Introduction to Guideline 25 – Managing Information Risk
Samara McIlroy, Consultant, Government Recordkeeping
[email protected]
6165 6085

Upload: tamsin-cook

Post on 18-Dec-2015


TRANSCRIPT


Overview

• Background and context
• New Guideline and Advice
• Applying Risk Management
• Request for feedback
• Questions

Don’t know the first thing about risk management?

Why?

• New technologies bring new threats to business information and continuity
• Information risk often mistakenly treated as IT risk
• Appraisal of digital records requires a new set of competencies

Background and context

• Tasmanian Government Project Management Guidelines
• AS/ISO Standards
• Other jurisdictions
• Guideline 1 – Records Management Principles

Tasmanian Government Project Management Guidelines

• In November 2011, the ICT Policy Board endorsed the Project Management Guidelines as Advice for Tasmanian Government Agencies

• Element 5 addresses Risk Management (p90-106)

• Guidelines on the e-Government website under Project Management – http://www.egovernment.tas.gov.au//project_management

Standards

• AS/NZS ISO 31000:2009 Risk management - Principles and guidelines and the companion Handbook - SA/SNZ HB 436:2013

• Information and documentation - Risk assessment for records processes and systems - ISO/TR 18128:2014(E)

• Available from the eGovernment Standards Select portal on the website

Other jurisdictions

• Records and Risk Management (PROS 10/10 G6) - Public Records Office Victoria: strategic and operational alignment

• FutureProof blog - State Records NSW: digital information risks

• Linking business to records: Managing recordkeeping risks - National Archives of Australia (NAA): identifying high-risk business functions for more intensive information management activities

Guideline 1 – Records Management Principles

New inclusions which relate to Information Risk:

• Information governance
• Risk analysis
• Policy alignment
• Records in business systems
• Regular compliance audits

The new Risk Management Guideline and Advice

• Guideline No. 25 – Managing Information Risk

• Advice No. 60:
  Part 1 – Introduction
  Part 2 – Applying Risk Management processes
  Part 3 – Templates and tools

Guideline No. 25 – Managing Information Risk – key concepts

• Managing information risk using risk analysis

• Aligning the functions of Risk Management and Records Management

MUSTS

• Agencies MUST apply risk management processes to all State records

• Agencies MUST undertake an information risk assessment for each of the agency's core business areas.

High-risk business areas:

• Public and media scrutiny
• Legal action or formal investigation
• Involve large amounts of money
• Relate to issues of security
• Outsourcing
• Administrative change
• Cloud-computing systems
• Relate to the health, welfare, rights and entitlements of citizens and/or staff
• Employment conditions of staff
• Involve organisational change and/or transitioning to new systems

MUSTS

• Risk management processes MUST cover records in all formats, including digital records outside formal recordkeeping systems, such as email, websites & business systems.

• Risk assessments MUST be carried out for all permanent records, including permanent records held in business systems.

Records in all formats:

• Permanent records
• Vital records
• Unscheduled records (not covered by a R&DS)
• Network drives
• Email
• Scanned or digitised records
• Business systems and cloud-computing applications
• Hybrid environments
• Websites
• Social media
• Mobile devices
• Etc, etc.

MUSTS

• Risk management processes MUST underpin records management operations, to ensure that risks to the agency's records and recordkeeping systems are minimised.

• Records management staff MUST ensure that risks to the agency's records and recordkeeping systems, especially vital records, are addressed as part of the agency’s Records Management Program.

MUSTS

• Agencies MUST align the functions of records management and risk management strategically and operationally.

• Agencies MUST review their Information Risk Register annually.

The new Guideline and Advice

• Guideline No. 25 – Managing Information Risk

• Advice No. 60:
  Part 1 – Introduction
  Part 2 – Applying Risk Management processes
  Part 3 – Information Risk Register Template

Information Risk Consequence Scale

Consequence categories: Financial, Insurance | Personnel, OHS | Service Delivery, Operations | Compliance | Reputation, Political | Environment | Information

Minor
• Financial, Insurance: Minor impact on budget / loss that can be replaced from budget. Insurance up to $1m required.
• Personnel, OHS: Injury report and/or first aid only. May include substantial stress but no lost time.
• Service Delivery, Operations: Work processes would be inefficient but decisions could still be made and actions taken.
• Compliance: Unlikely to result in adverse regulatory response or action.
• Reputation, Political: No media attention. Credibility may be questioned.
• Environment: Minor damage to a localised area or that ceases once the event is over. Environmental liability or remediation cost $0–50,000.
• Information: Loss of information or records of short-term administrative value (e.g. routine advice). Unauthorised access to UNCLASSIFIED & PUBLIC agency information.

Moderate
• Financial, Insurance: Serious impact on budget / resource reallocation required. Insurance between $1–5m required.
• Personnel, OHS: Medical treatment for injury. Substantial stress event requiring professional clinical support.
• Service Delivery, Operations: Service delivery interruptions of more than 24 hours.
• Compliance: Incident reportable to regulatory authorities with potential for formal notice or fine.
• Reputation, Political: Local media coverage. Senior management damage control required.
• Environment: Measurable impairment on biological or physical environment. Ecosystem will recover without intervention. Environmental liability or remediation cost $50,000–500,000.
• Information: Loss of information or damage to records of moderate value (e.g. minor contracts or project records, or required for audit purposes). Unauthorised access to IN CONFIDENCE agency information.

Major
• Financial, Insurance: Critical impact on budget / external recovery required. Insurance between $5–20m required.
• Personnel, OHS: Hospital treatment for injury. Serious temporary disability / minor permanent disability.
• Service Delivery, Operations: Service delivery interruptions longer than 3 days but less than a month. Recovery would be expensive and time consuming.
• Compliance: Investigation, prosecution and major fine possible. Actions or decisions cannot be explained to courts or regulatory bodies.
• Reputation, Political: Significant media coverage. Political embarrassment would occur. May jeopardise future funding.
• Environment: Serious environmental effects. Ecosystem will recover over time once clean-up has been completed. Environmental liability or remediation cost $0.5m–$5m.
• Information: Loss of information or damage to high-value records that relate to long-term or ongoing rights, obligations and entitlements (e.g. employee health monitoring and incident management records). Unauthorised access to PROTECTED agency information.

Catastrophic
• Financial, Insurance: The agency would incur huge financial losses. Insurance of more than $20m required.
• Personnel, OHS: Single death. Permanent disabilities for multiple persons.
• Service Delivery, Operations: Agency operations would be rendered dysfunctional and not be able to recover from consequences.
• Compliance: May result in serious litigation including class actions.
• Reputation, Political: National and international media coverage. Total loss of confidence in agency.
• Environment: Very serious environmental effects. Remediation required. Environmental liability or remediation cost >$5m.
• Information: Loss or irreparable damage to vital records essential for the ongoing business of an agency, and without which the agency could not operate effectively. Loss of information or irreparable damage to records of enduring value recognised by a broader audience than the original creating agency, including future generations (e.g. PERMANENT records). Unauthorised access to HIGHLY PROTECTED agency information.

In practice:

• Information Risk Register
• Disaster Preparedness and Business Continuity plans
• Vital Records Plan
• Alignment with Risk Management Framework
• Internal and external audit programs
• Digital Records Preservation/Continuity Plan
• Compliance with the Archives Act 1983 and with TAHO Guidelines

Request for feedback

Closing date: Friday 31st October