Records Management - OPERATIONS SECURITY - Information Security Management Handbook, Sixth Edition (2012)

DOMAIN 7: OPERATIONS SECURITY

Operations Controls

Chapter 26. Records Management

Sandy Bacik

As electronic storage grows larger and enterprise information continues to accumulate, records management is a key topic that needs to be discussed. A record is evidence of what an enterprise does: the enterprise captures its business activities and transactions as information. Records management is the systematic control of that information from the time it is created until it is disposed of, and may include classification, storage, preservation, and destruction. Records come in many formats and live on many media, such as physical paper, electronic messages, Web site content, PDAs, flash drives, and databases, to name a few. When there is an issue such as a lawsuit, all of these may be identified as discoverable, including copies that individuals have retained and any items prematurely destroyed.

All enterprise records are information assets and hold value for the enterprise. The enterprise has a duty to all internal and external stakeholders to manage these records to maximize profits, control costs, and ensure effective and efficient enterprise operations. Effective and efficient records management ensures that the information asset is stored, retrievable, authentic, and accurate, and that all of this happens in a timely manner. An effective and efficient records management program requires:

Establishing and following enterprise policies, standards, and procedures

Identifying who is responsible and accountable for managing records

Communicating and executing procedures consistently

Integrating enterprise records management standards and process flows with all enterprise departments

Preserving the enterprise history and identity

Identifying vital/critical records and establishing standards and procedures for business continuity

To begin with, all staff use records and information daily to:

Deliver goods and/or services consistently with accuracy and integrity

Perform daily business transactions and duties

Comply with internal policies, standards, and procedures, as well as laws and regulations

Protect internal and external stakeholder interests

Provide documentation for all enterprise projects for products and/or services.

Because the staff use information on a daily basis, it is each staff member’s responsibility to manage the records and information. In turn, each staff member has an important role in protecting the future of the enterprise by creating, using, retrieving, and disposing of records in accordance with the enterprise’s established policies and procedures, as well as applicable laws and regulations.

An enterprise needs to address well-defined objectives to add value, either directly to the bottom line or toward the achievement of the enterprise’s mission, vision, and values (goals and objectives). Records management objectives can fall into one of three categories:

1. Profit/cost-avoidance

2. Moral, ethical, and legal responsibility

3. Effective and efficient service.

Enterprise record management programs need to manage information assets to be timely, accurate, complete, cost-effective, cost-efficient, accessible, and useable.

Within most enterprises, records management is not a primary business function and usually does not generate income. The following are nonetheless important reasons to establish a records management program. (Adapted from “Ten Business Reasons for Records Management,” in Robek, M.F., Brown, G.F., and Stephens, D.O., Information and Records Management: Document-Based Information Systems, New York: Glencoe, 1995.)

1. To control the creation and growth of records: Despite the growth of portable and electronic media, paper records in enterprises continue to increase. An effective records management program addresses both creation control, by limiting records generation and copying not required for business operations, and records retention, by destroying useless records and retiring inactive ones. This can stabilize the growth of records in all formats.

2. To reduce operating costs: Any recordkeeping consumes administrative dollars for storage and filing equipment, for the space they occupy, and for the staff who maintain them.

3. To improve efficiency and productivity: Time spent searching for missing or misfiled records is nonproductive. Good records management can help an enterprise enhance recordkeeping systems.

4. To assimilate new records management technologies: When an enterprise knows which information assets (records) need to be maintained, it can assimilate new technologies and take advantage of their benefits. When an enterprise invests in new systems and equipment without formal goals and objectives, the full potential of the systems and equipment will not be realized, and they may not address the root cause of the problems.

5. To ensure regulatory compliance: Most countries have regulations for recordkeeping. Many times, these regulations can create major compliance problems for the enterprise due to difficulty in locating, interpreting, and applying the regulation. With formal records management policies, standards, and procedures, compliance with regulations is made easier.

6. To minimize litigation risks: Enterprise records management can reduce the risks and potential penalties associated with litigation. Destroying records under a standard, systematic, routine schedule in the ordinary course of business reduces the liability that attaches to disposal; it is ad hoc destruction, or destruction that continues after a hold has been issued, that exposes the enterprise.

7. To safeguard vital information: All enterprises should have a comprehensive program for protecting critical and vital records and information from disaster, because every enterprise is vulnerable to loss. A records management program preserves the integrity and confidentiality of those critical and vital records according to the business continuity plan.

8. To support better management decision making: Enterprises that can present the most relevant and complete data first often win the decision or competition or can make better decisions. An enterprise records management program helps managers and executives ensure that the information is in the hands of the staff when they need it for what they need it for.

9. To preserve the corporate memory: Enterprise files contain institutional memory, an irreplaceable asset that is often not addressed. The enterprise records create background data for current and future management decisions and planning. This history needs to be preserved for effective and efficient future enterprise activities.

10. To foster professionalism in running the business: In an enterprise where files, papers, boxes, and equipment are left in disorder, the working environment and culture suffer. That disorder can change how customers and the public perceive the enterprise, and it can lower staff morale. Though hard to quantify in cost-benefit terms, this may be among the best reasons to establish a records management program.

How would an enterprise start developing records management requirements? The enterprise must create and preserve adequate and proper documentation of its activities, including records generated electronically by automated applications, to support operational needs and to allow accountability. At a minimum, the records management system shall include the following capabilities:

Proper identification of originators

Proper identification of recipients

Appropriate dates (creation, storage, update)

Any other information needed by the enterprise to meet business requirements

Information generated by automated applications, such as data flows, shall be copied to a recordkeeping system where it is maintained for as long as needed

Complete identification documentation, including originators, recipients, appropriate dates, and other information necessary for enterprise business requirements

A capability to organize and index information to properly preserve, retrieve, use, and dispose of information, including different disposal schedules

Shall be accessible to all appropriate staff, with access control mechanisms restricting everyone else

Shall have a manual or automated system to collect, organize, and categorize records to facilitate their preservation, retrieval, use, and disposition

Shall provide the required instructions for what to do with records that are no longer needed for business. This set of instructions is sometimes called a records destruction schedule or records retention schedule.

To start a records management program, definitions for information classification need to be established. An enterprise can start with something similar to the following for an easy start to information classification for records management:

Confidential: This classification applies to sensitive information that is intended for use within the enterprise; it is the most restrictive of the three sample levels. Its unauthorized disclosure could adversely impact the enterprise, its partners, its employees, the citizens it serves, and/or its customers. Information that some people would consider private falls into this classification. Examples include employee performance evaluations, call and dispatch information, and internal audit reports.

For internal use only: This classification applies to information that should not be distributed to anyone outside the enterprise and can be distributed to others within the enterprise. Although its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact the enterprise, its employees, its stockholders, its business partners, and/or its customers. Examples include the enterprise telephone directory, manufacturing production schedules, training materials, and policy manuals.

Public: This classification applies to information that has been explicitly approved by the enterprise management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be freely disseminated without potential harm. Examples include advertisements, job opening announcements, and press releases.

Although this chapter cannot tell the enterprise what specific technology to select and implement, what follows is a sample enterprise records retention policy and standard.

In conclusion, the enterprise records management does not have to be elaborate; it needs to cover the business and legal requirements to ensure that business operations continue regardless of the situation.

Sample Records and Information Policy

Policy: It is MyCompany (MYC) policy to maintain a companywide records and information management program to ensure appropriate retention, protection, maintenance, and disposition of all records, regardless of format or media.

Scope: This policy applies to all employees, contractors, consultants, temporaries, and other workers at MYC, including workers affiliated with third parties who access MYC network assets. Throughout this policy, the word “employee” will be used to collectively refer to all such individuals. The policy also applies to all computer and data communication systems owned and/or administered by MYC. The company will establish asset management programs and a support infrastructure to optimize the value of company assets. Employees are aware that effective management of the company assets under their direct control is closely linked to expected performance.

Definition: A record is defined as any written, recorded, or graphic material generated or received in any form: paper, electronic, drawing, photograph, microfilm, diskette, magnetic tape, optical disk, voice mail, electronic mail, or other data compilation from which information can be obtained, or any printed copy that has sufficient information value to warrant its retention. A record can contain information from which decisions are made, plans are developed, and control is exercised.

Responsibility: Records and information management will:

Develop and maintain companywide records retention standards and business/operating unit supplemental records retention schedules

Retrieve records in an expeditious manner

Make records readily available to employees who are granted access

Ensure the privacy and security of records

Communicate tax and/or litigation holds on records and subsequent releases, and protect records during the hold period

Identify the records with historical value

Ensure prompt record destruction at the end of the retention period.

Note: If necessary for litigation or other special holds, normal disposition of records will be superseded until written notification of the release of the hold is received from the law or tax departments.

Responsibility: All employees are responsible for proper attention, adherence, and compliance to this policy, including:

Identifying the records for which they are responsible

Confirming the retention time for each type of document

Disposing of records that are beyond the scheduled retention period, unless the retention has been suspended in writing by the law/tax departments.

Responsibility: Management is responsible for the following:

Partner with records and information management to develop, approve, implement, and ensure compliance with companywide records retention standards and business/operating unit supplemental records retention schedules

Ensure that individual employee responsibilities are carried out

Give business units the option to assign/appoint a records coordinator

Ensure communication with records and information management.

Responsibility: The process owner is responsible for the following:

Partner with records and information management to develop, approve, implement, and ensure compliance with companywide records retention standards

Monitor processes to verify and measure compliance with the records and information management program

Serve as an advisor to the corporate records manager

Communicate all legal, regulatory, operational, archival, and financial requirements.

Responsibility: The corporate records manager is responsible for the following:

Implement and manage the companywide records and information management program to ensure compliance with legal requirements, state and federal regulations, and business operations

Establish policies, retention standards/schedules, and procedures for the use, storage, destruction, and safekeeping of company records, regardless of media

Assist in matters of litigation holds, tax audits, and regulatory changes

Analyze, recommend, and support records and information management systems technology and implementation.

Violations: Failure to comply with this policy could potentially adversely affect the company in legal matters. Failure to comply could result in disciplinary actions, up to and including dismissal.

Sample Records Retention Standard

Specification: MYC accumulates, generates, and maintains records in the course of all of its operations. This Information Services (IS) Records Retention and Disposal Standard is in support of MYC’s corporate Records Retention Policy. For the purpose of this IS Records Retention and Disposal Standard, a “record” is defined as any written, recorded, or graphic material generated or received in any form: paper, electronic, drawing, photograph, microfilm, diskette, magnetic tape, optical disk, voice mail, electronic mail, audio tapes, maps, indices, electronic media, video tapes, reference materials, or other forms of data compilations from which information can be obtained, recorded, or printed. Records contain information from which decisions are made, plans are developed, and control is exercised. An adequate records and information management program encompasses the control of all records, including electronic, from their inception or receipt to their destruction or permanent retention. For the purpose of this IS Standard, “record retention” is the act of retaining records in any form or media for specified, predetermined periods of time commensurate with their value, with subsequent disposal or permanent preservation as a matter of official organizational policy.

This IS Standard, including the attached Retention Schedules, sets forth requirements regarding the retention and disposal of MYC IS records, the person(s) responsible for their proper maintenance, retention time periods, and procedures for on- and off-site storage. They are designed to promote sound business practices, safeguard confidential and proprietary information, and comply with applicable laws and contractual obligations. All IS records are subject to this IS Standard.

Separation of duties: All MYC IS employees are responsible for complying with this IS Standard. All IS staff must, periodically and as deemed appropriate by IS management, review files and records in their work area, on local hard drives, and on appropriate network shares, then remove inactive records for disposal, destruction, or off-site storage in accordance with the IS Standard set forth below, and work cooperatively with the persons identified below, who have specific responsibilities in connection with the implementation of this IS Standard:

Chief security officer (CSO): The CSO is the records administrator for the IS department and works with the staff to ensure compliance with this IS Standard, oversees off-site record storage (if required), tracks stored records, coordinates records retrieval, and documents record destruction. The CSO also consults with MYC counsel prior to destruction of records in accordance with the Retention Schedules. The CSO works with MYC counsel upon request to process and respond to all third-party requests for information about and/or production of MYC records, in accordance with this IS Standard.

IS work unit lead: An IS work unit lead oversees their unit’s work to ensure compliance with this IS Standard. Specific responsibilities of each IS work unit lead include:

– Maintaining IS records in accordance with MYC’s internal requirements, legal requirements including state, federal, or local laws and regulations and any other applicable requirements

– Performing a timely records review each year, resulting in the disposal or retention of work unit records in accordance with their respective Retention Schedule

– Approving the destruction of stored IS records in accordance with their respective Retention Schedule

– Immediately notifying the CSO of any third-party requests for IS records

– Consulting with MYC counsel or the CSO regarding any questions or concerns about the retention or destruction of particular IS records

– Coordinating file review for centralized filing areas, shared network files, and staff work areas

– Working with the CSO to document, track, and retrieve records sent to off-site storage locations

– Coordinating the destruction of IS records, including obtaining the appropriate approvals

– Documenting approvals/exemptions and destruction of IS records.

MYC Counsel: MYC counsel may serve in an advisory capacity for any of the following:

– Reviewing, processing, and responding to all third-party requests for information about IS records, in conjunction with the CSO and in accordance with this IS Standard

– Reviewing and approving the scheduled destruction of records in conjunction with the CSO, when necessary

– Notifying IS work unit leads, other managers, or staff to halt the destruction of particular IS records

– Providing consultation to the IS staff regarding this IS Standard

Standard: The Retention Schedules included as part of this IS Standard identify the timeframes for retaining MYC IS records as well as the work unit(s) responsible for their integrity, maintenance, and retention. Appendix A applies to all IS work units and includes the following features:

Record Series: Identifies records by functional categories, such as Service Request Files, Business Records, Finance Files, HR Files, etc.

Description: Lists the type of documents, files, or other media that are contained within the Records Series.

IS work unit responsible for official copy of records: Identifies the IS work unit responsible for the official copy of each Record Series. The location designated as the official record copy holder is responsible for maintaining those records for the retention period designated for Records Held Off Site.

Official record copy held On Site: IS work units may hold records On Site for the specified period. After this time, records must be either destroyed or moved Off Site. On Site means the primary office filing location. Off Site means a designated central location. The meaning of Current will vary. Depending on the type of record, Current means:

– The end of the calendar year

– The closure of an incident

– The completion of a project or lease

– The sale of property

– The usefulness of the information

Comments: This section holds information about the Records Series, including identification of critical records. Records designated as critical are considered essential to continued business operations and should be protected from loss by the official record copy holder.

Periodic file reviews: Each IS work unit must conduct a file review for the purpose of determining the disposition of records in accordance with this IS Standard. The file review includes all record media (paper, electronic, photos, videos, tapes, etc.) and all IS Staff. Periodically and as deemed appropriate by IS management, IS Staff are responsible for reviewing records and files maintained in their personal work areas and in individual computer and backup folders. At the direction of their work unit leads, IS Staff will conduct a periodic file review for their work units, including the following:

1. Review all records media.

2. Identify Records Series on the schedule in Table 26.1.

3. Follow the schedule’s instructions for on-site and off-site retention requirements.

4. Per the schedule, remove the records from active filing locations that have met their on-site retention time.
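To make the file review steps concrete, the following is an added example, not part of the handbook chapter and not Table 26.1: it evaluates a constructed retention schedule over a few constructed records, counting the on-site and off-site periods from each record's Current date, flagging records whose series is not on the schedule, and letting a written litigation or tax hold supersede disposal as the policy note requires. The series names, retention periods, record identifiers, and the hold set are all assumptions made for the example.

```python
"""Retention-schedule evaluator for a periodic file review.

Added example; schedule periods and records are constructed, not Table 26.1.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class RetentionRule:
    """One Record Series line of a retention schedule.

    onsite_years is counted from the record's 'Current' date (end of calendar
    year, incident closure, project completion, ...). offsite_years is the
    additional time the official copy holder keeps the record off site after
    the on-site period ends; None means permanent retention. (Assumed model.)
    """
    series: str
    onsite_years: int
    offsite_years: Optional[int]


@dataclass(frozen=True)
class Record:
    """Minimum identification data: originator, recipients, and dates."""
    record_id: str
    series: str
    originator: str
    recipients: tuple
    created: date
    current_from: date   # date on which this record became 'Current'
    location: str        # "onsite" or "offsite"


# Constructed sample schedule (assumed periods).
SCHEDULE: Dict[str, RetentionRule] = {
    "Service Request Files": RetentionRule("Service Request Files", 1, 3),
    "Finance Files": RetentionRule("Finance Files", 2, 7),
    "Business Records": RetentionRule("Business Records", 3, None),
}


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(record: Record, rule: RetentionRule,
                holds: Set[str], today: date) -> str:
    """Decide what the file review should do with one record.

    Returns 'hold', 'retain', 'move offsite' or 'destroy'. 'destroy' means
    eligible for destruction; the CSO/counsel approval step still applies.
    """
    # A written litigation or tax hold, by record ID or by whole series,
    # supersedes the schedule until counsel releases it in writing.
    if record.record_id in holds or record.series in holds:
        return "hold"
    onsite_end = add_years(record.current_from, rule.onsite_years)
    if rule.offsite_years is not None:
        total_end = add_years(onsite_end, rule.offsite_years)
        if today >= total_end:
            return "destroy"
    if record.location == "onsite" and today >= onsite_end:
        return "move offsite"
    return "retain"


def file_review(records: Iterable[Record], schedule: Dict[str, RetentionRule],
                holds: Set[str], today: date) -> Dict[str, str]:
    """Run the periodic file review over every record.

    A record whose series is not on the schedule cannot be disposed of under
    it; it is reported as 'unscheduled' for the work unit lead to classify.
    """
    report: Dict[str, str] = {}
    for rec in records:
        rule = schedule.get(rec.series)
        report[rec.record_id] = (
            "unscheduled" if rule is None else disposition(rec, rule, holds, today)
        )
    return report


# Constructed sample records for a review dated 30 June 2012.
REVIEW_DATE = date(2012, 6, 30)
SAMPLE_RECORDS = [
    Record("SR-0001", "Service Request Files", "helpdesk", ("net-eng",),
           date(2010, 3, 4), date(2010, 12, 31), "onsite"),
    Record("FIN-0001", "Finance Files", "controller", ("cfo",),
           date(2003, 5, 1), date(2003, 12, 31), "offsite"),
    Record("FIN-0002", "Finance Files", "controller", ("cfo",),
           date(2002, 2, 1), date(2002, 12, 31), "offsite"),
    Record("FIN-0003", "Finance Files", "controller", ("cfo", "auditor"),
           date(2002, 6, 1), date(2002, 12, 31), "offsite"),
    Record("BUS-0001", "Business Records", "ceo", ("board",),
           date(1990, 1, 1), date(1990, 12, 31), "offsite"),
    Record("MISC-0001", "Misc", "intern", (),
           date(2011, 1, 1), date(2011, 12, 31), "onsite"),
]
# Constructed active hold: counsel has frozen FIN-0003 for litigation.
SAMPLE_HOLDS = {"FIN-0003"}

if __name__ == "__main__":
    for rid, action in file_review(SAMPLE_RECORDS, SCHEDULE,
                                   SAMPLE_HOLDS, REVIEW_DATE).items():
        print(f"{rid:10} {action}")
```

The review report is what the work unit lead signs off on: 'destroy' entries go to the CSO and counsel for approval before anything is shredded, 'hold' entries stay put regardless of age, and 'unscheduled' entries are the ones a file review most often turns up and the ones that most need a series assigned.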

Table 26.1 Information Services Record Retention Schedule

Electronic records: MYC IS performs an incremental backup of application programs and data files Monday through Thursday, with a full backup at close of business on Friday. The full backup performed on the first Sunday after the 16th of a month is sent to Recall Data Protection Services (RDPS) for permanent (indefinite) off-site storage. All other full backups are also sent off site to RDPS but are rotated back to the designated MYC Network Engineer after 30 days have elapsed. Tapes rotated back on site are overwritten with the next set of backups. Note that the monthly tapes retained indefinitely still hold whatever files were on the systems at the time; records destroyed under the schedule, or placed under a hold, must therefore be tracked on those tapes as well, because retained copies remain discoverable.

Records disposal: In accordance with the Retention Schedules, records are to be disposed of as set forth below, by record type:

Physical, not confidential: Recycle paper; throw away other media.

Physical, confidential: Shred paper (or place it in a shred bin); physically destroy other media.

Electronic: Delete from the network share or hard drive and empty the Recycle Bin. Deletion alone leaves the data recoverable on the media, so confidential electronic records should be overwritten, or the media sanitized, before it is reused or disposed of.

Backed-up files: Removed when the backup tape is rotated back on site and overwritten by the next set of backups.

Note: For large amounts of material to be shredded or destroyed, engage a vendor specializing in records destruction. The CSO is available to provide assistance.