Move beyond access control

Devise an effective information management system

The recently established Jericho Forum has opened up an important user-driven agenda for IT security.

Most security products, access control mechanisms, firewalls, virus scanners, virtual private networks and public key infrastructures focus on securing the perimeter or communication mechanism. Although important, they do not complement today's business strategies, which often involve extending the enterprise. "Dissolving" company perimeters leads to conflict with IT security based purely on reinforcement.

These new strategies drive the requirement to maintain control over highly confidential, proprietary or sensitive data. This is especially important when information is regarded as a competitive differentiator or a valuable company asset.

For this reason, forward-thinking companies such as Vodafone are implementing a strategy to protect such sensitive information. An organisation's lifeblood - its information - must always be available to employees at a moment's notice to improve productivity.

However, with e-mail and the internet, employees can accidentally or maliciously leak sensitive information. Recent surveys have estimated that the threat from within an organisation is equal to or greater than the threat from an outside attack.

This is exacerbated by the rise in mobile or remote workers, which leaves confidential company information outside the perimeter for most, if not all, of the time. When an employee leaves an organisation it is likely they will have copied useful and pertinent information to their home PC.

How do you prevent such information going to your competitors? What happens when a distribution partner takes on a competitive product? How do you make sure your suppliers, partners and customers treat your sensitive information in the same way you would?

These issues can be solved by initially identifying and classifying top secret, highly confidential and sensitive information and then setting up policies and procedures to manage it. Some firms use a standard such as ISO17799 to help set up a classification system and then look for a technology to help enforce this.

The system must have centralised policy-based management to define which users can access which information and what they can do with it. Information needs to be protected, controlled and tracked at all times and wherever it goes, whether this is in your organisation or in the computers of your suppliers, customers, partners or employees.

Post-delivery protection systems such as those based on digital rights management technologies can provide such capabilities. Business information can be stored in e-mails, documents, images, sound or video clips, all of which can be stored in a number of formats.

Ideally, you need to choose one technology that handles all the appropriate formats with a single, consistent user interface that will satisfy your organisation's requirements. Some formats are collaborative in nature, such as e-mail and Microsoft Word, so ideally you want to secure this information and still enable the appropriate personnel to collaborate on it.

Your security system also needs to integrate with existing enterprise-wide technologies including NT Authentication, LDAP and Active Directory for deployment, administration and manageability purposes. It must complement existing security products; the perimeter and communications channels must still be protected.

Finally, it must be easy to use or users will not adopt it and it must provide the ability to work offline - a tall order for most security products.
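The requirements set out above (a classification scheme, a central policy that says which users may do what with each class of information, protection that stays with the document after delivery, an audit trail of every access, and the ability to work offline) can be illustrated with a small model. The following is an added example written for this article, not code from SealedMedia or any product it mentions; the classification names, roles, policy table, users and document are all constructed, and the SHA-256 keystream cipher and shared-key licence signature are stand-ins for the real cipher and public-key signature a product would use.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Central policy table (constructed): classification -> role -> permitted
# actions. Editing this table changes what every copy of a document allows,
# wherever that copy now lives.
POLICY = {
    "public":       {"employee": {"view", "print", "copy"}, "partner": {"view", "print", "copy"}},
    "internal":     {"employee": {"view", "print"},         "partner": {"view"}},
    "confidential": {"employee": {"view"},                  "partner": set()},
    "top_secret":   {"executive": {"view"}},
}


@dataclass
class User:
    name: str
    role: str
    domain: str  # employer: the company itself, a supplier, a partner


@dataclass
class SealedDocument:
    doc_id: str
    classification: str
    ciphertext: bytes  # travels freely; useless without the key the server holds


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for a real
    authenticated cipher such as AES-GCM. Encrypt and decrypt are the same call."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_key = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block_key))
    return bytes(out)


class PolicyServer:
    """Holds content keys, evaluates the central policy and records every
    access attempt, allowed or denied."""

    def __init__(self, signing_key: bytes):
        self._keys = {}            # doc_id -> content key
        self._signing_key = signing_key
        self.audit = []            # one record per request

    def seal(self, doc_id: str, classification: str, plaintext: bytes) -> SealedDocument:
        if classification not in POLICY:
            raise ValueError(f"unknown classification {classification!r}")
        key = os.urandom(32)
        self._keys[doc_id] = key
        return SealedDocument(doc_id, classification, _keystream_xor(key, plaintext))

    def decide(self, user: User, doc: SealedDocument, action: str) -> bool:
        allowed = action in POLICY[doc.classification].get(user.role, set())
        self.audit.append({"user": user.name, "domain": user.domain, "doc": doc.doc_id,
                           "action": action, "allowed": allowed, "time": time.time()})
        return allowed

    def request_key(self, user: User, doc: SealedDocument, action: str) -> bytes:
        """Online path: the key leaves the server only for a permitted action."""
        if not self.decide(user, doc, action):
            raise PermissionError(f"{user.name} may not {action} {doc.doc_id}")
        return self._keys[doc.doc_id]

    def issue_offline_licence(self, user: User, doc: SealedDocument, action: str, ttl: int) -> dict:
        """Offline path: a signed, time-limited licence carrying the key, so a
        mobile worker can keep working without reaching the server."""
        key = self.request_key(user, doc, action)
        body = f"{user.name}|{doc.doc_id}|{action}|{int(time.time()) + ttl}".encode()
        mac = hmac.new(self._signing_key, body + key, "sha256").hexdigest()
        return {"body": body, "key": key, "mac": mac}


def open_document(user: User, doc: SealedDocument, action: str, server: PolicyServer) -> bytes:
    return _keystream_xor(server.request_key(user, doc, action), doc.ciphertext)


def open_offline(doc: SealedDocument, licence: dict, verify_key: bytes, now=None) -> bytes:
    """Client-side licence check. A real client would verify a public-key
    signature; the shared HMAC key here is a stand-in for that."""
    now = int(time.time()) if now is None else now
    expected = hmac.new(verify_key, licence["body"] + licence["key"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, licence["mac"]):
        raise PermissionError("licence has been tampered with")
    _, doc_id, _, expires = licence["body"].decode().split("|")
    if doc_id != doc.doc_id or now > int(expires):
        raise PermissionError("licence expired or issued for another document")
    return _keystream_xor(licence["key"], doc.ciphertext)


if __name__ == "__main__":
    server = PolicyServer(signing_key=b"constructed-licence-key")
    doc = server.seal("pricing-q3", "confidential", b"Q3 wholesale price list (constructed)")
    alice, bob = User("alice", "employee", "acme"), User("bob", "partner", "distributor")
    print(open_document(alice, doc, "view", server))      # allowed: employee may view
    try:
        open_document(bob, doc, "view", server)            # denied: partner has no rights
    except PermissionError as err:
        print("denied:", err)
    for record in server.audit:                            # both attempts are in the trail
        print(record["user"], record["action"], "allowed" if record["allowed"] else "DENIED")
```

The point of the model is where enforcement sits: the sealed document can be e-mailed, copied to a home PC or handed to a distributor, but every attempt to use it goes back to the policy, is logged with the requester's domain, and yields a key only for the actions the classification permits. The offline licence shows the trade-off the article's last requirement forces: to work disconnected, a client must hold the key for a bounded period, so the licence carries an expiry and an integrity check rather than an open-ended grant.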

A combination of document classification policies and procedures enforced by an appropriate technology - often referred to as an information security management system - will help organisations meet all these objectives.

Alan Cornwell is chief operating officer at SealedMedia