Our Cloud Information Governance Policy

1. Purpose

Cloud Information Governance Policy sets out the information governance arrangements for the National Archives of Australia’s information assets created, stored, or managed through the use of cloud computing (cloud). Information assets of the National Archives include those created and received to support its business activities and the collection of the archival resources of the Commonwealth in the care of the National Archives. The policy covers the ownership and control, privacy, security, and roles and responsibilities for and related to this information.

2. Scope

2.1 Australian Government Definitions

The Cloud Information Governance Policy is in line with the policies and priorities of the Australian Government's Secure Cloud Strategy.

This strategy provides the framework for Australian Government agencies to move to cloud technology and services, while using cloud in a way that maintains security, integrity and availability for critical government systems. It moves towards a layered certification model, and outlines a common assessment framework to make cloud system requirements clearer. Ultimately, the strategy aims to provide assurance for citizens and agencies that their information and data stored in the cloud is secure, accurate and reliable.

Implementation of cloud services for the Australian Government will be guided by seven principles:

Make risk-based decisions when applying cloud security.
Design services for the cloud.
Use public cloud services at the default.
Use as much of the cloud as possible.
Avoid customisation and use cloud services as they come.
Take full advantage of cloud automation practices.
Monitor the health and usage of cloud services in real time.

Australian Government has adopted the US Government’s National Institute of Standards and Technology’s (NIST) definition of cloud:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud services allow agencies to procure infrastructure as a service, platform as a service or an application as a service.

2.2 Application for National Archives' Staff

The Policy applies to all National Archives’ staff, contractors and consultants, regardless of employment terms, position and location.

The Policy relates to all National Archives information assets using cloud hosted services, regardless of the reason information is stored there or the source of the information.

While the Policy relates to large technology and software projects, it also relates to everyday use of web services, some of which may be low-cost or free.

All National Archives staff must be aware that when they are using web services, they may be using cloud services. Web services are the tools and/or interfaces that allow users to enter data, and that data is stored in the cloud.

3. Policy Statement

As identified in the Archives' Information Governance Framework, the National Archives is committed to effective governance and management for all its information assets, including the archival resources of the Commonwealth in order to meet legal obligations, accountability requirements, business needs and stakeholders' expectations.

Information held in the cloud has the same information governance and cyber security requirements as information held on premise infrastructure.

However, using cloud services requires making different assessments and meeting additional criteria in order to achieve this outcome. This policy identifies these different assessments and additional criteria that will be included in any decision to use cloud services.

4. Assessments

Cloud service approval and delivery to host National Archives’ information cannot be obtained and procured at the National Archives without firstly completing the following assessments:

Assessment	Description	Completed by	Template
Cloud Security Assessment	Assessment of Cloud Security Provider (CSP) security fundamentals and its cloud services	Cyber Security or IRAP Assessor[1]	Cloud Security Assessment Report Template
Privacy Impact Statement/Assessment	Identifies information that could impact the privacy of individuals within a CSP environment	Business Owner – Privacy Officer	Impact Assessment (PIA) Template
Work Take-on Assessment	The Work Take-on process is used to assess, prioritise and action non-standard requests. Also provides details and requirements for determining security and controls for the proposed system	Emerging Technologies & Business Engagement – Business Owner	IT Requirements Summary Software Security Review Questions
Information Management Functionality Checklist	Assessment of the system and information management functionality and risk of business systems and software	Information Governance Emerging Technologies & Business Engagement	Information Management Functionality Checklist
Product Risk Assessment	Determines the viability of using the cloud service. Additional cyber security controls may be required. An incident response plan also needs to be developed for each instance of cloud services. The Cloud Computing Security Considerations provides assistance.	Business Owner with: Cyber Security Emerging Technologies & Business Engagement Information Governance Privacy Officer	Risk Assessment Template
Information Management Plan	Developed as part of implementation. Outlines the value of information and data assets and identify strategies to manage them over time	Information Governance	Information Management Plan Template

^[1]The Cloud Security Assessment can be undertaken as either a self-assessment or by an IRAP assessor. The IRAP Assessor must be from the Information Security Registered Assessors Program. This may require a procurement process to obtain services. ASCS recommends the use of an IRAP assessor: “A cloud environment presents a complex technology stack that can involve multiple parties responsible for the end-to-end solution. This creates a uniquely challenging solution to assess, and necessitates a suitably qualified and skilled assessor, such as an IRAP assessor to perform the assessment.” (Australian Cyber Security Centre (ACSC), 2020, p. 21).

