08 February 2017

Are Your Records Home by Curfew?

Sorry to be the one to tell you, but “secure information” is an illusion.  No records are really 100 percent secure.  We protect our information, but we only create improvement, not assurance.  If you think you can totally protect your information, forget it.  It’s a fool’s errand.

That said, we can manage the risk of imperfect security.  We can balance our protection efforts against the increasing cost of safeguarding our information.  Theoretically, we could buy a remote cave, control its environment, and put all kinds of protection and blockages to prevent the “bad guys” from getting it.  Two problems: it limits availability of the data, and the expense is out of proportion to the value of the information.  And, oh, one more thing: we can never be sure that the keeper of the keys has our best interests at heart.

I’m going to let the IT folks worry about whether the organization uses, McAfee, Norton or Kaspersky to protect digital information from hacks and infection.  But some of the aspects of digital security that Records Managers understand don’t occur to our colleagues in technology.  There are threats – both internal and external -- that are outside the training and awareness of the IT department, but are well within the RIM domain.  As RIMmers, we don’t necessarily have the tools to mitigate the risks, but we have the expertise to show IT the threats they may have overlooked.

Our immediate responsibility largely revolves around physical storage onsite.  (This includes electronic records on physical media, and I know legacy organizations that keep huge banks of WORM disks in various formats.)  Do we keep unauthorized workers out of the records repositories?  Do we have adequate check out/recall/check in procedures?  Are the records protected from fire, flood, and other calamities?  Is there a plan to safeguard physical records when disaster strikes – such as a backup repository or emergency remediation or shelter for records from a damaged building?

While we must prepare for those, accessibility is a more likely threat.  Lost records may as well be stolen, except that there are no competitors to benefit from them.  Of course, accessibility is one of the Generally Accepted Recordkeeping Principles [see the Limericks of GARP in the archives of this Blog] and if you follow best practices, you should be in reasonably good shape, for paper records. But there are some loopholes, or bases not covered, which concern security-minded RIMmers dealing with electronic records:

  • Do you really know what you have? Is your taxonomy consistent across the enterprise, and is it the same inside and outside the firewall?  Are all indices up to date and inventories current?  Is the metadata consistently recorded so searches are productive?
  • Do you regularly test for access to Electronically Stored Information (ESI), sampling the storage media for degradation and the files for corruption?
  • Is ESI regularly migrated so 1) File formats and operating systems remain current, and 2) There are compatible drivers to display and/or print aging files?
  • Does each structured data system have an active administrator who knows how to produce data and maintains the passwords/encryption keys?

To answer these questions in the affirmative, responsible RIMmers work closely with their technology people.  We defer to IT to deflect virus attacks, unauthorized downloads, and password or encryption hacks. But they may not know how to organize records with taxonomy, and, in my experience, they may not maintain legacy data systems.

There’s a whole other realm of security risks, outside the firewall.  RIM needs to alert IT, and the mitigation of those risks may require contributions from Legal Counsel. 
  • Security risks in the Cloud are explored in the previous post of PositivelyRIM.  Cloud storage is so easy to set up (and company policy may not regulate it) that Cloud accounts can up go ad hoc, with little attention to potential security gaps
  • Consider social mediaAre posts, Blogs, Tweets, comments, and other communiques records?  Do they need to be captured?  Technically, can they be captured and managed?  Can they be secured?  Can the records be removed and disposed, according to a retention schedule?
  • Consider mobile apps:  Do they collect and store records?  Can those records be managed and disposed at the right time?  If the records can be disposed, are they really scrubbed from the servers?  Can Legal Counsel help write contract language for the mobile app host to enable management of mobile records? 
  • In an era of Bring Your Own Device, IT is well aware of the security risks.  But do they understand what mobile-device records need to be captured, retained, and disposed?  The next Pirates of the Caribbean movie is entitled “Dead Men Tell No Tales”.  Does IT realize that “Dead Records Tell No Tales”?

We need a partnership between Records Legal, and IT.  And let’s bring in Internal Auditing, Human Resources (HR), and any other groups with a stake in keeping information safe, secure, and accessible.  That’s what I call Information Governance.

Re HR: the hiring process is a sometime-neglected security gap.  Any organization with information of value to “bad guys” must thoroughly vet all staff to reduce the risk of theft or espionage.  This applies whether the hiring is done through HR or a RIM Dept. hiring manager.  Close the barn door before the horses get out.

Three axioms:

  --  Know what you have, protect and manage it. 
  --  If you don’t know what you have, you can’t tell what is stolen.    
 --  Lost records are as useless as stolen records. 

Security is a never-ending quest.  Those “bad guys” are always probing for security lapses while they develop ever more insidious methods.  It’s a moving target, so it is vital to stay on top of the subject, trying to stay one step ahead of the threats.   

