Kerry A. Anderson, CISA, CISM, CRISC, CGEIT, CISSP, ISSMP, ISSAP, CSSLP, CFE
When picturing the relationship between the information security and the records information management (RIM) teams in many organizations, Aunt Eller, from the Broadway play Oklahoma, singing “The farmer and the cowboy should be friends” comes to mind. Both the farmer and the cowboy had similar interests and could have likely benefited from some collaborative endeavor; however, in many organizations, the tendency has been to fixate on the differences between information security and RIM rather than the mutual benefits.
In many organizations, there has been limited interaction between the information security and the RIM teams. While there may be myriad explanations for this lack of partnership, the most likely cause is a combination of the following erroneous assumptions:
Information security and IT organizations seem more naturally aligned because the technical focus of many information security initiatives and tools necessitates their mutual involvement. Many information security practitioners view their IT peers as natural extensions of their team. Put simply, information security sees IT as “us” rather than “them.”
Fewer information security professionals view their RIM counterparts as potential players on their team. Conversely, RIM professionals seldom regard information security as prospective stakeholders on their projects. When communication is required between the two teams, the approach is often to send an envoy to fetch the necessary information rather than to initiate continuing exchanges.
Despite the historical gaps that exist between RIM and information security, there has been increased outreach between professional associations, such ARMA International and (ISC) 2 , as well as significant research initiatives that form a junction between the two disciplines. This effort to form a bridge between information security and RIM comes from an increasing recognition between risk and compliance professionals of the requirement to manage information securely from its creation to its ultimate destruction.
The current regulatory environment and growing concerns around data privacy create an opportunity for information security and RIM to forge a new relationship that draws on the strengths of both groups to yield innovative approaches to managing the increasingly complex business requirements to provide cradle-to-grave protection for information assets. A significant example of this fusion of information security and RIM requirements is the Massachusetts Data Privacy Law (M.G.L. c.93 H ~ Regulation 201 CMR 17.00). This data-protection statute is one of the toughest of the state privacy laws. The Massachusetts law requires the identification of records containing personally identifiable information (PII).1 For those uninitiated in RIM practices, this provision means having a current, sustainable and accurate electronic records inventory that intermingles security-related attributes. The law’s focus on records is no surprise given that it owes its creation to a series of data breaches2 that involved both security issues and storage of a significant amount of PII retained far past its useful existence.
While it is tempting to believe that RIM and information security can deal with the recent regulatory challenges and proceed down their separate and parallel paths, this would waste an opportunity to forge a synergistic affiliation that has the potential to yield invaluable benefits in the protection of information.
An organization can introduce a series of related practices to construct a collaborative partnership between the RIM and information security function within an organization. It may be preferable to introduce each practice in succession to obtain its full benefits. It is not necessary to implement all practices into an organization; however, developing a sustainable approach to electronic records inventory is the foundation upon which the other practices are dependent.
All practices have been implemented successfully in a production environment. Different combinations of practices have been implemented depending on the cultural environment and level of organizational maturity of the client enterprise. Utilizing all nine practices is best suited for larger enterprises, based upon the author’s experience implementing this strategic approach. Smaller organizations experienced a better outcome employing the first practice, as well as by employing several other of the practices based upon a risk-based analysis of the organizations’ environments. The success of this approach is dependent on senior management’s commitment to the project and buy-in from the RIM and information security teams. Because implementing all practices requires the availability of resources, the outcome is dependent upon the ongoing commitment of all key stakeholders to this strategic approach.
The practices are as follows:
One approach to cultivating a robust relationship between information security and RIM is the establishment of human outposts within each other’s teams. These human outposts would be rotating roles fully integrated into the daily operations of their assigned team. Some participants might elect to become permanent members of these teams. Other participants will go back to their original assignments with new insights into the issues of their peers, thus becoming subject matter experts (SMEs). This exchange endeavor could be an approach to the creation of a new class of hybrid professionals with core competencies that span both RIM and information security disciplines. These hybrid professionals could become indispensable resources on data protection strategies and on managing the current trend toward greater privacy regulation.
Corporate governance boards provide another avenue to develop closer integration between the RIM and information security teams by inclusion of both groups in regular meetings and cross-pollinating project teams among both teams’ members.
In the past decade, information security professionals have proactively sought their peers in business areas to build relationships and provide value to the organization. Information security management may need to take the lead in establishing a closer alignment between the two complementary risk functions.
Albert Einstein said, “We cannot solve our problems with the same thinking we used when we created them.” The closer alignment between RIM and information security may provide an approach to managing increasing data protection concerns and tough privacy regulations rather than maintaining the separation between these critical compliance functions.
1 201 CMR 17.00: Standards for the Protection of Personal Information for Massachusetts Residents, www.bingham.com/ExternalObjects/docs/201%20CMR%20clean%20-%208_17_09_(4755).pdf2 The Massachusetts Data Security Regulations—Prepare to Comply, www.harborlaw.com/newsletters/october09.pdf3 Pareto’s Principle—The 80-20 Rule, http://management.about.com/cs/generalmanagement/a/Pareto081202.htm4 Berg, Gary G.; Michelle S. Freeman; Kent N. Schneider; “Analyzing the TJ Maxx Data Security Fiasco: Lessons for Auditors,” www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm
Kerry A. Anderson, CISA, CISM, CRISC, CGEIT, CISSP, ISSMP, ISSAP, CSSLP, CFE, is an information security and records management consultant with more than 15 years of experience in information security and IT across a variety of industries. She has worked in information security, application development, financial systems operations, network administration, IT audit, records management, business contingency planning and college-level instruction. She can be reached at [email protected].
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.