Our Cloud Information Governance Policy

Information Governance

Version 1.0

30 October 2020

1. Purpose

Cloud Information Governance Policy sets out the information governance arrangements for the National Archives of Australia’s information assets created, stored, or managed through the use of cloud computing (cloud). Information assets of the National Archives include those created and received to support its business activities and the collection of the archival resources of the Commonwealth in the care of the National Archives. The policy covers the ownership and control, privacy, security, and roles and responsibilities for and related to this information.

2. Scope

3. Policy Statement

As identified in the Archives' Information Governance Framework, the National Archives is committed to effective governance and management for all its information assets, including the archival resources of the Commonwealth in order to meet legal obligations, accountability requirements, business needs and stakeholders' expectations.

Information held in the cloud has the same information governance and cyber security requirements as information held on premise infrastructure.

However, using cloud services requires making different assessments and meeting additional criteria in order to achieve this outcome. This policy identifies these different assessments and additional criteria that will be included in any decision to use cloud services.

4. Assessments

Cloud service approval and delivery to host National Archives’ information cannot be obtained and procured at the National Archives without firstly completing the following assessments:

Assessment

Description

Completed by

Template

Cloud Security Assessment

Assessment of Cloud Security Provider (CSP) security fundamentals and its cloud services

Cyber Security or IRAP Assessor[1]

Cloud Security Assessment Report Template

Privacy Impact Statement/Assessment

Identifies information that could impact the privacy of individuals within a CSP environment

Business Owner – Privacy Officer

Impact Assessment (PIA) Template

Work Take-on Assessment

The Work Take-on process is used to assess, prioritise and action non-standard requests. Also provides details and requirements for determining security and controls for the proposed system

Emerging Technologies & Business Engagement – Business Owner

  • IT Requirements Summary
  • Software Security Review Questions

Information Management Functionality Checklist

Assessment of the system and information management functionality and risk of business systems and software

Information Governance
Emerging Technologies & Business Engagement

Information Management Functionality Checklist

Product Risk Assessment

Determines the viability of using the cloud service. Additional cyber security controls may be required. An incident response plan also needs to be developed for each instance of cloud services. The Cloud Computing Security Considerations provides assistance.

Business Owner with:

  • Cyber Security
  • Emerging Technologies & Business Engagement
  • Information Governance
  • Privacy Officer

Risk Assessment Template

Information Management Plan

Developed as part of implementation. Outlines the value of information and data assets and identify strategies to manage them over time

Information Governance

Information Management Plan Template

[1]The Cloud Security Assessment can be undertaken as either a self-assessment or by an IRAP assessor. The IRAP Assessor must be from the Information Security Registered Assessors Program. This may require a procurement process to obtain services. ASCS recommends the use of an IRAP assessor: “A cloud environment presents a complex technology stack that can involve multiple parties responsible for the end-to-end solution. This creates a uniquely challenging solution to assess, and necessitates a suitably qualified and skilled assessor, such as an IRAP assessor to perform the assessment.” (Australian Cyber Security Centre (ACSC), 2020, p. 21).

These assessments will take considerable time and should be taken into consideration as part of project planning.

Assessing cloud options for the National Archives’ information assets aims to:

  • ensure adherence to maintaining the official record of the nation, as per the National Archives' Corporate Plan 2019–20 to 2022–23;
  • ensure that the National Archives meets the requirements of the Australian Government’s Secure Cloud Strategy;
  • affirm the National Archives’ commitment to effective information governance for all information assets in order to meet legal obligations, accountability requirements, business needs and stakeholders’ expectations;
  • comply with the necessary Australian Government Information Security Manual (ISM) controls for the protection, management and monitoring of all information stored externally to the National Archives’ infrastructure;
  • ensure staff are aware of the definition and scope of cloud computing and cloud services, and how storing information in the cloud has specific information governance considerations;
  • allow the National Archives to keep pace with cloud trends as a forward looking, innovative and exemplar Australian Government agency employing better practice approaches for managing information;
  • increase the National Archives’ maturity in using cloud services, with improved understanding and implementation, in line with Australian Government priorities;
  • ensure all staff understand when they are using cloud services and their information management responsibilities; and
  • provide assurance that appropriate risk management has been applied to cloud-based solutions.

The National Archives uses cloud services in a considered and secure way to:

  • adopt modern technologies using agile methods;
  • support communication of National Archives’ business;
  • leverage current capabilities and improve business continuity;
  • offer flexibility by design;
  • innovate in more strategic ways and pursue new opportunities; and
  • potentially reduce ongoing costs.

These services can support and enhance the opportunities available to the National Archives in realising whole-of-government efficiencies and achieving business goals.

National Archives will implement cloud services in accordance with whole-of-government policy and advice. Each use case will be assessed for suitability using the criteria listed below.

