Introduction to Guideline 25 – Managing Information Risk
Samara McIlroy, Consultant, Government Recordkeeping
grk@education.tas.gov.au
6165 6085

Overview
• Background and context
• New Guideline and Advice
• Applying Risk Management
• Request for feedback
• Questions

Don't know the first thing about risk management?

Why?
• New technologies bring new threats to business information and continuity
• Information risk is often mistakenly treated as IT risk
• Appraisal of digital records requires a new set of competencies

Background and context
• Tasmanian Government Project Management Guidelines
• AS/ISO Standards
• Other jurisdictions
• Guideline 1 – Records Management Principles

Tasmanian Government Project Management Guidelines
• In November 2011, the ICT Policy Board endorsed the Project Management Guidelines as Advice for Tasmanian Government Agencies
• Element 5 addresses Risk Management (p90-106)
• The Guidelines are on the e-Government website under Project Management – http://www.egovernment.tas.gov.au//project_management

Standards
• AS/NZS ISO 31000:2009 Risk management – Principles and guidelines, and the companion Handbook SA/SNZ HB 436:2013
• ISO/TR 18128:2014(E) Information and documentation – Risk assessment for records processes and systems
• Available from the eGovernment Standards Select portal on the website

Other jurisdictions
• Records and Risk Management (PROS 10/10 G6) – Public Records Office Victoria: strategic and operational alignment
• FutureProof blog – State Records NSW: digital information risks
• Linking business to records: Managing recordkeeping risks – National Archives of Australia (NAA): identifying high-risk business functions for more intensive information management activities

Guideline 1 – Records Management Principles
New inclusions which relate to Information Risk:
• Information governance
• Risk analysis
• Policy alignment
• Records in business systems
• Regular compliance audits

The new Risk Management Guideline and Advice
• Guideline No. 25 – Managing Information Risk
• Advice No. 60:
  Part 1 – Introduction
  Part 2 – Applying Risk Management processes
  Part 3 – Templates and tools

Guideline No. 25 – Managing Information Risk – key concepts
• Managing information risk using risk analysis
• Aligning the functions of Risk Management and Records Management

MUSTS
• Agencies MUST apply risk management processes to all State records.
• Agencies MUST undertake an information risk assessment for each of the agency's core business areas.

High-risk business areas are those that:
• Attract public and media scrutiny
• Are subject to legal action or formal investigation
• Involve large amounts of money
• Relate to issues of security
• Involve outsourcing
• Involve administrative change
• Use cloud-computing systems
• Relate to the health, welfare, rights and entitlements of citizens and/or staff
• Relate to employment conditions of staff
• Involve organisational change and/or transitioning to new systems

MUSTS
• Risk management processes MUST cover records in all formats, including digital records outside formal recordkeeping systems, such as email, websites and business systems.
• Risk assessments MUST be carried out for all permanent records, including permanent records held in business systems.

Records in all formats:
• Permanent records
• Vital records
• Unscheduled records (not covered by a R&DS)
• Network drives
• Email
• Scanned or digitised records
• Business systems and cloud-computing applications
• Hybrid environments
• Websites
• Social media
• Mobile devices
• Etc, etc.

MUSTS
• Risk management processes MUST underpin records management operations, to ensure that risks to the agency's records and recordkeeping systems are minimised.
• Records management staff MUST ensure that risks to the agency's records and recordkeeping systems, especially vital records, are addressed as part of the agency's Records Management Program.

MUSTS
• Agencies MUST align the functions of records management and risk management strategically and operationally.
• Agencies MUST review their Information Risk Register annually.

The new Guideline and Advice
• Guideline No. 25 – Managing Information Risk
• Advice No. 60:
  Part 1 – Introduction
  Part 2 – Applying Risk Management processes
  Part 3 – Information Risk Register Template

Information Risk Consequence Scale
Four consequence levels (Minor, Moderate, Major, Catastrophic) are rated across seven areas: Service Delivery/Operations; Financial/Insurance; Personnel/OHS; Compliance; Reputation/Political; Environment; Information.

Minor
• Service Delivery, Operations: Work processes would be inefficient but decisions could still be made and actions taken.
• Financial, Insurance: Minor impact on budget / loss that can be replaced from budget. Insurance up to $1m required.
• Personnel, OHS: Injury report and/or first aid only. May include substantial stress but no lost time.
• Compliance: Unlikely to result in adverse regulatory response or action.
• Reputation, Political: No media attention. Credibility may be questioned.
• Environment: Minor damage to a localised area, or damage that ceases once the event is over. Environmental liability or remediation cost $0-50,000.
• Information: Loss of information or records of short-term administrative value (e.g. routine advice). Unauthorised access to UNCLASSIFIED & PUBLIC agency information.

Moderate
• Service Delivery, Operations: Service delivery interruptions of more than 24 hours.
• Financial, Insurance: Serious impact on budget / resource reallocation required. Insurance between $1-5m required.
• Personnel, OHS: Medical treatment for injury. Substantial stress event requiring professional clinical support.
• Compliance: Incident reportable to regulatory authorities with potential for formal notice or fine.
• Reputation, Political: Local media coverage. Senior management damage control required.
• Environment: Measurable impairment on biological or physical environment. Ecosystem will recover without intervention. Environmental liability or remediation cost $50,000-500,000.
• Information: Loss of information or damage to records of moderate value (e.g. minor contracts or project records, or records required for audit purposes). Unauthorised access to IN CONFIDENCE agency information.

Major
• Service Delivery, Operations: Service delivery interruptions longer than 3 days but less than a month. Recovery would be expensive and time consuming.
• Financial, Insurance: Critical impact on budget / external recovery required. Insurance between $5-20m required.
• Personnel, OHS: Hospital treatment for injury. Serious temporary disability / minor permanent disability.
• Compliance: Investigation, prosecution and major fine possible.
• Reputation, Political: Significant media coverage. Political embarrassment would occur. May jeopardise future funding.
• Environment: Serious environmental effects. Ecosystem will recover over time once clean-up has been completed. Environmental liability or remediation cost $0.5m - $5m.
• Information: Loss of information or damage to high-value records that relate to long-term or ongoing rights, obligations and entitlements (e.g. employee health monitoring and incident management records). Unauthorised access to PROTECTED agency information.

Catastrophic
• Service Delivery, Operations: Agency operations would be rendered dysfunctional and not be able to recover from consequences.
• Financial, Insurance: The agency would incur huge financial losses. Insurance of more than $20m required.
• Personnel, OHS: Single death. Permanent disabilities for multiple persons.
• Compliance: Actions or decisions cannot be explained to courts or regulatory bodies. May result in serious litigation including class actions.
• Reputation, Political: National and international media coverage. Total loss of confidence in agency.
• Environment: Very serious environmental effects. Remediation required. Environmental liability or remediation cost >$5m.
• Information: Loss or irreparable damage to vital records essential for the ongoing business of an agency, and without which the agency could not operate effectively. Loss of information or irreparable damage to records of enduring value recognised by a broader audience than the original creating agency, including future generations (e.g. PERMANENT records). Unauthorised access to HIGHLY PROTECTED agency information.

In practice:
• Information Risk Register
• Disaster Preparedness and Business Continuity plans
• Vital Records Plan
• Alignment with Risk Management Framework
• Internal and external audit programs
• Digital Records Preservation / Continuity Plan
• Compliance with the Archives Act 1983 and with TAHO Guidelines

Request for feedback
Closing date: Friday 31st October