The Long-term Access to Trusted Digital Information: Risk Identification Tool is a tool to assist public sector agencies to identify risks that may apply to digital information that is owned or managed by them.
The risks identified using this tool affect the day to day operation of agencies’ business in addition to the long term strategic goal of enabling long term access to their digital information. A key benefit of this tool to agencies will be identifying shorter term operational risks.
The Risk Identification Tool is intended to be used by public sector agencies. Within agencies it may be of particular of use to the following groups:
The Risk Identification Tool is intended to be used as a checklist to identify risks to long term access to digital information in public sector agencies.
To use the checklist follow these steps:
The output of applying the checklist will be an identified set of risks that apply to your agency in the categories chosen and, either an identified set of mitigations, or an identified set of risks for which mitigations are not yet known.
It may also be useful to identify relevant risk indicators. Indicators are measurable attributes or characteristics that can be used to determine whether particular risks are relevant to your agency. Once risk indicators have been identified that are applicable to your agency, they can be incorporated into regular risk assessments and risk planning activities.
|
|
| 23 |
Back-up copies fail leading to information loss |
| Category(s): |
|
| Example(s): |
- Back-up copies of important digital information are only held in cities that are on the same earthquake fault line leaving a high probability that both will be lost in the event of an earthquake.
- Back-up copies of important digital information are only held within the same secure network so that a malicious attack could destroy the content in all copies through a single point of entry
|
| Indicator(s): |
- Backups not regularly tested
- Testing of back-ups shows issues
|
| Mitigation(s): |
- Distribute Back-up copies of important digital information widely to varied physical environments
- Test disaster recovery/Back-up plans/strategies.
- Pre-empt media obsolescence with anticipatory investment
- Allocate a proportion of staff time to monitoring the expected lifetime of storage media and assessing the potential value of emerging technologies
- Maintain system technologies and security to limit likelihood of data corruption or malfeasance
- Record and compare checksum information corresponding to redundant packages on a regular basis
- Distribute Back-up copies of important digital information widely to varied secure Network environments
|
| Other Government Mitigation(s): |
|
| 25 |
Large-scale natural or man-made disaster leads to information being lost because proper precautions were not taken or the precautions taken were not comprehensive enough |
| Category(s): |
|
| Example(s): |
- Earthquake, Cyclone, Tsunami or Flood causes damage to facilities holding digital information
- Temporary disruption to Agency's electrical supplies due to substation failure
- Back-up copies of important digital information are only held in cities that are on the same earthquake fault line leaving a high probability that both will be lost in the event of an earthquake.
- Back-up copies of important digital information are only held within the same secure network so that a malicious attack could destroy the content in all copies through a single point of entry
|
| Indicator(s): |
- Official Disaster warning
- Information residing in a disaster prone area such as on an earthquake fault line
- Information residing is a leaky building
|
| Mitigation(s): |
- Monitor for likelihood of applicable environmental concerns
- Use strategies and plans from other similar areas that have been tested thoroughly
- Test disaster recovery/Back-up plans/strategies.
- Establish internal means to nullify disruption wherever possible, such as installing a petrol electricity generator and UPS systems
- Establish redundant storage facilities at remote location
- Take physical precautions against the most locally profound likely such as installing earthquake bracing.
|
| Other Government Mitigation(s): |
|
| 27 |
Untested disaster recovery plans lead to information being lost in the event of a disaster |
| Category(s): |
|
| Example(s): |
- Back-up tape drive not actually plugged in so tape backups are empty of content when original copies are lost due to disaster
|
| Indicator(s): |
- Disaster recovery plans do not exist
- Disaster recovery plans have never been tested
- Lack of awareness of disaster recovery plans
|
| Mitigation(s): |
- Test disaster recovery/Back-up plans/strategies.
