Introduction to Guideline 25 – Managing Information Risk Samara McIlroy, Consultant, Government Recordkeeping firstname.lastname@example.org 6165 6085
Overview
- Background and context
- New Guideline and Advice
- Applying Risk Management
- Request for feedback
- Questions
Don’t know the first thing about risk management?
Why?
- New technologies bring new threats to business information and continuity
- Information risk often mistakenly treated as IT risk
- Appraisal of digital records requires a new set of competencies

Background and context
- Tasmanian Government Project Management Guidelines
- AS/ISO Standards
- Other jurisdictions
- Guideline 1 – Records Management Principles

Tasmanian Government Project Management Guidelines
- In November 2011, the ICT Policy Board endorsed the Project Management Guidelines as Advice for Tasmanian Government Agencies
- Element 5 addresses Risk Management (p90-106)
- Guidelines on the e-Government website under Project Management – http://www.egovernment.tas.gov.au//project_management

Standards
- AS/NZS ISO 31000:2009 Risk management - Principles and guidelines, and the companion Handbook SA/SNZ HB 436:2013
- Information and documentation - Risk assessment for records processes and systems - ISO/TR 18128:2014(E)
- Available from the eGovernment Standards Select portal on the website

Other jurisdictions
- Records and Risk Management (PROS 10/10 G6) - Public Records Office Victoria: strategic and operational alignment
- FutureProof blog - State Records NSW: digital information risks
- Linking business to records: Managing recordkeeping risks - National Archives of Australia (NAA): identifying high-risk business functions for more intensive information management activities

Guideline 1 – Records Management Principles
New inclusions which relate to Information Risk:
- Information governance
- Risk analysis
- Policy alignment
- Records in business systems
- Regular compliance audits

The new Risk Management Guideline and Advice
- Guideline No. 25 – Managing Information Risk
- Advice No. 60:
  - Part 1 – Introduction
  - Part 2 – Applying Risk Management processes
  - Part 3 – Templates and tools

Guideline No. 25 – Managing Information Risk – key concepts
- Managing information risk using risk analysis
- Aligning the functions of Risk Management and Records Management

MUSTS
- Agencies MUST apply risk management processes to all State records
- Agencies MUST undertake an information risk assessment for each of the agency's core business areas.

High-risk business areas:
- Public and media scrutiny
- Legal action or formal investigation
- Involve large amounts of money
- Relate to issues of security
- Outsourcing
- Administrative change
- Cloud-computing systems
- Relate to the health, welfare, rights and entitlements of citizens and/or staff
- Employment conditions of staff
- Involve organisational change and/or transitioning to new systems

MUSTS
- Risk management processes MUST cover records in all formats, including digital records outside formal recordkeeping systems, such as email, websites & business systems.
- Risk assessments MUST be carried out for all permanent records, including permanent records held in business systems.

Records in all formats:
- Permanent records
- Vital records
- Unscheduled records (not covered by a R&DS)
- Network drives
- Email
- Scanned or digitised records
- Business systems and cloud-computing applications
- Hybrid environments
- Websites
- Social media
- Mobile devices
- Etc, etc.

MUSTS
- Risk management processes MUST underpin records management operations, to ensure that risks to the agency's records and recordkeeping systems are minimised.
- Records management staff MUST ensure that risks to the agency's records and recordkeeping systems, especially vital records, are addressed as part of the agency’s Records Management Program.

MUSTS
- Agencies MUST align the functions of records management and risk management strategically and operationally.
- Agencies MUST review their Information Risk Register annually.

The new Guideline and Advice
- Guideline No. 25 – Managing Information Risk
- Advice No. 60:
  - Part 1 – Introduction
  - Part 2 – Applying Risk Management processes
  - Part 3 – Information Risk Register Template

In practice:
- Information Risk Register
- Disaster Preparedness and Business Continuity plans
- Vital Records Plan
- Alignment with Risk Management Framework
- Internal and external audit programs
- Digital Records Preservation/Continuity Plan
- Compliance with the Archives Act 1983 and with TAHO Guidelines
Request for feedback
Closing date: Friday 31st October