Information Security Management: Protecting

your Assets

By Emerson O. Bryan

We are in now officially in the Hurricane Season for this year, and while it is the norm for us here in the Caribbean to
focus on Business Continuity Planning, relative to hurricanes, and disaster preparedness to reduce exposure to
water damage, there is an even more urgent issue that we often don’t pay too much attention to. The other issue that
needs to be seriously considered by us as information management professionals is Information Security.

What is Information Security?

Definition

Systems and procedures designed to protect an organization’s information assets (throughout their
life cycle), from disclosure to any person or entity not authorized to have access to that information,
especially information which is considered sensitive, proprietary, confidential or classified, and
which protects the integrity of an organization’s information. (IRMT)

Information which may be needed to be kept secure may vary from organization to organization depending on the
operations/ type of business of the organization.

For example:

Type of Organization Type of information vulnerable

Hospital patient’s health records

Private‐Sector entity trade secrets, new product information, or innovative marketing strategies
Government with FOI legislation exempt classes of records.

1
Some other commonly targeted information may include: customer lists, financial data, patent or copyright
information, legal transactions, executive correspondence, personnel records, research and development data,
marketing plans, budget projections and so on.

Strategies for Protecting Corporate Information

In order to minimize the risks of information theft, loss or leak, the following should be included in any organization’s
information security management programme:-

1. Establish the basic objectives of the overall security programme of the organization;
2. Define the various responsibilities of each staff member, consultant and vendor representative;
3. Solicit the cooperation of your Legal Counsel, IT Manager, Finance Director and other key personnel for
their input into the programme;
4. Ensure that all corporate legal information and trade secrets are properly registered and copyrighted;
5. Assess the risks that loss or theft of various information may pose to the organization;
6. Establish information security policies and procedures (including all the penalties outlined if breached);
7. Establish procedures for continuous auditing, monitoring and evaluation of the system.

How does Records Management relate to this?

Some essential policy components specific to recordkeeping may be:-

• Ensuring proper Security Classification of all records according to the assessed risk(s) that they may pose if
exposed, NB. This can be done by using numerical coded taxonomy when coding files and correspondence,
which will aid both in the identification and the protection of sensitive information;
• Educate users on the methods that are to be used to secure sensitive records ensuring that these
procedures are clearly indicated (preferably in a RM Manual) and observed by all levels of staff;
• Establish after discussion with senior management, the procedures to be followed when responding to
requests for the releasing of company documents, information and records to persons external to the
organization;
• Get senior management to outline in a statement to new and existing employees that any record created by,

2
 and used by them during the discharge of their duties is the exclusive property of the organization;
• Practice redacting to ensure the continued security of documents when sharing information that is subjected
to FOI legislation;
• Don’t label records with stamps such as ‘CONFIDENTIAL’ or ‘SECRET’—these will instead draw curiosity,
use instead special color coded folders (e.g.; pink, blue or buff) and keep confidential records segregated in
a ‘secure area’ and in a locked filing equipment;
• Always ensure that the movement/ transportation of the records within the building (and if possible off-site
as well) is secure;
• Observe a ‘Clean Desk’ Policy, where at the close of business each day, all employees clear their desks
and lock away all files and correspondence.

Internal Document Control

Facsimiles

It is often the case that most facsimile machines are usually located (i.e.; for both dispatched and received faxes), in
a centralized or public area and therefore restricted documents conveyed by this method is susceptible to possible
interception or inadvertent or deliberate exposure. It is recommend that sensitive information not be transmitted via
fax; unless you know for-a-fact that the fax is being sent directly to the intended recipient or the machine is in a
secure area.

Personal Computers

Methods of securing documents:

• Users should treat phone numbers to dial-up their computers to the company servers or ISP as carefully as
their passwords;

• Users should never leave their computers unattended for any extended period whilst logged-on without
having either a password protected screen saver, or a secure monitor energy-saver;

• Terminal/ keyboard locks employing the use of passwords for computer access, (preferably along with a
challenge-response calculator);

• Automated audit trails to enable system security personnel to trace any additions/ deletions/ changes back
to the person who initiated them, and which also indicates where and when the changes occurred;

• Utilize removable hard/ optical disk drives or desktop docking ports for laptops, but when these are not in
use, stow them in a secure storage area and never leave them openly unattended;

3
 • Back-up disks and tapes must also be securely stored and regularly purged;

• Always within a highly classified security networked environment, establish ‘dummy terminals’ ‘i.e.; disk
less’ workstations for public use;

Reprographics

• Ideally, employees should make only the minimum number of copies that are actually needed;
• Ensure that ‘sensitive’ documents are not ‘accidentally’ left by the photocopier.

Internal Literature

Most company newsletters, memoranda other ‘in-house documents’ often contain information, while not sensitive, but
which was intended primarily for internal use. Therefore, care should be taken whenever decisions are being made
regarding content for these publications, and to whom it should be circulated to.

Disposal

Never throw records or documents into office waste bins without properly shredding them before. You must dispose
of them in a secure and approved manner, which may be: burning, shredding (preferably with a cross-shredder) or by
pulping.

Finally, when disposing of computer equipment, ensure that hard disk drives are reformatted or de-magnetized to
ensure that there is no information left in volatile memory, and most importantly, since we hardly use them
anymore…ensure and that no floppy disks are left in the drive(s)!

Emerson O. St. G. Bryan

4
 Mr. Bryan has been a Records and Information Management practitioner for over
twelve (12) years; currently he is the Information and Document Management
Specialist with the Caribbean Regional Negotiating Machinery (CRNM) in Barbados.
And has worked with several regional organizations including: the United Nations
Department of Economic and Social Affairs (UN-DESA), the Caribbean Centre for
Development Administration (CARICAD), and the Ministry of Foreign Affairs and
Foreign Trade of Jamaica.

He is also an Associate Consultant/ Trainer at Lorson Resources Limited, “the

Records and Information Company of the Caribbean”, which is based in Trinidad and
Tobago, see: www.lorsonresources.com/seminar1.asp

Emerson O. St. G. Bryan Contact: emerson.bryan@gmail.com