MANAGING DIGITAL CONTINUITY

Transcription

1 MANAGING DIGITAL CONTINUITY Project Name Digital Continuity Project DRAFT FOR CONSULTATION Date: November 2009 Page 1 of 56

2 Contents Introduction... 4 What is this Guidance about?... 4 Who is this guidance for and how should I use it?... 5 What is the context of this guidance?... 5 What is the status of this guidance?... 6 Part 1: Understanding digital continuity Digital continuity: an introduction Digital continuity in brief Digital continuity in practice The impact of change on digital continuity Ensuring digital continuity The benefits of ensuring digital continuity Part 2: What you need to do Managing digital continuity Overview of managing digital continuity Stage 1: Understand digital continuity and recognise the need for action Why you need a whole organisation approach to ensuring digital continuity Actions to take Stage 2: Identify your information assets, IT environment and information utility Why you need to understand your information assets, IT environment and information utility Understanding the relationships between your information assets, utility requirements, and technical environment Actions to take Stage 3: Assess and manage risks to digital continuity Why you need to manage risks to digital continuity Actions to take Stage 4: Manage digital continuity through organisational and technological change Why managing change is key to digital continuity Actions to manage changes that could impact on digital continuity Actions to reduce the potential impact of change on digital continuity Actions to mitigate risks to digital continuity Actions to restore digital continuity Part 3: Who needs to do it Roles and responsibilities for ensuring digital continuity Digital Continuity Senior Responsible Owner (SRO) Senior Information Risk Owners (SIROs) Responsibility Chief Information Officers (CIO) Information Assurance (IA) programme managers and other IA professionals Risk Managers Page 2 of 56

3 3.6 Head of KIM KIM professionals working in the Information and Records Management areas Information Asset Owner (IAO) Chief Technology Officers (CTOs) Enterprise Architects/IT strategists IT Service Managers Procurement managers and commercial and contract managers Business Change Managers, Project and Programme Managers Part 4: How to measure success The digital continuity success model Further reading Page 3 of 56

4 Introduction What is this Guidance about? Digital continuity is the ability to use digital information for as long as you need to, and in the way that you need to, over time and through change. Ensuring digital continuity requires active intervention or information can easily become unusable a liability not an asset. Digital information is particularly vulnerable to loss of usability due to the fast pace of technological change, the complexity of digital systems and services, lock-in to proprietary formats, and the ever-increasing amounts of digital information we create and rely upon. Managing digital continuity should not be seen as a distinct activity, separate from what your business does now. It is not necessarily about new technology and expenditure; it is about managing digital information and business change in a way that ensures the continuity of your information so that you can use it as you want, when you want. Digital continuity means managing risks and maximising cost effectiveness This is pressing because, more than ever, change will be the only constant for Government departments and the wider public sector. And it is when your business needs, technical environments and organisational structures change that you can lose the effective use of essential digital information. Ensuring digital continuity must therefore be an integral part of change management, information management, IT management and information assurance. is developing a service for government, and the wider public sector, that will enable you to assess your specific digital continuity risks and issues, and to plan and take action. This includes a suite of practical, accessible guidance, and a commercial framework of tools and services. This guidance on provides an introduction to Digital Continuity, how it can be ensured, and the roles that need to be involved, and their responsibilities. Page 4 of 56

5 Who is this guidance for and how should I use it? This guidance is aimed at the person or role within an organisation that has been given overall responsibility for ensuring digital continuity the Senior Responsible Owner for digital continuity. The guidance provides an introduction to digital continuity and should be used to: Inform and educate staff on digital continuity Establish roles and responsibilities and a team for taking forward action to ensure digital continuity Begin preparation for assessing and managing risks to digital continuity Take the first steps to embedding digital continuity in Information Management and IT change management This guidance will also be of use for staff with a role in managing digital continuity, such as: Senior Information Risk Owners (SIROs) Chief Information Officers (CIOs) Chief Technology Officers (CTOs) and IT professionals Knowledge and Information Managers (KIM professionals) Information Assurance (IA) Programme Managers Information Asset Owners (IAOs) Change Managers, Programme and Project Managers What is the context of this guidance? This guidance on is part of a suite of practical, accessible guidance that is being delivered as part of the Digital Continuity service for government. We are producing guidance incrementally and in consultation with central government departments. This guidance is part of the high-level, first phase, designed to give you a clear overview of the types of activity and outcomes required to ensure digital continuity. As we work more closely with departments to understand their specific risks and issues, we will produce more detailed and specific guidance. For more information, visit Page 5 of 56

