In most organisations, the records management team and the information security teams are separated, primarily because information security is seen as a technology function, and records management is not. But good records management requires effective security management, and good cybersecurity practice relies on appropriate recordkeeping. By considering the ways in which these two domains intersect, we can make the case for closer collaboration, if not connection, between these roles.

Consideration of the three key principles of information security – confidentiality, integrity, and availability – shows how aligned security and records can and should be.

• Confidentiality is the protection of information from unauthorised access, both within and outside the organisation
• Integrity means the protection of the veracity and traceability of information, so that it has evidential value, and is a true representation of the organisation’s work output
• Availability is the ability to access the right information at the right time.

In the security world, threats to the CIA triad are mitigated in varying ways. Confidentiality risks are managed by applying strong access controls, and protecting systems from penetration. User education is also key here, as most data spills are accidental.

Integrity risks are managed by keeping audit trails and shipping logs to secure locations. Privileges (not who can access something, but rather what they can do with it when they do access it) are also controlled to reduce the likelihood of deliberate or accidental damage to information.

And availability risks are managed by having highly available systems that can stay online in the event of an attack, or by at minimum keeping backups that can be restored if data is deleted or encrypted maliciously.

Records managers may not have much involvement in the establishment and management of ICT security systems, but they will be familiar with all of these concepts.

Confidentiality

Part of the records management lifecycle, as described in the ISO 15489 Information and documentation -- Records management, is Access and Security Classification.

The Standard states that:

4.2.5.2: ...Reasonable security can be described as the level of security that a reasonable person on the street would believe is needed to protect the information from unauthorized access, collection, use, disclosure, deletion, alteration and/or destruction.

Access must be restricted to protect personal information, intellectual property, commercial interests, national or state security, legal, financial and other sensitive information. And the best way to reduce the possibility of inappropriate access to sensitive information is to dispose of it as soon as possible – sentencing and disposition are as much a key part of confidentiality risk-management as access control is.

So confidentiality is a records-management function, as much as an IT security function. But there is evidence to show that neither side of the aisle is doing a great job at managing confidentiality (and may actually be getting worse at it):

Of the four focus areas for protective security, information security remains an ongoing challenge for the Australian Government, with NCCEs reporting an average compliance of 85.26% for the PSPF information requirements. Of note, in 2017–18, there was a 5.19% reduction in average compliance levels with INFOSEC3. INFOSEC-3 contains policies and procedures for the security classification and protective control of information assets.

Source: PSPF Compliance Report 2017-2018

Since June 2019, there have been confidentiality breaches of sensitive records at the Australian National University, Australian Parliament, PayID, Bupa, MyKi, TAFE NSW, National Australia Bank, GeelongPort, Symantec, the Australian Catholic University – and the list of notifiable data breaches numbers 460 for the first half of 2019 alone.

Integrity

Records managers are very familiar with integrity, in the context of maintaining a true and complete record of changes to information over time, such as can be used to show reliable evidence of decision making, consultation and activity. This is important for in extremis cases such as legal defences, but also for more general support of information quality and trustworthiness.   

From ISO 15489:

5.3: Evidential Weight
Records managers need to have readily available evidence to demonstrate and prove the organisation’s compliance with legislation, policies and procedures throughout the life of the system…. This evidence would be available from records of the monitoring and auditing of the system process.

So records managers need comprehensive system logs in order to be able to confirm the integrity of records. Security managers know that the first metadata to be compromised in the event of a system attack are the logs – hackers will make sure to delete evidence of their activities from the logs promptly to evade detection. But some systems don’t create detailed logs in the first place, or if they do, they are not saved for long. The Information Security Manual only requires system event logs to be retained for 7 years per the AFDA (absent now from AFDA Express v2), which is at odds with ISO 15489 records management requirements, where we need the logs to establish veracity for the lifespan of the record (which could be decades, or even forever in the case of archival records):

4.3.8: Use and Tracking
Use of the record is a records management transaction that may need to be captured by the system to form part of the metadata. Use of the record may affect its disposition status.

‘Use and tracking’ in the ISO means keeping a record of user permissions, access and security status, movement and custody, changes to classifications, and any actual use of the record. None of this is possible without good ICT security logging systems and practices.

Availability

What use is a record if you can’t read it? Or find it?

Records managers are concerned with the availability of information assets, both to ensure that people in the organisation can make use of the significant investment in the IP already stored in their systems, but also to comply with the multiple legal obligations to provide records to other stakeholders, government and the community as requested.

Having access to the right information at the right time is such a critical part of successful operation that hackers have made an industry out of it. Ransomware is a growing problem in Australia and around the world. Recently, multiple Victorian hospitals were subject to a ransomware attack, disrupting surgeries and affecting administration. And Small to Medium Enterprises are most at risk – one report found that over 90% of Australian SMEs had been subject to a ransomware attack, the highest of anywhere in the world.

Enterprise-wide encryption attacks are hugely impactful, but information availability can also be disrupted in other ways. Poor management of user privileges, and lack of records compliance controls, means users of most systems can delete important records (both individually and en masse), and there is little that records or security teams can do about it. Most of the time, they won’t even know it has happened. This gradual white-anting of records availability can be even more detrimental than big-bang data losses as, at least with a cryptovirus, there is a prompt to restore files from backup. Ad hoc record deletions are rarely restored, because nobody saw them go.  

What is causing the gap?

The gap seems to be in the initial identification of sensitive information. While there will always be a zero-day vulnerability that we can’t patch against, on the whole, IT security teams do have the resources at their disposal to protect the confidentiality, integrity and availability of information, if only they are told what to protect. This is where records teams can do better, by understanding and cataloguing the high-risk information in their environment. IT can’t do this themselves – in one example, a recent VAGO Audit found that:

[Water control] systems [are exposed] to the risk of a successful cyberattack, particularly by a trusted insider or an intruder breaching physical security and gaining unauthorised access.

