Cloud Information Governance Policy

Information Governance

Version 1.0

18 September 2018

1. Purpose

The Cloud Information Governance Policy sets out the information governance arrangements for the National Archives of Australia’s information assets created, stored, or managed through the use of cloud computing (cloud). Information assets of the Archives include those created and received to support its business activities and the collection of the archival resources of the Commonwealth in the care of the Archives. The policy covers the ownership and control, privacy, security, and roles and responsibilities for and related to this information.

2. Scope

2.1 Australian Government Definitions

The Cloud Information Governance Policy is in line with the policies and priorities of the Australian Government's Secure Cloud Strategy.

The Australian Government has adopted the US Government's National Institute of Standards and Technology's (NIST) definition of cloud:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The Digital Transformation Agency looks at cloud as how you get the technology platforms you need to run a digital service in a modern and flexible way.

Cloud services allow agencies to procure infrastructure as a service, platform as a service or an application as a service.

2.2 Application for Archives' Staff

The Policy applies to all Archives' staff, contractors and consultants, regardless of employment terms, position and location.

The Policy relates to all Archives information assets using cloud hosted services, regardless of the reason information is stored there or the source of the information.

While the Policy relates to large technology and software projects, it also relates to everyday use of web services, some of which may be low-cost or free.

All Archives staff must be aware that when they are using web services, they may be using cloud services. Web services are the tools and/or interfaces that allow users to enter data, and that data is stored in the cloud.

Throughout this document, all Archives records, information and data holdings are described holistically by the term 'information'.

3. Policy Statement

As identified in the Archives' Information Governance Framework, the Archives is committed to effective information management practices in order to meet legal obligations, accountability requirements, business needs and stakeholders' expectations.

Information held in the cloud has the same information governance and cyber security requirements as information held on premise.

However, using cloud services requires making different assessments and meeting additional criteria in order to achieve this outcome. This policy identifies these different assessments and additional criteria that will be included in any decision to use cloud services.

4. Assessments

Assessing cloud options for the Archives' information assets aims to:

  • ensure adherence to maintaining the official record of the nation, as per the Archives' Corporate Plan 2018–19 to 2021–22;
  • ensure that the Archives meets the requirements of the Australian Government's Secure Cloud Strategy;
  • affirm the Archives' commitment to effective information governance for all information assets in order to meet legal obligations, accountability requirements, business needs and stakeholders' expectations;
  • comply with the necessary Information Security Manual (ISM) controls for the protection, management and monitoring of all information stored externally to the Archives' infrastructure;
  • ensure staff are aware of the definition and scope of cloud computing and cloud services, and how storing information in the cloud has specific information governance considerations;
  • position the Archives as a forward looking, innovative and exemplar Australian Government agency employing better practice approaches for managing information;
  • increase the Archives' maturity in using cloud services, with improved understanding and implementation, in line with Australian Government priorities;
  • ensure all staff understand when they are using cloud services and their information management responsibilities; and
  • provide assurance that appropriate risk management has been applied to cloud-based solutions.

The Archives uses cloud services in a considered and secure way to:

  • agilely adopt modern technologies;
  • support communication of Archives' business;
  • leverage current capabilities;
  • offer flexibility; and
  • innovate in more strategic ways.

These services can support and enhance the opportunities available to the Archives in realising whole-of-government efficiencies and achieving business goals.

The Archives will implement cloud services in accordance with whole-of-government policy and advice. Each use case will be assessed for suitability using the criteria listed below.

4.1 Ownership of information

The Archives will retain absolute control over and responsibility for information assets created, managed, and hosted in the cloud. Australian Government information hosted in the cloud is subject to the Archives Act 1983. The Archives has legislative and policy obligations to protect and manage its information regardless of where it is stored.

4.2 Information management

Information created, managed, and hosted in the Cloud must remain:

  • authentic, accurate and trusted;
  • audited and monitored with positive control;
  • complete and unaltered by unauthorised means;
  • secure from unauthorised access and deletion;
  • findable, readable, usable and re-usable; and
  • related to other relevant information stored in other locations.

Cloud services should have the appropriate information management functionality and should meet the requirements identified in the Archives' Information Management Functionality Checklist and the Australian Signals Directorate's cloud certification policies. The checklist should be completed before selection and implementation of any cloud service.

4.3 Security and privacy

Cyber security is a significant concern when procuring and implementing cloud services. The Archives must ensure that controls and protections appropriately match the value of information created, managed, and hosted in the cloud. The ISM identifies cloud services as a new technology with new vulnerabilities, and one of the most significant shifts affecting ICT services: 'the use of cloud services diminishes customer control over threat mitigation and response and increases the threat from malicious insiders' (p.14). Whole-of-government protective and cyber security requirements and Archives' security policy and procedures must be followed as appropriate. Risk mitigations must be implemented as identified in the ACSC's Cloud Computing Security for Tenants.