- Use strategies and plans from other similar areas that have been tested thoroughly
|
| Continuum Mitigation(s): |
|
| Other Government Mitigation(s): |
|
|
|
| 13 |
Information becomes practically inaccessible because it lacks documentation or metadata to enable it to be discovered or accessed |
| Category(s): |
|
| Example(s): |
- Agency does not know that it has valuable information that requires a particular piece of software to render it. It throws away the software thinking it is unneeded and later discovers the important information and can no longer access it
- Agency fails to document the changes made to high value or important records such as budget documents.
- Agency preserving social science data documents information about the SPSS format within which much of its content is encoded but fails to record the meaning of the acronyms used as field headings throughout these files
- A geophysical data centre records discovery metadata to facilitate searching only by name of data set, but researchers within the community wish to search based on the physical location where the data was acquired and the name of the instrument used. The information the researchers need is then effectively inaccessible as a result
- Many applications create "*.bat" files as part of their data storage file standards. These are often structured in unique ways that cannot be understood without comprehensive documentation.
- Agency preserving social science data documents information about the SPSS format within which much of its content is encoded but fails to record the meaning of the acronyms used as field headings throughout these files
- Without knowing that a document contains important confidential information an agency classifies it as open and releases it to the public.
|
| Indicator(s): |
- Lack of metadata standard in use for your important digital information
- Lack of metadata creation policy
- Reports of information being lost in your agency
|
| Mitigation(s): |
- Solicit community feedback as to the extent to which information remains understandable
- Record appropriate representation information such as file format information, taking into account community understandability requirements
- Use standard applications and file formats and document the file formats and applications used at point of creation of files
- Determine documentation and metadata needs including searchable fields in consultation with designated community
- Define policy to respond to fracturing of relationship between metadata and information
- Define and review policies and procedures describing the metadata schema that will be used within the Agency's activities
- Define, document and review policies and procedures describing the means by which metadata are associated with corresponding information packages and communicate this information widely within the organisation
- Ensure software and hardware systems and preservation strategies are capable of maintaining and recording provenance information
- Maintain and review policies and procedures to record the origins and lifecycle of information packages and any transactions or interactions that they have been subject to
|
| Continuum Mitigation(s): |
|
| Other Government Mitigation(s): |
|
| 20 |
Migration of data from one environment to another causes information to be lost |
| Category(s): |
|
| Example(s): |
- Contextual information is lost when a document is moved from one management system to another
- The rounding in a spreadsheet changes when the content is moved from one file format to another, dramatically affecting the information content of the spreadsheet
|
| Indicator(s): |
- Software upgraded in your agency
- Change of media used to store information in your agency
- Organisational restructure is occurring in your agency
|
| Mitigation(s): |
- Maintain redundant copies of information objects
- Document all information pre-migration and check that it has been preserved post-migration before destroying original copy
- Have a data management plan prepared pre-migration and implement it
|
| Continuum Mitigation(s): |
|
| 24 |
Information authenticity cannot be proven leading to information not being trusted |
| Category(s): |
|
| Example(s): |
- Agency fails to document the changes made to high value or important information such as budget documents.
- Information within a meteorological data centre is regarded as being insufficiently reliable to form the basis for scientific research
- A court of law refuses to admit information as evidence on the grounds that it is unreliable
|
| Indicator(s): |
- No recordkeeping policy
- A security vulnerability is known to exist in your agency's IT infrastructure
|
| Mitigation(s): |
- Ensure policies and procedures are conceived with due consideration of provenance requirements
- Ensure software and hardware systems and preservation strategies are capable of maintaining and recording provenance information
- Maintain and review policies and procedures to record the origins of information packages and any transactions or interactions that they have been subject to
|
| Continuum Mitigation(s): |
|
| Other Government Mitigation(s): |
|
| 34 |
Documentation of hardware/software is lost leading to information stored using that technology being inaccessible |
| Category(s): |
|
| Example(s): |
|
| Indicator(s): |
- Lack of hardware/software documentation library
- Lack of disposal authority for hardware/software documentation
|
| Mitigation(s): |
- Maintain multiple electronic and hard copies of documentation stored in multiple locations
- Define, document and review policies and procedures describing the means by which metadata and documentation are associated with corresponding information packages and communicate this information widely within the organisation
|
| 40 |
Lack of ability to prove the provenance of information leads to it being not trusted |
| Category(s): |
|
| Example(s): |
- Agency fails to maintain appropriate documentation describing the origins and lifecycle of a record and any transactions or interactions that it has been subject to
- Agency is unable to demonstrate the authenticity of records that purport to describe government departmental expenditure
- Agency fails to document the changes made to high value or important records such as budget documents.
