Physical and Technical
Document Management Security Concerns
eFileCabinet’s Key Recommendations
Security for your organization’s data and documents is a more important issue today than it ever has been. It seems like every few weeks there is another news report of a breach of confidential data at a major company or agency. When that happens, it not only severely damages the reputation of the organization involved, but also reduces confidence in its ability to run its business, and may expose it to lawsuits and even criminal penalties.
Clearly, ensuring that crucial security concerns are well-understood and properly managed is of extreme importance. However, many small and medium businesses may have only a very basic understanding of the overall requirements for their organizations, and even less understanding of how to manage those requirements across both online and on-premise document management resources.
The objective of this paper is to provide a basic overview of these crucial document management security concerns, and to identify specific considerations to use in determining how best to manage those concerns, both online and on-premise. For many companies, using online cloud-based document management exclusively may not be the best option. In fact, according to research conducted by GigaOM, a full 60 percent of businesses plan to use a “hybrid” cloud model for IT resources in the future. In the hybrid model, some resources are online and some resources are kept within the organization. By clearly understanding the security trade-offs, your organization can better manage costs and protect itself against potential security risks and problems.
The U.S. Department of Health and Human Services has created a set of information security standards for the healthcare industry under the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA.2 These standards cover all aspects of an organization’s security, and are too voluminous to be covered adequately here. Rather, we will focus on two specific areas covered by the standards that have the biggest impact on a Document Management Solution: Physical Document Security and Technical or Technological Document Security. It is interesting to note that the HIPAA standards state that they are intended to protect the “confidentiality, integrity, and availability”3 of critical information. What this means for your organization is that when security procedures are properly implemented, the organization does not have to sacrifice availability of information in order to avoid risk. This paper will help you decide the best document management security strategy for your organization that will give you reliable access to the information you need, while protecting you from security risks.
Physical Document Security
In the HIPAA standards, physical security safeguards are defined as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”5 Basically, physical security deals with how you prevent unauthorized physical access to your systems and information. If your organization is a small to medium business, physical security is a very important area for your organization to consider, especially when it comes to on-premise systems. If your environment is like many organizations, this area is where a great deal of potential vulnerability exists.
Important Questions to Ask About Physical Security
Think about this… What does your company do when it is preparing for a financial audit? When you know the auditors are coming, everyone does what they can to make sure that their numbers look as good as possible, and cleans up any neglected “loose ends.” Now assume for a moment that you’ve been tipped off that someone really wants to steal your confidential information or perhaps even destroy it, and that they are going to come to your facilities sometime in the next 30 days. You don’t know who they are, exactly when they will come, or what they will try, just that they are intent on their objective.
Unfortunately, in today’s environment, you really do have to make this kind of assumption in order to adequately protect yourself. The following questions will help you assess how prepared you really are to prevent loss or damage from a breach of your physical security, and how your document management system can help.
It’s extremely important to think about how you control physical access to your electronic information systems and facilities. You want to give relatively easy access to those properly authorized while also preventing or limiting unauthorized access by any “info terrorists.”
Is Our Facility Security Plan Adequate?
In other words, can you prevent unauthorized access to your facilities and systems? One of the best ways to stop a potential attack is to carefully control access to those sensitive facilities and systems in the first place. This may include everything from personnel access controls, signage and warnings, surveillance cameras (be sure to check regulations – cameras may now be required for your operations) and property control tags to alarms.
What Procedures Do We Use to Validate and Control Access?
If you have sensitive information on site, you need documented procedures for determining who can have access and how unauthorized access is prevented. Don’t forget to include visitor control in your procedures. Inevitably, someone will end up having to visit your most secure locations.
How Do We Track Changes to Our Procedures?
It’s a very smart idea to track and record changes and modifications to facility access controls. Repairs and upgrades – everything from changing locks or combinations to installing new security devices – should be properly documented. What if your visitor shows up as a security systems repair person?
What Happens In Emergency Situations?
How do your procedures change if there is an emergency or disaster? What if your visitor causes a flood or some other problem? If your organization has sensitive on-premise systems, you should anticipate and plan out how access to physical facilities can still be properly allowed and controlled in an emergency situation.
Examine carefully the work environment for workstations (and their surroundings) that are used to access sensitive information. If a thief can photograph screen shots from across the street, or observe a laptop in a crowded restaurant, they may never need to gain access to your facility. Specific issues to consider here include:
Have We Placed Workstations to Prevent Unauthorized Viewing?
Have Workstations Been Placed Near Windows?
What Types of Workstations Have We Authorized to Access Sensitive Information?
Do We Have Similar Rules for Workstations in Remote Locations?
For some organizations, security is so important that they only allow access to sensitive data from specific workstations in a secure room. This may be overkill for your organization, but it might be helpful in evaluating your physical security to assume that your determined visitor has somehow gained access to your facility and is looking for a workstation to use.
Do We Understand the Security Limitations of All Our Workstations?
What about smart phones and tablets?
Do We Allow Storage of Sensitive Information on the Workstation?
In some situations it might make sense to have a different policy for laptops and portable devices.
Will Workstation Settings Allow for Automatic Login to Secure Systems?
Do We Share Sensitive Information With Partners and Customers, and if so, How Do We Maintain Security?
If you have on-premise systems with highly confidential data covered by specific regulations, this may be an area where you can encounter some very stringent requirements with your data security efforts. Will a potential thief find it as easy as picking up a backup tape or DVD and walking out with it?
How Do We Dispose of Old Data Storage?
If you just throw out old hard disks, CDs, DVDs or tapes, your thief may only need to check your trash.
Do We Re-use Media?
Media with sensitive info that might be re-used or even donated to charitable organizations needs to have a data removal process thorough enough to prevent any access to previously stored information.
Do We Need to Track Where Our Media Goes?
Again, depending on how sensitive your data is, you may wish to record all the movements of hardware and electronic media containing sensitive information and who is responsible for that movement. This can become an arduous task, tracking disks, tapes, jump drives and even smart phones.
Are Our Data Backup and Storage Policies Adequate?
It is wise to examine your backup policies to determine if they are happening frequently enough, and how they are stored. Off-site storage of backup information is simply a good idea even if you don’t consider your information terribly confidential. Just imagine how you would get your business up and running again if a fire destroyed your facility.
There is little doubt that physical security is a more difficult, and typically somewhat more expensive, proposition for those with on-premise document management of sensitive information. Having a server or PC on site that is the central repository for confidential information will simply require additional controls for that system. That said, it is also true that a solid on-premise document management system can be much more secure than physical storage of the documents themselves. The best document management systems will have features that can help you dramatically improve physical security for on-premise systems.
Encrypted Storage – Storage of sensitive data in an encrypted format can provide an extra level of security should someone gain physical access to a sensitive server or PC.
Role-Based Security – Sophisticated role-based security features that change system capabilities depending on the user can prevent unauthorized users from writing data to a jump drive, DVD or other device.
Integrated Online Backup – Online backup capabilities added to your on-premise document management will make it much easier to ensure you have off-site storage of your critical data in the event of a disaster.
Automatic Backup – Features to allow scheduling of automatic backups, particularly when combined with integrated online backup will help keep your backup storage up to date.
Document Sharing – Some on-premise document management systems have optional online document sharing capabilities to ensure security when working with partners and customers.
For many organizations, managing their documents online or “in the cloud” is a good solution because it shifts a significant portion of the responsibility for physical security to the service provider, which handles many of these issues. In addition to the benefits listed above for on-premise systems, cloud-based systems can help with physical security in the following ways:
Access Control – Cloud-based document management systems are typically housed in highly secure facilities with very sophisticated intrusion detection, video surveillance and visitor logging. For a small business, using a good online document management service provider can provide a level of physical security that is overly expensive or simply impractical when using an on-premise system.
Certifications – If your industry requires certifications or accreditations for physical security, the best cloud-based systems will typically have already established compliance with those regulations.
Backups and Storage – Cloud-based systems will automatically manage appropriate scheduling and performance of all backups, and ensure that data is properly secured and stored. In addition, the best services will ensure that your data is securely stored in multiple geographic locations to ensure availability in the event of a natural disaster.
Environment Control – State-of-the-art climate control, power control, and fire detection are standard with the best cloud-based systems, providing a level of security that may be difficult to replicate in a small office.
Document Sharing – With the best cloud-based document management services, highly secure document sharing capabilities are tightly integrated with the system. In some cases, they also include role-based capabilities to ensure security and effective collaboration with partners or customers.
Technological Document Security
When we think of electronic or technological security, most of us think of a “hacker” slouching in front of his PC in a darkened room somewhere with empty energy drink cans strewn about. While that is definitely a concern, it is important to remember that the threat to your sensitive information can just as easily come from foreign government agencies, unscrupulous competitors, or even employees. Because of the pace with which technology advances, this is probably the most fluid and consequently the least well-defined area for system security. For that reason, it is important to keep up to date with where your vulnerabilities may lie.
Important Questions to Ask About Technological Security
To evaluate your potential risk from a technological security standpoint, let’s take a closer look at that imaginary thief who is trying to steal your information or damage your systems electronically instead of physically. That scruffy “hacker” has matured a little and gotten a real job, one that pays very well. He or she has regular performance evaluations and a manager to report to. His or her skills have even improved because of training and talented co-workers. Not only that, but their employer makes sure they have access to the latest technology. Unfortunately, their job is still to steal your data or cause you trouble.
It may seem like a daunting task, but the following questions will help you understand what you can do to minimize your technological security risk and the help you can get from a good document management system.
This is where we look at policies and procedures that give authorized individuals proper access to sensitive information while preventing electronic access to those like our “hacker” who do not have authorization.
How Do We Uniquely Identify Each User?
Examine how we create and assign unique names and/or numbers to identify each individual user and track the activity of that user identity within the system. Do we have policies and penalties in place to prevent sharing of user IDs?
How Do We Authenticate the User?
This may be as simple as a password, or as complex as a retina scan or sophisticated challenge mechanism. If passwords are used, there should be a policy in place to ensure they are kept confidential and changed periodically.
Will We Still Be Able to Securely Access Information During an Emergency?
If we haven’t planned ahead, we might find that gaining secure access to our sensitive information during a natural disaster or emergency becomes problematic. In some cases, organizations may unwittingly leave openings in their electronic security during an emergency. If that is the case, all the hacker has to do is cause an emergency.
Do Our Systems Have Automatic Logoff?
An unattended system that is logged in to the document management system is a much bigger security risk.
Is Our Data Properly Encrypted?
The most secure systems encrypt data whenever it is sent and give you the option of encrypting it when it is stored on disk. You should expect this level of encryption from your cloud-based systems provider. If you have a home-grown on-premise system, this is something you should seriously consider for your sensitive information.
Good audit controls provide a record of most activity within a document management system, identifying who accessed information, when they accessed it, and what modifications they made. The better the audit controls are, the better you can deal with potential security problems.
We might have the most secure servers and the most security-conscientious employees in the world, but if our data isn’t secure when it travels across a network, especially a public network, we are still quite vulnerable.
Can We Ensure Data Integrity During Transmission?
Using proper network communication security protocols will help identify and prevent potential capture or alteration of data during transmission.
Is Information We Send Over Public and Private Networks Properly Encrypted?
Typically, if data is worth protecting, it is worth encrypting when it is sent. Even with proper communication protocols, data can be intercepted. But with proper encryption, it becomes extremely difficult to interpret.
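The integrity check described in the two questions above, as an added example that is not part of the eFileCabinet white paper: the sender attaches a keyed tag (HMAC-SHA256) to each message and the receiver recomputes it, so any alteration on the wire is detected and an interceptor without the shared key cannot forge a valid tag. This is the kind of per-record integrity protection that transport protocols such as TLS provide; it covers integrity only, and the encryption that keeps the content unreadable is a separate layer. The key, message and function names are constructed for this example.

```python
"""Tamper detection for data in transit with a keyed MAC (HMAC-SHA256).

Added example, not code from the white paper or from eFileCabinet.
Models the integrity check a transport protocol performs on every record.
"""
import hashlib
import hmac
import os


def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute the 32-byte HMAC-SHA256 tag of message under key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, message: bytes):
    """Sender side: transmit the message together with its tag."""
    return message, make_tag(key, message)


def receive(key: bytes, message: bytes, tag: bytes) -> bytes:
    """Receiver side: accept the message only if the tag verifies.

    compare_digest runs in constant time so tag bytes are not leaked
    through timing differences.
    """
    if not hmac.compare_digest(make_tag(key, message), tag):
        raise ValueError("integrity check failed: message or tag altered")
    return message


def demo():
    """Exercise the three cases: intact, altered in transit, forged tag."""
    # Constructed shared key; a real protocol negotiates this at session setup.
    key = os.urandom(32)
    msg, tag = send(key, b"Transfer approval: invoice 1047, amount 1200.00")

    # 1. Untouched message verifies.
    intact_ok = receive(key, msg, tag) == msg

    # 2. Message modified on the wire, original tag replayed: rejected.
    altered = msg.replace(b"1200.00", b"9200.00")
    try:
        receive(key, altered, tag)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    # 3. Interceptor computes a tag with a key of its own: rejected.
    forged_tag = make_tag(os.urandom(32), altered)
    try:
        receive(key, altered, forged_tag)
        forge_rejected = False
    except ValueError:
        forge_rejected = True

    return intact_ok, tampered_rejected, forge_rejected


if __name__ == "__main__":
    print(demo())
```

The receiver never acts on a message before the tag verifies; in a real deployment the key would be derived from the session handshake rather than generated locally, and the message would also be encrypted so that interception yields nothing readable.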
Perhaps the primary concern to consider here is whether you have a “home-grown” document management system, or whether you are considering a system provided by a vendor. If you have your own system, it will be your responsibility to keep up with technology risks. The best third-party on-premise document management systems will be able to provide you with regular security feature updates to minimize your risk.
User ID and Password Management – Good third-party systems have features that allow you to properly manage user IDs and passwords. Some will allow you to require periodic password changes and set password security levels that must be met.
Role-Based Security – Role-based security features can determine what kind of access or capability is granted to different users based on their role.
Automatic Logoff Settings – Allow you to set defaults for how long a session on your document management system can be idle before it is terminated.
Audit Controls – Good third-party document management systems have sophisticated audit controls to help you determine activity patterns and potential security issues on your system.
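How the role-based security, automatic logoff and audit control features listed above fit together, as an added example that is not eFileCabinet’s code and not a description of any particular product: every action is performed under a uniquely identified user, permissions come from the user’s role rather than the individual, an idle session is terminated once it exceeds a configurable timeout, and every attempt, allowed or denied, is recorded with who, what, when and the outcome so that activity patterns can be reviewed later. The roles, users, document names and timeout value are constructed for this example; the clock is injectable so the timeout behaviour can be exercised without waiting.

```python
"""Role-based access, automatic logoff and an audit trail for a document store.

Added example, not code from the white paper or from eFileCabinet.
All roles, users and documents below are constructed for illustration.
"""
from dataclasses import dataclass
import time

# Permissions are attached to roles, never to individual users.
ROLE_PERMISSIONS = {
    "reader": {"view"},
    "editor": {"view", "edit"},
    "admin": {"view", "edit", "export", "delete"},
}


@dataclass
class Session:
    user_id: str
    role: str
    last_active: float
    active: bool = True


class DocumentSystem:
    def __init__(self, idle_timeout_s: float = 900.0, clock=time.monotonic):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock        # injectable clock for deterministic tests
        self.audit_log = []       # (timestamp, user_id, document, action, outcome)
        self.sessions = {}        # user_id -> Session
        self.documents = {}

    def _audit(self, user_id, doc, action, outcome):
        self.audit_log.append((self.clock(), user_id, doc, action, outcome))

    def login(self, user_id: str, role: str) -> Session:
        """Open a session for a uniquely identified user with a known role."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role")
        session = Session(user_id, role, self.clock())
        self.sessions[user_id] = session
        self._audit(user_id, "-", "login", "ok")
        return session

    def act(self, user_id: str, doc: str, action: str) -> bool:
        """Authorize one action; every outcome is written to the audit log."""
        session = self.sessions.get(user_id)
        now = self.clock()
        if session is None or not session.active:
            self._audit(user_id, doc, action, "denied:no-session")
            return False
        # Automatic logoff: an idle session past the timeout is terminated.
        if now - session.last_active > self.idle_timeout_s:
            session.active = False
            self._audit(user_id, doc, action, "denied:auto-logoff")
            return False
        session.last_active = now
        # Role-based check: the role, not the user, decides what is allowed.
        if action not in ROLE_PERMISSIONS[session.role]:
            self._audit(user_id, doc, action, "denied:role")
            return False
        self._audit(user_id, doc, action, "ok")
        return True

    def activity_for(self, doc: str):
        """Audit view: everything that happened to one document."""
        return [e for e in self.audit_log if e[2] == doc]


class FakeClock:
    """Constructed clock so the idle timeout can be exercised instantly."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    dms = DocumentSystem(idle_timeout_s=900.0, clock=clock)
    dms.login("alice", "editor")
    dms.login("bob", "reader")
    results = []
    clock.advance(10)
    results.append(dms.act("alice", "contract.pdf", "edit"))     # allowed
    results.append(dms.act("bob", "contract.pdf", "edit"))       # denied: role
    results.append(dms.act("bob", "contract.pdf", "export"))     # denied: role
    clock.advance(1000)                                           # past timeout
    results.append(dms.act("alice", "contract.pdf", "view"))     # denied: auto-logoff
    results.append(dms.act("alice", "contract.pdf", "view"))     # denied: no session
    results.append(dms.act("mallory", "contract.pdf", "view"))   # denied: no session
    return results


if __name__ == "__main__":
    print(demo())
```

Denied attempts are logged as deliberately as successful ones; a run of `denied:role` entries against one document from one user is exactly the activity pattern an audit control is meant to surface.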
From an electronic security standpoint, some organizations may assume that cloud-based systems must be less secure than on-premise systems. However, the best cloud-based systems include all of the security features mentioned above as well as the benefits listed below. The bottom line is that cloud-based document management services can be used even for the most secure applications.
Emergency Access – The bottom line here is that your access methods and security shouldn’t change at all in an emergency. You might have to access it from a different location, but it will still be just as secure.
Remote Access – One of the clear benefits of an online solution is that you will have secure access to your document management system even when you are not in your office.
Certifications – As with certifications regarding physical access, the best online systems will also have taken care of the appropriate electronic requirements for certifications and accreditations.
Data Encryption – The best cloud-based systems will ensure that your data is properly encrypted whenever it is transmitted or sent, so that anything intercepted in transit cannot be read.
Document Sharing – Doing your document management in the cloud provides the best security for securely sharing documents between your partners and customers with configurable security levels.
Security is a rapidly growing concern for nearly all entities. Whether it is personal customer information, credit card numbers or sensitive personnel data, document management solutions will need to be kept as up-to-date as possible to deal with potential electronic and physical security threats.
As those threats are becoming more profound, the potential risk from a breach is becoming more and more severe. In addition to substantial penalties from regulatory organizations or service providers, the potential damage to an organization’s reputation resulting from a data breach can be devastating.
By a careful analysis of your organization’s risk profile, and by using the recommendations and observations in this white paper, your organization can find the best balance between cloud-based and on-premise document management. As a result, you will be able to minimize your overall security risk, and maximize the return on your document management system.
1 – Forget Public Private Clouds The Future is Hybrids
2 – HIPAA Security Rule
3 – Security 101 for Covered Entities, HIPAA Security Series, US Dept. Of Health and Human Services
4 – Security Standards: Physical Safeguards, HIPAA Security Series, US Dept. Of Health and Human Services
eFileCabinet is a leading provider of electronic document management software for small to mid-sized businesses. With electronic sharing capabilities and paperless filing, you can cut out pounds of paper and save your business time and money. With features like eSignatures, optical character recognition, instant electronic sharing, and cloud-based file storage, eFileCabinet can bring your office into the paperless era.