6 What is the status of this guidance? This is a consultation draft, and we welcome feedback to inform the next phase of guidance development. We are also keen to hear about examples of good practice and lessons learned. Please your comments to digitalcontinuity@nationalarchives.gsi.gov.uk. We will be developing more detailed guidance on how to undertake many of the actions outlined in this document in the next phase of guidance development Page 6 of 56

7 EXECUTIVE SUMMARY This guidance is for your organisation s senior responsible owner for digital continuity. It introduces you to the concept of digital continuity, why it is so important and the high level principles of managing it making sure that information essential to your business is complete, available and usable, and remains so over time and through periods of change. Digital continuity is firmly aligned with or embedded into wider government priorities and agendas, such as the operational efficiency programme, the National Information Assurance strategy and Information Assurance Maturity Model, and the revised Section 46 Code of Practice. This guidance suggests a four stage process your organisation could follow in order to assess and address digital continuity risks and issues, and gives more detailed actions in each section. You may find that you don t need to undertake every action given it will very much depend on the outcome of your digital continuity risk assessment, your risk appetite and your business requirements. But they should give you a clearer idea of the types of action you might consider. The guidance also outlines the types of roles you might want to involve in order to take the cross-organisational and cross-disciplinary actions required and outlines each role s responsibilities and drivers for action. Finally, it gives you success criteria so that, at each stage, you will be able to monitor progress against key performance indicators, and assess if you are successfully managing your digital continuity. By going through the four-stage approach outlined on the next page you can be confident that you are managing digital continuity coherently and effectively. You can tailor activities to suit your organisation s specific requirements and priorities, but each of the stages should help you to understand, assess and address risks to digital continuity, any existing issues, and embed digital continuity management in your organisation. Page 7 of 56

8 1. Understand digital continuity and recognise the need for action Ensure your Senior Information Risk Owner (or equivalent) is aware of digital continuity Assign a Senior Responsible Owner (SRO) for managing digital continuity Ensure Information Technology (IT), Information Assurance (IA) and Knowledge and Information Managers (KIM) managers understand digital continuity and their responsibilities Establish a multi-disciplinary team to take action Engage IT providers on the issues, and their responsibilities Include managing digital continuity as a driver in relevant strategies Build a business case for further action 2. Identify what information assets you have, their technical environment and how you want to use them Get SIRO agreement to use your Information Asset Register (IAR) to support managing digital continuity Identify your information assets Define the business utility of your information (how your business needs to use the information it has) Understand the technical environment supporting your information Compile a full Information Asset Register Ensure your information assets have accountable owners Identify areas of potential risk Identify savings and efficiencies 3. Assess and manage risks to maintaining digital continuity Create a framework for managing risk Undertake a risk assessment Create and implement a prioritised digital continuity action plan Embed ongoing digital continuity risk assessment Page 8 of 56

9 4. Manage digital continuity over time and through organisational and technological change Assess the impact of organisational or business change on digital continuity Assess the impact of asset, information management or IT change on digital continuity Reflect digital continuity in business plans and enterprise architectures Standardise your technical environment Embed digital continuity in the management of your information assets Take action to mitigate the risks to digital continuity Resolve issues and restore digital continuity We are developing guidance incrementally, in consultation with central government departments, and to reflect learning from the digital continuity risk assessments that we are carrying out. This guidance is intentionally high level it s only phase one. Its aim is to help you to understand what actions you may need to take in order to manage digital continuity. It does not tell you how to take those actions. This will be covered by the second and third phases of our guidance, which will be made available on our website in draft form as we produce them: If, after reading this document, you would like to put forward suggestions for the more detailed how to guidance you would like, please let us know. your suggestions to digitalcontinuity@nationalarchives.gsi.gov.uk marking your for the attention of the guidance workstream. Page 9 of 56