- Records documenting government expenditure have been subjected to unauthorised or unanticipated changes, rendering them no longer representative of originally deposited content
|
| Indicator(s): |
- Inability to prove information provenance
- Lack of policy on information provenance
|
| Mitigation(s): |
- Maintain and review policies and procedures to ensure adequate recording of provenance information to demonstrate that archived material represents authentic representation of what was initially created
- Ensure policies and procedures are conceived with due consideration of provenance requirements
- Ensure software and hardware systems and preservation strategies are capable of maintaining and recording provenance information
- Maintain and review policies and procedures to record the origins and lifecycle of information packages and any transactions or interactions that they have been subject to
|
| Continuum Mitigation(s): |
|
| Other Government Mitigation(s): |
|
|
|
| 14 |
Lack of communication and awareness of value of information leads to it being lost |
| Category(s): |
- Organisational Infrastructure
|
| Example(s): |
- Database administrator deletes a database after a system upgrade as the "important stuff" has been moved to the new system. The deleted database contained important older information of which that database was the only copy.
- Staff do not consider certain information to be valuable as it has no direct business value to the organisation. However in conjunction with the information from another agency their information is extremely valuable. The information gets lost as staff do not take steps to adequately manage it over time
|
| Indicator(s): |
- A restructure or institutional change
- Lack of disposal authority for information held by your agency
|
| Mitigation(s): |
- Document all information assets and have a disposal authority for them
|
| Continuum Mitigation(s): |
|
| 15 |
Lack of ownership/responsibility for information leads to it being lost |
| Category(s): |
- Organisational Infrastructure
|
| Example(s): |
- Three different people appear to have the responsibility of maintaining access to information over time and as a result it does not get maintained as they each think the other two are maintaining it.
|
| Indicator(s): |
- A restructure or institutional change
|
| Mitigation(s): |
- Assign owners to all information assets held by your agency
|
| Continuum Mitigation(s): |
|
| Other Government Mitigation(s): |
|
| 17 |
Technology surpasses systems for capturing information created using it leading to important information being lost |
| Category(s): |
- Organisational Infrastructure
|
| Example(s): |
- An agency decided to give instant messaging technology to their staff to facilitate communication. A number of staff made important decisions using the technology and that information was lost as the application didn't support capturing it.
|
| Indicator(s): |
- New technology being implemented in an organisation
|
| Mitigation(s): |
- Do not implement new technology without having appropriate information management procedures in place to enable information created using it to be managed appropriately
|
| Continuum Mitigation(s): |
|
| 21 |
Information is not physically controlled by your organisation (such as information in a cloud based or other remote application) leading to information being lost or inaccessible. |
| Category(s): |
- Organisational Infrastructure
|
| Example(s): |
- Online survey company goes bankrupt and destroys all user data held on its servers.
- Cloud provider account expires after period of time and data held by provider is destroyed
|
| Indicator(s): |
- Information only accessible using remote or cloud based service
- Significant change in service provider stock price
- Service provider buy-out occurs
|
| Mitigation(s): |
- Make regular, local backups of information held remotely
- Have an exit strategy to enable you to get information out of a remote service before it is discontinued
- Monitor service provider license agreement and data management policy
- Monitor service provider stock price
- Established meaningful and appropriate exit arrangements in service provider contracts to enable you information to be fully migrated to alternative solutions.
|
| Other Government Mitigation(s): |
|
| 32 |
Lack of resources (financial or human) for information management leads to information being lost |
| Category(s): |
- Organisational Infrastructure
|
| Example(s): |
- Shortcoming in Agency's security provisions due to lack of resourcing is identified and used to gain unauthorised access.
