Best Practices to Prevent Document Leaks

Thursday, February 16, 2012

Peter Weger


The need for security by government agencies, public corporations and private business is underscored by recent document leaks and what can happen when sensitive documents are freely distributed by unauthorized parties.

Unfortunate consequences occur when companies lose control over confidential assets and experience intentional or unintentional disclosure of the information. In some cases, even the possibility of information leakage can damage reputations and stock prices.

On the other hand, document security needs to be transparent to end users so as not to hamstring their work. IT needs to find a way to apply centrally defined security policies without any effort or awareness by users.

Automated policy application in a transparent security environment keeps workers happy since it allows them to focus on getting their work done without thinking about security. Automating security policies also removes Big Brother-like obstacles to the collaboration that companies need to remain competitive and ensures policies are consistently applied.

Without a compliance strategy in place to manage document sharing, end users will resort to e-mailing and printing documents, or they will employ online collaboration tools that are not designed for security and traceability.

This puts information at risk and can result in the disclosure of strategic, financial or personal information. Unsafe document sharing can result in failures to meet contractual or regulatory obligations due to the loss of information entrusted by partners or other stakeholders.

Ironically, a document paradox exists -- the most confidential documents tend to be shared most. The lifeblood of any business depends on trust and sharing information with strategic partners, board members, auditors, consultants, M&A bidders, regulatory authorities and the like.

But the integrity of a business is compromised if its most sensitive documents are stolen or tampered with.

Best Practices to Prevent Document Leaks

For companies to protect themselves, they must establish a framework whereby business users can perform their jobs without worrisome distraction. IT departments can do this by developing a document compliance management strategy that addresses security policies to systematically protect information shared with external parties.

Applying best practices for document compliance is a balancing act. Following these tactics can lessen the challenge:

  • Risk-rank all business processes involving flow of information outside the organization to identify threats
  • Define security policies for all types of documents, along with the roles and privileges of each group of users in relation to all types of documents
  • Ensure that SLAs support contractual agreements and certification requirements
  • Support the organization’s audit, security and compliance standards
  • Provide two-factor authentication to guard against password fraud
  • Separate content ownership and platform administration
  • Produce audit trails of all document accesses

Following these best practices makes good business sense because if sensitive documents become public, the business loses the trust of all constituents and damages its reputation. This could easily lead to loss of revenue, depressed stock price, decreased market share, and legal issues.

Companies are at risk if they believe their documents are safe simply because they haven’t yet been leaked. This is more common than not.

By nature we hope for the best, then panic when we find ourselves in a crisis. Whatever you do, a document compliance strategy shouldn’t be so Draconian as to impose too many restrictions on users.

Contributed by Brainloop

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.