10 PART 1: UNDERSTANDING DIGITAL CONTINUITY 1. Digital continuity: an introduction This section of the guidance will help you to understand the concept of digital continuity and the high-level principles of how to manage it. Information is a valuable asset that must be safeguarded. In the case of information held by public authorities and businesses.people want to be certain that it is held securely, maintained accurately, available when necessary and used appropriately Sir Richard Mottram, Foreword, National Information Assurance Strategy. Authorities should know what records they hold and where they are, and should ensure that they remain usable for as long as they are required The Lord Chancellor s Code of Practice on the Management of Records Digital continuity in brief Digital continuity is the ability to use digital information for as long as you need to, and in the way that you need to, over time and through change. Ensuring digital continuity enables you to work efficiently and effectively, while safeguarding the information you rely on to operate legally, accountably and transparently. It s an essential part of good information, IT and business change management. The need to ensure digital continuity is now embedded into wider government priorities and agendas. For example, it is included in Section 46 Code of Practice; the National Information Assurance strategy and the Information Assurance Maturity Model and Assessment Framework, and the new Office of Government Commerce (OGC) model agreement for ICT services. For more detail, visit Page 10 of 56

11 1.1.2 Digital continuity in practice You have ensured your digital continuity when your digital information continues to be: Complete: Everything you need to use and understand the information is there including the content and context, such as metadata so, for example, you have still got links to external files or you have maintained important connections between files and metadata. Available: This means you can find what you need and it can be opened with available technology so, for example, your information is stored in formats or systems that are not obsolete, and in the right versions for processing using existing IT applications. Usable: That means that it is fit for purpose and can be used in a way that meets the business needs of the organisation so, for example information is not locked into formats or systems that restrict your ability to use or re-use it, or restrict the tools you can use to process it. Managing digital continuity means ensuring that the IT you have supports the information you have in the way you need to use it not just today, but as technology and business needs change and digital information ages. Page 11 of 56

12 1.1.3 The impact of change on digital continuity Digital information is particularly vulnerable to change. It is reliant on complex systems, formats and media to support it, and the expertise and understanding of the people who manage it. Ensuring digital continuity depends on managing change in a way that ensures you can continue to access your information assets - and managing your information assets and IT in a way that gives you flexibility to reduce the risks arising from change and seize on the opportunities it brings. The changes that pose a risk to digital continuity include those to: technology and the information assets themselves policies and processes that govern how the information is managed the organisational structures that create and use the information and the business drivers that determine how the information needs to be used For example, the software applications used to create most public sector information are constantly changing and evolving if these applications no longer support the information you have previously created then you have a continuity problem. If your business needs change, for example after machinery of government changes, or to respond to new opportunities and challenges, the way you need to use information could change too. You will have continuity issues if your information assets, information management and IT systems do not support the way you now need to use your information, or you lose vital expertise in the formats and systems in which they are managed. Information assets can also be changed by the way you manage them for example if you migrate information into new formats or systems you could change or lose essential metadata or functionality you will have a continuity issue if this leads you to being unable to find or use the file as you need to. Page 12 of 56

13 1.1.4 Ensuring digital continuity Ensuring digital continuity involves making sure that your information assets and your technical environment provide the use you need from your digital information and that this usability is maintained as your organisation and technology changes. Ensuring this drives operational efficiency because it helps to ensure that you are working optimally, and not supporting capability or resource that the business does not need. Digital continuity can only be ensured when your business utility, technical environment and information assets are aligned and continue to be aligned through change. In other words, when: You know what digital information assets you have and the nature of the technical environment that supports them. You understand how you need to use them the utility you need from the information, including what information to keep, who needs to use it and in what way now and in the future. And you then make sure that your technical environment and way you manage your information assets support and provide this utility, keeping this alignment through change thus ensuring that digital continuity is ensured and maintained Aligning your information assets, technical environment and business needs may sound obvious, but they can easily change relative to each other, and slip out of alignment if these changes are not effectively managed - leaving you with information assets you can t use, or technology supporting information in a way that doesn t meet your needs. At best this creates inefficiencies. At worst it can result in the loss of the information you need. This requires ongoing planning and action and collaboration between those responsible for information management, IT, business change and information assurance to manage the operational changes that could put your digital information at risk. The digital continuity service will provide guidance, and a framework of tools and services, to support you in this. Page 13 of 56

