08 February 2017

Are Your Records Home by Curfew?

Today’s Blog is sponsored by MER 2017, Cohasset Associates’ 25th annual educational conference on electronic records management, in Chicago, May 8-10.

Sorry to be the one to tell you, but “secure information” is an illusion.  No records are really 100 percent secure.  We protect our information, but we only create improvement, not assurance.  If you think you can totally protect your information, forget it.  It’s a fool’s errand.

That said, we can manage the risk of imperfect security.  We can balance our protection efforts against the increasing cost of safeguarding our information.  Theoretically, we could buy a remote cave, control its environment, and put all kinds of protection and blockages to prevent the “bad guys” from getting it.  Two problems: it limits availability of the data, and the expense is out of proportion to the value of the information.  And, oh, one more thing: we can never be sure that the keeper of the keys has our best interests at heart.

I’m going to let the IT folks worry about whether the organization uses McAfee, Norton or Kaspersky to protect digital information from hacks and infection.  But some of the aspects of digital security that Records Managers understand don’t occur to our colleagues in technology.  There are threats – both internal and external – that are outside the training and awareness of the IT department, but are well within the RIM domain.  As RIMmers, we don’t necessarily have the tools to mitigate the risks, but we have the expertise to show IT the threats they may have overlooked.

Our immediate responsibility largely revolves around physical storage onsite.  (This includes electronic records on physical media, and I know legacy organizations that keep huge banks of WORM disks in various formats.)  Do we keep unauthorized workers out of the records repositories?  Do we have adequate check out/recall/check in procedures?  Are the records protected from fire, flood, and other calamities?  Is there a plan to safeguard physical records when disaster strikes – such as a backup repository or emergency remediation or shelter for records from a damaged building?

While we must prepare for those, accessibility is a more likely threat.  Lost records may as well be stolen, except that there are no competitors to benefit from them.  Of course, accessibility is one of the Generally Accepted Recordkeeping Principles [see the Limericks of GARP in the archives of this Blog] and if you follow best practices, you should be in reasonably good shape, for paper records. But there are some loopholes, or bases not covered, which concern security-minded RIMmers dealing with electronic records:

  • Do you really know what you have? Is your taxonomy consistent across the enterprise, and is it the same inside and outside the firewall?  Are all indices up to date and inventories current?  Is the metadata consistently recorded so searches are productive?
  • Do you regularly test for access to Electronically Stored Information (ESI), sampling the storage media for degradation and the files for corruption?
  • Is ESI regularly migrated so 1) File formats and operating systems remain current, and 2) There are compatible drivers to display and/or print aging files?
  • Does each structured data system have an active administrator who knows how to produce data and maintains the passwords/encryption keys?

To answer these questions in the affirmative, responsible RIMmers work closely with their technology people.  We defer to IT to deflect virus attacks, unauthorized downloads, and password or encryption hacks. But they may not know how to organize records with taxonomy, and, in my experience, they may not maintain legacy data systems.

There’s a whole other realm of security risks, outside the firewall.  RIM needs to alert IT, and the mitigation of those risks may require contributions from Legal Counsel.
  • Security risks in the Cloud are explored in the previous post of PositivelyRIM.  Cloud storage is so easy to set up (and company policy may not regulate it) that Cloud accounts can go up ad hoc, with little attention to potential security gaps.
  • Consider social media: Are posts, Blogs, Tweets, comments, and other communiques records?  Do they need to be captured?  Technically, can they be captured and managed?  Can they be secured?  Can the records be removed and disposed, according to a retention schedule?
  • Consider mobile apps:  Do they collect and store records?  Can those records be managed and disposed at the right time?  If the records can be disposed, are they really scrubbed from the servers?  Can Legal Counsel help write contract language for the mobile app host to enable management of mobile records?
  • In an era of Bring Your Own Device, IT is well aware of the security risks.  But do they understand what mobile-device records need to be captured, retained, and disposed?  The next Pirates of the Caribbean movie is entitled “Dead Men Tell No Tales”.  Does IT realize that “Dead Records Tell No Tales”?

We need a partnership between Records, Legal, and IT.  And let’s bring in Internal Auditing, Human Resources (HR), and any other groups with a stake in keeping information safe, secure, and accessible.  That’s what I call Information Governance.

Re HR: the hiring process is a sometimes-neglected security gap.  Any organization with information of value to “bad guys” must thoroughly vet all staff to reduce the risk of theft or espionage.  This applies whether the hiring is done through HR or a RIM Dept. hiring manager.  Close the barn door before the horses get out.

Three axioms:

  --  Know what you have, protect and manage it.
  --  If you don’t know what you have, you can’t tell what is stolen.
  --  Lost records are as useless as stolen records.

Security is a never-ending quest.  Those “bad guys” are always probing for security lapses while they develop ever more insidious methods.  It’s a moving target, so it is vital to stay on top of the subject, trying to stay one step ahead of the threats.   

My favorite upcoming resource for that “step ahead” is the MER17 Conference this May in Chicago (www.merconference.com).  This year, a keynote speaker is Eric O'Neill, the former FBI operative who broke the Hanssen spy case.  He’ll be speaking about "Cyber Security in the Age of Espionage", with feedback from some of the best minds in the field.  I look forward to networking with many of you, gentle readers, because each of us has something to contribute.  The more we know, the better we are.   See you there.
-- 30 --