Showing posts with label Information Security. Show all posts

Nov 22, 2008

Cloud Computing - Heads in Sand - Governance Issues

It started as a trickle, but like a dripping tap, the flow kept up ... for the last few weeks Cloud Computing keeps dropping into my email inbox ... something to do with Microsoft's Blue Sky Horizon, Windows Azure. Like the dripping tap, I tried to ignore it as just more IT geek jargon. Realisation dawned ... I'd been a fledgling Cloud Computing user for a few years without realising ... as I paid my eBay bills using PayPal, used Amazon Books' payment system, Google Maps, Blogger, Google Reader for RSS feeds, LinkedIn, Yahoo Groups, web-based email, etc etc.

In the end I found Robin Hastings' (Missouri River Regional Library) slideshare presentation on "Cloud Computing" & the Cloud Computing Glossary the most non-geek friendly.

But like the rest of Web 2.0 applications, rather than head in the sand, avoiding Cloud Computing issues, those with governance roles need to be asking questions of those with their heads in the clouds, looking to blue sky horizon possibilities. Those questions need to be fully answered, and not treated dismissively. Starting with ... Will Cloud Computing storage providers guarantee access to your information & records for as long as statutory regulations require, regardless of whether done in house or outsourced ... sometimes decades? Then would Private Clouds & Virtual Private Clouds be better approaches? Gartner predicts a future in this approach for large organizations. If IT departments were worried about managing security concerns with Web 2.0's Microsoft SharePoint, they must be agonising over Governance and the full ramifications of Cloud Computing applications, eg Chieftech.blogspot. Perhaps, looking at it from Web 2.0 experiences, if companies & quality management professionals have their heads in the sand, then the horses will bolt.


Cloud Computing - detail Heads in the Sand on Governance

It started as a trickle, but like a dripping tap, the flow kept up ... for the last few weeks Cloud Computing keeps dropping into my email inbox. Probably something to do with Microsoft's recently announced Blue Sky Horizon venture into the field, Windows Azure.

Like the dripping tap, I tried to ignore it as just more IT geek jargon. Finally curious enough, I clicked on one of the email hyperlinks ... a new unintelligible taxonomy aka jargon emerged. It meant turning to Wikipedia to get a plain English understanding of "Cloud Computing" ... and a bit more at "How Stuff Works". Funny how many Orgs frown on using Wikipedia, just like my old uni professor frowned on the Plain English style metallurgy textbook used at the TAFE across the road, despite its friendlier "Gunning Fog" readability ranking. In the end I found Robin Hastings' (Missouri River Regional Library) slideshare presentation & the Cloud Computing Glossary the most non-geek friendly.

Realisation dawned ... I'd been a fledgling Cloud Computing user for a few years without realising ... as I paid my eBay bills using PayPal, used Amazon Books' payment system, Google Maps, Blogger, Google Reader for RSS feeds, LinkedIn, Yahoo Groups, web-based email, etc etc. Many say Cloud Computing is the next disruptive computing technology, just like the IBM Mainframe, Apple II computer and internet - Web 1.0/Web 2.0.

And why did I go to Google Reader for RSS feeds? Probably because my Org didn't seem to provide readers for RSS feeds, or it was too hard to find out how, or its use was discouraged. Many other employees looked at me blankly when I asked about RSS feeds. So it was easier just to go outside the system. If I found anything worthwhile, then I'd just archive it, email it around internally or capture the really useful bits onto a SharePoint wiki page.

Another stage for the Microsoft vs Sun Microsystems paradigm debacle, with Microsoft's catch-up commercialisation plans in offering a fee per use. "Cloud Computing" seems headed to SMEs, so they don't have to outlay the capital for huge IT systems. Some commentators liken it to electricity and water utilities' access and usage charging - where you don't need your own generator, windmill or well. Consumers expect reliable and safe supply at rates that are not exorbitant. But what about governance? After all, it was a utility, Enron, that led to the Sarbanes-Oxley legislation in the USA.

It was dawning that, like the rest of Web 2.0 applications, rather than head in the sand, avoiding Cloud Computing issues, those with governance roles need to be asking questions of those with their heads in the clouds, looking to blue sky horizon possibilities. Those questions need to be fully answered, and not treated dismissively.

Starting with ... Will Cloud Computing storage providers guarantee access to your information & records for as long as statutory regulations require, regardless of whether done in house or outsourced ... sometimes decades? A good question, and one being posed on the How Stuff Works - Cloud Computing Security Concerns page. Very pertinent in an era of increased regulatory constraints following the global financial meltdown. But then key IT decision makers fret about the cost of software licensing and what they may perceive to be excessive and unnecessary data storage ... forgetting the ramifications of not having data storage. Systems which businesses need in order to operate, ie QMS, EMS, OHSMS, CRMS, FMS, have requirements to keep records for a very long time. Breach those and it could be a very costly threat to your business's longevity. Some commentators seem to be recognising this concern.

What about production history systems - no matter if managed in-house or via "Cloud Computing" applications? If your product identity codes are re-used in a "wrap around" situation, it might be tempting to cut costs and not archive the records of each wrap-around sequence separately. But then how do you know whether the data is for item "Awxyz" produced in 2006 or for item "Awxyz" from 2009? 3rd party quality auditors certifying your Quality Management Systems and Factory Production Control Systems could take a dim view of your cost cutting - not good, especially if you plan to export into the EU.
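As an added illustration of the wrap-around problem (my own example, not code from the original post; the class, field and method names are hypothetical), this keeps each cycle of a re-used item code as a separate record, refuses an ambiguous lookup, and will not list a record for disposal before its retention period has elapsed:

```python
# Added example (not from the original post). Names are hypothetical.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple, Union

Key = Tuple[str, int]  # (item_code, wrap-around cycle)


@dataclass(frozen=True)
class ProductionRecord:
    item_code: str        # identity code that is re-used after a wrap-around, e.g. "Awxyz"
    cycle: int            # wrap-around sequence number; part of the record's identity
    produced: date
    retention_years: int  # statutory / QMS retention period for this record


class ProductionHistory:
    def __init__(self) -> None:
        # Keyed on (item_code, cycle), never on item_code alone.
        self._records: Dict[Key, ProductionRecord] = {}

    def add(self, rec: ProductionRecord) -> None:
        key = (rec.item_code, rec.cycle)
        if key in self._records:
            raise ValueError(f"duplicate record for {key}; archive each cycle separately")
        self._records[key] = rec

    def lookup(self, item_code: str, cycle: Optional[int] = None) -> ProductionRecord:
        """Resolve a code to exactly one record; a bare re-used code is ambiguous."""
        matches = [r for (c, _), r in self._records.items() if c == item_code]
        if cycle is not None:
            matches = [r for r in matches if r.cycle == cycle]
        if len(matches) != 1:
            raise LookupError(f"{item_code!r} (cycle={cycle}) matches {len(matches)} records")
        return matches[0]

    def disposable(self, today: Union[date, str]) -> List[Key]:
        """Keys whose retention period has elapsed as of `today` (date or ISO string)."""
        if isinstance(today, str):
            today = date.fromisoformat(today)
        out = []
        for key, r in self._records.items():
            # Sample dates avoid 29 Feb, so a plain year replacement is safe here.
            expiry = r.produced.replace(year=r.produced.year + r.retention_years)
            if today >= expiry:
                out.append(key)
        return sorted(out)


def sample_history() -> ProductionHistory:
    """Constructed sample: code "Awxyz" used in the 2006 cycle and again in 2009."""
    h = ProductionHistory()
    h.add(ProductionRecord("Awxyz", 1, date(2006, 3, 1), retention_years=7))
    h.add(ProductionRecord("Awxyz", 2, date(2009, 5, 1), retention_years=7))
    return h
```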

There's the challenge - in line with James Robertson's view of two uses for a wiki - to ensure governance, "command and control" rules where they're needed, as well as to encourage collaborative environments with enabling support, hints and tips, to capture lessons learned, preventing key knowledge loss (refer egov.vic). I decided to ask the "significant other", one of the aforementioned IT geeks, about his exposure to Cloud Computing & governance issues; a pause, then he explained how it was being adopted by some organizations as a Virtual Private Cloud, to enable collaboration with external users and yet maintain security. Gartner predicts a future in Private Cloud/Virtual Private Cloud approaches for large organizations.

If IT departments were worried about managing security concerns with Web 2.0's Microsoft SharePoint, they must be agonising over Governance and the full ramifications of Cloud Computing applications, eg Chieftech.blogspot. And again, despite all the proclamations, it will be a behavioural issue. Perhaps, looking at it from Web 2.0 experiences, if companies & quality management professionals have their heads in the sand, then the horses will bolt.

Oct 23, 2008

Records Management - where does it fit & where is it heading?

There has been a lot of comment about increasing records management requirements, eg retention schedules etc. Internationally these are covered under ISO 15489 Parts 1 & 2 - these have been adopted in Australia.

Many would argue that these have placed imposts on businesses and stifled innovation. However, increased strictures on Records Management processes are here to stay, and have been driven in the USA by the Sarbanes-Oxley legislation following the Enron furore. In Australia, Records Management requirements have been accelerated following the Rolah McCabe vs BAT case in Victoria... According to Lawyers Weekly, "As at common law, there is a shift at the legislative level. The Crimes (Document Destruction) Act 2005 (Vic) amends the Crimes Act 1958 (Vic) and creates a new criminal offence in relation to the destruction of documents likely to be required in legal proceedings. An employee or officer attempting to delete a 'smoking gun' email, who therefore knows of the reasonable likelihood of litigation and intends to prevent the document from being used, could be prosecuted for document destruction. Both individuals and companies can be prosecuted, potentially facing large fines and imprisonment. ... A company may be vicariously liable for an officer who breaches the document destruction provisions of the Crimes Act."

So it is really a case of "get over it and get on with it". Many legal firms are providing advice that could be quite challenging for some organisations, eg Freehills & Blake Dawson Waldron.

In fact, as part of their ISO 9001 quality management document control systems, organisations will have Records Management covered in their Quality Management Manual, or Department Handbook. This is the peak document in their quality system. Records may be either hard copy or electronic - and both should be covered in more detail in individual operating department quality management manuals.

Similar records management requirements exist for ISO 14001 Environment Management Systems. They also exist for OHSMS systems - and as required for Workers Compensation Self Insurer status under WorkCover NSW.

Some companies have also established an Information Management standard. This may provide guidance on records management, eg including Records Disposal standards, as informed by the Australian Records Retention Manual.

This standard may be complemented by an Information Security Policy Statement, eg Victorian context. And there may also be an Information Management Governance Policy/Strategy, which will also address information security issues, eg such as information rights management.

Arising from Victorian State Government legislation, many organisations have developed very comprehensive records classification systems. These include records retention/disposal requirements, in accordance with Victorian and Australian federal legislation relevant to businesses operating in Victoria. Ideally these would be developed with the involvement, and approval, of an organisation's legal counsel.

It can be very expensive to fall foul of the legislature on these issues: Failing to Keep Records is Expensive - Federal and New York regulators ordered the U.S. Trust Corporation to pay $10 million in fines to settle accusations that it violated bank secrecy laws and failed to keep complete records in a special trading unit.

It is interesting that e-technology is not always seen as providing positive improvements -
"Contrary to the conventional wisdom that technology is an aid to efficiency, the electronic age has made discovery of relevant documents an even lengthier and more expensive process than hitherto," said Federal Court Justice Ronald Sackville in his speech to the NSW Supreme Court conference, after hearing Channel 7's C7 case, in which the database compiled for the case consisted of some 86,000 documents, comprising nearly 590,000 pages.