It’s Monday morning and you’ve logged in to start working on your inbox. One email jumps out first: over the weekend a sales team member had their company laptop and a thumb drive stolen at a coffee shop. Or, they accidentally left it there—they’re not quite sure how it got away. Regardless, a Good Samaritan has just dropped off both at reception. But they left without leaving a name or saying much of anything.
In another email, you learn an engineer realized they accidentally sent two large customer files early last week…to the wrong customer. Follow-ups to the recipient and their team have gone unanswered. A third email mentions someone from recruiting managed to check out several hard copy HR files the day before being terminated for cause. The files were not returned. Emails to the former employee’s personal address are bouncing, and they are believed to have started some travel abroad.
It’s looking to be a fun week, and some questions start to race into your mind:
- Are any of these incidents a data breach?
- Was customer confidential information exposed? What about sensitive personal information or company trade secrets?
- Does your organization have any notification obligations, and to whom?
- What policies were in place relevant to these incidents and how were they violated?
- What mitigation measures must the organization immediately take?
- What should the organization do now to help prevent these types of things from happening again?
Managing records and information means keeping them secure. And these are a few of the questions that you—a records and information management professional and member of your organization’s information governance team—would need to help confront should any of these hypotheticals occur.
For RIM professionals, information security is an undeniable part of the job. But for the non-security professional, learning information security can be intimidating. Fortunately, knowing a handful of basic principles will help you get a good start.
What is Information Security?
It helps to understand exactly what information security means. At its core, information security is about protecting your organization’s records and information from loss. Technologically complex, external threats like malware attacks tend to occupy headlines; however, RIM professionals should not discount the risks posed by internal actors, including by mere carelessness. By many estimates, insider threats—including carelessness—are the primary cause of data breaches. Even temporary and seemingly inconsequential unauthorized access or use of information can easily constitute a data breach under most definitions, which may trigger legal and contractual notice obligations. The errant hypothetical email in this article is one way information security can be compromised by accident.
Where does information security start?
It is helpful to think of information security as bundles of threes. The first bundle consists of the three types of security safeguards—physical, technical, and administrative, which are also commonly called controls.
- Physical, technical, and administrative safeguards (PTA).
Physical safeguards are things such as closed-circuit surveillance, alarms, locks, as well as physical walls and fences. While the digital age puts IT security at the front of most people’s minds, it’s important to not overlook your physical security controls—particularly when it comes to physical records, as strong physical safeguards are among the best protections against loss.
Then there are technical safeguards, such as encryption, firewalls, security information and event management (SIEM) tools, and anti-virus software. Technical safeguards tend to be the domain of your IT security experts; however, it’s necessary for RIM professionals to have a healthy understanding of technical safeguards, how they work, and how they interact with the records and information you manage. Information governance is the mother of all collaborative efforts, so knowing your technical safeguards will only improve your ability to partner with the IT security members on your information governance team.
Lastly, administrative safeguards are things such as your company’s security policies and procedures, as well as employee training and education. Policies are often considered the bedrock of an information security program, and an area where you, as a RIM professional, can have significant influence when it comes to how these policies will intersect with the records and information you manage.
- Confidentiality, integrity, and availability (CIA).
The purpose of information security is to preserve information confidentiality, integrity, and availability. Preserving confidentiality means protecting information from unauthorized access or disclosure. Information integrity means safeguarding its authenticity, accuracy, and completeness. And information availability means knowing it will remain accessible when needed to those who have been authorized to use it. Information CIA should be your goal when developing any records and information security measure, so think thoroughly through how each measure will maintain information CIA.
- The three phases of information security.
Prevention, detection and response, and remediation is the last information security bundle of threes. Preventative security means taking steps to limit the risk of a breach. While it’s impossible to eliminate all risks, ensuring you have taken every reasonable step in light of the risks and the type of information you oversee is expected. Making sure your organization has proper CIA safeguards is key to ensuring your organization has adequate preventative measures. As a RIM professional, you’re most likely to be involved in the preventative side of security, but in this capacity, you may have many roles. Designing policies and procedures to protect records and information is one area where RIM professionals can contribute a lot. So is developing training and education to make sure record custodians know their security responsibilities.
Breaches will happen—that is a fact of life—so it is imperative you’re able to quickly detect security failures and mount an appropriate response. Essential to any detection and response strategy is having a well-vetted incident response plan. A good way to vet your incident response plan is to conduct tabletop exercises to work through scenarios like the ones in this article. Doing this will help expose flaws in your response plan, which allows you to improve it before it gets tested in real life. Your security team should be performing tabletop exercises at least annually. If you or a member of your RIM team does not participate in your company’s tabletop exercises, ask to be involved.
Finally, remediation means analyzing the cause of a breach and improving (again using CIA safeguards) security to make sure such a breach cannot happen again. Like prevention, remediation is an area where RIM professionals can play an important role, particularly when your organization is developing new policies and procedures, as well as educating employees on new security risks and prevention.
Understanding Your Information is Key to Knowing What Security is Appropriate
You’ve heard this before, but it’s worth repeating: to have any hope of securing records and information, you must know what information you have, where it’s located, and what it’s used for. A data inventory details what records and information an organization collects, stores, uses, and discloses—both internally and with outside parties. A proper data inventory will also cover customer, proprietary, and employee data. And depending on the kind of information your organization handles, a data inventory may be legally required. Identifying data types and classifying information helps ensure each type is assigned the level of protection it needs, and in many cases the level it is legally required to have. Once assembled, make sure your data inventory gets regularly updated.
All of the hypotheticals at the beginning of this article could easily constitute a data breach. But with good information security, the likelihood they will result in harm, or even be able to happen in the first place, goes way down. As a RIM professional, your knowledge and skills can be a vital asset for developing and maintaining proper security for the records and information you manage.