E-records confidentiality, integrity, availability, authenticity, possession/control and utility 77

Use secure remote access methods: The ability to remotely connect to a network can add a great deal of convenience for the end user. Though a secure access method such as a virtual private network (VPN) should be used if remote access is required (WaterISAC 2016; Microsoft 2009).

Other measures may include, but are not limited to, issuance and use of digital certificates or similar means of authentication, encryption of messages, inventory authorised and unauthorised devices, inventory of authorised and unauthorised software, secure configurations for hardware and software on laptops, workstations and servers (WaterISAC 2016; Kumar and Malhotra 2015;

Glantz and Landine 2012; Gupta 2007).

3.6 E-records confidentiality, integrity, availability, authenticity, possession/control and

privacy regulations and available policies, procedures and guidelines (Northwestern University records policy, 2018). Personnel responsible for ensuring the confidentiality and appropriate use of institutional e-records to which they are given access, ensuring the security of the equipment where such e-record is held or displayed, ensuring the security of any accounts issued in their name and abiding by related security rights of students and staff concerning the use and release of personal information as required by law or existing policies must be vigilant to enhance confidentiality of e-records (Moi university ICT policy 2011; MoReq 2001). According to Bigirimana et al. (2015), confidentiality can be achieved through proper classification, labeling, indexing, and file naming among others. Organisations including Moi University must ensure that those that have appropriate access to e-records handles them correctly (Bey 2012). Asogwa (2013) concludes that only authorised personnel should have access to information; thus, preventing information from being stolen or damaged. This would ensure the protection of e-records and consequently prevent disclosure of information that could harm the organisation or infringe on the privacy of individuals.

E-records integrity: Observing integrity is vital in the organisation for it ensures that e-records are accurate and remain unchanged representation of the original transaction (Bey 2012, Antirion 2011, Wu 2009, Bhaiji 2008, Parker 2002; Parker 1998). According to the Parkerian Hexad Model, integrity means information cannot be modified without authorisation. In e-records security management, breach of integrity can be displayed in many ways. For instance, when an employee accidentally or with malicious intent deletes important e-records when a virus infects a computer, when an employee can modify his/her salary in payroll, and when an unauthorised user vandalises a web site among others. ISO 15489-1:2001 explains that it is necessary that a record is protected against unauthorised alteration. Records management policies and procedures should specify what additions or annotations may be made to a record after it is created, under what circumstances additions or annotations may be authorised, and who is authorised to make them. Any authorised annotation, additions or deletion to a record should be explicitly indicated and traceable.

Furthermore, ISO 15489-1:2001 suggests that control measures such as access monitoring, user verification, authorised destruction, and security should be implemented to prevent unauthorised access, destruction, alteration or removal of records to maintain integrity.

E-records availability: E-records availability component ensures that the e-records concerned are readily accessible to the authorised users at all times (Bey 2012; Antirion 2011; Wu 2009; Bhaiji 2008; Parker 2002; Parker 1998). Many authors have asserted that availability is the most challenging component to protect though it has not been given extensive attention (Qadir and Quadri 2016; Bey 2012; Martin and Khazanchi 2006). Unauthorised denial of use of e-records or information system could have a severe or catastrophic adverse effect on the organisational operation's assets or stakeholders (Dardick 2010). Availability of e-records dictates reliability, accessibility and timeliness of e-records and the systems that hold them. Frank (2016) concurs that an organisation shall maintain records in a manner that ensures timely efficient and accurate retrieval of needed information. This implies that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems always aim to remain available, preventing service disruptions due to power outages, hardware failures and system upgrades (Yinka n.d.).

E-records authenticity: Authenticity ensures the validity, trustworthiness, and dependability of e-records (Bey 2012; Antirion 2011; Wu 2009; Parker 2002; Parker 1998). It involves proof of identity (Clemmer 2010). DoD 50152 defines authenticity as a condition that proof that a record is genuine based on the mode (including method by which a record is communicated over space or time), form (that is format or media that a record has upon receipt), state of transmission (that is the primitiveness, completeness, and effectiveness of a record when it is initially set aside after being received), and manner of preservation and custody. Hence, authenticity aims to prove that a record is what it purports to be and that it had been created by the organisation with, which it is identified (Raaen 2017; Mukuevho and Jacobs 2012; Ismail and Jamaludin 2009). ISO (2001) states that an authentic record is one that can be proven to have been created or sent by the person purported to have created or sent it, and to have been created or sent at the time purported. The use of digital certificates and digital signatures is used to secure the authenticity of e-records (National Archives and Records Services of South Africa 2006). Like many organisations and institutions, Moi University has the responsibility of ensuring that authenticity is observed to enhance its reputation. ISO 15489-1:2001 asserts that an organisation should implement and document policies and procedures which control the creation, receipt, transmission, use, maintenance and

disposal of e-records to ensure that records creators are authorised and identified and that records are protected against unauthorised addition, deletion, alteration, use, and concealment.