14 Information Assets Technical environment unrequired assets unnecessary support complete available usable: digital continuity unrequired capability unsupported assets unused capability unfulfilled utility Utility Diagram 1: ensuring digital continuity This diagram shows where you will need to manage these changes and ensure continuity through continued alignment and how ensuring digital continuity can deliver real efficiency benefits, with opportunities to dispose of the information and IT that you do not really need The benefits of ensuring digital continuity Ensuring Digital Continuity will enable you to realise a number of benefits, including: cashable savings and operational efficiency, for example by identifying and rationalising unrequired information assets and unrequired technical capability. avoiding future costs and risk by minimising the impact of change, reducing the risk of losing data and expensive recovery costs and building flexibility into your digital information environment. effective delivery of primary business outcomes by identifying where greater business value can be released from digital information assets to support effective service delivery and information re-use. Legal compliance and public accountability because the information you need is available and usable as and when you need it Page 14 of 56

15 For more information on the benefits, see our guidance on An Overview of the Benefits of Ensuring Digital Continuity 1. 1 See Page 15 of 56

16 PART 2: WHAT YOU NEED TO DO 2 Managing digital continuity This section of the guidance will help you understand the action you need to take to ensure digital continuity. It describes what high level actions are needed - more detailed guidance on how to take this action will be developed as the project progresses. 2.1 Overview of managing digital continuity This guidance will provide an introduction to managing digital continuity through the following stages: Stage 1 Understand digital continuity and recognise the need for action Stage 2 Identify what information assets you have, their technical environment and how want to use them Stage 3 Assess and manage risks to maintaining digital continuity Stage 4 Manage digital continuity over time and through organisational and technological change Diagram 2: Overview of managing digital continuity Page 16 of 56

17 2.2 Stage 1: Understand digital continuity and recognise the need for action This section of the guidance is to help you get started and ensure that digital continuity is widely understood across the organisation. It explains the importance of a collaborative and coherent approach between the relevant parts of the business. Build a business case for further action Ensure your SIRO is aware of digital continuity Assign an SRO for managing digital continuity Include managing digital continuity as driver in relevant strategies Stage 1 Understand digital continuity and recognise the need for action Ensure IT KIM and IA managers understand digital continuity and responsibilities Engage IT providers on issues and responsibilities Establish a multidisciplinary team to take action Diagram 4: Understand digital continuity and recognise the need for action Page 17 of 56

18 2.2.1 Why you need a whole organisation approach to ensuring digital continuity To ensure that digital continuity is managed effectively and comprehensively, and the associated benefits and efficiencies are realised, it needs to be addressed collaboratively at the right levels across the organisation. This means that it needs to be understood and owned by several disciplines, including Information Technology (IT), Information Assurance (IA), Enterprise Architecture (EA), and Knowledge and Information Management (KIM) professionals. This can only happen if senior managers have sufficient understanding of the benefits and risks to champion appropriate governance and action at the right levels in the organisation and across appropriate business units. It is also essential that senior managers understand how ensuring digital continuity can help support strategic priorities around business delivery and creating efficiencies, and that managing digital continuity is a core part of managing information risk. They will need to assess where existing work practices, policies and systems need to be amended to ensure that you are operating in a way that can deliver digital continuity and provide the resources you need to embed this as part of business as usual operation and change management. A Senior Responsible Owner with responsibility for championing digital continuity across professional groups and building a team to deliver digital continuity is crucial to ensure that this issue is understood across the organisation, managed effectively and eventually embedded by your operational teams Actions to take You can undertake these actions now, to kick start your organisation s approach to digital continuity management. 1. Ensure your Senior Information Risk Owner (SIRO) is aware of digital continuity and understands that ensuring it is managed forms part of their responsibility, as a key part of managing information risks. The SIRO needs to ensure a Senior Responsible Owner is appointed to take forward action on digital continuity. Page 18 of 56

