3: Protection
Construct the recordkeeping program to ensure a reasonable level of protection to records and information that are private,
confidential, privileged, secret, or essential to business continuity.
Other Information:
Information generated by an organization in the course of business requires various degrees of protection. Such protection is mandated by laws, regulations, or corporate governance, and it is necessary to ensure that information critical to an organization’s continued operation during or after a crisis is available. A recordkeeping program must ensure that appropriate protection controls are applied to information from the moment it is created to the moment it undergoes final disposition. Therefore, every system that generates, stores, and uses information should be examined with the protection principle in mind, to ensure that appropriate controls are applied to such systems.

Information protection takes multiple forms. First, each system utilized must have an appropriate security structure so that only personnel with the appropriate level of security or clearance can gain access to the information. This includes electronic systems as well as physical systems, using such measures as key card access restrictions and locked cabinets. This also requires that as personnel change jobs, their access controls are changed appropriately and immediately.

Second, this requires protecting information from “leaking” outside the organization. Again, this may take various forms – from preventing the physical files from leaving the premises by various mechanical and electronic means to ensuring that electronic information cannot be e-mailed, downloaded, or otherwise proliferated by people with legitimate access to the system. Sometimes, this information should not even be sent by e-mail – even among parties who have access to it – because such an exchange can jeopardize its security. An organization must also safeguard its sensitive records from becoming available on social networking sites and chat rooms by employees who may either inadvertently or maliciously post it there. It is prudent to have such safeguards clearly defined in organizational policy and, if necessary, to monitor sites for any postings that may violate this rule.

Where appropriate, controls and procedures for declassification of confidential and privileged information should be clearly defined and understood. There may be instances, however, when it is necessary to allow security clearance exceptions. For example, outside counsel engaged to assist with a litigation action may need to access records that they otherwise would not be cleared to access.

Security and confidentiality must be integral parts of the final disposition processing of the information. Whether the final disposition is an accession to an archive, transfer to another organization, preservation for permanent storage, or destruction, the procedures must consider the principle of protection in defining the process. For example, confidential employee paper files should be handled for disposition only by employees with appropriate clearance and must be shredded or otherwise destroyed in an unrecoverable manner. Classified government records must retain their classification for the appropriate number of years even if they are transferred to an archive.

Finally, an organization’s audit program must have a clear process to ascertain whether sensitive information is being handled in accordance with the policies outlined under the principle of protection.
Objective(s):