- Insufficient resource to facilitate migration of content from an obsolete database to a current database leads to it being lost as the hardware it was running on failed.
|
| Indicator(s): |
- Inability to fund important information management projects
- lack of staff for important information management projects
- Information management projects behind schedule
|
| Mitigation(s): |
- Actively plan for adequate resourcing for information management activities
|
| Continuum Mitigation(s): |
|
| 42 |
Inability to assert control over information assets due to not being aware of their existence leads to information being lost or inaccessible. |
| Category(s): |
- Organisational Infrastructure
|
| Example(s): |
- Agency created a lot of information digitally 10 years ago, that information is no longer in use and nobody in the agency is aware of its existence. The information is lost or released inadvertently as a result
|
| Indicator(s): |
- Lack of documentation of information
- Data storage is fuller than it ought to be given the known information holdings of the organisation
|
| Mitigation(s): |
- Audit your agency's information holdings and catalogue/track all information assets that your organisation owns.
|
| 41 |
Inability to assert control over information assets due to not being able to locate them leads to information being lost or inaccessible |
| Category(s): |
- Organisational Infrastructure
|
| Example(s): |
- Documentation describing the Agency's directory structure, which represents relationships between metadata and corresponding objects, is irretrievably lost
- Inadequate or non existent naming conventions leads to information not being named correctly causing it to not be discoverable
- Inadequate classification system cause information not to be arranged correctly causing it not to be discoverable.
|
| Indicator(s): |
- Lack of metadata/documentation
- Lack of metadata creation policy
- Lack of metadata standard
|
| Mitigation(s): |
- Define, document and review policies and procedures describing the means by which metadata are associated with corresponding information packages and communicate this information widely within the organisation
- Solicit community feedback as to the extent to which preserved information remains understandable
- Create and maintain information classification, and give regular training about it.
- Define policy to respond to fracturing of relationship between metadata and information
- Define and review policies and procedures describing the metadata schema that will be used within the Agency's activities
|
| Continuum Mitigation(s): |
|
| Other Government Mitigation(s): |
|
| 43 |
Information systems and value are connected to those of other agencies leading to information being lost when those connections are broken or one agency neglects to maintain their information. |
| Category(s): |
- Organisational Infrastructure
|
| Example(s): |
- Agency 'A' has geographic data that must be layered on top of agency 'B's data in order to be understood. Agency B changes the structure of their data leading to Agency A's data effectively being lost.
- Agency use the API (Application Programming Interface) of another agency to create a information asset in real time based on both agency's data and has no way to capture the combined result. This information asset is the lost.
|
| Indicator(s): |
- Information held by agency is dependent upon another agency's information for value and meaning
|
| Mitigation(s): |
- Map information relationships and develop information maintenance agreements with agency's that hold information vital to the use and understanding of your agency's information.