These assessments will take considerable time and should be taken into consideration as part of project planning.

Assessing cloud options for the National Archives’ information assets aims to:

ensure adherence to maintaining the official record of the nation, as per the National Archives' Corporate Plan 2019–20 to 2022–23;
ensure that the National Archives meets the requirements of the Australian Government’s Secure Cloud Strategy;
affirm the National Archives’ commitment to effective information governance for all information assets in order to meet legal obligations, accountability requirements, business needs and stakeholders’ expectations;
comply with the necessary Australian Government Information Security Manual (ISM) controls for the protection, management and monitoring of all information stored externally to the National Archives’ infrastructure;
ensure staff are aware of the definition and scope of cloud computing and cloud services, and how storing information in the cloud has specific information governance considerations;
allow the National Archives to keep pace with cloud trends as a forward looking, innovative and exemplar Australian Government agency employing better practice approaches for managing information;
increase the National Archives’ maturity in using cloud services, with improved understanding and implementation, in line with Australian Government priorities;
ensure all staff understand when they are using cloud services and their information management responsibilities; and
provide assurance that appropriate risk management has been applied to cloud-based solutions.

The National Archives uses cloud services in a considered and secure way to:

adopt modern technologies using agile methods;
support communication of National Archives’ business;
leverage current capabilities and improve business continuity;
offer flexibility by design;
innovate in more strategic ways and pursue new opportunities; and
potentially reduce ongoing costs.

These services can support and enhance the opportunities available to the National Archives in realising whole-of-government efficiencies and achieving business goals.

National Archives will implement cloud services in accordance with whole-of-government policy and advice. Each use case will be assessed for suitability using the criteria listed below.

4.1 Ownership of information

4.2 Information management

Information created, managed, and hosted in the Cloud must remain:

authentic, accurate and trusted;
audited and monitored with positive control;
complete and unaltered by unauthorised means;
secure from unauthorised access and deletion;
findable, readable, usable, and re-usable;
accessible and available; and
related to other relevant information stored in other locations.

Cloud services should have the appropriate information management functionality and should meet the requirements identified in the National Archives’ Information Management Functionality Checklist. The checklist should be completed before selection and implementation of any cloud service.

4.3 Security and privacy

The ACSC advises that cloud computing offers a range of potential cyber security benefits and can significantly enhance an organisation’s cyber security. However, it can also introduce other risks that need to be considered, such as multi-tenancy architectures, reduction in visibility of the physical and virtualisation layers, and possible foreign influence. The ACSC recommends cloud consumers use CSP’s and cloud services located in Australia for handling their sensitive and security-classified information.

The National Archives has responsibility for the assessment of it CSP’s using whole-of-government protective and cyber security requirements and National Archives’ security policy and procedures as appropriate. Controls and protections must appropriately match the value of information created, managed, and hosted in the cloud

The ACSC’s Anatomy of a Cloud Assessment and Authorisation supports the self-assessment and secure adoption of cloud services including:

providing the requirements and security controls to use in the assessment of a Cloud Service Provider (CSP); and
using the security requirements and cloud guidance detailed in the Attorney-General’s Department's Protective Security Policy Framework (PSPF), the ISM, and the Secure Cloud Strategy.

