I can remember the day that I got a house key from my father. This was so exciting – since I was now responsible enough to come and go without an adult at home. (And I was responsible enough not to lose the key.)
For my parents, giving me that key was not only a responsibility issue, but a security issue. Security was a hot topic at the AIIM (Association for Information and Image Management) 2016 conference that we recently attended. That’s not a surprise, since one of the business concerns that we always have to overcome when selling enterprise content management to a customer is risk: the security of the data.
At AIIM, speaker Mark Brousseau, president of Brousseau and Associates, tackled the security topic asking the simple question: Think Your Scanned Images Are Safe? Think Again.
He went on to identify four risks:
1. Not encrypting the data while it’s in motion
2. Unsecured log files
3. Poor visibility into operator activities
4. Poor security management
Every company is faced with the macro concerns of a data breach, which they try to address with their IT policies and protocols for strong passwords, authentication processes and safeguards. With ECM, we share with the customer the key features of the solution that can help them prevent a micro breach or a data breach, especially when taking data in.
Data Encryption – Customers tell us that they are concerned with centralizing their data into one repository because it will give too many people too much access to too many documents. We allay these fears by helping them to understand that they set the business rules for data access, and they have total control over who can access what content.
Tracking and auditing – We help customers create reporting and auditing functions so that they can get periodic updates on who is accessing specific types of information and set up thresholds to identify uncharacteristic activities.
Built-in user group permissions – We can provide authorized users granular levels of access right down to the individual document-level. Our ECM solution provides single sign-on utilizing NT or LDAP authentication protocols, simplifying the administration of security policies.
Secure at rest, in transit and on user devices – Information at rest is encrypted within the database and file services to protect sensitive information, even if unauthorized or malicious server breaches occur. Data in motion is protected with Transport Layer Security (TLS), which safeguards data while it’s being accessed across the internet. It can also protect data being transferred between servers. Data in use on mobile devices, tablets and laptops is encrypted to ensure information is not compromised if an unauthorized person attempts to access the hard drive directly. Our ECM solution supports compliance with standards like PCI DSS.
Masking – Even when users are provided with access to specific documents, there are instances where some aspects of the information are sensitive and should not be visible to them. With ECM, we have the ability to configure masking of data fields to restrict what information is visible.
Redaction – Depending on different business rules, documents can be redacted automatically or manually by users with the proper credentials. When confidential or sensitive information is redacted, different business rules can be enacted so that permanently redacted documents are stored as separate documents. Users given access only to redacted documents will never be able to see the information that was indelibly removed, providing another level of security and safeguard to the most critical information.
Transparency into users’ activities – Our ECM solution enables managers to optimize their business processes and see where improvements can take place. With this visibility, there is no lack of knowledge for management. They are not only assured incremental improvements but also able to find the system or human roadblocks that hamper performance.
Steps for a Security Management Process – Lastly, similar to a document retention policy or the components of an automated workflow, we stress that the client needs to work with IT to build a plan that covers not just the macro level but also the micro level, especially with customer, student or patient data. There are federal regulations for securing electronic patient data, but any sensitive customer data also needs to be safeguarded.
Our ECM solution simplifies the implementation of retention plans and policies. When content is ready for destruction, our solution sends it for review or automatically destroys it according to business requirements. With ECM, your company will minimize risk and ensure compliance by securely storing, protecting and destroying your information in accordance with applicable state and federal regulations.
But, regardless of the technology you have in place to protect your organization, most companies are faced with the hardest factor to configure … and that is their end users. Educating users is often overlooked because of the ongoing process required. As the user is routinely considered the weakest link in the chain, an organization should consider user education to be one of the most important security layers. For instance, if employees do not open that attachment from the Nigerian Prince pen pal, then they will not send sensitive bank details (or money!) to him.