Improving security and privacy in information management

Information security and privacy is a significant challenge in government information management. The OAIC Community Attitudes to Privacy Survey Research Report 2013 found that public confidence in the ability of government to handle personal information had fallen since 2007 – with financial institutions now viewed as more trustworthy than government agencies. This is certainly understandable in light of the high-profile political data breaches that have been making headlines with increasing frequency since the 2010 Wikileaks scandal. It puts pressure on government agencies to not only tighten up any security loopholes but, perhaps more importantly, to prove to the public that sensitive information is being managed properly.

This starts with the Protective Security Policy Framework (PSPF) – a multi-tiered collection of guidelines covering the management of personnel, information and physical security across the whole of government. The part of this framework that deals with electronic information security is in turn based on the Australian Signals Directorate’s Information Security Manual (ISM), a sizeable document that outlines a risk-based approach to information and ICT system security.

Despite having access to these resources, many agencies can find it difficult to know whether an information management initiative meets the detailed stipulations of the guidelines. Contractors dealing with the inter-agency transfer of physical information alone need to be vetted by the Security Construction and Equipment Committee (SCEC) in accordance with a range of requirements that can be difficult to assess:

  • Operated as a commercial courier service for a minimum of two consecutive years and meet the majority of the SCEC Endorsement Criteria – Safe Hand Courier Services A11995602 requirements.
  • Agree to initial and ongoing examination of its services to ensure compliance with criteria requirements.
  • Agree to initial and ongoing assessment of foreign ownership.
  • Nominated couriers agree to be subject to initial and ongoing personal background checks; prejudicial results will exclude an individual from undertaking the safe hand courier duties.
  • Company is ISO 9001 Quality Management Systems certified by a third party registrar.

A facility that holds a Transported Asset Protection Association Freight Security Requirement certification.[1] It’s understandable that many agencies prefer to stay with something familiar rather than step into territory that can seem complicated and time-consuming.For those still dealing with physical archives, there are two major security issues. In-house archives rely on agencies themselves to maintain a level of security on premises that is costly and would otherwise be unjustified. Off-site archives, while more secure, can expose information to compromise during transit, especially over long distances where multiple handovers are involved. Very few information management firms have a secure chain of custody across all their delivery locations. Instead, when they have to deliver outside certain geographical boundaries or times of day, they outsource to contractors.

This adds one or more unnecessary steps to the information transmission process. While it may only increase the risk of breach by a slight margin, it elevates the risk of data loss significantly. “Complexity is fertile territory for error,” says researcher Matthew C. Holtman. When the human element in a system increases, so does the possibility that something will go wrong.

Maintaining compliance by ensuring documents are destroyed at the right time is another area that agencies can struggle with. Many are aware of where their document retention obligations end, but can be unwilling to commit to sentencing schedules. There are a number of reasons for this, the most common being uncertainty over what their archives contain – especially if those archives date back to the pre-digital era. From a liability perspective, the relatively small cost of ongoing storage is more than justified by the possibility that an arbitrary sentencing mechanism might accidentally destroy mission-critical documents. Why not audit the documents? The time- and money-consuming task of going through the archives would require a financial investment equivalent to the cost of decades of static storage.This means that agencies can end up hanging onto many times the amount of data that retention regulations demand, potentially complicating search and retrieval processes, and creating issues of compliance with the Privacy Act.

For smaller agencies, security and privacy concerns are limited by more modest information volumes and a greater ability to keep records in-house. For larger government departments, the risk is greater. With the confidential information of thousands of individuals in their possession, large-scale mismanagement can have an ongoing negative effect on public confidence.

The best solution providers store and transport data according to the strictest government standards – fully satisfying all PSPF requirements. Their physical storage facilities are secured with advanced fire-protection and surveillance systems, with all employees undergoing a Police Criminal Security check before being allowed to handle client information. The same vetted staff also operate a secure fleet of vehicles and ensure that document chain of custody is unbroken by anyone outside the company, such as a generic courier or other third-party contractor. Their digital offering will provide an administrative console with airtight security configurations, function-level verification on transactions, and application-level security that limits users to accessing only the functionality and data they need.

In addition, these companies are conscious of the evolving legislative environment and can keep track of stored information over time, setting up retention and sentencing schedules that ensure destruction occurs when documents reach the end of their lifespan. They can also assist with proof of compliance by providing certificates of destruction.

Accredited information management companies are a boon for agencies because they don’t need to go through the lengthy vetting process. With information stored off-site, much of the pressure is taken off agencies that are currently maintaining a high level of physical and cyber security in their office premises. Access to archives can then be controlled entirely through administrative systems to reduce the burden on existing departmental separation practices or clean-desk policies.

Having an information management partner paying close attention to sentencing schedules means that documents are less likely to occupy costly shelf space, allowing for a dramatic reduction in information storage overheads. Healthy sentencing schedules also help ensure all of an agency’s records comply with the Privacy Act and other relevant legislation without significantly driving up costs

.A government agency that can assure people that their information is safe is one that will stand out for all the right reasons to the privacy-conscious public. Find out more in Grace’s FREE in-depth information management report for government agencies – available exclusively at www.grace.com.au/information/government

________________________________________

[1] https://www.scec.gov.au/scec-couriers