Guideline - Public Record Office Victoria - Victorian Government

ignoredmoodusDéveloppement de logiciels

21 févr. 2014 (il y a 3 années et 5 mois)

231 vue(s)

© State of Victoria 2012

Version

1.0







Cloud Computing: Implications for
Records Management

Version Number:
1.0

Issue date: 04/04/2012

Closing for comments: 31/05/201
2




Recordkeeping Policy




Public Record Office Victoria

Standards and Policy



© State of Victoria 2012

Version
1.0

Page
2

of
43




Acronyms

The
following acronyms are used throughout the entirety of this document.

1


ADRI

Australian Digital Recor
dkeeping Initiative

CRM

Customer Relationship Management

FOI

Freedom of Information

IaaS

Infrastructure as a Service

ICT

Information and Communication Technology

ISP

Internet Service Provider

IT

Information Technology

NIST

National Institute of

Science and Technology

PaaS

Platform as a Service

PROS

Public Record Office Standard

PROV

Public Record Office Victoria

RICC

Recordkeeping Implications for Cloud Computing

SLA

Service Level Agreement

VPS

Victorian Public Service


© State of Victoria 2012

Version
1.0

Page
3

of
43




Table o
f Contents

1.

Introduction

................................
................................
................................
.....................

6

1.1

Overview of the Recordkeeping Issues Paper

on Cloud Computing

...........................

7

1.2

Purpose of this issues paper

................................
................................
......................

7

1.3

Scope of the Issues paper

................................
................................
.........................

7

1.4

Responding to the issues paper

................................
................................
.................

8

2.

Cloud computing basics

................................
................................
................................

9

2.1

What is cloud computing?

................................
................................
..........................

9

2.2

Common recordkeeping characteristics of cloud computing

................................
......
10

2.3

Categories of cloud computing

................................
................................
..................
10

3.

Vendor Issues

................................
................................
................................
................
17

3.1

Managing Risk

................................
................................
................................
..........
17

3.2

Selecting a provider

................................
................................
................................
..
17

3.3

Contractual Arrangements

................................
................................
........................
19

4.

Recordkeeping issues of cloud computing

................................
................................
.
22

4.1

Unauthorised

Access to Data

................................
................................
....................
22

4.2

Loss of Access to Data

................................
................................
.............................
29

4.3

Inability to Ensure Data Integrity and Authenticity

................................
.....................
34

4.4

Understanding the practical aspects of cloud services

................................
..............
37

5.

Summary

................................
................................
................................
........................
38

6.

Defini
tions

................................
................................
................................
......................
39

7.

Appendix Two: Federal Government Strategy

................................
.............................
41

8.

References

................................
................................
................................
.....................
42


© State of Victoria 2012

Version
1.0

Page
4

of
43




Copyright Statement

©

State of Victoria 2012

2

This work is copyright. Apart from any use as permitted under the
Copyright Act 1968
, no
3

part may be reproduced through any process without prior written permission from the
4

publisher. Enquiries should be directed to the Manager, St
andards and Policy, Public Record
5

Office
Victoria
, PO Box 2100, North Melbourne, Victoria 3051 or email:
6

agency.queries@prov.vic.gov.au


7

Disclaimer

The State of Victoria gives no warranty that the informa
tion in this version is correct or
8

complete, error free or contains no omissions. The State of Victoria shall not be liable for any
9

loss howsoever caused whether due to negligence or otherwise arising from the use of this
10

Guideline
.

11

Use of Terminology

For
the purposes of this Issues paper the term data is used to refer to records within a cloud
12

environment
. Data mea
ns a Public Record as defined in the
Public Records Act 1973

(here
13

after referred to as the act)
.

14

Records Management Standards Application

The
R
ecordkeeping Standards apply to all records in all formats, media or systems (including
15

business systems). This Issues Paper identifies records management risks that are specific
16

to
cloud computing

and identified within this paper as being major issues. A
gencies are
17

advised to conduct an independent assessment to determine what other records
18

management requirements
may
apply and seek independent legal advice should they wish
19

to enter into contractual arrangements with a cloud vendor.

20


© State of Victoria 2012

Version
1.0

Page
5

of
43




Executive Summary

Th
is Issues paper was commissioned

by the Public
R
ecord Office Victoria (PROV)

to
21

examine
the recordkeeping implications of operating in a
cloud

computing

environment
. In
22

that past two years the uptake of cloud services has i
ncreased dramatically and in last

year
,
23

several
federal

government agencies
, including the Australian Taxation Office (ATO)
have

24

adopted this approach.
Cloud vendors have alluring
offerings that no longer require agencies
25

to maintain the burden of capital investment

in hardware and infras
tructure
. A
lthough the
26

attraction of up
-
taking or entering into service agreements may

present significant cost
27

savings,

Victorian government agenc
ies need to undertake a thorough risk assessment

in
28

line with the Federal governments Protective Security Pol
icy Framework (PSPF)
. Agencies

29

should be aware that the move into
cloud computing
involves a risk based approach.

30

Victorian government
agencies,
regardless of the environment that records are stored in,
31

must comply with the
mandatory Standards and Specific
ation issue
d

by PROV. In a recent
32

report into
Cloud Computing Security Consideration

undertaken by the Department of
33

Defence
, the Defence Signals Directorate (DSD) recommended against the outsourcing of
34

information technology services and functions outside

of Australia, unless agencies are
35

dealing with data that is publically available. DSD encouraged agencies to choose either a
36

locally owned vendor or a foreign owned vendor that is locally based and stores, process and
37

manages data within Australian jurisd
ictions. PROV reiterates this recommendation
38

throughout this document

with regard to a recordkeeping context
.

39

This issues paper offers PROV’s stakeholders an opportunity to consider and comment on
40

the following:

41



Unauthorised access to classified informati
on
;

42



Loss of access to data
;

43



Inability to ensure data integrity and authenticity
; and


44



Understanding the practical aspects of cloud services
.

45

The issues paper also proposes recommendations to help Victorian government agencies in
46

dealing with cloud vendors
. In particular proposed recommendations are made
in the
47

following areas:

48



Managing risks;

49



Selecting a provider; and

50



Contractual arrangements

51

The issue
s paper provides

an opportunity for PROV to directly engage
its stakeholder’s who
52

are
considering
,

or

wh
o have made the transition to re
cordkeeping in a cloud envi
ronment
.

53

The comments and feedback received from the issues paper will result in PROV finalising its
54

policy direction on the
Recordkeeping Implications of Cloud Computing Policy
.

55


Yours Sincerely

56



David Brown

57

Acting Director and Keeper of Public Records

58


© State of Victoria 2012

Version
1.0

Page
6

of
43




1.


Introduction

The Public Record Office Victoria (PROV) is the state record authority for Victoria.
59

Established under the
Public Records Act 1973

(hereafter referred to as the Act), PROV’s
60

object
ives are to:

61



Issue mandatory Standards and Specifications regulating the creation, maintenance,
62

security and disposal of public records;

63



Advise and assist agencies in achieving compliance with issued standards;

64



Preserve public records of permanent value as

the State
A
rchives; and

65



Ensure that archives are accessible to the people and government of Victoria.

66

PROV has a duty in advising those required to comply with the
Act

(hereafter referred to as
67

agencies) on appropriate management of records. The cloud com
puting policy will align with
68

the
recently revised
Recordkeeping Standards issued by PROV. The purpose of this issues
69

paper is to identify implementable solutions to the recordkeeping issues of cloud computing.
70

The aim of the paper is to ensure that data i
s managed properly in a cloud computing
71

environment.

72

Cloud computing is a means of enabling ‘
on
-
demand network access to a shared pool of
73

configurable computing resources
’ that may be ‘
rapidly provisioned and released with
74

minimal management effort or serv
ice provider interaction

1
.
Cloud computing is currently
75

being used by Federal and State government organisations in Australia.
It promises to offer
76

significant cost savings by reducing the outlay of capital and investment in information
77

technology, includ
ing software and hardware.

78

Benefits of using cloud computing lie in the opportunities for
better agency service delivery

79

including
:

80



Lower costs (capital equipment, operational costs, proprietary software);

81



Scalable, self
-
service provisioning with no large

upfront capital outlays. Customers
82

are able to attain a ‘custom fit’
2
, as they can request services from the provider with
83

relative ease
;

84



Reduced pressure on Information Technology (IT)
teams
to provide increased
85

storage capacity;

86



Redirection of resources

as server maintenance and related IT tasks are reduced;

87



Access to services available outside traditional office environments; and

88



Adaptability (the flexibility of the cloud offers an IT based solution for almost any
89

operating environment)
.

90

Broadly stated,

potential r
isks

of implementing a cloud system

include:

91



Unauthorised access to classified information
;;

92



Privacy breaches
;

93



Data alteration
(
either by unintentional data degradation, or by an unauthorised user
);
94

and

95



Loss of access to data
.

96






1

P Mell & T Grance 2010,
The NIST Definition

of Cloud Computing
, National Institute of Standards and
Technology, Gaithersburg, viewed 22 November 2011, <

http://csrc.nist.gov/publications/nistpubs/800
-
145/SP800
-
145.pdf
>

2

“Custom Fit” refers to services that are tailored to an agency’s needs.


© State of Victoria 2012

Version
1.0

Page
7

of
43




1.1

Overview of the R
ecordkeeping Issues Paper on Cloud Computing

This issues paper will form the base of a
Recordkeeping Implications for Cloud Computing

97

(RICC) policy.

98

A RICC policy will:

99



Establish an approach to records management in a cloud computing environment that
100

is ba
sed on assessment of the risks;

101



Identify recordkeeping risks and suggest practical solutions to mitigate identified risk
s
;

102



Provide direction on recordkeeping in the cloud environment that is in line with PROV
103

Recordkeeping Standards;

104



Make recommendations f
or agencies undertaking or proposing to undertake
105

recordkeeping in the cloud environment.

106

1.2

Purpose of this issues paper

The purpose of the issues paper

is to obtain feedback on cloud computing issues. This will
107

assist PROV to
identify solutions in a recordk
eeping context

and establish PROV’s policy
108

direction
. Feedback may also ensure that solutions pro
po
sed by PROV are viable and
109

practical.

This Issues paper will:

110



Set standards that
are
mandatory in Victorian
government a
gencies
;

111



Define the issues;

112



Identify
practical solutions

and m
ake recommendations that will
be detailed further in
113

the RICC; and

114



Invite stakeholder comment in order to become more aware of issues and solutions of
115

relevance to Victorian government.

116

The constraints of the issues paper are as fo
llows:

117



Recommendations made will be in line with best recordkeeping practice;

118



Issues will be based on risks to the secure capture, preservation, use and appropriate
119

disposal of data; and

120



Solutions will comply with the legislative requirements of the Victor
ian government
121

jurisdiction.

122

1.3

Scope of the Issues paper

Th
e issues

p
aper

explores the following recordkeeping risks and benefits from a transition to
123

a cloud based infrastructure:

124



Systems limitations (section 2.3);

125



Managing risks (section 3.1);

126



Selecting a
provider (section 3.2);

127



Limitations of vendors terms of service (section3.3);

128



Contractual Arrangements (section 3.3);

129



Unauthorised access to data (section

4.1)
;

130



Loss of access to data (section
4.2
)
;

131



Difficulties in tracking and controlling data storage (se
ction
4.3
);

and

132



Understanding the practical aspects of cloud services (section
4.4
)
.

133

Areas outside the scope of this document include:

134



Cloud computing issues that are not directly relevant to recordkeeping
;

135



Technical aspects of setting up a cloud service
;

136



Cloud service delivery in lieu of onsite information technology investment
; and

137



Vendor business arrangements for adopting the cloud.

138


© State of Victoria 2012

Version
1.0

Page
8

of
43




1.4

Responding to the issues paper

Please respond to those questions or aspects of the issues paper to which you may have
139

part
icular views about. In your response please identify both the section of the issues paper
140

and the questions, issues and paragraphs to which you are responding. Additional ideas or
141

comments on matters not addressed in the issues paper are welcome. Please in
clude them
142

at the end of your response to a particular matter raised in the issues paper.

143

In responding to

this
i
ssues paper agencies should be aware that PROV may be legally
144

required to release the content and details of any response. If you have any conc
erns about
145

information provided in your response, it is suggested that you seek legal advice.

146

Please email your responses to:
Standards@prov.vic.gov.au

147

The closing date for responding to the issues paper is:
31

May
2012

148

If you have any questions, pleases c
ontact Christopher Wallace
,

Manager, Standards and
149

Policy at
Christopher.Wallace@prov.vic.gov.au

or 03 9348 5720.

150


© State of Victoria 2012

Version
1.0

Page
9

of
43




2.

C
loud computing

basics

In order to assess whether or not a cloud computing soluti
on will address recordkeeping
151

responsibilities,
agencies

will need to understand something about the technological
152

environment within which the cloud operates. This includes
understanding
the software
153

applications used by cloud service providers.

154

2.1

What is
cloud computing?