Water providers have not completed a detailed assessment of the current security risks for control system assets and do not have comprehensive asset information. They have focused their attention on risks to their corporate systems and on high-level control system risks. Therefore, they have not designed or built their control system security based on a thorough and detailed understanding of their assets, vulnerabilities and risks to ensure security measures are proportionate to those risks.

Source: Security of Water Infrastructure Control Systems

Trying to create ‘a thorough and detailed understanding’ of information assets by interviewing users or searching drives is not working. There is too much information, and it changes too rapidly, for centralised records teams to stay apprised of what is where. And the nuances of sensitivity are not always straightforward enough for general users to understand and proactively apply. Security analysts know, for example, that all the records about perimeter fencing for a water pumping station shouldn’t be made available to the construction teams building the gates, because there is a high ratio of organised crime in the construction industry in Australia, and those threat actors can make use of this information in various ways (including by selling the information to Foreign State Actors, who are very interested in Australian critical infrastructure). General users don’t necessarily know this, and wouldn’t think that information warranted special protection. We can’t expect users to know everything that is sensitive, let alone apply the right sensitivity metadata or tags to it.

There is also a gap in technology. Important business records are now spread across more systems and platforms than ever before, and most of these systems don’t have easy facilities for managing record integrity (versioning, audit and event logs, monitoring and audit capability) or record availability (identifying or preventing deletions, effective backup and restore features). ICT security managers may be able to access centralised systems that help with the enterprise-level confidentiality, integrity and availability triad, but the outputs of these are often not granular or accessible enough for records managers to make use of.

What’s the solution?

The importance of an information asset register cannot be overstated. The NSW Audit Office recently made recommendations to all state agencies related to asset registration:

Agencies are not proactively identifying sensitive data held and where it resides

Sixty-eight per cent of agencies maintain an inventory of their sensitive data. However, this may not be a complete inventory…. We also found that the process whereby agencies identified their sensitive data was not always comprehensive. Generally, agencies relied on common processes such as reviewing existing documentation (e.g. data flow diagrams) and business process walkthroughs to identify sensitive data.

The use of common processes to identify where sensitive data is held increases the risk that not all sensitive data will be identified, meaning it may not be adequately protected.

Agency processes to identify whether data is sensitive needs to improve 

Only 74 per cent of the agencies performed a risk assessment as part of their sensitive data identification process to determine the data's criticality and sensitivity. Of these agencies, only 81 per cent had performed another level of review to assess the potential impact of the data loss to the agency.

Without a comprehensive risk assessment, data sensitivity may be inappropriately classified and resources may not be allocated to the highest risk data.

Source: NSW Auditor-General's Report to Parliament – Internal controls and governance 2019

Macro-level registers do have some value, in that they identify systems and the types of information likely to be in those systems. Once the risks and regulatory requirements relevant to those types of information are understood, this information can be overlaid to show which systems are likely to have what risks. This can help the ICT security team prioritise preventative (intrusion protection, privileged access control) and detective (audit, monitoring and DLP) activities over those data sets.

However, while this is a helpful start, it is not enough for particularly high-risk information assets. Where the risks of a confidentiality breach are most significant, we need more granular control. We recently ran an audit using our software over a file dump of around 30,000 ‘unclassified’ documents provided as test data for a project. Hidden within that 30,000 were over 100 that should definitely not have been in the public data dump – they contained commercial-in-confidence information, or were FOUO, or contained sensitive PII. Yet these files had been selected specifically because they appeared, to all intents and purposes, to be unclassified. They were stored in unclassified systems, and had nothing indicating sensitivity in their titles or metadata.

• To really manage confidentiality risks, we need systems that can not only identify high-risk records automatically, but also track and alert on them. Records managers need to be told when a sensitive record is due for disposition, so its removal from the network can be expedited if possible; and be alerted when a sensitive record is created or saved in an ‘unclassified’ system or file.
• To manage integrity risks, we need systems that independently record and maintain metadata and audit events on all records, centrally and securely, where they won’t be lost as part of the routine systems maintenance activities. This metadata has to be at hand for records managers to use for evidentiary purposes, even (or especially) when records have been kept in systems with poor inbuilt logging and audit features.
• To manage accessibility risks, records managers also need to know when a high-risk or high-value record is deleted, is moved, or has its access rights changed, so that they can either prevent (or immediately recover from) unauthorised loss.

Conclusions

Even where someone in the records team does have time to review and curate individual documents, unless they look inside each one, and they understand the threat environment, they are likely to let a lot of high-risk information through the cracks. The traditional ways of identifying, tracking and controlling high-risk information assets aren’t working any more. The only way to manage this problem, considering the scale of our current data holdings, is intelligent automation.

Security teams, who understand the threat environment and can apply the right technology controls, need to work hand in hand with records managers, who should know what, and where, all our information assets are. Using modern technologies, these two cohorts must work together to find and control sensitive information, and so reduce both the likelihood and the impact of a data breach.

Rachael Greaves is a Certified Information Professional (CIP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM), and is certified in project, change and records management. She is the cofounder and Chief Executive Officer of Castlepoint Systems. Rachael has consulted on large-scale records, security and audit projects in government and regulated industries with complex integrated environments, and developed Castlepoint in response to the tension seen in organisations between compliance, usability, sustainability and cost. Rachael’s mission is to improve outcomes for citizens and stakeholders by helping governments and regulated organisations to provide better, more accountable services.

References

EY – Records and Security Management

NSW State Archives – RM and Security

Shaw Paper – Records and Security

NSW Audit Office – Information Governance 2019

APSC Current and Future Recordkeeping Environment