Taking the 'cyber' out of security
- By Tyler Morris
- Sep 22, 2015
Information, whether physical or digital, is the lifeblood of an agency, but when it comes to securing this valuable asset, most people immediately make a connection to cybersecurity – the policy and safeguards that protect digital information from improper handling, dissemination or destruction. Not all information is digital, however, and not all security is cybersecurity. The federal government must focus on the whole of information security: defending information, both physical and digital, from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Agencies must start evaluating whether they are proactively securing and managing all of their information, regardless of its format or where it resides. Whether physical or digital, email or text, if the information is pursuant to government business or operations, then it must be protected.
In order to bring information security to the forefront of an agency’s operations, a shift in both policy and culture is required. The following three steps will help agencies create an environment that better protects their data.
1. Establish an information governance program that includes both records management and IT staff.
An information governance program establishes a framework that details employee roles and responsibilities, while providing staff with the tools and knowledge they need to properly determine what constitutes a record and how it should be treated. It also allows agencies to effectively manage the growing volumes of information and ensures that associated risks are well understood, documented and then controlled.
As it stands, however, only 15 percent of agency records professionals strongly agree that their current records management policy is meeting the needs of their agency, according to a recent survey.
A truly successful information governance program will facilitate and promote collaboration between records management and IT personnel. Both groups of employees bring valuable expertise that is essential to standing up an effective, comprehensive information security program. Failing to incorporate both camps can result in information silos that separate physical records from electronic records, incorrectly treating the two as mutually exclusive. This approach leads to missed opportunities for cross-functional efficiencies and inconsistencies or gaps in security coverage. With the diversity of information that exists today, both groups must work together to ensure governance policies are applied consistently across all types of information.
2. Build end-user understanding and buy-in.
Information security depends on the user to know what the policies are and how to implement them so they will not put information at risk. It is essential for agencies to formally train every employee, from the records managers to end users at every level, on their individual responsibilities in handling agency records. Without formal training, agency compliance and confidence levels are severely affected. Yet 47 percent of agency records professionals said they have not received formal records management training, having to rely only on informal training or having no training at all.
Formal training will also help secure end user buy-in if it explains how following proper records policies will make their daily activities more productive. A standardized organizational system and consistently applied retention policies make it easier for employees to respond to requests for information. Ultimately, they will perform significantly better from a security perspective and will be more confident in their agency’s ability to guard against risk.
3. Establish records retention best practices and automate where possible.
If your agency isn’t retaining records appropriately, how do you know what information is (or should be) accessible to your personnel? How do you determine if your information is being securely protected against improper dissemination, destruction or duplication? These are questions that a successful information governance program will address.
Once records management best practices have been identified, agencies should automate these processes wherever possible. This minimizes the risk of human error, reduces the manual burden on employees and improves the consistency of policy execution.
As we move forward into a future full of new media and technologies for information sharing, it is important that agencies’ focus on preserving transparent, accessible and secure information remains steadfast. Information, regardless of format or method of transmission, is subject to the principles, laws and regulations that govern information security. Agencies must establish comprehensive governance policies with automated best practices capable of anticipating future risks. They need to take the “cyber” out of security, broadening their focus on the big picture of securing their information as a whole, by starting with an established information governance program.
Tyler Morris is director of product management at Iron Mountain Government Solutions.