A must for agencies or a candidate for deletion. A grounded theory investigation of the relationships between records management and information security

DOI: https://doi.org/10.1108/RMJ-09-2018-0026
Date: 11 March 2019
Published date: 11 March 2019
Pages: 57-85
Author: Sherry Li Xie
Subject Matter: Information & knowledge management, Information management & governance
Sherry Li Xie
School of Information Resource Management, Renmin University of China, Beijing,
China and Center for Digital Records Management Research, Beijing,
China and Key Laboratory of Knowledge and Data Engineering,
Ministry of Education of China, China
Abstract
Purpose: This paper aims to report on a study that aimed at analyzing the relationships between
information security and records management (RM), both as programs/functions established in organizations.
Similar studies were not found in relevant literature.
Design/methodology/approach: The study used the classic grounded theory methodology. Pursuing
the general curiosity about the information security-RM relationship in organizations, the study selected the
United States (US) Federal Government as its field of entrance and followed the process of the classic
grounded theory methodology that starts from the letting of the emergence of the research question to the
formulation of a substantive theory that answered the question.
Findings: On the emergent question that why, despite the legislative establishment of agency RM
programs and the use of the term "records" in their work, the US Federal Government information security
community considered RM a "candidate for deletion" (CFD), the study coded the truncated application of the
encompassing definition of records as the underlying reason. By this code, along with its three properties, i.e.
limitations by the seemingly more encompassing coverage of information, insufficient legislative/regulatory
support and the use of the terms of evidence and preservation in the records definition, the CFD consideration
and the associated phenomena of unsound legislative/regulatory conceptualization, information shadow,
information ignorance and archival shadow were explained.
Research limitations/implications: The study results suggested the data for subsequent theoretical
sampling to be the operational situations of individual agency RM programs.
Practical implications: The rationale presented in the study regarding the encompassing nature of
records and the comprehensive scope of RM program can be used for building strong RM business cases.
Originality/value: The study appears to be the first of its kind, which examined the RM-information
security relationship in a very detailed setting.
Keywords: Records management, Information security, Archival shadow, Information ignorance,
Information shadow, Records definition
Paper type: Research paper
Received 20 September 2018
Revised 28 November 2018
Accepted 6 December 2018
Records Management Journal, Vol. 29 No. 1/2, 2019, pp. 57-85
© Emerald Publishing Limited, 0956-5698
This study is supported by the Fundamental Research Funds for Central Universities and the
Research Funds of Renmin University of China (15XNL032).
Introduction
Information security and records management (RM) appear to be two different activities as
indicated by their objects of concern (i.e. records and information) and the concerned aspects
(i.e. security and management). While the relationships between the concerned aspects are
highly contingent, depending on how the term "management" is specified, the objects of their
concern can be viewed as related. A general view from the RM standpoint is that records
constitute a portion of information, or records are a special type of information. As
exemplified by the definition of "records" in the ISO standard on RM, records are "information
created, received and maintained as evidence and as an asset by an organization or person,
in pursuit of legal obligations or in the transaction of business" (ISO, 2016). Curiosity arises
logically regarding the relationships between the two activities as to how they treat each
other in the context of organization. This paper reports on a study that aimed at exploring
such relationships, as no ready knowledge in literature was found. When searching
peer-reviewed records journals, only one relevant article surfaced, which promoted the idea of
integrating information security and RM in achieving information governance (Lomas,
2010). When searching the databases of Web of Science and Academic Search Premier, a few
hits returned, but all of them are about security/protection of medical/health records in
digital environment. The present study takes a general view toward the relationships
between information security and RM in organizations and chooses the US Federal
Government as its primary source of data. It used the classic grounded theory method
(CGTM) as developed by Glaser and Strauss (1967) and Glaser (1978, 1992, 1998, 2001) and
applied in the Record Nature project (Xie, 2013). The chosen methodology guided the
organization of the paper, which follows the CGTM process. It starts with the emergence of
the research question and ends with the substantive theories conceived as the answer to the
question.
The classic grounded theory method process: letting the question emerge
As a basic tenet, CGTM disallows researchers from working with research questions that were
conceived based on literature review. A general interest in any social phenomenon is enough
for researchers to get into the field for inquiries regardless of whether there is existing research.
This is not to ignore existing research, thus risking the possibility of reinventing the wheel,
but to treat it as one type of data, in accordance with the CGTM principle "all is data," and
compare it, at a later stage, with memos (i.e. ideas, thoughts and conceptual constructions)
produced in the CGTM process. Comparison is the main analytical technique used by CGTM,
which, at its core, does the same for data just as any other comparative analyses. What makes
the CGTM comparison unique is the requirement that it needs to be in operation constantly and
it should not be restrained by, for example, the types of data or the stages of the research
process. The approach of getting into the field (physical and/or virtual) with a general interest
serves the purpose of keeping as much as possible an open mind and letting the real, specific
question emerge. Real, specific questions typically emerge when intimate knowledge of the
field has been developed. For the present study, the status of information security in the US
Federal Government is such intimate knowledge required for question(s) to emerge.
Information security in the US federal government
Information security in the US Federal Government is a subject regulated by law. According
to the current FISMA (Federal Information Security Modernization Act of 2014, which
amends the Federal Information Security Management Act of 2002), information security
means "protecting information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction to provide integrity, confidentiality and
availability" (Office of the Law Revision Counsel of the USA House of Representatives,
2014). As one main mechanism to assist its implementation, FISMA requires NIST (National
Institute of Standards and Technology) to develop pertinent standards and guidelines,
