CRI Cloud Presentation

Cloud computing
considerations
John Roberts
Director, Relationship Management
CRI Records Managers
11 June 2015
Department of Internal Affairs
The brief …
• What should records managers be thinking about when looking at cloud-based solutions?
• What issues should we be flagging with our organisations?
• Overview of the tools and templates available from DIA for assessing cloud computing solutions.
• The different levels of assessment that may be needed in different types of situations.
Outline
• Context
• GCIO role
• Government ICT Strategy
• Cloud Computing requirements
• Process
• Guidance material
OUR VISION
A SINGLE, COHERENT ICT
ECOSYSTEM SUPPORTING A
RADICALLY TRANSFORMED
PUBLIC SERVICE.
It’s about:
Working differently to transcend agency boundaries and deliver smarter, customer-centred services.
The three characteristics at the transformation's heart
We work differently to transcend agency boundaries and deliver smarter, customer-centred services.
A
ICT functional leadership
B
A system-wide approach
Integrated service delivery means that
agency platforms, information and
processes are shared and open by
default.
C
Transforming opportunities
Supporting new services and enabling
innovation across agencies.
A
ICT functional leadership
We work differently to transcend agency boundaries and deliver smarter, customer-centred services.
GCIO
Centrally guided, collaboratively
delivered.
Leading for the collective good,
with an ecosystem-wide perspective.
In order to reduce complexity, we’re building a
foundation for:
• Risk management
• Investment prioritisation
• Benefits realisation
• Better information management.
B
A system-wide approach
Integrated service delivery means that agency platforms, information
and processes are shared and open by default.
Agencies are able to CONSUME ECOSYSTEM CAPABILITIES.
AGENCY SOLUTIONS are designed for system-wide benefits.
C
Transforming opportunities
Agency – Agencies are freed up to focus on core business
Industry – Industry is an innovative integrator
Ministers – Informed government
Government ICT Strategy
What do we mean by Cloud?
Essential characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
Service models:
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
Deployment models:
• Public Cloud
• Private Cloud
• Community Cloud
Archives’ preliminary advice
• It may be difficult for agencies to administer information kept in the cloud
• Cloud-based systems are not designed to manage information over long periods of time
• It is difficult to ensure that information is preserved
• It is also difficult to ensure information is disposed of properly when no longer required
• The proprietary interfaces and programming languages used by cloud service providers can make it difficult to transfer records to another environment.
• For these reasons we recommend that agencies using cloud-based systems have an appropriate exit strategy in place, before storing information in the cloud.
Meeting the Records Management Standard
• Access to records must be managed appropriately (4.1)
– The GCIO Cloud guidance includes questions for vendors about
who will have access to the information in the cloud service.
• Records must be accessible when required (4.2)
– The GCIO Cloud guidance includes questions for vendors about
availability, to ensure business requirements can be met by the
cloud service.
• The value of records must be appraised (5.1)
– The GCIO Cloud guidance includes an assessment of the value of
the information stored in the cloud.
• The correct statutory process for disposing of records must be
followed (5.3)
– The GCIO Cloud guidance covers the end of the information’s life cycle and
disposal considerations.
• Records must be secure (6.1)
– The GCIO Cloud guidance includes a number of considerations on the
security of the information in the cloud service.
• Business continuity and disaster management planning must
address the protection and salvage of records (6.5)
– The GCIO Cloud guidance includes questions for vendors about their
backup and recovery processes.
Assessment Process
• Use Government ICT Common capabilities where
they exist
• Information risk assessment using Cloud Computing:
Information Security and Privacy Considerations
• Excel template version available
Questions 1-27 cover
• The classification of the information (value,
criticality, sensitivity)
• Presence of Personally Identifiable Information
(privacy)
• Data sovereignty and reputational issues
• Complete other questions as required based on the
information risk
• If there is personal information, complete a Privacy
Impact Assessment
• Ensure suitable expertise
– In-house?
– GCIO (ICT Assurance and/or Architecture)
– Register of agency cloud service reviews
– Security and Related Services Panel
Sign-off
• CE (or delegate) and CSO or CISO sign off risks and mitigations
• Cloud Endorsement by Agency template
• Submit for GCIO review of appropriate sign-off, not of risk assessment
Some key points
• A case-by-case consideration
• CEs are responsible for the decision
• No information above RESTRICTED should be held in
public cloud (whether onshore or offshore)
Some key questions
• Q2 – what are the business processes that are
supported by the information?
• Q6 – who are the users of the information?
• Q11 – what would the impact on the business be if
the integrity of the information was compromised?
• Q13 – what would the impact on the business be if
the information were unavailable?
• Q14-22: Data Sovereignty – the key issue for
onshore/offshore considerations
• Q30 – will the agency retain ownership of its data?
• Q60-63: Encryption – does the use of encryption
compromise recordkeeping requirements?
• Q69-70: Data persistence – robust and demonstrable
data destruction and disposal processes
• Q73-80: Data integrity, backup and archiving
• Q81 – does the data backup and archiving strategy support the agency in meeting PRA (Public Records Act) and OIA (Official Information Act) obligations?
Creating better public services
Getting the service
experience right
for the citizen in a
digital world
www.ict.govt.nz
gcio@dia.govt.nz
Secure and private. Personal. Access anywhere.