The National Institute of Standards and Technology (NIST), a United States Department of
155

Commerce agency, defines cloud computing as:

156


a model for enabling ubiquitous, convenient, on
-
demand network access to a shared pool of
157

configurable c
omputing resources (e.g., networks, servers, storage, applications and
158

services) that can be rapidly provisioned and released with minimal management effort or
159

service provider interaction
3
”.

160

This definition is adopted by the Commonwealth Government of Aus
tralia. The
161

characteristics of cloud computing as identified by NIST are described below:

162



On
-
demand self
-
service:

A user can access computing resources as required (such
163

as server time or storage) with no or incidental service provider interaction.

164



Broad n
etwork access:

Resources are made available over the network and
can be
165

accessed through diverse media (
for example,

mobile phones, tablets, laptops and
166

workstations)
.

167



Resource pooling:

‘The provider’s computing resources are pooled to serve multiple
168

consu
mers using a multi
-
tenant model’
4
, with resources dynamically provisioned
169

based on demand
.

170



Rapid elasticity:

Users can access computing capabilities as they require them, with
171

resources scaling inward and outward to meet demand
.

172



Measured Service:

Resources

are controlled and optimised through a metering
173

process. Resource usage can be monitored, controlled, and reported on, providing
174

transparency for both the provider and consumer of the utili
s
ed service.

175

As the NIST definition is being widely accepted acros
s
Federal

government, PROV is
176

accepting this definition as applicable
for Victorian

government
.

177

Question


Q 2.1
-
1: Is this definition of cloud computing still current in terms of your agency and
178

are the characteristics still relevant?

179


Q 2.1
-
2: Does it a
pply to the recordkeeping aspect of cloud computing?

180


Q 2.1
-
3: If the definition was to be changed to match the needs of Victorian
181

government, how would you define cloud computing?

182






3

P Mell & T Grance 2010,
The NIST Definition

of Cloud Computing
, Nat
ional Institute of Standards and
Technology, Gaithersburg, viewed 22 November 2011, <

http://csrc.nist.gov/publications/nistpubs/800
-
145/SP800
-
145.pdf
>

4

Mell & Grance 2010 p. 2


© State of Victoria 2012

Version
1.0

Page
10

of
43




2.2

Common recordkeeping characteristics of cloud computing

The following are
characteristics that are shared by all forms of cloud computing
,

that

have
183

implications for recordkeeping:

184



Victorian government information

may be
held
outside direct government control
;

185



location may not be known to the agency

or
,

if known, not accessible
;

186



Information may be held outside the Victorian or Australian jurisdiction
;

187



Infrastructure may be shared with other users
;

and

188



The more difficulty in replacing the vendor offering,
the
higher the risk for agencies.

189

2.3

Categories of cloud computing

Various type
s of cloud environments may be provided by a service provider. Cloud services
190

in most case fall under one or more of the following three categories:

191



Software
-
as
-
a
-
Service (SaaS)
;

192



Platform
-
as
-
a
-
Service (PaaS)
; and

193



Infrastructure
-
as
-
a
-
Service (IaaS)
.

194

In ess
ence, the cloud is delivered as a service to clientele encompassing either one or more
195

of the three service models above. It is the service nature of the cloud that offers benefits to
196

agencies. Cloud computing capabilities are rented and require no investm
ent (short term or
197

long term) in asset hardware or software
5
.

198

Software
-
as
-
a
-
Service (SaaS)

Software
-
as
-
a
-
Service provides complete business applications delivered over the web.
6

The
199

b
usiness applications are hosted by a provider and delivered as a service

term

(such as
200

email or financial applications).

201

Applications are accessed from various devices through a client interface such as a web
202

browser or through a program interface. The cloud infrastructure, including applications,
203

servers, operating systems an
d storage, is managed by the provider.

204

Table 2.3.1 Controls within SaaS
7

205



Hardware

Operating
Systems

Support
Environment

Applications

Agency





Vendor







√ (primary)


206






5

Dr M Williams 2010,
New Tools for Business, A Quick Start Guide to Cloud Computing, Moving Your Business
into the Cloud
.

6

Williams 2010
.

7

Department of Defence 2011,
Cloud Computing Security Considerations
, p3


© State of Victoria 2012

Version
1.0

Page
11

of
43




The benefits of Software
-
as
-
a
-
Service include:

207



The ability to o
btain software on a per
-
use basis
, as t
here are no upfront costs from
208

the service provider. However, upfront work is needed to load data or records into the
209

application dat
abase and ongoing work is needed to integrate data and records
210

between internal and external cloud data stores
;

211



Agencies can u
se common business applications without a requirement for in
-
house
212

expertise in those applications;

213



There is a r
educ
tion in agency

capital expenditure almost immediately; and

214



Agencies may
t
est new software on a rental basis, with the option to continue to use
215

and adopt software if it proves suitable.

216

Potential risks of Software
-
as
-
a
-
Service for an agency include the following:

217



The v
e
ndor may not be receptive to altering service offering or contract to take into
218

account
Victorian requirements
;

219



Application software may be incompatible with agency recordkeeping systems
220

resulting in hybrid systems that require a large amount of user inter
vention to ensure
221

data is kept and managed appropriately;

222



Lack of control over software, hardware, operating systems and applications make it
223

difficult for legislative and regulatory compliance to be met;

224



If the service is unavailable for lengthy periods t
he agency will be unable to continue
225

operations until the service is restored; and

226



Long
-
term preservation of data may be compromised if the service offered uses
227

formats with a limited lifespan.

228

Many applications do not include recordkeeping functionality o
r considerations. This means
229

that certain service and deployment models may not meet all of the records management
230

requirements for compliance and regulatory demands under the Act. For example:

231



Maintenance of the records integrity for their full lifecycle;

232



Maintenance of links between records and their metadata; and

233



Transfer of records (for example, to PROV as State Archives) or destruction of
234

temporary records according to approved disposal authorities.

235

PROV considers SaaS to be a high risk model as the ve
ndor has the majority of control over
236

agency data.

SaaS has a higher risk in that it is more difficult to replace the vendor offering.

237

Example


In late 2008 Guardian Media Group (GMG) began a switch from Lotus Notes e
-
238

mail and Microsoft Office applications

to Google based applications. Within the
239

first six months 300 Google sites had been set up for internal collaborations and
240

70 per cent of users had accessed their accounts. GMG adopted a system that
241

would address their needs for a more productive and coll
aborative workplace.
242

The decision to switch to SaaS and place their data in the public cloud was not
243

taken lightly. GMG conducted a detailed risk assessment that addressed security
244

concerns and potential security risks. There was also concern about the
245

sen
sitivity of information being stored in the United States (US), where the
Patriot
246

Act

allows the government to inspect any data stored on its shores. Google
247

systems allowed Google full control of GMG’s information, including setting
248

access permission and d
eleting data.
8

249







8

Williams 2010
.


© State of Victoria 2012

Version
1.0

Page
12

of
43




Note:

The US
Patriot Act

may not be as simple to overcome as illustrated in the
example above. If agencies adopt a cloud service provider whose SaaS infrastructure
is based in the US, then at some point agencies may be liable for privacy b
reaches if
records and data are accessed under the
Patriot Act
(US
A
)
. Any organisation that has
US ownership may be required to supply access to data under the Patriot Act,
regardless of where the server concerned is actually located.

In the recordkeeping
context software
-
as
-
a
-
service is most beneficial when

the software is
a
250

commodity
, all email programs for example provide such functions.
It is least beneficial
251

where
mature IT
-
based infrastructure

and mission critical applications are in use
. Software
-
252

as
-
a
-
Service almost inherently will require data to be maintained elsewhere.

253

Platform
-
as
-
a
-
Service (PaaS)

Platform
-
as
-
a
-
Service is the online delivery of a

custom

application development or
254

deployment environment
s

in which applications can be built and run on

service provider
255

systems. Developers can build

custom

web applications without installing any tools on
256

agency

compute
rs

and then
,

deploy those applications without requiring specialised system
257

administration skills. The infrastructure required is supplied

by the cloud service provider.
258

The
agency

has control over the deployed applications and possibly the configuration
259

settings for the environment.

260

Table 2.3.2 Controls within PaaS
9

261



Hardware

Operating Systems

Support
Environment

Applications

Agency






(operating
environment)

Vendor








Benefits of P
latform
-
as
-
a
-
Service
include

the ability for an agency to
:

262



Redirect f
inances from infrastructure to the creation of applications
;

263



T
ake advantage of easy
-
to
-
use
process
es

for

developing, maintaining and
deploying
264

applications
;

and

265



Not to acquire
s
pecialised expertise in
website
development (
such as

server
266

development

or

website administration)
.

267

Potential risks of Platform
-
as
-
a
-
Service for the agency include the following:

268



Business applications may not be
portable
as they are built in the
vendor’s

269

environment
,

and
mov
ing

to another cloud vendor if required, may be difficult
;

270



Contracts may lock the agency into using the one vendor for all services, limiting the
271

agency’s ability to take advantage of software
or applications that are more suited to
272

the agency’s needs
;

273



If circumstances change, the agency may not be able to adjust the service provided
274

to suit



for example, new legislation may require services that the cloud provider can
275

not accommodate
;
and

276



Sett
ing up a service that meets the needs of the agency can be expensive.

277

PROV considers PaaS to be a high risk model as the
re is a high risk of locking agency
278

applications to vendor environment, which means data is locked to vendor’s servers.


279






9

Department of Defence
201
1
, p3


© State of Victoria 2012

Version
1.0

Page
13

of
43




Example


Menu
mate is a provider of point
-
of
-
sale hardware and software for the hospitality
280

in
dustry across Australasia. Menu
mate has taken advantage of PaaS to migrate
281

over time a series of legacy applications used in business. The PaaS
282

infrastructure has allowed
M
enum
ate to centrali
s
e, modernize and integrate
an

in
283

house software toolkit. Connectivity and security issues are inherently provided.
284

Using a PaaS approach has meant that Menumate can
take
advantage of both
285

existing integrations and automated deployment tools
, creating customer records
286

which are integral to the business
10
.

287

Infrastructure
-
as
-
a
-
Service (IaaS):

Infrastructure
-
as
-
a
-
Service is the online delivery of virtual infrastructure components (such as
288

servers, storage and network access). It provides consume
rs with generic computing
289

resources, such as the infrastructure needed for users to deploy and run their own software
290

applications. IaaS can be seen in the development of the Internet Service Provider (ISP)
291

model, where service providers rent infrastructur
e for the purpose of running applications
292

instead of buying and installing them in their own data centre.

293

Table 2.3.3 Controls within IaaS
11

294



Hardware

Operating Systems

Support
Environment

Applications

Agency







Vendor







Benefits of utilising Ia
aS include:

295



Agency provides application and support environment
, allowing the
agency
the
296

opportunity to

build in its requirements
;

297



The ability to migrate easily

from vendor to vendor
;

298



Agencies can
c
ontrol what computer resources are used and how they are u
sed,
299

making it easier to comply with legislative and regulatory requirements;

300



When s
eek
ing

compatibility with agency recordkeeping systems as it may be possible
301

to configure systems and applications to enable integration; and

302



Agencies can m
anage data prese
rvation so that information is retained for the
303

duration it is required to be kept.

304

Potential risks of Infrastructure
-
as
-
a
-
Service for the agency include:

305



M
ultiple organisations
may
be using
the same
infrastructure;

there is a possibility for
306

data security

to be breached
.

307

PROV considers IaaS to be the model most commonly used across Victorian government.
308

As the majority of control rests with the agency rather than the vendor, it is considered to be
309

relatively low risk. Care should be taken to prevent others

using the same service from
310

accidentally gaining access to the agency’s data.

311






10

Williams 2010
.

11

Department of Defence 2011 p2


© State of Victoria 2012

Version
1.0

Page
14

of
43




Example


In November 2007 Derek Gottfrid, a developer from the New York Times used
312

Amazon Web Services (an IaaS environment) and technical skill to solve a
313

difficult problem for

his employers. The newspaper wanted to make all its public
314

domain articles from 1851
-
1922 available on the web free of charge, but the
315

articles were broken up into individual images scanned from the original paper
316

that had to be pieced together. This coul
d be done on a website but if the website
317

proved popular then the web server could be overloaded with processes and
318

grind to a halt. There were 11 million articles to process and a tight deadline to
319

meet. Gottfrid’s solution was to use open source tools to

process the four
320

terabytes of image data on 100 Amazon virtual machines (IaaS). The whole
321

process took 24 hours and cost USD $240.

322

Question


Q 2.3
-
1: Is the use of services offered by the cloud likely to relieve your agency’s
323

IT management burden and en
hance your business?

324


Q 2.3
-
2 Is the use of services offered by the cloud likely to create complex and
325

new issues in your IT management?

326


Q 2.3
-
3 Are there any other cloud services being offered that have not been
327

identified?

328


2.3.1.1

Cloud Deployment Models

Clou
d
c
omputing is provided in the following deployment models:

329



Private Cloud;

330



Public
Cloud; and

331



Community
C
loud

332

Initially cloud referred to software accessed over the internet
12
.

