In this era of open government and rapidly interconnected workplaces, information is vulnerable to a variety of risks and threats. Like any other business asset, records, information and data require protection.

The Standard on records management and ISO 15489 require NSW public offices to:

  • identify and manage high risk and high value records, information, data and systems
  • design records and information management to safeguard records, information and data with long term value
  • protect records, information and data from unauthorised or unlawful access, destruction, loss, misuse or alteration
  • protect the authenticity, reliability, integrity and useability of records, information and data 
  • systematically and accountably destroy records and information when legally appropriate
  • monitor and review records and information management to ensure it meets information security needs.

Similarly, public offices must also comply with their own information security requirements, as outlined in:

State Records recommends that records and information management professionals work closely with information security professionals to ensure that records, information and data are secured and protected. Key areas for collaboration include:

  • determining appropriate requirements
  • designing secure systems
  • implementing measures for metadata, storage and disposal
  • managing and monitoring information security in the organisation.

Determining information security requirements

Determining recordkeeping requirements also determines the requirements for access and security. It can assist the organisation in:

  • identifying and applying appropriate security controls
  • reducing risks to an acceptable level.

Compliance with the requirements set in the Standard on records management and with the NSW Cyber Security Policy helps ensure that:

  • records, information and data of high risk and high value are identified and prioritised
  • the organisation’s vital systems (“crown jewels”) are closely managed and secured.

Your knowledge and expertise in these areas will assist the organisation’s information security teams in:

  • developing a comprehensive information security policy
  • designing and managing secure records and information systems
  • implementing a variety of information security measures.

For more information, see:


Designing secure records and information systems

Incorporating access and security requirements into the design and configuration of records and information systems will not only safeguard records, information and data, but also mitigate information risks.

When collaborating with information security, it is vital that your joint efforts involve:

  • implementing the ACSC’s Essential Eight
  • ensuring that cyber security requirements are built into procurement and the development life cycle of records and information systems
  • maintaining documentation of system design, configuration, access control and/or migration
  • complying with retention and disposal requirements for records, information and data contained in systems before and during decommissioning
  • reviewing audit trails and activity logs.

Security measures for records and information systems should also be included in the organisation’s information security and business continuity plans. [1]

For more information, see: Designing, Implementing & Managing Systems


Security measures for records, information and data

Classifying records, information and data

Information should be classified in relation to its:

  • legal requirements
  • value and criticality to the organisation
  • sensitivity to unauthorised disclosure or modification. [2]

Your knowledge of this classification will assist information security teams in understanding the needs, priorities and expected degree of protection when handling the organisation’s records, information and data.

Sensitive or confidential information should be labelled and must:

Information security in third party agreements and cloud computing arrangements

Considering the rise of data breaches impacting NSW public offices and/or their service providers, it is critical that recordkeeping requirements and considerations, including those relating to access and security, are conveyed to the service provider.

You and the Information Security team can advise on matters outlined in:

… and work collaboratively on refining and implementing:

Applying metadata

Adequate metadata is essential to effectively manage, secure and retrieve records, information and data. Without robust metadata, records and information are at risk.

Metadata itself is a record and should be: 

  • appropriately managed
  • protected from loss, alteration or unauthorised deletion
  • retained or destroyed in accordance with appraisal requirements
  • persistently linked to the records it relates to.

To strengthen the security and authenticity of metadata, you must liaise with the organisation’s information security teams to:

  • control access to metadata using authorised permission controls
  • identify and include minimum metadata requirements during planning, procurement and migration
  • assess the currency of metadata amid changes to recordkeeping standards and to technology. 

For more information, see: Metadata for records and information

Storing records, information and data

All public offices are required, under Section 11 of the State Records Act 1998, to ensure the safe custody and proper preservation of State records in their care.

Working closely with the organisation’s information security teams is paramount to achieving this goal. Together, you can ensure that:

When storing physical records, information and data:
  • records are stored in compliance with the Standard on the physical storage of State records
  • access to storage or information processing areas is monitored and controlled
  • records are not moved offsite without appropriate authorisation or tracking
  • a clean desk policy is implemented for sensitive records
  • labels (protective markings) are applied to classified information to indicate the level of protection required.
When storing digital records, information and data:
  • access, security and user permissions for systems that manage records, information and data are documented and regularly updated
  • devices containing work-related information are locked when not in use and never left unattended in unsecured vehicles or for extended periods of time
  • a clear screen policy is implemented
  • labels (protective markings) are applied to classified information to indicate the level of protection required.

Disposing of records, information and data

Secure disposal of records, information and data ensures that confidential information is not shared, made public or sold to third parties.

When consulting with the organisation’s information security teams, you must direct planning and implementation around:

  • systematic and accountable destruction of records
  • sentencing of records according to current and authorised retention and disposal authorities
  • transferring of records required as State archives to the State Archives Collection
  • provision of approval by a Senior Responsible Officer for the destruction and/or transfer of records.

For more information, see: Retention and Disposal


Managing information security

Implementing training

As a recordkeeping professional, you are required to work closely with staff to increase their awareness of risks and threats, and to help equip them with the tools necessary to responsibly conduct their work.

Ensuring that all staff, including contractors, are trained, updated and fully aware of their responsibilities will influence organisational culture and contribute to the implementation of good information security behaviours.

These behaviours can be applied or reinforced in collaboration with information security teams via:

  • induction and education/training programs (including cyber security awareness training)
  • business rules and procedures for the classification, handling and destruction of records, information and data
  • official communications (including emails, newsletters or team meetings) 
  • awareness campaigns
  • participation in whole-of-government/NSW Government initiatives and forums.

All training initiatives should be established in line with the organisation’s information security policy.

Business continuity management

From targeted cyber attacks to raging floods and fires, business continuity management is imperative to:

  • counteract interruptions to business activities
  • protect critical business processes from the effects of information system failures and outages
  • protect or salvage records, information and data from incidental disclosure
  • protect or salvage records, information and data from loss or damage.

It is crucial that you work closely with the organisation’s information security teams to:

  • keep disaster management plans and procedures current, accessible and familiar to all staff
  • assign responsibilities to staff in the event or aftermath of a disaster
  • conduct periodic disaster response training
  • integrate cyber security requirements with the organisation’s business continuity arrangements.

For more information, see: Disaster management overview

Monitoring compliance

Continuous monitoring of records, recordkeeping and records and information management may assist the organisation’s information security teams in proactively identifying and responding to security threats and vulnerabilities. 

Monitoring may include:

  • regular review of the organisation’s recordkeeping systems and security controls
  • evaluating information from security incidents
  • undertaking a compliance audit using internal or external auditors
  • staying informed on developments in technology and the organisation’s digital landscape
  • investigating changes to, or breaches of, relevant legislation or regulations
  • checking against security requirements for metadata.

For more information, see: Monitoring Overview

Footnotes

[1] Standards Australia. AS ISO 15489.1:2017, Information and documentation—Records management—Part 1: Concepts and principles, 5.3.2.2 Secure
[2] Standards Australia. AS ISO/IEC 27002:2015, Information technology—Security techniques—Code of practice for information security controls, 8.2.1 Classification of information
