Relationship building for information security and management
This framework highlights the connection between strong information security and effective records management. Collaboration and compliance help NSW public offices protect their information assets against growing digital threats.
In today’s interconnected workplaces, information faces many risks and threats. Like other business assets, records and data need protection.
The NSW Standard on records management and ISO 15489 require public offices to:
- identify and manage high-risk and high-value records, information, data and systems
- design management processes to protect information with long-term value
- prevent unauthorised access, misuse, alteration, loss, or destruction of records, information and data
- ensure records, information and data are authentic, reliable, and usable
- systematically and accountably destroy records when appropriate
- regularly monitor and review records and information management practices to meet information security standards.
Similarly, public offices must also comply with their own information security requirements, as outlined in:
- internal information or cyber security policies
- NSW Cyber Security Policy and Strategy
- NSW Government Information Classification, Labelling and Handling Guidelines
- Australian Cyber Security Centre’s Information Security Manual
- AS ISO/IEC 27001
- AS ISO/IEC 27002.
State Records NSW encourages collaboration between records managers and information security teams.
Together, they can determine requirements, design secure systems, manage metadata, storage and disposal, and monitor information security effectively.
Determining information security requirements
When setting up recordkeeping requirements, it’s important to also address access and security. This helps organisations to:
- identify and apply the right security controls
- reduce risks to an acceptable level.
By following the Standard on records management and the NSW Cyber Security Policy, organisations can ensure that:
- high-risk and high-value records, information, and data are identified and prioritised
- vital systems (the 'crown jewels') are managed and secured.
Your expertise will help the organisation’s information security teams in:
- developing a comprehensive information security policy
- designing and managing secure records and information systems
- implementing a range of security measures.
Designing secure records and information systems
To protect records, information, and data, it’s important to include access and security needs in the design of your systems. This not only helps keep your data safe but also reduces information risks.
Key points to focus on when working with information security include:
- implementing the Essential Eight security measures
- ensuring cybersecurity requirements are included in procurement and system development
- maintaining records of system design, configuration, access control, and migration
- meeting retention and disposal requirements for records, information and data, and systems, before and during decommissioning
- reviewing audit trails and activity logs.
These security steps should also be part of your organisation's information security and business continuity plans.
Security measures for records, information and data
Classifying records, information and data
Information should be classified in relation to its:
- legal requirements
- value and criticality to the organisation
- sensitivity to unauthorised disclosure or modification.
More details on the classification of information can be found in AS ISO/IEC 27002:2015 Information technology – Security techniques – Code of practice for information security controls.
Your knowledge of this classification will assist information security teams in understanding the needs, priorities and expected degree of protection when handling the organisation’s records, information and data.
Sensitive or confidential information should be labelled and must:
- comply with the system outlined in the NSW Government Information Classification, Labelling and Handling Guidelines
- be supported by the development of business rules and handling procedures
- be accessible exclusively to people who meet clearance and suitability criteria.
Information security in third party agreements and cloud computing arrangements
Considering the rise of data breaches impacting NSW public offices and/or their service providers, it is critical that recordkeeping requirements and considerations, including those relating to access and security, are conveyed to the service provider.
You and the information security team can advise on matters outlined in:
- Accountable outsourcing
- Using cloud computing services: implications for information and records management
- Storage of State records with service providers outside of NSW.
They should also work collaboratively on refining and implementing:
- the organisation’s Information Security Management System (ISMS)
- initiatives offered and recommended by Cyber Security NSW
- strategies offered and recommended by the Australian Cyber Security Centre.
Applying metadata
Adequate metadata is essential to effectively manage, secure and retrieve records, information and data. Without robust metadata, records and information are at risk.
Metadata itself is a record and should be:
- appropriately managed
- protected from loss, alteration or unauthorised deletion
- retained or destroyed in accordance with appraisal requirements
- perpetually linked to the records it relates to.
To strengthen the security and authenticity of metadata, you must liaise with the organisation’s information security teams to:
- control access to metadata using authorised permission controls
- identify and include minimum metadata requirements during planning, procurement and migration
- assess the currency of metadata amid changes to recordkeeping standards and to technology.
Storing records, information and data
All public offices are required, under Section 11 of the State Records Act 1998, to ensure the safe custody and proper preservation of State records in their care.
Working closely with the organisation’s information security teams is paramount to achieving this goal.
Together, you can ensure that:
- when storing physical records, information and data
- when storing digital records, information and data
Disposing of records, information and data
Secure disposal of records, information and data ensures that confidential information is not shared, made public or sold to third parties.
When consulting with the organisation’s information security teams, you must direct planning and implementation around:
- systematic and accountable destruction of records
- sentencing of records according to current and authorised retention and disposal authorities
- transferring of records required as State archives to the State Archives Collection
- provision of approval by a senior responsible officer (SRO) for the destruction and/or transfer of records.
Managing information security
Implementing training
As a recordkeeping professional, you are required to work closely with staff to increase their awareness of risks and threats, and to help equip them with the tools necessary to responsibly conduct their work.
Ensuring that all staff, including contractors, are trained, updated and fully aware of their responsibilities will influence organisational culture and contribute to the implementation of good information security behaviours.
These behaviours can be applied or reinforced in collaboration with information security teams via:
- induction and education/training programs (including cyber security awareness training)
- business rules and procedures for the classification, handling and destruction of records, information and data
- official communications (including emails, newsletters or team meetings)
- awareness campaigns
- participation in whole-of-government/NSW Government initiatives and forums.
All training initiatives should be established in line with the organisation’s information security policy.
Business continuity management
From targeted cyber-attacks to raging floods and fires, business continuity management is imperative to:
- counteract interruptions to business activities
- protect critical business processes from the effects of information system failures and outages
- protect or salvage records, information and data from incidental disclosure
- protect or salvage records, information and data from loss or damage.
It is crucial that you work closely with the organisation’s information security teams to:
- keep disaster management plans and procedures current, accessible and familiar to all staff
- assign responsibilities to staff in the event or aftermath of a disaster
- conduct periodic disaster response training
- integrate cyber security requirements with the organisation’s business continuity arrangements.
Monitoring compliance
Continuous monitoring of records, recordkeeping and records and information management may assist the organisation’s information security teams in proactively identifying and responding to security threats and vulnerabilities.
Monitoring may include:
- regular review of the organisation’s recordkeeping systems and security controls
- evaluating information from security incidents
- undertaking a compliance audit using internal or external auditors
- staying informed on developments in technology and the organisation’s digital landscape
- investigating changes or breaches to relevant legislation or regulations
- checking against security requirements for metadata.