Monday, May 18, 2015

Records security and information privacy

Content security
  • Provision for the protection against intentional destruction, disclosure, modification, or breach of confidentiality of information
  • Based on principal people have right to decide what personal information they wish to divulge, to whom and for what purpose. People have right to expect the information will be kept private and used only for purposes for which it was obtained.
  • Growing proliferation of electronic databases containing personal information
    • Government: health, income tax, census, military, etc.
    • Private sector: credit cards, affinity cards, etc.
  • Information highway: integrated computer, communication, and cable/satellite TV networks
  • Need to balance need for access with protection from unauthorized users
Canadian privacy legislation
Access to information act
  • Access to Information and Privacy Homepage
    https://www.tbs-sct.gc.ca/atip-aiprp/index-eng.asp
  • In order to help requestors find government records and determine where to send their requests, the Access to Information Act and the Privacy Act require each government institution subject to the two Acts to describe the nature of their records in Infosource http://infosource.gc.ca
PIPEDA
  • Personal Information Protection and Electronic Documents Act
  • All Canadian Provinces were to pass like legislation by January 1, 2004 or fall under the Federal Legislation
  • Electronic and paper documents are equivalent
Manitoba Privacy Legislation
Voluntary Organizational Protection
  • Voluntary programs by businesses are emerging in the private sector
    • Altruistic motives
    • Voluntary compliance to head off legislated compliance
    • Self protection from law suits for the breach of confidentiality and invasion of privacy
  • Voluntary Privacy Codes http://web.archive.org/web/20100211204326/http://www.ic.gc.ca/eic/site/oca-bc.nsf/eng/ca01361.html
  • The following Associations are examples of Canadian organizations which have developed important voluntary codes dealing with privacy:
    • Canadian Association of Internet Providers
    • Canadian Bankers Association
    • Canadian Marketing Association
    • Canadian Medical Association
    • Insurance Bureau of Canada
Security management
  • Establish objectives
  • Define responsibilities
  • Assess risk
  • Establish into security policies and procedures
  • Audit, monitor, and evaluate security management
Area and facility access
  • Security measures vary from organization to organization
  • System of controlled access must be established to maintain safeguards against unauthorized invasion of equipment and records
  • Primary criterion for entrance: admit only those whose work requires access
Types of access controls
  • Keys
    • Easily duplicated and lost
    • Anyone can use
    • Lock itself vulnerable
  • Electric, electronic, or mechanical entry (keypad systems)
    • People forget the code or record it where others may find it and use it
    • Combination can be shared easily
    • Vulnerable to electronic lock picking
  • Plastic cards with coded strips
    • Card can be lost (should carry no ID which allows finder to know what it unlocks)
    • More difficult to duplicate
  • Biometric and physical attributes
    • Match individual characteristics electronically
    • Biometric devices: fingerprints, voice, chromosomes in strand of hair, retinal eye patterns
  • Combination systems
Audit trails
  • Ability to record an audit trail of all access attempts can be built into many of the area and facility access systems
  • Printouts showing who has had access, date and time of entry, unauthorized entry attempts, etc.
    • Useful in monitoring access system
Equipment access
  • Procedures for controlling theft and unauthorized access must be provided
    • Keep current inventory including date of purchase, serial no., cost
    • Tag with ID no. both inside and out
    • If employees can borrow have sign out system with due dates for return
    • Supervise and monitor equipment use during breaks, lunch, after hours
    • Train building security guard to check for computer equipment, etc.
  • Need to balance security with employee privacy rights
Security devices
  • Cables
  • Locking cabinets
  • Computer alarms
  • Anchoring pads
Paper document access
  • Desirable to have central source with one person responsible for compliance with company guidelines
  • Guidelines to be written, disseminated and enforced
Typical procedures
  • Review of personal record
    • 2 pieces of ID, completion of authorization form
  • Copy of personal record
    • 2 pieces of ID, completion of authorization form, plus signature for receipt of copy
  • Company employee
    • Signature on receipt for copy, or signature on a log identifying record logged out
  • Request by mail
    • Verify legitimacy; obtain written permission for release when necessary
  • Highly confidential records
    • Check requestor’s name against “authorized to see” list
  • All other requests
    • Records manager or designee must grant authorization on case-by-case basis
    • Signature on log or request form
Electronic files access
  • The bigger you get and the more private information that you maintain online, the more of a target you become to hackers. Hackers may be after your private information, but they may also be after the notoriety that comes with cracking your site.
  • Security breaches can be caused by problems with the technological systems that you use, but they can also be caused by negligent staff
Security measures
  • Firewalls
    • hardware and/or software that controls information entering your computer system or network
  • Intrusion detection software
    • detects unauthorized intrusions into your computer systems
  • Encryption
    • a security method that transforms information into random streams of bits to create a secret code. There is software-based encryption such as Public Key Infrastructure (PKI) and Secure Sockets Layer (SSL). Hardware-based encryption, such as smart cards, is another type of encryption.
  • PKI
    • the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet.
  • SSL
    • a program layer created by Netscape for managing the security of message transmissions in a network
  • Smart card
    • a plastic card resembling a credit card that contains a computer chip, which enables the holder to perform various operations, including limiting access to individual computers to legitimate users
Nonremovable media security
  • To prevent access to data stored on hard disks must control access to equipment
    • Assigned numeric code for each person, a password or combination of the two
Removable media security
  • Key and lock for disks
  • Deny access to employees who resign, then immediately change access codes
  • Encrypt (scramble) sensitive and confidential files
  • Mutilate or erase disks before disposal
  • Turn off modems when not in use
  • Turn off computers when not in use so unauthorized users cannot access files
Virus protection
  • Use and update antivirus software
  • For further information on computer security see: 

