Final | January 2017 | v2.0.0 | PUBLIC | QGCIO
This Queensland Government Enterprise Architecture (QGEA) policy ensures that departments adopt adequate risk management and governance procedures when making decisions associated with offshore storage of departmental data.
For the purpose of this policy, ‘ICT-as-a-service’ includes all forms of externally provisioned ICT services, ranging from managed services to cloud services.
Examples of externally provisioned managed services include:
- an ICT service or function such as application, network or server management
- application hosting
- web hosting
- managed capacity for the provisioning of ICT assets
- combinations of the above.
Examples of cloud services include:
- software as-a-service, e.g. social media, on-line collaboration
- platform as-a-service
- infrastructure as-a-service
- business process as-a-service
- customer relationship management as-a-service
- identity as-a-service
- storage as-a-service.
For the purpose of this policy, ‘data’ includes raw data, metadata, information, digital records, as well as any secondary copies taken for data protection, business continuity or for any other purpose.
This policy should be read in conjunction with the Queensland Government ICT-as-a-service Decision Framework. This tool stipulates assessment criteria addressing key areas of risk, in particular availability, performance, security, and offshoring of data, with suggested treatments to ensure a consistent approach to ICT decision-making across Queensland Government.
The Queensland Government performs proper due diligence and adherence to information security policies and standards prior to storing or processing Queensland Government data outside of Australia as part of an ICT-as-a-service.
Using ICT-as-a-service providers located outside Australia (offshore) introduces additional risks beyond those of Australian-based providers. Of particular note is that the data becomes subject to the privacy and security laws of the country in which it is stored or processed. Assessing and managing these associated risks and issues will ensure that departments are able to:
- understand data offshoring implications that inform decision making relating to ICT-as-a-service
- include appropriate contractual terms and conditions to ensure the service provider’s compliance, which enable:
  - compliance with relevant legislation, standards, and policies
  - protection of offshored data from unauthorised access
  - protection of offshored data from loss
  - retrieval of offshored data
- obtain the necessary approval to proceed with offshore services from an accountable officer representing the business.
This policy applies to all Queensland Government departments and internal Queensland Government ICT service providers.
The policy also applies both to data owners and to data custodians.
Policy requirement 1: Offshoring data must be subject to an information security classification assessment
Departments must use the Queensland Government Information Security Classification Framework (QGISCF) to determine the data’s information security classification and implement the necessary classification management controls. The following table provides the restrictions based on the classification outcome (relevant to both the Queensland and Federal classification schemas):
| Information security classification | Restrictions |
|---|---|
| Above PROTECTED | Data must not be stored offshore. |
| PROTECTED or CABINET-IN-CONFIDENCE and below | Data can be stored offshore subject to a risk assessment and appropriate approvals (refer to policy requirements 2 and 4). |
The first step in determining whether offshoring is an option is to understand the information security classification of the data in question. This classification helps to identify whether the data is suitable for cloud storage and what controls, such as encryption, are necessary.
Further information is provided by the Queensland Government Network Transmission Security Assurance Framework (NTSAF), which assists agencies in securing network transmission in line with the QGISCF. Further information on the importance of information security classification for offshore decision making can be found in the Queensland Government ICT-as-a-service Decision Framework.
Information security classification addresses the requirement for confidentiality only. An overall risk assessment must therefore also be performed for information classified as PROTECTED and below, so that the impact and probability of the other issues associated with offshoring are understood.
Policy requirement 2: A risk assessment must be conducted prior to offshoring information classified as PROTECTED and below
At a minimum, departments must address the following issues as part of their risk assessment:
- ability to comply with legislation that is specific to that department
- maintaining data ownership
- recovery of data that cannot be retrieved or is lost by the service provider
- inappropriate disclosure of data by the service provider
- unauthorised access to data
- availability and integrity of data
- business continuity
- compliance with other relevant state and commonwealth legislation
- laws in the hosting country that may have an adverse impact on data management
- information privacy (as per the Information Privacy Act 2009 (Qld) in particular Section 33)
- recordkeeping (as per the Public Records Act 2002, and Records governance policy)
- reporting breaches of privacy and security requirements.
