An Integrated Approach to Information Governance

By Sonya Sherman

This article aims to generate discussion about strategies to improve information security and information sharing. It considers mechanisms to support people handling sensitive information (recognising the human factor as a key vulnerability in security programs); leveraging existing systems and frameworks to enhance interoperability; and encouraging knowledge sharing between IG professionals across different domains.

Now in its third iteration, the Email Protective Marking Standard (EPMS) is an Australian innovation to identify the sensitivity of content shared by email. It was through conversations with some of the co-authors of the original EPMS that the concept for this paper was formed. As a technical specification recognised by diverse vendors, EPMS enables non-proprietary information exchange. A similar open standard for documents seems long overdue.

Both national security and crisis management require highly sensitive information to be securely shared between applications, individuals, organisations and jurisdictions. Automation can support people sharing sensitive documents, making their jobs easier and safer by reducing manual handling and the risk of errors. This could be achieved by enhancing existing capabilities and standards, drawing on frameworks from both information security and records management.

Open standards and technical specifications are essential for interoperability - eliminating vendor lock-in, technical dependence, legacy issues and digital preservation challenges. Existing standards describe the metadata required for managing documents, but don’t specify how this metadata should travel with the document when it moves from one environment to another.

Geopolitics and COVID-19 bring renewed focus to cybersecurity

Cybersecurity is a priority for all organisations, and an especially hot topic in government right now.

Throughout 2020, pandemic response drove digital transformation at previously unseen (did somebody say “unprecedented”?) rates. Barriers and objections were swept aside to swiftly enable remote working and coordinated action. In one survey, 85% of CISOs admitted they had sacrificed cybersecurity during this transition.

Both national security and crisis management require highly sensitive information to be securely shared between applications, individuals, organisations and jurisdictions. It’s also well recognised that data, information and digital infrastructure are the keys to economic recovery.

This means a growing volume of sensitive information is being exchanged through systems and processes that may have been hastily implemented - and are of ongoing importance.

In 2020, the Australian Government released a new cybersecurity strategy, drafted principles to protect technology supply chains and consulted on an enhanced regulatory framework and amendments to the Security of Critical Infrastructure Act 2018. It is also expected to re-establish the role of Minister for Cybersecurity, flagging the importance of this function at the highest levels.

The ‘human element’ impacts cybersecurity costs and risks

But security is not just about technology; it’s about people too. According to Gartner, organisations around the world spent $1 billion on cybersecurity awareness training last year and this shows no signs of slowing down.

Human error remains the second largest source of data breaches reported to the Office of the Australian Information Commissioner (OAIC). Similar analysis from the UK shows an element of human error in up to 90% of notifiable breaches and it’s the only cause that has continued to increase in frequency.

The pandemic has also seen a surge of concerns around accidental or improper sharing of data, with 92% of organisations considering it a critical threat.

This is hardly surprising when the leading factors influencing mistakes are stress, fatigue and distractions. It’s difficult to create a physical environment that supports concentration and focus when people are operating from home alongside partners, kids, housemates and pets.

Identifying and addressing staff capability gaps is a high priority. How can we better support people to safely use and exchange sensitive information, and reduce the likelihood of human errors?

The case for integrated information governance and interoperability

I think part of the answer can be found at the intersection between information security and records management, through enhancements to existing standards and capabilities - and sharing knowledge between skilled professionals.

Information governance provides a unified strategic framework to protect and optimise corporate information assets. Each element of information governance is focused on specific risks and benefits.

Organisations can gain the most when different elements work together. The frameworks and tools of different disciplines can also be leveraged to solve each other’s challenges. This is why the National Archives recommends coordination through a Chief Information Governance Officer or Information Governance Committee.

Interoperability addresses the ability of systems and services that create, exchange and consume data to have clear, shared expectations for the contents, context and meaning of that data.

An example: sharing sensitive or classified documents

If we focus on a particular use case, we can examine the challenges; identify useful standards or capabilities; and consider potential enhancements.

One example involves sharing documents which contain sensitive or classified information, between an agency in federal government and an agency in a state government.

In this example, a document is stored in a secure corporate repository such as an electronic document and records management system (EDRMS). An officer at the “sender” agency shares a copy of the document as an attachment to an email. An officer at the “receiver” agency captures the email and attached document into their own corporate repository.

The document is moving through at least four different applications (2 email systems and 2 EDRMS); between jurisdictions with aligned, but not identical, regulatory requirements; and organisations with different information management frameworks and technology infrastructure.

This involves quite a bit of manual handling and human decision-making. It requires staff to have knowledge of policies and skills to apply them. It also relies on both agencies to interpret policies in the same way, to ensure sensitive information is handled consistently. This is fairly inefficient, and leaves a lot of points where mistakes can occur.

However, some parts of the process (i.e. the email transmission) are enabled through automation and interoperability. We can consider this as a model when we look at enhancement.

InfoSec and RM policies and standards

The key policies and standards that apply in this example include:

  • the Protective Security Policy Framework (PSPF), which assists agencies to protect their people, information and physical assets. Under the PSPF, the goal of information security is to maintain the confidentiality, integrity and availability of official information. It establishes the rules for grading, labelling and handling sensitive and security classified information.
  • the Email Protective Marking Standard (EPMS), which is provided in an Annex to the PSPF. It provides a standard format to apply protective markings to the internet message header extension and/or subject line of an email. This helps with construction and parsing by email gateways and servers, and allows for information handling based on the protective marking.
  • the Australian Government Recordkeeping Metadata Standard (AGRkMS), which assists agencies to maintain reliable, meaningful and accessible records. The minimum metadata set identifies essential properties for management and use of business information and transfer between agencies.
  • the Digital Continuity 2020 Policy (DC2020) and its successor Building Trust in the Public Record, which comes into effect on 1 January, 2021. These policies establish requirements for managing Australian Government information assets (records, information and data).

 

These policies reference each other. They are designed to work together, and to support other types of access restrictions, such as personal privacy and legal privilege. The PSPF and EPMS require Australian Government agencies to apply the AGRkMS metadata properties.

According to DC2020, the minimum metadata set should be applied to all information handled by Australian Government agencies by 31 December 2020, to meet Principle 3: Information, systems and processes are interoperable.

The target carries over in Action 10 of Building Trust in the Public Record, which requires agencies to ensure business systems, including whole-of-government systems, meet functional and minimum metadata requirements for information management.

At the end of 2019, just over 40% of agencies reported meeting this target.

Policies and standards across jurisdictions

The policies and standards described above apply specifically to Australian Government agencies. However, state government agencies are required to handle documents received from the federal government in accordance with the PSPF (and EPMS). While each state will maintain their own information security policy, many have mapped their requirements to the PSPF to support consistent handling of classified material.

The AGRkMS is the basis of the Australasian standard AS/NZS 5478:2015 Recordkeeping Metadata Property Reference Set (RMPRS), which is broadly endorsed by government records authorities across Australian states and New Zealand. Each jurisdiction maintains a mapping to AS/NZS 5478, to enable interoperability.

The Australasian standard is also compatible with the international standard ISO 23081 Metadata for Records series.

There have been calls for regulatory coherence more broadly, across the APAC region - particularly in relation to privacy. Like regulatory coherence, technology standards provide clarity about how information is handled when it moves across boundaries and between systems - building business confidence and public trust.

Challenges and opportunities to enhance AGRkMS

Metadata provides the means to codify rules or policies in a machine-readable form, which can be used to drive automation. Automation can reduce manual handling and human decision-making, decreasing the risk of mistakes.

The EPMS is a great example of how this works in practice:

  • Emails are consistently marked: prominent labels visually flag sensitive content and prompt staff to handle appropriately;
  • Message files include standard metadata: protective markings are machine readable so they can be handled consistently by both the sending and receiving systems, regardless of the software.

 

The AGRkMS does not specify the means of encoding metadata into the properties of a document.

Metadata may be applied to a document while it is under the control of a particular application - such as an EDRMS or Microsoft environment. While the document remains under the control of that application (either because it is stored in the repository or otherwise linked to the governance engine), the metadata can drive automation for handling and managing a document according to the rules.

But once a document is removed from that controlled environment, and shared or transferred to another application or organisation, the capability is lost. Metadata may be completely stripped out prior to transfer. Any remaining elements, apart from the title, are likely to be non-standard and may not be useable by other applications.

This is a missed opportunity, not only for security but also for digital working and broader records management. If standard metadata was embedded (or bundled/encapsulated) and could ‘travel with’ a document, any other system could use it to drive automation.

No matter which software was used to generate the document (e.g. Microsoft, Google, Adobe, image or media applications), it should be possible for the receiving system to read the metadata and act accordingly.

For this approach to succeed, metadata must be actionable, not merely descriptive.

In our example, it could enable confirmation that a document has the same or lower security classification as the email to which it’s being attached. It could also support capture and filing into the receiver’s corporate repository, pre-populating metadata profiles. This could subsequently drive downgrading of security according to expiry rules and other benefits outlined in the next section.
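The attachment check described above, sketched as an added example (not code from the article or from any EPMS or AGRkMS publication). It assumes the EPMS `X-Protective-Marking` header with a `SEC=` field and the PSPF classification ladder; the `SecurityClassification` property name and the `embedded_metadata` lookup are hypothetical stand-ins for embedded document metadata, which has no agreed encoding yet. The email and metadata are constructed samples.

```python
from email import message_from_string, policy

# PSPF classifications, lowest to highest. The numeric ranks are this
# example's own convention, used only for comparison.
LADDER = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL:Sensitive",
          "PROTECTED", "SECRET", "TOP SECRET"]
RANK = {name.upper(): i for i, name in enumerate(LADDER)}

def parse_marking(value):
    """Split a 'KEY=value, KEY=value' protective marking into a dict."""
    fields = {}
    for part in (value or "").split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields

def rank(label):
    """Return the ladder position of a classification, or None if unknown."""
    return RANK.get((label or "").strip().upper())

def check_outbound(raw_email, embedded_metadata):
    """Allow sending only if every attachment is classified at or below
    the email's marking. Fails closed on missing or unknown labels."""
    msg = message_from_string(raw_email, policy=policy.default)
    email_sec = parse_marking(msg["X-Protective-Marking"]).get("SEC")
    email_rank = rank(email_sec)
    if email_rank is None:
        return False, ["email has no recognised protective marking"]
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        # Hypothetical: metadata read from the document's own properties.
        doc_sec = embedded_metadata.get(name, {}).get("SecurityClassification")
        doc_rank = rank(doc_sec)
        if doc_rank is None:
            reasons.append(f"{name}: no readable classification metadata")
        elif doc_rank > email_rank:
            reasons.append(f"{name}: {doc_sec} exceeds email marking {email_sec}")
    return not reasons, reasons

# Constructed sample message with two attachments.
SAMPLE_EMAIL = """\
From: sender@federal.example
To: receiver@state.example
Subject: Briefing pack
X-Protective-Marking: VER=2018.1, NS=gov.au, SEC=OFFICIAL:Sensitive,
 ORIGIN=sender@federal.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="summary.pdf"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="annex.pdf"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""
SAMPLE_METADATA = {"summary.pdf": {"SecurityClassification": "OFFICIAL"},
                   "annex.pdf": {"SecurityClassification": "PROTECTED"}}

if __name__ == "__main__":
    print(check_outbound(SAMPLE_EMAIL, SAMPLE_METADATA))
```

Failing closed matters here: a document whose metadata was stripped in transit is blocked for review rather than treated as unclassified.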

Enhancing AGRkMS to address this gap would:

  • reduce the risk of manual errors;
  • reduce the overhead on staff to manually re-enter metadata; and
  • truly enable interoperability between different systems that handle documents.

 

Additional benefits for information security, information rights and records management

In terms of protective security, agencies must respect the rule that the originator classifies information. Information received from another agency cannot have the classification changed without the permission of the originating agency. This has proven difficult to manage in practice.

Agencies are also cautioned not to over-classify information, so that the costs of protection do not outweigh the consequences of a breach.

Embedded document metadata about Expiry Rules could be used to drive automation that correctly downgrades protective markings, or schedules documents for review, in the receiving system or organisation.

Similarly, other potential benefits of embedded document metadata could include:

  • Persistent metadata about the Creator (originating agency or custodian), who may retain ongoing legal responsibilities for managing the document.
  • Persistent metadata about other information rights or restrictions could drive automated application of access rules in the receiving system or organisation, supporting consistency in managing privacy and cultural sensitivity, legal or commercial confidentiality, copyright or intellectual property, public access (FOI) and publication.
  • Metadata about the originating Disposal Class could drive the automated application of a particular disposal rule in the receiving system or organisation.
  • Metadata about the originating Identifier, so this copy could always be matched or compared with any other instance of the document — for integrity checks, version control, ROT identification and disposal management.
  • Enabling documents to be consistently managed in any system reduces the risk of vendor lock-in and supports the management of confidentiality, integrity and accessibility over generations of technology or through machinery-of-government changes.
  • Enabling more and different systems to support information security requirements aligns with Australia’s Cyber Security Strategy 2020 — providing for a “hub model” rather than a single “honey pot” and layered approach to cyber threat sharing.

Where could it apply? How could it be used? Leveraging existing capability

There’s a variety of software tools, common in many agencies, which could make use of embedded metadata to drive automation - supporting staff, improving efficiency and reducing risk of errors.

Many solutions will integrate with email tools to provide automated email capture - automatically filing messages stored in a particular inbox. These tools could potentially make use of embedded document metadata to capture a more detailed document profile in the corporate repository.

Specialised document classification tools can add highly visible labels and protective markings to the document content, as well as classification tags in the document properties. This could be driven more automatically, with standardised metadata supplied by file analysis tools or EDRMS using AGRkMS to enable secure sharing and interoperability.

File analysis tools can scan, map and manage documents stored in various locations. They may analyse and index documents to create a profile based on metadata and content. These tools are often used to identify documents containing personal information, so they can be managed according to privacy requirements; or to locate redundant, obsolete and trivial information (ROT) for disposal. If file analysis tools could report according to AGRkMS, they could potentially standardise metadata in the document properties and complete any missing elements.

Most agencies have some form of EDRMS. Their sensitive, high risk or high value documents generally make it into these systems, although there is plenty of document-based information stored in other locations.

EDRMS are “governance engines” with robust capabilities to manage records and maintain them in a tightly bound relationship with contextual metadata and audit trails of activity. Challenges occur when a single document is removed (or copied) from the repository to be shared with a system or organisation that does not have access or integration with the repository. Metadata may not follow the document, especially if it has been inherited from a parent folder/container.

Most EDRMS have capabilities that could potentially be repurposed or enhanced to make metadata available to other systems, when documents are shared outside the repository.

For example, they may provide a general export tool for system upgrades or migration. This is designed for transferring large volumes of documents, so may need some reconfiguration to be suitable for single documents.

Similarly, many EDRMS are certified to output records as a VERS Encapsulated Object (VEO) for transferring archival records to the Public Record Office Victoria. This process wraps a record up with the metadata and audit trail — which might be handy. It also converts the document to a preservation format (PDF), which may not be appropriate when sharing documents for active business use…

Other channels, not only email

There was already a significant shift happening in digital communication, but COVID-19 gave it a massive boost. The use of email was decreasing in some sectors, due in part to security concerns and in part to technological evolution.

Workplace changes accelerated the uptake of tools like Slack, Microsoft Teams, Google Docs, Monday and other platforms with integrated chat, videoconferencing and file sharing.

Sensitive and high value documents continue to be shared through these channels. Like email they are methods of transmission. They have the same needs for protective marking, labelling and metadata that enables proper handling and management. Embedded document metadata could be used by these systems too.

Can’t I just encrypt everything I send?

As a concept, encryption seems great, in terms of applying permissions that follow a file no matter where it goes. Quite frankly that sounds like a dream come true, for an InfoSec or RM professional. However, it’s often a proprietary approach which can restrict interoperability.

Encryption has been generally discouraged for many years by records managers, amid visions of self-destructing emails. It’s not considered a long-term option for protecting information because it introduces a lot of risks for accessibility - impacting transparency and accountability.

You can’t get value out of information you can’t access. Encryption is a heavy-duty solution that is best reserved for the most sensitive information. It’s not something to throw at all your data stores. It has to be carefully implemented.

Conclusions and next steps

An integrated and multidisciplinary attitude to information governance helps us tackle the challenges of an evolving regulatory and technological landscape.

Geopolitics and COVID-19 have increased the need to share sensitive information and changed the way we work, bringing renewed focus to cybersecurity. Human error remains a significant source of risk, despite heavy investments in awareness training. Automation could help by reducing decision-making, manual handling and re-keying of data.

Automation is driven by metadata, which makes rules and policies machine readable. A standardised approach allows data and information to be managed consistently as it moves from one system or environment to another. A good example is the Email Protective Marking Standard (EPMS), which enables protective markings to be applied in the internet message header extension of an email.

The Australian Government Recordkeeping Metadata Standard (AGRkMS) offers a good foundation for documents. It needs to include an agreed mechanism for embedding metadata into document properties - similar to the EPMS. This would support secure sharing, reduce administrative overhead and provide a range of other benefits through improved interoperability.

Further Reading

Thanks to everyone who contributed to this piece, either as an interviewee or reviewer (or both).

I’ll be writing more articles exploring the ways we can work together as data and information professionals to share frameworks, tools and knowledge across domains, for integrated information governance.

For an introduction to the interplay between Information Security and Privacy, I can recommend this White Paper prepared by Salinger Privacy for Janusnet.

Sonya Sherman is Founder and Principal at ZEN Information.

 

Notes and References

The author wishes to acknowledge the contributions of Greg Colla and Neville Jones from Janusnet in the formation of ideas for this article. Any mistakes are the author’s own.

Notifiable Data Breaches Report: January — June 2020. Office of the Australian Information Commissioner. 31 July 2020. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-january-june-2020/

90% of UK Data Breaches Due to Human Error in 2019. 6 February 2020. https://www.infosecurity-magazine.com/news/90-data-breaches-human-error

The role of human error in cybersecurity. 8 October 2020. https://www.comparitech.com/blog/information-security/human-error-cybersecurity-stats/

Human Error: Understand the mistakes that weaken cybersecurity. 23 July 2020. https://www.helpnetsecurity.com/2020/07/23/human-error-cybersecurity/

Information Governance: Optimising the lifeblood of organisations. Information Governance ANZ. 12 November 2019. https://www.infogovanz.com/information-governance/information-governance-optimising-the-lifeblood-of-organisations/

Data Interoperability Standards Consortium. https://datainteroperability.org/

Check-up PLUS 2019 Whole of Government Summary Report. National Archives of Australia. February 2020. https://www.naa.gov.au/sites/default/files/2020-02/Check-Up-Plus-Whole-Of-Government-Report-2019.pdf

Australia’s Cyber Security Strategy 2020. Department of Home Affairs. 6 August 2020. https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy