Are your organization’s document management security inefficiencies leaving you open to legal and economic repercussions?
Compliance with mandates such as the Privacy Act, Freedom of Information Act, HIPAA and the Sedona Principles for e-discovery and disclosure is causing ongoing concern within government agencies and corporations…and an increased need for solid document security.
6 Facts You Should Know About U.S. Business Documents
• Over 30 billion original documents are used each year in the United States.
• The cost of documents to corporations is estimated to be as much as 15 percent of annual revenue.
• 85 percent of documents are never retrieved.
• 50 percent of documents are duplicates.
• 60 percent of documents are obsolete.
• For every dollar that an organization spends to create a final document, 10 dollars are spent to manage the document creation process.
SOURCE: Microsoft Corporation
Electronic Document Management Systems (EDMS) are electronic repositories designed to provide organized, readily retrievable collections of information for the life cycle of the documents.
But how can you keep these electronic files secure during the entire chain of custody?
18 Security Suggestions
1. Plan how the documents will be organized and accessed before they are scanned.
Paper documents may be secured by locking them in a file cabinet or safe. Before they are digitized, however, a security hierarchy must be carefully planned, to avoid inadvertent disclosure.
2. Electronic documents need to be preserved in an original and unchangeable format.
It is important to preserve the original files in an unalterable state in order to add legitimacy to the system. For scanned documents, PDF is a standard storage format; searchable PDF is even better.
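Preserving originals in an unalterable state is only provable if you can later show that a file is byte-for-byte what was ingested. The following is an added example, not code from the original post or from any EDMS product: it records a SHA-256 digest for every archived original in a manifest at ingest time and later reports anything modified, removed or added. The archive layout and the sample "scans" are constructed for illustration; in practice the manifest itself must be kept where archive users cannot rewrite it (signed, or on write-once storage).

```python
"""Integrity manifest for archived originals.

Added example, not the page's code. Assumes originals are kept under an
archive directory and that a manifest of SHA-256 digests is recorded at
ingest time and stored where the archive's users cannot modify it.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large scans do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(archive: Path) -> dict:
    """Map every file under the archive (relative POSIX path) to its digest."""
    return {
        p.relative_to(archive).as_posix(): sha256_file(p)
        for p in sorted(archive.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def write_manifest(archive: Path, manifest: dict) -> None:
    (archive / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(archive: Path) -> dict:
    return json.loads((archive / MANIFEST).read_text())


def verify_manifest(archive: Path, manifest: dict) -> dict:
    """Report files changed, removed or added since the manifest was recorded."""
    current = build_manifest(archive)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: archive two scans, record the manifest, then alter
    one scan and drop in an unrecorded file; returns the verification report."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d) / "archive"
        archive.mkdir()
        (archive / "invoice-0001.pdf").write_bytes(b"%PDF-1.4 constructed scan A")
        (archive / "invoice-0002.pdf").write_bytes(b"%PDF-1.4 constructed scan B")
        write_manifest(archive, build_manifest(archive))
        # Tampering after ingest: one original edited, one stray file added.
        (archive / "invoice-0002.pdf").write_bytes(b"%PDF-1.4 edited after archiving")
        (archive / "note.txt").write_bytes(b"not part of the archived set")
        return verify_manifest(archive, load_manifest(archive))


if __name__ == "__main__":
    print(demo())
```

Run the verification on a schedule and on every retrieval that will be relied on in litigation; a non-empty "modified" or "missing" list is the signal that the chain of custody for that original can no longer be asserted.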
3. Design a scalable security implementation as part of your documentation management workflow.
You need to develop a consistent, scalable security hierarchy that’s easy to administer and update as staff and roles change.
4. Plan to apply security to collections of documents rather than individually.
This makes your security easier to manage. It’s a waste of time to manually adjust permission settings on a multitude of documents.
5. Grant access rights via Active Directory.
Enable rights to the EDMS application through Active Directory. This enables assignment of individual and group rights, as necessary, as well as making it easier to change or update security as your organization and document security needs change.
6. Design security roles within the EDMS application.
While rights to the application may be established via Active Directory, establishment of security roles within the application facilitates a more granular approach to controlling who can see various collections of documents, as well as who can administer the application.
7. Ensure mobile security.
If your employees access the document repository via mobile phones or tablets, you should disable automatic login so that the secure information is not compromised should a device be lost or stolen.
8. Focus primarily on internal security.
The majority of security issues with documents are due to internal mismanagement or manipulation. The biggest threat may already be inside your firewall. It is important to protect documents from insiders – employees who may want to steal information such as customer bank account numbers or electronic medical records. Innocent threats include inadvertent deletion of documents. This may be controlled through the use of read-only permission assignment to document storage areas.
9. Keep documents on a need-to-know basis.
One of the simplest and most effective ways of ensuring document security is to allow employees or contractors access to sensitive files only when they have a need for such access, and only for as long as they need it. This prevents inappropriate access to those documents at a later date and helps protect your company from potential litigation.
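Suggestions 4, 5, 6 and 9 describe one access model: directory groups identify people, application roles say what a role may do, grants bind a role to a group on a collection rather than on single documents, and need-to-know access carries an expiry. The block below is an added example of that model and is not code from the original post or from any EDMS product. The group membership dict stands in for Active Directory, and the role names, collection names and document ids are constructed for illustration.

```python
"""Collection-level, group-based access control with time-bounded grants.

Added example, not the page's or any EDMS product's code. Directory groups
(the Active Directory side) are modelled as a dict of group -> members; roles
(viewer/editor/admin) are application-side; a grant attaches a role to a group
on a collection, never on an individual document, and may carry an expiry so
need-to-know access lapses on its own.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Application-side roles and the actions each permits (constructed).
ROLE_ACTIONS = {
    "viewer": {"view"},
    "editor": {"view", "edit"},
    "admin": {"view", "edit", "delete", "administer"},
}


@dataclass
class Grant:
    group: str                          # directory group that receives the role
    collection: str                     # document collection the role applies to
    role: str
    expires: Optional[datetime] = None  # None means standing access


@dataclass
class Edms:
    groups: dict = field(default_factory=dict)       # group -> set of users (stand-in for AD)
    collections: dict = field(default_factory=dict)  # doc_id -> collection name
    grants: list = field(default_factory=list)

    def user_groups(self, user: str) -> set:
        return {g for g, members in self.groups.items() if user in members}

    def grant(self, group, collection, role, ttl: Optional[timedelta] = None, now=None):
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role {role!r}")
        now = now or datetime.now(timezone.utc)
        self.grants.append(Grant(group, collection, role, now + ttl if ttl else None))

    def can(self, user, action, doc_id, now=None) -> bool:
        """Deny by default; allow only via a live grant on the document's collection."""
        now = now or datetime.now(timezone.utc)
        collection = self.collections.get(doc_id)
        if collection is None:
            return False
        mine = self.user_groups(user)
        return any(
            g.group in mine and g.collection == collection
            and (g.expires is None or now < g.expires)
            and action in ROLE_ACTIONS[g.role]
            for g in self.grants
        )

    def purge_expired(self, now=None) -> int:
        """Drop lapsed grants; returns how many were removed."""
        now = now or datetime.now(timezone.utc)
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires is None or now < g.expires]
        return before - len(self.grants)


def demo() -> dict:
    """Constructed scenario: finance staff, a time-boxed auditor, and an admin group."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    e = Edms(
        groups={"Finance": {"alice", "bob"}, "Auditors": {"carol"}, "EDMS-Admins": {"dave"}},
        collections={"inv-0001": "finance/invoices", "inv-0002": "finance/invoices",
                     "emp-0042": "hr/personnel"},
    )
    e.grant("Finance", "finance/invoices", "editor", now=t0)
    e.grant("Auditors", "finance/invoices", "viewer", ttl=timedelta(days=30), now=t0)
    e.grant("EDMS-Admins", "finance/invoices", "admin", now=t0)
    e.grant("EDMS-Admins", "hr/personnel", "admin", now=t0)
    later = t0 + timedelta(days=31)
    return {
        "alice_edits_invoice": e.can("alice", "edit", "inv-0002", now=t0),
        "alice_views_hr": e.can("alice", "view", "emp-0042", now=t0),
        "carol_views_during_audit": e.can("carol", "view", "inv-0001", now=t0),
        "carol_edits_during_audit": e.can("carol", "edit", "inv-0001", now=t0),
        "carol_views_after_audit": e.can("carol", "view", "inv-0001", now=later),
        "dave_deletes_hr": e.can("dave", "delete", "emp-0042", now=t0),
        "unknown_doc": e.can("dave", "view", "doc-9999", now=t0),
        "purged": e.purge_expired(now=later),
    }


if __name__ == "__main__":
    print(demo())
```

Because every check resolves document to collection and user to groups, a new hire is handled by adding them to a directory group, and a finished audit engagement is handled by letting its grant expire; no per-document permission edits are ever needed.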
10. Ensure provisions are in place to prevent user error.
Ensure that there are provisions in place to prevent non-malicious events such as accidental deletion or modification of documents from occurring by users. Remember that your employees are your most valuable assets but they are also the most likely to make mistakes. These unintentional mistakes can hurt your company’s reputation.
11. Only collect information you need.
Be sure each piece of information you gather is necessary for any of the current functions or activities of your organization or agency. If you don’t need it, don’t collect it in the first place. Also…don’t collect personal information just because you think that you will use that information at a later date. Don’t store what you don’t need.
12. “Clean” information from desktop machines, mobile devices and tablets.
Be sure all personal information has been removed from electronic devices before you assign them to a different user, or send them to be recycled.
13. Be careful who has permission to download files to local machines.
Disable electronic document exports for employees who do not have permission to store sensitive documents locally.
14. Protect your document files from natural disasters.
Are your records and documents protected from fire, flood, and natural disasters? Have a backup plan that saves files in an alternative location should a disaster occur.
15. Don’t store information any longer than you need it.
It is just as important to delete files as to keep them. Review records retention guidelines. If you don’t have a records retention schedule, create one. Schedule the destruction of electronic records you do not need to archive once they reach the end of their useful life.
16. Secure those email accounts and archives.
Email is a vital tool for all organizations. Yet it can expose your agency to significant risks due to the unintentional disclosure of confidential information, as well as data loss or destruction due to viruses or the unintentional downloading of other malware programs. Secure your employee email accounts and archives, and control via policy the types of attachments that may be emailed.
17. Watch that metadata.
When your employees create files using word processing or other applications, information about them and the edits they make is stored as hidden information within the document file. This information is called metadata. It can become visible accidentally – when a file is improperly converted, or when a corrupted file is opened. Reduce or eliminate the metadata in your documents before you store them electronically.
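To make the metadata concrete: a .docx file is a zip package, and the author, last editor, revision count and timestamps live in the part docProps/core.xml. The block below is an added example, not code from the original post, that reads those core properties and rewrites the package with all but an allow-listed set removed, using only the Python standard library. The sample document is constructed inline; comments, tracked changes and custom properties live in other parts and are not handled here.

```python
"""Inspect and strip Office core metadata (docx) before archiving.

Added example, not the page's code. A .docx is a zip; author, last editor,
revision count and timestamps live in docProps/core.xml. The sample document
below is constructed; comments, tracked changes and custom properties are in
other package parts and are out of scope for this block.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "dcmitype": "http://purl.org/dc/dcmitype/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():          # keep the conventional prefixes on re-serialisation
    ET.register_namespace(prefix, uri)

CORE_PART = "docProps/core.xml"


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def read_core_metadata(docx: bytes) -> dict:
    """Return {property_name: value} from docProps/core.xml (empty if absent)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        if CORE_PART not in z.namelist():
            return {}
        root = ET.fromstring(z.read(CORE_PART))
    return {_local(el.tag): (el.text or "") for el in root}


def strip_core_metadata(docx: bytes, keep=("title",)) -> bytes:
    """Rewrite the package with every core property not in `keep` removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE_PART:
                root = ET.fromstring(data)
                for el in list(root):
                    if _local(el.tag) not in keep:
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


def make_sample_docx() -> bytes:
    """Constructed minimal .docx with populated core properties."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
<dc:title>Quarterly report</dc:title><dc:creator>j.smith</dc:creator>
<cp:lastModifiedBy>a.jones</cp:lastModifiedBy><cp:revision>14</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2024-01-08T09:00:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2024-02-02T17:30:00Z</dcterms:modified>
</cp:coreProperties>"""
    document = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p><w:r><w:t>Body text</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CORE_PART, core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_docx()
    print("before:", read_core_metadata(sample))
    print("after: ", read_core_metadata(strip_core_metadata(sample)))
```

Run read_core_metadata over a sample of files already in the repository to see how much author and editing history is being archived; run strip_core_metadata at the ingest step so the stored copy never carries it.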
18. Be sure you really delete those files.
When you destroy electronic records from your EDMS, be sure they are gone for good. Many people don’t realize that files that have been deleted can be recovered using forensic recovery software. Ensure that hard drives are “scrubbed” so that the data is not recoverable.
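Suggestions 15 and 18 together describe one procedure: a retention schedule decides which records are due, legal holds override it, and destruction must leave nothing recoverable. The block below is an added example of that procedure, not code from the original post: it computes disposition dates per record class, skips held records, and overwrites each due file before unlinking it. The retention schedule, record classes and files are constructed. One caveat a practitioner should know: overwriting in place is only meaningful on media that rewrite blocks in place; SSDs, copy-on-write filesystems, snapshots and backups can keep older copies, so pair this with full-disk encryption and certified wiping or physical destruction of retired drives.

```python
"""Retention-driven disposition of EDMS records, with overwrite-before-unlink.

Added example, not the page's code. The retention schedule, record classes and
file layout are constructed. Overwriting helps only on media that rewrite
blocks in place; SSDs, copy-on-write filesystems, snapshots and backups may
retain older copies, so drive-level wiping or destruction is still needed.
"""
import os
import secrets
import tempfile
from datetime import date
from pathlib import Path

# Constructed retention schedule: years to keep each record class after closure.
RETENTION_YEARS = {"invoice": 7, "marketing": 2, "medical": 10}


def disposition_date(record_class: str, closed_on: date) -> date:
    """Date on which a record reaches the end of its retention period."""
    years = RETENTION_YEARS[record_class]
    try:
        return closed_on.replace(year=closed_on.year + years)
    except ValueError:                       # 29 Feb closing date, non-leap target year
        return closed_on.replace(year=closed_on.year + years, day=28)


def due_for_destruction(records: list, today: date) -> list:
    """Ids of records past their disposition date that are not under legal hold."""
    return sorted(
        r["id"] for r in records
        if not r.get("legal_hold") and disposition_date(r["class"], r["closed_on"]) <= today
    )


def secure_delete(path: Path, passes: int = 2) -> bool:
    """Overwrite the file's bytes (random data, then zeros), sync to disk, then unlink."""
    size = path.stat().st_size
    with path.open("r+b") as f:
        for i in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size) if i < passes - 1 else b"\x00" * size)
            f.flush()
            os.fsync(f.fileno())
    path.unlink()
    return not path.exists()


def run_disposition(records: list, today: date) -> dict:
    """Destroy every due record; report what was destroyed and what was retained."""
    due = set(due_for_destruction(records, today))
    destroyed = [r["id"] for r in records if r["id"] in due and secure_delete(r["path"])]
    retained = [r["id"] for r in records if r["id"] not in due]
    return {"destroyed": sorted(destroyed), "retained": sorted(retained)}


def demo() -> dict:
    """Constructed scenario run in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)

        def rec(rid, cls, closed, hold=False):
            p = root / f"{rid}.pdf"
            p.write_bytes(b"%PDF-1.4 constructed record " + rid.encode())
            return {"id": rid, "class": cls, "closed_on": closed, "path": p, "legal_hold": hold}

        records = [
            rec("inv-2015", "invoice", date(2015, 6, 30)),          # due 2022: destroy
            rec("inv-2020", "invoice", date(2020, 6, 30)),          # due 2027: keep
            rec("mkt-2019", "marketing", date(2019, 1, 15), True),  # due 2021 but on legal hold
            rec("med-2010", "medical", date(2010, 5, 5)),           # due 2020: destroy
        ]
        result = run_disposition(records, date(2024, 3, 1))
        result["files_left"] = sorted(p.name for p in root.iterdir())
        return result


if __name__ == "__main__":
    print(demo())
```

The legal-hold flag is the part most often missed: a record that is due under the schedule but subject to litigation or an open request must be retained, and the disposition run should log both lists so the destruction can be evidenced later.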
Blue Mountain Data Systems Inc. is dedicated to application and systems development, document management and the automation of workflow processes. Contact us today at 703-502-3416 to discuss your next document management project.