18 September 2018
The Cloud Information Governance Policy sets out the information governance arrangements for the National Archives of Australia’s information assets created, stored, or managed through the use of cloud computing (cloud). Information assets of the Archives include those created and received to support its business activities and the collection of the archival resources of the Commonwealth in the care of the Archives. The policy covers the ownership and control, privacy, security, and roles and responsibilities for and related to this information.
The Cloud Information Governance Policy is in line with the policies and priorities of the Australian Government's Secure Cloud Strategy.
The Australian Government has adopted the US Government's National Institute of Standards and Technology's (NIST) definition of cloud:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The Digital Transformation Agency looks at cloud as how you get the technology platforms you need to run a digital service in a modern and flexible way.
Cloud services allow agencies to procure infrastructure as a service, platform as a service or an application as a service.
The Policy applies to all Archives' staff, contractors and consultants, regardless of employment terms, position and location.
The Policy relates to all Archives information assets using cloud hosted services, regardless of the reason information is stored there or the source of the information.
While the Policy relates to large technology and software projects, it also relates to everyday use of web services, some of which may be low-cost or free.
All Archives staff must be aware that when they are using web services, they may be using cloud services. Web services are the tools and/or interfaces that allow users to enter data, and that data is stored in the cloud.
Throughout this document, all Archives records, information and data holdings are described holistically by the term 'information'.
As identified in the Archives' Information Governance Framework, the Archives is committed to effective information management practices in order to meet legal obligations, accountability requirements, business needs and stakeholders' expectations.
Information held in the cloud has the same information governance and cyber security requirements as information held on premise.
However, using cloud services requires making different assessments and meeting additional criteria in order to achieve this outcome. This policy identifies these different assessments and additional criteria that will be included in any decision to use cloud services.
Assessing cloud options for the Archives' information assets aims to:
The Archives uses cloud services in a considered and secure way to:
These services can support and enhance the opportunities available to the Archives in realising whole-of-government efficiencies and achieving business goals.
The Archives will implement cloud services in accordance with whole-of-government policy and advice. Each use case will be assessed for suitability using the criteria listed below.
The Archives will retain absolute control over and responsibility for information assets created, managed, and hosted in the cloud. Australian Government information hosted in the cloud is subject to the Archives Act 1983. The Archives has legislative and policy obligations to protect and manage its information regardless of where it is stored.
Information created, managed, and hosted in the Cloud must remain:
Cloud services should have the appropriate information management functionality and should meet the requirements identified in the Archives' Information Management Functionality Checklist and the Australian Signals Directorate's cloud certification policies. The checklist should be completed before selection and implementation of any cloud service.
Cyber security is a significant concern when procuring and implementing cloud services. The Archives must ensure that controls and protections appropriately match the value of information created, managed, and hosted in the cloud. The ISM identifies cloud services as a new technology with new vulnerabilities, and one of the most significant shifts affecting ICT services: 'the use of cloud services diminishes customer control over threat mitigation and response and increases the threat from malicious insiders' (p.14). Whole-of-government protective and cyber security requirements and Archives' security policy and procedures must be followed as appropriate. Risk mitigations must be implemented as identified in the ACSC's Cloud Computing Security for Tenants.
All detected or suspected security incidents involving cloud services must be immediately reported to the Security Advisory Unit. All cloud services must have an incident response plan, which identifies:
As part of contractual arrangements, the Archives will maintain the right to audit IT services for its cloud providers; this condition should be part of any contract for cloud-based services.
The Information Governance section, together with the business owners, will monitor the use of cloud services within the Archives through the Information Systems Architecture Register (the Register) and Information Management Plans (the plans). The Register and the plans will be maintained by the Information Governance section to track the use of cloud services, completed checklists, plans and assessments, and the business owners responsible for these services.
The IT Security Advisor (ITSA) will also monitor the use of cloud services through the Archives, keeping the CIO updated on developments and concerns on the use of cloud services for specific business purposes.
The Information Governance section will report to the Information Governance Committee regularly on information governance compliance in the use of cloud services.
To ensure adequate information governance for cloud-hosted information assets, the following key requirements should be satisfied:
Information hosted in the cloud should have sufficient metadata to confirm information is complete, authentic, findable and useable. Information should have the metadata elements identified in the Archives' Minimum Metadata Set for agencies in the Australian Government.
Business owners of information stored in the cloud should ensure that information has sufficient metadata to satisfy access and retention requirements. Information in the cloud should be related to relevant information stored in other locations and additional metadata needs to be applied to information stored in the cloud to maintain its relationship links. The evidential value of information may be affected if appropriate controls are not maintained.
Metadata needs to be treated with the same security controls as the information it describes.
The following issues should be considered when assessing options for using cloud services:
The failure to properly control and secure the use of the cloud will pose a vulnerability to the Archives' information. The following issues should be considered when assessing options for using cloud services:
In addition to the issues identified above, detailed guidance on issues of a security nature can be found in the ASD's Cloud Computing Security Considerations.
The Archives retains control of records retention and disposal practices on information hosted and managed in the cloud. Existing records authorities provide the only legal instrument that allows for the disposal and retention of Commonwealth information, regardless of its storage location. As service providers may replicate information for multiple backups, secure and complete data deletion must be identified as a contractual obligation. Destruction certificates may also be requested by the Archives.
