Homework: Spring 2019, Class 2 (2/26)

What is your organization’s Governance Policy on Encrypted & Password Protected Records?

1 Like

This is just an abridged version of a governance policy for Encrypted and password-protected records/ restricted files:

Encrypted and password-protected records shall be subject to a level of encryption that provides reasonable assurance against unauthorized access while the data is at rest. Such records shall be marked “Restricted information: Do not disseminate”
Physical facilities, asset and/or recording media shall be marked as containing restricted information accessible to authorized personnel only. Access to restricted records should be, where necessary, consistent with authorized job functions.
Where authorized business functions or legal requirements necessitate the sharing of Restricted data with parties other than D+H personnel, such sharing shall be subject to assessment of possible risks to data security, integrity and privacy.
When encrypted and password-protected records are no longer required to be retained, these shall be subject to secure data wiping, physical destruction or other process that provides reasonable assurance against the data being recovered or reconstructed.

I have asked my organization’s IT department to set up a switch to manage confidential electronic records.

This improvement permits to flag document as confidential, and as a way to ensure that this critical type of records can be securely transferred to Records Management, stored and only be retrieved by authorized staff.

Every document record uploaded into our records management database has a check field: Confidential: Flag document as Confidential. Once this field is checked, staff searching for specific keywords will also get in their result confidential flagged records.

The document record displays the description field but not the link to the actual document. The description field also includes a note: Please see Records or Legal.

I wanted to make sure that all our vital documents are captured in the same database and access for future use. Staff will be able to find what we have as an organization, but in this case, they must request clearance. These flags can be removed. I believe that not everything needs to be kept forever restricted.

I hope this helps others.

Very good information to have as it relates to governance policy documents. The move to go digital can result in lags because records that need to be digitized are considered too sensitive and are not converted but kept in the non-ditgital state

We have a File and Media Encryption Standard for media encryption, including hard disks and portable media, across all ministries to ensure that an acceptable level of encryption controls are implemented as required by the Business Unit and the Security Management Directives. The User Password Standard defines the password format, length, and duration requirements. The standard describes the password requirements for the following three account groups (standard users, administrative accounts and special accounts). The Information Security Classification Standard must me applied to all data and information (Public, Protected A, Protected B, and Protected C).

We unfortunately do not have a governance policy, but we do have other types of policies where passwords are required (standard users, administrative accounts and special accounts) or only certain job positions can acquire the information. I do hope in the future this changes but I can only do so much when I don’t have total control or 100% support. This area is a very sticky area for records for our organization. I do understand what it should be however password protected files and programs with permissions are all we have in place. It’s quite discouraging at times. Even when there are passwords in place, its not always the best or ideal situation. What if someone is away/out of office and you need to get information. It should at least be by department or more then 1 person, perhaps have a back up. I could keep going on and on about it but quite frankly I feel our records department needs a lot of help. They are organized and filed properly and only few people have access to them how ever there are files that even the records manager(myself) don’t even have access too which sometimes makes the job difficult when I cannot determine some things not having everything or access too. Unfortunately some people just do their own thing and keep others out of the loop and don’t consider due processes. Its very frustrating.

This is the situation I deal with, I have tried to answer your question, however I don’t feel I am able to answer it properly and in full due to lack of policy, they do follow some of the protocol around a policy but no set/written policy exist.

Our InfoSec policies and IT supporting technologies have ramped-up over the last few years. We have four security ratings and the two highest require encryption in transit/rest. Rest means it cannot be stored on your hard drive device but in an authorized app. The highest level cannot be passed in apps like Skype or email unless the recipient is a TLS partner. The grace period of marking documents is soon over and we will be forced to select a security level in order to save a doc or send an email.

My organization does not have such a policy in place (we need to catch up!), but there is other policy procedures where passwords are used or only certain departments can access only their information (certain nursing staff or IT). Our department isn’t funded very well and I feel we are considered at times either as a barely functioning but yet non-essential part of the organization or our office is just a place to send boxes of ‘stuff’. Our records program was created by a former IT employee who didn’t ‘completely’ finish it and there are problems within the system that makes records disappear from the program but hide in the server. Not a good thing when you need to pull documents for legal or medical requests! I’ve been making efforts to further educate myself and my department as to show the need for a secure but still obtainable records base within our organization. And that it can be done!!