It was quickly realised that
333

cloud environments could be setup internally as well

as externally
, which

lead to
the
334

development of
three broad deployment models
.

335

Private Cloud
:
The
c
loud infrastructure is provisioned for exclusive use by a single
336

organisation (such as an agency) comprising
of
multiple consumers (such as various
337

business

units). It may be owned, managed and operated by the
agency
, a third party, or a
338

combination of both, and it may exist on or off premises.
13
.

The private cloud gives an
339

organisation more control over their Information and Communication Technology (ICT)
340

env
ironment by offering increased privacy and security for data.
T
he private cloud
341

deployment model can be broken down into:

342



Private Cloud
:

in house: uses cloud technology to provide flexibility but retains
343

security
.

344



Private Cloud
:

service provider:
the priva
te cloud is provided by a service provider. I
n
345

theory

this

retains security but have to check what is really provided.

346






12

Oracle White Paper (2009)
,

Platform as a Service, Private Cloud with Oracle Fusion Middleware
.

13

NIST, p.3.


© State of Victoria 2012

Version
1.0

Page
15

of
43




The P
rivate cloud deployment model

can be recognised by the characteristic that

the
347

resources are only used by the
agency.
This means tha
t the risk of unauthorised access is
348

reduced. A private cloud deployment model could be provided by a third party over the
349

internet. In such cases, the differences between private and public clouds can be difficult to
350

distinguish

as it is not clear what re
sources
are shared.

351

Benefits of a private cloud include the ability for an agency to:

352



Provide IT services to internal users in a self service manner;

353



Automat
e

management tasks

(
software and desktop updates), and individually bill
354

business units for service
s consumed;

355



Enable a well
-
managed business specific ICT environment
;
and

356



Optimise
the
use of

agency

resources, including servers.

357

Potential risks in using a private cloud deployment model for an agency include the following:

358



The level of technical skill re
quired for the agency to implement and operate a private
359

cloud may be greater than anticipated and result in the need to provide additional
360

resources to maintain; and

361



The costs required to set up and operate a private cloud may be larger than the
362

available

or anticipated budget.

363

S
ervice providers may offer the capacity to set up either a private or public cloud
364

environment. In many situations the services provided are very similar. Care should be taken
365

to ensure that in a private cloud it is the agency that

holds
,

and has full control over
,

its data
366

and the systems within which it operates.

367

Public Cloud:

Services delivered using a pool of shared resources to any organisation over
368

a public internet connection.

Public clouds are likely to be cheaper than priva
te clouds to use.
369

The distinction between a public and a private cloud may not be clear if a private cloud is run
370

by a third party as their characteristics and risks will be very similar. The risk is linked to who
371

is holding the data.

372

Benefits of a public
cloud include the ability for an agency to:

373



Scale the
cloud environment to
agenc
y’s

business needs;

374



P
ay for deployment as it is used;

375



A
ccess a larger pool of resources;

376



Shared joint costs

across public cloud users
;

and

377



Ensure certainty
that the cloud servi
ces are available and reliable.

378

Potential risks in using a public cloud deployment model for an agency include the following:

379



As multiple organisations use the same
infrastructure
, there is a possibility for data
380

security to be breached; and

381



Contracts may
lock the agency into using the one vendor for all services, limiting the
382

agency’s ability to take advantage of software or applications that are more suited to
383

the agency’s needs.

384

Community Cloud:

The

cloud infrastructure is shared by more than one group i
n a specific
385

community (such as Cen
ITex
, or a group of

agencies

with similar operating, security and
386

compliance considerations). The goal of a community cloud is to have participating
387

organisations realise the benefits of a
public cloud
,
multi
-
tenancy

and a pay
-
as
-
you
-
go billing
388

structure but with the added level of privacy,
security

and policy compliance usually
389

associated with a
private cloud
. It may be managed by those using the cloud service or
a
390

third party. Infrastructure may exist remotely or on the premises of one or more agencies.

391

Benefits of a community cloud include the ability for an agency to:

392



Reduce IT costs and resources due to their being shared between agencies; and

393


© State of Victoria 2012

Version
1.0

Page
16

of
43






Increase security

of information services as the need for external interaction with
394

agency data is reduced.

395

Potential risks in using a community cloud deployment model for an agency include the
396

following:

397



Meeting privacy requirements may require an additional level of secu
rity across
398

centralised systems that reduce their usefulness as shared resources; and

399



Not all computing needs may be met as an agency may find some computing
400

resource needs to be specialised and not required by other agencies in the
401

community.

402

A fourth dep
loyment model, the
Hybrid Cloud

consisting of a combination of the above three
403

models, may also be used. Benefits and risks concerned will match those of the specific
404

deployment models used to create the hybrid cloud.

405

A comparison of private and public clo
ud environments

The main difference between a private and public cloud is control over the environment. In a
406

private cloud, the agency (or a trusted partner) controls the service management
407

agreements, whereas in a public cloud these agreements are control
led by the service
408

provider. Be sure that the deployment model offered is what it appears to be and not a
409

marketing ploy whereby a vendor offers differently priced packages of the same services.

410

Both the
p
ublic and private clouds

in theory

offer the follow
ing benefits

to
the

agency
:


411



Efficiency;

412



High availability; and

413



Elastic capacity.

414

In addition to the above benefits, public clouds offer the following to an agency:

415



Low
er

upfront cost;

416



No hardware investment for setup of infrastructure or services; and

417



M
inimal systems management by the user.

418

Public clouds have risks that an agency should be aware of, including the following:

419



Potentially more difficult in integrating with agency systems
;

420



Difficult integration constraints depending on your recordkeeping sy
stem; and

421



Loss of control over security and quality of systems in which data is held.

422

Private clouds require minimal investment in hardware when compared to full IT based
423

infrastructure as well as setup and ongoing maintenance. The benefits of maintaining

records
424

in a private cloud could potentially reduce the risks that may be experienced in a public
425

environment. At a minimum private clouds offer:

426



G
reater control of data over time;

427



Full access and flexibility to integrate with agency EDRMS;
and

428



Direct co
ntrol over quality and security.

429

Recommendation 1:
As private clouds and community clouds offer less risk
for higher risk



430

records, agencies should deploy either the private or community cloud model.

431

Question


Q 2.3
-
4: Which service and deployment mod
el is most appropriate for your
432

agency’s needs?

433


Q 2.3
-
5: Why does the agency consider the service and deployment models
434

identified at Q2.2
-
4 to be the most appropriate?

435


© State of Victoria 2012

Version
1.0

Page
17

of
43




3.

Vendor Issues

Unless the vendor is the agency or Victorian Government, a third par
ty will be needed
436

provide cloud services.

437

It is the responsibility of the agency to ensure that the service provider can adequately look
438

after the records and the system
they are stored in
. The best way to determine what
439

recordkeeping risks may be involve
d with implementing a cloud computing solution is to
440

conduct a thorough risk assessment prior to engaging a third party. Key risks include the
441

breach of legislative requirements, such as those imposed by the
Act,

the
Information
442

Privacy Act

2000
, the
Freed
om of Information Act

1982

(FOI), the
Evidence Act

2008
, and
443

the
Crimes Act

1958
. They also include loss of valuable business information, as well as the
444

possibility of embarrassment
or even placing people’s lives in danger
due to
the
445

inappropriate release

of information

in extreme cases
.

446

Recommendation 2:
Agencies should conduct a thorough risk assessment prior to adopting
447

a cloud computing environment and consider
risk mitigation strategies,

as

some data may be
448

so sensitive that it should n
ever b
e stored
in a cloud. Agencies should be familiar with the
449

Protective Security Policy Framework (PSPF)
.

450

3.1

Managing Risk

The Standards and Specifications issued by PROV are mandatory. Regardless of the
451

jurisdiction in which the records are held, agencies may be held ac
countable against PROV’s
452

Standards and Specifications by regulatory authorities, including the Victorian Ombudsman
453

and Victorian Auditor General’s Office. Agencies need to ensure that the evidential nature of
454

records will not be compromised.

455

Managing risk
should include the following actions:

456



Identify the records to be stored and processed using cloud service providers;

457



If possible attend the location of the services to ensure adequate measures are in
458

place (including disaster preparation, management and re
covery);

459



Ensure ‘due diligence’ is performed when selecting a provider;

460



Manage identified risks through contractual arrangements; and

461



Monitor cloud computing services offered by the provider
.

462

Recommendation

3
: Agencies should ensure that
vendors
are able t
o demonstrate

and
463

exhibit

due diligence (a thorough investigation or audit of the cloud service provider, prior to
464

signing the contract).


465

3.2

Selecting a provider

When performing due diligence checks, Agencies are advised to consider the questions and
466

key act
ions identified in Table 3.2.1 (below).

467

468


© State of Victoria 2012

Version
1.0

Page
18

of
43




Table 3.2.1 Questions and key Actions to Consider when selecting a service provider

469


Question

Key Actions

Where will the records be stored?

-

Determine the processes around reporting
storage location changes to th
e agency
.


Can the cloud service provider meet
the requirements of the PROV
Recordkeeping Standards?

-

Provide vendors with
copies of the

PROV

Recordkeeping Standards.


-

Include in the contract or agreement a requirement to meet PROV Standards.


Is the
service provider aware of the
requirements of the

I
nformation
P
rivacy
A
ct 2001
?

-

Establish the
level of compliance

with the

IPA privacy principles
.


-

Determine the jurisdictional legislation that the records may be subjected to.


Will all records

be ret
urned to the
agency
, by the service provider
within an agreed timeframe once the
contract has ended?


-

Establish

the processes involved in
completely
returning a copy of

agency specific
data.

-

Establish the process for completely erasing the data from th
e vendors system.

-

Include

in the contract
any c
osts involved in removal of data
.

What assurance can the provider
supply to the agency that no copy of
agency data has been retained after
the termination of the contract?

-

Determine effective ‘take down’

procedure
s

for
potential compliance breaches.


-

Verify vendor certification of

the total and permanent removal of the requested records
from the provider’s systems (including back

up copies)
.


Is the service provider subject to
external auditing, certif
ication or
monitoring processes?

-

D
etermine
whether vendors

are subject to external auditing or certification processes.


-

Establish

whether the
external monitoring is sufficient to mitigate or reduce data
access or storage risks
.


How will third party
access to the
agency’s records be managed by
the service provider?

-

Determine how Freedom of Information (FOI) request
s of agency

records can be
effectively managed
.


-

Identify
provisions
for third party access
to data
stored in non
-
Australian jurisdicti
ons.


What back
-
up arrangements does
the service provider have in place to
ensure the restoration of agency
data?

-

Obtain vendor

guarantee
that

the structure of agency records and associated
metadata are maintained when restoring data.


-

Verify

back
-
up

arrangements are in place, how long it would take to do a complete
restoration of agency records, and any ad
ditional costs.

-
Testing.


What risk assessments does the
cloud service provider conduct in
relation to the storages of an
agency’s records.

-

Est
ablish if the provider guarantees service provision parameters

and levels of liability
for failure to operate within the given
parameter
.


-

Direct vendor to conduct risk assessment of
storages of an agency’s records.


What subcontracting arrangements
doe
s the service provider
undertake?

-

Ensure the agency will be notified of any subcontractor access to agency records
(including what

level
)
.


-

Determine
the extent the vendor

subcontracts

services

and
the impact this may have
on agency data
.



© State of Victoria 2012

Version
1.0

Page
19

of
43




3.3

C
ontractual

A
rrangements

Where computing resources are provided as a service, much of the relationship between the
470

agency and the provider will be governed by a contract. This will require

both
:

471



IT contract negotiation skills to establish the terms of the relationsh
ip; and

472



Records management knowledge to ensure that recordkeeping requirements
473

regarding management of data are adequately met
.

474

Contracts or agreements with service providers based or owned outside of Australia can be
475

problematic to enforce. Even if an ag
ency is able to take the service provider to court over a
476

breach of contract,
it is likely to be difficult

to
enforce their
findings on an overseas vendor
.

477

Furthermore agencies should recognise that they may have little leverage over vendors.

478

Service Leve
l Agreements

Service level agreements (SLAs) should be included in the contract to outline specific
479

parameters and minimum levels for each aspect of the service provided. SLAs must be
480

enforceable and specify remedial actions for when they are not met, incl
uding corrections
481

and penalties.

482

Examples of measurable services that may need to be covered in an SLA include:

483



Uptime, the availability of service and who determines whether the service level was

484

met;

485



Performance and response time, including the speed of

the service;

486



Capacity and efficiency (non speed related) of the service;

487



Error correction
,

maintenance time and the availability of a help desk. A root cause
488

analysis should be supplied by the service provider after any service failure;

489



Compensation and t
he right to terminate the SL
A
;

490



Restoration of the data
; and

491



Maximum time for return of all data in a usable form
.

