Last updated:

January 25, 2024

What is Cyber Security?

Cyber security is a risk mitigation strategy for prevention of cyber-attacks, which come in many forms including malware, phishing and ransomware. While some attacks focus on theft of information, it is more common for cyber-attacks to focus on shutting down or damaging infrastructure and systems (which prevent access to records/data).

Measures taken as part of cyber security programs are related to the confidentiality, integrity and availability of records/data. These measures protect the record/data and associated systems from external or internal threat.

Without the necessary records/data, the public office would not be able to fulfill their functions and meet their obligations. Public offices need to ensure that:

  • the necessary records/data are created and captured
  • the appropriate management controls are applied to records/data
  • records/data are stored in authorised and secure environments that are appropriate for the level of risk to the records/data
  • records/data are appropriately disposed of once their retention periods have passed
  • the appropriate security controls are applied to networks and systems.

Different systems have different security functionality, different recovery points, and are impacted differently by a cyber-attack. Factors to consider may include:

  • whether there is a single location or multiple locations that need to be managed
  • whether systems are integrated and connected to each other or systems are isolated units
  • whether systems and/or storage areas are online, nearline or offline.

​​​​​​​Some common strategies used in cyber security programs are:

​​​​​​​

Preparing for possible cyber-attack

To prepare for a possible successful cyber-attack, records/data managers should:

  • include references to what records/data might be accessible and how they may be best obtained if the systems and infrastructure were suddenly unavailable in business continuity or other recovery plans. For example, what records/data are available offline and how are they accessed? What level of authorisation is needed?
  • conduct a value/risk assessment of records/data, identify what is high value high risk and document risks to records/data in public office risk registers for annual review and management. Determine how high value high risk records can be recovered or restored in the event of a disaster, including a successful cyber-attack, and whether there is sufficient provision for their recovery
  • ensure that records/data are documented in information/data asset registers in terms of value and risk so that high value high risk records are known, managed and have appropriate controls
  • identify and assign an owner or custodian for records/data created and held across the public office in all formats and business systems, who has responsibility for managing them in accordance with their value and associated risk
  • ensure that records/data are created and maintained in long term sustainable formats where possible, and that they are part of actively managed digital preservation strategies.

 

During and recovery from a cyber-attack

When a cyber-attack has occurred, the initial focus will be on stopping the spread of the threat across infrastructure and systems. In order to be able to continue operations, records/data are needed.

Those responsible for records/data management will have valuable knowledge about how business is affected and what is needed as a priority for business to continue. This includes which systems holding records/data are priorities for recovery and where alternate sources of records/data are.

Business continuity plans can flag offline or alternative sources of records/data that may be tapped to enable business to continue. There may be some unaffected systems or services that contain records/data, or that can be mined for records/data. For example:

  • it may be possible to access email and some may have document attachments
  • there may be hardcopy records in an external facility or within the organisation
  • there may be decommissioned or legacy systems that were offline, or other offline systems, that contain records.

Each of the above have their own issues:

  • email attachments may be drafts that were circulated for review and not the final version, and there will be gaps in that not all records will have been emailed
  • hardcopy records may not be easy to access without box lists that specify what record is in what box and where that box is located. It may require physically opening every box, seeing what's there and creating a new list
  • decommissioned, legacy and offline systems will likely not have the most up to date software, unless they have been actively maintained. In order to read the records contained, the system and software would need to go through various phases of upgrades. Other forms of corrosion from inactivity may also have occurred, making it difficult to locate and retrieve readable/useable records.

Cyber Security and recordkeeping

Records/data are vital for the ongoing operations of any public office. Public records (including data and information) are in every system created, managed or used by a public office and are vital for ongoing operations. The definition of record under the Public Records Act 1973 (the Act) is very broad and includes data and information. Public offices must ensure that records/data/information are managed in compliance with PROV Standards.

When a cyber-attack occurs, it will have an impact on records/data regardless of whether the attack targeted infrastructure, systems or information.

Cyber security specialists understand:

  • how to protect systems and networks from potential threats
  • the actions which need to be taken if a cyber-attack occurs.

Records/data specialists understand:

  • the records/data needed by the public office
  • the systems which create and capture records/data
  • the controls needed for the management of records/data
  • the value of records/data over time
  • legislative and other obligations in respect to records/data, including their minimum lawful retention requirements.

Aligning records/data management and cyber security strategies improves their impact and reach across the public office. This helps to ensure that records/data are:

  • created, captured, accessible and usable for authorised purposes
  • retained for the minimum lawful period as specified within relevant retention and disposal authorities
  • protected from unauthorised access, amendment, modification and deletion
  • protected from loss of record/data integrity
  • protected from cyber-attacks.

All staff must understand their recordkeeping (including data management), cyber and privacy responsibilities and roles.

Access to records/data needs to balance being open and accessible so those who need it can locate, read, and use it, as well as being kept secure so those unauthorised to view or use it cannot do so. Locking down all records/data can result in people saving records/data outside of the system, thereby placing records/data at greater risk.