5. Cloud Information Governance Requirements

To ensure adequate information governance for cloud-hosted information assets, Advice for cloud clause contract/agreements provides wording to ensure information governance requirements are covered.

The following key requirements provide a summary of these requirements:

6. Implementation

All staff are responsible for following the National Archives’ Cloud Information Governance Policy.

The policy will be delivered by the Information Governance section through engagement across the National Archives. Business areas will be responsible for working with Information Governance, Cyber Security, and Emerging Technology and Business Engagement sections, as well as the Privacy Officer, to assess and evaluate cloud service providers against the requirements.

Business areas should receive and analyse regular reports on business performance and integrity checks. Changes to terms of service must be reviewed to ensure information governance requirements continue to be met. Any subcontractors used by a cloud service provider must meet the same information governance requirements.

Before acquiring and implementing any cloud services business areas of the National Archives must ensure that all necessary assessments are completed by Information Governance, Cyber Security, and the Privacy Officer. If this is not done, the system owner will be directly responsible for any risks associated with the cloud service.

Cloud services will be registered in the Information Systems Architecture Register and will be monitored by the Information Governance section to ensure compliance with this Policy.

An Infonet page will be created with simple guidelines and advice on using cloud services at the National Archives. The advice will define cloud services and outline the National Archives decided approach to these services.

7. Roles and Responsibilities

The Director-General of the National Archives of Australia (also Chair of the National Archives’ Information Governance Committee) is responsible for:

  • the standard of information management within the National Archives.

The Information Governance Committee(which comprises members of the Executive Board) is responsible for:

  • providing sufficient support and resources for ensuring the successful implementation of the policy and guidance.

The Chief Information Officer (CIO) will:

  • authorise the Cloud Information Governance Policy;
  • have final responsibility for the self-assessment of National Archives’ cloud services to inform a risk-informed decision about the Cloud Service Provider’s suitability to store, process and communicate data;
  • be responsible for the efficient, effective and ethical use of information resources within the National Archives;
  • promote compliance with the National Archives’ information management policies and procedures;
  • represent the National Archives in its implementation of whole-of-government initiatives, such as promoting and assessing the suitability of cloud services, and reporting; and
  • be responsible for the National Archives’ secure and responsible use of cloud services.

The Chief Information Governance Officer (CIGO) will:

  • with the Chief Information Office, ensure the efficient, effective and ethical use of information resources within the National Archives;
  • with the Chief Information Officer, promote compliance with the National Archives’ information management policies and procedures;
  • ensure the necessary information governance processes, mechanisms and documentation exist for the National Archives to successfully use cloud services;
  • support the Chief Information Officer in representing the National Archives for whole-of-government initiatives and reporting; and
  • once notified of any incidences involving cloud services, report to the Chief Information Officer and liaise with Security Advisory Unit, ICT teams and Privacy Officer to discuss remediation and mitigation strategies.

Information Governance section (operating under the supervision of the Chief Information Governance Officer) will:

  • assess the risks associated with creating, managing and hosting information in the cloud in consultation with the identified areas;
  • provide input and advice on the appropriate use of cloud services;
  • monitor the use of cloud services across the National Archives on the Information Systems Architecture Register and the Digital Assets Register (R840082020); and
  • develop information management plans and supporting documentation, such as information architecture, for the transparent and accountable management of the National Archives’ information assets stored in the cloud.

The Director, Cyber Security will:

  • conduct security assessments according to the ACSC requirements;
  • promote and support secure use of cloud services to National Archives’ business areas; and
  • ensure that technologies are developed and implemented efficiently and that they support cloud information governance as outlined in this document.

The Chief Technology Officer (CTO) will:

  • promote and support secure use of cloud services to National Archives’ business areas; and
  • ensure National Archives’ self-assessment of cloud service providers (CPS) is undertaken in consultation with business owners, Cyber Security and Emerging Technologies and Business Engagement sections.

IT teams, including system administrators, will:

  • conduct change management and implementation of any infrastructure changes required to enable the use of cloud services (e.g. firewall exceptions);
  • provide Information Technology support; and
  • promote accessibility, usability and interoperability of the use of cloud services.

The Privacy Officer will:

  • in accordance with the Privacy (Australian Government Agencies – Governance) APP Code 2017, handle all internal and external privacy enquiries, privacy complaints, and requests for access to and correction of personal information stored in the cloud;
  • maintain a record of the National Archives’ personal information holdings;
  • assist with the preparation of and review PIAs for assessing cloud options for the National Archives’ information assets, including the assessment of any new cloud service;
  • maintain the National Archives’ register of PIAs, including for cloud services, as required; and
  • measure and document the National Archives’ performance against the privacy management plan at least annually as required.

Business areas will:

  • undertake risk assessments and initiate documentation of information governance and management needs with the responsible area (Information Governance Section) before the procurement of cloud services;
  • immediately report suspected or confirmed security incidences involving cloud services to the Cyber Security Advisor (ITSA), Security Advisory Unit, and Information Governance;
  • develop incident response plans for any procured cloud services;
  • monitor cloud performance and service levels; and
  • update the relevant business continuity plans.