- Retain copies of information from other agencies that your agency's information is reliant on
|
|
|
| 1 |
Unauthorised external Intrusion into information system leading to information being accessed inappropriately or altered |
| Category(s): |
|
| Example(s): |
- System is hacked and key logger installed without knowledge of systems staff
- Unpatched software security loophole hack
- An Intruder gains physical access to Agency through a security door that is wedged open
- e-Terrorism or physical terrorism
|
| Indicator(s): |
- Low awareness of technological security loopholes in your agency
- A security vulnerability is known to exist in your agency's IT infrastructure
- An intrusion has occurred in the past in your own or a similar system
|
| Mitigation(s): |
- Ensure availability of redundant copies of system state and archived information at remote geographical location
- Ensure as far as possible that all system interactions are reversible
- Monitor for suspicious network activity or physical activity that appears unusual
- Maintain, test and revise physical and software security in accordance with relevant standards
- Rebuild system to ensure there are no residual effects of system compromise
- Compel users to change passwords frequently
- Allocate staff time to analyse attempted security compromises and monitor security sources for details of known vulnerabilities
- Update software with latest security patches
- Limit execution of non-essential services
- Establish and regularly evaluate policies and procedures for physical and software security in accordance with relevant standards
- Allocate staff time to analyse system logs for details of security compromises
- Undertake appropriate measures to limit likelihood of system compromises, and implement monitoring to detect where attempts have taken place in accordance with relevant standards
|
| Other Government Mitigation(s): |
|
| 3 |
Information is inappropriately classified leading to it being inaccessible |
| Category(s): |
|
| Example(s): |
- No one is given the task of assigning access restrictions to a set of information and it is automatically made available. It contains details that shouldn't be made public and the reputation of the agency is damaged leading to the information it produces subsequently being not trusted.
|
| Indicator(s): |
- Inappropriate access restriction classification has been applied to information held by your agency
- Report of unexpected access to information in your agency
|
| Mitigation(s): |
- Regularly test access controls and security systems
- Ensure all information has an access classification associated with it
|
| Continuum Mitigation(s): |
|
| Other Government Mitigation(s): |
|
| 7 |
Deliberate internal disruption to system leading to information being lost or not trusted |
| Category(s): |
|
| Example(s): |
- e-Terrorism or physical (conventional) terrorism
- Disaffected staff members maliciously vandalise systems
|
| Indicator(s): |
- Security vulnerability is known to exist in your agency
- Staff dissatisfaction or disengagement
- Negative external perception of your agency's activities
|
| Mitigation(s): |
- Maintain, test and revise physical and software security in accordance with relevant standards
- Ensure availability of backup copies of information at remote geographical location
- Ensure as far as possible that all system interactions are reversible
- Remove staff members or ex-staff members that are likely to be disaffected and immediately revoke system privileges
- Monitor for suspicious network activity or physical activity that appears unusual
|
| Other Government Mitigation(s): |
|
|
|
| 5 |
Degradation of physical media that information is stored on leading to that information being lost |
| Category(s): |
|
| Example(s): |
- Faced with the loss of primary archival information, the Agency discovers that it is unable to restore content because backup tapes are irreparably corrupted
- Tape-stored content is inaccessible or corrupted due to physical deterioration of magnetic tape
|
| Indicator(s): |
- Checksum miss-match in stored data
- Data storage tapes smell vinegary
- observable damage to media such as scratches to optical media, water damage or bent hard drives
|
| Mitigation(s): |
- Recover as much content as possible, exploiting techniques such as digital archaeology and digital forensics
- Undertake regular 'fire-drill' tests to determine whether systems and data can be restored from backup
- Maintain multiple copies of backups
- Establish redundant storage facilities at remote locations
- Take physical precautions against the most locally likely disasters such as earthquake strengthening
- Monitor for likelihood of applicable environmental concerns
- Seek formal assurances or Service Level Agreements from hardware suppliers or providers of third-party hardware services
- Pre-empt hardware failure with anticipatory investment
|
| 6 |
Corruption of digital information content due to bit-rot leading to the information being lost |
| Category(s): |
|
| Example(s): |
- Faced with the loss of primary archival information, the Agency discovers that it is unable to restore content because backup tapes are irreparably corrupted
- Stat storage bits flip in a magnetic hard drive due to local atmospheric conditions leading to information being lost
|
| Indicator(s): |
- Checksum miss match in stored data
- Errors when accessing information via known working application
|
| Mitigation(s): |
- Allocate a proportion of staff time to monitoring the ongoing suitability of Agency hardware
- Undertake regular 'fire-drill' tests to determine whether systems and data can be restored from backup
- Store backed-up content in remote locations
- Maintain multiple copies of backups
- Establish redundant storage facilities at remote location
|
| 9 |
Accidental disruption of system leading to information being lost or not trusted |
| Category(s): |
|
| Example(s): |
- Staff member accidentally stops integral Agency software services
- Content is inadvertently deleted during business activities
|
| Indicator(s): |
- Lack of staff training in appropriate procedures
- Lack of physical access restrictions
|
| Mitigation(s): |
- Maintain, test and revise physical and software security in accordance with relevant standards
- Ensure availability of redundant copies of system state and archived information at remote geographical location
- Ensure as far as possible that all system interactions are reversible
- Monitor and train staff in use of systems
|
| Other Government Mitigation(s): |
|
| 18 |
Inability to access information because it requires a software application to render it that no longer exists |
| Category(s): |
|
| Example(s): |
- Agency stores information in many different formats and format variations. Overtime the ability to access the information stored in some of these formats is lost as support for the applications needed to render the information is discontinued.
