Managing Information Risk

advertisement
Managing Information Risk
Allegra Huxtable
Manager Government Recordkeeping
Tasmanian Archive and Heritage Office
Overview
•
•
•
•
•
•
•
•
•
•
•
Definition of information risk
Information risk Vs. Information Security
Common information risks
Identify information risk
Determine whether being impacted by risk
Examples
Risk mitigation strategies
Remedial actions
Develop a risk register
Why do we want you to start managing information risk
How might you go about it
What is Information Risk?
Information risk
Is any risk which relates to the inherent
characteristics and value of information in any
form that is maintained by an agency and
which may be transmitted, manipulated, and
stored.
Records are the subset of information that
constitutes any evidence of activities.
Information Risk Management Vs.
Information Security
Information Risk Management is a broader management of all
information related risk
Information security risks are threats or vulnerabilities that
introduce uncertainty regarding the availability, confidentiality or
integrity of information
Would you be able to pick up on data loss risks that result from
inactive management or ineffective data migration processes?
Focuses on all areas of information management and highlights
high risk areas of the business
Defining information risks?
Common information risks that could be occurring in
high risk business areas include:
• Information that cannot be generated in a useable
form
• Information that cannot be maintained in a useable
form
• Information that is incomplete
• Information that is meaningless
• Information that cannot be trusted
Defining information risks?
• Information that cannot be authenticated
• Information that is inaccessible
• Information that does not survive for as long as it is
needed by the business
• Information that is overwhelming and unmanaged
and inhibits rather than enables business process
Information risks can hamper government business and
accountability, particularly when these risks occur
within high risk areas of business.
Identify High risk areas of business
• Perform core, strategic, highly accountable or high value business
• Receive a high level of public and media scrutiny
• Instigate or are subject to litigation
• Allocate or spend large amounts of money
• Relate to issues of security
• Are outsourced
• Experience administrative change
• Are conducted in cloud-computing systems
• Relate to the health, welfare, rights and entitlements of citizens and/or
staff
• Involve organisational change management and/or transitioning to new
systems/services
• Relate to employment conditions of staff
Know what information is required to
support high risk business processes
• Talk to staff
• Authorised disposal schedule
• Legislation and standards that apply
• Quality controls or procedure statements
• Identify the information needed to support clients,
projects and cases
Know the technology used to
support high risk business areas
Cloud, BYOD, Social media
Collaborative environments - SharePoint, Office 365
Complex datasets as the basis for decision making
Systems including legacy applications
Large uncontrolled network environments
Personal storage networks
Diverse applications to perform different aspects of
their operations
• Backup systems as information storage environments.
•
•
•
•
•
•
•
Determine whether information is being
impacted by information risk?
•
•
•
•
•
•
•
•
Usable
Complete
Meaningful
Trusted
Authenticated
Inaccessible
Missing
Lost within overwhelming and unmanaged data
volumes
Examples of information Risks
Jake Kovco
A CD containing a draft of the confidential report into the bungled
repatriation of the remains of Private Jake Kovco from Iraq was left in the
Qantas Club at Melbourne airport. This caused public embarrassment,
personal distress and reputational damage as the disc found its way into the
hands of talkback radio host Derryn Hinch.
Transcend
Inadvertently published personal details of contractors working for them on
their website. Details of this incident were published in the Mercury
Newspaper and reported on the news.
They apologised publically it caused embarrassment, personal distress and
reputational damage.
Examples of information Risks
Aurora Energy
Accidently destroyed Personnel records before they were time expired leading
to an investigation by the Ombudsman and mention in his Annual Report.
Aurora failed to effectively manage personal information a breach of the Personal
Information Protection Act (PIP) 2004.
Ombudsman's Conclusions:
• It is not possible to determine that the information destroyed was
information no longer needed for any purpose.
• failed to take reasonable steps to protect the personal information from
misuse, loss, unauthorised access, modification or disclosure.
• failed to take reasonable steps to obtain the approval of the State Archivist
prior to destroying personal information.
• have not met its obligations under the Personal Information Protection Act
2004 and the Archives Act 1983
Examples of information Risks
Aurora Energy
Some of the Ombudsman's Recommendations:
• Immediate audit of all records holdings
• Determine they are meeting its Personal Information Protection Act
and Archives Act obligations, take any necessary action to meet those
obligations where it is currently failing to do so
• All employment contracts contain a requirement to foster a culture of
best-practice information management These contracts should
include appropriate key performance indicators to ensure that a bestpractice information management culture is regularly measured
Determine appropriate risk mitigation
strategies
What strategies can you adopt to mitigate
information risk?
Key points at which you can mitigate information
risk are:
• In the implementation of strong information
governance frameworks
• At system specification, design and
configuration
• At system transition.
Examples of risk mitigation information
governance frameworks
• Promote a broad corporate understanding of the high risk/high
value information generated and needed by your organisation
• Communicate specific information management requirements
applying to high risk areas of business to staff, management, ICT,
contractors
• Deploy change management strategies and training to develop an
organisational culture which values information management.
Remedial actions
• System transition if you are not migrating all the data then evaluate
the need to keep and maintain legacy data
• Moving to cloud, planning should include support, maintenance and
re-transitioning if required so information continues to be available
• Implement record disposal programs to destroy time-expired
records and to focus corporate attention on the management of
high risk/high value business information
Develop and information risk register
• key information and metadata fields in System X are required for
business process and must be maintained through the system’s migration
• If business information needs to be kept long term, ensure that this is
identified and flagged for any system or service offering or process
review associated with this information
• If a core business system is unable to export data of its transactions,
identify that manual workarounds are necessary to provide reporting /
information needed for service delivery and continuity
• If information requirements were not built into contracts with services
providers and data portability is not guaranteed, identify that alternate
strategies for maintaining access to information of long term business
value
Why do we want you to start identifying &
managing information risk?
• Information risks are not always obvious to
corporate risk managers
• Put your effort where it counts – high risk business
areas
• High volumes of digital records being created in
unstructured environments means we need to look
for new ways to appraise and sentence digital
records
How might you go about it?
Select aspects of your current service provision where you could
analyse risk:
• Off site storage
• Records in your business systems
• Use of technology – particularly use cloud for example your
agency may be looking to implement office 365
• Records on network drives
Tap into your agency existing risk management processes are their any
information risks on the corporate risk register?
Identify high risk areas of your business and concentrate on those.
Escalate high level information risks and make sure they are put on
the corporate risk register
Questions
Sources
TAHO Guidelines and advice on managing Information Risk
Identifying information risks that might be impacting on high risk
business, State Records NSW, April 2014
Managing Record keeping risk, Keeping good companies March 2010,
Authors Barbara Reed, Director and Kerry Gordon, Director, Recordkeeping
Innovation
Download