Overview. What are operational policies? Development, adoption, implementation

Transcription

1 Practical Geospatial Policies: Resolving Operational Issues to Optimize Your SDI Ed Kennedy Hickling Arthurs Low Corporation and Cynthia Mitchell and Simon Riopel Division, Natural Resources Canada Overview and the CGDI Objectives Activities Geospatial Operational Policies What are operational policies? Development, adoption, implementation Recent Outputs Volunteered Geographic Information (VGI) Policy Implications Conclusions 2 1

2 and the CGDI 3 Program The program is a national initiative, led by Natural Resources Canada, designed to facilitate access to and use of authoritative geospatial information in Canada. Program Objectives: Create increased awareness of the benefits of using geospatial data and tools to achieve goals for social, economic and environmental priorities. Facilitate the integration and use of geospatial data to support effective decision making. Coordinate the development of national policies, standards and mechanisms and support their implementation to ensure maintenance and updating of geospatial data and compatibility with global standards. Keep Canada at the leading edge of accessing, sharing and using geospatial information via the Internet. 4 2

3 Program Key Program Activities: Geospatial Strategy and Leadership continued coordination of geomatics activities in Canada, requiring the development and implementation of long-term national geomatics strategies and policies, in partnership with stakeholders. Canadian Geospatial Data Infrastructure (CGDI) work with the geomatics community to advance the operational policies and standards needed to complete the CGDI and support the use of geospatial information. 5 Canadian Geospatial Data Infrastructure (CGDI) What is the CGDI? The CGDI is an online network of resources that improves the sharing, use and integration of information tied to geographic locations in Canada. In essence, the CGDI is the convergence of policies, standards, technologies, and framework data necessary to harmonize all of Canada s location-based information. Through the CGDI, Canadians can discover, access, visualize, integrate, apply and share quality location-based information. The CGDI allows citizens to gain new perspectives into social, economic, and environmental issues and make effective decisions. 6 3

4 and the CGDI What is the connection? is working on integrating the components of the CGDI ensuring that the infrastructure is comprehensive, usable, high-performing, relevant and poised for future growth and development. A complete CGDI includes a comprehensive suite of geospatial operational policies, fully supported and available for adoption and implementation by CGDI s national stakeholders. 7 Geospatial Operational Policies 8 4

5 Geospatial Operational Policies What are Geospatial Operational Policies? Operational Policies address topics related to the lifecycle of geospatial data (i.e. collection, management, dissemination, use). They apply to the day-to-day business of organizations. They include guidelines, directives, procedures and manuals that help facilitate access to and use of geospatial information. They support the development, operation and use of the CGDI. They are distinct from Strategic Policies, which address high level strategic issues and set high level directions for organizations. supports the integration and use of the CGDI and is working to advance the development of geospatial operational policies needed to complete the CGDI, and facilitate their adoption and implementation. 9 CGDI Operational Policy Roadmap Outreach, consultation and awareness Intensify outreach and awareness activities to promote policies, Adoption processes and showcase policy implementations SUPPORT CO-ORDINATE DEVELOP Consensus and common policy for F/P/T Smart, clear guidance and best practices Implementation Support and enable broad implementation and integration of geospatial operational policies Adoption Develop practical adoption processes to ease organizational integration and implementation of common geospatial policy Research and Development Monitor trends, perform research and consultation, develop geospatial operational policies, guidelines, best practices Privacy Licensing Intellectual Property Security Data Quality Data Integration Data Archiving Open Data Confidentiality Digital Rights Management Imagery 5

6 Needs for Operational Policies Key policy topics that impact spatial data infrastructure Legal/Administrative Ethical Legal Practices Confidentiality, Security, and Sensitive Information Privacy Intellectual Property Copyright Licensing Data Sharing Liability Archiving and Preservation Data Quality Technological/Trends Open Data Volunteered Geographic Information (VGI) Open Source Web 2.0 and the GeoWeb Cloud Computing Mobile and Location-based Services High Resolution Imagery Mass Market Geomatics Data Integration 11 Introduction to Geospatial Operational Policies Example Studies and Guides Privacy Public Opinion Research on Geospatial Privacy International Comparative Analysis of Geospatial Privacy Geospatial Privacy Awareness and Risk Management Guide for Federal Agencies Confidential and Sensitive Information and Security Best Practices for Sharing Sensitive Environmental Geospatial Data A Guide to Improved Emergency Management Confidential Business Information (i.e. Critical Infrastructure) 12 6

