Introduction
As a records and information management professional you will have much to contribute to information security. You are already involved in maintaining the integrity and authenticity of business information and you likely have a comprehensive knowledge of information assets that your organisation can benefit from. In addition, if you have a records management program – an organised, managed and planned approach to records management required under the State Records Act 1998 – you will probably have many structures and tools in place that can assist your organisation in the secure management of information.
Good records management can contribute to good information security. Some of the ways this can be achieved are outlined below.
Defining requirements
Policy and procedures development and review
The Standard on Records Management requires NSW public offices to establish governance frameworks for records and information management, including policy directing how records and information shall be managed. These policy statements can incorporate rules and responsibilities relating to information security.
In addition, an organisation-wide information security policy will provide management direction and support for the security objectives of your business, in accordance with business requirements and relevant laws and regulations. [1] You can provide input into this policy development and review and may be assigned designated responsibilities for carrying out specific security processes defined in the policy.
Defining recordkeeping requirements
The Standard on Records Management requires NSW public offices to identify records and information required to meet short and long term needs. Steps A, B and C of the DIRKS manual (particularly Step C) describe how to define requirements for records and information. This analysis often includes the identification and definition of specific requirements for access and security.
For example, the Step A analysis may highlight:
- business operations (and records that relate to them) which are commercial in confidence
- industry standards and requirements for security and access
- legal obligations to protect or give access to records
- requirements of the Privacy and Personal Information Protection Act 1998, the Government Information (Public Access) Act 2009 or the State Records Act 1998.
The Step B analysis can help you to relate these requirements to specific business functions, activities and processes. This is through the use of either functional analysis or process analysis, or both. These investigations can help you to establish business classification schemes and business process maps.
The Step C analysis, which can also be mapped to the business, examines requirements more closely. It helps you to understand what records need to be created and managed to meet requirements. Risks of not creating and managing these records are also assessed.
Note: Steps A, B and C can also include research into the past activities of your organisation which can enable a better understanding of security requirements in relation to legacy records.
If your organisation is trying to address information security it can benefit greatly from this rigorous analysis of requirements. This analysis can help your organisation to apply appropriate controls and reduce risks to an acceptable level.
Note: Steps D, E, F, G and H of the DIRKS Manual can assist in ensuring that recordkeeping systems address access and security requirements.
For more information see Strategies for documenting government business: the DIRKS manual, particularly Manage record access and security, and the Australian Standard AS5090:2003 Work process analysis for recordkeeping.
Incorporating requirements into business information / transactional systems
AS/NZS ISO/IEC 27002:2006 reinforces the importance of identifying requirements in the design and implementation of any information systems that support business processes. [2]
You can also assist your organisation in determining whether existing systems enable recordkeeping requirements, including security and access requirements, to be met.
For more information see Checklist for assessing business systems.
Promoting confidentiality
Classifying information and assigning security classifications
According to AS/NZS ISO/IEC 27002:2006, information should be classified in relation to its value, legal requirements, sensitivity and criticality to the organisation. The purpose of this classification is to indicate the needs, priorities and expected degree of protection when handling the information, i.e. the standard is referring to security classification. [3]
As described above, the DIRKS Manual can assist you to establish business classification schemes and business process maps, both of which are invaluable in providing a framework for analysing the security requirements of information assets.
A DIRKS analysis can also assist you to identify information that requires particular levels of protection or special handling. Security labelling (which may form part of the metadata assigned) should then be supported by the development of business rules and handling procedures for the secure processing, copying, storage, transmission, declassification and destruction of the records and for the release of information to the public. [4]
You may also be able to contribute to reviewing classifications assigned to particular information assets periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place.
Note: The NSW Government Cyber Security Policy, which applies to NSW government departments and agencies, outlines the NSW Government’s commitment to strengthening cyber security governance and controls. Sensitive information labelled or classified on or after 1 January 2014 must comply with the system outlined in the NSW Government Information Classification and Labelling Guidelines.
Addressing security in third party agreements and cloud computing arrangements
When a business function is outsourced, it is vital that recordkeeping requirements, including security and access requirements, are conveyed to the service provider. You can advise your organisation on issues such as:
- what records need to be produced relating to the business function/s being outsourced
- any sensitive records that require security
- the format in which these records are to be returned to the organisation when the contract has ceased.
You can also provide advice on recordkeeping considerations when entering into cloud computing arrangements. For more information see:
- Using cloud computing services - implications for information and records management
- Accountable outsourcing: managing the records and information management considerations of outsourcing NSW Government business, which includes a contract inclusions checklist
- Storage of State records with service providers outside of NSW
- Australasian Digital Recordkeeping Initiative (ADRI), Advice on managing the recordkeeping risks associated with cloud computing.
Addressing security in customer access
The Government Information (Public Access) Act 2009 (GIPA) requires government information to be more readily available to the public, unless there is an overriding public interest against disclosure. Some information needs to be publicly disclosed on an organisation’s website, some proactively released, and other information made available by informal or formal request.
If you have performed an analysis of your organisation’s business you are in an excellent position to advise on what information can be released to the public under GIPA and what information needs to be secured and prevented from release. Records management tools like an EDRMS or other recordkeeping systems should be used to indicate which records have been made publicly available.
You can also assist your organisation in developing policies and procedures for access control and public access to information.
For more information see Recordkeeping and the Government Information (Public Access) Act 2009.
Promoting integrity
Applying metadata
Paper and digital records need to have adequate metadata so that they can be effectively and accountably managed, secured and retrieved by authorised users. Without robust metadata, records are at risk.
There are two types of metadata that provide an accountable trace of a record’s creation, use and management through time:
- Point of capture metadata provides a snapshot of how, when, why and by whom a record was created. It authenticates a record, enables it to be appropriately classified and managed, and provides the key search terms to promote accessibility.
- Process metadata documents recordkeeping processes, including registration into a recordkeeping system, the application or change of security and accessibility rules, transfer of control and record destruction or migration. Maintaining a record of these processes is necessary to prove a record’s integrity and to account for its appropriate management over time.
The application of point of capture and process metadata is critical for proving a record's integrity. The use of appropriate security metadata is the prime means by which confidentiality markers can be consistently applied, managed, tracked and assessed for currency through time. The availability of digital records is completely contingent on their appropriate metadata description.
The right metadata used appropriately is therefore a critical feature of all digital asset management. As the mechanism to manage, locate and protect records, metadata is itself a record and so it too needs to be managed appropriately, secured where necessary and persistently linked to the records to which it relates even through transfers or migrations.
For more information on metadata, see Metadata for records and information.
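The distinction above between point of capture metadata and process metadata can be shown in code. The following is an added example, not part of this State Records guidance and not a prescribed NSW metadata schema: it captures a record with a snapshot of how, when, why and by whom it was created, then appends process events (registration, reclassification, transfer) to a hash-chained log so that any later alteration of the record content or of the process history can be detected. Element names such as record_id, purpose and entry_hash, the EDRMS name and the sample record are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example. Element names below are constructed for illustration and are
# not a prescribed NSW Government or State Records metadata schema.


def _digest(obj):
    """Stable SHA-256 over a JSON serialisation with sorted keys."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode("utf-8")).hexdigest()


def capture_record(content, creator, purpose, classification, when=None):
    """Create a record with point of capture metadata: how, when, why and by
    whom it was created, plus a content hash later integrity checks rely on."""
    when = when or datetime.now(timezone.utc).isoformat()
    capture = {
        "record_id": _digest({"content": content, "creator": creator, "created": when}),
        "created": when,
        "creator": creator,
        "purpose": purpose,
        "classification": classification,
        "content_sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
    }
    record = {"content": content, "capture": capture, "process": []}
    # First process event: registration into the recordkeeping system (constructed name).
    log_process_event(record, "registered", creator, {"system": "EDRMS-example"}, when)
    return record


def log_process_event(record, action, actor, details, when=None):
    """Append a process metadata entry, chained by hash to its predecessor so
    the sequence of recordkeeping actions cannot be silently rewritten."""
    when = when or datetime.now(timezone.utc).isoformat()
    history = record["process"]
    prev_hash = history[-1]["entry_hash"] if history else record["capture"]["record_id"]
    entry = {
        "seq": len(history) + 1,
        "timestamp": when,
        "action": action,
        "actor": actor,
        "details": details,
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = _digest(entry)
    history.append(entry)
    return entry


def verify_record(record):
    """Return (ok, reason): content must match its capture hash and every
    process entry must hash correctly and link to the entry before it."""
    content_hash = hashlib.sha256(record["content"].encode("utf-8")).hexdigest()
    if content_hash != record["capture"]["content_sha256"]:
        return False, "content does not match point-of-capture hash"
    expected_prev = record["capture"]["record_id"]
    for entry in record["process"]:
        if entry["prev_hash"] != expected_prev:
            return False, f"chain broken at seq {entry['seq']}"
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if _digest(body) != entry["entry_hash"]:
            return False, f"entry {entry['seq']} altered"
        expected_prev = entry["entry_hash"]
    return True, "ok"


def current_classification(record):
    """Replay reclassification events to find the security label now in force;
    the capture label stays intact as evidence of the original decision."""
    label = record["capture"]["classification"]
    for entry in record["process"]:
        if entry["action"] == "reclassified":
            label = entry["details"]["to"]
    return label


if __name__ == "__main__":
    # Constructed sample record and events.
    rec = capture_record("Tender evaluation report (sample)", "jsmith",
                         "tender evaluation", "Sensitive")
    log_process_event(rec, "reclassified", "records-manager",
                      {"from": "Sensitive", "to": "Official"})
    log_process_event(rec, "transferred", "records-manager",
                      {"to_control_of": "Legal Services"})
    print("classification now:", current_classification(rec))
    print("verify:", verify_record(rec))
    rec["process"][1]["details"]["to"] = "Public"   # simulated tampering
    print("verify after tampering:", verify_record(rec))
```

The capture snapshot is never edited; changes of classification or custody are recorded as new events, so the metadata itself remains an accountable record of the record, as the section above requires.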
Promoting accessibility
Assisting in asset identification and management
As part of your records management program you will have carried out inventories of systems and repositories containing official records, whether in paper or digital form. Your inventories can be used to inform the development of an information security inventory, which describes all major information assets, where they are located and their use and value to your organisation.
Long term accessibility of records
AS/NZS ISO/IEC 27002:2006 indicates that important records should be protected from loss and destruction, and that procedures should be established to safeguard the accessibility of data for as long as required. [5] The State Records Act 1998 places a legal requirement on organisations to maintain records for as long as they are required.
Strategies for ensuring the ongoing accessibility of digital records include:
- knowing how long records need to be kept
- choosing formats that are suitable for records of long term value
- system design and migration strategies to ensure records can remain accessible and useable.
Storing records
As you manage hard copy assets as well as digital, you may have considerable experience with physical security including security barriers and entry controls for storage areas. This knowledge may be valuable to your organisation when determining how critical or sensitive business information should be physically secured to prevent unauthorised access, damage or interference. [6]
You may also have developed rules and guidance for staff regarding handling measures, like not taking information off-site without appropriate authorisation (and developing measures for tracking this) and implementing clean desk policies for sensitive records.
For more information see the Standard on the physical storage of records and Solutions for storage: guidelines on the physical storage of State records.
Media handling
You may have experience in classifying, managing, storing and accessing different media formats, and understand their vulnerabilities over time. As a result, you can contribute to discussions and the development of procedures regarding the management and handling of different media, to prevent their unauthorised disclosure, modification, removal or destruction. [7]
State Records recommends against storing records on offline media. This is due to the risks of loss, lack of backups and the dangers of technological obsolescence. For more information see Managing removable media.
Business continuity management
Business continuity management is an important part of information security management. These measures are required to counteract interruptions to business activities and protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. [8]
Your organisation's records should be covered by any business continuity planning undertaken. Your involvement in the identification and management of risks for records will help to ensure that their needs are fully addressed in business continuity planning.
Disposing of records
Numerous references are made in AS/NZS ISO/IEC 27002:2006 to information destruction. Your knowledge of requirements for the legal destruction of records can ensure that disposal decisions made by your organisation as part of information security management are not in conflict with legal requirements under the State Records Act 1998. You can also establish and manage disposal programs that accountably manage the destruction of records.
For more information see Retention and disposal.
Implementing information security
Training
An important implementation aspect to managing information security is ensuring that all employees in the organisation, including contractors, are trained, updated and fully aware of their responsibilities in relation to their job function. This is also recommended in AS/NZS ISO/IEC 27002:2006. [9]
As a recordkeeping professional you work closely with staff and their information needs and often hold induction and training responsibilities, so you can ensure that security awareness and procedures relating to staff use, classification, handling and destruction of records in all formats are reinforced.
Compliance monitoring
The Standard on Records Management requires NSW public offices to monitor and review records and information management to ensure that it is performed, is accountable and meets business needs. This includes checking compliance against aspects of information security practices. For example, you need to regularly review the security of recordkeeping systems, assess the adequacy of security controls for records, evaluate information from monitoring and reviews of security incidents and recommend the appropriate action required.
Any additional responsibilities for security monitoring may be assigned in the information security policy.
Conclusion
In summary, you are an important stakeholder in your organisation’s endeavours to protect information security. Work that you are already undertaking as part of managing records and information can be of significant value to management teams implementing AS/NZS ISO/IEC 27002:2006 or trying to meet other security objectives.
Footnotes
[1] Standards Australia/Standards New Zealand, AS/NZS ISO/IEC 27002:2006, Information technology – Security techniques – Code of practice for information security management, 5.1. Information security policy
[2] AS/NZS ISO/IEC 27002:2006, 12.1 Security requirements of information systems
[3] AS/NZS ISO/IEC 27002:2006, 7.2 Information classification
[4] AS/NZS ISO/IEC 27002:2006, 7.2 Information classification
[5] AS/NZS ISO/IEC 27002:2006, 15.1.3 Protection of organisational records
[6] AS/NZS ISO/IEC 27002:2006, 9 Physical and environmental security
[7] AS/NZS ISO/IEC 27002:2006, 10.7 Media handling
[8] AS/NZS ISO/IEC 27002:2006, 14.1 Information security aspects of business continuity management
[9] AS/NZS ISO/IEC 27002:2006, 8.2.2 Information security awareness and training
Published 2011 / Revised February 2015 / Updated February 2019