19 2. Assign a Senior Responsible Owner (SRO) who is responsible for overseeing digital continuity management in your organisation, ensuring that the right systems and structures are in place, that risks are managed and that the business requirement for digital continuity is expressed in any relevant strategies and plans. The SRO will drive forward action on digital continuity and establish a multi-disciplinary team to deliver digital continuity and identify risks. They should have a clear route for elevating issues to board level as necessary. 3. Ensure that relevant managers across the Information Management (KIM), Information Technology (IT), Enterprise Architecture (EA), Information Assurance (IA) and business change functions understand digital continuity and their roles in exploring the issues. This could be via specific training programmes, presentations on the subject or distribution of fact sheets and other guidance about digital continuity (which is available from 4. Organise a meeting of relevant KIM, IT, EA, IA and business change, such as programme and project management functions, so that they can start to develop a shared understanding of the business utility your organisation needs from its digital information, and how their decision-making and planning need to align to deliver this over time and through change. 5. Agree with the SRO a core project group to take forward work to ensure and embed digital continuity (including meeting the requirements of the Information Assurance Maturity Model) 2 that includes representation from the relevant functions and is appropriately resourced. 6. Engage with your IT providers so that they understand digital continuity and that they may have a role in maintaining the usability of your digital information. 7. Include maintaining digital continuity as a key business requirement and driver in your organisation s strategic vision for KIM, IT and IA and incorporate into relevant policies, projects and business planning. 2 See assessment framework_v2.pdf Page 19 of 56

20 8. Build the business case you need to secure the resource to undertake a digital continuity risk assessment and embed digital continuity in the organisation. This should set out the compelling business reasons why your organisation needs information to remain usable over time. For more help with the benefits and drivers behind digital continuity, see An Overview of the Benefits of Ensuring Digital Continuity. Page 20 of 56

21 2.3 Stage 2: Identify your information assets, IT environment and information utility This section of the guidance explains how understanding what information assets you have, the business value and technical profile of those assets, and the nature of the technical environment that supports them enables digital continuity. The actions in this section will support you in using your information asset register (IAR) to manage digital continuity. Diagram 5: Identify your information assets, IT environment and information utility Why you need to understand your information assets, IT environment and information utility Digital continuity can only be ensured when your information utility needs, technical environment and information assets are aligned (see diagram 1). Page 21 of 56

22 To do this, you must first understand what information assets you have, from the perspective of information content and business use rather than systems or media. Understanding and describing your information as assets will help you to ensure that your organisation recognises the value of information and the need to manage and protect its investment in creating it. This will have the added benefit that it will start to drive the culture change you need to become an organisation that values its information, rather than seeing it as a liability. You need to understand what digital information you need to keep, who needs to use it, and how you need to use it, defining the utility you need from it now and over time. Once you understand this utility requirement, you can ensure that your technical environment and the way you manage your information assets, support and provide this utility, and do so in the most efficient way. This will allow you to understand the potential impact of change on the continuity of your digital assets, and to make informed decisions about where to prioritise investment in ensuring the continued usability of your information. This is the route to ensuring digital continuity. It should also highlight where savings can be made by not maintaining information or technical support unnecessarily By business utility of information we mean: a) the digital functionality that you need from your information asset in order for your business to benefit from using it for example, the ability to find it, open it, read it, copy it, edit it, move it, print it off. This functionality is delivered by the technical environment in which the information assets sit. b) the inherent value that can be derived from the information asset as a result of being able to rely on its provenance, and as a result of being able to understand its full meaning and significance from the context it has. This is delivered both by the technical environment and by the implementation of information management business rules that specify audit trails and metadata standards for example. c) the actual or potential relevance and usefulness of the information asset over time, given a) and b), to business or public use, reuse or analysis, legal retention or discovery, to public accountability or to the historic record. Page 22 of 56

23 To build this understanding of your utility, you will need to answer the following questions: What types of information do we create and manage? Who creates which types of information and who is responsible for them, now and over time? How is that responsibility defined? How does the organisation need to use its information, now and in the future? What is its utility both to your organisation and to third parties? Which types of information need to be kept and for how long? Where is each type of information stored and in what format or system? Do we need the functionality these provide? What does our information cost to maintain through its lifecycle to disposal, including creating, using or recreating? Understanding the relationships between your information assets, utility requirements, and technical environment In order to manage the alignment of your information assets, utility requirements and technical environment, you need the capability to map the relationships between the three. You need to be able to relate all relevant elements to each other, in order to understand the impact of change in any one area and identify the most efficient way of ensuring that you get the utility you require from the information you need. We suggest that you exploit your Information Asset Register (IAR) as the primary mechanism for documenting what you know about your information assets, utility requirements and technical environment, and for understanding the relationships between them. The term Information Asset Register has been used to describe both a register of information systems and a register of public sector information available for re-use. A broader Information Asset Register for your organisation, encompassing both of these and more, can play a major role in helping you to address digital continuity. Page 23 of 56