7 Introduction to Geospatial Operational Policies Example Studies and Guides Geospatial Data Policy Inventory and Classification Intellectual Property and Licensing IP Law Backgrounder Review of IP Law and Instruments (Copyright, Licensing) in the Context of Geospatial data The Dissemination of Government Geographic Data in Canada: Guide to Best Practices, Version 2 Geospatial Data Archiving and Preservation Archiving, Management and Preservation of Geospatial Data report Volunteered Geographic Information Volunteered Geographic Information (VGI) Primer 13 Introduction to Geospatial Operational Policies Example Studies and Guides Data Sharing and Integration Guide to Anonymizing Geospatial Public Health Information A Managers Guide to Public Health Geomatics Good Practices Guide - Success in building and keeping an Aboriginal mapping program Framework Data Guide Good Practices in Regional-Scale Information Integration How to Share Geospatial Data Cloud Computing 14 7

8 Volunteered Geographic Information (VGI) Primer 15 Volunteered Geographic Information (VGI) Primer 16 8

9 Volunteered Geographic Information (VGI) Primer Introduces key issues in geospatial operational policy, imperative to the success of any venture into VGI. Discusses the emerging trend of VGI and areas of related operational policy. Draws on good practices and lessons learned from Internet research and three Case Studies of VGI in use. 17 Volunteered Geographic Information (VGI) Primer Introduction to VGI 18 9

10 Volunteered Geographic Information (VGI) Primer Issues to address in quality benchmarking (Coleman et al, 2009) How to assess the credibility of a contributor How to assess the accuracy of VGI contributions (e.g., in-house quality assurance, a moderated on-line community, or the public) The best and quickest means of delivering credible input The control over content and quality given to contributors Decision-making on acceptability of updates Factors to help determine contributors credibility Location of contributed data versus location of contributor s IP address Timing of data contributions versus independent information (e.g., timing of the contribution of a new road feature compared to independent road construction reports) The degree of conformity between the same data element or attribute that has been submitted by multiple contributors 19 Volunteered Geographic Information (VGI) Primer Lessons learned regarding professional vs. amateur VGI contributors (Case Studies) In densely populated areas, contributions from amateurs produce data of equal quality to professionally produced data Using data custodians to vet VGI-notified changes can greatly enhance data quality Benchmarking VGI performance can improve throughput and help to isolate problem areas Patterns of individual user behaviour can be accessed if necessary for investigating malicious users who are damaging the quality of data Proper data preservation and archival methods (Case Studies) In data model design, use persistent identifiers for all features, so that feature changes over time can be easily tracked Store full details of each addition, deletion or change of features that is derived from VGI, including the identity of the contributor Ensure that data is fully backed up, either in singular offsite facilities or across multiple site locations, and can be accessed in the long term 20 10

11 Volunteered Geographic Information (VGI) Primer Ways to mitigate the risks of legal problems Require VGI contributors to confirm that they have the rights to contributed data and that they will indemnify the organization for any damages arising from law suits relating to the data Recognize contributions by posting names of contributors, while protecting privacy by not linking specific contributions to names Ensure that contributor and user license terms are consistent Rapidly remove any content that may potentially infringe copyright or privacy

12 23 Intended to assist CGDI stakeholders to better understand the emerging trend of cloud computing (CC) and areas of related operational policy. Policy areas include: security, privacy and confidentiality, copyright and licensing, legal/liability, archiving and preservation, and regulation and standards. Involved Internet research and two case studies of current, realworld instances of CC, to identify lessons learned and good practices in geospatial operational policies that help enable CC

13 Cloud Computing Deployment Options The figure below illustrates the types deployments and their associated levels of trust, from a data privacy and security perspective, and the relative cost/complexity levels. Solutions on the left are Internet-based, and those on the right reflect an increasing reliance on private or dedicated Intranet implementations. 25 Abuse and Nefarious Use of Cloud Computing Insecure Application Programming Interfaces Malicious Insiders Shared Technology Vulnerabilities Data Loss/Leakage Kinds of Security Risks in the Cloud Account, Service & Traffic Hijacking Complexity Delegation of Authority Encryption Challenges Unknown Risk Profile In a Trend Micro survey of 1,200 decision makers in May 2011, 43% globally (38% in Canada) who were using a cloud computing service reported a data security lapse or issue that year