492

PROV Requirements and Contracts

Ensuring appropriate records management clauses in contracts with cloud computing service
493

providers can assist

in meeting the requirements relating to outsourced activities and
494

privatisation in the PROV
Strategic Management

Specification
. For agencies to meet the
495

requirements of the
PROS

10/10 S1

Strategic Management Specification

when engaging a
496

cloud service provider, agencies must ensure

the contract covers
:

497



The ownership and custody of records is determined and documented (see
498

Requirement 21)
;

499



The service provider must be required to
comply with records management
500

requirements determined by the agency (see Requirement 22);

501



Records must only be disposed of in accordance with the Act and other relevant
502

legislation (see Requirement 23
)
;

503



The same level of access to records must be availabl
e to the public, regardless of
504

who is delivering or provisioning the service (see Requirement 24);

505



To specify appropriate standards of storage for any records of outsourced or
506

privatised activities which are not in government custody (see Requirement 25);

507



To specify appropriate standards of security for any records of outsourced or
508

privatised activities which are not in government custody (see Requirement 26);

509



Arrangements for monitoring and audit of service provider records management
510

practices agreed and
specified (see Requirement 27);

511



All outstanding records management issues (including disposal) must be addressed
512

by the service provider prior to the completion of the contract (see Requirement
513

28)
;
an
d

514


© State of Victoria 2012

Version
1.0

Page
20

of
43






The total budget for the contract includes sufficient
resources to fund the cost of the
515

specified recordkeeping requirements (see Requirement 29
)
.

516

Recommendation 4
:

Agencies must ensure that outsourced contracts or agreements with
517

cloud service providers meet requirements 21 to 29 of
PROS 10/10 S1 Strategic
518

M
anagement Specification
.

519

Agencies must ensure that any contractual arrangements and service level agreements
520

address the relevant recordkeeping requirements identified in PROV’s Recordkeeping
521

Standards and Specifications. More information about how the Sta
ndards and Specifications
522

relate to cloud computing is provided in Section 5.

523

Data Processing and Storage

As the agency’s data will reside on the service provider’s infrastructure, it is important for the
524

agency to affirm its ownership of that data

in cont
racts or agreements
. It may also be
525

necessary
for evidential and business purposes
to affirm agency ownership of any
526

transactional data created as a result of data being processed on the cloud computing
527

provider’s system.

528

The agency should establish itself

within the contract as the controller and determine the
529

purpose and means of processing data. The cloud service provider’s role within the contract
530

should be defined as the processor
,

processing data on behalf of the controller
14
.

531

The contract should
null
ify “vendor lock in”
(
locked into a particular vendor’s cloud). The
532

agency
must have the
right to

change to a different
offering

when a contract ends. The
533

agency may want to move data back in
-
house or to a new
vendor
.
Compatibility and
534

interoperability of
data should be ensured after the termination of contractual agreements.

535

T
he agency’s ongoing rights to access its data and the process by which data will be
536

migrated ba
ck to the agency should be stated within the contract. It should

outline the
537

timeframe w
ithin which the vendor needs to
return data

and
specify
the format of the data.

538

T
he service provider’s obligations in the event of unauthorised access of agency data

must

539

be covered within the contract
.

This

include
s

the requirement to notify the agency of

any data
540

breaches, the timeframe for notification and the disclosure of breach details.
It also includes
541

provision of
compensation if the agency’s data is accessed inappropriately.

542

Due to the range of legal
and regulatory
issues that can arise if data is
stored in another
543

state or country, it
is important to specify and
document the geographic locati
on of the data
544

centre
.

Any proposed changes to the data storage arrangements should be approved by the
545

agency.
This is particularly important when
records are
stored and
transmitted outside of
546

Australia.

547

Infrastructure and Security

The cloud provider’s security measures should be clearly documented in the contract,
548

including specific infrastructure and security requirements and practices. This may include
549

busine
ss continuity, disaster recovery, firewalls and physical security.

550

A right
-
to
-
audit contract clause should state requirements for third party audits or
551

certifications and the provision of any reports generated from these activities to the agency.
552






14

Dr M Williams 2010, New Tools for Business, A Quick Start Guide to Cloud Computing, M
oving Your Business
into the Cloud,


© State of Victoria 2012

Version
1.0

Page
21

of
43




Vendor’s
infrastructure and security practices would ideally be confirmed via on
-
site
553

inspection. Alternatively the agency could obtain the provider’s infrastructure and security
554

specifications in writing and have in
-
house experts review and confirm their suitabili
ty.

An
555

agency must have the right to break the contract if a vendor does not meet the contractual
556

obligations as a result of subsequent changes to their service delivery.

557

Cloud computing services could be disrupted by disasters or other unforseen circumsta
nces.
558

The contract should state the provider’s disaster recovery procedures and business
559

continuity plans to ensure the agency has ongoing access to its data. The contract should
560

also outline the service provider’s obligations if any of the agency’s data b
ecomes lost or
561

damaged due to vendor error. It should outline the notification process, corrective actions to
562

be taken, timeframes, plans for ongoing service provision and the vendor’s obligation to
563

reimburse costs.

564

Vendor Relationship

Establish

the terms
under which the agency can continue to use the service as well as those
565

under which it can make changes or terminate the service. This can help to avoid large costs
566

associate with changing to another solution.

567

It may be necessary to negotiate the costs for

expansion of volume or usage. One of the
568

major benefits of cloud computing is scalability
.

I
t is important to ensure the contract doesn’t
569

specify minimum purchase volumes or long
-
term commitments.

570

Cloud computing is a constantly evolving field where featu
res and functionality can be added
571

and removed. It may be pertinent to include a requirement for notice to be given to the
572

agency prior to the removal of a feature or functionality or the cloud computing service. The
573

notification period should take into ac
count the time it would take for the agency to move to a
574

new solution.

575

The contract should detail terms under which the agreement can be terminated either by the
576

agency or the vendor. Considerations for the agency would be whether cause would have to
577

be sh
own or fees or penalties incurred. Agencies may wish to negotiate a clause that
578

restricts the vendor’s right to terminate the service. This could include a suitable period of
579

advance notice.

580

Mergers and acquisitions present risks to the ownership of data a
nd the maintenance of data
581

integrity and ongoing access
to that data
by
the agency
.
Agencies must ensure that
break
582

clauses

in the contract provide the agency with an opportunity to break the contract.

583

It is common for cloud computing providers to subcontr
act services to third parties, for
584

example,
vendors
may
subcontract the
data centre infrastructure. This has the potential to
585

create confusion over which vendor is responsible for which acti
ons. The contract should
586

oblig
e the vendor to identify any functio
nality that is being outsourced and to whom. It should
587

be made clear that the contracted provider remains directly responsible for complying with
588

the terms of their contract

irrespective of subcontracting
.

589

Question


Q 3.3
-
1: Is your agency subject to regu
latory compliance or internal governance
590

restrictions?

591


Q 3.3
-
2: If so what are they?

592


Q 3.3
-
3: Do they prevent your agency form using a cloud service provider?

593


© State of Victoria 2012

Version
1.0

Page
22

of
43




4.

Recordkeeping
i
ssues of cloud computing

Agencies seeking to implement cloud computing servi
ces are advised to consider the
594

implications for their records management program.
It is the agency’s responsibility to
ensure
595

that data stored in a cloud compl
ies

with Victorian legislation and regulations. This means
596

having clearly assigned and documente
d

lines of authority and accountability with regard to
597

the
data stored in a cloud environment. Personnel, including contractors and volunteers,
598

must be made aware of what needs to be done to ensure that the agency’s recordkeeping
599

responsibilities are met.

600

Recordkeeping responsibilities are identified in legislation, regulations, policies and
601

Standards (including PROV’s Recordkeeping Standards). Agency data stored or created in
602

any cloud are subject to the same records management standards and obligations as

agency
603

data stored in other environments within the State of Victoria.

Agencies
must ensure that
604

they are compliant with
PROV’s mandatory Standards and specifications.

605

An element of strategic planning is required to ensure that different sections of the a
gency
606

are aligned. Key areas include information technology, records management, risk
607

management and contract management. This will ensure that risks are identified and
608

mitigated as part of the agency’s risk management framework and that contracts include
609

clauses related to the various recordkeeping responsibilities the service provider is to meet.

610

PROV also recommends that agencies familiarise themselves with
the
Commonwealth
611

Government

s, Department of Defence Intelligence and Security discussion paper on

Cloud
612

Computing Security Considerations.

Agencies must be aware must be of the sensitivity of the
613

data they are proposing to store in the cloud environment. Risks will vary depending on the
614

sensitivity of this data
15
.

615

As cloud computing will most likely be

offered as a service by a third party, recordkeeping
616

responsibilities will need to be managed through a contract or agreement to meet the
617

principles of
PROS 10/10 Strategic Management
. Section 2.4 of the associated Specification
618

(PROS 10/10 S1) identifies

the recordkeeping requirements that contract clauses will need to
619

cover.
Strategic Management Guideline 2: Managing Records of Outsourced Activity

620

provides some sample clauses that may be useful when considered clauses to manage
621

cloud computing risk.

622

This

section of the issues paper explores some of the significant recordkeeping implications
623

for agencies choosing to adopt a cloud computing model. There will be other issues
,

both
624

general and unique
,

to a particular agency that are not discussed in this pape
r.

625

4.1

Unauthorised Access to Data

The first recordkeeping issue with cloud computing is the prevention of unauthorised access
626

to data stored in a cloud server. Unauthorised access could be by:

627



Eavesdropping on the network traffic between the agency and the c
loud server;

628



Staff at the cloud service supplier using administrative tools to obtain data. This could
629

be for personal purposes, or required by local laws (e.g. the US Patriot Act);

630



Other users of the shared cloud server deliberately or inadvertently acces
sing agency
631

data;

632






15

Australian Government, Department of Defence (2011) Cloud Computing Security Considerations


© State of Victoria 2012

Version
1.0

Page
23

of
43






Outsiders breaking the service provider’s security. These outsiders could be
633

individuals, organisations, or governments. Outsiders could be extremely well
634

resourced and knowledgeable; and

635



Leakage of data

from decommissioned media.

636

It is t
he agency’s responsibility to ensure that the service provider implements adequate
637

security measures to protect their data, in particular agencies must consider the risks
638

associated with handing over control of records to external vendors
.

639

The level of sec
urity measures required will depend on the sensitivity of the data. Data that is
640

publically available will need little or no security measures. Data that is sensitive or personal
641

will require substantial security measures. Security related data will requir
e very substantial
642

security measures, and it is likely that this type of data would not be appropriate for storage
643

in a public or community cloud.

644

Security requirements for private clouds operated in
-
house will not be considered in this
645

document, as the se
curity would be little different to that required by any web accessible
646

agency system.

647

When identifying security measures for cloud computing solutions, the following constraints
648

must be met:

649



Compliance with the
Information
Privacy Act 2000
(Victoria)
.

650



The

Protective Security Policy Framework (PSPF) provisions may also need to be
651

complied with.

652



PROV Storage Standard Principle 6 that public records must be protected from theft,
653

misuse, and inappropriate or unauthorised access or modification, whil
e

they are
654

being stored, or in transit to or from a storage facility or area.

655



PROV Access Standard Principle 4 that public records must only be used for
656

authorised purposes; taking into account all relevant legislation, access, copyright or
657

licensing conditions.

658



PROV

Access Standard Principle 5 that the security of public records must be
659

assured, preventing unauthorised access, alteration, destruction or release of
660

records.

661



PROV Disposal Standard Principle 1: Disposal of public records must be conducted
662

in a lawful ma
nner.

663



PROV Disposal Standard Principle 8: The destruction of public records in accordance
664

with a disposal authority must be undertaken using a secure method to ensure the
665

content of the records is not released inadvertently.

666


© State of Victoria 2012

Version
1.0

Page
24

of
43




Privacy

Regardless of where ag
ency data is stored, it is subject to the
Information Privacy Act 200
0

667

(Vic) (IPA).

668

Example


Data stored in overseas jurisdictions may be subject to that jurisdiction’s privacy
669

laws (which may differ considerably from privacy data protection laws within
670

Vi
ctoria). For example, the US Patriot Act and its associated anti
-
terrorism
671

legislation permit the US government to access data under specified
672

circumstances without providing any notification. This is likely to breach the
673

Information Privacy Act 2000 (IPA)
; in particular the requirement of IPP 4, to
674

protect personal information from unauthorised access. Information Privacy
675

Principle 9 prevents the transfer of personal information outside Victoria unless
676

the recipient protects privacy under standards similar

to Victoria’s IPPs. Many
677

countries do not have
legislation

governing the protection and

management of
678

personal informati
on
.

679

The IPA sets a standard for the protection of the privacy of personal
16

information held by the
680

State and local Government of Victor
ia. The IPA only applies to data that contains personal
681

information about, or that can be used to identify, any individual. Agencies
must

ensure that
682

contracted service providers have procedures in place to comply with the Information Privacy
683

Principles (I
PPs)
that
form the core of the IPA. Contractor and service provider agreements
684

must
enforce contracted providers to abide by the IPPs
17
.

685

Security

It is the agency’s responsibility to ensure that the service provider implements adequate
686

security measures to

protect their data.