National Archives staff and contractors will:

  • understand the definition and scope of cloud computing and cloud services, such as web-hosted services;
  • immediately report suspected or confirmed security incidences involving cloud services to the ITSA, Security Advisory Unit, and Information Governance;
  • be familiar with the National Archives’ Cloud Information Governance Policy; and
  • seek guidance from the Information Governance Section if there is any uncertainty over the use of the Policy.

8. Communication and Guidance

Communication on the Cloud Information Governance Policy will occur via email correspondence to all National Archives employees and notification on the Infonet.

Further guidance can be obtained from the Information Governance Section via the Service Desk Portal.

9. Monitoring and Review

This Policy will be regularly monitored for emerging information governance risks and reviewed every two years from the date of approval, unless required earlier.

10. Authorisation

Approved by:

Yaso Arumugam
Chief Information Officer
National Archives of Australia

30 October 2020

Appendix 1 – Related Documents

Relevant legislation

  • Archives Act 1983
  • Privacy Act 1988
  • Australian Privacy Principles
  • Freedom of Information Act 1982
  • Electronic Transactions Act 1999
  • Cybercrime Legislation Amendment Act 2012
  • Crimes Act 1914
  • Evidence Act 1995
  • Copyright Act 1968
  • Public Governance Performance and Accountability Act 2013

Relevant Australian Government policies

Relevant Australian Government strategies

Relevant Australian Government guidelines

Relevant National Archives strategic documents

Appendix 2 – Service Provider Obligations Checklist

In undertaking contracts or agreements with cloud service providers, the business owner should be familiar with the PSPF. Cloud services may also be implemented by agreeing to terms and conditions as part of signing up for web-hosted services.

National Archives’ business owners must document the following information governance requirements in any terms and conditions, agreements, and/or contracts that are approved as part of using cloud services.

Ownership

The National Archives must retain ownership over its information hosted in the cloud. This ownership includes copyright and proprietary interests.  The National Archives’ information cannot be used for any other purposes or disposed of without the National Archives’ permission

    

Location

The location of the information must be specifically identified in an agreement

    

Availability

Information must be available as and when it is needed to support business

    

Right to Access

Specify who has the right to access information and when, such as external appointed commercial auditors

    

Access

Information must be accessible for the duration of the contract, and accessible to authorised persons as needed or requested

    

Metadata

Metadata requirements for the management of the National Archives’ business information as part of the contract– this includes the Minimum Metadata Set and any additional metadata that may be required

    

Retention

All National Archives’ information must be maintained by the service provider unless otherwise notified by the National Archives or outlined in the contractual obligations. The National Archives will ensure retention of information is in line with the relevant records authorities

    

Disposal

Appropriate destruction is specified at the end of a service agreement, including all back-ups and copies. Certification must be provided by the service provider

    

Formats

Specify the format the information and associated metadata is returned to the National Archives, formats used in storage, and processes to be followed when information is migrated. Preferably the provider should use open formats to support readability over time

    

Migration

Must comply with the National Archives’ standards and clauses addressing future migration. This must be part of service agreements to prevent obsolesce and issues with migration at the cessation of a contract

    

Incidences

Specify the process for loss of control (cloud service provider business operations change), security incidents and disaster recovery processes

    

Notification

The Archives must be notified of any security incidents or issues by the service provider, including denial of service attacks or unauthorised access

    

Backups

Regular backups to be undertaken by the provider to maintain access to information

    

Audit Logs

Service providers must be able to provide for and maintain system audit logs to provide confirmation that required information protection requirements are being met.

    

Auditing

Each contract should specify a right by the National Archives to audit a provider’s compliance with the agreement, and audit the provider’s IT services. Consideration for audit purposes should be given to restricting the locations where data may be held; any other audit rights for the National Archives, the Auditor-General and the Information Commissioner; a right for the National Archives to appoint a commercial auditor and where technically available the right to remotely monitor access to data.

    

Reporting

Must provide reports on business performance, integrity checks and faults

    

Changes

Review any changes to terms of service for providers to ensure information governance requirements are met

    

Subcontractors

Be aware of the use of third party contractors. Cloud service providers may work with subcontractors; specify the responsibilities of a sub-contractor, including the need to meet the same information governance requirements as the primary holder

    

Return

Information must be returned to the National Archives when requested

    

Failure to meet the requirements of, or breaches to, the Cloud Information Governance Policy will require the business owner to notify the Chief Information Governance Officer when the failure occurs.

All confirmed or suspected security incidents must be reported to the Security Advisory Unit. All cloud services will have an incident response plan in place, and may also have a security risk management plan.

Was this page helpful?
Please tell us why you selected 'Yes'
Please tell us why you selected 'No'