The Records Management and Cybersecurity Correlation

eKRAAL Innovation Hub
writers@eKRAAL
Aug 20, 2021

What do cybersecurity and records management have in common, you ask? This article seeks to show how these two business functions coexist in pursuit of a common objective: achieving the CIA triad.

Introduction

Harmonizing business management processes with information technology processes continues to be a hurdle that most organizations cannot get over. A “them versus us” state of affairs between the two teams makes business a tad harder to conduct.

ISO 15489-1:2016, Clause 3.15, defines records management as a “field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.”

From this definition, it is clear that records management is here to help in the realization of the CIA triad in cybersecurity.

[Image: Records Archive]

Triad Harmony

The question then arises of how the two fields can come together to strengthen the business. Considering the CIA triad, i.e. Confidentiality, Integrity, and Availability, records management becomes the bridge to this realization.

1. Confidentiality

ISO 15489 clause 8.4: Access and permissions rules. Rights and permissions may change over time, as the legal/regulatory environment, business activities, and societal expectations change. Therefore, access and permissions rules should be monitored and updated routinely, and restrictions should be reduced or removed where appropriate.

To protect information of any nature, access must be restricted, or the principle of least privilege adopted. Most organizations focus on protecting this information from prying eyes and forget about its disposal. To reduce the risk of unauthorized access to sensitive information, appraisal and disposition must be done alongside access control. Luckily, records managers are experts at this process, which goes to show that confidentiality is a records management function.

2. Integrity

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire lifecycle, from creation to destruction. Records managers are familiar with this because it validates the reliability of information used in decision making or even in legal matters.

ISO 15489 clause 5.2.2.3: Integrity. A record that has integrity is one that is complete and unaltered. A record should be protected against unauthorized alteration. Policies and procedures for managing records should specify what additions or annotations may be made to a record after it is created, under what circumstances such additions or annotations may be authorized, and who is authorized to make them. Any authorized annotation, addition, or deletion to a record should be explicitly indicated and traceable.

With regard to cybersecurity, records managers need logs to be able to confirm the integrity of records. During most cyber-attacks, hackers are seen tampering with system logs in an attempt to hide their traces on the systems. Proper management of these logs will therefore help security teams catch the threat actor and ensure an almost safe, thriving work environment.
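One way to make a record's audit trail tamper-evident, so that altered, removed or truncated log entries are detectable, is a hash chain. This is an added example, not part of the original article; the field names, actors and record IDs are constructed for illustration, and the head hash is assumed to be stored somewhere the log's own system cannot rewrite.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same value.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_entry(log, actor, action, record_id, note=""):
    """Append an audit entry that commits to every entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    event = {"seq": len(log), "actor": actor, "action": action,
             "record_id": record_id, "note": note}
    log.append({"event": event, "prev": prev_hash,
                "hash": _digest(prev_hash, event)})
    return log[-1]["hash"]


def verify_chain(log, trusted_head=None):
    """Return (ok, index_of_first_bad_entry_or_None)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if (entry["prev"] != prev_hash or entry["event"]["seq"] != i
                or entry["hash"] != _digest(prev_hash, entry["event"])):
            return False, i
        prev_hash = entry["hash"]
    # A head hash kept off-system catches truncation and full rewrites.
    if trusted_head is not None and prev_hash != trusted_head:
        return False, len(log)
    return True, None


def build_sample_log():
    # Constructed sample events, not taken from any real system.
    log = []
    append_entry(log, "clerk01", "create", "REC-001")
    append_entry(log, "manager02", "annotate", "REC-001", "approved correction")
    head = append_entry(log, "svc-backup", "read", "REC-001")
    return log, head
```

Without the separately stored head hash, anyone who can rewrite the whole log can also recompute the chain, so the head should be exported on a schedule to a system under different administrative control.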

3. Availability

Part of a record’s lifecycle is ‘use’. To use a record, you must have access to it. Record managers, therefore, are tasked with the responsibility to make sure information assets are available to the people that need them. This can be compromised by poor management of user privileges and even a lack of records compliance across the organization.

If personnel of all levels are able to access information regardless of its classification, what would stop them from modifying these records to suit their own needs?

Records managers can therefore help security teams control access while ensuring availability. It would also be easier for them to distinguish intentional record deletions (after appraisal) from ad hoc ones, which may go unnoticed, especially in the event of an impromptu auditing exercise.
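The check described above, telling appraised disposals apart from ad hoc deletions, can be run by reconciling deletion events in an audit log against the disposition register. This is an added example, not part of the original article; the log format, user names, record IDs and register contents are all constructed assumptions.

```python
import csv
import io

# Constructed disposition register: record ID -> user authorized to dispose.
APPROVED = {"REC-1001": "records.mgr", "REC-1002": "records.mgr",
            "REC-1003": "records.mgr"}

# Constructed audit-log export: timestamp, user, action, record ID.
SAMPLE_LOG = """\
2021-08-02T09:14:00Z,records.mgr,DELETE,REC-1001
2021-08-02T09:20:11Z,jdoe,READ,REC-2040
2021-08-03T23:47:32Z,jdoe,DELETE,REC-2040
2021-08-04T10:02:05Z,asmith,DELETE,REC-1002
2021-08-05T08:30:00Z,asmith,PERM_CHANGE,REC-3007
"""


def classify_deletions(log_text, approved):
    """Split DELETE events into scheduled disposals and findings to review.

    Also returns approved dispositions that have not been carried out yet.
    """
    scheduled, findings, deleted = [], [], set()
    for ts, user, action, record_id in csv.reader(io.StringIO(log_text)):
        if action != "DELETE":
            continue
        deleted.add(record_id)
        if record_id not in approved:
            # No appraisal on file: an ad hoc deletion.
            findings.append((ts, user, record_id, "no approved disposition"))
        elif approved[record_id] != user:
            # Appraised, but removed by someone other than the named disposer.
            findings.append((ts, user, record_id, "deleted by unauthorized user"))
        else:
            scheduled.append((ts, user, record_id))
    pending = sorted(set(approved) - deleted)
    return scheduled, findings, pending
```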

Conclusion

Record management teams, therefore, need to team up with security teams to achieve the CIA triad by understanding and cataloging high-risk information in their work environment.

Identification of sensitive data and where it resides needs to be a proactive exercise which is better done by records teams. Record managers also need to be made aware of when sensitive records are due for disposition so that this can be done properly. This would help mitigate the risks of confidentiality breaches.

To mitigate integrity risks, data needs to be in the hands of records managers to use for evidential purposes, especially if the systems in place have poor auditing features. Availability risks can be managed by records teams knowing when sensitive records are modified or their permissions changed, so that unauthorized loss does not occur.

This article is written by Rachael Gachigua, a Cybersecurity Researcher and the NCSTP Cohort 2 graduate aligned with Threat Hunting and Cybersecurity Incidence Response at eKRAAL Innovation Hub.

Her area of specialization is Records Management which she seeks to harmonize with Cybersecurity and Information Technology.
