Principle of Protection

    An information governance program shall be constructed to ensure a reasonable level of protection to information that is personal or that otherwise requires protection.

    Information generated by an organization in the course of business requires various degrees of protection. Such protection is mandated by laws, regulations, or corporate governance, and it is necessary to ensure that information critical to an organization’s continued operation during or after a crisis is available. A recordkeeping program must ensure that appropriate protection controls are applied to information from the moment it is created to the moment it undergoes final disposition. Therefore, every system that generates, stores, and uses information should be examined with the protection principle in mind .to ensure that appropriate controls are applied to such systems.

    Information protection takes multiple forms. First, each system utilized must have an appropriate security structure so only personnel with the appropriate level of security or clearance can gain access to the information. This includes electronic systems as well as physical systems, using such measures as key card access restrictions and locked cabinets. This also requires that as personnel change jobs, their access controls are changed appropriately and immediately.

    Second, this requires protecting information from “leaking” outside the organization. Again, this may take various forms – from preventing the physical files from leaving the premises by various mechanical and electronic means to ensuring that electronic information cannot be e-mailed, downloaded, or otherwise proliferated by people with legitimate access to the system. Sometimes, this information should not even be sent by e-mail – even among parties who have access to it – because such an exchange can jeopardize its security. An organization must also safeguard its sensitive records from becoming available on social networking sites and chat rooms by employees who may either inadvertently or maliciously post it there. It is prudent to have such safeguards clearly defined in organizational policy and, if necessary, to monitor sites for any postings that may violate this rule.

    Where appropriate, controls and procedures for declassification of confidential and privileged information should be clearly defined and understood. There may be instances, however, when it may be necessary to allow security clearance exceptions. For example, outside counsel engaged to assist with a litigation action may need to access records that they otherwise would not be cleared to access. 

    Security and confidentiality must be integral parts of the final disposition processing of the information. Whether the final disposition is an accession to an archive, transfer to another organization, or preservation for permanent storage or destruction, the procedures must consider the principle of protection in defining the process. For example, confidential employee paper files should be handled for disposition only by employees with appropriate clearance and must be shredded or otherwise destroyed in an unrecoverable manner. Classified government records must retain their classification for the appropriate number of years even if they are transferred to an archive.

    Finally, an organization’s audit program must have a clear process to ascertain whether sensitive information is being handled in accordance with the outlined policies in the principle of protection.



    © 2017, ARMA International