Defining sensitive documents to protect.
Surprisingly few organizations classify their information in order to help them protect it from unauthorized disclosure. Usually improper disclosures get noticed when personal data are disclosed, and that can mean litigation involving a corporate authority and the public, and bags of adverse publicity.
Although some cynics might say there is a competition to see who can claim to have had the most data disclosed. In the UK Her Majesty’s Revenue and Taxes might have been in at the kickoff by disclosing some 25 millions of taxpayer records, but they have been made to look like amateurs by Yahoo, Card Systems Solutions and eBay – as a random selection.
But the reality is that more than one class of documents is sensitive. That’s not to say personal data is not important – it is – because there is regulation that says so. But there are other duties that have to be addressed with every bit as much care (or more so since some may say disclosing personal data is less costly than having your IPR stolen and pirated).
Other duties include those to the shareholders to protect the IPR assets of the business (without which trading could be harmed to the point of ceasing to trade) and contractual duties for which there are (usually) financial penalties.
This opens up a wide range of document types that have got to be protected.
So what documents should you protect?
Starting at the top are government official documents, board minutes, strategic analyses, analyst opinions and recommendations, sensitive manuals such as the credit reference methods of a bank, analysis criteria for an insurer, franchise agreements, service manuals, training manuals and courses, mergers and acquisitions, to name but a few.
More obvious sources of IPR include patent information prior to registering, trade secrets such as formulations (exactly how do you make Cointreau or Drambuie are trade secrets), not to mention books, magazines, plays, printed music.
It is easier to define sensitive documents are those which, if disclosed, would cause economic damage to the organization. And the economic damage could be loss of sales, loss of market, or loss of reputation.
Document location management & DRM
Once you have decided which of your documents are sensitive – what are you going to do about it? Do the documents have to go out of the internal corporate network? Can you stop them?
Unless you are very unusual the answer to this question is no – you can’t stop them. You must expect people to take documents out, whether they are email attachments, files uploaded to a server, files copied to USB, CD or DVD, or on a Bring Your Own Device (BYOD) like a cellular phone (in Germany called a Handy). The ubiquity of environments means that documents are being synchronized by updaters such as Dropbox, or environments like Facebook without you knowing or remembering. These are but a step away from seeing your documents released on WikiLeaks or the Torrent download sites, depending on what has got out of the bag.
So there has to be a game change if you are going to protect sensitive documents from being readily copied and used outside of the people you designate as being authorised. And those people in many instances are not going to be insiders, and even actual insiders are going to have to be able to use documents outside of the corporate or departmental network just as if they were outsiders. That means that the documents must be encrypted, because otherwise there is nothing to stop anyone from using ordinary programs such as Word or Notepad on them. The same goes with pure encryption such as that provided by companies like PGP. They prevent anyone without authorization from opening the protected files, but once they are opened the user may do what they like with them. Which is not really the plan.
The answer is to have persisting controls that are bonded to the encrypted document and cannot be trivially removed. This then requires a special program to be able to decide if the document is being used in an authorized location (computer, IP address, geographic region) and can enforce the design controls and resist hacking and cracking attempts, as well as preventing screen grabbing and stopping printing.
Document DRM – what controls to apply?
Next is the question of what controls are appropriate for which classes of documents?
An unhelpful answer would be, it depends. But if you have gone through even a high level review of which disclosures would hurt you then there are some good clues as to what protection is actually worth.
There are not so many documents from government that cause excitement, except the un-redacted discussions by senior advisers and their bosses. These usually need very high levels of protection to be applied. The other documents that cause problems are policy documents for the security agencies, but we are not considering their highly specialized requirements in this blog.
In the corporate world board papers and minutes and mergers and acquisitions documents are usually secret, but may also have to be distributed to many people outside of the corporate body. Non-executive directors, pension fund trustees, lawyers and accountants are amongst those who need access. But they are all outsiders and not in the control of the IT department. They must be able to read documents, and retain access to all the papers made available to them, but not to pass them on. Access may well be offline and printing is probably forbidden. For more sensitive documents watermarks may be present on the viewed image showing who was authorized to use it.
Manuals, including training manuals and courses, are valuable documents that are usually sold or are part of corporate certification for staff training. They will have to be able to go to people who you don’t know, they are outside of the domain of the provider and you have no idea what security, if any, they will apply to documents they receive. The documents always represent the intellectual property of the creators and are valuable in two ways. The first is the knowledgebase that they contain. The second is the skill of presenting education materials so that they can be readily absorbed by the student. Courses and manuals tend to be available only for fixed periods of time so you have to have a control system that can have start and stop dates (so the time of the course can be covered) that can be changed after the manuals are issued in case someone is ill or for technical reasons the course dates have to be changed. Also there may need to be a facility to allow prospective users to review the materials (maybe look at it two or three times, or for a day or two, to feel confident it is worth the money) before committing. These are interesting in that some of the documents will need to be printed (course notes) whilst the main training slides and all the linking and structure would need to be kept secret, particularly if there are instructor packs as well as student packs.
Analyst reports, membership association materials and magazines all have in common that they provide access to information based upon a membership type of system. So the documents need protecting because they represent intellectual capital and brand value that is lost if they are freely distributed. Contrary to some assertions nobody ever buys what they can have for free – why should they? It is the scarcity in a market that brings about the market, not a glut. So again we have to deal with people who are not known (except maybe their credit card), and there has to be a fairly sophisticated control system knowing when documents are published, who has access to them, what happens when their subscription gets updated or cancelled, and so on.
Finally there are book sales. They are perhaps the most challenging because the controls on them will have to work offline, and the rights of access are usually forever. However printing is probably not allowed as copying is usually a forbidden activity with copyright works (see the copyright statement on one of the front pages of most paperback and hardback books).
So we have reviewed what types of documents generally need to be protected, what are the general reasons for protection (in order to know what it is worth spending) and the types of controls that you might expect to have to apply.