Traditional document and records management systems have evolved into more comprehensive, organization-wide enterprise content management solutions -- and information security professionals need to be paying attention. The sky's the limit for risks in and around enterprise content management systems -- with threats ranging from people to processes to technologies -- if they're not properly managed.
There are many potential gaps in a content management strategy that can turn a company's technology into a goldmine for abuse by malicious insiders and external attackers. Here are three security-related issues that businesses need to step back and examine when developing an enterprise content management system.
1. Are you protecting all the right areas? Many people in charge of information management do not have the slightest idea where their data is being stored on the network. Further complicating matters is the information system's complexity stemming from the mobile workforce. Whether it's inside the business' four walls or in employees' pockets and purses on the other side of the world, the data needs to be protected.
If a business rolls out a content management solution, decision makers need to do their homework and make sure it's secure from the beginning.
If you haven't considered the sensitive information that's present on virtually every tablet, phone, workstation, server and storage system, then you aren't looking deeply enough. If you don't consider data protection from this standpoint, an enterprise content management system won't be nearly as effective as it could be -- in fact, it may provide a false sense of security.
Cloud service providers -- and all the information they process, store and manage for you -- need to be in scope as well. Information worthy of the content management umbrella is everywhere throughout your enterprise, but you won't know what's where until you start digging in. Odds are you'll find sensitive, unprotected data in some unlikely places.
2. How do you know where your data security processes stand? Measuring your enterprise content management-related risks can be difficult for several reasons: the number of people involved; the complexity of the systems in scope; and the politics and bureaucracy that tend to surround these systems. A high-level controls audit is not enough, nor is a run-through of a compliance checklist. The security associated with your enterprise content management system doesn't just exist because the content is protected behind a login prompt, either.
You need to work with your IT or information security department -- or an outside party -- to determine what's truly at risk. Everything may appear sound on the surface, but even if all the content management policies and processes are reasonably implemented and well managed, all it takes is some missing server patches, exposed database listeners or flaws in the network's front end to create serious issues. Balancing technical and operational risks is critical.
3. How are you going to keep information security in check moving forward? It's humorous that many business managers and lawyers assume that if they simply place "internal use only" in the footer of sensitive documents or have a strong contract with third-party providers, then all's well with enterprise information security. That's often the extent of many organizations' enterprise content management controls. Hoping that nothing will happen is not a strategy, however; you must ensure that somebody is in charge and then work with the right people to develop a plan for content management oversight and improvements over time. Periodic and consistent assessments are key. Most importantly, follow through to ensure everyone is held accountable for their responsibilities.
More on enterprise content management
Mobile, cloud create need for new information governance strategy
The modern challenges to enterprise content management
Content management is not a set-it-and-forget-it enterprise tool that merely satisfies a compliance checkbox. Instead, it's people, processes and technologies coming together to minimize information risks. As with many technologies, however, enterprise content management solutions can fall victim to the "buy it and forget it" syndrome that often affects IT shops. If a business rolls out a content management solution, decision makers need to do their homework and make sure it's secure from the beginning.
Whichever way you look at it, being proactive about information risk controls for your enterprise content management system is much smarter than reactively wishing you'd had such controls in place after a data security incident has occurred.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored or co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking for Dummies, 3rd edition. In addition, he's the creator of the Security on Wheels information security audiobooks and blog.
This was first published in December 2012