24 In most organisations the IAR has been set up as an Information Assurance tool, championed by the Senior Information Risk Owner (SIRO) and with a focus on information security. However Information Assurance is also concerned with availability and integrity, not just security, and availability and integrity are key outcomes of digital continuity. There should therefore be good synergy between your digital continuity and information assurance objectives, allowing you to develop the IAR for the purposes of digital continuity. An all-encompassing IAR is a conceptual entity rather than a physical entity. In practice, your Information Asset Register is likely to consist of a number of separate registers, documenting particular aspects of your digital information and its environment. It might build on existing Information Asset Registers or use a configuration management system to link the various elements as long as you can understand what information assets you have, what the utility requirements and technical dependencies those assets have, and identify the information assets dependent on each component of your technical environment. In developing your IAR to support the management of digital continuity, you will probably want to take an incremental approach, prioritising information most important to the business. The level of detail you provide depends on your needs, so you may want to start with a highlevel overview, and take a phased approach to developing the underlying detail. At a minimum, you need to identify what information assets you have and who their owners are. Ownership and accountability are key success factors. For every information asset, or sub component of the IAR, there will be an information asset owner. You need to engage this group and explain their digital continuity roles and responsibilities. In many government organisations, the information assets described on the IAR will be managed and/or hosted by a commercial supplier. It is important they understand the digital continuity aspects of the information assets they manage, as a prelude to any action you might want to agree with them on digital continuity going forward. You may also oblige your IT provider to maintain your IAR, and provisions requiring this are included in the new OGC Model Contract for IT Services (you can find guidance on this at: Diagram 6 illustrates our suggested components of an Information Asset Register, and the way in which they map to the alignment needed for digital continuity. Page 24 of 56

25 INFORMATION ASSET LIST Describes information assets, including: Information asset name and description Current format and/or schema Current location Information Asset Owner TECHNICAL ENVIRONMENT REGISTER Describes the current technical environment, including: File Formats Desktop Applications Operating Systems Enterprise Applications Databases File Storage Information Assets Technical Environment unrequired assets unsupported assets unnecessary support complete available usable = digital continuity unused capability unrequired capability unfulfilled utility Utility STATEMENT OF UTILITY REQUIREMENTS: Defines the business utility required from information assets, now and over time - who needs to be able to do what, with which information assets, when, and why? Includes: Information asset business value over time Retention/disposal requirement Required utility over time Diagram 6: A conceptual model of what your Information Asset Register should tell you about your information assets, technical environment and utility requirements Page 25 of 56

26 2.3.3 Actions to take 1. Secure agreement from your SIRO to use your Information Asset Register (IAR) to support digital continuity, developing it to allow you to understand your information assets, their utility and desired usability and their technical environment 2. Identify your information assets o Identify what information assets you have not in terms of the IT system that holds it, but categorise your information from the perspective of its content and business use. o Be sure to address all forms of information generated by your organisation, including that which exists primarily on web platforms 3. Understand your technical environment 3.1 Develop and maintain an understanding of your technical environment. This could be using a specific Technical Environment Register. (The Digital Continuity Project has developed a Technical Environment Register spreadsheet to support risk assessment that may also provide a useful starting point for this). But you could also use outputs from enterprise architecture tools, a configuration management system or other technology management tools you already have in place. These need to allow you to understand: the software applications you use (both desktop and enterprise applications) the platforms and infrastructure on which this software is running planned changes to the technical environment and its expected end of life 3.2 Profile the file formats you are using and creating to understand which are at risk of obsolescence and how soon. You will need to understand: the volume of data you hold its location, its age and technical characteristics of each information asset eg its format, metadata schema Page 26 of 56