687

Clearly the level of security measures required will depend on the sensitivity of the data. Data
688

that is publically available will need little or no security measures. Data that is sensitive or
689

personal will require substantial securit
y measures. Security related data will require very
690

substantial security measures, and it is likely that this type of data would not be appropriate
691

for storage in a public or community cloud

at all
.

692

Security requirements for private clouds operated in
-
hous
e will not be considered in this
693

document, as the security would be little different to that required by any web accessible
694

agency system.

695

It is understood that the Victorian government will move to adopt the
Commonwealth
696

Government’s Protective Security P
olicy Framework

(PSPF). PROV considers this
697

framework to be good practice in analysing what data can be held outside control of an
698

agency.

699

The PSPF identifies a number of mandatory requirements regarding developing and
700

implementing a security plan. For ex
ample, the application of a security classification to all
701






16

The
Information Privacy Act 2000

defines ‘personal information’ as ‘information or an opinion (including
information or a
n opinion forming part of a database) that is recorded in any form and whether true or not, about
an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but
does not include information of a kind to whi
ch the
Health Records Act 2001

applies.

17

http://www.privacy.vic.gov.au/privacy/web2.nsf/files/dont
-
let
-
privacy
-
get
-
lost
-
in
-
the
-
cloud/$file/media_release_03_05_11.pdf


© State of Victoria 2012

Version
1.0

Page
25

of
43




data is required. Only those who have security clearance for a particular security
702

classification may see the associated data. It is the agency’s responsibility to ensure that
703

contractors and servi
ce providers abide by the requirements of PSPF. Commonwealth
704

agencies are currently required to provide the results of an assessment against the PSPF
705

requirements in their annual report.

706

An area that may inadvertently lead to security breaches is the dispo
sal of media on which
707

data is stored. Service providers may routinely dispose of back up tapes and
708

decommissioned systems and discs that contain agency data without removing the data prior
709

to destruction or ensuring that the total destruction of the data h
as been achieved. Total
710

removal of agency data from the service provider’s systems may not be possible.

711

Disposal of data includes disposal of back up tapes and decommissioned discs that contain
712

the data. To be lawful, disposal must be conducted in accordan
ce with a PROV Disposal
713

Authority. Some data will need to be transferred to PROV once it has reached its retention
714

period. This should be done by the agency in accordance with PROV processes. Some data
715

should be destroyed once the retention period has ende
d.

716

Decisions to destroy agency data in a cloud environment, including destruction of back

up
717

tapes and decommissioned disks, must only occur after consideration of the facts involved.
718

This includes the disposal class and sentence relating to the data, the
person authorised to
719

approve disposal actions, and approved methods of disposal. The disposal class and
720

sentence provide information on how long the data will need to be retained prior to its
721

disposal and whether the data is to be destroyed or transferred
to PROV.

722

Copies of data (such as those on back up tapes or decommission discs once the data has
723

been migrated to other systems) may be destroyed under normal administrative practice
724

(NAP). A record of destroyed data must be kept that includes the disposal

authority under
725

which the data was destroyed. This record does not include destruction under NAP.

726

Destruction of data, if it occurs, should be complete so that no reconstruction is possible.
727

This includes destruction of back

up tapes and decommissioned d
iscs containing agency
728

data. Secure destruction is needed to prevent private information from being accidentally
729

released through inappropriate disposal methods. If the data being destroyed has restricted
730

access due to a security classification assigned un
der the
PSPF
, the destruction may need
731

to be witnessed by an authorised representative.

732

The capacity, and appropriate procedures and systems, required for disposal actions to be
733

implemented include the following:

734



Retention of data that

is
retrievable and
understandable for the duration of
its
735

lifecycle;

736



Transfer of data into the custody of another agency if required (for example, if a
737

machinery of government change requires data relating to a specific function to be
738

transferred to a different agency);

739



P
erm
anent

value

records

transferred

to Public Record Office Victoria
; and

740



Destruction of time
-
expired data (including any copies of the data)

in a manner that
741

ensures that the data is
not be able to be reconstructed.

742

Regardless of where it is stored, agency d
ata is subject to the PROV recordkeeping
743

standards. These standards include requirements covering the security of agency data.
744

Agency data may also soon be subject to the requirements of PSPF, regardless of where it is
745

stored.

746

Cloud computing services must

be able to ensure that the data is protected from theft,
747

misuse, and inappropriate access or modification whilst they are being stored as well as
748

when they are in transit to or from the storage facility or area. For cloud computing services,
749


© State of Victoria 2012

Version
1.0

Page
26

of
43




this means th
at the online interface between the server and the agency must protect the data
750

from unauthorised access as well as

the systems used to store the data. Where data is
751

subject to security classifications (such as the protective security policy or its equival
ent) the
752

level of protection required for the security classification must be ensured by the cloud
753

service provider.

Protection from hacking and unauthorised release of restricted data will also
754

need to be ensured.

755

Under
PROS 11/10 Access Standard
, if data

stored in a cloud environment has an access
756

status of open, the level of protection required for the data is minimised. This is because
757

anyone is allowed to view and use the data.

758

Where data has restrictions to access, the agency must ensure that the acce
ss restrictions
759

are applied in the cloud environment. The level of support needed to administer the cloud
760

services provided should be considered, including who will be providing the support and what
761

data they will be able to access.

762

Questions


Q 4.1
-
1: Are

there any other data access concerns that have not been identified
763

in this paper?

764


Q 4.1
-
2: Are there any other constraints on solutions other than those identified in
765

this paper?

766

Recommendations

Recommendation
5
:
PROV is proposing to require all agencie
s storing data on a cloud
767

server to categorise the sensitivity of the data.

768

This analysis must consider:

769



Whether the data is personal information as defined in the IPA
; and

770



The level of security required under the
PSPF.

771

The risk analysis must be signed off

by a senior business owner.

772

Security classification of agency data is already covered by the Capture, Storage and Access
773

Standards, and includes the following:

774



Records that carry security classifications are created and captured in compliance
775

with the req
uirements of that classification (Capture Specification 3, Requirement 17).

776



Records that carry security classifications are handled and stored in compliance with
777

the requirements of the classification (Storage Specification 1, Requirement 37).

778



Policies gov
erning access to records align with legislation and Victorian government
779

policy (Access Specification 1, Requirement 2).

780



Documented criteria, based on legislation and policy, are used to justify restrictions
781

on records (Access Specification 1, Requirement
5).

782



Access restrictions for records are implemented in all appropriate systems (Access
783

Specification 1, Requirement 6).

784



Security measures, procedures and protocols relating to access to records are
785

established, documented, and designed to prevent unauthori
sed access, alteration,
786

destruction or release (Access Specification 1, Requirement 14).

787

The above recommendation is an extension of the existing requirements and would be
788

covered in a Guideline on how to implement the Standards in a cloud computing
789

enviro
nment. The Guideline would fit under Storage.

790


© State of Victoria 2012

Version
1.0

Page
27

of
43




Questions


Q 4.1
-
3: Would there be any problem in implementing this recommendation in
791

your agency?

792


Q 4.1
-
4: Are there any other criteria that should be considered in performing a
793

sensitivity analysis?

794

Recommen
dation
6
:
PROV is proposing to recommend that agencies storing personal or
795

sensitive
data on a cloud server use servers located in an Australian jurisdiction. The
796

company that operates the server must be registered in an Australian jurisdiction, although i
t
797

may be a subsidiary of an overseas company.

798

Choosing a provider who delivers a service from within Australia would ensure that most
799

privacy risks associated with recordkeeping are mitigated. This is due to the similarity of
800

privacy legislation across the

different Australian jurisdictions. A service provider based in
801

Victoria is the preferred option due to other PROV recordkeeping requirements.

802

PROV would caution agencies seeking cloud service providers based offshore and would
803

recommend that a comprehen
sive risk assessment is conducted. Using cloud computing
804

services will impact on the degree of control an agency has over the way its data is managed
805

and accessed by third parties.

It may not be possible to adequately protect personal
806

information stored ou
tside of Australia. If data is stored offshore it could be difficult to enforce
807

and monitor access and security provisions.

808

Third party storage of agency data is currently covered by the Storage Standard, and
809

includes the following:

810



Any commercially operat
ed storage areas and facilities which store public records
811

have been assessed as being compliant with this Specification by the Keeper of
812

Public Records under the Approved Public Record Office Storage Supplier
813

(APROSS) programme, and any conditions or limi
tations have been noted in the
814

certification (Storage Specification 1, Requirement 3).

815



APROSS storage areas and facilities have been inspected and assessed for
816

compliance with this Specification by an APROSS representative and a report of
817

compliance has be
en attested by the head of the APROSS annually and submitted to
818

the Keeper of Public Records (Storage Specification 1, Requirement 7).

819



The location
of

each storage area or facility has

been subjected to a risk assessment
820

to identify
and mitigate
possible r
isks
to the preservation of and access to the public
821

records stored there, and t
he results
have

demonstrate
d

that the level of risk is
low
822

(Storage Specification 1, Requirement 10)
.

823



Storage Specification 1 Requirement 11: Storage facilities have been asses
sed as
824

being compliant with the Building Code of Australia and associated codes (Storage
825

Specification 1, Requirement 11).

826

The above recommendation would require amendment of the PROV APROSS Programme
827

to enable assessment of Australian storage facilities a
nd areas outside of Victoria.

828

Questions


Q 4.1
-
5: Would recommending the use of a server located in an Australian
829

jurisdiction unreasonably limit the use of cloud services, or unreasonably
830

increase the cost?

831

Q 4.1
-
6: Would recommending the use of a company

registered in an Australian
832

jurisdiction unreasonably limit the use of cloud services, or unreasonably
833

increase the cost?

834


© State of Victoria 2012

Version
1.0

Page
28

of
43




Recommendations

Recommendation
7
:
PROV is proposing to recommend that, where agencies store data on
835

a cloud server located outside an

Australian jurisdiction, the agency has ensured that:

836



The circumstances have been assessed by a Victorian legal expert on behalf of the
837

agency with a documented recommendation from the legal expert that it is acceptable
838

for the agency to store its data ou
tside an Australian jurisdiction.

839



The contract with the service provider follows industry best practi
c
e regarding records
840

management in accordance with the legislative and regulatory requirements for the
841

Victorian jurisdiction;

842



Data is easily migrated to t
he agency or another service provider; and

843



The provider will provide compensation for any breaches in privacy and make the
844

necessary changes to its systems to ensure that the breach does not reoccur.

845

In executing a contract with a company registered outsid
e an Australian jurisdiction, agencies
846

should consider that

847



Once data has been leaked the damage has been done. Any compensation will not
848

repair the damage, or retrieve the data.

849



It is likely to be extremely difficult to enforce any judgement.

850

Third party
storage of agency data is currently covered by the Storage Standard, and
851

includes the following:

852



Any commercially operated storage areas and facilities which store public records
853

have been assessed as being compliant with this Specification by the Keeper o
f
854

Public Records under the Approved Public Record Office Storage Supplier
855

(APROSS) program
me
, and any conditions or limitations have been noted in the
856

certification (Storage Specification 1, Requirement 3).

857



APROSS storage areas and facilities have been ins
pected and assessed for
858

compliance with this Specification by an APROSS representative and a report of
859

compliance has been attested by the head of the APROSS annually and submitted to
860

the Keeper of Public Records (Storage Specification 1, Requirement 7).

861



T
he location
of

each storage area or facility has

been subjected to a risk assessment
862

to identify
and mitigate
possible risks
to the preservation of and access to the public
863

records stored there, and t
he results
have

demonstrate
d

that the level of risk is
l
ow
864

(Storage Specification 1, Requirement 10)
.

865



Storage Specification 1 Requirement 11: Storage facilities have been assessed as
866

being compliant with the Building Code of Australia and associated codes (Storage
867

Specification 1, Requirement 11).

868

Implementing
recommendation
7

would require amendment of the PROV APROSS
869

Programme to enable attestation by Victorian legal experts that overseas storage facilities
870

and areas are compliant with Victorian jurisdictional requirements.

871

Questions


Q 4.1
-
7: Does this recomm
endation satisfy data protection and Victorian industry
872

compliance requirements?

873


Q 4.1
-
8: Would there be any problem in implementing this recommendation in
874

your agency?

875


Q 4.1
-
9: Are there any specific criteria that agencies should build into contracts
876

wi
th vendors outside Australian
jurisdiction?

877


© State of Victoria 2012

Version
1.0

Page
29

of
43




Recommendations

Recommendation
8
:
PROV is proposing to recommend that where personal or sensitive
878

data is stored in a public or community cloud, a Protective Security Policy

Framework
879

analysis be performed.

880

Quest
ions


Q 4.1
-
10: Would there be any problem in implementing this recommendation in
881

your agency?

882

4.2

Loss of Access to Data

The second recordkeeping issue with cloud computing is the prevention of loss of access to
883

data stored in a cloud server. Loss of access c
ould be by:

884



Scheduled or unscheduled network shutdown periods
;

885



Vendor bankruptcy or sale to new service provider
;

886



A disaster that destroys the vendor’s systems
; and

887



Hackers or other internet criminal activity.