In moving to external as-a-service provisioning, departments are still responsible for examining any legislation, standards and other compliance requirements that are relevant to their data. The ICT-as-a-service risk assessment guideline (part of the ICT-as-a-service Decision Framework) is designed to assist departments in developing a risk assessment when considering the use of external services. This guideline outlines the key as-a-service considerations/risks that departments should address as part of their existing risk management processes. The guideline incorporates advice from a range of key sources and also directs departments to relevant guidance provided by others, including:
Policy requirement 3: Offshored data must be adequately protected through contractual arrangements
Departments must ensure that ICT-as-a-service contracts or service level agreements include sufficient and binding clauses to ensure that identified risk and compliance matters associated with offshore storage of data are adequately addressed. In addition, contracts must also provide for mechanisms to ensure the service provider maintains adequate and transparent levels of assurance (e.g. access to audit reports).
Contracts and service level agreements are a legal recourse available to departments to ensure that suppliers are appropriately managing issues and adequately undertaking compliance activities. The practicalities of enforcing legal contractual arrangements drafted in foreign jurisdictions should be carefully assessed. As an example, privacy laws in foreign jurisdictions may be less stringent than those required by Australian law.
New or existing ICT contract templates should address ICT-as-a-service implications in the following key areas during drafting:
- protection of data/information (including mandatory breach reporting)
- confidentiality and privacy
- audit
- compensation: data loss and/or misuse
- ending the arrangement, including termination
- change of control
- dispute resolution
- rights and obligation transfers
- intellectual property ownership
- automatic updating
- performance management
- terms changeable at provider discretion
- mandatory breach reporting.
The Queensland Government ICT-as-a-service risk assessment guideline and ICT-as-a-service Decision Framework can provide further guidance on common ICT-as-a-service contractual issues that may relate to an ‘ICT as a service’ initiative. The Queensland Information Technology Contracting (QITC) framework includes Module 3 – As-a-service and Module 6 – Managed Services that can be used with the Comprehensive Contract Conditions. In addition, the Australian Government Information Management Office (AGIMO) has published a better practice guide: Negotiating the Cloud: Legal Issues in Cloud Computing Agreements that details a number of core legal issues including implications relating to offshore data storage.
Policy requirement 4: Decisions to use offshore ICT-as-a-service must be approved by the appropriate authority
Departments must ensure that the decision to offshore data is governed appropriately within their ICT governance programs. The approval processes must be commensurate with the data classification and risk assessment findings (as outlined in policy requirements 1 and 2).
The appropriate approval authority is as follows:
| Information security classification | Agency approval authority | Whole-of-government endorsement authority |
|---|---|---|
| PROTECTED or CABINET-IN-CONFIDENCE | Department’s Chief Executive Officer | Chief Executive Officer (or nominated delegate) of HPW |
| Below PROTECTED | Department’s Chief Executive Officer (or nominated delegate) | N/A |
Prior to seeking final approval from the business, departments should incorporate decision-making concerning the use of offshore services into their existing governance processes. This provides unified stakeholder endorsement between the business and IT and ensures all issues are thoroughly considered. Departments need to clearly document the business impact, risks, issues and mitigation strategies concerning offshoring of data so that informed decisions can be made. This includes not only the risks of offshoring, but also the risks of not progressing to a suitable ICT-as-a-service, as these may outweigh any risks of offshoring.
The Chief Executive Officer remains accountable for the proper management of the department’s data.
Issue and review
Issue date: 6 January 2017
Next review date: January 2018
This QGEA policy is published within the QGEA which is administered by the Queensland Government Chief Information Office. It was developed by the Queensland Government Chief Information Office and approved by the Queensland Government Chief Information Officer.
This policy comes into effect from the issue date.