Advice 10

Purpose

The purpose of this Records Management Advice, issued in accordance with s.131A(c) of the Information Act, is to inform NTG agencies of the issues they need to consider, including the recordkeeping implications, when using cloud computing technology and infrastructure in the conduct of business.

Summary

The National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort of the service provider.” (1)

The increasing use of this technology to store and make information available has enabled greater mobility in the workforce. With the ability to access more information via portable web-enabled devices (including laptop computers, iPads and iPhones), the need to ensure records security when using such devices is becoming increasingly important.

Risks

Notwithstanding the increased benefits to the conduct of business, the use of cloud computing carries a number of risks to the security and sovereignty of NTG information and records:

  • Security and privacy of information in a shared environment may increase the risk of unauthorised access, particularly when service providers subcontract operations to other companies.
  • Ownership and control of data and/or infrastructure that does not reside within the NTG domain may impact on an agency’s ability to access records as required.
  • If a service provider goes out of business or is sold to another company, an agency’s access to its records may change.
  • As cloud computing relies on delivery via the Internet there is a risk that IT performance issues may impact on maintaining high levels of accessibility to records.
  • Data protection measures may be inadequate or non-existent.
  • Difficulties migrating data in and out of cloud environments into other systems may generate issues when contracts end and records need to be returned to the NTG domain or another provider’s system.
  • If stored in other jurisdictions, NTG records may become subject to other legislative requirements and practices. This is of particular importance if the records are stored in facilities located in a foreign country, and therefore subject to non-Australian legislation, for example, privacy and security risks.
  • Public records may not be disposed of appropriately when required as a result of multiple backups in different locations.
  • The evidential value of records may be damaged if it cannot be proven that such records have remained inviolate and if appropriate audit trails and descriptions of management processes performed are not maintained by the service provider (i.e. outside the mandated NTG records management system, HP TRIM).
  • Cloud applications may not include recordkeeping functions with the result that records may not be managed in accordance with the Information Act and the Records Management Standards for Public Sector Organisations in the NT.

Use of iPads and iPhones or Smartphones

[Image: Cloud computing is not recommended for Highly Protected, Protected and In-Confidence classification records using desktops, laptops or mobile devices.]

Smartphones include software that keeps documents and data synchronised between the smartphone and a desktop machine or laptop. For the synchronisation to happen, the data will be stored in the Internet cloud, since NTG does not have an automatic synchronisation service for data. A synchronisation service is available for email within NTG. The above risks exist when smartphones are used for data synchronisation.

It is recommended that NTG users do not use the cloud for synchronising data at IN-CONFIDENCE or above levels. It is recommended to use the USB cable to synchronise data if the information is at or above IN-CONFIDENCE level. For information on classifying data, please refer to the 'NTG Records Security Model'. A copy can be obtained using the contact details below. If the information is classified below IN-CONFIDENCE, cloud services may be considered after the risks listed above have been taken into account.

Recommendation

Agencies need to seriously consider the security of the information that is being stored or transmitted from outside the protection of the NTG firewall, network and systems.

Information contained in systems within the firewall is subject to rigorous and published security and access controls. These same controls must be observed whenever cloud computing is utilised by the NTG to store and transmit records.

If use is made of cloud computing technology, agencies must ensure that the following recommendations are observed:

  • Use will not compromise published NTG standards and guidelines on information security
  • Information cannot be stored or transmitted if it is classified to the security level of IN CONFIDENCE or above (2)
  • Where there is a need to synchronise portable devices with each other this should take place utilising an appropriate cable between devices
  • It is important to note that in accordance with the Records Management Standards for Public Sector Organisations in the NT, as soon as possible, records need to be stored in the NTG mandated records management system (HP TRIM).

Considering the above recommendations, the following table may assist in deciding whether NTG agencies can utilise cloud computing technology:

| No. | Requirement | Yes | No |
|-----|-------------|-----|----|
| 1 | Can you confirm that ownership of the records will remain with your agency? | | |
| 2 | Can you specify record keeping functionality and metadata requirements for the records to the service provider in order to meet your regulatory and business record keeping requirements? | | |
| 3 | Will the information be physically stored in a jurisdiction that is acceptable to your agency (one that has, for example, legal frameworks more compatible with the Northern Territory’s)? | | |
| 4 | Will the service provider make a commitment to obey local privacy requirements on your agency’s behalf? | | |
| 5 | Can you obtain an assurance that no copy of your agency’s records or information is retained by the service provider after the termination of the contract? | | |
| 6 | Is the service provider regularly subjected to external security audit or certification processes? | | |
| 7 | Does the service provider have offsite back-up and disaster recovery measures in place? | | |
| 8 | Is a full restoration of your information possible within a reasonable timeframe in the event of an incident? | | |
| 9 | Is a partial restoration of your information possible within a reasonable timeframe in the event of an incident? | | |
| 10 | Will you be consulted regarding any third party seeking to have access to your records (e.g. during a subpoena not directly issued to your agency)? | | |
| 11 | Can you obtain assurance that your records cannot be used for applications not specified in the contract (for example, to data match with databases owned by other clients of the contractor)? | | |
| 12 | Will the service provider undertake, at the conclusion of the agency’s use of the services, to return all specified records and associated metadata to the agency in an accessible/nominated format/s? | | |
| 13 | Will the service provider guarantee acceptable parameters for service provision in respect to possible disruptions? | | |

Acknowledgement

Parts of the following documents were used in the preparation of this advice:

  • Australian Government Department of Defence, Cyber Security Operations Centre - Using iPads in Government Networks, March 2011
  • Australasian Digital Recordkeeping Initiative, Advice on managing the recordkeeping risks associated with cloud computing, July 2010

Further information

Other documents consulted in the preparation of this advice were:

  • DRAFT NTG ICT Policy – iPad and iPhone Policy and Standards, April 2011
  • DRAFT NTG ICT Policy – ICT Security Framework, March 2011
  • NTG ICT Policy – End User ICT Services, March 2011

This advice has been issued by the NT Records Service of the ICT Policy and Strategy Division, Department of Business and Employment. The NT Records Service is responsible for developing, managing and implementing Records Management Standards for the NT Government. The regulatory basis for records management is the Information Act, Part 9 - Records and Archives Management.

For further information please contact:

NTG Records Policy Unit
ICT Policy and Strategy Section
Department of Corporate and Information Services
e: ntg.recordspolicy@nt.gov.au 
 

Footnotes

  1. National Institute of Standards and Technology (NIST), Definition of Cloud Computing Version 15
  2. Records Management Standards for Public Sector Organisations in the Northern Territory, Standard 4 – Security, August 2010