The assessment methodology for performing an agency self-assessment or an IRAP assessor assessment of a CSP’s security fundamentals and its cloud services, provides a set of procedures. These assessment steps involve:

confirming the intended security classification of the data;
gaining an understanding of the CSP, its cloud services and any third-parties that are in scope;
identifying sources of information, assessment methods, and shared security responsibilities;
documenting any non-implemented or ineffective security controls and making recommendations to mitigate the risk; and
documenting the assessment using the Cloud Security Assessment Report Template and the Cloud Security Controls Matrix.

Commonwealth entities who perform their own supplementary, new and updated cloud services assessments are encouraged to share these reports with other Commonwealth entities and the assessed CSP. The National Archives will make use of these security assessments where available.

Risk mitigations must be implemented as identified in the Cloud Computing Security for Tenants. This provides assistance for the National Archives’ Cyber Security team, cloud architects and business representatives to jointly perform a risk assessment for the use of secure cloud services.

All detected or suspected security incidents involving cloud services must be immediately reported to the Security Advisory Unit. All cloud services must have an incident response plan, which identifies:

the data held in the system;
the controls for each system;
all staff who access the system and their level of access;
the key users of the system; and
a communication plan for a security incident.

As part of contractual arrangements, the National Archives will maintain the right to audit IT services for its cloud providers; this condition should be part of any contract for cloud-based services.

The National Archives must also take steps to protect personal information stored in cloud-hosted services through appropriate assessments and safeguards. The use of cloud services must be in accordance with the National Archives’ Privacy Policy. The Office of Australian Information Commissioner’s (ONDC) Guide to Securing Personal Information provides further information on these requirements.

4.4 Monitoring and reporting

The Information Governance section, together with the business owners, will monitor the use of cloud services within the National Archives through the Information Systems Architecture Register (the Register) and the Digital Assets Register and Information Management Plans (the plans). The Register and the plans will be maintained by the Information Governance section to track the use of cloud services, completed checklists, plans and assessments, and the business owners responsible for these services.

The Director, Cyber Security will also monitor the use of cloud services through the National Archives, keeping the Chief Information Officer (CIO) updated on developments and concerns on the use of cloud services for specific business purposes and may choose to conduct their own assessment as a part of cyber governance role.

The Information Governance section will report to the Information Governance Committee regularly on information governance compliance in the use of cloud services.

5. Cloud Information Governance Requirements

To ensure adequate information governance for cloud-hosted information assets, Advice for cloud clause contract/agreements provides wording to ensure information governance requirements are covered.

The following key requirements provide a summary of these requirements:

5.1 Metadata

Information hosted in the cloud should have sufficient metadata to confirm the information and data is complete, uncorrupted, authentic, findable and useable. Information should have the metadata elements identified in the National Archives’ Minimum Metadata Set for agencies in the Australian Government.

Business owners of information stored in the cloud should ensure that information has sufficient metadata to satisfy access and retention requirements. Information in the cloud should be related to relevant information stored in other locations and additional metadata needs to be applied to information stored in the cloud to maintain its relationship links. The evidential value of information may be affected if appropriate controls are not maintained.

Metadata needs to be treated with the same security controls as the information it describes.

5.2 Access

The following issues should be considered when assessing options for using cloud services:

The National Archives’ information must be accessible for the duration of the contract for cloud services.
Information must be available and returned to the National Archives as needed or on request. For example, information must be accessible for FOI requests, audits, and discovery orders as needed.
Information must be stored, retrieved, and returned in a format that can be migrated to another service or back to the National Archives.
The migration, conversion and refreshment techniques used by the cloud service provider need to be understood and assessed. Information must not be amended by the service provider.
Backup processes must be identified and suitable.
No access to information that needs to be destroyed in accordance with the National Archives retention policies should be possible. This information must be destroyed from the cloud hosting sites when requested by the National Archives.