27 The Digital Continuity Project is developing its file characterisation tool (DROID) to assist you by identifying file formats and versions. The existing version of DROID is at and a new version should be available by the summer of Ensure you have processes in place and have defined ownership responsibilities to keep information about your technical environment, for example your Technical Environment Register, updated and reviewed regularly for completeness. 4. Define your information utility o Determine how information flows through your organisation and what information is needed to support your business operations, and when, and by whom. Consider the impact of losing the information, or its essential characteristics. This will tell you what information is of business value (both to your organisation and to third parties) and which is not. o Identify what information you will continue to need, how you will need to use it, and for how long. This will ensure you are capturing and keeping the right information and can define its utility and can implement appropriate what to keep retention schedules. o Define the utility you require of your information assets, including what characteristics the information will need to retain in order to meet your business requirements (content, context, functionality etc). 5. Compile a comprehensive mechanism for mapping your information assets, utility requirements and technical environment. You may be able to exploit and develop your IAR to do this. This does not have to be a single document - you can hold this information in multiple places, but you need to ensure you can crossreference various sources of information in the way you need to. o Document the information asset content and context, where the information is located, its current format and structure, and relate this to the technical environment that supports it. Page 27 of 56

28 o o o Ensure that your information asset register allows you to link what you know about the business value and utility requirements of your information asset with what you know about its technical characteristics, to inform decisions about how to manage the continuity of your digital information assets through change. Ensure that you can also understand what information assets are dependent on each component of your technical environment, so that you can see which information assets may be affected by changes to your technology. Establish a process for updating the IAR, with regular review periods to assess completeness and assigned responsibilities for maintaining it. 6. Ensure accountability and ownership through existing information governance structures o Appoint an Information Asset Owner (IAO) for each information asset o Ensure that your utility requirements are agreed and understood by the IAO, who is responsible for championing the requirements and ensuring that they are updated as appropriate. o Ensure that ownership and responsibility for maintaining the IAR itself is clear 7. Use your IAR when contracting with new IT service providers o The Office of Government Commerce (OGC) model agreement for IT services now includes reference to an information asset register as one of registers to be maintained as part of the service configuration management. The IAR needs to be created by the contracting Authority. It is then maintained by the Contractor, who has to assess the impact of any changes on the usability requirements defined for the information assets. 8. Identify misalignments these are risks to digital continuity o Use the work to understand how your information assets, technology environment and utility requirements align to identify information assets that you need to use, but which are currently unsupported by the right technology and so don t meet your business utility requirements this is an area of risk to your digital continuity. 9. Take the opportunity to identify and plan the realisation of savings and efficiencies through providing the right level of continuity for the right information. Page 28 of 56

29 o o o o o Use the work to understand how your information assets, technology environment and utility requirement align to identify unrequired information assets, unrequired technology capability and unnecessary support. Dispose of any information assets that you no longer need Dispose of any technology capability that you no longer need Identify opportunities to downgrade the technology you use to access information or migrate information to different formats, so that your technology mirrors your needs, saving money on expensive systems, unnecessary functionality or high availability. Move the information assets to cheaper, more efficient and effective storage, de-duplicating assets. Page 29 of 56

30 2.4 Stage 3: Assess and manage risks to digital continuity This section of the guidance sets out approaches to help you ensure that you are managing the risk of losing digital continuity. The actions in this section will support you in establishing appropriate governance and risk management structures, assigning responsibility for the management of risk to digital continuity, and assessing your current level of risk. Create a framework for managing risk Embed ongoing digital continuity risk assessment Stage 3 Assess and manage risks to maintaining digital continuity Undertake a risk assessment Create and implement a prioritised digital continuity action plan Diagram 7: Assess and manage risks to digital continuity Why you need to manage risks to digital continuity Risk to digital continuity is an information risk. It should be managed in line with your general information risk management procedures and (for government departments) the CESG Information Assurance Maturity Model 3, and be included in your annual Statement on Control. 3 Page 30 of 56

31 Risks to digital continuity should be recognised at an organisational level, and at a more granular level in the areas of information management, IT management, information assurance and business change. If you do not have appropriate risk management and information governance processes in place, you cannot know whether you are identifying and managing your risk to digital continuity effectively. Undertaking a comprehensive digital continuity risk assessment for your organisation will enable you to quantify the risk you face, identify key areas of concern, and prioritise actions to mitigate your risks. Larger organisations may wish to take a phased approach to risk assessment, tackling priority areas first. Embedding ongoing digital continuity risk management will ensure that you continue to identify and manage your risk to digital continuity Actions to take 1. Ensure that there is a clear framework of roles and responsibilities for identifying and managing risk to digital continuity within your organisation: o Ensure the SIRO recognises risks to digital continuity as an information risk to be managed through the established governance structures. o Ensure your organisational risk appetite is informed by a good understanding of the business value of your information and the consequences of losing it. o Ensure that the assigned Senior Responsible Owner for digital continuity understands the need to manage risks to digital continuity o Identify the specific responsibilities of the KIM, IT and IA teams for managing risks to digital continuity. o Ensure each of your information assets has an Information Asset Owner with responsibility for managing risks to their information asset. Page 31 of 56

