Digital Continuity: An introduction
Digital continuity… The ability to use your information in the way you need for as long as you need
Information is usable if you can… Find it when you need it Open it as you need it Work with it in the way that you need to Understand what it is and what its about Trust that it is what it says it is
It does make the headlines…
We havent made this up… Any electronic data degrades over time. Some of this information is more than 20 years old. I'm not even sure that the xxx still has the tools needed to retrieve data from that era. You're talking about technology that would qualify as museum pieces now. The transition to the new system has, however brought to light discrepancies in our existing records and this is resulting in a number of incorrect notices being issued. The only evidence beyond surmise that Dept X rely upon to support their assertion that the document is not held, is their failure to locate it. Transfer of records from Dept Y to Depts Z and A has resulted in two scenarios that have effectively rendered metadata captured in the EDRMS as lost.
Digital information is vulnerable… Risks are inherent in change o Organisational change o Technology change o Process and policy change in how information is managed
The impact of change… o information ownership becomes unclear - risks are missed or unmanaged o information is not disposed of appropriately o information is not migrated to new technologies effectively o information is trapped in legacy IT systems – or locked in a format that cant be opened or used o information is no longer understood by the organisation – or cannot be trusted
Why it matters… o Efficiency and effectiveness o Transparency and accountability o Managing information risk
Managing digital continuity… 10 Plan for action Define what you need Assess and manage risks Maintain digital continuity
The Digital Continuity Service… 11 Guidance Risk Assessment Self-Assessment Tool Procurement Framework DROID
Stage 1: Planning
Managing digital continuity… 13 Define what you need Assess and manage risks Maintain digital continuity Plan for action
Plan for Action… Key roles understand risk and responsibilities SRO for digital continuity Multi-disciplinary team Embed approach in business as usual
Role of the SRO… Champion digital continuity Lead action to manage risk and embed Co-ordinate across disciplines Prioritise resources Escalate issues
Introducing DoRA… You are the SRO Who do you need to be involved in managing digital continuity? What are their drivers for taking action?
Roles and responsibilities… SIRO and information risk management IAOs Information assurance Information management Information technology Change and project management
Stage 2: Define Requirements
Managing digital continuity… 19 Assess and manage risks Maintain digital continuity Plan for action Define what you need
Information Assets Technical Environment Business Needs Digital Continuity
21
Information Assets Technical Environment Business Needs Digital Continuity
Information Assets Technical Environment Business Needs
Information Assets Technical Environment Business Needs
Information Assets Technical Environment Business Needs
Information Assets Technical Environment Business Needs
Information Assets Technical Environment Business Needs
Understand what information you have and how its managed… What information do you have? Where is it? How is it organised and managed? Have you defined all your information assets?
An information asset is a body of information defined and managed as a single unit so that it can be understood, shared, protected and exploited effectively Understand what information you have and how its managed…
Understand how you need to use your information… Who needs to be able to find it? What do they need to be able to open it? How do they need to work with it? Can they understand what it is and what it is about? Can they trust that it is what they think it is?
Understand your technical environment… What IT systems do you have? What is their lifecycle? What hardware are they reliant on? What is their lifecycle? What file formats is your information in? What storage media are you using?
Define what you need for digital continuity… Usable = complete + available
Documenting what you know… Information Asset Register Configuration Management Database Maintenance as important as capture
Understanding DoRA… You have to build an: o Information Asset Register o Configuration Management Database What information do you need to capture? How can you maintain the relationships between the information assets and technology?
IAR Name and description Owners and users Retention period Usability requirements Technology dependencies CMDB Lifecycle Support and warranties Dependencies and relationships Owners and users Information assets
Over lunch…. Questions Confessions DROID demo
Stage 3: Risk Assessment
Managing digital continuity… 38 Maintain digital continuity Plan for action Define what you need Assess and manage risks
Information Assets Technical Environment Business Needs Digital Continuity
Identify your risks (and opportunities)… Do you know what information you have, where it is, what its for? Does the way you manage your information and IT environment keep your information usable as you need? Are there opportunities to get rid of information and technology you dont need?
Risk assessment… You can assess your whole organisation You can assess risks to particular assets – perhaps at point of change Regularly review and update risk assessments
Risk assessing DoRA… What risks to digital continuity is DoRA facing? How can you mitigate against them? Can you identify just FIVE mitigations to address all of the risks youve found? Feedback: What is your highest priority mitigation and what risks will this address?
Mitigation strategies… Change your : o technology o information o policies and procedures o Governance And test for continuity
Stage 4: Maintaining
Managing digital continuity… 45 Plan for action Define what you need Assess and manage risks Maintain digital continuity
Maintain your digital continuity… Plan for change o Build your digital continuity and usability requirements into your plans and processes o Manage your IT and information for future flexibility and agility Manage digital continuity through change o Change Projects to assess impact on information
Technology Change at DoRA… Supplier is withdrawing support for BlackHole 2.0. Three choices of what to do now: o Keep using the legacy system o Buy an off-the-shelf product o Build another bespoke system Assess the risk to digital continuity of your information from each option Identify potential mitigations in each case Feedback - Decide what option you would choose and why
Assessing the risks… Legacy technology hard to maintain – risks increase over time Bespoke technology becomes legacy eventually Bespoke technology requires specialist knowledge to maintain Off-the-shelf may not meet all business needs Off –the-shelf might still bring interoperability issues – can you migrate data in?
Organisational change at DoRA… Review of ALBs prompts reorganisation of DoRA with its agencies being closed, transferred or merged. Assess the risks to digital continuity from these changes Identify possible mitigations in each case Decide how you will tackle the operational process of managing this change Feedback – what are the key elements of your action plan?
Managing change … Think about prevention and preparation for change Manage the process Learn lessons Key things to remember: o Ownership o Usability requirements o Relationships between technology and information o Knowledge and skills needed o Mapping policies and procedures o Maintaining governance
Final Thoughts
What to take home with you… 1) Ownership is important – digital continuity needs to be a strategic objective recognised at the highest level. An SRO is needed to drive and co-ordinate action.
What to take home with you… 2) Cross-disciplinary approach – digital continuity can only be managed with collaboration across IT, IM, IA and change and project teams.
What to take home with you… 3) Prevention not restoration – preventing a loss of digital continuity is easier than restoring it – but learn from incidents to improve your risk management.
What to take home with you… 4) Focus on information usability – put how the business needs to use its information at the centre of your approach to managing digital continuity.
What to take home with you… 5) Embed in operational processes – make sure digital continuity management is part of existing IT, IM, IA, project and change management policies and processes.
And what to do now… 1) Find out more about digital continuity – understand the issues and how they affect your own organisation.
And what to do now… 2) Find out more about your organisation – understand the policies and processes in place for managing information, risk, technology and change.
And what to do now… 3) Build bridges and ask questions – identify who needs to work on digital continuity related issues and start connecting with them.
And what to do now… 4) Manage digital continuity as a key information risk – talk to the SIRO or information risk team and find out if they are aware of digital continuity and their responsibility to manage it.
And what to do now… 5) Advocate and influence upwards – influence as best you can, and push for a digital continuity SRO to be identified to drive this forwards.
62 Guidance Risk Assessment Self-Assessment Tool Procurement Framework DROID And how we can help…
nationalarchives.gov.uk/digitalcontinuity
Digital continuity… The ability to use your information in the way you need for as long as you need