Focusing on high value high risk records/data and ensuring that they have the appropriate controls and management as a priority is an efficient approach. High value high risk records/data require more active management, generally with greater controls and protection than other records/data.

Recordkeeping requirements should be designed into systems across their lifecycle. One reason for this is that records are likely to need to be retained for longer than the lifecycle of a system, and therefore need to be factored into decommissioning plans, digital and other preservation plans, migrations plans and so on. Understanding where the records/data are located, and what controls/management is needed, will be impacted by where the system is in relation to its lifecycle.

Different systems and software have different mechanisms that can be used to manage or describe the records/data contained. Understanding how the system works, the right metadata to assign what record/data, the most appropriate label or process to apply, leads to more effective management of the records/data within the system. It enables the lifecycle of the record/data within the system to also be appropriately managed.

The following may need to be considered as part of records/data management programs:

  • management of advanced administrative privileges required to undertake essential recordkeeping tasks across all systems used
  • limits or restrictions on the functionality of software and formats used to create and keep accessible records/data
  • macros required for creation, capture or management of records/data or that otherwise are an essential component of records/data
  • ongoing management of the software and applications used to create, access and manage records/data for the duration of the retention periods of those records/data. Where that is longer than the support provided by the companies that made them, strategies to ensure the records/data remain protected, readable and accessible are needed
  • using backup technologies as part of business continuity plans only and not for archival storage of records. The latter must be managed in accordance with requirements of PROV's Recordkeeping Standards to ensure that the records/data stored are managed appropriately for the duration of their retention periods and lawfully disposed of (see the Backup Technologies and Recordkeeping Policy)
  • ensuring that records/data requirements are included and addressed when developing/implementing the system
  • flagging and alerting the appropriate people of errors or disconnection with the digital record/data and unlawful destruction of the data/record as part of maintenance and monitoring programs
  • ensuring that disposal requirements can be met by the system, which requires understanding what records the system will create or hole, how long these records will need to be retained and whether they are to be transferred to PROV at end of life or managed within the public office. Destruction methods must ensure that records/data are completely eliminated so that they cannot be reconstructed, or their content extracted or read.

Recordkeeping practices of relevance to cyber security include:

  • ongoing training of staff in their obligations and responsibilities regarding appropriate capture and management of records/data
  • awareness and management of high value high risk records through the use of tools such as information and data asset registers
  • appropriate implementation of metadata, security labels and retention labels as part of an ongoing program of records management
  • managing records/data in offline storage so they remain accessible, locatable and useable for the duration of their retention periods (which could range from completion of the immediate business use to the lifespan of a human being, for temporary records, or forever if they are State Archives)
  • ensuring that disposal of time-expired records/data is carried out in a lawful and timely manner in accordance with relevant retention and disposal authorities.

Retention and disposal authorities (RDAs) issued by the Keeper of Public Records are central to disposal programs. They describe what kinds of records/data need to be kept for how long before they may be disposed of, and whether they are State Archives, to be transferred to PROV. RDAs can be used to identify high value high risk records, so they can be managed appropriately. For example, that they have appropriate access controls, storage locations and other elements that align well with cyber security strategies.

Public records should only be kept for their minimum required retention period, unless it is likely that they will be needed for future legal proceedings or other purposes. Public records can only be disposed of with the authorisation of the Keeper of Public Records, for example in compliance with the appropriate RDA. Unlawful disposal is an offence under the Act.

An effective disposal program prevents records from being kept unnecessarily, meaning they are not at risk during cyber security incidents. This is important when personal or sensitive information is held (for example, some records may contain credit card numbers or personal identifiers). Privacy requirements are specified by the Office of the Victorian Information Commissioner (OVIC). PROV has published guidance on managing privacy and recordkeeping obligations to help minimise risk of personal information being affected by cyber security incidents.

Cyber security incidents are likely to target infrastructure and systems which will impact on being able to access and use records/data for ongoing business. A cyber security attack may even stop any business being conducted.

Records/data are essential components of business operations, providing a history of past actions, information on processes and how to do things, and recording decisions and approvals made. Public offices must ensure records/data and the systems, media and facilities in which they are stored are covered by business continuity and disaster recovery plans and processes.

Business continuity programs are strategies, plans and processes, to enable ongoing business in times of disaster or disruption (including cyber security incidents). Business continuity plans include information about high value high risk records/data and what is needed in relation to them should a disaster or disruption occur.

Reliance on backups to enable business to continue is not always possible. The backups held may also be compromised and it may be difficult to detect or confirm that they have been compromised. Whether the backups are in the cloud or on tape may not make a difference if they contain undetected ransomware or other malware.

Material in the Public Record Office Victoria archival collection contains words and descriptions that reflect attitudes and government policies at different times which may be insensitive and upsetting

Aboriginal and Torres Strait Islander Peoples should be aware the collection and website may contain images, voices and names of deceased persons.

PROV provides advice to researchers wishing to access, publish or re-use records about Aboriginal Peoples