|
| Indicator(s): |
- Obsolete file formats in use in your agency
- Software upgraded in your agency
|
| Mitigation(s): |
- Document and monitor software requirements for all information and have a plan in place to ensure software obsolescence does not affect your ability to render your information. For example, plan to make your information renderable through different software by migrating the content of files in obsolete formats to new formats. Or plan to virtualise/emulate your old software so as to maintain your ability to render the content in the obsolete file formats without any loss of information (e.g. formatting/macros etc).
|
| 19 |
Hardware failure or obsolescence causes information to be inaccessible |
| Category(s): |
|
| Example(s): |
- Back-up tape drive not actually plugged in so tape backups are empty of content when original copies are lost due to disaster
- Contemporary tape drives are incapable of reading dated storage media which is prolific throughout your agency
|
| Indicator(s): |
- Obsolete IT hardware in use in your agency
- Unsupported hardware in use
|
| Mitigation(s): |
- Use strategies and plans from other similar areas that have been tested thoroughly
- Test disaster recovery/Back-up plans/strategies
- Maintain redundant copies of information objects
|
| 22 |
Lack of awareness of the software needed to render files stored causes information stored in files to be inaccessible or lost |
| Category(s): |
|
| Example(s): |
- Documentation describing the Agency's directory structure, which represents relationships between metadata and corresponding objects, is irretrievably lost
- Many applications create "*.bat" files as part of their data storage file standards. These are often structured in unique ways that cannot be understood without proper and comprehensive documentation.
|
| Indicator(s): |
- Unknown file formats in use
- Lack of awareness of file formats in use
- Lack of policy on file formats
|
| Mitigation(s): |
- Define, document and review policies and procedures describing the means by which metadata are associated with corresponding information packages and communicate this information widely within the organisation
- Use standard applications and file formats and document the file formats and applications used at point of creation of files
|
| Other Government Mitigation(s): |
|
| 28 |
Inappropriate use of Digital Rights Management (DRM) technology leads to information being inaccessible in the future. |
| Category(s): |
|
| Example(s): |
- A document has DRM associated with it that requires connection to a server in order to unlock, the server went offline in 2007 and the information in the document can no longer be retrieved
- A DRM encumbered journal is purchased by a departmental library and a policy decision is made based on that purchased journal. Access to the journal is time-limited and expires after a certain period of time. The full and complete record of the policy decision becomes unavailable as a result.
- Information assets rely on particular software to be rendered. The software application requires regular connections to an external registration service. The service is discontinued and the information assets can no longer be accessed.
|
| Indicator(s): |
- Digital Rights Management (DRM) technology in use in agency
- Lack of policy on Digital Rights Management (DRM) technology
|
| Mitigation(s): |
- Limit use of DRM where possible
- Maintain an exist strategy to enable you to remove information from DRM technology
- Monitor DRM technology changes and ensure that infrastructure and documentation is always available to ensure you can access DRM encumbered information (e.g. monitor whether DRM authentication servers are still active)
|
| Continuum Mitigation(s): |
|
| Other Government Mitigation(s): |
|