Saturday, February 24, 2007

Document Management and Security - Continued

In my previous article, I discussed the general security tenets and how to apply them to the planning stages of an ECM/Document Management Project. The focus of this article will be some additional focus areas when examining a system, and what to look for in a vendor.

When evaluating an ECM or Document Management System on its security features and functions, there are five key areas:

Identification
This is the process in which the system identifies the user. Most DMS/ECM Systems have the ability to identify users upon access to the system. This step is key to the below areas of focus.

Authentication
This step verifies and validates the user’s identity. Most ECM/DM software provides the ability to authenticate to standard user repositories (Windows Active Directory and LDAP), but this functionality is usually an additional module, or specialized product.

Accountability
More and more legislation is being passed to ensure organizations can provide audit trails and detailed logs on user activity and record activity within an ECM system. Accountability is just that, the ability of a system to provide a record of all transactions and activity within the repository. This is critical for organizations within certain verticals (health care, finance, etc.). Once again, the majority of products on the market include some sort of basic logging, but there are usually add on modules for “enhanced logging and auditing”.

Authorization
After a user has been authenticated, the system will grant them the appropriate rights and permissions within the repository. This is a critical requirement, as you would not want Operations personnel accessing Accounting or HR files. Some systems provide even further granular control to not only restrict access, but also to restrict the use of certain functions and features within the application. This is accomplished through the use of roles or groups to which users can be assigned.

Privacy
Of all the areas listed, this is usually most difficult, and requires security controls outside of the ECM/DM system. Privacy ensures that all user activity remains private and confidential. This can be accomplished through encryption of all traffic to and from the system, and proper security controls on the workstation and server.


Security is often overlooked when selecting and planning for an ECM/DM implementation. The five areas above comprise key areas of focus when evaluating ECM/DM technologies.

Stephen Boals, CISSP
sboals@scanguru.com
http://www.scanguru.com/

No comments: