
Businesses warned of 'dirty document' threat within their own organisations
Workshare introduces new guidelines to help combat document security breaches
Sydney, September 19, 2005 - In light of the spate of recent document security breaches and inadvertent leaks of sensitive information in Australia and globally, document integrity specialist, Workshare, has launched new guidelines to help organisations ensure the hundreds of millions of documents they produce and share electronically are secure, clear of sensitive confidential data, and comply with internal policy and external regulations.
Workshare's "Five Steps to Document Integrity", which will also encourage companies to scrutinise existing data protection and risk mitigation strategies, is the first part of a global campaign to combat a phenomenon known as the "Inside-Out" threat. This is the opposite of malicious external threats such as hacking or computer virus attacks, which most companies' security strategies are set up to combat.
After a plethora of high-profile cases in the United States, the inside-out threat is now very much an Australian issue. Only last month, Victorian Premier, Steve Bracks, said he was "sick and tired" of security breaches following revelations of incidents where classified files from the police database were inadvertently leaked.
In the most recent case, a prison officer, who applied to see his police file, received 1,000 files on other people - including the names and addresses of victims and alleged offenders. While the breach was due to human error and was not malicious, the damage it caused was far reaching with major legal ramifications.
Moreover, the need for clear guidance and effective solutions for e-document construction and sharing is particularly important in Australia, which has one of the world's most stringent regulatory regimes on information governance and data security. Key international legislation includes the global Sarbanes-Oxley regulations governing financial and accounting information as well as the specific Australian privacy legislation, including the Health Records and Information Privacy Act, the Financial Transactions Reporting Act and CLERP 9.
Launching the Five Steps at a gathering of leading technology journalists in Australia's Hunter Valley, Andrew Pearson, Workshare's General Manager for APAC, said: "The inside-out threat is still not understood or taken seriously by organisations here in Australia. They don't yet comprehend the considerable technical and business risks they face because they are focused on more widely publicised external threats such as viruses or hacking. But the threat from within has the capacity to cost businesses millions of dollars in lawsuits, lost business as well as unquantifiable damage to reputations.
"Many companies believe they have effective data governance policies and document integrity solutions. Frankly, many don't. Their policies are flawed because the onus is on people to make manual document security and integrity checks, rather than using effective technology to do it for them automatically and transparently. We believe information integrity and security are too important to be at the mercy of human error."
The Workshare Professional solution makes the review and exchange of electronic business documents secure, accurate and compliant. It provides an audit trail of what people have done with and to a document since its inception. It converts all files to a PDF file in one click from within Microsoft Office, and allows policy-based document security controls.
Pearson concluded: "Corporate Governance is near the top of every Australian CEO's agenda. But what does this mean? In simple terms, Corporate Governance is a set of policies supported by processes. But what are these policies worth if they are not enforced? There is also a fine line between governance and productivity. Too much governance greatly reduces productivity. On the other hand, policy enforcement should never prevent a person doing their job. In our view, enforcement should, therefore, be automated and transparent to the end user."
Workshare's Five Steps to Managing Document Integrity
Document integrity is an ongoing problem that requires action, measurement, and periodic re-evaluation. Only through commitment and focus can organisations hope to manage the risk associated with business documents and their integrity.
1. Understand the level of threat from within your organisation.
Understanding the three components of document integrity aids risk assessment. All three components should be examined together, in detail:
- Document Security - Documents carry many types of risk, including both business risk and technical risk.
  - Business risks concern content that should not be distributed widely, such as privacy and customer information, intellectual property, and financial data.
  - Technical risks include information such as hidden track changes, file paths and other metadata.
- Regulatory and Corporate Policy Compliance - Documents are critical to just about every business process, including financial filings, and customer and supplier contracts.
  - The documents' complete history is auditable against global regulations such as Sarbanes-Oxley in Australia and the US.
  - In addition, documents often carry information that is subject to privacy regulations such as the Australian Privacy Act 1988 (operational in 2005), CA SB1386 in the US and the EC Data Protection Act in Europe. These regulations restrict the disclosure of information as well as the state in which it can be distributed.
- Document Accuracy - Documents go through many iterations and reviews.
  - Independent research by Vanson Bourne conducted in 2005 indicates that up to 75% of documents do reflect all reviewers' input. In addition, multiple versions of documents and their broad distribution often create lost and multiple masters and confusion over the currency of information.
2. Conduct a risk assessment to understand the threats your organisation faces
In this phase of the process an assessment must be performed. This assessment should at a minimum evaluate the risk as defined in step one, the existing policies and processes to manage these risks, or the lack thereof, and user awareness of the business and technical risks.
Security Risk: First, a company can use tools such as those found at www.metadatarisk.org to assess both the business and technical risk across all of its documents. This information should then be evaluated against user awareness to provide a gap analysis of risk versus awareness. Question the following:
- How are documents sent between authors and third parties?
- What state and access controls are at each stage of the document lifecycle?
- Who has access to sensitive information?
- Can hidden information provide effectiveness without liability or damage to the organisation?
- Is there an ability to restrict documents from external distribution when necessary?
- What visible information is included in what documents?
- How aware are users of these risks?
Compliance Risk: The organisation should assess the specific regulation and audit policies that affect each of its critical document types and processes. Next, the policy, process and data available around critical documents should be evaluated to understand the gap between compliance requirements and effectiveness of existing policy and processes. Question the following:
- Do you have a document security policy?
- What regulations affect what documents and what processes?
- Who in your organisation is responsible for writing and reviewing - where does accountability lie?
- What policies, internal and external, are accounted for in the document lifecycle?
- How have your current policies been implemented and verified?
- Can you prove what has been done and why?
- Is there any process in place to provide audit history of documents which fall under regulatory compliance requirements?
Accuracy Risk: Finally, the organisation should evaluate the processes it has in place to ensure the accuracy and integrity of key business documents. Organisations should evaluate both the processes and technologies in place to ensure that final documents include all critical user input, and that document masters are maintained and managed effectively. Question the following:
- How precise is the information held within a document?
- What processes could compromise the document content intention?
- Can the content and/or format be altered during the document lifecycle?
- How do users ensure that the master document is not compromised when the document is shared for review?
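The technical risk named in step 1 (hidden track changes, file paths and other metadata) and the document-wide assessment called for in step 2 can be checked mechanically, because a .docx is a zip of XML parts. The following scanner is an added example written for this page, not Workshare's software or a tool from www.metadatarisk.org; the sample document, its author names and its template path are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
DC = "{http://purl.org/dc/elements/1.1/}"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def scan_docx(data: bytes) -> dict:
    """Report hidden content: tracked changes, comments, author names and local file paths."""
    report = {"tracked_changes": 0, "comments": 0, "authors": [], "local_paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        # w:ins / w:del are insertions and deletions still stored inside the file
        report["tracked_changes"] = len(doc.findall(f".//{W}ins")) + len(doc.findall(f".//{W}del"))
        report["comments"] = len(doc.findall(f".//{W}commentRangeStart"))
        if "docProps/core.xml" in z.namelist():
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in (f"{DC}creator", f"{CP}lastModifiedBy"):
                el = core.find(tag)
                if el is not None and el.text:
                    report["authors"].append(el.text)
        for name in z.namelist():
            if name.endswith(".rels"):  # relationship targets can leak local paths
                for rel in ET.fromstring(z.read(name)).findall(f"{REL}Relationship"):
                    target = rel.get("Target", "")
                    if target.startswith("file:") or "\\" in target:
                        report["local_paths"].append(target)
    return report

def build_sample_docx() -> bytes:
    """Constructed sample: a deleted figure, a comment, two authors and a local template path."""
    document = (f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>'
                '<w:r><w:t>Final offer: $1.2M</w:t></w:r>'
                '<w:del w:id="1" w:author="cfo"><w:r><w:delText>walk-away $0.9M</w:delText></w:r></w:del>'
                '<w:commentRangeStart w:id="0"/><w:r><w:t>see legal</w:t></w:r>'
                '<w:commentRangeEnd w:id="0"/></w:p></w:body></w:document>')
    core = (f'<cp:coreProperties xmlns:cp="{CP[1:-1]}" xmlns:dc="{DC[1:-1]}">'
            '<dc:creator>j.smith</dc:creator><cp:lastModifiedBy>cfo</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    rels = (f'<Relationships xmlns="{REL[1:-1]}"><Relationship Id="rId1" Type="x/attachedTemplate" '
            'Target="file:///C:/Users/jsmith/Templates/bids.dotm" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("docProps/core.xml", core)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Run over a document share, the non-zero counts and the path list give the gap analysis step 2 asks for: what is hidden in the files versus what users believe they are sending.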
3. Develop risk mitigation policies based on document integrity classifications
Understand the different levels of importance around critical information within your organisation and develop information classifications to support your document integrity policies, including:
Highly Confidential
Information where unauthorised disclosure will cause a company severe financial, legal or reputation damage. Examples: acquisitions, bid economics and negotiation strategies.
Confidential
Information where unauthorised disclosure may cause a company financial, legal, or reputation damage. Examples: employee personnel and payroll files, some interpreted exploration data.
Internal Use Only
Information that, because of its personal, technical, or business sensitivity, is restricted for use within the company and its close advisors.
Unrestricted
Information that in general can be shared, but must still be monitored and managed for risk.
Sender Privilege and Recipient Trust
In addition, for each type of information, it must be determined both who has the business need to distribute the information and who has a need and is trusted enough to receive it. For example, the CFO should have the ability to share highly confidential information with auditors, board members and members of his team, while his team members may only be authorised to receive this information, but not to redistribute it.
4. Configure and deploy document integrity safeguards
For every combination of document classification, sender and recipient, policy must be put in place to enforce appropriate levels of risk management, mitigation and audit trails. As in the example above, even the CFO does not have the right to send a document to just any recipient: if the recipient is not trusted by policy to receive this information, the document must be converted into a non-editable format. Other safeguards may apply to ALL documents sent to ANY external party. For example, a company may require the removal of certain types of metadata from any document, and restrict ALL employees from distributing certain documents over email at all. In addition to acting on documents, audit data must be gathered, including the document, sender and recipient identity and the actions applied to each attempted or successful distribution.
Once these sets of classifications and policies are put in place, compliance officers and security staff must find ways to enforce them. Because this is both an educational and a technical challenge, automated solutions which involve both users and compliance personnel must be sought out and implemented. These solutions must allow for user education, appropriate levels of user discretion, and visibility and compliance assurance. They must have a hybrid of end-point and network-level implementation, with centralised policy management and control.
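The classification, sender-privilege and recipient-trust rules of steps 3 and 4 reduce to a decision table that can be enforced automatically and audited on every attempt. The policy engine below is an added example for this page, not Workshare Professional's logic; the role names, the rule that Highly Confidential material never goes over email, and the treatment of auditors and board members as external parties are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # higher value = more sensitive (classifications from step 3)
    UNRESTRICTED = 0
    INTERNAL_USE_ONLY = 1
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3

# Assumed role tables: the highest classification a role may send (privilege)
# or receive (trust). A receiver's own send row governs redistribution, so the
# finance team can receive Highly Confidential material but cannot pass it on.
SEND_PRIVILEGE = {"cfo": Level.HIGHLY_CONFIDENTIAL, "finance_team": Level.CONFIDENTIAL,
                  "staff": Level.INTERNAL_USE_ONLY}
RECEIVE_TRUST = {"cfo": Level.HIGHLY_CONFIDENTIAL, "board": Level.HIGHLY_CONFIDENTIAL,
                 "auditor": Level.HIGHLY_CONFIDENTIAL, "finance_team": Level.HIGHLY_CONFIDENTIAL,
                 "staff": Level.INTERNAL_USE_ONLY, "external": Level.UNRESTRICTED}
EXTERNAL_ROLES = {"auditor", "board", "external"}   # metadata is stripped for these
NO_EMAIL = {Level.HIGHLY_CONFIDENTIAL}              # assumed: never over email, whoever sends

@dataclass
class Decision:
    action: str           # "block", "convert_to_pdf" or "allow"
    strip_metadata: bool
    reason: str

AUDIT_LOG: list[dict] = []

def evaluate(doc_id: str, level: Level, sender: str, recipient: str, channel: str) -> Decision:
    """Apply the classification x sender x recipient policy and record an audit entry."""
    if level in NO_EMAIL and channel == "email":
        d = Decision("block", False, f"{level.name} may not be distributed over email")
    elif SEND_PRIVILEGE.get(sender, Level.UNRESTRICTED) < level:
        d = Decision("block", False, f"{sender} lacks privilege to send {level.name}")
    elif RECEIVE_TRUST.get(recipient, Level.UNRESTRICTED) < level:
        d = Decision("convert_to_pdf", True, f"{recipient} not trusted for {level.name}: non-editable copy only")
    else:
        d = Decision("allow", recipient in EXTERNAL_ROLES, "sender privileged and recipient trusted")
    # Audit trail: document, sender, recipient and the action applied, for every attempt.
    AUDIT_LOG.append({"doc": doc_id, "level": level.name, "sender": sender, "recipient": recipient,
                      "channel": channel, "action": d.action, "strip_metadata": d.strip_metadata})
    return d
```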
5. Regularly audit risk mitigation results
Organisations must put in place mechanisms to both monitor and audit the enforcement, appropriateness and effectiveness of their document integrity safeguards.
These processes and safeguards should include:
- Mechanisms to both monitor and audit the enforcement, appropriateness and effectiveness of a company's document integrity safeguards.
- Regular audit of the security of information, user acceptance of technology, effectiveness of policy and business productivity in evaluating and measuring program effectiveness.
- Regular reviews of the classification of documents and users in order to ensure the organisation is complying with both new regulation and corporate policy.
- Periodic reassessment and measurement of risk, informed by the document integrity components detailed in Step 1.
About Workshare
Workshare is the industry-leading provider of document integrity software applications for professionals. Its products include Workshare Professional, DeltaView, DeltaView PE, Protect and TRACE! Workshare's customer base spans small to large organisations in every industry segment, with more than 50 percent of the Fortune 1000 and 85 percent of the professional services 250. In total, more than 5,000 companies and over 800,000 professionals in 65 countries use Workshare software. The company has offices in Sydney, Hong Kong, London, New York, Chicago, San Francisco, Frankfurt, and The Hague. For more information on Workshare visit www.workshare.com.