
Document integrity is an ongoing problem that requires action, measurement, and periodic re-evaluation. Only through commitment and focus can organizations hope to manage the risk associated with business documents and their integrity.
1. Understand the level of threat from within your organization.
Understanding the three components of document integrity aids risk assessment. All three components should be examined together, in detail:
- Document Security - Documents carry many types of risk, including both business risk and technical risk.
  - Business risks concern content that should not be distributed widely, such as privacy and customer information, intellectual property, and financial data.
  - Technical risks include information such as hidden tracked changes, file paths and other metadata.
- Regulatory and Corporate Policy Compliance - Documents are critical to just about every business process, including financial filings and customer and supplier contracts.
  - The documents' complete history is auditable against global regulations such as Sarbanes-Oxley in Australia and the US.
  - In addition, documents often carry information that is subject to privacy regulations such as the Australian Privacy Act 1988 (operational in 2005), CA SB1386 in the US and the EC Data Protection Act in Europe. These regulations restrict the disclosure of information as well as the state in which it can be distributed.
- Document Accuracy - Documents go through many iterations and reviews.
  - Independent research by Vanson Bourne conducted in 2005 indicates that up to 75% of documents do reflect all reviewers' input. In addition, multiple versions of documents and their broad distribution often create lost and multiple masters and confusion over the currency of information.
2. Conduct a risk assessment to understand the threats your organization faces
In this phase of the process an assessment must be performed. At a minimum, this assessment should evaluate: the risks defined in step one; the existing policies and processes to manage these risks, or the lack thereof; and user awareness of the business and technical risks.
Security Risk: First, a company can use tools such as those found at www.metadatarisk.org to assess both the business and technical risk across all of its documents. This information should then be evaluated against user awareness to provide a gap analysis of risk versus awareness. Question the following:
- How are documents sent between authors and third parties?
- What state and access controls are at each stage of the document lifecycle?
- Who has access to sensitive information?
- Can hidden information provide effectiveness without liability or damage to the organization?
- Is there an ability to restrict documents from external distribution when necessary?
- What visible information is included in what documents?
- How aware are users of these risks?
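The technical-risk side of this assessment (hidden tracked changes, comments, author names and local file paths left inside documents) can be inventoried mechanically. The following is an added example, not code from the original article or from any tool it refers to: it opens a .docx package (a zip of XML parts) and reports the residue a document would carry out of the organization. The sample document it scans is constructed in memory with fictitious names and paths; the part names and XML namespaces are the standard Office Open XML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used inside an Office Open XML (.docx) package.
NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}


def _part(zf: zipfile.ZipFile, name: str):
    """Parse one XML part of the package; return None if the part is absent."""
    try:
        return ET.fromstring(zf.read(name))
    except KeyError:
        return None


def scan_docx(data: bytes) -> dict:
    """Inventory the hidden information a .docx would carry out of the organisation:
    author properties, tracked insertions/deletions, comments, the track-revisions
    setting, and relationship targets that expose local file paths."""
    findings = {"authors": [], "tracked_changes": 0, "comments": 0,
                "track_revisions_on": False, "file_paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        core = _part(zf, "docProps/core.xml")
        if core is not None:
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = core.find(tag, NS)
                if el is not None and el.text:
                    findings["authors"].append(el.text)
        doc = _part(zf, "word/document.xml")
        if doc is not None:
            findings["tracked_changes"] = (len(doc.findall(".//w:ins", NS))
                                           + len(doc.findall(".//w:del", NS)))
        comments = _part(zf, "word/comments.xml")
        if comments is not None:
            findings["comments"] = len(comments.findall("w:comment", NS))
        settings = _part(zf, "word/settings.xml")
        if settings is not None:
            findings["track_revisions_on"] = settings.find("w:trackRevisions", NS) is not None
        rels = _part(zf, "word/_rels/document.xml.rels")
        if rels is not None:
            for relationship in rels.findall("rel:Relationship", NS):
                target = relationship.get("Target", "")
                if target.startswith("file:") or "\\" in target:
                    findings["file_paths"].append(target)
    return findings


def has_hidden_information(findings: dict) -> bool:
    """True when any finding needs attention before the document is distributed externally."""
    return bool(findings["authors"] or findings["tracked_changes"] or findings["comments"]
                or findings["track_revisions_on"] or findings["file_paths"])


def build_sample_docx(with_residue: bool = True) -> bytes:
    """Constructed sample package (fictitious names and paths, not a real document).
    with_residue=False yields a document containing only visible body text."""
    w, cp, dc, rel = NS["w"], NS["cp"], NS["dc"], NS["rel"]
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml":
            f'<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:t>Offer price: 3.9m</w:t></w:r>'
            '</w:p></w:body></w:document>',
    }
    if with_residue:
        parts["word/document.xml"] = (            # a deleted and an inserted run (track changes)
            f'<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:t>Offer price: </w:t></w:r>'
            '<w:del w:author="cfo"><w:r><w:delText>4.2m</w:delText></w:r></w:del>'
            '<w:ins w:author="cfo"><w:r><w:t>3.9m</w:t></w:r></w:ins></w:p></w:body></w:document>')
        parts["docProps/core.xml"] = (            # author and last-editor properties
            f'<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}"><dc:creator>j.smith</dc:creator>'
            '<cp:lastModifiedBy>legal-reviewer</cp:lastModifiedBy></cp:coreProperties>')
        parts["word/comments.xml"] = (            # a reviewer comment revealing negotiation position
            f'<w:comments xmlns:w="{w}"><w:comment w:author="legal-reviewer"><w:p><w:r>'
            '<w:t>Walk away above 4.0m</w:t></w:r></w:p></w:comment></w:comments>')
        parts["word/settings.xml"] = f'<w:settings xmlns:w="{w}"><w:trackRevisions/></w:settings>'
        parts["word/_rels/document.xml.rels"] = ( # hyperlink to a local file path
            f'<Relationships xmlns="{rel}"><Relationship Id="rId1" Type="hyperlink" '
            'TargetMode="External" Target="file:///C:/Users/jsmith/Deals/Falcon/model.xlsx"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("residue", build_sample_docx()), ("clean", build_sample_docx(False))):
        result = scan_docx(blob)
        print(label, has_hidden_information(result), result)
```

Run against a sample of real documents from each business process, the counts of affected documents per category give the "risk" side of the gap analysis; the awareness side still has to come from asking users the questions above.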
Compliance Risk: The organization should assess the specific regulation and audit policies that affect each of its critical document types and processes. Next, the policy, process and data available around critical documents should be evaluated to understand the gap between compliance requirements and effectiveness of existing policy and processes. Question the following:
- Do you have a document security policy?
- What regulations affect which documents and which processes?
- Who in your organization is responsible for writing and reviewing; where does accountability lie?
- What policies, internal and external, are accounted for in the document lifecycle?
- How have your current policies been implemented and verified?
- Can you prove what has been done and why?
- Is there any process in place to provide audit history of documents which fall under regulatory compliance requirements?
Accuracy Risk: Finally, the organization should evaluate the processes it has in place to ensure the accuracy and integrity of key business documents. Organizations should evaluate both the processes and technologies in place to ensure that final documents include all critical user input, and that document masters are maintained and managed effectively. Question the following:
- How precise is the information held within a document?
- What processes could compromise the document content intention?
- Can the content and/or format be altered during the document lifecycle?
- How do users ensure that the master document is not compromised when the document is shared for review?
3. Develop risk mitigation policies based on document integrity classifications
Understand the different levels of importance around critical information within your organization and develop information classifications to support your document integrity policies, including:
- Highly Confidential - Information where unauthorized disclosure will cause a company severe financial, legal or reputation damage. Examples: acquisitions, bid economics and negotiation strategies.
- Confidential - Information where unauthorized disclosure may cause a company financial, legal, or reputation damage. Examples: employee personnel and payroll files, some interpreted exploration data.
- Internal Use Only - Information that, because of its personal, technical, or business sensitivity, is restricted for use within the company and its close advisors.
- Unrestricted - Information that in general can be shared, but must still be monitored and managed for risk.
Sender Privilege and Recipient Trust
In addition, for each type of information, it must be determined both who has the business need to distribute the information and who has a need for, and is trusted enough to receive, this information. For example, the CFO should have the ability to share highly confidential information with auditors, board members and members of his team, while his team members may only be authorized to receive this information, not to redistribute it.
4. Configure and deploy document integrity safeguards
For every combination of document classification, sender and recipient, policy must be put in place to enforce appropriate levels of risk management, mitigation and audit trails. As in the example above, even the CFO does not have the right to send a document to every recipient: if the recipient is not trusted by policy to receive this information, the document must be converted into a non-editable format. Other safeguards may apply to ALL documents sent to ANY external party. For example, a company may require the removal of certain types of metadata from any document, and restrict ALL employees from distributing certain documents over email at all. In addition to acting on documents, audit data must be gathered that includes the document, sender and recipient identity and the actions applied to each attempted or successful distribution.
Once these classifications and policies are in place, compliance officers and security staff must find ways to enforce them. Because this is both an educational and a technical challenge, automated solutions that involve both users and compliance personnel must be sought out and implemented. These solutions must allow for user education, appropriate levels of user discretion, and visibility and compliance assurance. They must combine end-point and network-level implementation with centralized policy management and control.
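The rules described in this step (sender privilege, recipient trust, conversion to a non-editable format, metadata removal for external parties, a channel restriction, and an audit record for every attempt) can be expressed as a small policy decision function. The following is an added example written for this page, not code from the article or from any product it describes. The classification levels are the four from Step 3; the principals are constructed to mirror the CFO example; the "no highly confidential documents over email" rule is an assumed instance of the text's "certain documents", and the action names and channel names are invented for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum
from typing import List


class Classification(IntEnum):
    """The four levels from Step 3; a higher value means more sensitive."""
    UNRESTRICTED = 0
    INTERNAL_USE_ONLY = 1
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3


@dataclass(frozen=True)
class Principal:
    name: str
    external: bool                 # outside the organisation (auditor, supplier, customer)
    may_send: Classification       # sender privilege: highest level this person may distribute
    may_receive: Classification    # recipient trust: highest level this person may be given


@dataclass
class Decision:
    outcome: str           # "allow" or "deny"
    actions: List[str]     # safeguards applied before the document leaves
    reason: str


@dataclass
class AuditRecord:
    """One line of the audit trail: who tried to send what, to whom, and what happened."""
    when: str
    document: str
    classification: str
    sender: str
    recipient: str
    channel: str
    outcome: str
    actions: List[str] = field(default_factory=list)
    reason: str = ""


def evaluate(document: str, classification: Classification, sender: Principal,
             recipient: Principal, channel: str, audit: List[AuditRecord]) -> Decision:
    """Apply the Step 4 rules to one attempted distribution and record it, allowed or not."""
    actions: List[str] = []
    if classification > sender.may_send:
        decision = Decision("deny", actions, "sender is not privileged to distribute this classification")
    elif channel == "email" and classification == Classification.HIGHLY_CONFIDENTIAL:
        # Assumed blanket rule standing in for the text's "certain documents" that never go over email.
        decision = Decision("deny", actions, "highly confidential documents may not be sent over email")
    else:
        if recipient.external:
            actions.append("strip_metadata")           # applies to every externally bound document
        if classification > recipient.may_receive:
            actions.append("convert_to_non_editable")  # recipient is not trusted with an editable copy
        decision = Decision("allow", actions, "policy satisfied")
    audit.append(AuditRecord(datetime.now(timezone.utc).isoformat(), document, classification.name,
                             sender.name, recipient.name, channel, decision.outcome,
                             list(decision.actions), decision.reason))
    return decision


# Constructed principals mirroring the CFO example from Step 3 (hypothetical names).
CFO = Principal("cfo", False, Classification.HIGHLY_CONFIDENTIAL, Classification.HIGHLY_CONFIDENTIAL)
ANALYST = Principal("finance-analyst", False, Classification.INTERNAL_USE_ONLY,
                    Classification.HIGHLY_CONFIDENTIAL)   # may receive, may not redistribute
AUDITOR = Principal("external-auditor", True, Classification.UNRESTRICTED,
                    Classification.HIGHLY_CONFIDENTIAL)   # trusted external recipient
SUPPLIER = Principal("supplier-contact", True, Classification.UNRESTRICTED,
                     Classification.INTERNAL_USE_ONLY)    # external, trusted only up to Internal Use


def run_scenarios() -> List[AuditRecord]:
    """Walk through four distributions and return the resulting audit trail."""
    audit: List[AuditRecord] = []
    evaluate("acquisition-model.xlsx", Classification.HIGHLY_CONFIDENTIAL, CFO, AUDITOR, "secure_share", audit)
    evaluate("acquisition-model.xlsx", Classification.HIGHLY_CONFIDENTIAL, ANALYST, AUDITOR, "secure_share", audit)
    evaluate("acquisition-model.xlsx", Classification.HIGHLY_CONFIDENTIAL, CFO, AUDITOR, "email", audit)
    evaluate("supplier-contract.docx", Classification.CONFIDENTIAL, CFO, SUPPLIER, "secure_share", audit)
    return audit


if __name__ == "__main__":
    for rec in run_scenarios():
        print(f"{rec.outcome:5} {rec.document:24} {rec.sender:>16} -> {rec.recipient:<16} "
              f"{rec.actions} ({rec.reason})")
```

Two design points matter for the audit requirement in the text: the record is written on the deny path as well as the allow path, so attempted distributions are visible to compliance staff, and the actions list is copied into the record, so a later review can see which safeguard was applied to each document rather than only whether it left.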
5. Regularly audit risk mitigation results
Organizations must put in place mechanisms to both monitor and audit the enforcement, appropriateness and effectiveness of their document integrity safeguards. These processes and safeguards should include:
- Regular audits of the security of information, user acceptance of technology, effectiveness of policy and business productivity, in order to evaluate and measure program effectiveness.
- Regular reviews of the classification of documents and users, in order to ensure the organization is complying with both new regulation and corporate policy.
- Periodic reassessment and measurement of risk, guided by the document integrity components detailed in Step 1.