E-records possession or control: Possession or control of e-records refers to the ownership or control ability to use e-records (Bey 2012; Antirion 2011; Wu 2009; Parker 2002; Parker 1998).

Parkerian Hexad Model defines possession or control as a state of having or taking into one's control or holding at one's disposal, actual physical control of property by one who holds for himself, as distinguished from custody, something owned or controlled. It is the attribute that describes the physical relationship between users and their technology. The growth of nomadic computing (driven by the new generation of cell phones, high sale of laptops, IPad, internet cafes, WiFi; and other growing specialised and inexpensive internet access devices as indicated in section 2.2.4), with its increased levels of non-local specific access via relatively small portable devices has increased the significance of this attribute. Possession or control is also about user rights management. Reid and Gilbert (2011) assert that another area of interest in the possession or control is digital rights management where the user or creator of information wants to maintain some ability to control its use or production. Subsequently, Possession or control is a vital component because it covers breaches where confidentiality is both critical and nonexistent. There are several ways of protecting e-records when a laptop, a mobile phone, hard disk or/and flash disks have been stolen or lost. For instance, cryptography is one powerful way of guarding against breach of confidentiality (Bey 2012).

E-records utility: E-records utility refers to the usefulness of information (Bey 2012; Antirion 2011; Wu 2009; Parker 2002; Parker 1998). ISO 15489-2001 explains that a usable record is one that can be located, retrieved, presented and interpreted. It should be capable of subsequent presentation as directly connected to the business activity or transaction that produced it. The contextual linkages of records should carry the information needed for an understanding of the transactions that created and used them. It should be possible to identify a record within the context of broader business activities and functions. The links between records the document a sequence of activities should be maintained.

3.7 Skills and competencies available for e-records security management

To carry out the functions of any given job one must have appropriate competencies and skills to achieve efficient and effective output. The University of Toronto (2013) explains that competencies and skills can be supported by evidence of professional affiliation from a recognised organisation related to one's subject area.

The advancement of information and communication (ICT), its application and the abundance of software and hardware in the market have contributed to the proliferation of e-records. As early as 2000s authors have advocated repeatedly for the importance of capacity building in the area of information and records management (Cook 2006; Wamukoya and Mutula 2005; ICA 2004). Cook (2006) reiterates that information professionals need to realise that an utter transformation is taking place in the world of information; this, in turn, requires an entirely new paradigm or intellectual framework to situate our ideas and practice. Consequently, the trend with which technology is advancing, governments should be alert in terms of maintaining and upgrading infrastructure and equipping the personnel with required skills; This is because, the challenges brought about by the new advancement in technologies and e-records security management require that creators and managers of e-records be equipped with new skills and competencies through training and retraining to be able to effectively and efficiently operate and undertake projects in e-records management (Kumar and Bansal 2014; Ngoepe 2014; Nengomasha 2013; Asogwa 2012). Eiring (2008) on his part in a presentation at the International Council on Archives Congress in Kuala Lumpur, Malaysia asserted that the advent and the explosion of the creation and use of e-records demanded new technologies and methods of education and training on how to effectively and efficiently manage these records.

Similarly, Wamukoya and Mutula (2005) in their study on capacity–building requirements for e- records management in East and Southern Africa noted that various skills are required by records management staff. These skills and competencies are diverse but can be categorised into records and information management skills, technological skills, managerial skills, and project management skills. They further stated that other skills and competencies include, but are not limited to those needed to create, capture, classify, index, store, retrieve, track, appraise, preserve, archive and dispose records in an electronic environment.

The Parkerian Hexad model emphasizes that human resources are vital on the one hand and the biggest threat on the other to e-records security. For instance, the model explains that staff can sometimes enter inaccurate information, save over the wrong file, edit the wrong file, steal or share confidential information, intrude and accidentally delete files. For this reason, they should have competencies, skills and be provided with capacity building opportunities to enable an institution or organisation to achieve confidentiality, integrity, availability, authenticity, control, and utility of e-records (Parker 2002; Bey 2012). These sentiments are also echoed by the public service of Kenya (2010) that training and capacity building is critical for records management officers in the public service.

