Taking the "Cyber" Out of Security


The volume and diversity of information that government agencies are responsible for managing has radically increased – new sources, such as text messages and social media, are adding to the complexity.

30 July 2016 | 7 mins

Information, whether physical or digital, is the lifeblood of an agency, but when it comes to securing this valuable asset, most people immediately make a connection to cybersecurity – the policies and safeguards that protect digital information from improper handling, dissemination or destruction. However, not all information is digital, and not all security is cybersecurity. The government needs to focus on the whole of information security, i.e., defending information, both physical and digital, from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Agencies need to start evaluating whether they are proactively securing and managing all of their information, regardless of format or where it resides. Whether physical or digital, email or text message, if the information relates to government business or operations, then that information needs to be protected accordingly. Bringing information security to the forefront of an agency's operations requires both a policy shift and a culture shift.

1. Establish information governance inclusive of Records Management (RM) and Information Technology (IT)

An information governance program establishes a framework that details employee roles and responsibilities while also providing employees with the tools and knowledge they need to determine what constitutes a record and how it should be treated. This allows agencies to manage the growing volumes of information they are seeing and ensures that the associated risks are understood, documented and controlled. Self-monitoring and reporting processes are also crucial to information governance programs: they allow agencies to identify ongoing problem areas, establish corrective actions and keep policies up to date and relevant, which in turn increases security through consistent, compliant behaviour.

A truly successful information governance program will facilitate and promote collaboration between RM and IT personnel. Both groups bring expertise that is essential to standing up an effective, comprehensive information security program. Failing to incorporate both camps produces information silos that separate physical records from electronic records, incorrectly treating the two as mutually exclusive. This approach leads to missed opportunities for cross-functional efficiencies and to inconsistencies or gaps in security coverage. With the diversity of information that exists today, both groups must work together to ensure governance policies are applied consistently across all types of information.

2. Build end-user understanding and buy-in

Since complete information security begins on the front lines, it ultimately comes down to the end-user. If end-users don't know what the policies are, or why those policies are in place, they will not know how or when to apply them, putting information at risk. It is essential for agencies to formally train every employee, from records managers to end-users at every level, on their individual responsibilities in handling agency records. Without this formal training, agency compliance and confidence levels suffer.

Formal training will also help secure end-user buy-in by showing why and how following proper records policies makes their daily activities more productive. Employees can streamline their daily work because they can rely on a standardised organisational system and apply consistent retention policies, which makes it easier to respond to requests for information. Ultimately, they will perform significantly better from a security perspective and will be more confident in their agency's ability to guard against risk.

3. Establish records retention best practices and automate where possible

If your agency isn't retaining records appropriately, how do you know what information is (or should be) accessible to your personnel? How do you determine whether your information is protected against improper dissemination, destruction or duplication? These are questions that a successful information governance program will answer. Once best practices have been identified, agencies should look to automate them wherever possible. This minimises the risk of human error, reduces the manual burden on employees and improves the consistency of policy execution.

As we move forward into a future full of new mediums and technologies for information sharing, it is important that government agencies' focus on preserving transparent, accessible and secure information remains steadfast. Information, regardless of format or method of transmission, is subject to the principles, laws and regulations that govern information security. Agencies need to establish comprehensive governance policies, with automated best practices capable of anticipating future risks. They need to take the "cyber" out of security, broadening their focus to the big picture of securing their information as a whole, and an established information governance program is the place to start.