888

The use of cloud computing services
relies on
access to the internet and the continuity of
889

access to data and applications.
Agency data contain evidence of citizen entitlements,
890

enable business continuity, assist with investigations, and enable an understanding of
891

history. Prolonged loss of agency dat
a may have severe consequences in one of these
892

areas.

893

Cloud computing issues related to the loss of access to data include the following:

894



Data held remotely can increase risk of loss of access to data due to network failure;

895



There is a danger that access
to agency data may be lost when contractual
896

arrangements expire or cease between an agency and cloud service provider; and

897



It can be difficult to access and audit the cloud computing provider to ensure that
898

services provided meet requirements intended to p
revent loss of access to data.

899

Cloud providers comprise an emergent sector. That means that some providers will
900

undoubtedly fail or be required for financial reasons to alter their business model, perhaps
901

reducing the functionality they offer in the proces
s. This could result in the loss of access to
902

vital business information.

903

Some cloud computing models have greater risks than others in relation to loss of access.
904

The risk is less with IaaS especially as the agency will most likely have a copy of the data
.
905

With bankruptcy and receivership, the problem may be the amount of time to sort out and
906

regain access to the data. Potential seizure of assets is an extension of this.

907

Mitigating risks related to loss of access to data include having plans in place to re
duce the
908

possibility of valuable business data being lost. Mitigation of risks may include the following:

909



Determining what data the agency cannot afford to lose and ensuring that the data
910

identified is not placed in a cloud environment;

911



Requiring the servi
ce provider to notify the agency of any proposed change in
912

ownership as part of the contractual obligations;

913



Ensuring that data is always available by having several copies, including one held
914

locally; and

915



Ensuring that the risk of loss is low through havi
ng clear processes and regular
916

auditing of cloud computing service and supply.

917


© State of Victoria 2012

Version
1.0

Page
30

of
43




Plans may include performing due diligence when selecting a provider and ensuring that the
918

agency’s rights are clearly documented in contractual agreements and understood by bot
h
919

parties. Clauses in contracts may be used to ensure the agency’s right to terminate the
920

agreement, migrate to another service or fall back to a pre
-
cloud contract. A thorough
921

selection process would look at the reputation and track record of the provider

and their level
922

of experience in implementing records management solutions in the cloud.

923

Clauses in contracts should specify that the cloud service provider:

924



Creates and maintains proper back

up systems;

925



D
emonstrates
the effectiveness of

their
disaster re
covery and business continuity
926

plans
to the agency
on an agreed basis;

927



A
grees to the agency’s access requirements (
such as

ongoing business use

or
928

Freedom of Information requests);

929



Agrees to notify

the agency prior to any hardware or software upgrades. The

930

notification period should take into account the time it would take for the agency to
931

move to a new solution; and

932



I
mplement
s

disposal actions in line with agency specifications.

933

Continuity of service is likely to be disrupted at some point in time. Servic
e level agreements
934

should explicitly contain details about:

935



Sufficient notification of and what constitutes scheduled downtime
18
;

936



Maintenance programmes, including definitions of complete and partial outages;

937



Systems upgrades;

938



Alternate arrangements for acc
essing data during prolonged outages; and

939



Expected levels of uptime
19
.

940

When identifying methods to prevent loss of access to data for cloud computing solutions,
941

the following constraints must be met:

942



Capture Principle 1:
Full and accurate records of all ag
ency activities and decisions
943

are systematically created by authorised people or systems to meet business needs,
944

accountability requirements and community expectations
.

945



Storage Principle 3: Public records must be stored away from known and
946

unacceptable ris
k.

947



Storage Principle 4: Public records must be stored in conditions that ensure their
948

preservation for as long as the records are required, and the safety of the people
949

handling the records.

950



Strategic Management Principle 1:
Responsibilities, authorities a
nd accountabilities
951

for records management must be clearly assigned, documented, communicated and
952

assessed on an annual basis.

953



Strategic Management Principle 4:
Contracts, agreements or legislative instruments
954

for outsourcing or privatisation must specify
records management and monitoring
955

practices that meet government and legislative records management requirements
.

956



Operations Management Principle 1: Recordkeeping procedures must cover
all
957

processes required to create and maintain full and accurate records

consistently,
958

adequately and appropriately
.

959



Operations Management Principle 2:
All systems which contain public records must
960

be effectively managed over their life, from acquisition to decommissioning, to ensure
961

the system’s integrity, reliability and per
formance quality
.

962






18

Downtime refers to periods of time when a system is unavailable.

19

Uptime refers to per
iods of time when a system is available.


© State of Victoria 2012

Version
1.0

Page
31

of
43






Operations Management Principle 4:
Recordkeeping frameworks, procedures and
963

practices must be audited at least every two years to ensure the agency is operating
964

in compliance with its’ recordkeeping procedures
.

965

The processes for the creat
ion and maintenance of data stored and managed in a cloud
966

computing environment are to be supported by documented procedures to meet the
967

principles of
PROS 10/17 Operations Management Standard
. Procedures would include
968

determining what data can be placed i
n the cloud, appropriate management of data in a
969

cloud environment, and retrieval of data from a cloud.

970

Systems used to manage and store data in a cloud environment will need to be managed
971

throughout their lifecycle to meet the principles of
PROS 10/17 Op
erations Management
972

Standard
. This includes the decommissioning of systems and appropriate methods for the
973

removal or migration of data.

974

Auditing cloud computing practice against the agency’s recordkeeping requirements should
975

be undertaken to meet the prin
ciples of
PROS 10/17 Operations Management Standard
.
976

This includes audits of the service provider’s recordkeeping practices undertaken on behalf
977

of the agency as well as of agency practices.

978

Facilities and storage areas used to house Victorian government d
ata must be authorised by
979

the Keeper of Public Records to comply with
PROS 11/01 Storage Standard
. Where these
980

facilities are commercially owned, the service provider must ensure that their facilities and
981

storage areas are assessed under the Approved Publi
c Record Office Storage Supplier
982

(APROSS) Program. Cloud computing services run by a commercial third party are
983

considered to be an APROSS and will need to be assessed and approved in accordance
984

with this scheme. Regular inspection of APROSS facilities by
a PROV representative is also
985

required. The proposed APROSS facility must therefore be located within Victoria.

986

Where the cloud computing services are owned and operated by the agency (or Victorian
987

Government), and therefore housed in an agency facility, t
he facility will need to be assessed
988

by the agency representative for compliance with
PROS 11/01 S1 Agency Custody Storage
989

Specification

as per Requirement 2 of that Specification.

990

There are a number of risks to data that are associated with cloud computin
g. The level of
991

risk and possible consequences will need to be carefully assessed by the agency in order to
992

determine whether the risks are unacceptable. Where there is an unacceptable level of risk,
993

the agency must not use the cloud computing service. An
alternative solution must be
994

sought.

995

Systems used for cloud computing services must enable the data to be tracked, identified,
996

and retrieved when required. Freedom of Information and other requests for data will need to
997

be addressed efficiently and effecti
vely, which can only occur in a cloud environment if the
998

data is easily tracked, identified, and retrieved when required.

999

Agencies should ensure that the facilities used to store data in a cloud environment are
1000

regularly maintained. This includes support t
o maintain software applications, infrastructure,
1001

and hardware as well as early identification and mitigation of preservation risks for the data
1002

stored.

1003

Disaster preparedness, management and recovery plans must cover data contained within a
1004

cloud environme
nt. The longer that data stored in a cloud environment is unavailable the
1005

larger the impact on the agency’s ability to conduct business, and the impact on individuals
1006

who need access to the data. The agency may be able to minimise the effect that a disaste
r
1007

will have by being aware of the anticipated level of impact, and the processes involved in
1008

managing a disaster before it occurs.

1009


© State of Victoria 2012

Version
1.0

Page
32

of
43




Any level of use of data stored by the agency in a cloud environment by the service provider
1010

will need to be determined to en
sure that any conditions of use need to be conveyed.

1011

Recommendations

Recommendation 9
:
PROV is proposing that agencies obtain evidence that the cloud
1012

service provider has had their internal controls and IT systems and processes independently
1013

audited
to ens
ure a suitable standard of service delivery
. This should be undertaken prior to
1014

the selection of the service provider, and at regular intervals throughout the provision of
1015

service. Audits should include the inspection and testing of services provided.

1016

Audi
ting data management and systems is currently covered by the Operations Management
1017

Standard, and includes the following:

1018



New or upgraded systems have been acquired, developed or integrated to meet the
1019

agency’s business needs and recordkeeping requirements
(Operations Management
1020

Specification 1, Requirement 7).

1021



Processes and controls have been established to ensure the day
-
to
-
day reliability of
1022

systems for all users (Operations Management Specification 1, Requirement 8).

1023



Systems are monitored and maintained
to ensure the integrity and performance
1024

quality of the system over their life

(Operations Management Specification 1,
1025

Requirement 9)
.

1026



R
ecord
keeping

procedures

to be assessed by
internal
or external
audits
have been
1027

identified (Operations Management Specifi
cation 1, Requirement 16).

1028



A recordkeeping

audit program
has been developed and endorsed by the senior
1029

executive with recordkeeping responsibility (Operations Management Specification 1,
1030

Requirement 17).

1031



Recordkeeping audit

procedures and criteria

have bee
n developed, and assessed
1032

following each audit (Operations Management Specification 1, Requirement 18).

1033



R
esults of
recordkeeping
audits and
any
audit
recommendations

have been
1034

documented, presented and reported to senior executives and
relevant stakeholder
s

1035

(Operations Management Specification 1, Requirement 19).

1036



T
he
progress

of
recordkeeping
audit
recommendations are monitored and reported to
1037

senior executives (Operations Management Specification 1, Requirement 20).

1038

Implementing the above recommendation wo
uld be covered in a Guideline on how to
1039

implement the Standards in a cloud computing environment. The Guideline would fit under
1040

Storage. The
Operations Management Guideline 3: Recordkeeping and Systems Lifecycle
1041

Management

(currently under development) wou
ld be amended to refer to the cloud
1042

computing Guideline regarding managing systems within a cloud environment.

1043

Questions


Q 4.2
-
1: Would there be any problem in implementing this recommendation in
1044

your agency?

1045

Recommendations

Recommendation

10
:
PROV
is pro
posing that agencies are able to demonstrate knowledge
1046

of what data is being stored in the cloud and the impact of it being unavailable for various
1047

periods of time.

1048

Awareness of what data an agency manages is currently covered by the Capture and
1049

Storage S
tandards, and includes the following:

1050



An assessment has been undertaken to determine:

1051



What types of records are to be created and captured by the agency; and

1052


© State of Victoria 2012

Version
1.0

Page
33

of
43






The technology, systems, format and structure that business records are to be
1053

created and capture
d in

(Capture Specification 3, Requirement 1)
.

1054



Processes have been developed and communicated to all staff (including volunteers
1055

and contractors) to ensure that records are complete, meaningful, consistent with
1056

legislative requirements and comprehensive, w
hich cover:

1057



What records are to be created and captured;

1058



When records are to be created and captured;

1059



What systems they are to be captured in;

1060



Who are to create and capture them (this includes systems if records creation
1061

and capture is automated);

1062



How reco
rds are to be created and captured; and

1063



When a new version of a record is to be created, captured, and how it is to be
1064

identified

(Capture Specification 3, Requirement 2).

1065



The minimum level of detail required to ensure that business records are complete,
1066

m
eaningful and comprehensive has been determined, built into processes and
1067

systems, and communicated to all staff (including volunteers and contractors)

1068

(Capture Specification 3, Requirement 3)
.

1069



Preservation risks have been identified, assessed and mitigate
d from the point of
1070

creation or capture as part of the agency’s overall risk management framework
1071

(Capture Specification 3, Requirement 9).

1072



Systems for the intellectual control of public records within
storage areas and facilities

1073

have been implemented to
aid item level retrieval of records within storage containers

1074

(Storage Specification 1, Requirement 32).

1075

The above recommendation would be covered in a Guideline on how to implement the
1076

Standards in a cloud computing environment. The Guideline would fit un
der Storage.

1077

Questions


Q 4.2
-
2: Would there be any problem in implementing this recommendation in
1078

your agency?

1079

Recommendations

Recommendation 11
:

PROV is proposing that agencies be required to keep a copy (such
1080

as a back

up) of the data stored in a cloud
in a separate location (that is, somewhere other
1081

than with the service provider).

1082

Back up copies of agency data is currently covered by the Capture and Storage Standards,
1083

and includes the following:

1084



Preservation risks have been identified, assessed and mit
igated from the point of
1085

creation or capture as part of the agency’s overall risk management framework
1086

(Capture Specification 3, Requirement 9).

1087



The location
of

each storage area or facility has

been subjected to a risk assessment
1088

to identify
and mitigate
possible risks
to the preservation of and access to the public
1089

records stored there, and t
he results
have

demonstrate
d

that the level of risk is
low
1090

(Storage Specification 1, Requirement 10)
.

