A study released in October by MeriTalk shows that U.S. federal agency cybersecurity professionals have become so focused on data security they fail to consider how the security measures will affect users. As a result, nearly a third (31%) of agency users said they use workarounds regularly to circumvent security measures they say are time consuming and hinder productivity. That explains why about half (49%) of federal security breaches are blamed on user noncompliance.
The survey found that very few federal cybersecurity professionals feel prepared for cyber threats. Nearly three-quarters (74%) said they are not prepared for an international cyber attack or to support secure access for mobile devices. Almost as many (70%) said they are not prepared for a denial-of-service attack or to secure cloud computing environments.
The activities that cybersecurity professionals said are the most likely to cause a security breach are the same activities in which end users encounter the most frustrating security measures: Internet surfing, downloading files, accessing networks, and transferring files. E-mail, external websites, and Internet access via agency work stations are not only the most challenging end-user applications to secure, they are also the tools that more than 80% of end users rely on daily.
Dealing with security measures has reportedly become so burdensome that 20% of end users said they can recall an instance where they were unable to complete a work assignment on time because of a security measure. End users’ responses to this study should make it clear to data security professionals that end user experience needs to be given higher priority.
“Without question, federal cyber security pros have a tough job, but they must start working with end users as partners instead of adversaries. It is a team game, and better support for users will deliver better results for security,” concluded Tom Ruff, vice president public sector for Akamai, which underwrote the study, “Cyber Security Experience: Cyber Security Pros from Mars; Users from Mercury.”
Records and information management (RIM) professionals who understand information protection protocols and users’ experiences with them can play an integral role in resolving the non-compliance issue. But, it will require the RIM professional also to have a collaborative relationship with IT.
The ARMA International guideline Records and Information Management for Information Technology Professionals describes many areas in which RIM and IT must work together. Both groups should be aware of the following requirements with regard to the access, control, and preservation of records and records systems.
The following access criteria are essential:
- Policies stipulating who has access to records
- Policies on restricted records
- Assurance that access and retrieval are timely
- Assurance that records are retrievable by authorized users only
- Relevant metadata applicable to the record that is captured and maintained for the lifecycle of the record or until otherwise designated
- Recognition of privacy issues, specifically:
– Ensuring that privacy and personal information are protected
– Preventing unauthorized access to records
– Ensuring rights to information as well as protecting confidential information
– Ensuring that records of long-term value remain accessible
The following controls are needed on systems that handle records:
- Measures to monitor who has access to records
- Safeguards to protect records from unauthorized access to ensure that the integrity of the record is maintained at all times
- Audit trail of all records systems to capture all activity to ensure the records are not compromised
- Demonstration that migration, systems malfunctions, upgrades, and regular maintenance of records systems will not impinge upon the integrity of the record
- Methodologies to protect the confidentiality, privacy, and security of records from unauthorized access, tampering, or disposal
- Validation/verification techniques that ensure system and functional compliance requirements are met
The following records protection and preservation requirements must be met:
- Ability of the records system (and removable media used to store records) to preserve records and their associated metadata and make them accessible for the duration of each record’s retention period
- Ability of the records system (and removable media used to store records) to preserve those records and metadata selected for long-term or archival storage, and ensure those records and metadata remain accessible in the future
Those who want to learn more about developing collaborative relationships between RIM and IT may purchase this guideline in the ARMA International online bookstore.