Monday, May 11, 2015

Records classification

Class Definition Example Recommended Protection
Class 1 - Vitals Records essential to the continued life
of the business. These records are
irreplaceable because they give
evidence of legal status, ownership,
and financial status.  Vital records are
generally housed in active records storage.
Accounts receivable
Inventory
Contracts
Creative materials
Research records
Fire resistant vaults
Dispersal
Fire resistant safes/cabinets
Class 2 -Important Records necessary to the continued life
of the business.  While these records can
be replaced or reproduced, this can be
done only at considerable time and money.
Important records can be housed in either
active or inactive storage.
Accounts payable
Directives
Payroll records
Safes
Vaults
Class 3 - Useful Records useful to the uninterrupted
operation of the business. These records
are replaceable although their loss could cause temporary inconvenience.
Bank statements
Correspondence
File cabinets
Class 4 - Nonessential Records having no present value and
should be destroyed.
Requests answered
Advertisements
Announcements
Use, then destroy

Source: Gordon P. McKinnon, editor. Fire Protection Handbook, 15th ed. (Boston : National Fire Protection Association, 1981).

Monday, May 4, 2015

Recovery priority by types of records media

Recovery Priority by Type of Records Media from http://www.arma-gla.org/presentation/2001-02/armafeb20workshop2.pdf
Salvage techniques
Media
Recovery priority
Initial action
Initial purpose
Follow-up action
Follow-up purpose
Comments
Magnetic media Magnetic tapes
Disc packs Floppy diskettes and disks Flexible disks Audio and video tape cassettes CD-ROM Computer Output Laser Disk&
Immediately Contact vendor To obtain professional advice May include freeze or vacuum drying, special cleaning techniques professional assistance in retrieving data To remove all moisture and other contaminants from the media, to access data in case of damaged media Such advice should
be sought well
in advance of a
disaster.
Contingency plans
for data and word processing groups
may be advisable. Heat and water damage to media may result in subsequent
damage to hardware or irretrievability of data. Proper backup and
salvage
procedures are essential. It is worth noting that such records are among the easiest to duplicate and share off-site.
Photographic materials Colour film and photographs Immediately Once wet, keep wet To avoid further damage and image toss Colour dyes are inherently
unstable and should be handled immediately to prevent loss of colour and other damage
Within 48 hours Obtain professional advice and/or assistance with cleaning, drying and restoring Freeze if professional help must be delayed longer than 48 hours To stabilize color dyes
Silver or emulsion films and photographs Immediately within 48 hours Immerse totally in water. Formaldehyde to a 1% solution, may be added to cool, clean water. One tablespoon of salt may be added to hard water. To avoid further damage. To avoid softening or filling of gelatin or emulsion layer. If materials are allowed to dry out, they tend to stick to adjacent surfaces, with image loss and other damage. Seek professional advice and help with cleaning and drying. Freeze only if necessary. To restore films to original state. Freezing may lead to image damage, but less damage is likely to be caused by freezing than by delayed treatment.
Diazo or vesicular (duplicate) films Last If time and staff are available, rinse off and lay out to dry, otherwise, leave until last. To prevent water sooting and curting of films and fiche. Wash with liquid detergent and rinse and lay out on absorbent paper to dry. To remove water spots and other contaminants and to restore film. Diazo and vesicular films are nearly impervious to water damage and should clean-up easily. Diazo films sometimes fade with age. Fading or other damage discovered after the disaster can be related to poor quality control rather than to the disaster.
Paper Bond, rag, duplicating other Within 48 hours (depending on temperature and humidity levels at disaster site and on extent of damage). In fires, paper is least vulnerable media. Air dry in well ventilated area: if volume of wet records is large, consider freeze or vacuum drying. To prevent further deterioration of paper materials and eruption of mold and fungus. May include freeze or vacuum drying. If mold erupts, treat with fungicides. May place paper towels or newspaper print between wet pages. To remove moisture from materials and to reduce humidity levels in damaged materials: to eradicate mold. In high humidity levels, deterioration of wet paper records can begin within 2-3 hours.
Coated or clay paper Immediately Freeze To hold damaged materials until freeze or vacuum drying can be arranged. Freeze or vacuum drying. To remove all moisture from paper, without damaged or removing coated surface. Freeze or vacuum drying is the only successful recovery technique for this medium.