5.3 Control

The failure to properly control and secure the use of the cloud will pose a vulnerability to the National Archives’ information. The following issues must be considered when assessing options for using cloud services:

Information needs to be assessed for suitability to be stored in the cloud. The Secure Cloud Strategy recommends that in the first instance cloud services be used for low complexity information (routine operational processes that are not classified and not contain any sensitive data), such as document management and development/test environments. If more complex information assets are considered for managing in the cloud, suitable risk assessments must be undertaken.
The National Archives has responsibility to ensure that its information assets are safe and maintain long-term trustworthiness and sustainability over time. This requires careful consideration and assessment of information, data and network security matters.
Information in aggregate is generally more valuable than the individual data elements. The classification may also change in aggregate. Security, privacy, and risk assessments must all take into consideration the aggregation of information to be held by a cloud service.
A process must be specified for any loss of control, security incidents, or disaster recovery. The National Archives must be notified of denial of service attacks, unauthorised access or other security incidents or issues by the service provider. Unauthorised access to information may result in breaches to the Privacy Act 1988 and or Cybercrime Legislation Amendment Act 2012.
Audit logs, including access, must be provided and maintained.
While the DTA has identified there is no requirement for information to be stored in Australia, the geographic location of data and backup storage must be identified and included in any assessments.

In addition to the issues identified above, detailed guidance on issues of a security nature can be found in the Cloud Computing Security Considerations.

5.4 Retention and disposal

The National Archives retains control of records retention and disposal practices on information hosted and managed in the cloud. Existing records authorities provide the only legal instrument that allows for the disposal and retention of Commonwealth information, regardless of its storage location. As service providers may replicate information for multiple backups, secure and complete data deletion must be identified as a contractual obligation. Destruction certificates may also be requested by the National Archives.

5.5 Risk

The DTA outlines the main risks when using cloud as: cost; security; and internal processes slowing delivery.

A risk assessment is performed as a necessary part of the procuring a CSP. The ISM has drawn on the Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy to develop a risk management framework which identifies six steps for the identification of security risks and security controls.

(Australian Cyber Security Centre (ACSC), 2020, p. 13)

Along with the six steps illustrated the risk assessment must also take into consideration:

risks specific to using cloud services, particularly the risks associated with having information located outside the National Archives’ network;
cloud service providers compliance with the PSPF and the ISM;
the National Archives’ level of risk tolerance – the National Archives currently has a moderate tolerance level for information management; and
the viability of the service provider.

The PSPF’s requirements on Information Security should also be used for these assessments.

6. Implementation

All staff are responsible for following the National Archives’ Cloud Information Governance Policy.

The policy will be delivered by the Information Governance section through engagement across the National Archives. Business areas will be responsible for working with Information Governance, Cyber Security, and Emerging Technology and Business Engagement sections, as well as the Privacy Officer, to assess and evaluate cloud service providers against the requirements.

Business areas should receive and analyse regular reports on business performance and integrity checks. Changes to terms of service must be reviewed to ensure information governance requirements continue to be met. Any subcontractors used by a cloud service provider must meet the same information governance requirements.

Before acquiring and implementing any cloud services business areas of the National Archives must ensure that all necessary assessments are completed by Information Governance, Cyber Security, and the Privacy Officer. If this is not done, the system owner will be directly responsible for any risks associated with the cloud service.

Cloud services will be registered in the Information Systems Architecture Register and will be monitored by the Information Governance section to ensure compliance with this Policy.

An Infonet page will be created with simple guidelines and advice on using cloud services at the National Archives. The advice will define cloud services and outline the National Archives decided approach to these services.

7. Roles and Responsibilities

The Director-General of the National Archives of Australia (also Chair of the National Archives’ Information Governance Committee) is responsible for:

the standard of information management within the National Archives.

The Information Governance Committee(which comprises members of the Executive Board) is responsible for:

providing sufficient support and resources for ensuring the successful implementation of the policy and guidance.

The Chief Information Officer (CIO) will:

authorise the Cloud Information Governance Policy;
have final responsibility for the self-assessment of National Archives’ cloud services to inform a risk-informed decision about the Cloud Service Provider’s suitability to store, process and communicate data;
be responsible for the efficient, effective and ethical use of information resources within the National Archives;
promote compliance with the National Archives’ information management policies and procedures;
represent the National Archives in its implementation of whole-of-government initiatives, such as promoting and assessing the suitability of cloud services, and reporting; and
be responsible for the National Archives’ secure and responsible use of cloud services.

