Department of Internal Affairs

Cloud computing considerations

John Roberts
Director, Relationship Management

CRI Records Managers
11 June 2015


The brief …

• What records managers should be thinking about when looking at cloud based solutions?
• What issues we should be flagging with our organisations?
• Overview of the tools and templates available from DIA for assessing cloud computing solutions.
• The different levels of assessment that may be needed in different types of situations.


Outline

• Context
• GCIO role
• Government ICT Strategy
• Cloud Computing requirements
• Process
• Guidance material


OUR VISION

A SINGLE, COHERENT ICT ECOSYSTEM SUPPORTING A RADICALLY TRANSFORMED PUBLIC SERVICE.

It’s about: Working differently to transcend agency boundaries and deliver smarter, customer-centred services.


We work differently to transcend agency boundaries and deliver smarter, customer centred services.

Integrated service delivery means that agency platforms, information and processes are shared and open by default.

Supporting new services and enabling innovation across agencies.

The three characteristics at the transformation's heart

A. ICT functional leadership
B. A system-wide approach
C. Transforming opportunities


A. ICT functional leadership

GCIO

Centrally guided, collaboratively delivered. Leading for the collective good, with an ecosystem-wide perspective. In order to reduce complexity, we’re building a foundation for:

• Risk management
• Investment prioritisation
• Benefits realisation
• Better information management.


B. A system-wide approach

Agencies are able to CONSUME ECOSYSTEM CAPABILITIES.

AGENCY SOLUTIONS are designed for system-wide benefits.

C. Transforming opportunities

Industry, Ministers, Agency

• Agencies are freed up to focus on core business
• Industry is an innovative integrator
• Informed government

Government ICT Strategy

Refresh under way

What do we mean by Cloud?

• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service

• Infrastructure aaS
• Platform aaS
• Software aaS

• Public Cloud
• Private Cloud
• Community Cloud


Archives’ preliminary advice

• It may be difficult for agencies to administer information kept in the cloud
• Cloud-based systems are not designed to manage information over long periods of time
• It is difficult to ensure that information is preserved
• It is also difficult to ensure information is disposed of properly when no longer required
• The proprietary interfaces and programming languages used by cloud service providers can make it difficult to transfer records to another environment.
• For these reasons we recommend that agencies using cloud-based systems have an appropriate exit strategy in place, before storing information in the cloud.


Meeting the Records Management Standard

• Access to records must be managed appropriately (4.1)
  – The GCIO Cloud guidance includes questions for vendors about who will have access to the information in the cloud service.

• Records must be accessible when required (4.2)
  – The GCIO Cloud guidance includes questions for vendors about availability, to ensure business requirements can be met by the cloud service.

• The value of records must be appraised (5.1)
  – The GCIO Cloud guidance includes an assessment of the value of the information stored in the cloud.


Meeting the Records Management Standard

• The correct statutory process for disposing of records must be followed (5.3)
  – The GCIO Cloud guidance covers the end of the information’s life cycle and disposal considerations.

• Records must be secure (6.1)
  – The GCIO Cloud guidance includes a number of considerations on the security of the information in the cloud service.

• Business continuity and disaster management planning must address the protection and salvage of records (6.5)
  – The GCIO Cloud guidance includes questions for vendors about their backup and recovery processes.


Assessment Process

• Use Government ICT Common capabilities where they exist
• Information risk assessment using Cloud Computing: Information Security and Privacy Considerations
• Excel template version available


Questions 1-27 cover

• The classification of the information (value, criticality, sensitivity)
• Presence of Personally Identifiable Information (privacy)
• Data sovereignty and reputational issues


• Complete other questions as required based on the information risk
• If there is personal information, complete a Privacy Impact Assessment
• Ensure suitable expertise
  – In-house?
  – GCIO (ICT Assurance and/or Architecture)
• Register of agency cloud service reviews
  – Security and Related Services Panel


Sign-off

• CE (or delegate) and
• CSO or CISO sign off risks and mitigations
• Cloud Endorsement by Agency template
• Submit for GCIO review of appropriate sign-off, not of risk assessment


Some key points

• A case-by-case consideration
• CEs are responsible for the decision
• No information above RESTRICTED should be held in public cloud (whether onshore or offshore)


Some key questions

• Q2 – what are the business processes that are supported by the information?
• Q6 – who are the users of the information?
• Q11 – what would the impact on the business be if the integrity of the information was compromised?
• Q13 – what would the impact on the business be if the information were unavailable?


• Q14-22: Data Sovereignty – the key issue for onshore/offshore considerations
• Q30 – will the agency retain ownership of its data?
• Q60-63: Encryption – does the use of encryption compromise recordkeeping requirements?


• Q69-70: Data persistence – robust and demonstrable data destruction and disposal processes
• Q73-80: Data integrity, backup and archiving
• Q81 – does the data backup and archiving strategy support the agency in meeting PRA and OIA obligations?

Creating better public services

Getting the service experience right for the citizen in a digital world

PERSONAL

SECURE AND PRIVATE

ACCESS ANYWHERE

www.ict.govt.nz