All detected or suspected security incidents involving cloud services must be immediately reported to the Security Advisory Unit. All cloud services must have an incident response plan, which identifies:

  • the data held in the system;
  • the controls for each system;
  • all staff who access the system and their level of access;
  • the key users of the system; and
  • a communication plan for a security incident.

As part of contractual arrangements, the Archives will maintain the right to audit IT services for its cloud providers; this condition should be part of any contract for cloud-based services.

The Archives must also take thorough steps to protect any personal information stored in cloud-hosted services through appropriate assessments and safeguards. The use of cloud services must be in accordance with the Archives' Privacy Policy. The Office of the Australian Information Commissioner's Guide to Securing Personal Information provides further information on these requirements.

4.4 Monitoring and reporting

The Information Governance section, together with the business owners, will monitor the use of cloud services within the Archives through the Information Systems Architecture Register (the Register) and Information Management Plans (the plans). The Register and the plans will be maintained by the Information Governance section to track the use of cloud services, completed checklists, plans and assessments, and the business owners responsible for these services.

The IT Security Advisor (ITSA) will also monitor the use of cloud services through the Archives, keeping the CIO updated on developments and concerns on the use of cloud services for specific business purposes.

The Information Governance section will report to the Information Governance Committee regularly on information governance compliance in the use of cloud services.

5. Archives' Cloud Information Governance Requirements

To ensure adequate information governance for cloud-hosted information assets, the following key requirements should be satisfied:

5.1 Metadata

Information hosted in the cloud should have sufficient metadata to confirm information is complete, authentic, findable and useable. Information should have the metadata elements identified in the Archives' Minimum Metadata Set for agencies in the Australian Government.

Business owners of information stored in the cloud should ensure that information has sufficient metadata to satisfy access and retention requirements. Information in the cloud should be related to relevant information stored in other locations and additional metadata needs to be applied to information stored in the cloud to maintain its relationship links. The evidential value of information may be affected if appropriate controls are not maintained.

Metadata needs to be treated with the same security controls as the information it describes.

5.2 Access

The following issues should be considered when assessing options for using cloud services:

  • The Archives' information must be accessible for the duration of the contract for cloud services.
  • Information must be available and returned to the Archives as needed or on request. For example, information must be accessible for FOI requests, audits, and discovery orders as needed.
  • Information must be stored, retrieved, and returned in a format that can be migrated to another service or back to the Archives.
  • The migration, conversion and refreshment techniques used by the cloud service provider need to be understood and assessed. Information must not be amended by the service provider.
  • Backup processes must be identified and suitable.
  • No access to information that needs to be destroyed in accordance with the Archives' retention policies should be possible. This information must be destroyed from the cloud hosting sites when requested by the Archives.

5.3 Control

The failure to properly control and secure the use of the cloud will pose a vulnerability to the Archives' information. The following issues should be considered when assessing options for using cloud services:

  • Information needs to be assessed for suitability to be stored in the cloud. The DTA's Secure Cloud Strategy (p.7) recommends that in the first instance cloud services be used for low complexity information (routine operational processes that are not classified and do not contain any sensitive data), such as document management and development/test environments. If more complex information assets are considered for managing in the cloud, suitable risk assessments must be undertaken.
  • Information hosted in the cloud must be matched to the appropriately certified cloud architecture and services. The Archives either selects cloud service providers from ASD's Certified Cloud Services List (CCSL) or undertakes an assessment in accordance with the Secure Cloud Strategy and security requirements. Careful consideration of information and network security matters ensures that the Archives' information assets are safe and maintain long-term trustworthiness and sustainability over time.
  • Generally, information in aggregate is more valuable than the individual data elements. The classification may also change in aggregate. Security, privacy and risk assessments must all take into consideration the aggregation of information to be held by a cloud service. See PSPF Management of Aggregated Information Guidelines.
  • To protect information hosted in the cloud, administrator and user roles must be restricted to relevant staff only.
  • A process must be specified for any loss of control, security incidents, or disaster recovery. The Archives must be notified of denial of service attacks, unauthorised access or other security incidents or issues by the service provider. Unauthorised access to information may result in breaches of the Privacy Act 1988 and/or the Cybercrime Legislation Amendment Act 2012.
  • Audit logs, including access, must be provided and maintained.
  • While the DTA has identified there is no requirement for information to be stored in Australia, the geographic location of data and backup storage must be identified and included in any assessments.

In addition to the issues identified above, detailed guidance on issues of a security nature can be found in the ASD's Cloud Computing Security Considerations.