E-records are vital organisational asset and organisations depend on accurate, complete, readily available information to assist in making decisions, providing litigation support, improving organisational efficiency, documenting compliance with legislative, regulatory, contractual requirements and providing historical references (ARMA 2017; Asogwa 2013; Asogwa 2012;

Luyombya 2010). The growing use of e-records has signaled the need for senior management, directors, records managers, records staff and action officers among others who are responsible for the e-records creation and use to be equipped with appropriate training (Johare et al. 2013; ISO 2001). The continuum model provides knowledge and skills that extend the concept of the continuum beyond metaphor (Upward 2004). In addition to the competencies outlined by the continuum model, understanding the organisation’s business activities, objectives, and process;

and classification of records skills are needed. Moreover, preparing disposal authorities, system designs; information management; technological management; human resource management and project management are essential skills and competencies in e-records security management (Wamukoya and Mutula 2005; ISO 2001). These competencies and skills are needed to manage e- records from creation or receipts through processing, distributing, sharing, using, accessing and securing, organising, storing, retrieving and disposing them.

As indicated in section 3.5, the Moi university responsibility of e-records security management is distributed among the individual units with little or no centralised control (Bigirimana et al. 2015;

Kyobe et al. 2009). This implies that competencies and skills to all employees are mandatory to enhance e-records management security effectively. Ohio State University (2013) in this regard notes that the creating unit must actively maintain active records systems that have continuing

utility and value. Maintaining these systems will entail routine system backup and may involve periodic or scheduled recopying of data from old to new storage media. Continued maintenance of electronic systems may require the responsible personnel migrate records considering their integrity to new systems that can take advantage of the most current systems and software.

Competencies and skills in e-records security management and implementation of ICT services and systems and for the use of these systems are very limited in both academic and administrative areas. Consequently, staff training in the use of ICT services and systems, development of the ICT professional skills and appropriate management capacity are regarded as high-priority goals of the University (Moi University, ICT policy 2011).

Mnjama and Wamukoya (2007) observed that the level of awareness and commitment of staff could be used to gauge where an organisation is placed in terms of records management readiness on a scale of 1-5: Level 1-senior management has no understanding of commitment to the management of the organisation records; Level 2-senior management has a broad understanding of and recognise the need to embrace and support records management in the organisation; Level 3-senior management is highly committed to and are supportive of a records management programme in the organisation; Level 4- senior management has created an environment where records management is highly valued as part of the organisation’s overall information management strategy and Level 5- the organisation is recognised for its stewardship and leadership role in implementing records management programmes.

ISO (2001) also asserts that organisations may choose to use already–trained staff to facilitate attendance by other staff at suitable external training programme or they may choose to engage trained and experienced consultants. ISO further explains that an organisation should consider the following methods of training: in-cooperation in organisations employee orientation programmes and documentation; classroom training for employees new particular responsibility at times of system change; on-job training by knowledge supervisor; training courses provided by educational institutions or professional organisations that may be part of the general offerings of these institutions or may be part of the general offerings of these institutions or may be developed on request to meet an organisation’s particular needs; computer-based presentations which may be interactive, available on the network or storage device, workshops and seminars on-e-records security management issues and initiatives; and leaflets and booklets providing ‘how to' guides

describing aspects of the organisation’s record policies or practices. According to the Kenya public (2010) and ISO (2001), organisation, ministries, public institutions should employ personnel with professional qualification and should ensure that they continuously organise training in order to improve their competencies, knowledge, skills, attitudes, and ability to assimilate new technology to enable them to undertake the reforms in the records management function effectively and efficiently. Despite this directive, many scholars and authors have lamented about the inadequacy of appropriate competencies and skills in e-records management and security management in organisations and institutions (Musembe 2015; Ngoepe 2014; Nengomasha 2013; Erima 2013;

Asogwa 2012; Sichalwe, Ngulube, Stilwell 2011; IRMT 2009; Kemoni 2008; Kemoni and Ngulube 2008; Wamukoya and Mutula 2005; Katuu 2004). Fourteen years ago International Council of Archives maintained that e-government services delivered using ICTs, will be compromised unless the issue of capacity building is addressed, noting that failure to address this issue could lead to reduced government effectiveness, increased operating costs, gaps in recorded memory, reduced public access to entitlements, erosion of rights, and weakened capacity for decision making (ICA 2004).

Dalam dokumen E-records security management at Moi University, Kenya. (Halaman 94-101)