The Chief Information Governance Officer (CIGO) will:

with the Chief Information Office, ensure the efficient, effective and ethical use of information resources within the National Archives;
with the Chief Information Officer, promote compliance with the National Archives’ information management policies and procedures;
ensure the necessary information governance processes, mechanisms and documentation exist for the National Archives to successfully use cloud services;
support the Chief Information Officer in representing the National Archives for whole-of-government initiatives and reporting; and
once notified of any incidences involving cloud services, report to the Chief Information Officer and liaise with Security Advisory Unit, ICT teams and Privacy Officer to discuss remediation and mitigation strategies.

Information Governance section (operating under the supervision of the Chief Information Governance Officer) will:

assess the risks associated with creating, managing and hosting information in the cloud in consultation with the identified areas;
provide input and advice on the appropriate use of cloud services;
monitor the use of cloud services across the National Archives on the Information Systems Architecture Register and the Digital Assets Register (R840082020); and
develop information management plans and supporting documentation, such as information architecture, for the transparent and accountable management of the National Archives’ information assets stored in the cloud.

The Director, Cyber Security will:

conduct security assessments according to the ACSC requirements;
promote and support secure use of cloud services to National Archives’ business areas; and
ensure that technologies are developed and implemented efficiently and that they support cloud information governance as outlined in this document.

The Chief Technology Officer (CTO) will:

promote and support secure use of cloud services to National Archives’ business areas; and
ensure National Archives’ self-assessment of cloud service providers (CPS) is undertaken in consultation with business owners, Cyber Security and Emerging Technologies and Business Engagement sections.

IT teams, including system administrators, will:

conduct change management and implementation of any infrastructure changes required to enable the use of cloud services (e.g. firewall exceptions);
provide Information Technology support; and
promote accessibility, usability and interoperability of the use of cloud services.

The Privacy Officer will:

in accordance with the Privacy (Australian Government Agencies – Governance) APP Code 2017, handle all internal and external privacy enquiries, privacy complaints, and requests for access to and correction of personal information stored in the cloud;
maintain a record of the National Archives’ personal information holdings;
assist with the preparation of and review PIAs for assessing cloud options for the National Archives’ information assets, including the assessment of any new cloud service;
maintain the National Archives’ register of PIAs, including for cloud services, as required; and
measure and document the National Archives’ performance against the privacy management plan at least annually as required.

Business areas will:

undertake risk assessments and initiate documentation of information governance and management needs with the responsible area (Information Governance Section) before the procurement of cloud services;
immediately report suspected or confirmed security incidences involving cloud services to the Cyber Security Advisor (ITSA), Security Advisory Unit, and Information Governance;
develop incident response plans for any procured cloud services;
monitor cloud performance and service levels; and
update the relevant business continuity plans.

National Archives staff and contractors will:

understand the definition and scope of cloud computing and cloud services, such as web-hosted services;
immediately report suspected or confirmed security incidences involving cloud services to the ITSA, Security Advisory Unit, and Information Governance;
be familiar with the National Archives’ Cloud Information Governance Policy; and
seek guidance from the Information Governance Section if there is any uncertainty over the use of the Policy.

8. Communication and Guidance

Communication on the Cloud Information Governance Policy will occur via email correspondence to all National Archives employees and notification on the Infonet.

Further guidance can be obtained from the Information Governance Section via the Service Desk Portal.

9. Monitoring and Review

This Policy will be regularly monitored for emerging information governance risks and reviewed every two years from the date of approval, unless required earlier.