5.4 Retention and disposal

The Archives retains control of records retention and disposal practices on information hosted and managed in the cloud. Existing records authorities provide the only legal instrument that allows for the disposal and retention of Commonwealth information, regardless of its storage location. As service providers may replicate information for multiple backups, secure and complete data deletion must be identified as a contractual obligation. Destruction certificates may also be requested by the Archives.

5.5 Risk

Business areas must conduct a risk assessment when evaluating the use of cloud services. The risk assessment must be conducted with the IT Security Advisor, Business Engagement section, Information Governance section, and Privacy Officer. Any data sharing arrangements involving cloud services will also need to undergo a risk assessment.

The risk assessment must take into consideration:

  • risks specific to using cloud services, particularly the risks associated with having information located outside the Archives' network;
  • cloud service providers' compliance with the Protective Security Policy Framework and the Information Security Manual;
  • the Archives' level of risk tolerance – the Archives currently has a moderate tolerance level for data and information management;
  • the viability of the service provider; and
  • strategies to mitigate identified risks.

An incident response plan needs to be developed for each instance of cloud services. If determined, the system may also require a security risk management plan.

Where the risk tolerance is assessed to be above moderate, additional cyber security controls may be required by the ITSA and the Accreditation Authority.

The Information Security Management Guidelines should also be used for these assessments.

6. Implementation

All staff are responsible for following the Archives' Cloud Information Governance Policy.

The policy will be delivered by the Information Governance section through engagement across the Archives. Business areas will be responsible for working with Information Governance and Business Engagement sections, as well as the IT Security Advisor and Privacy Officer, to assess and evaluate cloud service providers against the requirements.

Business areas should receive and analyse regular reports on business performance and integrity checks. Changes to terms of service must be reviewed to ensure information governance requirements continue to be met. Any subcontractors used by a cloud service provider must meet the same information governance requirements.

Before acquiring and implementing any cloud services, business areas of the Archives must ensure that all necessary assessments are completed by Information Governance, IT Security Advisor, and the Privacy Officer. If this is not done, the system owner will be directly responsible for any risks associated with the cloud service.

Cloud services will be registered in the Information Systems Architecture Register and will be monitored by the Information Governance section to ensure compliance with this Policy.

An Infonet page will be created with simple guidelines and advice on using cloud services at the Archives. The advice will define cloud services and outline the Archives' decided approach to these services.

7. Roles and Responsibilities

The Director-General of the National Archives of Australia (also Chair of Archives' Information Governance Committee) is responsible for:

  • the standard of information management within the Archives;
  • the efficient, effective and ethical use of information resources within the Archives;
  • authorising the Cloud Information Governance Policy; and
  • promoting compliance with the Archives' information management policies and procedures.

The Information Governance Committee (which comprises members of the Executive Board) is responsible for:

  • providing sufficient support and resources for ensuring the successful implementation of the policy and guidance.

The Chief Information Officer shall:

  • represent the Archives in its implementation of whole-of-government initiatives, such as promoting and assessing the suitability of cloud services, and reporting; and
  • be responsible for the Archives' use of cloud services securely and responsibly.

The Chief Information Governance Officer shall:

  • support the Chief Information Officer in representing the Archives for whole-of-government initiatives and reporting;
  • ensure the necessary information governance processes, mechanisms and documentation exist for the Archives to successfully use cloud services; and
  • once notified of any incidents involving cloud services, report to the Chief Information Officer and liaise with Security Advisory Unit, ICT teams and Privacy Officer to discuss remediation and mitigation strategies.

Assistant Directors, Information Governance (operating under the supervision of the Chief Information Governance Officer) shall:

  • assess the risks associated with creating, managing and hosting information in the cloud in consultation with the identified areas;
  • provide input and advice on the appropriate use of cloud services;
  • monitor the use of cloud services across the Archives on the Information Systems Architecture Register; and
  • develop information management plans and supporting documentation, such as information architecture, for the transparent and accountable management of the Archives' information assets stored in the cloud.

IT Security Advisor (ITSA) shall:

  • conduct security assessments according to the ASD and ACSC requirements;
  • promote and support secure use of cloud services to Archives' business areas; and 
  • ensure that technologies are developed and implemented efficiently and that they support cloud information governance as outlined in this document.

ICT teams, including system administrators, shall:

  • conduct change management and implementation of any infrastructure changes required to enable the use of cloud services (e.g. firewall exceptions);
  • provide Information Technology support; and
  • promote accessibility, usability and interoperability of the use of cloud services.

Business areas shall:

  • undertake risk assessments and initiate documentation of information governance and management needs with the responsible area (Information Governance Section) before the procurement of cloud services;
  • immediately report suspected or confirmed security incidents involving cloud services to the ITSA, Security Advisory Unit, and Information Governance;
  • develop incident response plans for any procured cloud services;
  • monitor cloud performance and service levels; and
  • update the relevant business continuity plans.

