Kerry A. Anderson, CISA,
CISM, CRISC, CGEIT, CISSP,
ISSMP, ISSAP, CSSLP, CFE,
is an information security
and records management
consultant with more than
15 years of experience
in information security
and IT across a variety of
industries. She has worked
in information security,
financial systems operations,
network administration, IT
audit, records management,
planning and college-level instruction. She can
be reached at kerry.ann.
A Case for a Partnership Between
Information Security and Records
When picturing the relationship between the
information security and the records information
management (RIM) teams in many organizations,
Aunt Eller, from the Broadway play Oklahoma,
singing “The farmer and the cowboy should be
friends” comes to mind. Both the farmer and
the cowboy had similar interests and could
have likely benefited from some collaborative
endeavor; however, in many organizations, the
tendency has been to fixate on the differences
between information security and RIM rather
than the mutual benefits.
In many organizations, there has been limited
interaction between the information security
and the RIM teams. While there may be myriad
explanations for this lack of partnership, the most
likely cause is a combination of the following:
• Most information security practitioners
believe that RIM is primarily focused around
management of archival hard copy records,
rather than active electronic records.
• Many RIM professionals have limited
backgrounds in IT.
• There is a desire by both groups to avoid
conflict by not infringing on the other’s turf
(i.e., peaceful coexistence).
• Differences exist in the backgrounds of
practitioners. Many information security
professionals come from IT, whereas RIM staff
often have library science backgrounds.
Information security and IT organizations
seem more naturally aligned because the technical
focus of many information security initiatives
and tools necessitates their mutual involvement.
Many information security practitioners view
their IT peers as natural extensions of their team.
Put simply, information security sees IT as “us”
rather than “them.”
Fewer information security professionals view
their RIM counterparts as potential players on their
team. Conversely, RIM professionals seldom regard
information security as prospective stakeholders
on their projects. When communication is required
between the two teams, the approach is often to
send an envoy to fetch the necessary information
rather than to initiate continuing exchanges.
40 ISACA JOURNAL VOLUME 2, 2012