What separates most DMS solutions from others in terms of information security is not only where data is stored to enable recovery in the event of its loss, but also how many physical and virtual locations the data is backed up in; the gold standard is three of each. These multiple points of presence (MPoPs) ensure that, in the event of a natural disaster or an office break-in, the integrity of the data is retained and a replica is available to restore the organization's functions. However, most DMS vendors do not set up multiple physical copies of the data in on-premises solutions; organizations that want them would, in many cases, need to set them up themselves.
Before continuing, one caveat: the security essentials differ between data in transit and data at rest. Data in transit is the most at-risk data, and the best DMS products have client-sharing portal capabilities that send sensitive information securely (covering data in transit). However, data at rest is a security issue too, since roughly half of organizational data breaches worldwide result from employees' errors or malicious intent.
As a general security standard for document management and enterprise content management solutions, information should be stored in data centers or transmitted through technologies that have achieved one of the following standards or attestations:
1. SSAE 16 (Statements on Standards for Attestation Engagements No. 16) is a more complete and dependable set of information security standards than its predecessor benchmark, SAS 70. The best DMS solutions will have passed an SSAE 16 audit, a standard for data centers' controls devised by the AICPA (American Institute of Certified Public Accountants). Despite the accounting-specific origins of this attestation, it benefits organizations in any industry.
2. Level 1 PCI DSS (Payment Card Industry Data Security Standard) compliance: a guideline in legal accordance with ISO standard 27001, and one of great relevance, particularly to the accounting and finance industries. This standard ensures information continuity, accessibility, and confidentiality for functions such as asset management. Finance and accounting firms and organizations can obtain ISO 27001 certification through NQA (National Quality Assurance) at NQA.org.
3. SAS 70 Type 1 attestation: this service auditor's report includes a description of the controls and their operating effectiveness, and offers fraud and security intelligence services for organizations.
4. SAS 70 Type 2 attestation: SAS 70 Type 2 and Type 1 attestations differ in several ways as they pertain to DMS. Information on the tests and operating effectiveness, as administered by the quality assurance professional, is optional in a Type 1 report, whereas a Type 2 report always includes it. This, too, offers fraud and security intelligence services for organizations.
5. 256-bit Advanced Encryption Standard (AES-256): relevant to client-sharing portals (which stand to supplant email for transmitting sensitive information in the near future) in document management software. Although this standard was issued by the National Institute of Standards and Technology (NIST) in 2001, it remains relevant and accommodates today's technologies.
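The AES-256 item above names a key size but not how a sharing portal would actually apply it to a document, and a bare 256-bit key says nothing about integrity. The Go program below is an added illustration, not code from any DMS product or from this article: it encrypts a document with AES-256 in GCM mode so that both confidentiality and tampering detection are covered, binds the intended recipient into the authenticated metadata, and refuses a 16-byte key (which would silently select AES-128). It assumes the portal already shares a 256-bit key between sender and receiver (key management is out of scope here); the sample document and metadata strings are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize is 32 bytes: AES-256 is selected purely by key length, so a
// 16-byte key would silently give AES-128. Anything but 32 is rejected.
const keySize = 32

// NewKey returns a fresh random 256-bit key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD, refusing keys of any other size.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptDocument seals a document for a sharing portal. A random nonce is
// generated per call and prepended to the output (nonce || ciphertext || tag),
// so the receiver needs only the key. aad is authenticated but not encrypted;
// binding the intended recipient into it means the same blob cannot be
// re-labelled for someone else without the tag check failing.
func EncryptDocument(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, giving nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptDocument reverses EncryptDocument. Any modification to the nonce,
// ciphertext, tag or aad makes Open return an error instead of plaintext.
func DecryptDocument(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document and metadata for this example.
	doc := []byte("Q3 payroll summary (constructed sample)")
	aad := []byte("recipient=client-portal-user-42;file=payroll-q3.pdf")

	sealed, err := EncryptDocument(key, doc, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(doc), len(sealed))

	if pt, err := DecryptDocument(key, sealed, aad); err == nil {
		fmt.Printf("round trip ok: %q\n", pt)
	}

	// Flip one bit of the ciphertext: GCM's tag check rejects the blob.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	if _, err := DecryptDocument(key, tampered, aad); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	// Same blob presented under a different recipient label: also rejected.
	if _, err := DecryptDocument(key, sealed, []byte("recipient=someone-else")); err != nil {
		fmt.Println("mislabelled blob rejected:", err)
	}
}
```

The design point is that "256-bit AES" alone is a key-length claim; a portal that uses AES-256 in a mode without authentication (ECB or plain CBC) would still let a stored or intercepted document be altered undetected. GCM supplies the integrity check, and the authenticated metadata ties each encrypted blob to the recipient it was issued for.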