10. Authorisation

Approved by:

Yaso Arumugam

Chief Information Officer

National Archives of Australia

30 October 2020

Appendix 1 – Related Documents

Relevant legislation

Archives Act 1983
Privacy Act 1988
Australian Privacy Principles
Freedom of Information Act 1982
Electronic Transactions Act 1999
Cybercrime Legislation Amendment Act 2012
Crimes Act 1914
Evidence Act 1995
Copyright Act 1968
Public Governance Performance and Accountability Act 2013

Relevant Australian Government policies

Relevant Australian Government strategies

Relevant Australian Government guidelines

Cloud Computing Security Considerations
National Archives' Advice on cloud computing and information management
Anatomy of a Cloud Assessment and Authorisation
Using Cloud in Government
Cloud Computing Security for Tenants
GRA 31 (destruction of source or original records after digitisation, conversion or migration)
GRA 40 (transfer of custody of records under Australian Government outsourcing arrangements)

Relevant National Archives strategic documents

Information and Data Governance Framework
Information Systems Architecture Register
Information Security Policy (ISP)
Business Continuity Policy and Plan
Computer Use Policy
Risk Management Framework
Privacy Policy

Appendix 2 – Service Provider Obligations Checklist

In undertaking contracts or agreements with cloud service providers, the business owner should be familiar with the PSPF. Cloud services may also be implemented by agreeing to terms and conditions as part of signing up for web-hosted services.

National Archives’ business owners must document the following information governance requirements in any terms and conditions, agreements, and/or contracts that are approved as part of using cloud services.

Ownership	The National Archives must retain ownership over its information hosted in the cloud. This ownership includes copyright and proprietary interests. The National Archives’ information cannot be used for any other purposes or disposed of without the National Archives’ permission
Location	The location of the information must be specifically identified in an agreement
Availability	Information must be available as and when it is needed to support business
Right to Access	Specify who has the right to access information and when, such as external appointed commercial auditors
Access	Information must be accessible for the duration of the contract, and accessible to authorised persons as needed or requested
Metadata	Metadata requirements for the management of the National Archives’ business information as part of the contract– this includes the Minimum Metadata Set and any additional metadata that may be required
Retention	All National Archives’ information must be maintained by the service provider unless otherwise notified by the National Archives or outlined in the contractual obligations. The National Archives will ensure retention of information is in line with the relevant records authorities
Disposal	Appropriate destruction is specified at the end of a service agreement, including all back-ups and copies. Certification must be provided by the service provider
Formats	Specify the format the information and associated metadata is returned to the National Archives, formats used in storage, and processes to be followed when information is migrated. Preferably the provider should use open formats to support readability over time
Migration	Must comply with the National Archives’ standards and clauses addressing future migration. This must be part of service agreements to prevent obsolesce and issues with migration at the cessation of a contract
Incidences	Specify the process for loss of control (cloud service provider business operations change), security incidents and disaster recovery processes
Notification	The Archives must be notified of any security incidents or issues by the service provider, including denial of service attacks or unauthorised access
Backups	Regular backups to be undertaken by the provider to maintain access to information
Audit Logs	Service providers must be able to provide for and maintain system audit logs to provide confirmation that required information protection requirements are being met.
Auditing	Each contract should specify a right by the National Archives to audit a provider’s compliance with the agreement, and audit the provider’s IT services. Consideration for audit purposes should be given to restricting the locations where data may be held; any other audit rights for the National Archives, the Auditor-General and the Information Commissioner; a right for the National Archives to appoint a commercial auditor and where technically available the right to remotely monitor access to data.
Reporting	Must provide reports on business performance, integrity checks and faults
Changes	Review any changes to terms of service for providers to ensure information governance requirements are met
Subcontractors	Be aware of the use of third party contractors. Cloud service providers may work with subcontractors; specify the responsibilities of a sub-contractor, including the need to meet the same information governance requirements as the primary holder
Return	Information must be returned to the National Archives when requested

Failure to meet the requirements of, or breaches to, the Cloud Information Governance Policy will require the business owner to notify the Chief Information Governance Officer when the failure occurs.

All confirmed or suspected security incidents must be reported to the Security Advisory Unit. All cloud services will have an incident response plan in place, and may also have a security risk management plan.