1091

The above recommendation would be covered in a Guideline on how
to implement the
1092

Standards in a cloud computing environment. The Guideline would fit under Storage.

1093

Questions


Q 4.2
-
3: Would there be any problem in implementing this recommendation in
1094

your agency?

1095


© State of Victoria 2012

Version
1.0

Page
34

of
43




4.3

Inability to Ensure Data Integrity and Authenticity

The
third recordkeeping issue with cloud computing is the means to ensure data integrity and
1096

authenticity. Such issues primarily occur in relation to SaaS. This is because the application
s

1097

in PaaS and IaaS
are
the responsibility of the agency, which should ens
ure that
1098

requirements for data integrity are met. Lack of data integrity and authenticity could be by:

1099



Insufficient audit controls that make it difficult to accurately track what happened to
1100

the data when, or if the data has been altered and by who;

1101



Lack o
f appropriate metadata describing the contextual environment by which the
1102

data is managed; or

1103



No documented procedures or evidence that sequences of actions relating to data
1104

management are normal practice and in line with requirements.

1105

C
loud applications m
ay lack sufficient recordkeeping functionality, making it difficult or
1106

impossible for agencies to meet their records management obligations. T
his may include

1107

recordkeeping requirements contained in PROV’s Standards and Specifications.

1108

A change of ownership

at a cloud provider could result in new owners not honouring previous
1109

contractual arrangements. Consequently, the agency may not know who has access to their
1110

information and the integrity of the data may be compromised.

1111

It is important to ensure that data

can be easily migrated to other providers (if the provider
1112

has gone out of business or because an agency wishes to change providers at the end of a
1113

contract). It should be established whether there are costs involved, what format the
1114

information will be e
xported in (such as an open format), and how long it will take before data
1115

can be accessed again.

1116

Some cloud architectures do not

have formal technical standards governing how data is
1117

stored and manipulated. This may lead to the inability for data to be su
ccessfully migrated to
1118

another system due to differences in the technical operating systems that manage and store
1119

the data.

1120

The

PROS 11/07 Capture Standard
requires that authentic records
be

captured consistently
1121

by robust and compliant systems. Authentici
ty can be demonstrated by
data

resulting from
1122

comprehensive auditing processes and systems.
Having these systems in place will enable
1123

agencies to know where their business data are and what actions ar
e taking place
.

1124

To meet the principles in
PROS 11/07 Cap
ture Standard

records must be created and kept
1125

of the actions and decisions related to storing and managing data in a cloud computing
1126

environment. This includes data created in a cloud computing environment. Procedures and
1127

systems automation are two method
s that may be used.

1128

Systems used to store and manage data in the cloud must be capable of consistently
1129

capturing records of agency activities and decisions. This includes activities such as who
1130

adjusted what data on what date and decisions such as why a pa
rticular data set was
1131

deleted or destroyed and who authorised its destruction.

1132

Data created, stored and managed in a cloud computing environment must be able to link
1133

with their relevant context in order to ensure their reliability as evidence.

1134

In order to
ensure that data are preserved for the duration of their retention period, the
1135

formats and methods used to create and capture data in a cloud environment must be
1136

carefully assessed. If additional strategies are needed to ensure the preservation of the data
,
1137


© State of Victoria 2012

Version
1.0

Page
35

of
43




the agency should ensure that the strategies have been identified and implemented. For
1138

example, the agency may need to state in the contract that the service provider keep and
1139

maintain agency data using an approved long
-
term preservation format.
20


1140

Data s
tored and managed in a cloud computing environment must be protected from
1141

unauthorised and undetected deletion.

1142

Data migration is the transfer of data between storage types, formats or computer systems. It
1143

may be required when an agency moves to a new comp
uter system or upgrades an existing
1144

system. In a cloud environment, a lack of portability standards may make it hard to remove
1145

business data to meet retention requirements at contract termination.

1146

Metadata capture

Metadata is ‘data describing context, cont
ent and structure of records and their management
1147

through time’.
21

Metadata helps ensure the authenticity and integrity of
data

by enabling them
1148

to be retrieved and interpreted more easily. It can support business processes and reflect the
1149

management of
dat
a

over time.

1150

Metadata issues associated with cloud computing includes the following:

1151



The functionality of the service provider’s systems may not be sufficient to
1152

accommodate the required metadata fields or to

enable future customisation
; and

1153



Transactional
metadata may not be automatically captured by the service provider’s
1154

systems and associated with the relevant data.

1155

Principal 2.1 of
PROS 11/09
Control Standard

states that metadata needed for the structure,
1156

context and management of business data is to be

captured, maintained and connected with
1157

the data. It also states that ‘the type and amount of metadata connected with a record will be
1158

limited by the boundaries of specific records, business and information systems’. Agencies
1159

would need to ensure that min
imum metadata requirements are met and that it is possible to
1160

add customised metadata fields as required. Digital records can be connected with metadata
1161

in accordance with the Victorian Electronic Records Strategy (VERS).

1162

Metadata is ideally assigned at po
int of creation,
which may be
prior to the
data

being stored
1163

with a service provider. Further transactional metadata will need to be captured at various
1164

additional points during the retention period and maintained for the duration of the records’
1165

lifecycle
. This includes metadata elements regarding the business processes in which the
1166

data

was used, the context of the management of the
data

and structural changes to the
data

1167

(including its appearance).

1168

The software, systems and infrastructure used for cloud
computing must ensure the
1169

preservation of the data for the duration of the data’s retention period. Preservation includes
1170

the ability for the data to be accessed and understood. Preservation must include the
1171

contextual metadata as well as the data concerne
d.

1172

Under
PROS 10/10 S1 Strategic Management Specification

Requirement 22, contracted
1173

service providers must be required to comply with records management requirements
1174

determined by the agency. This should include any metadata, classification and tracking
1175

r
equirements needed for compliance with the
PROS 11/09 Control Standard
. Agencies will
1176

need to be able to locate and report on actions relating to data held in a cloud environment.
1177






20

Information about acceptable long
-
term preservation formats for electronic records is located in
PROS 99/007
Standard on the Management of Electronic Records
, which is available from PROV’s website
<
http://prov.vic.gov.au/government/vers/standard
-
2/vers
-
specification
-
4
>.

21

AS ISO 15489:1, ss, 3, 12, p.3.


© State of Victoria 2012

Version
1.0

Page
36

of
43




The minimum metadata set will need to be applied and the data will need to b
e classified in
1178

accordance with the agency’s business classification schemes.

1179

Agencies will need to specify to the cloud service provider’s their responsibilities for creating
1180

and maintaining metadata. It should also be clear that the agency becomes the ow
ner of all
1181

metadata at the end of the contract or if either party terminates the agreement. Cloud service
1182

agreements need to ensure that providers are aware of the importance of metadata to
1183

maintaining the integrity of the
data

and that metadata created as

part of the operations of
1184

the cloud service provider remains the property of the agency.

1185

Constraints regarding metadata and cloud computing includes the following:

1186



The requirements of Standards and Specifications associated with the Victorian
1187

Electronic R
ecords Strategy (VERS).

1188



Operations Management Principle 1: Recordkeeping procedures must cover
all
1189

processes required to create and maintain full and accurate records consistently,
1190

adequately and appropriately
.

1191



Operations Management Principle 2:
All system
s which contain public records must
1192

be effectively managed over their life, from acquisition to decommissioning, to ensure
1193

the system’s integrity, reliability and performance quality
.

1194



Operations Management Principle 4:
Recordkeeping frameworks, procedures
and
1195

practices must be audited at least every two years to ensure the agency is operating
1196

in compliance with its’ recordkeeping procedures
.

1197



Capture Principle 1:
Full and accurate records of all agency activities and decisions
1198

are systematically created by a
uthorised people or systems to meet business needs,
1199

accountability requirements and community expectations
.

1200



Capture Principle 2:
Authentic records of all agency activities and decisions are
1201

consistently captured by robust and compliant systems
.

1202



Capture Pri
nciple 3:
Public records are correctly and clearly connected to the relevant
1203

times, people, systems, processes and events to ensure they are reliable evidence of
1204

what occurred
.

1205



Capture Principle 5:
Systems that capture public records maintain the integrity

of the
1206

records as evidence, protecting them from undetected and unauthorised alteration
.

1207



Control
Principle1: Metadata elements needed for the structure, context and
1208

management of business records to be used and understood over time are captured,
1209

maintaine
d and connected with the records.

1210



Control Principle 3:
Business records are accurately tracked using systems that
1211

create, capture and maintain information about the movement of and actions on
1212

records
.

1213

Agencies should develop and implement procedures regard
ing creating and ca
pturing
1214

records,
recordkeeping controls, storing, accessi
ng and disposing of records in the cloud
.

1215

A
genc
ies

should

ensure that their cloud service provider has the ability to provide the
1216

required auditing
and tracking
services
.
Contract
provisions regarding the lifecycle of the
1217

system, such as provisions for what happens when the system is decommissioned
, may be
1218

used to manage the systems. The service provider may supply the agency with regular
1219

reports on the operations, design specificat
ions and other documentation that demonstrates
1220

the reliability, integrity and performance quality of the systems used.

1221

Agencies can mitigate risks by ensuring that contractual obligations regarding recordkeeping
1222

requirements are clearly specified and inclu
de migration of data. Contractual service provider
1223

agreements should clearly identify:

1224



The ownership of the data, including any intellectual property rights or copyright;

1225


© State of Victoria 2012

Version
1.0

Page
37

of
43






Data migration requirements, including those to address the possible failure,
1226

expirat
ion, or cessation of service agreements, or new ownership of
the cloud. D
oes
1227

the data need to be mig
rated to a new provider or
to the agency?

1228



The format that the data is to be migrated in.

1229

Information gathered in auditing and tracking processes may include
:

1230



Date and time of movement;

1231



Physical location of the data;

1232



Who has custody of the data;

1233



How and why the data was moved; and

1234



Actions taken place on the data.

1235

4.4

Understanding the practical aspects of cloud services

Cloud computing is a relatively new term tha
t is constantly being redefined as new
1236

technologies are created

or augmented. T
here may be considerable differences in
1237

understanding what is meant by t
he term, which may have

recordkeeping implications.

1238

Software
-
as
-
a
-
service is usually defined as applicat
ions hosted in the cloud and acces
sed
1239

over the internet. A comprehensive

understanding of what this means is needed to be able to
1240

assess the recordkeeping risks that may be involved. For example:

1241



Whose application is it?
Is it the agency’s application
host
ed in the cloud solely for
1242

their use? If so, would this constitute a
p
rivate
c
loud scenario?

1243



Is it a shared application
hosted ‘in the cloud’ where multiple clients share the same
1244

software code but each client’s data is secure and not accessible by other c
lients? If
1245

so, does this constitute a
p
ublic
c
loud scenario?

1246



In either of these scenarios, how would an agency go about confirming whether the
1247

system will adequately meet their recordkeeping requirements?

1248

These questions have significant implications for r
ecordkeeping issues as they directly
1249

impact the degree of control an agency
will have

over the applications and their data. The
1250

greater
the
level of control and input that an agency can have into the customisation and
1251

configuration of an application, the m
ore likely they are to be able to meet their
1252

recordkeeping obligations.

1253

When talking about customisation and configuration, what does this actually mean? What are
1254

the differences
in difficulty
between configuring an implementation on your own server
1255

compar
ed with accessing an implementation
configured
on a cloud provider’s server(s)
1256

through online access?

1257

Agencies should conduct research to determine what they want from a cloud computing
1258

environment, and what a service provider can offer, to ensure that a s
hared, balanced and
1259

consistent understanding is reached by all parties.

1260

Question


Q 4.4
-
1: Are the above issues problems for you?

1261


Q 4.4
-
2: After reading this section, which of the above issues of cloud computing
1262

are most relevant to your agency?

1263


Q 4.4
-
3: Are there other issues that PROV has not considered?

1264


Q 4.4
-
4: What issues for your agency take precedent over the need to migrate to
1265

the cloud?

1266


© State of Victoria 2012

Version
1.0

Page
38

of
43




5.

Summary

The transition to a cloud based service provider needs to be carefully considered as a risk
1267

based

approach. Although PROV ideally would hope that agencies are able to maintain and
1268

service business records themselves, onsite and on premises or using Approved Public
1269

Record Office Storage Suppliers (APROSS) and Places Of Deposit (POD), PROV cannot
1270

ignore

the ongoing cost associated with this initiative and the attractive alternative that cloud
1271

computing service providers may provide Victorian State and local government agencies. It
1272

is imperative that agencies ensure they are meeting their recordkeeping o
bligations under
1273

the Act and PROV’s Standards and Specifications regardless of the environment. Agencies
1274

should anticipate the release of the
Recordkeeping Implications for Cloud Computing

policy.

1275

Question


Q
5
-
1: After reviewing this issues paper from PRO
V Is your agency still
1276

considering a move to the cloud environment?