Our organizations policy on emailing records is to use our network secured folders with password and permission standards for protection and a password to be sent separately. Files used in these secure folders are copied files and given purge dates from 24 hours or more depending on the subject material contained or how the end user will use or need the information. We use other types of governmental electronic transmission systems between agencies. Additionally we have network controls and flags that allow information shared based on job function categories.

We do not have a policy at the moment but we do use passwords to access our computers and applications.

Our organization have Governance Policy. All our devices encrypted by password-protected all records

This is an excerpt from our Document & Retention Policy posted on our intranet which anyone in our firm can access at anytime.

Electronic records should be stored in the appropriate workspace in our secure
Document Management System (DMS) or, if necessary, in an electronic
discovery database maintained by our Litigation Support Department, or, as
appropriate, in other Firm-approved systems (e.g. financial system).

  1. Electronic records should not be maintained on individual desktop or
    laptop computers hard drives or removable storage media, except
    where necessary to fulfill the purposes of our engagement and where
    such device is encrypted. (With regard to removable storage media,
    see the Firm’s Removable Media Policy.)
  2. Electronic records should never be stored on a cloud-based service,
    except as approved in advance by the Firm and as consistent with our
    Cloud Usage Policy.
    iii. Physical records should be managed by appropriate support personnel in the
    Records Management System (RMS) (or a successor to that system adopted
    by the Firm), the Firm’s database for managing physical records.
    c. Storage:
    i. Electronic records not in active use and maintenance should be stored in the
    Firm’s secure DMS or, if necessary, in an electronic discovery database
    maintained by our Litigation Support Department, or, as appropriate, in other
    Firm-approved systems (e.g. financial system).
    ii. Physical records must always be stored in a fashion that ensures
    confidentiality and is consistent with the Firm’s Information Security Policy and
    applicable statutory, regulatory, ethical, or client requirements.
    iii. Use of any third-party vendor for off-site storage must be coordinated with the
    Firm’s Director of Risk Management and the Firm’s Records Manager, who
    will ensure that the vendor has sufficient safeguards and has provided
    appropriate contractual commitments concerning confidentiality.

Law firms documents have never been known for their brevity :grin:

1 Like

My organization does not have such a policy. I am not aware that we password protect documents. Instead, access is restricted at the folder level on our shared drive. If you don’t have access, you most likely won’t even see the folder. If we did establish such a policy, could it be part of a broader Records Management Policy?

My organization does not have a policy regarding encrypted and password protected records. I have tried to make a document password protected and was told that this was not a good idea in case for some reason someone needed access or something happened to me.

Homework for Class # 2

For my company we don’t have a government policy per se however we have secured network folders where electronic files access is limited to employees job function and department. In addition permission to access confidential files must be requested through an approved form and a custody form is filled out for physical files that is requested by another department or person.

In the company I work, encrypted and password-protected records are well managed by the Governance team. This Policy is highly applied to confidential business information; even though they are encrypted, and password protected, permission to this type of documents is very restricted only to high level and those persons that have the authority to deal with the information. These secured files are automatically audited by the system every time they are opened.

We do have an information management policy, with a paragraph dedicated to Information Security and Privacy

excerpts from our policy:

The xxx maintains and regularly updates an information classification scheme used to classify all its information. xxx’s information is classified in three levels: Confidential, Internal and Public. Information with the classification Internal and Public may be subject to routine disclosure at the department level, or if required, accessed under a Freedom of Information Request (Also see Information Management - Information Classification).

" information must be protected by applying security measures commensurate with the information classification:

7.3.1 The confidentiality, integrity and availability of information must be preserved when stored, processed or transmitted by a third party cloud computing provider.

" will follow the City of … position on Data Sovereignty for Cloud Services"

Electronic records, including electronic images of records originally in another format, to be trustworthy as official records and to be admissible as evidence in legal proceedings, will be captured, protected, managed and disposed of in the approved electronic documents and records management system or other approved repositories. Electronic Information must not be maintained in email folders, shared folders, personal drives or external storage media as these lacks the necessary functionality to manage the information with a lifecycle approach (also see 5.2 above).

Access to repositories are based on the roles and responsibilities and managed through AD groups.
All our record series are flagged as required: PIB (Yes/no), Security Level (Confidential, Internal, Public) , Vital (yes /No).

All data, except for what is approved for public release must be encrypted using a FIPS compliant/approved encryption tool.

We do not have a governance policy for encrypted and password protected records.