Archives staff and contractors shall:

  • understand the definition and scope of cloud computing and cloud services, such as web-hosted services;
  • immediately report suspected or confirmed security incidents involving cloud services to the ITSA, Security Advisory Unit, and Information Governance;
  • be familiar with the Archives' Cloud Information Governance Policy; and
  • seek guidance from the Information Governance Section if there is any uncertainty over the use of the Policy.

8. Communication and Guidance

Communication on the Cloud Information Governance Policy will occur via email correspondence to all Archives employees and notification on the Infonet.

Further guidance can be obtained from the Information Governance Section via the Service Desk Portal.

9. Monitoring and Review

This Policy will be regularly monitored for emerging information governance risks and reviewed every two years from the date of approval, unless required earlier.

10. Authorisation

Approved by:

David Fricker
Director-General
National Archives of Australia

18 September 2018

Appendix 1 – Related Documents

Relevant legislation

  • Archives Act 1983
  • Privacy Act 1988
  • Australian Privacy Principles
  • Freedom of Information Act 1982
  • Electronic Transactions Act 1999
  • Cybercrime Legislation Amendment Act 2012
  • Crimes Act 1914
  • Evidence Act 1995
  • Copyright Act 1968
  • Public Governance Performance and Accountability Act 2013

Relevant Australian Government policies

Relevant Australian Government strategies

Relevant Australian Government guidelines

Appendix 2 – Service Provider Obligations Checklist

In undertaking contracts or agreements with cloud service providers, the business owner should be familiar with Negotiating the Cloud – Legal Issues in Cloud Computing Agreements. Cloud services may also be implemented by agreeing to terms and conditions as part of signing up for web-hosted services.

Archives' business owners must document the following information governance requirements in any terms and conditions, agreements, and/or contracts that are approved as part of using cloud services.

Ownership

The Archives must retain ownership over its information hosted in the cloud. This ownership includes copyright and proprietary interests. The Archives' information cannot be used for any other purposes or disposed of without the Archives' permission.

Location

The location of the information must be specifically identified in an agreement.

Availability

Information must be available as and when it is needed to support business.

Right to Access

Specify who has the right to access information and when, such as external appointed commercial auditors.

Access

Information must be accessible for the duration of the contract, and accessible to authorised persons as needed or requested.

Metadata

Metadata requirements for the management of the Archives' business information as part of the contract – this includes the Minimum Metadata Set and any additional metadata that may be required.

Retention

All Archives' information must be maintained by the service provider unless otherwise notified by the Archives or outlined in the contractual obligations. The Archives will ensure retention of information is in line with the relevant records authorities.

Disposal

Appropriate destruction is specified at the end of a service agreement, including all back-ups and copies. Certification must be provided by the service provider.

Formats

Specify the format in which the information and associated metadata are returned to the Archives, formats used in storage, and processes to be followed when information is migrated. Preferably the provider should use open formats to support readability over time.

Migration

Must comply with the Archives' standards and clauses addressing future migration. This must be part of service agreements to prevent obsolescence and issues with migration at the cessation of a contract.

Incidences

Specify the process for loss of control (cloud service provider business operations change), security incidents and disaster recovery processes.

Notification

The Archives must be notified of any security incidents or issues by the service provider, including denial of service attacks or unauthorised access.

Backups

Regular backups to be undertaken by the provider to maintain access to information.

Audit Logs

Service providers must be able to provide for and maintain system audit logs to provide confirmation that required information protection requirements are being met.

Auditing

Each contract should specify a right by the Archives to audit a provider's compliance with the agreement, and audit the provider's IT services. Consideration for audit purposes should be given to restricting the locations where data may be held; any other audit rights for the Archives, the Auditor-General and the Information Commissioner; a right for the Archives to appoint a commercial auditor; and, where technically available, the right to remotely monitor access to data.

Reporting

Must provide reports on business performance, integrity checks and faults.

Changes

Review any changes to terms of service for providers to ensure information governance requirements are met.

Subcontractors

Be aware of the use of third party contractors. Cloud service providers may work with subcontractors; specify the responsibilities of a sub-contractor, including the need to meet the same information governance requirements as the primary holder.

Return

Information must be returned to the Archives when requested.


Failure to meet the requirements of, or breaches to, the Cloud Information Governance Policy will require the business owner to notify the Chief Information Governance Officer when the failure occurs.

All confirmed or suspected security incidents must be reported to the Security Advisory Unit. All cloud services will have an incident response plan in place, and may also have a security risk management plan.

Copyright National Archives of Australia 2018