Keeping up with the volume and velocity of information creation, use, storage, security, and disposition in any organisation is a challenging proposition.  Full stop.  Partnership, with active collaboration, across organisational stakeholders is the only way to truly optimise the outcomes of information governance efforts.  While stakeholders such as “the Business” and “Information Technology” are certainly important stakeholders in deciding how information should be governed, there are two stakeholder groups in particular that should be especially close partners – Records Management and Information Security.

Defining Records Management

Records Managers are experts in understanding the kinds of information organisations create and use.  A Records Manager’s mission is to ensure information, of all kinds in all formats and stored in any repository, is effectively identified and classified so it can be managed in such a way as to support the operation while meeting the organisation’s legal and regulatory requirements.  

A key concept in modern Records Management is that not every piece of information an organisation creates is a “record.”  

A record is any information, in any format, that documents official actions and decisions of the organisation related to its operations, finances, and meeting its legal and regulatory obligations.  

Records, because of their inherent value and potential risk to an organisation, warrant the cost of specific management.  However, some information is transitory or ephemeral and therefore does not warrant the application of additional labour or other resources to manage it in a specific way.  For example, retaining every email with the same rigour and cost applied, even the “cake is in the breakroom” email, does not have a corresponding value to the organisation.  The practice of Records Management helps organisations separate the wheat (the “records”) from the chaff (the “non-records”) and apply its management resources effectively.

Information Security and Records Management Partnership

Ideally, a Records Management Programme would include Security Classification as part of its overall classification schema, creating a natural point of collaboration and partnership between the two groups.  A security classification schema attempts to align a sensitivity label to information assets to enable Records Management, Information Security, and others to optimise where resources are spent to control access to sensitive information.

Information Security Managers are experts in applying logical and physical controls to information to ensure that information is available only to the right users, at the right time, in the right way and for the right amount of time.  All information, whether a “record” or “non-record” should be subject to some security considerations while some especially sensitive information will warrant the cost of taking extra security measures.  If the Records management programme does its job well, Information Security has a leg up on identifying key information that needs to be governed in special ways.  

For example, while an organisation will invest in firewalls and other gateway-type controls for all information coming and going, if it is known that the organisation has and stores trade secret information in a particular place, the Information Security team can augment that particular repository with additional security controls to protect that especially valuable information.

Consider a castle analogy.  A king may deploy a moat, front gate, and reinforced walls to stop anyone from gaining access to what is inside the castle.  However, the king would not keep the crown jewels right inside the front gate; instead, a special guarded room in a high tower would be a more appropriate security strategy.

Optimising Information Governance Outcomes

When Records Management and Information Security combine their efforts, an organisation is able to optimise the cost and effectiveness of both programmes.
 
Some key goals of a Records Management programme are:

• Manage the cost of storing information
• Ensure information is classified and stored appropriately to facilitate use and management
• Keep information in such a way and for the period of time needed to satisfy operational needs as well as any legal or regulatory requirements.

Some key goals of an Information Security programme are:

• Manage the overall security of organisational information
• Ensure sensitive information is known, stored in an appropriate repository, and is accessible to only those who are authorised
• Dispose of information in such a way as to ensure the information is no longer accessible.

There is considerable overlap between these programmes.  When an organisation knows what information it has, why it has it, where it is (or should be) stored; it can not only manage that information for business, legal and regulatory purposes but can also strategically apply security controls effectively.  The result of these blended efforts are lower overall information storage costs, enhanced use/reuse of organisational information, improved integrity of information assets, and secure control over sensitive information.

The contents of this article are intended to convey general information only and not to provide legal advice or opinions.