14 Security Risk Mitigation Good Practices Opt for private clouds behind firewalls, on-premises, to control privacy, security and authentication issues. Insist that data not be stored on servers located in jurisdictions where there are concerns about security breaches. Implement security everywhere (e.g., encrypted transport into the cloud, secure coding and access control inside applications, etc.), rather than the normal perimeter approach to security. Ensure that all APIs and data sources are checked with penetration tests and thoroughly analyzed. Develop a policy statement and training materials covering the types of information allowed on CC services, and establish a process for conducting security reviews according to the policy. Strip off attributes related to sensitive data before sending geospatial data to the cloud. 27 Privacy and Confidentiality Risks in the Cloud Terms of service and privacy policy can vary significantly depending upon the CC provider. Disclosure of information to a cloud provider privacy and confidentiality rights, obligations, and status may change with disclosure. Legal status and protections disclosure and remote storage may have adverse consequences for personal or business information. Location of information in the cloud may have significant effects on information privacy and confidentiality protections and on privacy obligations. Legal obligations cloud providers may be required to examine user records for evidence of criminal activity and other matters. Legal uncertainties assessing the status of information in the cloud, as well as the privacy and confidentiality protections available to users, is difficult. Creation of new data streams CC providers may not use data for purposes beyond those for which consent was originally given. Intrusions into individuals data CC providers or cloud-based applications may be able to access, mine or otherwise commoditize the data they hold

15 Privacy and Confidentiality Risk Mitigation Good Practices Ensure that privacy staff are involved early in the process, to make certain that the privacy rights of individuals are identified and recognized and the potential risks when using cloud computing are addressed. Involve privacy staff in the evaluation of information moving to the cloud, the proposed service delivery model, the CC provider s proposal before a contract award takes place, and other areas of concern with specific legislation. Employ technologies to ensure privacy protection Data encryption prior to uploading to the cloud Hardware-based security initiatives such as the Trusted Platform Module Privacy verification services such as TRUSTe 29 Potential Legal/Liability Issues With Cloud Computing Contracts CC providers are notoriously inflexible on changes to their standard terms and conditions of service. SLAs often use vague language and narrow definitions regarding service guarantees, access to service quality statistics, dispute resolution, etc. Key issues with CC contracts: Cloud Contracting Issues Data ownership and access Loss of data Data integrity Data retention Licenses Privacy Representations, warranties and limitations Audits, certifications and inspections Indemnities Security Jurisdiction Contract changes ediscovery and Computer Forensics Dispute resolution 30 15

16 The choice of cloud model may be influenced by regulatory compliance considerations, such as: Business continuity and disaster recovery Security standards (e.g., ISO 27001) Logs and audit trails Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA) in the US PIPEDA in Canada Compliancy requirements may limit organizations to hybrid or community cloud solutions, losing the full benefits of cloud use. Lack of CC standards presently may result in vendor lock-in. Recognition of the importance of standards has resulted in an array of cloud computing standards setting activities and bodies. 31 Implications of CC for SDI Benefits Emergence of geospatial CC will increase technology adoption and generate increased demand for high quality data. As the market continues to shift from prominence of professional users to non-professional users, web services access to data will replace data download as the primary consumption mode. SDI organizations are well-positioned to address this demand. Risks Operational policy challenges are relevant for SDI use of CC (especially security, and protection of personal, confidential and sensitive data). SDIs weak in providing data access via web services will not be able to meet growing demand in geospatial CC solutions for temporary use of data. Lack of CC standards may pose problems for SDI operations (i.e., vendor lock-in and interoperability issues)

17 Conclusions Canada has an operational SDI which is being used to support organizational operations and decision-making. Emphasis has now shifted to addressing some of the key challenges to the use of the CGDI and geospatial information more generally, and the impacts of emerging technologies, through the development of operational policies. During the next year, efforts will be directed to outreach and engagement with CGDI stakeholders and assistance with operational policy adoption and implementation. This presentation has provided a brief glimpse into operational policy work by highlighting the contents of two guidance documents. 33 For information on evolving Geospatial Operational Policy development, contact: Division Mapping Information Branch Natural Resources Canada 615 Booth Street Ottawa, Ontario K1A 0E9 [email protected] Tel: Fax: