Taking the "Cyber" Out of Security

Topics: Information Management: New Thinking

By Tyler Morris, Director of Product Management for Iron Mountain Government Services (tyler.morris@ironmountain.com)

Not All Information is Digital and Not All Security is Cybersecurity

The volume and diversity of information that federal agencies are responsible for managing has radically increased – new considerations, such as text messages and social media, are adding to the complexity. Information, whether physical or digital, is the lifeblood of an agency, but when it comes to securing this valuable asset, most people immediately make a connection to cybersecurity – the policy and safeguards that protect digital information from improper handling, dissemination or destruction. However, not all information is digital and not all security is cybersecurity. The federal government needs to focus on the whole of information security, i.e., defending information, both physical and digital, from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Agencies need to start evaluating whether they are proactively securing and managing all of their information, regardless of format or where it resides. Whether physical or digital, email or text, if the information contained within is pursuant to government business or operations, then that information needs to be protected accordingly. In order to bring information security to the forefront of an agency's operations, both a policy shift and a culture shift are required.

1. Establish information governance inclusive of Records Management (RM) and Information Technology (IT)

An information governance program establishes a framework that details employee roles and responsibilities while also providing employees with the tools and knowledge they need to properly determine what constitutes a record and how it should be treated. This allows agencies to effectively manage the growing volumes of information they are seeing and ensures that associated risks are well understood, documented and then controlled so risk mitigation can happen appropriately. Self-monitoring and reporting processes are also crucial to information governance programs, as they allow agencies to identify ongoing problem areas and establish corrective actions, ensuring policies are up to date and relevant, which in turn increases security via consistent and compliant behavior. As it stands, only 15 percent of agency records professionals strongly agree that their current records management policy is meeting the needs of their agency, according to a recent Market Connections survey.[1]

A truly successful information governance program will facilitate and promote collaboration between RM and IT personnel. Both groups of employees bring valuable expertise that is essential to standing up an effective, comprehensive information security program. Failing to incorporate both camps results in information silos that separate physical records from electronic records, incorrectly treating the two as mutually exclusive. This approach leads to missed opportunities for cross-functional efficiencies and inconsistencies or gaps in security coverage. With the diversity of information that exists today, both groups must work together to ensure governance policies are applied consistently across all types of information.

2. Build end-user understanding and buy-in

Since complete information security begins on the front lines, it really comes down to the end-user. If end-users don't know what the policies are, or why those policies are in place, they will not know how or when to implement those policies, thereby putting information at risk. It is essential for agencies to formally train every employee, from the records managers to end-users at every level, on their individual responsibilities in handling agency records. Without this formal training, agency compliance and confidence levels are severely affected. Currently, 47 percent of agency records professionals have not received formal records management training, relying only on informal training or having no training at all.[2]

Formal training will also help secure end-user buy-in by connecting the dots on why and how following proper records policies will make their daily activities more productive. Employees will be able to streamline their daily functions because they can rely on a standardized organizational system and apply consistent retention policies that make it easier to respond to requests for information. Ultimately, they will perform significantly better from a security perspective and will be more confident in their agency's ability to guard against risk.

3. Establish records retention best practices and automate where possible

If your agency isn't retaining records appropriately, how do you know what information is (or should be) accessible to your personnel? How do you determine if your information is being securely protected against improper dissemination, destruction or duplication? These are questions that a successful information governance program will address. As the recent Government Accountability Office (GAO) Information Management Report stated, "Without adequate and readily accessible documentation, agencies may not have access to important operational information needed to make decisions and carry out their missions."[3] Once best practices have been identified, agencies should look to automate these processes wherever possible. This minimizes the risk of human error, reduces the manual burden on employees and improves the consistency of policy execution.

As we collectively move forward into a future full of new mediums and technologies for information sharing, it is important that federal agencies' focus on preserving transparent, accessible and secure information remains steadfast. Information, regardless of format or method of transmission, is subject to the principles, laws and regulations that govern information security. Agencies need to establish comprehensive governance policies with automated best practices capable of anticipating future risks. They need to take the "cyber" out of security, broadening their focus on the big picture of securing their information as a whole, by starting with an established information governance program.

[1] Market Connections. The 2015 Federal Information Management Report. Page 29.

[2] Market Connections. The 2015 Federal Information Management Report. Page 9.

[3] United States Government Accountability Office. Information Management – Additional Actions Are Needed to Meet Requirements of the Managing Government Records Directive. May 2015. Page 3.