32 2. Undertake a comprehensive digital continuity risk assessment for your organisation o Direct the multi-disciplinary digital continuity project team to carry out an initial risk assessment and action planning exercise. This team needs to identify your risks to digital continuity, develop and implement mitigation strategies, and initiate appropriate action. o Organise and undertake an assessment of risks to digital continuity and ensure outputs are reflected in information risk registers 3. Prioritise action you need to take to ensure digital continuity o Identify and prioritise key risks to digital continuity and any existing issues arising from the assessment o Develop an action plan to address these risks to be taken forward by your digital continuity project team, with timescales and resources as appropriate o Monitor the progress of actions to manage risks to digital continuity to ensure they are appropriately implemented and that mitigations have been effective 4. Establish and embed ongoing digital continuity risk assessment and incident management o Incorporate digital continuity into your Information Risk Policy and risk management processes o Maintain a schedule of risks and mitigations for each individual information asset o Develop procedures to periodically test that the accessibility and usability of information assets meets your stated business requirement, testing whether or not you have maintained digital continuity, the effectiveness of mitigations, and whether it faces new risk o Establish a process for the systematic and regular review of risks to the digital continuity of your information assets as part of their lifecycle management o Identify and document any risks to digital continuity that are within your risk appetite and therefore have no planned mitigation o Identify any risks where mitigation or management is dependent on third parties or external suppliers and establish a mechanism for monitoring their progress and compliance o Agree the timing and process for reviewing and repeating your comprehensive digital continuity risk assessment Page 32 of 56

33 o Manage digital continuity incidents and problems through your information assurance incident and problem management procedures, and include them in your incident reporting and metrics Page 33 of 56

34 2.5 Stage 4: Manage digital continuity through organisational and technological change This section explains the importance of managing change in a way that maintains your digital continuity, whether this is minor local change or major organisational change, and outlines how you can manage change to deliver digital continuity. Resolve issues and restore digital continuity Take action to mitigate risks to digital continuity Assess imapact of organisational or business change on digital continuity Stage 4 Manage digital continuity over time and through organisational and technological change Assess impact of asset, IM or IT change on digital continuity Reflect digital continuity in business plans and architecture Embed digital continuity in management of your assets Standardise your technical environment Diagram 8: Manage digital continuity through organisational and technological change Why managing change is key to digital continuity Change is the main context in which digital continuity problems arise. This might be major organisational of machinery of government change, or a series of minor local changes to priorities, IT systems, or ways of working. It might affect the alignment of information assets, technical environment and utility (see diagram 1), or the organisational structures and responsibilities that support the management of risks to digital continuity. Page 34 of 56

35 Anyone who is managing change at any level should consider the impact on digital continuity. KIM and IT teams need to take particular responsibility for safeguarding your organisation s information assets through organisational and technological change by incorporating digital continuity into their change management processes. The ability to access and use information when and how you need to is important to the functioning of your organisation, and digital continuity should therefore be regarded as an aspect of business continuity. Significant change offers the opportunity to identify better ways of doing things. If digital continuity is considered properly in the planning stages, you could realise savings and efficiencies through providing the right level of continuity for the right information. This will enhance your ability to use and re-use your information, and avoid the need to take expensive mitigating actions in future Actions to manage changes that could impact on digital continuity 1. Consider digital continuity when planning and managing business change, including Machinery of Government changes and changing business requirements: o Ensure business change policies and processes identify the information risks that arise in the event of organisational changes and changes to business requirements o Add risk to digital continuity to your change management and project and programme risk registers as appropriate o Include a digital continuity impact assessment in the planning and implementation of business change projects. This must consider whether the business change impacts on the utility you need from the information (how and when information is to be used and by whom), how the information assets are managed and the technical environment that supports them. o Ensure that any new business requirement for using information now or in the future is identified and reflected in the way you manage your information assets and IT. o Ensure that any new information assets received as the result of machinery of government change are incorporated into your digital continuity risk management processes and Information Asset Register. Page 35 of 56