MANAGING DIGITAL CONTINUITY




MANAGING DIGITAL CONTINUITY Project Name Digital Continuity Project DRAFT FOR CONSULTATION Date: November 2009 Page 1 of 56

Contents

Introduction
  What is this Guidance about?
  Who is this guidance for and how should I use it?
  What is the context of this guidance?
  What is the status of this guidance?

Part 1: Understanding digital continuity
  1. Digital continuity: an introduction
    1.1.1 Digital continuity in brief
    1.1.2 Digital continuity in practice
    1.1.3 The impact of change on digital continuity
    1.1.4 Ensuring digital continuity
    1.1.5 The benefits of ensuring digital continuity

Part 2: What you need to do
  2 Managing digital continuity
  2.1 Overview of managing digital continuity
  2.2 Stage 1: Understand digital continuity and recognise the need for action
    2.2.1 Why you need a whole organisation approach to ensuring digital continuity
    2.2.2 Actions to take
  2.3 Stage 2: Identify your information assets, IT environment and information utility
    2.3.1 Why you need to understand your information assets, IT environment and information utility
    2.3.2 Understanding the relationships between your information assets, utility requirements, and technical environment
    2.3.3 Actions to take
  2.4 Stage 3: Assess and manage risks to digital continuity
    2.4.1 Why you need to manage risks to digital continuity
    2.4.2 Actions to take
  2.5 Stage 4: Manage digital continuity through organisational and technological change
    2.5.1 Why managing change is key to digital continuity
    2.5.2 Actions to manage changes that could impact on digital continuity
    2.5.3 Actions to reduce the potential impact of change on digital continuity
    2.5.4 Actions to mitigate risks to digital continuity
    2.5.5 Actions to restore digital continuity

Part 3: Who needs to do it
  3 Roles and responsibilities for ensuring digital continuity
  3.1 Digital Continuity Senior Responsible Owner (SRO)
  3.2 Senior Information Risk Owners (SIROs)
    Responsibility
  3.3 Chief Information Officers (CIO)
  3.4 Information Assurance (IA) programme managers and other IA professionals
  3.5 Risk Managers
  3.6 Head of KIM
  3.7 KIM professionals working in the Information and Records Management areas
  3.8 Information Asset Owner (IAO)
  3.9 Chief Technology Officers (CTOs)
  3.10 Enterprise Architects/IT strategists
  3.11 IT Service Managers
  3.12 Procurement managers and commercial and contract managers
  3.13 Business Change Managers, Project and Programme Managers

Part 4: How to measure success
  4 The digital continuity success model

Further reading

Introduction

What is this Guidance about?

Digital continuity is the ability to use digital information for as long as you need to, and in the way that you need to, over time and through change. Ensuring digital continuity requires active intervention or information can easily become unusable - a liability not an asset.

Digital information is particularly vulnerable to loss of usability due to the fast pace of technological change, the complexity of digital systems and services, lock-in to proprietary formats, and the ever-increasing amounts of digital information we create and rely upon.

Managing digital continuity should not be seen as a distinct activity, separate from what your business does now. It is not necessarily about new technology and expenditure; it is about managing digital information and business change in a way that ensures the continuity of your information so that you can use it as you want, when you want.

Digital continuity means managing risks and maximising cost effectiveness.

This is pressing because, more than ever, change will be the only constant for Government departments and the wider public sector. And it is when your business needs, technical environments and organisational structures change that you can lose the effective use of essential digital information. Ensuring digital continuity must therefore be an integral part of change management, information management, IT management and information assurance.

is developing a service for government, and the wider public sector, that will enable you to assess your specific digital continuity risks and issues, and to plan and take action. This includes a suite of practical, accessible guidance, and a commercial framework of tools and services.

This guidance on provides an introduction to Digital Continuity, how it can be ensured, and the roles that need to be involved, and their responsibilities.

Who is this guidance for and how should I use it?

This guidance is aimed at the person or role within an organisation that has been given overall responsibility for ensuring digital continuity - the Senior Responsible Owner for digital continuity.

The guidance provides an introduction to digital continuity and should be used to:

- Inform and educate staff on digital continuity
- Establish roles and responsibilities and a team for taking forward action to ensure digital continuity
- Begin preparation for assessing and managing risks to digital continuity
- Take the first steps to embedding digital continuity in Information Management and IT change management

This guidance will also be of use for staff with a role in managing digital continuity, such as:

- Senior Information Risk Owners (SIROs)
- Chief Information Officers (CIOs)
- Chief Technology Officers (CTOs) and IT professionals
- Knowledge and Information Managers (KIM professionals)
- Information Assurance (IA) Programme Managers
- Information Asset Owners (IAOs)
- Change Managers, Programme and Project Managers

What is the context of this guidance?

This guidance on is part of a suite of practical, accessible guidance that is being delivered as part of the Digital Continuity service for government. We are producing guidance incrementally and in consultation with central government departments. This guidance is part of the high-level, first phase, designed to give you a clear overview of the types of activity and outcomes required to ensure digital continuity. As we work more closely with departments to understand their specific risks and issues, we will produce more detailed and specific guidance.

For more information, visit www.nationalarchives.gov.uk/digitalcontinuity

What is the status of this guidance?

This is a consultation draft, and we welcome feedback to inform the next phase of guidance development. We are also keen to hear about examples of good practice and lessons learned. Please email your comments to digitalcontinuity@nationalarchives.gsi.gov.uk.

We will be developing more detailed guidance on how to undertake many of the actions outlined in this document in the next phase of guidance development.

EXECUTIVE SUMMARY

This guidance is for your organisation's senior responsible owner for digital continuity. It introduces you to the concept of digital continuity, why it is so important and the high level principles of managing it - making sure that information essential to your business is complete, available and usable, and remains so over time and through periods of change.

Digital continuity is firmly aligned with or embedded into wider government priorities and agendas, such as the operational efficiency programme, the National Information Assurance strategy and Information Assurance Maturity Model, and the revised Section 46 Code of Practice.

This guidance suggests a four stage process your organisation could follow in order to assess and address digital continuity risks and issues, and gives more detailed actions in each section. You may find that you don't need to undertake every action given - it will very much depend on the outcome of your digital continuity risk assessment, your risk appetite and your business requirements. But they should give you a clearer idea of the types of action you might consider.

The guidance also outlines the types of roles you might want to involve in order to take the cross-organisational and cross-disciplinary actions required and outlines each role's responsibilities and drivers for action.

Finally, it gives you success criteria so that, at each stage, you will be able to monitor progress against key performance indicators, and assess if you are successfully managing your digital continuity.

By going through the four-stage approach outlined on the next page you can be confident that you are managing digital continuity coherently and effectively. You can tailor activities to suit your organisation's specific requirements and priorities, but each of the stages should help you to understand, assess and address risks to digital continuity, any existing issues, and embed digital continuity management in your organisation.

1. Understand digital continuity and recognise the need for action

- Ensure your Senior Information Risk Owner (or equivalent) is aware of digital continuity
- Assign a Senior Responsible Owner (SRO) for managing digital continuity
- Ensure Information Technology (IT), Information Assurance (IA) and Knowledge and Information Managers (KIM) managers understand digital continuity and their responsibilities
- Establish a multi-disciplinary team to take action
- Engage IT providers on the issues, and their responsibilities
- Include managing digital continuity as a driver in relevant strategies
- Build a business case for further action

2. Identify what information assets you have, their technical environment and how you want to use them

- Get SIRO agreement to use your Information Asset Register (IAR) to support managing digital continuity
- Identify your information assets
- Define the business utility of your information (how your business needs to use the information it has)
- Understand the technical environment supporting your information
- Compile a full Information Asset Register
- Ensure your information assets have accountable owners
- Identify areas of potential risk
- Identify savings and efficiencies

3. Assess and manage risks to maintaining digital continuity

- Create a framework for managing risk
- Undertake a risk assessment
- Create and implement a prioritised digital continuity action plan
- Embed ongoing digital continuity risk assessment

4. Manage digital continuity over time and through organisational and technological change

- Assess the impact of organisational or business change on digital continuity
- Assess the impact of asset, information management or IT change on digital continuity
- Reflect digital continuity in business plans and enterprise architectures
- Standardise your technical environment
- Embed digital continuity in the management of your information assets
- Take action to mitigate the risks to digital continuity
- Resolve issues and restore digital continuity

We are developing guidance incrementally, in consultation with central government departments, and to reflect learning from the digital continuity risk assessments that we are carrying out.

This guidance is intentionally high level - it's only phase one. Its aim is to help you to understand what actions you may need to take in order to manage digital continuity. It does not tell you how to take those actions. This will be covered by the second and third phases of our guidance, which will be made available on our website in draft form as we produce them: www.nationalarchives.gov.uk/digitalcontinuity

If, after reading this document, you would like to put forward suggestions for the more detailed how-to guidance you would like, please let us know. Email your suggestions to digitalcontinuity@nationalarchives.gsi.gov.uk marking your email for the attention of the guidance workstream.

PART 1: UNDERSTANDING DIGITAL CONTINUITY

1. Digital continuity: an introduction

This section of the guidance will help you to understand the concept of digital continuity and the high-level principles of how to manage it.

"Information is a valuable asset that must be safeguarded. In the case of information held by public authorities and businesses ... people want to be certain that it is held securely, maintained accurately, available when necessary and used appropriately"
Sir Richard Mottram, Foreword, National Information Assurance Strategy.

"Authorities should know what records they hold and where they are, and should ensure that they remain usable for as long as they are required"
The Lord Chancellor's Code of Practice on the Management of Records

1.1.1 Digital continuity in brief

Digital continuity is the ability to use digital information for as long as you need to, and in the way that you need to, over time and through change.

Ensuring digital continuity enables you to work efficiently and effectively, while safeguarding the information you rely on to operate legally, accountably and transparently. It's an essential part of good information, IT and business change management.

The need to ensure digital continuity is now embedded into wider government priorities and agendas. For example, it is included in Section 46 Code of Practice; the National Information Assurance strategy and the Information Assurance Maturity Model and Assessment Framework, and the new Office of Government Commerce (OGC) model agreement for ICT services.

For more detail, visit www.nationalarchives.gov.uk/digitalcontinuity

1.1.2 Digital continuity in practice

You have ensured your digital continuity when your digital information continues to be:

- Complete: Everything you need to use and understand the information is there - including the content and context, such as metadata - so, for example, you have still got links to external files or you have maintained important connections between files and metadata.
- Available: This means you can find what you need and it can be opened with available technology - so, for example, your information is stored in formats or systems that are not obsolete, and in the right versions for processing using existing IT applications.
- Usable: That means that it is fit for purpose and can be used in a way that meets the business needs of the organisation - so, for example, information is not locked into formats or systems that restrict your ability to use or re-use it, or restrict the tools you can use to process it.

Managing digital continuity means ensuring that the IT you have supports the information you have in the way you need to use it - not just today, but as technology and business needs change and digital information ages.

1.1.3 The impact of change on digital continuity

Digital information is particularly vulnerable to change. It is reliant on complex systems, formats and media to support it, and the expertise and understanding of the people who manage it. Ensuring digital continuity depends on managing change in a way that ensures you can continue to access your information assets - and managing your information assets and IT in a way that gives you flexibility to reduce the risks arising from change and seize on the opportunities it brings.

The changes that pose a risk to digital continuity include those to:

- technology and the information assets themselves
- policies and processes that govern how the information is managed
- the organisational structures that create and use the information
- and the business drivers that determine how the information needs to be used

For example, the software applications used to create most public sector information are constantly changing and evolving - if these applications no longer support the information you have previously created then you have a continuity problem.

If your business needs change, for example after machinery of government changes, or to respond to new opportunities and challenges, the way you need to use information could change too. You will have continuity issues if your information assets, information management and IT systems do not support the way you now need to use your information, or you lose vital expertise in the formats and systems in which they are managed.

Information assets can also be changed by the way you manage them - for example, if you migrate information into new formats or systems you could change or lose essential metadata or functionality - you will have a continuity issue if this leads you to being unable to find or use the file as you need to.

1.1.4 Ensuring digital continuity

Ensuring digital continuity involves making sure that your information assets and your technical environment provide the use you need from your digital information and that this usability is maintained as your organisation and technology changes. Ensuring this drives operational efficiency because it helps to ensure that you are working optimally, and not supporting capability or resource that the business does not need.

Digital continuity can only be ensured when your business utility, technical environment and information assets are aligned and continue to be aligned through change. In other words, when:

- You know what digital information assets you have and the nature of the technical environment that supports them.
- You understand how you need to use them - the utility you need from the information, including what information to keep, who needs to use it and in what way - now and in the future.
- And you then make sure that your technical environment and way you manage your information assets support and provide this utility, keeping this alignment through change - thus ensuring that digital continuity is ensured and maintained.

Aligning your information assets, technical environment and business needs may sound obvious, but they can easily change relative to each other, and slip out of alignment if these changes are not effectively managed - leaving you with information assets you can't use, or technology supporting information in a way that doesn't meet your needs. At best this creates inefficiencies. At worst it can result in the loss of the information you need.

This requires ongoing planning and action and collaboration between those responsible for information management, IT, business change and information assurance to manage the operational changes that could put your digital information at risk. The digital continuity service will provide guidance, and a framework of tools and services, to support you in this.

[Diagram 1: ensuring digital continuity. Labels: Information Assets; Technical environment; Utility; complete, available, usable: digital continuity; unrequired assets; unnecessary support; unrequired capability; unsupported assets; unused capability; unfulfilled utility]

This diagram shows where you will need to manage these changes and ensure continuity through continued alignment and how ensuring digital continuity can deliver real efficiency benefits, with opportunities to dispose of the information and IT that you do not really need.

1.1.5 The benefits of ensuring digital continuity

Ensuring Digital Continuity will enable you to realise a number of benefits, including:

- cashable savings and operational efficiency, for example by identifying and rationalising unrequired information assets and unrequired technical capability.
- avoiding future costs and risk by minimising the impact of change, reducing the risk of losing data and expensive recovery costs and building flexibility into your digital information environment.
- effective delivery of primary business outcomes by identifying where greater business value can be released from digital information assets to support effective service delivery and information re-use.
- legal compliance and public accountability because the information you need is available and usable as and when you need it.

For more information on the benefits, see our guidance on An Overview of the Benefits of Ensuring Digital Continuity [1].

[1] See http://www.nationalarchives.gov.uk/digitalcontinuity

PART 2: WHAT YOU NEED TO DO

2 Managing digital continuity

This section of the guidance will help you understand the action you need to take to ensure digital continuity. It describes what high level actions are needed - more detailed guidance on how to take this action will be developed as the project progresses.

2.1 Overview of managing digital continuity

This guidance will provide an introduction to managing digital continuity through the following stages:

- Stage 1: Understand digital continuity and recognise the need for action
- Stage 2: Identify what information assets you have, their technical environment and how you want to use them
- Stage 3: Assess and manage risks to maintaining digital continuity
- Stage 4: Manage digital continuity over time and through organisational and technological change

Diagram 2: Overview of managing digital continuity

2.2 Stage 1: Understand digital continuity and recognise the need for action

This section of the guidance is to help you get started and ensure that digital continuity is widely understood across the organisation. It explains the importance of a collaborative and coherent approach between the relevant parts of the business.

[Diagram 4: Understand digital continuity and recognise the need for action. Labels: Stage 1 Understand digital continuity and recognise the need for action; Ensure your SIRO is aware of digital continuity; Assign an SRO for managing digital continuity; Ensure IT KIM and IA managers understand digital continuity and responsibilities; Establish a multidisciplinary team to take action; Engage IT providers on issues and responsibilities; Include managing digital continuity as driver in relevant strategies; Build a business case for further action]

2.2.1 Why you need a whole organisation approach to ensuring digital continuity

To ensure that digital continuity is managed effectively and comprehensively, and the associated benefits and efficiencies are realised, it needs to be addressed collaboratively at the right levels across the organisation. This means that it needs to be understood and owned by several disciplines, including Information Technology (IT), Information Assurance (IA), Enterprise Architecture (EA), and Knowledge and Information Management (KIM) professionals.

This can only happen if senior managers have sufficient understanding of the benefits and risks to champion appropriate governance and action at the right levels in the organisation and across appropriate business units. It is also essential that senior managers understand how ensuring digital continuity can help support strategic priorities around business delivery and creating efficiencies, and that managing digital continuity is a core part of managing information risk.

They will need to assess where existing work practices, policies and systems need to be amended to ensure that you are operating in a way that can deliver digital continuity and provide the resources you need to embed this as part of business as usual operation and change management.

A Senior Responsible Owner with responsibility for championing digital continuity across professional groups and building a team to deliver digital continuity is crucial to ensure that this issue is understood across the organisation, managed effectively and eventually embedded by your operational teams.

2.2.2 Actions to take

You can undertake these actions now, to kick start your organisation's approach to digital continuity management.

1. Ensure your Senior Information Risk Owner (SIRO) is aware of digital continuity and understands that ensuring it is managed forms part of their responsibility, as a key part of managing information risks. The SIRO needs to ensure a Senior Responsible Owner is appointed to take forward action on digital continuity.

2. Assign a Senior Responsible Owner (SRO) who is responsible for overseeing digital continuity management in your organisation, ensuring that the right systems and structures are in place, that risks are managed and that the business requirement for digital continuity is expressed in any relevant strategies and plans. The SRO will drive forward action on digital continuity and establish a multi-disciplinary team to deliver digital continuity and identify risks. They should have a clear route for elevating issues to board level as necessary.

3. Ensure that relevant managers across the Information Management (KIM), Information Technology (IT), Enterprise Architecture (EA), Information Assurance (IA) and business change functions understand digital continuity and their roles in exploring the issues. This could be via specific training programmes, presentations on the subject or distribution of fact sheets and other guidance about digital continuity (which is available from www.nationalarchives.gov.uk/digitalcontinuity).

4. Organise a meeting of relevant KIM, IT, EA, IA and business change, such as programme and project management functions, so that they can start to develop a shared understanding of the business utility your organisation needs from its digital information, and how their decision-making and planning need to align to deliver this over time and through change.

5. Agree with the SRO a core project group to take forward work to ensure and embed digital continuity (including meeting the requirements of the Information Assurance Maturity Model) [2] that includes representation from the relevant functions and is appropriately resourced.

6. Engage with your IT providers so that they understand digital continuity and that they may have a role in maintaining the usability of your digital information.

7. Include maintaining digital continuity as a key business requirement and driver in your organisation's strategic vision for KIM, IT and IA and incorporate into relevant policies, projects and business planning.

[2] See http://www.cesg.gov.uk/products_services/iacs/iamm/media/iamm assessment framework_v2.pdf

8. Build the business case you need to secure the resource to undertake a digital continuity risk assessment and embed digital continuity in the organisation. This should set out the compelling business reasons why your organisation needs information to remain usable over time. For more help with the benefits and drivers behind digital continuity, see An Overview of the Benefits of Ensuring Digital Continuity. Page 20 of 56

2.3 Stage 2: Identify your information assets, IT environment and information utility

This section of the guidance explains how understanding what information assets you have, the business value and technical profile of those assets, and the nature of the technical environment that supports them enables digital continuity. The actions in this section will support you in using your information asset register (IAR) to manage digital continuity.

Diagram 5: Identify your information assets, IT environment and information utility

2.3.1 Why you need to understand your information assets, IT environment and information utility

Digital continuity can only be ensured when your information utility needs, technical environment and information assets are aligned (see diagram 1).

To do this, you must first understand what information assets you have, from the perspective of information content and business use rather than systems or media. Understanding and describing your information as assets will help you to ensure that your organisation recognises the value of information and the need to manage and protect its investment in creating it. This will have the added benefit that it will start to drive the culture change you need to become an organisation that values its information, rather than seeing it as a liability.

You need to understand what digital information you need to keep, who needs to use it, and how you need to use it, defining the utility you need from it now and over time. Once you understand this utility requirement, you can ensure that your technical environment and the way you manage your information assets support and provide this utility, and do so in the most efficient way.

This will allow you to understand the potential impact of change on the continuity of your digital assets, and to make informed decisions about where to prioritise investment in ensuring the continued usability of your information. This is the route to ensuring digital continuity. It should also highlight where savings can be made by not maintaining information or technical support unnecessarily.

By business utility of information we mean:

a) the digital functionality that you need from your information asset in order for your business to benefit from using it, for example the ability to find it, open it, read it, copy it, edit it, move it, print it off. This functionality is delivered by the technical environment in which the information assets sit.

b) the inherent value that can be derived from the information asset as a result of being able to rely on its provenance, and as a result of being able to understand its full meaning and significance from the context it has. This is delivered both by the technical environment and by the implementation of information management business rules that specify audit trails and metadata standards, for example.

c) the actual or potential relevance and usefulness of the information asset over time, given a) and b), to business or public use, reuse or analysis, legal retention or discovery, to public accountability or to the historic record.

To build this understanding of your utility, you will need to answer the following questions:

o What types of information do we create and manage?
o Who creates which types of information and who is responsible for them, now and over time? How is that responsibility defined?
o How does the organisation need to use its information, now and in the future? What is its utility both to your organisation and to third parties?
o Which types of information need to be kept and for how long?
o Where is each type of information stored and in what format or system? Do we need the functionality these provide?
o What does our information cost to maintain through its lifecycle to disposal, including creating, using or recreating?

2.3.2 Understanding the relationships between your information assets, utility requirements, and technical environment

In order to manage the alignment of your information assets, utility requirements and technical environment, you need the capability to map the relationships between the three. You need to be able to relate all relevant elements to each other, in order to understand the impact of change in any one area and identify the most efficient way of ensuring that you get the utility you require from the information you need.

We suggest that you exploit your Information Asset Register (IAR) as the primary mechanism for documenting what you know about your information assets, utility requirements and technical environment, and for understanding the relationships between them.

The term Information Asset Register has been used to describe both a register of information systems and a register of public sector information available for re-use. A broader Information Asset Register for your organisation, encompassing both of these and more, can play a major role in helping you to address digital continuity.

In most organisations the IAR has been set up as an Information Assurance tool, championed by the Senior Information Risk Owner (SIRO) and with a focus on information security. However, Information Assurance is also concerned with availability and integrity, not just security, and availability and integrity are key outcomes of digital continuity. There should therefore be good synergy between your digital continuity and information assurance objectives, allowing you to develop the IAR for the purposes of digital continuity.

An all-encompassing IAR is a conceptual entity rather than a physical entity. In practice, your Information Asset Register is likely to consist of a number of separate registers, documenting particular aspects of your digital information and its environment. It might build on existing Information Asset Registers or use a configuration management system to link the various elements, as long as you can understand what information assets you have, what utility requirements and technical dependencies those assets have, and identify the information assets dependent on each component of your technical environment.

In developing your IAR to support the management of digital continuity, you will probably want to take an incremental approach, prioritising information most important to the business. The level of detail you provide depends on your needs, so you may want to start with a high-level overview, and take a phased approach to developing the underlying detail. At a minimum, you need to identify what information assets you have and who their owners are.

Ownership and accountability are key success factors. For every information asset, or sub component of the IAR, there will be an information asset owner. You need to engage this group and explain their digital continuity roles and responsibilities.

In many government organisations, the information assets described on the IAR will be managed and/or hosted by a commercial supplier. It is important they understand the digital continuity aspects of the information assets they manage, as a prelude to any action you might want to agree with them on digital continuity going forward. You may also oblige your IT provider to maintain your IAR, and provisions requiring this are included in the new OGC Model Contract for IT Services (you can find guidance on this at: http://www.nationalarchives.gov.uk/electronicrecords/digitalcontinuity/guidance-on-digitalcontinuity.htm).

Diagram 6 illustrates our suggested components of an Information Asset Register, and the way in which they map to the alignment needed for digital continuity.

Diagram 6: A conceptual model of what your Information Asset Register should tell you about your information assets, technical environment and utility requirements

INFORMATION ASSET LIST
Describes information assets, including:
o Information asset name and description
o Current format and/or schema
o Current location
o Information Asset Owner

TECHNICAL ENVIRONMENT REGISTER
Describes the current technical environment, including:
o File Formats
o Desktop Applications
o Operating Systems
o Enterprise Applications
o Databases
o File Storage

STATEMENT OF UTILITY REQUIREMENTS
Defines the business utility required from information assets, now and over time - who needs to be able to do what, with which information assets, when, and why? Includes:
o Information asset business value over time
o Retention/disposal requirement
o Required utility over time

Diagram labels: Information Assets; Technical Environment; Utility; complete, available, usable = digital continuity; unrequired assets; unsupported assets; unnecessary support; unused capability; unrequired capability; unfulfilled utility.

2.3.3 Actions to take

1. Secure agreement from your SIRO to use your Information Asset Register (IAR) to support digital continuity, developing it to allow you to understand your information assets, their utility and desired usability and their technical environment

2. Identify your information assets
o Identify what information assets you have, not in terms of the IT system that holds it, but categorise your information from the perspective of its content and business use.
o Be sure to address all forms of information generated by your organisation, including that which exists primarily on web platforms

3. Understand your technical environment

3.1 Develop and maintain an understanding of your technical environment. This could be using a specific Technical Environment Register. (The Digital Continuity Project has developed a Technical Environment Register spreadsheet to support risk assessment that may also provide a useful starting point for this). But you could also use outputs from enterprise architecture tools, a configuration management system or other technology management tools you already have in place. These need to allow you to understand:
o the software applications you use (both desktop and enterprise applications)
o the platforms and infrastructure on which this software is running
o planned changes to the technical environment and its expected end of life

3.2 Profile the file formats you are using and creating to understand which are at risk of obsolescence and how soon. You will need to understand:
o the volume of data you hold
o its location, its age and technical characteristics of each information asset eg its format, metadata schema

The Digital Continuity Project is developing its file characterisation tool (DROID) to assist you by identifying file formats and versions. The existing version of DROID is at http://www.nationalarchives.gov.uk/aboutapps/pronom/tools.htm, and a new version should be available by the summer of 2010.

3.3 Ensure you have processes in place and have defined ownership responsibilities to keep information about your technical environment, for example your Technical Environment Register, updated and reviewed regularly for completeness.

4. Define your information utility
o Determine how information flows through your organisation and what information is needed to support your business operations, and when, and by whom. Consider the impact of losing the information, or its essential characteristics. This will tell you what information is of business value (both to your organisation and to third parties) and which is not.
o Identify what information you will continue to need, how you will need to use it, and for how long. This will ensure you are capturing and keeping the right information and can define its utility and can implement appropriate "what to keep" retention schedules.
o Define the utility you require of your information assets, including what characteristics the information will need to retain in order to meet your business requirements (content, context, functionality etc).

5. Compile a comprehensive mechanism for mapping your information assets, utility requirements and technical environment. You may be able to exploit and develop your IAR to do this. This does not have to be a single document - you can hold this information in multiple places, but you need to ensure you can cross-reference various sources of information in the way you need to.
o Document the information asset content and context, where the information is located, its current format and structure, and relate this to the technical environment that supports it.

o Ensure that your information asset register allows you to link what you know about the business value and utility requirements of your information asset with what you know about its technical characteristics, to inform decisions about how to manage the continuity of your digital information assets through change.
o Ensure that you can also understand what information assets are dependent on each component of your technical environment, so that you can see which information assets may be affected by changes to your technology.
o Establish a process for updating the IAR, with regular review periods to assess completeness and assigned responsibilities for maintaining it.

6. Ensure accountability and ownership through existing information governance structures
o Appoint an Information Asset Owner (IAO) for each information asset
o Ensure that your utility requirements are agreed and understood by the IAO, who is responsible for championing the requirements and ensuring that they are updated as appropriate.
o Ensure that ownership and responsibility for maintaining the IAR itself is clear

7. Use your IAR when contracting with new IT service providers
o The Office of Government Commerce (OGC) model agreement for IT services now includes reference to an information asset register as one of the registers to be maintained as part of the service configuration management. The IAR needs to be created by the contracting Authority. It is then maintained by the Contractor, who has to assess the impact of any changes on the usability requirements defined for the information assets.

8. Identify misalignments: these are risks to digital continuity
o Use the work to understand how your information assets, technology environment and utility requirements align to identify information assets that you need to use, but which are currently unsupported by the right technology and so don't meet your business utility requirements; this is an area of risk to your digital continuity.

9. Take the opportunity to identify and plan the realisation of savings and efficiencies through providing the right level of continuity for the right information.
o Use the work to understand how your information assets, technology environment and utility requirement align to identify unrequired information assets, unrequired technology capability and unnecessary support.
o Dispose of any information assets that you no longer need
o Dispose of any technology capability that you no longer need
o Identify opportunities to downgrade the technology you use to access information or migrate information to different formats, so that your technology mirrors your needs, saving money on expensive systems, unnecessary functionality or high availability.
o Move the information assets to cheaper, more efficient and effective storage, de-duplicating assets.
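The cross-referencing described in actions 5, 8 and 9 above, as an added illustration that is not part of the original guidance: a minimal Python model of the three registers in Diagram 6 that reports misalignments and lists the assets (with their owners) affected by a change to one technical component. All field names, the way each misalignment category is defined, and the sample entries are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Field names are assumptions made for this example, not a published schema.
@dataclass(frozen=True)
class Asset:                      # one row of the Information Asset List
    name: str
    owner: Optional[str]          # Information Asset Owner; None if unassigned
    fmt: str                      # current format and/or schema
    location: str
    depends_on: frozenset         # ids of the technical components it relies on

@dataclass(frozen=True)
class Component:                  # one row of the Technical Environment Register
    ident: str
    kind: str
    end_of_life: Optional[date]   # None means no end of life is planned

@dataclass(frozen=True)
class Requirement:                # one row of the Statement of Utility Requirements
    asset: str
    who: str
    needs: str
    keep_until: date              # retention/disposal date

def build_register():
    """Constructed sample data, not taken from any real register."""
    assets = [
        Asset("Case files 2005-2009", "Head of Casework", "word-processor files",
              "file share A", frozenset({"wp-viewer", "fileserver-1"})),
        Asset("Grants database", "Finance Director", "relational tables",
              "db cluster", frozenset({"rdbms-9"})),
        Asset("Old intranet pages", None, "HTML", "web server",
              frozenset({"cms-2"})),
        # "stats-pkg" is deliberately missing from the technical register.
        Asset("Survey returns", "Head of Research", "CSV", "file share A",
              frozenset({"fileserver-1", "stats-pkg"})),
    ]
    components = [
        Component("fileserver-1", "File Storage", None),
        Component("rdbms-9", "Database", date(2012, 6, 30)),
        Component("cms-2", "Enterprise Application", date(2011, 3, 31)),
        Component("wp-viewer", "Desktop Application", date(2009, 12, 31)),
        Component("ocr-suite", "Desktop Application", None),
    ]
    requirements = [
        Requirement("Case files 2005-2009", "caseworkers", "open and read",
                    date(2016, 12, 31)),
        Requirement("Grants database", "finance team", "query and edit",
                    date(2020, 3, 31)),
        Requirement("Survey returns", "analysts", "reanalyse", date(2013, 12, 31)),
    ]
    return assets, components, requirements

def misalignments(assets, components, requirements, today):
    """Cross-reference the three registers and return sorted names per category."""
    registered = {c.ident: c for c in components}
    needed_until = {}             # asset name -> latest date it is still required
    for r in requirements:
        if r.keep_until >= today:
            needed_until[r.asset] = max(r.keep_until,
                                        needed_until.get(r.asset, r.keep_until))

    def live(cid):                # registered and not past its end of life
        c = registered.get(cid)
        return c is not None and (c.end_of_life is None or c.end_of_life >= today)

    report = {"unsupported_assets": [], "at_risk_assets": [],
              "unrequired_assets": [], "unowned_assets": []}
    used_by_any, used_by_required = set(), set()
    for a in assets:
        used_by_any |= a.depends_on
        if not a.owner:
            report["unowned_assets"].append(a.name)
        if a.name not in needed_until:
            report["unrequired_assets"].append(a.name)    # candidate for disposal
            continue
        used_by_required |= a.depends_on
        if not all(live(c) for c in a.depends_on):
            report["unsupported_assets"].append(a.name)   # continuity risk now
        elif any(registered[c].end_of_life is not None
                 and registered[c].end_of_life < needed_until[a.name]
                 for c in a.depends_on):
            report["at_risk_assets"].append(a.name)       # support ends too early
    # Components no asset uses, and components used only by unrequired assets.
    report["unrequired_capability"] = list(set(registered) - used_by_any)
    report["unnecessary_support"] = list(
        (set(registered) & used_by_any) - used_by_required)
    return {k: sorted(v) for k, v in report.items()}

def impact_of_change(assets, component_id):
    """Assets, with their owners, that depend on one technical component."""
    hits = [(a.name, a.owner) for a in assets if component_id in a.depends_on]
    return sorted(hits, key=lambda pair: pair[0])

if __name__ == "__main__":
    a, c, r = build_register()
    for category, names in misalignments(a, c, r, date(2010, 6, 1)).items():
        print(f"{category}: {names}")
    print("affected by fileserver-1:", impact_of_change(a, "fileserver-1"))
```

In the sample data an asset that depends on a component missing from the technical register is reported as unsupported, which is also how a gap in the register itself shows up.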

2.4 Stage 3: Assess and manage risks to digital continuity

This section of the guidance sets out approaches to help you ensure that you are managing the risk of losing digital continuity. The actions in this section will support you in establishing appropriate governance and risk management structures, assigning responsibility for the management of risk to digital continuity, and assessing your current level of risk.

Diagram 7: Assess and manage risks to digital continuity

Diagram labels: Stage 3 Assess and manage risks to maintaining digital continuity; Create a framework for managing risk; Embed ongoing digital continuity risk assessment; Undertake a risk assessment; Create and implement a prioritised digital continuity action plan.

2.4.1 Why you need to manage risks to digital continuity

Risk to digital continuity is an information risk. It should be managed in line with your general information risk management procedures and (for government departments) the CESG Information Assurance Maturity Model [3], and be included in your annual Statement on Control.

[3] http://www.cesg.gov.uk/products_services/iacs/iamm/index.shtml

Risks to digital continuity should be recognised at an organisational level, and at a more granular level in the areas of information management, IT management, information assurance and business change. If you do not have appropriate risk management and information governance processes in place, you cannot know whether you are identifying and managing your risk to digital continuity effectively.

Undertaking a comprehensive digital continuity risk assessment for your organisation will enable you to quantify the risk you face, identify key areas of concern, and prioritise actions to mitigate your risks. Larger organisations may wish to take a phased approach to risk assessment, tackling priority areas first. Embedding ongoing digital continuity risk management will ensure that you continue to identify and manage your risk to digital continuity.

2.4.2 Actions to take

1. Ensure that there is a clear framework of roles and responsibilities for identifying and managing risk to digital continuity within your organisation:
o Ensure the SIRO recognises risks to digital continuity as an information risk to be managed through the established governance structures.
o Ensure your organisational risk appetite is informed by a good understanding of the business value of your information and the consequences of losing it.
o Ensure that the assigned Senior Responsible Owner for digital continuity understands the need to manage risks to digital continuity
o Identify the specific responsibilities of the KIM, IT and IA teams for managing risks to digital continuity.
o Ensure each of your information assets has an Information Asset Owner with responsibility for managing risks to their information asset.

2. Undertake a comprehensive digital continuity risk assessment for your organisation
o Direct the multi-disciplinary digital continuity project team to carry out an initial risk assessment and action planning exercise. This team needs to identify your risks to digital continuity, develop and implement mitigation strategies, and initiate appropriate action.
o Organise and undertake an assessment of risks to digital continuity and ensure outputs are reflected in information risk registers

3. Prioritise action you need to take to ensure digital continuity
o Identify and prioritise key risks to digital continuity and any existing issues arising from the assessment
o Develop an action plan to address these risks to be taken forward by your digital continuity project team, with timescales and resources as appropriate
o Monitor the progress of actions to manage risks to digital continuity to ensure they are appropriately implemented and that mitigations have been effective

4. Establish and embed ongoing digital continuity risk assessment and incident management
o Incorporate digital continuity into your Information Risk Policy and risk management processes
o Maintain a schedule of risks and mitigations for each individual information asset
o Develop procedures to periodically test that the accessibility and usability of information assets meets your stated business requirement, testing whether or not you have maintained digital continuity, the effectiveness of mitigations, and whether it faces new risk
o Establish a process for the systematic and regular review of risks to the digital continuity of your information assets as part of their lifecycle management
o Identify and document any risks to digital continuity that are within your risk appetite and therefore have no planned mitigation
o Identify any risks where mitigation or management is dependent on third parties or external suppliers and establish a mechanism for monitoring their progress and compliance
o Agree the timing and process for reviewing and repeating your comprehensive digital continuity risk assessment
o Manage digital continuity incidents and problems through your information assurance incident and problem management procedures, and include them in your incident reporting and metrics

2.5 Stage 4: Manage digital continuity through organisational and technological change

This section explains the importance of managing change in a way that maintains your digital continuity, whether this is minor local change or major organisational change, and outlines how you can manage change to deliver digital continuity.

Diagram 8: Manage digital continuity through organisational and technological change

Diagram labels: Stage 4 Manage digital continuity over time and through organisational and technological change; Resolve issues and restore digital continuity; Take action to mitigate risks to digital continuity; Assess impact of organisational or business change on digital continuity; Assess impact of asset, IM or IT change on digital continuity; Reflect digital continuity in business plans and architecture; Embed digital continuity in management of your assets; Standardise your technical environment.

2.5.1 Why managing change is key to digital continuity

Change is the main context in which digital continuity problems arise. This might be major organisational or machinery of government change, or a series of minor local changes to priorities, IT systems, or ways of working. It might affect the alignment of information assets, technical environment and utility (see diagram 1), or the organisational structures and responsibilities that support the management of risks to digital continuity.

Anyone who is managing change at any level should consider the impact on digital continuity. KIM and IT teams need to take particular responsibility for safeguarding your organisation's information assets through organisational and technological change by incorporating digital continuity into their change management processes. The ability to access and use information when and how you need to is important to the functioning of your organisation, and digital continuity should therefore be regarded as an aspect of business continuity.

Significant change offers the opportunity to identify better ways of doing things. If digital continuity is considered properly in the planning stages, you could realise savings and efficiencies through providing the right level of continuity for the right information. This will enhance your ability to use and re-use your information, and avoid the need to take expensive mitigating actions in future.

2.5.2 Actions to manage changes that could impact on digital continuity

1. Consider digital continuity when planning and managing business change, including Machinery of Government changes and changing business requirements:
o Ensure business change policies and processes identify the information risks that arise in the event of organisational changes and changes to business requirements
o Add risk to digital continuity to your change management and project and programme risk registers as appropriate
o Include a digital continuity impact assessment in the planning and implementation of business change projects. This must consider whether the business change impacts on the utility you need from the information (how and when information is to be used and by whom), how the information assets are managed and the technical environment that supports them.
o Ensure that any new business requirement for using information now or in the future is identified and reflected in the way you manage your information assets and IT.
o Ensure that any new information assets received as the result of machinery of government change are incorporated into your digital continuity risk management processes and Information Asset Register.

o Ensure that Information Asset Owners are accountable for the stewardship and safe handover of information assets through organisational changes, including machinery of government change
o Ensure that digital continuity is addressed in your Business Contingency Plan.

Refer to Guidance on the Transfer of Records, Information and Knowledge for a step-by-step guide to planning and managing machinery of government change.

2. Consider digital continuity when planning and managing change to your information assets, information management and technical environment:
o Maintain an understanding of your IT contracts and licensing, warranties and support periods, and expected end-of-life, in order to predict and plan for change.
o Establish policies and processes for assessing the impact on digital continuity from any changes to your information assets, management procedures or technology; include it in your impact assessments, operational change control and configuration management processes before the implementation of proposed changes.
o Assess the impact on digital continuity from your strategic development plans and the implementation of new projects, including implementing new information systems and technologies, procedures and ways of working and legislative requirements
o Ensure that your IT suppliers similarly undertake a digital continuity impact assessment before making changes that could affect the information assets they manage.
o Plan and implement mitigations for any risks you identify through these processes to ensure that the usability of your information assets is not affected by the change
o Test the digital continuity of affected information assets following any changes to the information management or technology environment: can you still use the information asset in the way you need to?

2.5.3 Actions to reduce the potential impact of change on digital continuity

1. Reflect the utility you need from your information in business planning, architectures and procurement cycles
o Include digital continuity as a key business outcome that must be supported by your new IT and information management systems and processes and procurement projects
o Ensure that your enterprise architecture planning and implementation reflects the business utility you need from your information and the need to ensure digital continuity.
o Build a consideration of the long-term utility of information into IT system design and development, to minimise the impact and cost of change.
o Ensure that service requirements and outcomes developed in the procurement or development of new IT solutions define in full both the information assets covered by the contract/solution and the utility you need from them.
o Include the need to maintain the utility of your digital information assets in contracts with IT service providers, obliging them to assess the impact of any changes on this utility over the duration of the contract. (See guidance on using the OGC Model Agreement for ICT Services for more information). [4]

2. Standardise your technical environment
o Standardise your technology (software, environment and formats used) to minimise reliance on bespoke systems, proprietary software or complex formats. This will make your technology environment easier to manage and ensure that changes have minimal impact on digital continuity.
o Maximise the use of open standards
o Migrate information assets to standardised technology and open standards wherever possible to ensure it is future-proofed and less at risk of future change
o Implement configuration management systems to ensure you maintain a good understanding of your technology, its relationships and the information assets it supports

[4] See http://www.nationalarchives.gov.uk/electronicrecords/digitalcontinuity/guidance on digitalcontinuity.htm

3. Embed digital continuity in the way you manage your information assets
o Maintain the context of your information assets, including managing its metadata appropriately: model the metadata you create and need, use metadata standards and implement a policy for metadata completion and compliance and maintenance through change.
o Manage the audit data for your information assets: understand what audit data you might need to demonstrate the provenance or authenticity of your information or to manage it through changes. Then implement a plan for creating, capturing and maintaining the audit data you need.
o Manage the accessibility of your information assets: implement policies on managing the access and location of your information, use search tools effectively and ensure the organisation can easily locate and identify unstructured information assets or those in hard to find locations.
o Improve the data quality of information assets, improving metadata or content to ensure it is easier to find, migrate and manage.

2.5.4 Actions to mitigate risks to digital continuity

The action you will need to take to mitigate risks to digital continuity will vary depending on your requirements, but the following outlines a number of actions you may need to take to minimise the potential impact of change from a technical perspective:

1. Migrate information assets to a different format, system or database or hardware
2. Install viewing software to provide continued access to obsolete, unavailable or little-used formats and systems
3. Use hardware virtualisation to provide an environment for using information in obsolete or unavailable formats and systems
4. Archive information assets that you need to keep but no longer need for everyday business use
5. Reduce overall data volumes and improve efficient use of storage

2.5.5 Actions to restore digital continuity

1. Identify where you can no longer use your information asset as you need to, and the likely cause of failure

2. Ensure that the incident is recorded and that there is a process for managing and monitoring resolution of digital continuity incidents
3. Implement action to restore the usability of the information as appropriate, which may include:
o Undertaking data recovery and restoration
o Migrating the information to an alternative format or system
o Improving or enhancing data quality
o Implementing new technology eg viewer software, or virtualised environment

PART 3: WHO NEEDS TO DO IT

3 Roles and responsibilities for ensuring digital continuity

This section of the guidance identifies how different roles across the organisation have specific responsibilities for ensuring digital continuity, and why digital continuity is important for them. Every organisation is different and roles, responsibilities and job titles may vary so you may assign responsibilities differently in practice. But this section should give you a generic overview of who needs to do what.

The types of roles covered are:
o Digital Continuity Senior Responsible Owner (SRO)
o Senior Information Risk Owners (SIROs)
o Chief Information Officer (CIO)
o Information Assurance (IA) programme managers and other IA professionals
o Risk Managers
o Head of Knowledge and Information Management (KIM)
o KIM professionals working in Information and Records Management areas
o Information Asset Owners
o Chief Technology Officers (CTOs)
o Enterprise Architects/IT strategists
o IT service managers
o Procurement managers, Commercial/contract managers
o Business Change Managers, Project and Programme managers
o Heads of e-comms

The Senior Responsible Owner for digital continuity will need to pull together a crossdisciplinary team from the relevant areas that can address all of the roles described here. Although the roles are generic and may not necessarily match the team members exactly, it is critical to success that an identified member of the digital continuity team accepts ownership and accountability for each of the responsibilities described against the roles. 3.1 Digital Continuity Senior Responsible Owner (SRO) Responsibility To own the business objective of digital continuity i.e. the ability to use information for as long as the business needs to, in the way it needs to. To be the operational lead on ensuring digital continuity is ensured and embedded across the organisation To form and lead a multi-disciplinary project team to understand and take action on risks to digital continuity and embed it in business processes across KIM, IT, IA and any other relevant function. Why this role is important for ensuring digital continuity Digital continuity requires action and intervention from various functions across the business and a Senior Responsible Owner is needed to drive these actions, secure collaboration and deliver benefits Who takes this role will depend on your organisation it could be CIO; Head of KIM; CTO or another person with responsibility and remit for managing digital information, IT or information risk. 3.2 Senior Information Risk Owners (SIROs) Responsibility To ensure that risk to digital continuity is adequately identified and mitigated, as an integral part of the departmental information assurance and risk management strategy Page 41 of 56

- To ensure that the digital continuity requirements of the Information Assurance Maturity Model and Assessment Framework (IAMM) [5] are implemented.
- To ensure that a Senior Responsible Owner for digital continuity is assigned, with overall responsibility for ensuring digital continuity and to take forward actions to achieve this.

Why this is important for SIROs

- Continued information availability is a central aspect of digital continuity and an essential component of information assurance; it is recognised as such in the National Information Assurance Strategy (NIAS) [6].
- SIRO support for digital continuity within the organisation will help deliver a more comprehensive and business-led approach to information assurance.
- Continuity measures are now included in the Information Assurance Maturity Model (IAMM): http://www.cesg.gov.uk/products_services/iacs/iamm/media/iammassessment-framework_v2.pdf; SIROs have a responsibility to ensure that continuity is addressed as part of the IA framework.
- Loss of digital continuity can affect departmental reputation in respect of assurance.

[5] See: http://www.cesg.gov.uk/products_services/iacs/iamm/media/iamm assessment framework.pdf
[6] See: http://www.cabinetoffice.gov.uk/media/cabinetoffice/csia/assets/nia_strategy.pdf

3.3 Chief Information Officers (CIO)

Responsibility

- To own and champion the business outcomes and benefits of ensuring the continuity of information assets (the CIO may be the person in your organisation who appoints the SRO for Digital Continuity in practice).
- To ensure the right people in the organisation understand the digital continuity issue and to ensure resource and priority is given to take forward and embed action on digital continuity.
- To steer or validate work on ensuring digital continuity and defining the desired business utility of information assets.
- To champion the process of defining the organisation's information assets and their utility through the information asset register.

Why this is important for CIOs

- Digital continuity is an essential attribute of information and impacts on your organisation's ability to achieve its strategic objectives.
- Digital continuity supports a business-led approach to the information domain. It is a reference point which encourages the right collaborative relationship between information management (IM), information technology and systems (IT/IS/ICT), information assurance (IA), information asset owners, business area owners and business change teams.
- There can be efficiency gains from adopting a digital continuity approach, including cost savings, and it supports the effective exploitation and reuse of your information.
- Using the information asset register to define assets at the level of the information itself, not just at systems level, is a powerful tool for culture change, encouraging a business-led rather than technical approach to effective information and knowledge management.

3.4 Information Assurance (IA) programme managers and other IA professionals

Responsibility

- To ensure that digital continuity is addressed as part of the spectrum of Information Assurance and risk management measures within the organisation.

Why this is important for Information Assurance managers and specialists

- Digital continuity provides a framework for articulating a wider approach to information assurance to include availability.
- It encourages collaboration from other parts of the business and roots managing information risks firmly in the business.
- IM and IT actions to ensure continuity will help achieve IA objectives in respect of the security and performance of information assets.

3.5 Risk Managers

Responsibility

- To ensure that any risks to digital continuity identified by digital continuity risk assessment processes are properly managed through their organisation's risk management framework.

Why this is important for Risk Managers

- Digital continuity needs to be considered as part of the organisation's spectrum of risks.
- Given the cross-disciplinary nature of digital continuity, the proper management of risks associated with it can often help mitigate risks in other areas, e.g. business change, asset management. Conversely, a failure to address risks in these areas can negatively impact on wider business risks.

3.6 Head of KIM

Responsibility

- To lead work to define what business utility the organisation needs to achieve from its information assets and over what timescale.
- To ensure business utility and continuity requirements are articulated and integrated into relevant Knowledge and Information Management/Record Management strategies and policies, and business change processes.
- To play a key role in the operational work to ensure digital continuity is addressed on an ongoing basis by the organisation.

Why this is important for the Head of KIM

- Digital continuity is essential to the delivery of Knowledge and Information Management and Record Management business outcomes.
- Conversely, loss of digital continuity will directly affect the ability of the business to use information to achieve its objectives, and will therefore impact directly on the effectiveness of the information management function.

- Because it demands an integrated relationship between the information management and IT functions, it promotes the role of the information manager in determining business outcomes that IT needs to enable.
- It supports knowledge management over time and organisational change.
- Ensuring digital continuity directly helps KIM professionals at the levels of strategist, leader and manager, to achieve the outcomes on the Government KIM Professional Skills Framework, particularly in respect of business continuity, lifecycle management and information risk management.

3.7 KIM professionals working in the Information and Records Management areas

Responsibility

- To work with the Head of KIM in identifying risks to digital continuity and issues for the organisation.
- To ensure that 'what to keep' and other information retention decisions are made and implemented, and are used to help define the ongoing utility of information assets to the organisation, so that the organisation only prioritises the digital continuity of the information assets it really needs.
- To ensure that information and records management processes adequately cover digital information, e.g. as outlined in the FOIA section 46 code of practice.
- To help undertake the operational work to ensure digital continuity is addressed on an ongoing basis by the organisation.

Why this is important for KIM professionals working in the Information and Records Management areas

- Digital continuity is essential to the long term effectiveness and sustainability of the information and records management process.
- Because digital continuity demands an integrated relationship between the information management and IT functions, it promotes the role of the information/records manager in determining business outcomes that IT needs to enable.
- Ensuring digital continuity directly helps KIM professionals at the levels of leader, manager and practitioner, to achieve the outcomes on the Government KIM Professional Skills Framework, particularly in respect of business continuity, lifecycle management and information risk management.

3.8 Information Asset Owner (IAO)

Responsibility

- To act as the business owner of an information asset, as described in the Cabinet Office Guidance on Mandatory Roles [7].
- To understand what information assets they are responsible for, the utility needed from that asset and the risks to continuity of the asset.
- To maintain information about those assets in the information asset register.
- To ensure that processes are in place to support the digital continuity of their information asset so that it can be used as needed over time and through change.

Why this is important for Information Asset Owners

- Without a properly granular understanding of their information assets, Information Asset Owners will be unable to make the right business decisions about the value of those assets and how they want to keep and use them in the future.
- Loss of access to those assets, or loss of the ability to rely on them, would seriously hamper the objectives of the IAO's area of business.
- Risks to digital continuity of information assets are significant information risks that the IAO needs to manage as part of the information governance and risk management structure.

[7] See http://www.cabinetoffice.gov.uk/media/45149/guidance_on_mandatory_roles.pdf

3.9 Chief Technology Officers (CTOs)

Responsibility

- To ensure the organisation's technical environment enables the continuity of information assets in line with the business requirement, over time and through change.

Why this is important to CTOs

- Digital continuity supports IT/IS in delivering business benefits by providing a framework where the business drivers which need enabling technology can be more clearly defined. That makes for greater efficiency, a better business planning process, and best use of technology. It can help drive a more efficient technical architecture.
- It also defines a collaborative process which improves communication between the technical and non-technical parts of the business.
- Taking digital continuity actions could help save resource and lead to cash savings.
- It mitigates the loss of information through obsolescence, incompatibility or a lack of interoperability.

3.10 Enterprise Architects/IT strategists

Responsibility

- To ensure that enterprise architecture and/or IT strategies properly account for the ongoing business need to use information over time and through change.
- To maintain a close dialogue with other colleagues from KIM, IA and business change who are involved in digital continuity.

Why this is important for Enterprise Architects/IT strategists

- Ensuring digital continuity is a core business requirement for all organisations. If it is not taken into account in enterprise architectures or IT strategies, their value will be deficient.
- Conversely, understanding the continuity requirement of business information helps give focus and clarity to the information aspects of enterprise architectures and IT strategies, and lends them traction within the business.

3.11 IT Service Managers

Responsibility

- To ensure technology is delivered and maintained to enable continuity of information assets in line with the business requirement.

- To ensure that IT service change management processes take account of the impact on the digital continuity of information assets.
- To maintain a close dialogue with other colleagues from KIM, IA and business change who are involved in digital continuity.

Why this is important for IT Service Managers

- Digital continuity supports IT in delivering business benefits by providing a framework where the business drivers which need enabling technology can be more clearly defined. This can help ensure a more efficient and effective use of technology which keeps meeting the business requirement over time and through change.
- Digital continuity will also improve configuration management and transition of IT services over time, reducing the risk of inadvertent impact on information assets.

3.12 Procurement managers and commercial and contract managers

Responsibility

- To ensure that new supplier contracts refer to an information asset register, with defined service outcomes describing the utility required for each information asset.
- To ensure that appropriate responsibility for identifying and managing continuity issues is clearly defined in supplier contracts, obliging the supplier to maintain the IAR and assess the impact of any contract change on the information assets.
- To ensure that suppliers deliver on their obligations.
- To maintain a close dialogue with colleagues in IT, IM, IA and business change areas that are involved in defining the business continuity requirements.

Why this is important for procurement/commercial/contract managers

- Ensuring digital continuity will drive departments to identify the information assets and clearly articulate the accessibility and usability (business utility) requirements from these assets in the procurement and contractual context. This will help suppliers identify their costs, risks and responsibilities more clearly.
- Suppliers can be clear about what information assets they hold and what responsibilities they have for maintaining them during the lifetime of the contract. This helps contract managers understand more clearly the business requirement that the supplier needs to deliver, giving them better control over supplier performance management, and can drive cost effectiveness.

- Suppliers and contract managers are better able to identify and manage the impact of change on the usability and utility of information assets, so that the costs and benefits of any change in requirements during the contract can be properly measured and evaluated.

3.13 Business Change Managers, Project and Programme Managers

Responsibility

- To ensure that continuity is appropriately taken into account in any business change process.
- To ensure that continuity is taken account of in any relevant changes to the business as the result of new project/programme implementation.
- To ensure that this is considered with relevant colleagues (e.g. from the KIM team/ocio) at the start of projects and programmes and at relevant change points thereafter.

Why this is important for business change managers

- Disruption to, or loss of continuity as a result of business change can lead to loss of operational capability, or loss of assets, or to a deterioration in public service delivery, or to a loss of reputation and public confidence.
- Ensuring continuity is taken account of in change processes helps ensure their success in delivering business benefits.
- Some project and programme implementation could impact on the continuity of information, either by changing the business requirement for ongoing information access, or by changing the technical or business environment in which that information can be accessed. Considering this aspect of the impact of a new project or programme should be a core part of the project/programme management function.

3.14 Heads of e-comms

Responsibility

- To work with head of KIM in identifying risks to digital continuity and issues for the organisation.
- To work with the head of KIM to define what business utility the organisation needs to achieve from its information assets and over what timescale.

- To ensure business utility and continuity requirements are articulated and integrated into relevant Knowledge and Information Management and IT strategies and policies, and business and technological change processes.
- To play a key role in the operational work to ensure digital continuity is addressed on an ongoing basis by the organisation.

Why this is important for the head of e-comms

- Digital continuity is essential to the delivery of the Communication strategy in departments.
- Conversely, loss of digital continuity will directly affect the ability of the business to make information available to the public, thus undermining confidence in the effectiveness of the information management function.
- Because it demands an integrated relationship between the information management and IT functions, it promotes the role of the information and communications managers in determining business outcomes that IT needs to enable.

PART 4: HOW TO MEASURE SUCCESS

4 The digital continuity success model

This section of the guidance explains where to start. It outlines some actions to take now, and lays out the path for progressing towards fully embedded management of digital continuity (summarising the actions covered earlier in this guidance).

The success model allows an organisation to monitor its progress in managing digital continuity. It provides a chronological sequence of actions that may be required to manage digital continuity and the key indicators for successful completion of each action.

This model is recommended as best practice for managing digital continuity. However, it is not prescriptive and organisations should draw from it to create a suitable digital continuity management plan that fits their own business requirements.

Stage 1: Understand digital continuity and recognise the need for action

Action: Ensure your SIRO is aware of digital continuity
Key Performance Indicators:
- Digital continuity is incorporated into information risk management processes

Action: Assign a Senior Responsible Owner (SRO) for managing digital continuity
Key Performance Indicators:
- SIRO has appointed Digital Continuity SRO
- SRO has been identified and given appropriate resource, and has a clear route for elevating issues

Action: SRO ensures IT, KIM and IA managers understand digital continuity and their responsibilities
Key Performance Indicators:
- Key managers have been briefed and have defined steps to address digital continuity as outlined in this guidance

Action: SRO establishes a multi-disciplinary team to take action
Key Performance Indicators:
- A complete and appropriately resourced project team has been established and given a remit to act
- Project governance and reporting structure has been agreed

Action: SRO engages IT providers on the issues and their responsibilities
Key Performance Indicators:
- IT providers have been briefed on digital continuity and their responsibilities in the context of the service they provide

Action: Include managing digital continuity as a driver in relevant strategies
Key Performance Indicators:
- The need to manage digital continuity is explicitly referenced in IT, IA, KIM, Change Management, and any other relevant strategies

Action: Build a business case for further action
Key Performance Indicators:
- Risk assessment has been agreed to and resource allocated

Stage 2: Identify what information assets you have, their technical environment and how you want to use them

Action: Secure SIRO agreement to use the Information Asset Register (IAR) to support managing digital continuity
Key Performance Indicators:
- Requirements specifications for changes to IAR agreed by SIRO

Action: Identify your information assets
Key Performance Indicators:
- You know what information assets you have (from the perspective of content and business use)

Action: Define the business utility of your information
Key Performance Indicators:
- You understand what information you need to keep, how you will need to use it, and for how long

Action: Understand the technical environment supporting your information
Key Performance Indicators:
- You understand the nature of your technical environment and planned changes to it, the formats you are using and their obsolescence risk

Action: Compile a full IAR
Key Performance Indicators:
- You can understand the links between your information assets, utility requirements and technical environment and identify dependencies between these elements
- You have a process in place for ensuring the IAR is kept up to date, with clear ownership

Action: Ensure information assets have accountable owners
Key Performance Indicators:
- All assets have an Information Asset Owner (IAO)
- IAO responsibilities for managing digital continuity are reflected and monitored through your information governance structures

Action: Identify misalignments
Key Performance Indicators:
- You know which of the information assets that you need are currently not supported by the right technology

Action: Identify savings and efficiencies
Key Performance Indicators:
- Information assets are held in optimum formats and efficient storage
- Unneeded assets have been identified and disposed of
- Unneeded technology has been identified and disposed of

Stage 3: Assess and manage risks to maintaining digital continuity

Action: Create a framework for managing risk
Key Performance Indicators:
- A clear framework of roles and responsibilities has been defined for your organisation

Action: Undertake a risk assessment
Key Performance Indicators:
- Digital continuity risk assessment completed and report signed off by SIRO and SRO

Action: Create and implement a prioritised digital continuity action plan
Key Performance Indicators:
- Results of risk assessment incorporated into appropriate risk registers
- Actions and priorities agreed

Action: Embed ongoing digital continuity risk assessment
Key Performance Indicators:
- Process for regular review of risks to digital continuity in place
- Digital continuity incident reporting structure in place
- Procedures in place to test the completeness, availability and usability of information assets periodically, and after action or change

Stage 4: Manage digital continuity over time and through organisational and technological change

Action: Manage information through organisational change
Key Performance Indicators:
- Digital continuity is included in business change policies and processes
- Procedures in place to test the completeness, availability and usability of information assets after change

Action: Assess impact of asset, IM or IT change on digital continuity
Key Performance Indicators:
- Digital continuity is included in policies and processes for managing change to assets, IM and IT
- Procedures in place to test the completeness, availability and usability of information assets after change

Action: Ensure IT suppliers maintain utility of information assets
Key Performance Indicators:
- OGC model agreement used in future IT procurement
- Digital continuity impact assessment included in all IT supplier change procedures

Action: Reflect digital continuity in business planning, architectures and procurement cycles
Key Performance Indicators:
- Digital continuity is specified as a key business outcome to be supported by new systems and architectures, and included in acceptance testing

Action: Standardise your technical environment
Key Performance Indicators:
- You have identified where open standards and technical standardisation can help deliver digital continuity, and implemented necessary changes

Action: Embed digital continuity in the management of your information assets
Key Performance Indicators:
- You have identified where changes to the way you manage your information can better support digital continuity, and implemented them

Action: Take action to mitigate risks to digital continuity
Key Performance Indicators:
- You have identified where changes to your information assets and technical environment can reduce the risk to digital continuity, and implemented them

Action: Resolve issues and restore digital continuity
Key Performance Indicators:
- You have identified which information assets can no longer be used as needed and taken appropriate action to restore their usability
- Incidents have been managed in accordance with your incident management process

Further reading

Having read this guidance, you may also find it useful to refer to:

8.1 Other Digital Continuity guidance:

- Digital Continuity: an Introduction to the Wider Context
- An Overview of the Benefits of Ensuring Digital Continuity
- Managing Digital Obsolescence Risks: Guidance for SIROs
- Use of the Information Asset Register in ICT Services Procurement and Contract Management

All Digital Continuity Project guidance is available at http://www.nationalarchives.gov.uk/electronicrecords/digitalcontinuity/guidance-ondigital-continuity.htm

8.2 Other publications on information and records management

- Guidance on the Transfer of Records, Information and Knowledge [8]
- Information Matters: government's strategy for building capability in managing knowledge and information [9]
- Information Assurance Maturity Model [10]
- National Information Assurance Strategy [11]

[8] See http://www.nationalarchives.gov.uk/documents/mog.pdf
[9] See http://www.nationalarchives.gov.uk/documents/information matters strategy.pdf
[10] See http://www.cesg.gov.uk/products_services/iacs/iamm/media/iamm assessment framework_v2.pdf
[11] See http://www.cabinetoffice.gov.uk/media/cabinetoffice/csia/assets/nia_strategy.pdf

- The Lord Chancellor's Code of Practice on the Management of Records (issued under Section 46 of the Freedom of Information Act). [12]
- Managing Information Risk: A guide for Accounting Officers, Board members and Senior Information Risk Owners [13]

[ends]

Published November 2009 in draft for review

[12] See http://www.justice.gov.uk/guidance/foi guidance codes practice.htm
[13] See http://www.nationalarchives.gov.uk/services/publications/information risk.pdf