Archived Newsletters: June 2007
It’s June, and the New York State Archives is bustling with activity.
Records Center News
When we found out that there was a problem with the asbestos at the Records Center, health and safety were the primary concerns of the State Archives, State Education Department and Office of General Services. This ensured that thorough asbestos testing and abatement project planning were done and that the abatement contractor's work was carefully monitored. Linked below is a letter confirming the safety of the records, from Phil Salamacha of Warren and Panzer Engineers, who was on-site throughout the project. Please contact Records Center manager John Welter (518-457-4801, email@example.com) if you have any questions. http://www.archives.nysed.gov/a/nysaservices/documents/ns_mgr_src_asbestos.pdf
Email Policy Development
The meeting date is set for June 29th, and we’re anticipating some lively discussion. Individuals who have agreed to participate in the focus session will receive formal invitations and registration information in the mail. If you have questions about the upcoming focus session, please contact Ann Marie Przybyla at firstname.lastname@example.org or 518-474-5834 for more information.
One thing that seems to be on everyone’s mind at the moment is e-discovery, and how records management feeds into it. Both the New York State Cyber Security and GTC Best of New York conferences prominently featured panels devoted to the subject. Throughout the presentations, the importance of good records management practices to support and facilitate e-discovery was emphasized. The cyber security presentation debunked some popular myths: that setting email mailbox volume limits is an adequate means of managing e-mail records (it’s not), and that the automated deletion of data is adequate to clear records from a system (also not true: links to the data are erased, but the data is still on the storage media until it’s overwritten). The Best of New York presentation focused on the importance of scheduling e-mail records to establish their retention periods.
Upcoming Training Opportunities
Free records management workshops presented by the New York State Archives.
Preservation of Electronic Records (last chance to register!)
Wednesday, June 20, 2007
This month’s security tips from CSISC deal with the unintended disclosure of information. “Unintended” disclosure is the malicious or accidental disclosure of confidential or sensitive information. Often this entails exposure to individuals outside your organization, but it can also mean exposure to unauthorized individuals inside your organization. The kinds of information at risk can be confidential data such as financial accounts, credit cards, Social Security numbers, personal medical information, or other personally identifiable information defined by law or by your organization’s data classification policy.
Unintended information disclosures occur through a variety of means. Electronically, they can result from lost backup tapes, lost thumb drives, lost laptops, exposure via website attacks, email exchanges, or from other electronic communications or data storage exposure. Disclosure can also occur from non-electronic means - discovering paper files in trash bins, overhearing phone conversations and shoulder surfing are all examples of this.
If you have an information disclosure incident, reporting the incident is the right thing to do. Not only are you helping to limit the damage the breach may create, you may be able to help stop it from happening again. Review your organization’s policies and response procedures for the most appropriate actions to take. If you are unsure what those policies and procedures are, or if they do not exist, report the incident to your supervisor. Document what you know – what happened, when it happened, where it happened – so your management and your incident response team have the most accurate information possible.
If you think your personal financial information has been compromised, contact the data holder to confirm the incident, and contact your financial institution or credit company to initiate protection mechanisms for your accounts. The Federal Trade Commission also has excellent guides to both preventing and responding to identity theft.
You can help prevent unintended information disclosure by:
- Know what kind of data you are handling or the data your system is storing and processing, whether electronically or on paper.
- Classify your organization’s data and protect it according to its value and risk.
- Follow your organization’s security policies and procedures. These will help you protect against both malicious and accidental information disclosure.
- Follow the least-privilege and role-based rules for allowing access. Limit access to confidential information to only those people or roles that require access.
- Know your organization’s data retention policies – don’t store confidential information longer than necessary.
- Use privacy statements in electronic and paper documents.
- Don’t use confidential data for testing systems or applications.
- Store, transport, and destroy confidential data responsibly. Protect data with encryption and access controls when appropriate, and adequately erase or destroy electronic storage devices. Don’t take confidential information home or when traveling unless authorized. When disposing of confidential documents, use a shredder.
- Keep portable data storage devices like laptops, CDs, blackberries, flash drives, and backup tapes in secured locations – it only takes a few seconds to steal these valuable items.
- Remember that cyber security is everyone’s responsibility and that you can make a difference.
That’s it for this month! Remember that we want to hear from you. State Agency Services is here to help make your job easier by answering questions, doing site visits, and providing training.
Have a great June!