Improving Information Governance Outcomes Through Records Management and Security Partnership
Keeping up with the volume and velocity of information creation, use, storage, security, and disposition in any organization is a challenging proposition. Period. Partnership, with active collaboration, across organizational stakeholders is the only way to truly optimize the outcomes of information governance efforts. While groups such as “the Business” and “Information Technology” are certainly important stakeholders in deciding how information should be governed, there are two stakeholder groups in particular that should be especially close partners – Records Management and Information Security.
Defining Records Management
Records Managers are experts in understanding the kinds of information organizations create and use. A Records Manager’s mission is to ensure information, of all kinds in all formats and stored in any repository, is effectively identified and classified so it can be managed in such a way as to support the operation while meeting the organization’s legal and regulatory requirements.
A key concept in modern Records Management is that not every piece of information an organization creates is a “record.”
A record is any information, in any format, that documents official actions and decisions of the organization related to its operations, finances, and meeting its legal and regulatory obligations.
Records, because of their inherent value and potential risk to an organization, warrant the cost of specific management. However, some information is transitory or ephemeral and therefore does not warrant the application of additional labor or other resources to manage it in a specific way. For example, retaining every email with the same rigor and cost applied, even the “cake is in the breakroom” email, does not have a corresponding value to the organization. The practice of Records Management helps organizations separate the wheat (the “records”) from the chaff (the “non-records”) and apply its management resources effectively.
Information Security and Records Management Partnership
Ideally, a Records Management Program would include Security Classification as part of its overall classification schema, creating a natural point of collaboration and partnership between the two groups. A security classification schema attempts to align a sensitivity label to information assets to enable Records Management, Information Security, and others to optimize where resources are spent to control access to sensitive information.
Information Security Managers are experts in applying logical and physical controls to information to ensure that information is available only to the right users, at the right time, in the right way, and for the right amount of time. All information, whether a “record” or “non-record,” should be subject to some security considerations, while some especially sensitive information will warrant the cost of taking extra security measures. If the Records Management program does its job well, Information Security has a leg up on identifying key information that needs to be governed in special ways.
For example, while an organization will invest in firewalls and other gateway-type controls for all information coming and going, if it is known that the organization has and stores trade secret information in a particular place, the Information Security team can augment that particular repository with additional security controls to protect that especially valuable information.
Consider a castle analogy. A king may deploy a moat, front gate, and reinforced walls to stop anyone from gaining access to what is inside the castle. However, the king would not keep the crown jewels right inside the front gate; instead, a special guarded room in a high tower would be a more appropriate security strategy.
Optimizing Information Governance Outcomes
When Records Management and Information Security combine their efforts, an organization is able to optimize the cost and effectiveness of both programs.
Some key goals of a Records Management program are:
- Manage the cost of storing information
- Ensure information is classified and stored appropriately to facilitate use and management
- Keep information in such a way and for the period of time needed to satisfy operational needs as well as any legal or regulatory requirements.
Some key goals of an Information Security program are:
- Manage the overall security of organizational information
- Ensure sensitive information is known, stored in an appropriate repository, and is accessible to only those who are authorized
- Dispose of information in such a way as to ensure the information is no longer accessible.
There is considerable overlap between these programs. When an organization knows what information it has, why it has it, and where it is (or should be) stored, it can not only manage that information for business, legal, and regulatory purposes but can also strategically apply security controls effectively. The result of these blended efforts is lower overall information storage costs, enhanced use/reuse of organizational information, improved integrity of information assets, and secure control over sensitive information.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.