A new risk management policy has further formalised the use of cloud computing by the Australian Government by establishing a mandatory approval framework for agencies looking to procure offshore or domestically outsourced cloud services.
The Australian Government Policy and risk management guidelines for the processing and storage of Australian Government information in outsourced or offshore ICT arrangements builds on the National Cloud Computing Strategy released in May 2013.
However, where the National Cloud Computing Strategy focused on promoting the use of cloud among agencies, the new risk management policy has set out mandatory approval structures to mitigate the risk of Government cloud use.
Where agencies are looking to store personal or private information in outsourced or offshore cloud facilities, they are now required to gain authorisation from both the relevant portfolio minister and the Attorney-General.
The Policy has also created a separate category for the use of cloud services for storing information that is not subject to the Privacy Act 1988. The Policy allows for a simplified approval process in these cases, where agency heads are responsible for calculating and accepting security risks.
Agencies can also forgo seeking ministerial approval where they are procuring ICT services in a private or community cloud, which only requires the approval of agency heads following a documented risk assessment. This covers many of the data centre arrangements currently in use by agencies, which involve offsite facilities operated by the private sector for exclusive use by Government departments.
The continuation of these shared cloud services agreements between Government departments is encouraged, and may even expand to offshore arrangements in the future.
Agencies are to advise the Secretaries ICT Governance Board if they plan to procure outsourced or offshore cloud services, in order to support “potential whole-of-government ICT procurement arrangements”, according to the document.
The Policy also recommends that agencies add security requirements into the terms and conditions of contractual documents with suppliers when procuring cloud services.
The risk management policy joins a growing framework of guidelines for the use of cloud computing in the public sector. As well as a number of policies at the Federal level, including the National Cloud Computing Strategy and the Australian Government Information Management Office’s (AGIMO) Australian Government Cloud Computing Policy, several states have also indicated forthcoming cloud strategies.
The NSW Department of Finance and Services is expected to release its Policy and Guidelines relating to the use of cloud by the end of 2013. The Victorian Government’s recently released whole-of-government ICT Strategy required all agencies to demonstrate the use of cloud solutions by December 2013. The Northern Territory also released a Cloud Computing Policy and Guidelines in July 2011.
Although it currently has no cloud policy in place, the Queensland Government has also indicated its plans to adopt the technology, with Minister for Science, IT, Innovation and the Arts Ian Walker recently announcing a ‘cloud first’ approach to ICT services.