1277


Q
5
-
2: Is your decision based on an assessment of the risks involved?

1278


Q
5
-
3: Will you be sourcing a provider from within Victoria or Australia?

1279


Q
5
-
4: If not what steps has your agency
taken your to ensure the cloud service
1280

provider will comply with the requirements of PROV?

1281


© State of Victoria 2012

Version
1.0

Page
39

of
43




6.

Definitions

The following terms are the major

general recordkeeping

terms of relevance for this
paper
.
1282

For terms specific to cloud computing, see Section 2.
For a
full list of records management
1283

and PROV terminology, see the
Master Glossary
.

1284

Authenticity

‘An authentic record is one that can be proven:



To 扥 w桡t it 灵r灯rts to 扥;





桡v攠扥敮 cr敡t敤 慮搠獥湴 批 t桥 灥r獯s w桯 灵r灯rt敤 to
桡v攠捲敡t敤 慮搠獥dt it; 慮d



To have been created or sent at the time purported.’
22

Disposal

A range of processes associated with implementing appraisal decisions
which are documented in disposal
authorities or other instruments.
These include the retention, destruction or deletion or records in or from
recordkeeping systems. They may also include the migration or
transmission of records between recordkeeping systems, the transfer of
ownership or t
he transfer of custody of records, e.g., to Public Record
Office Victoria.

Due Diligence

a thorough investigation or audit of the cloud service provider, prior to
signing the contract
.

Government
Agency

Any department, agency or office of the Government
of Victoria.
23

It
includes:



A湹 摥灡rtm敮t br慮捨 潲ooffi捥f t桥 G潶敲em敮t of Vi捴ori愻



A湹 灵扬i挠獴慴畴ory 扯dy 捯牰潲慴e 潲 畮i湣nr灯r慴敤;



A St慴a
-
潷湥搠敮d敲eris攠eit桩渠n桥 m敡湩n朠gf t桥 St慴攠Ow湥搠
E湴敲灲楳ps A捴 ㄹ㤲;



A湹 m畮i捩灡l 捯c湣nl;



A湹

潴桥o l潣ol g潶敲湩湧 扯摹 捯牰潲cte 潲 畮i湣nr灯rat敤; 慮d



A湹 Vi捴潲楡渠捯畲t or 灥r獯s 慣ting j畤i捩潵獬y.

Integrity

‘The integrity of a record refers to its being complete and unaltered.’
24

Keeper of
Public Records

The Keeper is the Director of Publi
c Records Office Victoria. The Keeper
of Public Records (‘the Keeper’) is responsible for the establishment of
pt慮摡r摳d f潲 t桥 effici敮t m慮agem敮t of p畢li挠 r散er摳 慮搠 f潲
慳獩獴i湧 ag敮捩敳e t漠 a灰ly t桯獥s pt慮摡r摳 t漠 r散erd猠 畮摥r t桥ir
捯ctr潬K
25

Permanent
Records

A public record which has been appraised by the Keeper of Public
Records as required to be kept as part of Victoria’s State Archives.
m敲e慮敮t r散er摳d 慲a 獰s捩fi敤 i渠
Retention & Disposal Authorities

issued by the Keeper.






22

Standards Australia,
AS ISO 15489 Australian
s
tandard on
r
ecords
m
anagement
, Standards Australia, Sydney,
2002, p. 7.

23

Public Records Act 1973
, s. 2

24

AS ISO 15489
,

p. 7.

25

Public Records Act 1973
, ss. 6
-
7.


© State of Victoria 2012

Version
1.0

Page
40

of
43




Personal
Info
rmation

Information or an opinion that is recorded in any form and whether true
or not, about an individual whose identity is apparent, or can be
reasonably ascertained, from the information or opinion.
26

Public Record

(a)

any record made or received by a
public officer in the course of
his duties; and

(b)

any record made or received by a court or person acting judicially
in Victoria


but does not include


(c)

a record which is beneficially owned by a person or body other
than the Crown or a public office o
r a person or body referred to in s. 2B
[of the Public Records Act 1973]; or

(d)

a prescribed record held for the purpose of preservation by a
public office to which it was transferred before the commencement of the
Arts Institutions (Amendment) Act 1994 b
y a person or body other than
the Crown or a public office; or

(e)

a record, other than a prescribed record, held for the purpose of
preservation by a public office to which it was transferred, whether before
or after the commencement of the Arts Instituti
ons (Amendment) Act
1994, by a person or body other than the Crown or a public office.
27

Reliability

‘A reliable record is one whose contents can be trusted as a full and
accurate representation of the transactions, activities or facts to which
they attest

and can be depended upon in the course of subsequent
transactions or activities.’
28

State Archives

Records identified as being of permanent significance to the government
and people of Victoria and maintained and controlled by Public Records
Office Victor
ia.

System

‘Information system which captures, manages and provides access to
records through time.’
29

Transfer
(Custody)

Change of custody, ownership and/or responsibility for records.
30

Useability

‘A useable record is one that can be located, retrieved,

presented and
interpreted.’
31






26

State Records Authority of New South Wales,
Guideline 12: Implementing a disposal authority
, State
Government of

NSW, Sydney, 2004.

27

Public Records Act 1973
, s. 2.

28

AS ISO 15489
,

p. 7.

29

AS ISO 15489
, p. 3

30

AS ISO 15489:1
, s. 3.20.

31

AS ISO 15489
, p. 7.


© State of Victoria 2012

Version
1.0

Page
41

of
43




7.

Appendix Two: Federal Government Strategy

The Australian Federal Government has been circumspect in

its approach of
adopting cloud

1285

computing, due to their uncertainty over storing data in offs
hore data centres
32
. Given the
1286

de
cline in
ICT budgets
attributed
to the economic crises,
a number of Federal government
1287

agencies
have adopted

specific
cloud computing services.

The following agencies have
1288

undertaken work involving cloud computing
:

1289



Australian Taxation Office (ATO) has move
d eTax, Electronic Lodgement System
1290

(ELS) and Tax Agent Board administrative support systems into the cloud.

1291



Australian Bureau of Statistics has implemented a virtualization solution to enable
1292

transition to a private cloud environment.

1293



Treasury / ATO has m
igrated Standard Business Reporting (SBR) and Business
1294

Names projects into the Cloud.

1295



Department of Immigration and Citizenship (IMMI) initiated a proof of concept for the
1296

provisioning of an end
-
to
-
end online client lodgement process on a cloud platform.

1297



A
ustralian Maritime Safety Authority has implemented a Public Cloud for SaaS and
1298

PaaS deployments from Salesforce.com.

1299



Department of Immigration and Citizenship (DIAC) has implemented a Hybrid Cloud
1300

for IaaS as a proof of concept.

1301



West Australian Health has

opted for a p
rivate cloud for

IaaS deployment. The data
1302

centres are expected to be completed

mid 2011.

1303

In terms of a more broad
-
based adoption, the
Federal
government has recently put together
1304

a framework to guide its cloud computing strategy. The Austral
ian
Federal
Government has
1305

already adopted a Whole of Government approach toward data centres to consolidate all its
1306

data centres requirements for the next 10
-
15
years with an

expected
savings of

$1 billion
1307

during that time period.

1308

The
Federal
Government
has adopted a three step process:

1309



Enabling

(Early 2011 onwards)
. This consists of e
stablish
ing

a Cloud Information
1310

Community to facilitate knowledge sharing and monitor international adoption trends
,
1311

and p
repar
ing

the Whole of Government Cloud adoption fra
mework.

1312



Public Cloud

(Early 2011 onwards)
. This consists of i
ncreasing adoption of the Public
1313

Cloud owing to maturing of services
(
public facing websites, such as
1314

data.australia.gov.au,
www.data.gov.au
, are

to be the

first to be transitioned
)
.

Based
1315

on its performance, government will identify a panel of Cloud service providers.

1316



Private and Community Clouds

(2012 onwards)
. This consists of i
ntegration of the
1317

Data Centre strategy with
the C
loud
S
trategy
, and e
stablish
i
ng

a Whole of
1318

Government Cloud storefront

a
doption of Private and Community Clouds based on
1319

costs and risks analysis.

1320






32
http://www.egov.vic.gov.au/trends
-
and
-
issues/information
-
and
-
communications
-
technology/cloud
-
computing.html



© State of Victoria 2012

Version
1.0

Page
42

of
43




8.

References

Australian Recordkeeping Initiative (ADRI) 2010,
Advice on managing the recordkeeping
1321

risks associated with cloud computing
, A
DRI, Canberra,
1322

<
http://www.adri.gov.au/products/Advice%20on%20managing%20the%20recordkeeping%20
1323

risks%20associated%
20with%20cloud%20computing.pdf
>
.

1324

Department of Business and Employment 2011,
Cloud computing and recordkeeping
,
1325

Department of Business and Employment, Darwin.

1326

Department of Defence 2011,
Cloud Computing Security Considerations,

Australian
1327

Government, Canb
erra.

1328

Hurwitz J, Bloor R, Kaufman M, Halper F 2010,
Cloud Computing for Dummies
, Wiley
1329

Publishing, Inc., New Jersey.

1330

Lateral Economics 2011,
The potential for cloud computing services in Australia
, Lateral
1331

Economics, Melbourne.

1332

National Archives of Austral
ia 2011,
Outsourcing digital data storage
, NAA, Canberra,
1333

<
http://www.naa.gov.au/records
-
management/agency/secure
-
and
-
stor
e/naa
-
1334

storage/outsourcing
-
digital
-
data
-
storage/index.aspx
>
.

1335

National Archives of Australia 2011,
Records management and the cloud
, NAA, Canberra,
1336

<
http://www.naa.gov.au/records
-
management/agency/secure
-
and
-
store/naa
-
storage/rm
-
1337

cloud/index.aspx
>
.

1338

National Archives of Australia 2011,
A
C
hecklist for records management and the cloud
,
1339

NAA, Canberra,
1340

<
http://www.naa.gov.au/Images/Cloud_checklist_with_logo_and_cc_licence_tcm16
-
1341

44279.pdf
>
.

1342

Queensland State Archives 2010, Managing the recordkeeping risk associated with cloud
1343

computing, Queensland State Archi
ves, Brisbane,
1344

<
http://www.archives.qld.gov.au/publications/publicrecordsbriefs/managing_recordkeeping_ri
1345

sks_cloud_computing.pd
f

>
.

1346

State Records NSW 2011,
Managing recordkeeping risk in the cloud
, State Records, State
1347

Records NSW, Sydney, <
http://futurepr
oof.records.nsw.gov.au/wp
-
1348

content/uploads/2010/06/Managing
-
recordkeeping
-
risk
-
in
-
the
-
cloud.pdf
>
.

1349

Williams, Dr Mark I, 2010,
A Quick Start Guide to Cloud Computing, Moving your Business
1350

into the Cloud,

Anthony Rowe Publishing, United Kingdom
.

1351

Legislation

C
rimes Act 1958
(Victoria)

1352

Evidence Act 1958
(Vic
toria
)

1353

Freedom of Information Act 1982
(Vic
toria
)

1354

Health Records Act 2001
(Vic
toria
)

1355

Inf
ormation Privacy Act 2000
(Vic
toria
)

1356


© State of Victoria 2012

Version
1.0

Page
43

of
43




Local Government Act 1989

(
Victoria)

1357

Occupational Health and Safety Act 2004
(Vic
to
ria
)

1358

Public Administration Act 2004

(Vic
toria
)

1359

Public Records Act

1973

(Victoria)

1360

All current Victorian legislation is available at
http://www.legislation.vic.gov.au

1361

Standards

Public Record Office Victoria (
PROV) 2010,
Recordkeeping Standard PROS 10/
10

Strategic

1362

Management
, PROV Melbourne Victoria.

1363

Public Record Office Victoria (PROV) 2010,
Recordkeeping Standard PROS 10/1
3

Disposal
,
1364

PROV Melbourne Victoria.

1365

Public Record Office Victoria (PROV) 2010,
Recordke
eping Standard PROS 10/17
1366

Operations Management
, PROV Melbourne Victoria.

1367

Public Record Office Victoria (PROV) 2011,
Recordkeeping Standard PROS
11/01

Storage
,
1368

PROV Melbourne Victoria.

1369

Public Record Office Victoria (PROV) 2011,
Recordkeeping Standard PROS
11/07

Capture
,
1370

PROV Melbourne Victoria.

1371

Public Record Office Victoria (PROV) 2011,
Recordkeeping Standard PROS
11/09

Control
,
1372

PROV Melbourne Victoria.

1373

Public Record Office Victoria (PROV) 2011,
Recordkeeping Standard PROS
11/10

Access
,
1374

PROV Melbourne Victo
ria.

1375


1376

Other Resources

For more information about recordkeeping, please contact:

1377

Government Services

1378

Public Record Office Victoria

1379

Ph: (03) 9348 5600

1380

Fax: (03) 9348 5656

1381

Email:
agency.queries@prov.vic.gov.a
u

1382

Web:
www.prov.vic.gov.au

1383