
Strategies for sharing and protecting sensitive information: the emergence of secure-collaboration technology carries the promise that organizations can share sensitive information without worrying about theft and misuse.


Information theft and misuse can affect businesses in a variety of ways, with different consequences (though all are severe) for varying arms of the organization. Confidential research and development information or proprietary sales and product strategies may be leaked to competitors, for example, or employee health records can be mishandled with insurers and put businesses at risk for lawsuits and government fines.

For financial executives, especially at companies working under fair disclosure (Reg FD) and Sarbanes-Oxley regulations, it is critical to protect sensitive or financial information such as confidential data that is not meant to be shared externally or information that by law must be shared with investors in a structured manner.

As CFOs make strategic decisions related to layoffs, mergers, business models and other material topics, they need to gather and share confidential information such as contracts, financials and proposals in a protected fashion with legal counsel, investors, consultants and business partners. It goes without saying that sensitive information must be protected from internal and external misuse or fraud.

Security breaches in any of these cases can result in a loss of trust from Wall Street, loss of market share (if competitors gain strategic information) and loss of credibility for financial management. All of these factors are forcing management, especially financial executives, to reassess their methods of collaboration and information-sharing to ensure that critical information is protected when working with both internal and external audiences.

Recent statistics underscore the financial damage of information theft. According to the 2003 Computer Security Institute/FBI Computer Crime and Security Survey, 251 organizations reported total annual losses of more than $201 million due to computer crime. Theft of proprietary information caused the greatest financial loss, as it has consistently since 1999--$70.2 million was lost in 2003, with the average reported loss being approximately $2.7 million.

The sources of the attacks as a percentage of all respondents included: independent hackers (82 percent), disgruntled employees (77 percent), U.S. competitors (40 percent), foreign governments (28 percent) and foreign corporations (25 percent). (The CSI/FBI report is available for free at www.gocsi.com.) Research also shows that information theft comes from on-site contractors, vendors and suppliers, strategic partners, intelligence services, original equipment manufacturers (OEMs), outsource manufacturers and the media.

Information theft and the resulting competitive, legal and public exposure are not the only drivers for organizations to improve content security and their means of collaboration. The government recently enacted laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act that include mandates for information privacy and penalties for improper storage or access to confidential information.

To combat the various types of information theft, an organization should consider implementing the following security measures:

* Access control: Making information accessible only via an authentication method (user name and password).

* Encrypted storage: Preventing internal or external thieves from viewing information they obtained without authorization.

* Post-access control: Controlling the actions end-users can perform with information they are authorized to view.

* Role-based administration: Uniformly assigning permissions to groups of users based on their role in an organization.

* Auditing: Knowing who accessed the content, as well as what actions were performed and when.

* Immediate access revocation: Denying access to information when it is no longer needed.

The challenge organizations face is to enable these security measures while maintaining the ability to collaborate internally and externally on financial and other information. While increased security is a requirement, it should not undermine collaboration, one of the essential elements for achieving business objectives.

Until now, there was a gap between the need for collaboration and the need to protect sensitive information. That gap has been filled with the introduction of a new category of enterprise software called "secure collaboration." Secure collaboration technology enables organizations to collaborate internally and externally, while controlling the flow and use of sensitive information, and providing a clear audit trail indicating how, when and where information is shared.

(The diagram below depicts secure collaboration as a combination of digital rights management and collaboration software, with the need for secure collaboration increasing with the value and sensitivity of content.)

[ILLUSTRATION OMITTED]

Before the introduction of secure collaboration, the security and collaboration landscape was a patchwork of partial solutions that could not be combined to secure content while enabling collaboration. Access controls, firewalls, virtual private networks (VPNs), public-key infrastructure (PKI) and secure socket layer (SSL) provide authentication and secure transmission, but they do not control information use. Digital rights management (DRM) solutions control the use of information, but do not enable collaboration. Collaboration software and Web-based collaboration environments enable collaboration, but do not control information use.

Businesses Can Share And Control Data

Secure collaboration provides the right mix of capabilities, enabling organizations to share sensitive and valuable information with confidence. It is a comprehensive solution combining authentication, access control, information-use control and the ability to collaborate while auditing all end-user activities.

As financial executives consider secure collaboration as a means to protect sensitive information while maintaining the ability to collaborate, they will need to understand its features in some detail, and they will also need a strategy for its use in order to address their specific needs.

Framework

Implementing a secure-collaboration system raises questions about your organization's checks and balances and its security policy. To ensure that no one has the rights to audit and administer the entire system and access all secure content (administrators with such rights are also a security threat), secure collaboration should be implemented with a framework that distributes administration among three roles: Security Officer, Administrator and Auditor. This framework enables you to quickly implement a policy that includes checks and balances while allowing you to address organizational needs.

Access

An important consideration in evaluating a secure-collaboration solution involves the impact it will have on company content: where it resides, which formats are supported and how it is accessed. Ideally, since it may span across your entire organization, secure collaboration will not require significant changes to your environment, and you will be able to access content where it resides--and in its native format. It should also include the flexibility to grow and change as you add new systems and develop new applications.

Security

Security is the foundation of secure collaboration, and the main reason organizations consider its implementation. When examining and implementing security within secure collaboration, you should ask these three questions:

How do users access the information? For maximum security, content should remain stored and encrypted on a secure server and should not be delivered to users' desktops, where it could be more easily decrypted and where it remains indefinitely. It is better to share information than files.

How easy is it to administer access rights across users and groups of users? Secure collaboration should accommodate various types of end-users, who should be organized into groups with the same content-use permissions. For example, a group of investors may only be authorized to view information, while your legal counsel may be authorized to annotate content that you provide for review.

What end-user actions can the system control? You should have extensive control of all end-user interaction with content. Actions such as viewing content, copying to a clipboard, saving to disk, printing, print screen functions, number of access sessions and access dates should all be controlled.

Another key feature of secure collaboration is the end-user's ability to collaborate on content and share ideas. End-users should be able to annotate content, and it should also be possible to make their annotations public, so that others can view them, or private.

Control

The final consideration in implementing secure collaboration is the way the entire process is controlled and audited. You need to consider how user access rights are enforced, how you can be assured a secure collaboration policy is working and how you can prove that internally and externally, to auditors and regulators. The secure-collaboration system should actively and frequently enforce end-user permissions by checking on their status at intervals under one minute, enabling administrators to quickly modify or revoke end-user access rights.

You should also maintain a complete history of the activities performed by each end-user and administrator, such as time and duration of access, activities such as copying and printing, and pages accessed. This provides the information needed to determine the effectiveness of a secure-collaboration policy and the ability to comply with internal and external information-security mandates.
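The enforcement loop described under Security and Control, as an added example that is not from the article or from any vendor's product: group-based content-use permissions, a periodic permission re-check, revocation and an audit trail. The class names, users, document name and the 30-second interval are hypothetical; the point it makes concrete is that a revocation takes effect no later than one re-check interval after it is issued.

```python
RECHECK_SECONDS = 30  # assumption: any interval under 60 s fits the article

class Policy:
    """Server-side source of truth: groups, permitted actions, audit trail."""
    def __init__(self, group_actions):
        self.group_actions = group_actions   # group -> set of permitted actions
        self.member_of = {}                  # user -> group
        self.audit = []                      # (time, actor, event, target, outcome)

    def assign(self, now, admin, user, group):
        self.member_of[user] = group
        self.audit.append((now, admin, "assign", user, group))

    def revoke(self, now, admin, user):
        self.member_of.pop(user, None)
        self.audit.append((now, admin, "revoke", user, "ok"))

    def permitted(self, user):
        return frozenset(self.group_actions.get(self.member_of.get(user), ()))

class Session:
    """An end-user session that re-checks its permissions at a fixed interval."""
    def __init__(self, policy, user, now):
        self.policy, self.user = policy, user
        self._refresh(now)

    def _refresh(self, now):
        self.cached, self.checked_at = self.policy.permitted(self.user), now

    def request(self, now, action, doc):
        if now - self.checked_at >= RECHECK_SECONDS:
            self._refresh(now)               # pick up any change or revocation
        ok = action in self.cached
        self.policy.audit.append((now, self.user, action, doc, "allow" if ok else "deny"))
        return ok

def demo():
    # Constructed scenario; times are seconds on a simulated clock.
    policy = Policy({"investors": {"view"}, "legal_counsel": {"view", "annotate"}})
    policy.assign(0, "admin", "ivy", "investors")
    policy.assign(0, "admin", "lee", "legal_counsel")
    ivy, lee = Session(policy, "ivy", 0), Session(policy, "lee", 0)
    results = [ivy.request(5, "print", "contract.pdf"),      # investors may only view
               lee.request(5, "annotate", "contract.pdf")]   # counsel may annotate
    policy.revoke(10, "admin", "lee")
    results.append(lee.request(20, "view", "contract.pdf"))  # stale cache: still allowed
    results.append(lee.request(45, "view", "contract.pdf"))  # re-check sees revocation
    return results, policy.audit

if __name__ == "__main__":
    print(demo())
```

The third request is the one to notice: it succeeds after the revocation because the session has not yet re-checked, which is why the re-check interval bounds how "immediate" access revocation can be.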

Our increasing ability to share information is offset by the staggering increase in information theft and its accompanying legal, financial, competitive and public-relations exposure. As financial executives play a key role in the strategic direction and financial stability of an organization, they preside over information central to an organization's success and a natural target for theft. The stagnant economy has also caused many business and employment relationships to sour, which increases the potential for information theft by disgruntled employees and business partners.

Until quite recently, there was no comprehensive means to secure sensitive information while maintaining the ability to collaborate. Secure collaboration is an emerging technology that helps protect information against theft and misuse, while enabling compliance with internal and external mandates for information storage, access and security.

Elaine Price is President and CEO of CYA Technologies Inc., in Trumbull, Conn., a supplier of secure collaboration technology. She can be reached at 203.261.1676.
COPYRIGHT 2003 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Author: Price, Elaine
Publication: Financial Executive
Geographic Code: 1USA
Date: Oct 1, 2003