurance: The agency would incur huge financial losses. Insurance of more than $20m required.
• Personnel, OHS: Single death. Permanent disabilities for multiple persons.
• Service Delivery, Operations: Agency operations would be rendered dysfunctional and unable to recover from the consequences.
• Compliance: May result in serious litigation, including class actions.
• Reputation, Political: National and international media coverage. Total loss of confidence in the agency.
• Environment: Very serious environmental effects. Remediation required. Environmental liability or remediation cost >$5m.
• Information: Loss of, or irreparable damage to, vital records essential for the ongoing business of an agency, without which the agency could not operate effectively. Loss of information or irreparable damage to records of enduring value recognised by a broader audience than the original creating agency, including future generations (e.g. PERMANENT records). Unauthorised access to HIGHLY PROTECTED agency information.
In practice:
• Information Risk Register
• Disaster Preparedness and Business Continuity plans
• Vital Records Plan
• Alignment with Risk Management Framework
• Internal and external audit programs
• Digital Records Preservation/Continuity Plan
• Compliance with the Archives Act 1983 and with TAHO Guidelines