In light of the spate of recent document security breaches and inadvertent leaks of sensitive information in the Asia Pacific as well as globally, document integrity specialist Workshare has launched new guidelines to help organizations ensure the hundreds of millions of documents they produce and share electronically are secure, clear of sensitive confidential data, and compliant with internal policy and external regulations.
Workshare's 'Five Steps to Document Integrity', which also encourages companies to scrutinize existing data protection and risk mitigation strategies, is step one of the company's global campaign to combat a phenomenon known as the 'Inside-Out' threat. This is the opposite of malicious external threats such as hacking or computer virus attacks, which most companies' security strategies are set up to combat.
After a plethora of high-profile cases in the United States, the inside-out threat is now very much an Asia Pacific issue. For example, Australia was recently hit by revelations of a series of incidents where classified files from the police database were inadvertently leaked as a result of human error. One case saw a prison officer, who applied to see his police file, receive 1,000 files on other people - including the names and addresses of victims and alleged offenders.
“Unfortunately, the inside-out threat is still not understood or taken seriously by organizations here in Asia Pacific. This is because they don't yet comprehend that the threat from within has the capacity to cost businesses millions of dollars in lawsuits, lost business as well as unquantifiable damage to reputations,” says Andrew Pearson, Workshare's general manager for APAC.
“Many companies believe they have effective data governance policies and document integrity solutions. Frankly, many don't. Their policies are flawed because the onus is on people to make manual document security and integrity checks, rather than using effective technology to do it for them automatically and transparently. We believe information integrity and security are too important to be at the mercy of human error,” he continues.
According to Pearson, the Workshare Professional solution makes the review and exchange of electronic business documents secure, accurate and compliant. It provides an audit trail of what people have done with and to a document since its inception. It converts all files to a PDF file in one click from within Microsoft Office, and allows policy-based document security controls.
On top of this, Workshare is also preparing to launch a “simple yet powerful cure” for document security risks, called Hygiene, which will deliver an automated, non-disruptive document security approach that cures documents of content security risks - right from within office applications such as e-mail, Web pages, portals and other software programs that people use every day.
“Hygiene is the first security solution to zero in on risks unique to electronic documents, automatically curing documents of dangerous threats without the overwhelming productivity side-effects of other content security approaches,” adds Pearson.
“Corporate Governance is near the top of every Asia Pacific CEO’s agenda. But what does this mean? In simple terms, Corporate Governance is a set of policies supported by processes. But what are these policies worth if they are not enforced? There is also a fine line between governance and productivity. Too much governance greatly reduces productivity. On the other hand, policy enforcement should never prevent a person doing their job. In our view, enforcement should, therefore, be automated and transparent to the end user,” he says.
Five Steps to Managing Document Integrity
Document integrity is an ongoing problem that requires action, measurement, and periodic re-evaluation. Only through commitment and focus can organizations hope to manage the risk associated with business documents and their integrity.
1. Understand the level of threat from within your organization. Understanding the three components of document integrity aids risk assessment. All three components should be examined together, in detail. They are:
- Document Security - Documents carry many types of risk, both business and technical. Business risks include content that should not be distributed widely, such as customer information, intellectual property and financial data. Technical risks include information the author may not know is there: hidden tracked changes, file paths and other metadata.
- Regulatory and Corporate Policy Compliance - Documents are critical to just about every business process, including financial filings and customer and supplier contracts. A document's complete history is auditable against global regulations such as Sarbanes-Oxley. In addition, documents often carry information that is subject to privacy regulations.
- Document Accuracy - Documents tend to go through many iterations and reviews. Independent research by Vanson Bourne conducted this year indicates that up to 75% of documents do not reflect all reviewers' input. In addition, multiple versions of a document and its broad distribution often create confusion.
2. Conduct a risk assessment to understand the threats your organization faces. In this phase of the process, an assessment must be performed. This assessment should, at a minimum, evaluate the risks defined in step one, the existing policies and processes to manage those risks (or the lack thereof), and user awareness of the business and technical risks.
Security Risk:
First, a company can use tools such as those found at www.metadatarisk.org to assess both the business and technical risk across all of its documents. This information should then be evaluated against user awareness to provide a gap analysis of risk versus awareness. In addition, question the following:
- How are documents sent between authors and third parties?
- What state and access controls apply at each stage of the document lifecycle?
- Who has access to sensitive information?
- Could hidden information in a document expose the organization to liability or damage?
- Is there an ability to restrict documents from external distribution when necessary?
- What visible information is included in which documents?
- How aware are users of these risks?
Compliance Risk:
The organization should assess the specific regulations and audit policies that affect each of its critical document types and processes. Next, the policy, process and data available around critical documents should be evaluated to understand the gap between compliance requirements and the effectiveness of existing policy and processes. Question the following:
- Do you have a document security policy?
- Which regulations affect which documents and which processes?
- Who in your organization is responsible for writing and reviewing policy, and where does accountability lie?
- What policies, internal and external, are accounted for in the document lifecycle?
- How have your current policies been implemented and verified?
- Can you prove what has been done and why?
- Is there any process in place to provide an audit history of documents that fall under regulatory compliance requirements?
Accuracy Risk:
Finally, the organization should evaluate the processes it has in place to ensure the accuracy and integrity of key business documents: both the processes and the technologies that ensure final documents include all critical user input, and that document masters are maintained and managed effectively. Question the following:
- How precise is the information held within a document?
- What processes could compromise the intended content of the document?
- Can the content and/or format be altered during the document lifecycle?
- How do users ensure that the master document is not compromised when the document is shared for review?
3. Develop risk mitigation policies based on document integrity classifications
It is crucial to understand the different levels of importance around critical information within your organization and develop information classifications to support your document integrity policies, including:
· Highly Confidential
Information where unauthorized disclosure will cause a company severe financial, legal or reputation damage. Examples: acquisitions, bid economics and negotiation strategies.
· Confidential
Information where unauthorized disclosure may cause a company financial, legal, or reputation damage. Examples: employee personnel and payroll files, some interpreted exploration data.
· Internal Use Only
Information that, because of its personal, technical, or business sensitivity, is restricted for use within the company and its close advisors.
· Unrestricted
Information that in general can be shared, but must still be monitored and managed for risk.
· Sender Privilege and Recipient Trust
In addition, for each type of information, it must be determined both who has the business need to distribute the information and who has a need for it and is trusted enough to receive it. For example, the CFO should have the ability to share highly confidential information with auditors, board members and members of the finance team, while those team members may be authorized only to receive this information, not to redistribute it.
4. Configure and deploy document integrity safeguards
For every combination of document classification, sender and recipient, policy must be put in place to enforce appropriate levels of risk management, mitigation and audit trail. As in the example above, even the CFO may not have the right to send a document to every recipient: if the recipient is not by policy trusted to receive the information, the document must be converted into a non-editable format. Other safeguards may apply to all documents sent to any external party. For example, a company may require the removal of certain types of metadata from any outbound document, and may bar all employees from distributing certain documents over email at all. In addition to acting on documents, audit data must be gathered that records the document, the sender and recipient identities, and the actions applied to each attempted or successful distribution.
Once these classifications and policies are in place, compliance officers and security staff must find ways to enforce them.
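The technical risk named in Step 1 and assessed in Step 2 (hidden tracked changes, author names, template file paths) and the metadata-removal safeguard of Step 4 can both be demonstrated on a .docx directly, because a .docx is a zip archive of XML parts. The following is an added example written for this page, not Workshare's code or product: it constructs a minimal sample document in memory (a real file also carries [Content_Types].xml and relationship parts, which a production sanitizer must update when it drops the comments part), reports what the document would disclose, and then strips those items from an outbound copy. Everything in it uses only the Python standard library.

```python
"""Added example (not Workshare code): scan a .docx for the hidden-information
risks of Step 1 and Step 2, then apply the Step 4 safeguard of stripping them
before the file leaves the company. The sample document is constructed here."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the parts inspected: WordprocessingML, Dublin Core, core and app properties.
NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)  # keep readable prefixes when re-serialising
W, DC, CP, EP = (f"{{{NS[p]}}}" for p in ("w", "dc", "cp", "ep"))


def build_sample_docx(author: str = "a.pearson") -> bytes:
    """Constructed test input (hypothetical names): one tracked deletion, one tracked
    insertion, a hidden run, a comment, author names and a template path."""
    w = NS["w"]
    document = (
        f'<w:document xmlns:w="{w}"><w:body>'
        '<w:p><w:r><w:t>Offer price: </w:t></w:r>'
        f'<w:del w:id="1" w:author="{author}"><w:r><w:delText>$9m</w:delText></w:r></w:del>'
        f'<w:ins w:id="2" w:author="{author}"><w:r><w:t>$12m</w:t></w:r></w:ins></w:p>'
        '<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>walk-away is $10m</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f'<dc:creator>{author}</dc:creator><cp:lastModifiedBy>legal-reviewer</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = f'<Properties xmlns="{NS["ep"]}"><Template>C:\\Users\\{author}\\Templates\\bid.dotx</Template></Properties>'
    comments = f'<w:comments xmlns:w="{w}"><w:comment w:id="0" w:author="{author}"/></w:comments>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in [("word/document.xml", document), ("word/comments.xml", comments),
                          ("docProps/core.xml", core), ("docProps/app.xml", app)]:
            z.writestr(name, xml)
    return buf.getvalue()


def _part(z: zipfile.ZipFile, name: str):
    return ET.fromstring(z.read(name)) if name in z.namelist() else None


def scan_docx(data: bytes) -> dict:
    """Step 2 technical-risk check: count revision marks, hidden runs and comments,
    and collect every person name and file path the document would disclose."""
    f = {"tracked_changes": 0, "hidden_text_runs": 0, "comments": 0, "authors": set(), "template": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = _part(z, "word/document.xml")
        if doc is not None:
            f["tracked_changes"] = sum(1 for e in doc.iter() if e.tag in (W + "ins", W + "del"))
            f["hidden_text_runs"] = sum(1 for _ in doc.iter(W + "vanish"))
            f["authors"].update(e.get(W + "author") for e in doc.iter() if e.get(W + "author"))
        com = _part(z, "word/comments.xml")
        if com is not None:
            f["comments"] = sum(1 for _ in com.iter(W + "comment"))
            f["authors"].update(e.get(W + "author") for e in com.iter(W + "comment") if e.get(W + "author"))
        core = _part(z, "docProps/core.xml")
        if core is not None:
            f["authors"].update(e.text for t in (DC + "creator", CP + "lastModifiedBy") for e in core.iter(t) if e.text)
        app = _part(z, "docProps/app.xml")
        if app is not None:
            t = app.find(EP + "Template")
            f["template"] = t.text if t is not None else None
    return f


def _accept_revisions(root):
    # Pass 1: unwrap w:ins (keep the inserted runs), delete w:del (text and author go away).
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == W + "del":
                parent.remove(child)
            elif child.tag == W + "ins":
                idx = list(parent).index(child)
                parent.remove(child)
                for off, run in enumerate(list(child)):
                    parent.insert(idx + off, run)
    # Pass 2: drop runs formatted as hidden text (w:rPr/w:vanish).
    for parent in list(root.iter()):
        for run in list(parent):
            if run.tag == W + "r" and run.find(W + "rPr/" + W + "vanish") is not None:
                parent.remove(run)


def sanitize_docx(data: bytes) -> bytes:
    """Step 4 safeguard for an outbound copy: accept insertions, remove deletions,
    hidden runs, the comments part, author names and the template path."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name == "word/comments.xml":
                continue
            raw = src.read(name)
            if name in ("word/document.xml", "docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(raw)
                if name == "word/document.xml":
                    _accept_revisions(root)
                elif name == "docProps/core.xml":
                    for t in (DC + "creator", CP + "lastModifiedBy"):
                        for e in root.iter(t):
                            e.text = None
                else:
                    for t in root.findall(EP + "Template"):
                        root.remove(t)
                raw = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, raw)
    return out.getvalue()


def all_text(data: bytes) -> str:
    """Every run of body text, including deleted text, for before/after comparison."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
    return "".join(e.text or "" for e in doc.iter() if e.tag in (W + "t", W + "delText"))
```

Running `scan_docx(build_sample_docx())` reports two revision marks, one hidden run, one comment, two names and the template path; after `sanitize_docx` the same scan reports nothing and `all_text` returns only "Offer price: $12m". The point for Step 2 is that none of these items are visible in the editor's normal view, so a manual check by the author is exactly the kind of check that human error defeats; the point for Step 4 is that the safeguard can be applied mechanically to every outbound copy without touching the master.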
5. Regularly audit risk mitigation results
Organizations must put in place mechanisms to both monitor and audit the enforcement, appropriateness and effectiveness of their document integrity safeguards. These processes should include:
· Regular audit of the security of information, user acceptance of technology, effectiveness of policy and business productivity in evaluating and measuring program effectiveness.
· Regular reviews of classification of documents and users in order to ensure the organization is complying with both new regulation and corporate policy.
· Periodic reassessment and measurement of risk, informed by the document integrity components detailed in Step 1.