Tuesday, January 04, 2011

recordkeeping risks associated with cloud computing

The Council of Australasian Archives and Records Authorities has produced a useful document: "Advice on managing the recordkeeping risks associated with cloud computing" (Cassie Findlay, Australasian Digital Recordkeeping Initiative, 29 July 2010). This is a 17 page Microsoft Word document. It is intended for Austrlaian and NZ government agencies, but the advice give will also be of value to non-government organisations. The risks in cloud computing should give members of boards, office holders, CIOs and CEOs pause to think before decided to move records into the cloud to save costs. Decision makers in government and non-government organisation should be aware that they may be subject to civil and criminal law in the jurisdiction where the cloud service operates, as well as where their organisation is based:
Contents

1 Purpose 5

2 Background 6

3 Scope 8

4 Managing the recordkeeping risks associated with cloud computing 9

4.1 Identify risks 9

4.2 Assessing risks for different records 11

4.3 Perform ‘due diligence’ when selecting a cloud computing provider 11

4.4 Establish contractual arrangements to manage known risks 12

4.5 Monitor arrangements with cloud computing service providers 14

5 Bibliography 15

Appendix A: Recordkeeping checklist for government organisations considering using cloud computing service providers 16

Records and archives authorities have a role to play in advising government organisations appropriately on the use of cloud computing for the storage and processing of government information. Government organisations need to ensure this advice is followed when entering into cloud computing arrangements so that recordkeeping risks can be properly managed. ...

The act of sending or storing of records outside a State, Territory or Country might be, in itself, a breach of local laws ...

Provider might fail to comply with legislation or standards of the record-creating jurisdiction ...

Records may be subject to legislation and other requirements of the storage jurisdiction ...

There may be risks associated with unauthorised access to records ...

There may be a risk of a loss of access to records ...

There may be a risk of record destruction or loss ...

The evidential value of records may be damaged...


From: Advice on managing the recordkeeping risks associated with cloud computing, Cassie Findlay, CAARA, ADRI, 29 July 2010).


No comments: