Proper records management is an imperative for every organization. Storage, disposal and access to records are vital to everything from compliance, for financial reporting, to legal, for discovery purposes. Records management can even assist incident response and help determine the business value of information accessed during a breach. Building a secure records management program is difficult, however, particularly when you're talking about an organization that's been around for a while and is set in its ways.
As any records management professional will tell you, the most important goal of records management is to address the reliability, integrity, compliance, comprehensiveness and systematic management of records through the entire lifecycle, from origination to eventual disposal.
While it might be nice to dream about electronic document and records management systems (EDRMS) that solve all an organization's data governance problems, most organizations aren't quite there yet. It's not that the products don't have the necessary features (although that too is sometimes the case), but that there are often many data complexities in the organization itself. In some environments, paper may still be king, or the organization might have multiple, overlapping electronic records systems that cater to certain types of records or business units. There might be also legacy systems that are not quite performing up to par.
While the overarching processes and goals are the same regardless of record type, sometimes implementations will differ and this can dramatically impact risk.
In fact, even organizations with a single EDRMS might periodically support "mixed-mode" recordkeeping for a variety of reasons. Sometimes records managers need to address more than one type of record at a time (electronic, paper or otherwise) or use multiple, overlapping systems that address the same type of record. This hybrid type of record management requires careful planning -- particularly when it comes to security controls that safeguard the integrity, accuracy and accessibility of those records. While the overarching processes and goals are the same regardless of record type, sometimes implementations will differ and this can dramatically impact risk.
Governing standards such as ISO 15489-1:2001 ("Information and documentation -- Records management -- Part 1: General") don't really differentiate between the type of record (paper, electronic or otherwise) from a "record lifecycle" standpoint. This is by design: The value of the record and the requirements to safeguard it don't vary depending on how or where it's stored. But as a practical matter, hybrid records management scenarios require a bit of a different perspective when it comes to certain aspects of the lifecycle. There is sometimes temptation to author policy and standards catering to what's achievable for one system and not another, and this presents a problem in a hybrid environment.
Not every records management system or process can implement security features in an identical way. For example, an electronic health record might have built-in encryption controls, since they're required by meaningful use criteria under the HITECH Act. However, a homegrown documents management system for insurance contracts management might not have the same stipulations. If your records management program must comply with both healthcare and insurance regulations, you might want to frame policy in terms of "records access," rather than defining a specific mandate for encryption. This seems like a relatively straightforward proposition, but you'd be surprised by how often this is not the case.
If your shop has more than one repository, review your lifecycle with a critical eye for how each policy goal might be implemented given a particular type of record. Watch for policy goals that require or imply a specific technological capability, as those might not be achievable using certain types of systems or processes.
Control selection in the hybrid environment
Once you've addressed the records management policy piece, now comes the harder part: selection of specific controls that address policy and standards requirements. This should include every aspect of the data management lifecycle, from identification of records, to authentication, to their filing and indexing, to storage and retrieval and disposal. To say this is a challenging exercise is an understatement. However, many records management professionals sometimes don't realize that there are allies that can help perform some of these functions, including the organization's information security and compliance departments.
More on records management strategy
Data governance tools, strategy expand their scope
Transparency's vital to records management processes
Clearly, information security professionals and risk managers have a vested interest in ensuring that the organization's records are appropriately protected. Compliance professionals have an interest in ensuring that records management processes implement technical controls as required by any governing standards.
As a result, the security and compliance departments are a useful source of data when it comes to specific control selection. They may also have tools that you can leverage to help with data security tasks. For example, a data loss prevention tool used by security teams to find and filter certain types of sensitive information could help in the categorization and indexing of records. In some cases, encryption methodologies might assist in data disposal efforts by leveraging a process called "crypto-shredding," where encryption keys are deliberately deleted after a defined period of time to ensure the data becomes inaccessible.
The point is that records managers do not have to go it alone or assume that, because an EDRMS doesn't implement a particular control, an equivalent outcome is impossible to achieve. By partnering up with like-minded and similarly-interested parties within the organization, you'll find that very often you can leverage their tools, expertise, personnel and, in some cases, budget to help you implement specific controls. This boost is particularly important when you're dealing with the complex union of hybrid records management tools and approaches.
About the author
Ed Moyle is director of emerging business and technology for ISACA. Moyle previously worked as senior security strategist at Savvis, senior manager at CTG, and prior to that served as a vice president and information security officer at Merrill Lynch Investment Managers.