Managing Information Risk
Allegra Huxtable, Manager Government Recordkeeping, Tasmanian Archive and Heritage Office

Overview
• Definition of information risk
• Information risk vs. information security
• Common information risks
• Identifying information risk
• Determining whether information is being impacted by risk
• Examples
• Risk mitigation strategies
• Remedial actions
• Developing a risk register
• Why we want you to start managing information risk
• How you might go about it

What is Information Risk?
Information risk is any risk which relates to the inherent characteristics and value of information in any form that is maintained by an agency and which may be transmitted, manipulated and stored.
Records are the subset of information that constitutes evidence of activities.

Information Risk Management vs. Information Security
• Information risk management is the broader management of all information-related risk.
• Information security risks are threats or vulnerabilities that introduce uncertainty regarding the availability, confidentiality or integrity of information.
• Would you be able to pick up on data loss risks that result from inactive management or ineffective data migration processes?
• Information risk management focuses on all areas of information management and highlights high-risk areas of the business.

Defining information risks
Common information risks that could be occurring in high-risk business areas include:
• Information that cannot be generated in a useable form
• Information that cannot be maintained in a useable form
• Information that is incomplete
• Information that is meaningless
• Information that cannot be trusted
• Information that cannot be authenticated
• Information that is inaccessible
• Information that does not survive for as long as it is needed by the business
• Information that is overwhelming and unmanaged and inhibits rather than enables business processes
Information risks can hamper government business and accountability, particularly when these risks occur within high-risk areas of business.

Identify high-risk areas of business
High-risk areas of business are those that:
• Perform core, strategic, highly accountable or high-value business
• Receive a high level of public and media scrutiny
• Instigate or are subject to litigation
• Allocate or spend large amounts of money
• Relate to issues of security
• Are outsourced
• Experience administrative change
• Are conducted in cloud-computing systems
• Relate to the health, welfare, rights and entitlements of citizens and/or staff
• Involve organisational change management and/or transitioning to new systems/services
• Relate to employment conditions of staff

Know what information is required to support high-risk business processes
• Talk to staff
• Consult the authorised disposal schedule
• Review the legislation and standards that apply
• Review quality controls or procedure statements
• Identify the information needed to support clients, projects and cases

Know the technology used to support high-risk business areas
• Cloud, BYOD, social media
• Collaborative environments such as SharePoint and Office 365
• Complex datasets as the basis for decision making
• Systems including legacy applications
• Large uncontrolled network environments
• Personal storage networks
• Diverse applications used to perform different aspects of operations
• Backup systems used as information storage environments

Determine whether information is being impacted by information risk
Ask whether the information is:
• Usable
• Complete
• Meaningful
• Trusted
• Authenticated
• Inaccessible
• Missing
• Lost within overwhelming and unmanaged data volumes

Examples of information risks
Jake Kovco
A CD containing a draft of the confidential report into the bungled repatriation of the remains of Private Jake Kovco from Iraq was left in the Qantas Club at Melbourne airport. This caused public embarrassment, personal distress and reputational damage as the disc found its way into the hands of talkback radio host Derryn Hinch.

Transcend
Transcend inadvertently published personal details of contractors working for them on their website. Details of this incident were published in the Mercury newspaper and reported on the news. They apologised publicly; the incident caused embarrassment, personal distress and reputational damage.

Aurora Energy
Aurora Energy accidentally destroyed personnel records before they were time-expired, leading to an investigation by the Ombudsman and a mention in his Annual Report. Aurora failed to effectively manage personal information, a breach of the Personal Information Protection Act (PIP) 2004.
Ombudsman's conclusions:
• It is not possible to determine that the information destroyed was information no longer needed for any purpose.
• Aurora failed to take reasonable steps to protect the personal information from misuse, loss, unauthorised access, modification or disclosure.
• Aurora failed to take reasonable steps to obtain the approval of the State Archivist prior to destroying personal information.
• Aurora has not met its obligations under the Personal Information Protection Act 2004 and the Archives Act 1983.
Some of the Ombudsman's recommendations:
• Immediate audit of all records holdings
• Determine whether Aurora is meeting its Personal Information Protection Act and Archives Act obligations, and take any necessary action to meet those obligations where it is currently failing to do so
• All employment contracts should contain a requirement to foster a culture of best-practice information management; these contracts should include appropriate key performance indicators to ensure that a best-practice information management culture is regularly measured

Determine appropriate risk mitigation strategies
What strategies can you adopt to mitigate information risk? Key points at which you can mitigate information risk are:
• In the implementation of strong information governance frameworks
• At system specification, design and configuration
• At system transition

Examples of risk mitigation: information governance frameworks
• Promote a broad corporate understanding of the high-risk/high-value information generated and needed by your organisation
• Communicate the specific information management requirements applying to high-risk areas of business to staff, management, ICT and contractors
• Deploy change management strategies and training to develop an organisational culture which values information management

Remedial actions
• At system transition, if you are not migrating all the data, evaluate the need to keep and maintain legacy data
• When moving to the cloud, planning should include support, maintenance and re-transitioning if required, so that information continues to be available
• Implement records disposal programs to destroy time-expired records and to focus corporate attention on the management of high-risk/high-value business information

Develop an information risk register
Example register entries:
• Key information and metadata fields in System X are required for the business process and must be maintained through the system's migration
• If business information needs to be kept long term, ensure that this is identified and flagged for any system, service offering or process review associated with this information
• If a core business system is unable to export data of its transactions, identify that manual workarounds are necessary to provide the reporting/information needed for service delivery and continuity
• If information requirements were not built into contracts with service providers and data portability is not guaranteed, identify alternate strategies for maintaining access to information of long-term business value

Why do we want you to start identifying and managing information risk?
• Information risks are not always obvious to corporate risk managers
• Put your effort where it counts: high-risk business areas
• High volumes of digital records being created in unstructured environments mean we need to look for new ways to appraise and sentence digital records

How might you go about it?
Select aspects of your current service provision where you could analyse risk:
• Off-site storage
• Records in your business systems
• Use of technology, particularly use of the cloud (for example, your agency may be looking to implement Office 365)
• Records on network drives
Tap into your agency's existing risk management processes: are there any information risks on the corporate risk register?
Identify high-risk areas of your business and concentrate on those.
Escalate high-level information risks and make sure they are put on the corporate risk register.

Questions

Sources
• TAHO Guidelines and advice on managing information risk
• Identifying information risks that might be impacting on high risk business, State Records NSW, April 2014
• Managing Recordkeeping Risk, Keeping Good Companies, March 2010, authors Barbara Reed, Director, and Kerry Gordon, Director, Recordkeeping Innovation