Tuesday, February 20, 2007

Document Management and Security

As with most technical endeavors, security tends to be an afterthought in the majority of Document Management projects. Paper documents are an important asset to an organization, and once they are moved into the digital realm, even more attention should be paid to their security. Would you place an unlocked file cabinet holding all your confidential customer information in the middle of Grand Central Station? This article is the first in a series on how to involve Information Security (InfoSec) from the beginning of your Document Management/ECM project through implementation and maintenance.
To start with, as in any technical project, the three basic tenets of InfoSec should be considered: Confidentiality, Integrity and Availability.

Confidentiality

The basic premise of the Confidentiality tenet is to prevent unintentional or intentional disclosure of information. In the planning stages, steps need to be taken to put the correct controls on your digital documents: analyze the types of documents that will be stored online and who needs to access them. Any system under consideration for managing the security of the documents should be able to control access, rights and privileges. Care should be taken to mitigate risk and protect all confidential information.

Integrity

What does integrity mean? In a nutshell, the system will be required to prevent unauthorized alteration of the data. In the case of a Document Management System, the data includes the image or file and the information about that file (metadata). There needs to be the ability to control who can alter data (update a record) and who cannot, based on specific users or groups. In some industries (financial), the ability to write data to unalterable media will be required so that changes cannot be made. In planning, it is necessary to examine the Integrity tenet and ensure the system you evaluate has all the capabilities needed to prevent alteration.
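The Integrity tenet above calls for two things a DMS record must carry: a way to detect alteration of the file and its metadata, and a rule for who may update the record. The following is an added illustration written for this article, not code from the original post or from any product; the group names, rights and the "frozen" flag standing in for unalterable media are hypothetical.

```python
import hashlib
import json
from dataclasses import dataclass

# Hypothetical rights a group can hold on a document record.
READ, UPDATE = "read", "update"


def record_digest(file_bytes: bytes, metadata: dict) -> str:
    """Hash the image/file bytes together with canonical metadata,
    so a change to either one is detected by verify()."""
    canon = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    h = hashlib.sha256()
    h.update(len(file_bytes).to_bytes(8, "big"))  # length prefix separates the two parts
    h.update(file_bytes)
    h.update(canon)
    return h.hexdigest()


@dataclass
class DocumentRecord:
    file_bytes: bytes
    metadata: dict
    acl: dict              # group name -> set of rights (constructed ACL)
    frozen: bool = False   # True once committed to write-once media (assumption)
    digest: str = ""

    def __post_init__(self) -> None:
        self.digest = record_digest(self.file_bytes, self.metadata)

    def verify(self) -> bool:
        """Recompute the digest; False means file or metadata changed out of band."""
        return record_digest(self.file_bytes, self.metadata) == self.digest

    def can(self, groups, right: str) -> bool:
        return any(right in self.acl.get(g, set()) for g in groups)

    def update_metadata(self, user_groups, changes: dict) -> None:
        """Apply a metadata update only for an authorized, unfrozen, intact record."""
        if self.frozen:
            raise PermissionError("record is on unalterable media")
        if not self.can(user_groups, UPDATE):
            raise PermissionError("caller's groups lack the update right")
        if not self.verify():
            raise ValueError("record was altered outside the system")
        self.metadata = {**self.metadata, **changes}
        self.digest = record_digest(self.file_bytes, self.metadata)
```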

Availability

What good is a system if you cannot access your information? Availability goes well beyond just having the information available to users. It is what happens behind the scenes to ensure the greatest possible redundancy, backed by in-depth disaster recovery planning. It includes everything from having a redundant disk subsystem to having a restore plan in the case of a disaster. Availability planning is paramount to the success of any Document Management system.
These three basic tenets of InfoSec must be a requirement of any Document Management or Enterprise Content Management project. They must be carried through all the project phases: Planning, Implementation and Maintenance.
Stephen Boals, CISSP sboals@scanguru.com http://www.scanguru.com/
