Compliance – Securing Sensitive Information
The business case for regulatory compliance
Increasingly, corporations have to make sensitive information (board minutes, M&A intentions, handling of reputation) available not only to people on internal networks, such as Boards of Management, but also to key people outside of corporate control: supervisory board members, major shareholders, key investment groups or VC fund managers.
In the past this was done on paper, or, if it was done electronically (email, PDF, a password-controlled web site or whatever), nobody felt they had a duty of care to make that information secure. Plenty of enterprises (especially lawyers) were content to say, “Hey, you were on notice that there was no real security being applied to this information, so don’t even think that we are liable if it hits the public domain.”
As a result of regulation, the fig leaf is no longer a defense. Boards of Management are being told in no uncertain terms by their auditors that a cavalier attitude to information protection is a sure route to personal prosecution. Now there’s nothing like making it personal to motivate the mind!
Today there are many acts of legislation that must be complied with. Sarbanes-Oxley (SOX) is probably the single piece of legislation to hit almost all businesses: the US-inspired Sarbanes-Oxley Act has sharply increased the focus on proper and secure control of corporate information. Then there is HIPAA (the Health Insurance Portability and Accountability Act), which came into full force in April 2005, the Gramm-Leach-Bliley Act (GLBA), which is focused upon the financial sector, and NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
Locklizard digital rights management products, PDF security, and document copy protection software are ideal for helping you comply with all these regulations. To show you what can be achieved we have identified the different compliance requirements you face, and how Locklizard document DRM solves them for you.
Compliance Requirements and document security
Business process compliance
Locklizard document DRM can help with all process compliance requirements. You can use our document security to ensure that only those authorized can view information and to prove that it cannot have been seen or used by anyone else. So you can prove that your business processes are sound and secure, which is better than relying on encryption alone, where once information has been decrypted the user can distribute it to anyone they want.
Information access compliance
Through document security and document controls you can demonstrate who actually registered to read information, and who did not, even if they were authorized to read it. If necessary you can prove when they read specific documents, and the location they were at when the documents were accessed. If any of the documents were printed, that can also be monitored and logged.
Ensuring information becomes inaccessible
In many circumstances you are only legally required to maintain information for a specific time period (commonly 6 or 7 years), and after that time you may destroy it. It can be very important for you to be certain that information is destroyed at that time, and cannot be recovered from backups or personal copies. Locklizard document DRM allows you to set an end date by document, so you can be certain that from that end date the document is inaccessible, and effectively destroyed. For further reading see document retention.
Since Locklizard document security uses the best available encryption methods you can be sure that your protected documents cannot be accessed by anyone who is not authorized. Authorized users do not have the ability to pass on their authority to others, so lines of accountability are clear and precise. Our document security products can be readily used to support the open use of corporate information both inside and outside the corporate network whilst preventing outsiders from being able to access information – even when it is held on a laptop or mobile device.
Control of availability of documents
You may need to be able to prove that documents could not have been used before a given date (SEC reports, analyst briefings, formal reports to statutory bodies). Locklizard document DRM can control access so that documents cannot be seen before the date on which they are authorized.
Controlling legal access
You may need to provide access to privileged documents to lawyers or other investigators as part of the legal process known as discovery, or because you need to provide documents to your own advisers. You want to be sure that only documents you have authorized can be used, and to know which parties have used them. This is an ideal way of being sure that others can only gain access to specifically authorized information and cannot go on ‘fishing trips’ through your information. It also allows you to comply with the NIST SP 800-171 rules concerning controlled access to information. You can set an expiry date for information and instantly revoke access when needed.
Meeting compliance with Locklizard DRM document security
Meeting compliance does not have to be the difficult task that some suppliers make out (perhaps because they figure they can charge you more?). If you publish sensitive documents in PDF format, Locklizard provides you with simple, easy-to-use tools that apply state-of-the-art DRM controls to your sensitive information.
You require best practices to demonstrate that unauthorized individuals could not access information, because the information was strongly encrypted and its use licensed. This approach allows corporations to let sensitive information (trade secrets, personal data including social security numbers, board of management documents, etc.) be stored on laptop computers and mobile devices, and distributed outside of their organization, without any loss of control.
Locklizard document security prevents all the simple compromises: use of the print screen key, any form of editing or saving (so that your information can’t be passed on to those who are not authorized), and screen grabbing. It watermarks dynamically to expose the people who try to compromise your security, and, if you feel compelled to allow people to print the sensitive information you have sent them, creates dynamic watermarks to make copying more problematic for the information pirate.
We also prevent forwarding: there are no ‘Save’ or ‘Save As’ features in our Secure Viewers, and we do not use rootkits, temporary files or similar mechanisms, so typical compromises cannot be achieved.
So for a modest price you can achieve a state-of-the-art protection service for your sensitive information that meets auditors’ requirements (indeed it is used by auditors and governments to protect their own information), while at the same time being able to distribute information electronically, quickly and cheaply. The ROI and cost/benefit arguments are obvious. Complete document security for regulatory compliance, but not at any price.