Types of information risks
Public offices need to consider various factors when managing records, information, and data risks, including:
- reliability and integrity
- accessibility and retrieval
- safe custody
- retention
- ownership.
Examples of information risks
Here are some risk events or scenarios for different types of information risks that organisations may face.
These examples of risks, causes, and mitigation strategies are for illustration only. The likelihood of these risks occurring and how to respond depend on the specific environment of each organisation.
Refer to Identifying and managing high-value and high-risk records, information and data for examples of high-risk records.
Reliability and integrity
| Risk events/scenarios | Causes (threats and vulnerabilities) | Possible mitigation activities/controls |
|---|---|---|
| Poor quality information and data not 'fit for purpose' | Duplication and inconsistencies following the migration, importation or merging of information and data. Omitted information or data. Typographical errors in spelling and values. Obsolete information or data. | Business rules and procedures created for data entry quality control. Use of encoding schemes for data requiring manual entry. Adequate monitoring. Use of data cleaning software tools to detect and correct problems in database records. |
| | Metadata incorrect, or the minimum required metadata not captured in full. | Minimum metadata requirements identified and included in planning, procurement and migration decision making. Additional metadata that supports organisational recordkeeping, along with business and legal requirements, should also be identified. Use of encoding schemes for metadata requiring manual entry. |
| Poor image quality of digitised records such as documents and photos | Digital surrogate does not possess the essential characteristics of the original record. Essential characteristics are the elements of a record that must be reproduced for the record to retain its meaning and/or evidential value. | Image quality requirements defined through benchmarks such as technical specifications. |
| Unauthorised alteration of information and data by staff or third parties, such as sub-contractors of the cloud provider or hackers | Personal or financial gain from altering data. Disgruntled employee. Inappropriate security settings and/or user permissions. | Information security and protection mechanisms in place that reflect the risk and value of the information assets (for example, event logs that track access and usage). User permissions reflect individual staff members' positions and responsibilities. Information assets backed up along with their metadata. |
Accessibility and retrieval
| Risk events/scenarios | Causes (threats and vulnerabilities) | Possible mitigation activities/controls |
|---|---|---|
| Failure to locate and retrieve information assets | Staff poorly trained in performing complex searches, such as using Boolean operators, relational expressions and wildcard symbols. | Training staff in performing simple and advanced searches in business systems. |
| | Staff unfamiliar with available systems, databases and other repositories. | Providing an information pack listing the systems used by individual business units and the organisation. |
| | Poorly organised or inadequately indexed repositories. | Business classification scheme (BCS) developed for grouping related information assets. Development of naming conventions. Migration of electronic information assets to a controlled system, for example an electronic document and records management system (EDRMS). Implementation of controls for records in accordance with the Standard on records management and the Standard on the physical storage of State records. Adoption of document indexing methods. Use of federated search technologies to simplify search and retrieval across multiple repositories. |
| Unauthorised access to non-public information (for example, personal information or confidential/sensitive business information) | Organisation not aware of information-disclosure restrictions under the Health Records and Information Privacy Act 2002, the Privacy and Personal Information Protection Act 1998 and the Data Sharing (Government Sector) Act 2015. Incorrect interpretation of laws and regulations (for example, the Government Information (Public Access) Act 2009) in disclosing confidential/sensitive business information. | Allocation of responsibility for identifying and interpreting regulatory requirements that prohibit information disclosure. Creation of policies and business rules on the disclosure requirements of non-public information, including responsibility for managing the process. |
| | Unintentional non-compliance by staff due to a lack of training or education about the requirements. | Staff educated and trained in managing personal information and confidential/sensitive business information. |
| | Inadequate security infrastructure. | Establish an information security governance framework, in collaboration with ICT, to ensure appropriate policies, procedures and monitoring are in place to prevent data and information breaches. |
| | Unlawful collection of personal information not directly related to the organisation's activities. | Creation of policies and business rules on the collection of personal information (for example, noting that personal information or documents have been sighted rather than keeping a copy). |
| Information assets unretrievable from cloud-hosted storage | Organisation not aware of legal requirements for the cross-border transfer and storage of information assets. Suspension of the organisation's account by the cloud service provider. Service provider goes out of business or is taken over. | Use the cloud computing checklist to identify areas where risks may eventuate. Allocation of responsibility for identifying, analysing and interpreting both local laws and regulations (including the General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35)) and those of the jurisdiction in which the information assets will be stored. Adequate contractual control. Adequate monitoring. |
| Accessibility of equipment- or technology-dependent information assets not sustained | Degradation or discontinuation/obsolescence of analogue and electronic storage media (for example, microfiche and hard drives respectively). Discontinuation/obsolescence of the compatible software and hardware needed to read information and data on specific storage media or in a particular file format. | Implementation of a preservation program/strategy to ensure information assets remain accessible for as long as they are required. Determination of information and data migration frequency based on the retention requirements of individual classes of information assets. Electronic information assets saved in sustainable formats (for example, PDF/A). |
| | Information assets unable to be opened, read or viewed due to format conversion errors. | Use of file conversion software to preserve the readability of digital content over time. |
Safe custody
| Risk events/scenarios | Causes (threats and vulnerabilities) | Possible mitigation activities/controls |
|---|---|---|
| Storage of physical records in poor environmental conditions | Exposure to contaminants (for example, mould) and high or fluctuating temperatures. Presence of vermin. Incidents of water incursion. Facility/repository located near man-made hazards (for example, heavy atmospheric pollution and hazardous industries). Inadequate or no storage equipment used (for example, shelving and boxes). | Compliance with the Standard on the physical storage of State records. Educating staff in the proper management and storage of physical records. |
| Loss of or damage to information assets due to natural disasters | | Having an up-to-date and tested disaster and counter-disaster plan in accordance with the Standard on records management and the Standard on the physical storage of State records. Relocation of physical records and infrastructure if located in known disaster-prone areas. Back-up copies made of high-value records. |
| Loss of information assets during the decommissioning of systems | Technology obsolescence (for example, systems at end of life). Format obsolescence for text, images, videos, databases and websites. Metadata not captured in full when transferred to the new business system. | Decommissioning planning (in relation to records and information management requirements) is part of the standard project methodology for the acquisition and development of new systems. Identifying and disposing of information assets that are due for destruction, with the required authorisation, before the system is decommissioned. See the Standard on the physical storage of State records. |
| Data stolen | Security patching out of date or inadequate security infrastructure. Outdated computer systems and applications. Staff opening suspicious emails or clicking on suspicious links or attachments. Malicious cyber attacks (for example, phishing emails and malware). | Operating systems and applications kept up to date with the latest security patches. Implementation of firewalls. Records and information management teams working in collaboration with IT in the management of security classified records, or sensitive records that require additional controls. Establishing and managing disposal programs so that records and information are destroyed according to the relevant retention and disposal authorities (information that has been lawfully destroyed cannot be stolen). Rolling cyber security training provided to new and existing staff. Refer to Digital NSW's cyber security resources for further information. |
| Accidental loss of information assets | Unintentionally overwriting information and data during editing. Damage to records (for example, spilling liquids on physical records). Losing external hard drives and physical records that have been removed from the office. | Review processes relating to data entry in the business units where the loss has occurred. Capturing official records and information in a mandated EDRMS. Real-time back-up of files. Education or retraining of staff in the appropriate management and handling of information assets. |
| Loss of information assets due to media instability | Damage in use (unstable working copies). Long-term information and data kept on paper. | Creation of policies and business rules aligned with the Standard on records management and the Standard on the physical storage of State records. Purchase of high-quality electronic storage media, paper and photographic film that conform to the specifications in international standards. Prior to use, storage of electronic storage media, paper and photographic film under the temperature and humidity conditions specified by the manufacturer. |
Retention
| Risk events/scenarios | Causes (threats and vulnerabilities) | Possible mitigation activities/controls |
|---|---|---|
| Over-retention of information assets containing personal information | Ad hoc or irregular disposal of high-risk information assets that are due for destruction. Lack of planning and management in undertaking disposal activities. | Implementation of a regular program of records disposal (destruction, and transfer of records to the State Archives Collection). Routine destruction of time-expired records containing personal information, unless there is a business need to retain the records longer (for example, a current or pending legal matter). |
| Under-retention of information assets | Organisation not aware of all applicable recordkeeping requirements, due to, for example, incorrect interpretation of record retention requirements or no in-house records management staff. | Allocation of responsibility, either internal (a qualified employee) or external (records management consultants, legal researchers or compliance specialists), for identifying, analysing and interpreting applicable laws and regulations. |
| | Poorly designed systems or processes not mapped or aligned to the relevant retention requirements. | Systems designed and managed in compliance with the legal and regulatory requirements that apply to the business documented within them. System compliance should be regularly monitored and assessed. |
| | Disposal classes linked to the organisation's business classification scheme (BCS) are out of date. | Scheduled reviews of the organisation's BCS to ensure the linked record retention schedules accurately reflect legal and regulatory requirements. |
| | No disposal coverage exists for the organisation's core functions. | Creation or review of a functional retention and disposal authority to ensure appropriate coverage. |
| | Staff or business units not aware of, or not up to date with, their individual recordkeeping requirements. | Creation and implementation of an education strategy to inform staff of their recordkeeping requirements in line with their business processes. Scheduling of ongoing compliance monitoring, including an escalation pathway for non-compliance. |
| | Public expectations that particular classes of records be retained past the minimum retention requirements. | Well governed and documented disposal processes. Review of the relevant functional retention and disposal authorities. |
| Disposal of records that are subject to a hold | Failure by the organisation to anticipate proceedings before the lawful disposal of records. | Implementation of a process that identifies pre-litigation triggers for when holds need to be placed (for example, the severity of a complaint). |
| | Lack of a formal process for notifying business areas to place a hold on disposal. No follow-up with business areas to confirm the notification was received and understood. Periodic reminders not issued to business areas when holds on disposal run for a long time. | Development of policies, business rules and procedures that create formal notification and follow-up processes. |
| | Information assets held across multiple known and unknown repositories. | Create a register of business systems. |
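To make the hold and coverage checks in this table concrete, the Python below is an added example (not a State Archives tool, nor any real retention and disposal authority) of a disposal review run over a records register: each record's destruction-due date is derived from its retention class, records under an active hold are withheld even when time-expired, records whose class has no disposal coverage are flagged for sentencing rather than destroyed, and long-running holds are listed so the business area can be reminded. The retention classes, record register, hold register and review date are all constructed for the example.

```python
"""Disposal review with hold and coverage checks (added example, constructed data)."""
from datetime import date

# Constructed retention and disposal authority: class -> years to retain after the
# trigger date. Class names and periods are invented and are not any real authority.
RETENTION_YEARS = {"personnel": 7, "complaints": 5, "finance-invoices": 7}

# Constructed records register. IDs, business units and dates are invented.
RECORDS = [
    {"id": "R-1", "class": "personnel", "unit": "HR", "trigger": date(2015, 6, 30)},
    {"id": "R-2", "class": "complaints", "unit": "Customer Service", "trigger": date(2021, 1, 15)},
    {"id": "R-3", "class": "finance-invoices", "unit": "Finance", "trigger": date(2016, 3, 1)},
    {"id": "R-4", "class": "personnel", "unit": "HR", "trigger": date(2012, 5, 1)},
    {"id": "R-5", "class": "property-leases", "unit": "Facilities", "trigger": date(2010, 1, 1)},
]

# Constructed disposal-hold register. A hold applies to every record whose fields
# match all keys in its scope; a lifted hold no longer applies.
HOLDS = [
    {"hold_id": "HOLD-01", "scope": {"unit": "Finance"}, "reason": "pending litigation",
     "placed": date(2023, 2, 1), "lifted": None},
    {"hold_id": "HOLD-02", "scope": {"id": "R-4"}, "reason": "access application",
     "placed": date(2023, 9, 1), "lifted": date(2024, 1, 1)},
]

REVIEW_DATE = date(2024, 7, 1)  # constructed 'as of' date for the review


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February in a non-leap target year becomes 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def active_holds(record: dict, holds: list, as_of: date) -> list:
    """IDs of holds in force on as_of whose scope matches the record."""
    out = []
    for h in holds:
        if h["placed"] > as_of:
            continue
        if h["lifted"] is not None and h["lifted"] <= as_of:
            continue
        if all(record.get(k) == v for k, v in h["scope"].items()):
            out.append(h["hold_id"])
    return out


def disposal_review(records: list, holds: list, authority: dict, as_of: date) -> dict:
    """Return {record id: (status, detail)} with status one of
    'retain', 'destroy', 'held' or 'no-coverage'."""
    result = {}
    for r in records:
        years = authority.get(r["class"])
        if years is None:
            # No disposal class covers this record: it must not be destroyed on a guess.
            result[r["id"]] = ("no-coverage", "class not in any retention and disposal authority; refer for sentencing")
            continue
        due = add_years(r["trigger"], years)
        if due > as_of:
            result[r["id"]] = ("retain", f"minimum retention ends {due.isoformat()}")
            continue
        holds_on = active_holds(r, holds, as_of)
        if holds_on:
            result[r["id"]] = ("held", ",".join(holds_on))
        else:
            result[r["id"]] = ("destroy", f"time-expired {due.isoformat()}; authorised destruction required")
    return result


def overdue_hold_reminders(holds: list, as_of: date, every_days: int = 180) -> list:
    """Holds still in force for at least every_days: the business area needs a reminder."""
    return [h["hold_id"] for h in holds
            if (h["lifted"] is None or h["lifted"] > as_of)
            and (as_of - h["placed"]).days >= every_days]


def demo() -> dict:
    return disposal_review(RECORDS, HOLDS, RETENTION_YEARS, REVIEW_DATE)


if __name__ == "__main__":
    for rid, (status, detail) in demo().items():
        print(rid, status, detail)
    print("reminders:", overdue_hold_reminders(HOLDS, REVIEW_DATE))
```

The 'destroy' status is a recommendation for the authorised disposal step, not an automatic deletion; the review output is the worksheet that the disposal program and the hold notification process in the table act on.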
Ownership
| Risk events/scenarios | Causes (threats and vulnerabilities) | Possible mitigation activities/controls |
|---|---|---|
| Failure to maintain ownership of information assets hosted by a cloud service provider | Organisation not aware of legal requirements for the cross-border transfer and storage of information assets. Service provider or another external party claims ownership and control over the information assets. | Allocation of responsibility for identifying, analysing and interpreting both local laws and regulations (including the General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35)) and those of the jurisdiction in which the information assets will be stored. Use the cloud computing checklist to identify areas where risks may eventuate. Adequate contractual control. Adequate monitoring. |
| Claim of ownership of information assets by employees, non-employees (contractors, consultants and outsourced employees) or volunteers | Organisation not aware of, or does not correctly interpret, "work for hire" laws and regulations. Contractual terms and conditions do not address, or do not adequately address, ownership of information assets regardless of format or media. | Allocation of responsibility for identifying, analysing and interpreting "work for hire" laws and regulations. Use of contracts/agreements with clauses clearly stating that any information assets created as part of assigned duties, or commissioned, are the organisation's property. |
Do you have any anecdotes regarding information risks your organisation has encountered? If so, we would like to hear from you. As part of building the above tables, we are after 'real world' examples of risks public offices have identified and managed. Examples posted can be attributed to your organisation or remain anonymous.
Please email submissions to govrec@nsw.gov.au
Assessing risks
To manage information risks effectively, you first need to conduct a risk assessment. This involves identifying, analysing, and evaluating risks to find out which scenarios are likely to happen and what their impact might be.
Where to start
Identifying information risks
Review the organisation’s internal and external operating environments, including:
- identifying the organisation’s recordkeeping requirements
- examining records processes and systems
- pinpointing high-risk areas
These steps will help determine the causes of information risks.
Consider the following when establishing the internal and external environments:
| Internal operating environment | External operating environment |
|---|---|
Assessing identified risks
Conduct a risk assessment through formal activities or as part of regular business practices, such as:
- when new business processes or activities are introduced or updated
- during compliance activities (for example, implementing requirements from the Standard on records management and the Standard on the physical storage of State records)
- when handling incidents or complaints related to recordkeeping
- in routine team meetings
- during operational planning sessions
- when implementing or retiring services or systems
Consult with those responsible for risk management in the organisation, such as the risk manager or internal audit team, to ensure the assessment aligns with the organisation’s risk management framework.
Refer to NSW Treasury’s whole-of-government risk management toolkit for detailed guidance on conducting a risk assessment.
Devising a risk statement
Create a clear risk statement to explain risks so all relevant stakeholders can understand them. For each identified risk, include:
- the event that will impact information assets
- the causes of the risk
- the potential consequences
For example: [the event that will affect information assets] caused by [cause/s] resulting in [consequence/s].
Identified information and data risks should be included in the organisation’s risk register. Depending on the organisation's size, there may be different levels of risk registers (for example, a high-level register for the whole organisation and others for individual business units). Update the organisation's information asset register with the details gathered during the risk assessment.
Keep the registers updated as risks are reviewed.