Today’s Blog is sponsored by MER 2017, Cohasset Associates’ 25th
annual educational conference on electronic records management, in Chicago, May
8-10.
That
said, we can manage the risk of imperfect security. We can balance our protection efforts against
the increasing cost of safeguarding our information. Theoretically, we could buy a remote cave,
control its environment, and put all kinds of protection and blockages to
prevent the “bad guys” from getting it.
Two problems: it limits availability of the data, and the expense is out
of proportion to the value of the information.
And, oh, one more thing: we can never be sure that the keeper of the
keys has our best interests at heart.
I’m
going to let the IT folks worry about whether the organization uses, McAfee,
Norton or Kaspersky to protect digital information from hacks and infection. But some of the aspects of digital security
that Records Managers understand don’t occur to our colleagues in technology. There are threats – both internal and external
-- that are outside the training and awareness of the IT department, but are
well within the RIM domain. As RIMmers,
we don’t necessarily have the tools to mitigate the risks, but we have the
expertise to show IT the threats they may have overlooked.
Our
immediate responsibility largely revolves around physical storage onsite. (This includes electronic records on physical
media, and I know legacy organizations that keep huge banks of WORM disks in
various formats.) Do we keep
unauthorized workers out of the records repositories? Do we have adequate check out/recall/check in
procedures? Are the records protected from
fire, flood, and other calamities? Is
there a plan to safeguard physical records when disaster strikes – such as a
backup repository or emergency remediation or shelter for records from a
damaged building?
While
we must prepare for those, accessibility is a more likely threat. Lost records may as well be stolen, except
that there are no competitors to benefit from them. Of course, accessibility is one of the
Generally Accepted Recordkeeping Principles [see the Limericks of GARP in the
archives of this Blog] and if you follow best practices, you should be in reasonably
good shape, for paper records. But there
are some loopholes, or bases not covered, which concern security-minded RIMmers
dealing with electronic records:
- Do you really know what you have? Is your taxonomy consistent across the enterprise, and is it the same inside and outside the firewall? Are all indices up to date and inventories current? Is the metadata consistently recorded so searches are productive?
- Do you regularly test for access to Electronically Stored Information (ESI), sampling the storage media for degradation and the files for corruption?
- Is ESI regularly migrated so 1) File formats and operating systems remain current, and 2) There are compatible drivers to display and/or print aging files?
- Does each structured data system have an active administrator who knows how to produce data and maintains the passwords/encryption keys?
To
answer these questions in the affirmative, responsible RIMmers work closely
with their technology people. We defer
to IT to deflect virus attacks, unauthorized downloads, and password or
encryption hacks. But they may not know how to organize records with taxonomy,
and, in my experience, they may not maintain legacy data systems.
There’s
a whole other realm of security risks, outside the firewall. RIM needs to alert IT, and the mitigation of
those risks may require contributions from Legal Counsel.
·
- Security
risks in the Cloud are explored in the previous post of PositivelyRIM. Cloud storage is so easy to set up (and
company policy may not regulate it) that Cloud accounts can up go ad hoc, with little attention to
potential security gaps
- Consider social media: Are posts, Blogs, Tweets, comments, and other communiques records? Do they need to be captured? Technically, can they be captured and managed? Can they be secured? Can the records be removed and disposed, according to a retention schedule?
- Consider mobile apps: Do they collect and store records? Can those records be managed and disposed at the right time? If the records can be disposed, are they really scrubbed from the servers? Can Legal Counsel help write contract language for the mobile app host to enable management of mobile records?
- In an era of Bring Your Own Device, IT is well aware of the security risks. But do they understand what mobile-device records need to be captured, retained, and disposed? The next Pirates of the Caribbean movie is entitled “Dead Men Tell No Tales”. Does IT realize that “Dead Records Tell No Tales”?
We
need a partnership between Records Legal, and IT. And let’s bring in Internal Auditing, Human
Resources (HR), and any other groups with a stake in keeping information safe,
secure, and accessible. That’s what I
call Information Governance.
Re
HR: the hiring process is a sometime-neglected security gap. Any organization with information of value to
“bad guys” must thoroughly vet all staff to reduce the risk of theft or
espionage. This applies whether the
hiring is done through HR or a RIM Dept. hiring manager. Close the barn door before the horses get out.
Three
axioms:
-- Know what you have, protect and manage it.
-- If you don’t know what you have, you can’t tell what is stolen.
-- Lost records are as useless as stolen records.
Security
is a never-ending quest. Those “bad
guys” are always probing for security lapses while they develop ever more
insidious methods. It’s a moving target,
so it is vital to stay on top of the subject, trying to stay one step ahead of
the threats.
My favorite upcoming resource
for that “step ahead” is the MER17 Conference this May in Chicago
(www.merconference.com). This year, a keynote
speaker is Eric O'Neill, the former FBI operative who broke the Hanssen spy
case. He’ll be speaking about
"Cyber Security in the Age of Espionage", with feedback from some of the best
minds in the field. I look forward to
networking with many of you, gentle readers, because each of us has something
to contribute. The more we know, the better
we are. See you there.
n -- 30