Business areas must conduct a risk assessment when evaluating the use of cloud services. The risk assessment must be conducted with the IT Security Advisor, Business Engagement section, Information Governance section, and Privacy Officer. Any data sharing arrangements involving cloud services will also need to undergo a risk assessment.
The risk assessment must take into consideration:
An incident response plan needs to be developed for each instance of cloud services. If determined, the system may also require a security risk management plan.
Where the risk tolerance is assessed to be above moderate, additional cyber security controls may be required by the ITSA and the Accreditation Authority.
The Information Security Management Guidelines should also be used for these assessments.
All staff are responsible for following the Archives' Cloud Information Governance Policy.
The policy will be delivered by the Information Governance section through engagement across the Archives. Business areas will be responsible for working with Information Governance and Business Engagement sections, as well as the IT Security Advisor and Privacy Officer, to assess and evaluate cloud service providers against the requirements.
Business areas should receive and analyse regular reports on business performance and integrity checks. Changes to terms of service must be reviewed to ensure information governance requirements continue to be met. Any subcontractors used by a cloud service provider must meet the same information governance requirements.
Before acquiring and implementing any cloud services, business areas of the Archives must ensure that all necessary assessments are completed by Information Governance, IT Security Advisor, and the Privacy Officer. If this is not done, the system owner will be directly responsible for any risks associated with the cloud service.
Cloud services will be registered in the Information Systems Architecture Register and will be monitored by the Information Governance section to ensure compliance with this Policy.
An Infonet page will be created with simple guidelines and advice on using cloud services at the Archives. The advice will define cloud services and outline the Archives' decided approach to these services.
The Director-General of the National Archives of Australia (also Chair of Archives' Information Governance Committee) is responsible for:
The Information Governance Committee (which comprises members of the Executive Board) is responsible for:
The Chief Information Officer shall:
The Chief Information Governance Officer shall:
Assistant Directors, Information Governance (operating under the supervision of the Chief Information Governance Officer) shall:
IT Security Advisor (ITSA) shall:
ICT teams, including system administrators, shall:
Business areas shall:
Archives staff and contractors shall:
Communication on the Cloud Information Governance Policy will occur via email correspondence to all Archives employees and notification on the Infonet.
Further guidance can be obtained from the Information Governance Section via the Service Desk Portal.
This Policy will be regularly monitored for emerging information governance risks and reviewed every two years from the date of approval, unless required earlier.
National Archives of Australia
18 September 2018
In undertaking contracts or agreements with cloud service providers, the business owner should be familiar with Negotiating the Cloud – Legal Issues in Cloud Computing Agreements. Cloud services may also be implemented by agreeing to terms and conditions as part of signing up for web-hosted services.
Archives' business owners must document the following information governance requirements in any terms and conditions, agreements, and/or contracts that are approved as part of using cloud services.
The Archives must retain ownership over its information hosted in the cloud. This ownership includes copyright and proprietary interests. The Archives' information cannot be used for any other purposes or disposed of without the Archives' permission.
The location of the information must be specifically identified in an agreement.
Information must be available as and when it is needed to support business.
Specify who has the right to access information and when, such as externally appointed commercial auditors.
Information must be accessible for the duration of the contract, and accessible to authorised persons as needed or requested.
Metadata requirements for the management of the Archives' business information must be specified as part of the contract – this includes the Minimum Metadata Set and any additional metadata that may be required.
All Archives' information must be maintained by the service provider unless otherwise notified by the Archives or outlined in the contractual obligations. The Archives will ensure retention of information is in line with the relevant records authorities.
Appropriate destruction is specified at the end of a service agreement, including all back-ups and copies. Certification must be provided by the service provider.
Specify the format in which the information and associated metadata are returned to the Archives, formats used in storage, and processes to be followed when information is migrated. Preferably the provider should use open formats to support readability over time.
Must comply with the Archives' standards and clauses addressing future migration. This must be part of service agreements to prevent obsolescence and issues with migration at the cessation of a contract.
Specify the process for loss of control (cloud service provider business operations change), security incidents and disaster recovery processes.
The Archives must be notified of any security incidents or issues by the service provider, including denial of service attacks or unauthorised access.
Regular backups to be undertaken by the provider to maintain access to information.
Service providers must be able to provide for and maintain system audit logs to provide confirmation that required information protection requirements are being met.
Each contract should specify a right by the Archives to audit a provider's compliance with the agreement, and audit the provider's IT services. Consideration for audit purposes should be given to restricting the locations where data may be held; any other audit rights for the Archives, the Auditor-General and the Information Commissioner; a right for the Archives to appoint a commercial auditor; and, where technically available, the right to remotely monitor access to data.
Must provide reports on business performance, integrity checks and faults.
Review any changes to terms of service for providers to ensure information governance requirements are met.
Be aware of the use of third-party contractors. Cloud service providers may work with subcontractors; specify the responsibilities of a subcontractor, including the need to meet the same information governance requirements as the primary holder.
Information must be returned to the Archives when requested.
Failure to meet the requirements of, or breaches to, the Cloud Information Governance Policy will require the business owner to notify the Chief Information Governance Officer when the failure occurs.
All confirmed or suspected security incidents must be reported to the Security Advisory Unit. All cloud services will have an incident response plan in place, and may also have a security risk management plan.