Striking the right balance between security and accessibility
- By Tyler Morris
All too often, records and information managers find themselves compromising security for the sake of accessibility. Balancing effective security while maintaining ease of access is especially a concern for “high value assets,” federal information that would result in significant damage if mishandled or compromised. The very nature of HVAs makes them a high-priority target for criminals and foreign adversaries who are seeking to profit from them or cause damage. And while security investments can provide a significant protection against these threats, they cannot address every underlying problem that is driving information risk. To help safeguard HVAs, the Office of Management and Budget in December 2016 directed agencies to identify and submit a list of their HVAs to the Department of Homeland Security.
Among the most common risks to agency HVAs is inadequate governance and risk management (one of six risk areas identified by DHS in its HVA control overlay presentation). Many agencies tend to slide into asset-by-asset approaches, rather than embracing an enterprisewide strategy. Without a holistic view, it quickly becomes impossible to keep track of agency-owned information assets. And without knowing what type of information is owned and where it is stored, agencies compound their risk of data breach, insider threat, mislabeling, loss of vital assets and simple loss to obscurity.
This is a challenge for all information, not just HVAs. So how can agencies protect their information without sacrificing the need to keep it readily visible and available? They must establish a formal records and information management program that features the proper storage of HVAs. This program should include the following:
Establishing an information management framework. The first and most important step is to establish a formalized information framework that addresses risk management, retention, compliance and disposition. This framework will allow agencies to introduce added control over their information, from the moment of creation to the end of the asset’s lifecycle.
In standing up this framework, agencies must first identify their complete information inventory -- including HVAs -- and develop information maps, which are databases that capture an inventory of systems, applications and repositories, where they are and who is responsible for managing them. With this tool, agencies can keep tabs on their information, systems and records, identify sensitive information, monitor the use of assets, gain analytical insight and update information stores.
Enabling continuous monitoring. From here, agencies will be ready to tackle another risk area: continuous monitoring. After identifying information and assets, agencies should also be ready to identify the requirements and rules that govern that information. Emerging technologies like automation can help agencies achieve higher levels of asset visibility while keeping both their information stores and compliance requirements continuously updated. These tools not only improve agency security but also facilitate the necessary continuous monitoring reporting around asset management, in addition to data authorization metrics like security plans and assessments.
Enforcing access controls. Finally, after agencies have deployed capabilities for governing and monitoring their information and HVAs, they must establish identity and access management practices that enforce physical access authorization along with physical security for facilities housing HVA components and systems. Secure, offsite storage options can be a creative and cost-saving solution for federal information. Suitable facilities will meet or exceed the high standards for physical security required by the Federal Information Security Management Act and may feature security controls like access controlled security cages and other internal measures; controlled parking, loading dock access and external safeguards; as well as fire, water, temperature and other environmental protections. These offsite facilities help limit risks associated with lost, damaged or stolen records, while enhancing records retention practices and making information readily accessible for federal employees.
Implementing full information lifecycle strategies. Even after implementing robust security controls, agencies’ work is not done. The last step for properly securing HVAs is a continual one, and that is ensuring that the enterprise strategy applies to both current and future information. This means establishing capabilities for inbound and outbound paper and tape record storage and retrieval services; long-term archiving and preservation; pick-up of newly created records; digitization of records; and disposition services including accession and archival destruction. Agencies are not completely on their own for this step, though. Industry partners can help agencies with National Archives and Records Administration-compliant storage and records management capabilities that are substantially more cost-effective than many of the legacy solutions. This partnership can help agencies surpass governmentwide goals to streamline operations, modernize government-owned records and information and significantly cut costs.
A comprehensive information management program will help agencies more effectively secure their information and HVAs, while still maximizing the availability of important agency data. As agencies continue to collect more and more information, the risk of improper management will only continue to increase. Every agency needs to adopt an enterprise approach for governing its information and phase out ad-hoc protocols. By continuously and automatically updating their information stores in the context of a larger information framework, agencies -- working with industry partners to properly store and manage that information -- can address risk to standard information and their most critical HVAs.