My favorite upcoming resource for that “step ahead” is the MER17 Conference this May in Chicago (www.merconference.com).  This year, a keynote speaker is Eric O'Neill, the former FBI operative who broke the Hanssen spy case.  He’ll be speaking about "Cyber Security in the Age of Espionage", with feedback from some of the best minds in the field.  I look forward to networking with many of you, gentle readers, because each of us has something to contribute.  The more we know, the better we are.   See you there.
n    -- 30

05 January 2017

Seven Risks in the Beneficent Cloud

Today’s Blog is sponsored by MER 2017, Cohasset Associates’ 25th annual educational conference on electronic records management, in Chicago, May 8-10.

User beware: amid the security and budgetary advantages of the Cloud, risks lurk, ready to sabotage the unprepared or unsuspecting.  Make sure you are not caught unaware.

Records Management in the Cloud cries for Information Governance (IG).  It requires input, energy, and synergy from the organization’s Records, technology, and Legal groups.  Each has necessary skills, perspectives and insights beyond the scope of any one of these disciplines.

Theoretically, you can manage information in the Cloud with the same care and quality of locally stored records.  But there are complications that may not appear with local storage.  Addressing those requires teamwork from those three major constituents of IG.  Cloud-based storage is an important option, so it’s worth considering the safety, integrity, availability, and other critical aspects of your information stored there. 
Here’s the plus side: Cloud providers generally secure information better than local IT departments can.  Disaster recovery/business continuity should be better as well.
Also, economic advantages come from “elasticity”, that is, you only buy what you need.  If the need for online storage varies by the season or by the year, you can pay for Cloud storage when you need it, and conversely, you pay less when your needs diminish.  Contrast that with storage inside the firewall: you buy enough to cover your maximum use, but you still have paid for that maximum capacity even when your need is less.  If I were a seasonal retailer, doing most of my business during three months of the year, there is no way I would want to have that much capacity sitting idle inside the firewall for the other nine months.

But there are dangers.  These include:
1.       Discovery in a legal matter: Can legal holds be applied to Cloud-stored information, or does it have to be retrieved before it can be held for legal purposes?  When needed for litigation, can the servers and networks quickly deliver large quantities of data?
2.       Compliance:  Owners and custodians of information are responsible for complying with applicable laws and regulations.  When information that proves compliance is in the Cloud, is it accessible quickly and accurately?  Can the organization that owns the information (and is legally liable) easily audit the Cloud provider for compliance with laws and regulations? 
3.       Control:  Cloud providers may treat most or all information the same, but this is a problem if some records have geographical restrictions.  The Cloud user must know where the provider’s servers and pipelines are.  For example, Europe’s Safe Harbor provisions place limits on where information can be stored or transported. 
4.       Information disposal:  At the end of the information lifecycle, do Cloud users have to retrieve their records for subsequent disposal, or can the vendor provide reliable disposal?  And when the user retrieves information, is it really removed from the Cloud servers or simply deleted and/or overwritten?  When the Cloud provider disposes information, are the data and metadata truly irretrievable, or do vestiges remain, waiting to be subpoenaed and discovered?
5.       Long-term viability: For information with a retention period of over five years, backward compatibility of hardware and software can be an issue.  In the long run, will neglected updates make information files obsolete?  Does pixel-loss threaten to corrupt the files, or are the files protected?
6.       Longevity: Cloud vendors start with the best of intentions, but what happens when there are mergers, acquisitions, and divestitures?  What happens if a Cloud provider goes bankrupt, changes its business model, or gets out of the Cloud business entirely?  What then happens to the stored information?
7.       Derelict records:  Does your records management ensure that your organization does not keep paying for storage of outdated records?  Does the provider deliver the inventory and upcoming destruction dates monthly?

Again, the best answer to these dangers is a good coalition of information governors.  Records managers need savvy contract attorneys to write clauses clearly delineating a cloud provider’s responsibilities and restrictions, while mandating audits for compliance.  

Similarly, IT specialists need to ensure that the cloud provider’s technology is appropriate and adequate; that there is a forward migration path; that information is secure (internally and externally) and protected against disaster; and that accessibility will not be compromised under any circumstances.

Finally the attorneys and IT experts need Records Managers to apply the Generally Accepted Recordkeeping Principles to the whole endeavor.
Success with Cloud information management requires the cooperation, coordination, and investment of all the information governors.  Disciplines, such as Accounting and Quality Assurance, are welcome contributors.  Ignorance of this synergy leads to multiple risks.  But for those who apply Information Governance to the Cloud, success is enhanced.

The strategies and tactics to accomplish this success are many, and no two situations are identical.  Fortunately, there are helpful resources available.  One of the best is the MER Conference that meets in Chicago every May, where records managers, lawyers, techies, and others put their heads together.  The sessions, the connections, and the conviviality all help focus solutions to individual needs. You can watch streaming sessions later in the year, but nothing can replace being there with the many people who inform our choices.  MER is one of my top resources for information, networking, and inspiration, and I look forward to seeing you there.
n  -- 30