In today's knowledge economy, getting the right information at the right time can make the difference between success and failure. However companies need to put adequate controls in place before sharing information freely. How can we ensure confidential data doesn't fall into the wrong hands?
Before sharing information across the organisation, companies need to put in place a comprehensive scheme that allows for the correct level of control over data. Simply having base-line security in place is not good enough: if security is set too high, it will impede the business, and if the bar is set too low, then confidential information may be at risk.
While most large organisations have given some thought to safeguarding their data, it's an area many SMEs have yet to confront. So while the following advice should be useful to businesses of any size, it's particularly suited to those smaller companies forming their initial data security scheme.
Information ownership
The best way to understand the security or confidentiality implications of any information is to identify its owner. Floris van den Dool, head of Accenture's European security practice, explains: "Many smaller organisations consider that data ownership is the responsibility of the IT department but it is not -- it is the business' responsibility."
In some cases this will be obvious, such as the finance department taking ownership of the financial data, but in others the owner of the information may be more difficult to ascertain.
Building a classification scheme
Once the owner of the data has been identified, companies need to set up an information classification scheme. This practice is common in military and other security-conscious industries but it should be used across all types of organisation. A typical information classification scheme consists of
four levels, such as external, company-confidential, client-confidential and classified.
The lowest level of classification is 'unclassified' information, which can be shared across the organisation and with third parties. The second level should consist of all internal-use information, while the third level contains client-confidential information that can't be shared with all employees in the organisation. Finally, the highest level needs to be information that very few people in the organisation should have access to -- such as legal matters or dealing with the security services.
This four-level classification scheme is just a starting point and it can vary widely across different companies. Applying information classification is difficult in retrospect but fortunately companies will find it much easier to apply these rules to any new information created.
Mike Small, director of security strategy at CA, says: "Information classification is difficult because companies built applications to solve certain business needs and the developers did not consider the requirements of data classification and compliance." This is particularly true when classifying structured information stored in databases.
Identity management
Once the information has been classified, the next step is to enforce the scheme and the best way to do this electronically is through identity management. While it is possible to assign access rights to
individuals, it is much more effective to do it based on the individual's role in the company. Role-based access control (RBAC) software packages help companies automate access control but as CA's
Small, points out, the tools alone are no magic bullet.
He says: "Technology is only part of the process and projects will succeed or fail because of the soft side. Role-based access control tools only work if companies have got clear information on job roles. For example there needs to be a single personnel system, single definition of job functions and a process to track people who change jobs. If these things are not in place, then the software will not work properly."
It's also important to consider all possible situations whereby information could wind up in the wrong hands -- and they're not all digital.
As Dave Martin, managing consultant at LogicaCMG, cautions: "Role-based access helps companies keep electronic information secure but companies also need to address other potential sources of information leaks, such as paper left on the printer and flipcharts."
Access control
To make sure data is secure even if it does fall into the wrong hands, companies should encrypt files. Different information will probably require different encryption policies but typically only encrypting the data when it is stored on the server will cut down on the processing overhead. It is possible to keep files encrypted even when they are being transmitted over the network but this will require all end-user devices to have a decryption capability.
Access to specific information can even be embedded directly in documents by using DRM. This approach also allows users to take classified information out of the organisation on laptops or PDAs and still manage to control who has access to certain information.
Third parties
Companies also need to think about how they can share confidential information with third parties, and this is where federated identity management comes into play. Although federated identity is still relatively unknown in smaller organisations, it will become important as supply chains become increasingly fragmented.
In a nutshell, federated identity allows companies to match job roles and trust another prganisation's ID management systems. They can then give access to shared information to the correct people, without having to have any knowledge about the partner company's security infrastructure.
Companies also need to consider the issue of staff working closely with outsiders. The increasing level of outsourcing often means businesses share data with specialists such as design companies, consultants or advertising agencies who may have other customers who are competitors to your organisation. Some of the information the consultants handle can be extremely sensitive and must not fall into the hands of their colleagues who are working with your competitors.
It's worth it
Securing data may seem like a lot of work but it's clearly worth it. Businesses can still benefit from sharing information across an organisation, as long as they have proper information classification and identity management in place -- and keep security measures commensurate with the value of the information.
In this age of strict regulations on information storage, a good information security scheme will also help companies ensure regulators that only the right people are allowed access to data.
