The design documentation is the intellectual property of the organisation performing design works. Almost all documentation in electronic form is confidential. However, it is often necessary to send fragments of such confidential information by e-mail to a customer who is outside the protection organised by the firm's system administrator, and the transfer is usually carried out by an employee (a designer or a secretary) who does not possess the corresponding knowledge and skills in protecting confidential information.
According to a survey conducted by the company InvisiViewmedia.com, 46% of respondents are worried about the possibility of data theft, and 98% agree that protecting confidential information is vital for business management. Nevertheless, 30% of employees send documents containing confidential data simply by attaching them to e-mail messages, 45% use unprotected “paper” postal services for this purpose, and 2% simply send them by fax. 25% of the surveyed companies noted that they consider the risk to the security of such mailings to be the lowest, 13% are ready to take such a risk, and 16% had never thought about it, believing that the methods they used for sending correspondence were protected and reliable. Jan Gunner, director of InvisiViewmedia.com, commenting on the results of the research, noted the disturbing fact that companies hold such positions on the protection of confidential data, and also that business users are convinced that alternative ways of safely sending such documents do not exist.
A CNews survey of Russian vendors of enterprise content management (ECM) systems has shown that what was noted in the InvisiViewmedia.com research is also relevant for domestic companies. “It can be said with confidence that the confidential information of the majority of Russian commercial organisations is transferred over unprotected channels. The risk of theft of confidential documents is taken seriously by a very small number of companies” – says Andrey Treshchuk, assistant to the chief executive of the company Terralink. He considers that ECM systems (Enterprise content management: management of the information resources of the enterprise, or management of corporate information) can unequivocally help to solve the problem of restricting the distribution of confidential information, first of all by restricting the availability of confidential documents within the organisation. “The organisation can forbid working with confidential documents outside document management systems, and also forbid sending copies of such documents by e-mail (only links)” – Mr Treshchuk explains. “Risks are always neglected and thus always underestimated. We carried out estimates: the savings from risk reduction, as a share of the financial effect of introducing an ECM system, can often be compared to the savings from process optimisation. The risk of a document's information leaking and becoming available to undesirable persons, though not the most essential in our list, is noticeable enough” – notes Maxim Galimov, director for advanced research at the company Directum.
Nevertheless, the main losses, as he said, still occur not from the use of unprotected communication channels when documents are transferred to outside parties, but because of internal leaks and elementary disorder: the information in a document that is outside the perimeter of the ECM system (downloaded to local disks, printed out and sometimes left in the printer tray, sent by mail to a colleague) is already under threat. “The ECM system reduces risks because, first, it provides protected storage of the document and, second, it allows most of the teamwork on the document to be carried out without removing it from the protected environment. If a culture of approving and exchanging documents in electronic form within the ECM system is accepted by the organisation, the security of content management rises substantially. The protected inter-company exchange of electronic documents should obviously become the next step” – the expert notes. According to Elena Ivanova, head of the marketing department at the company EOS, office record-keeping has historically been more widely developed in Russia, and the attitude to confidential documents has developed differently than abroad. “In Russia both people and companies accordingly pay much more attention to preserving and maintaining confidentiality. It is another matter that, with this understanding, there is not enough knowledge and ability in using the available technological and software tools; that is, people understand what needs to be protected, but cannot or do not want to apply special software” – she notes. Ms Ivanova expresses hope that with the spread and wider use of ECM the culture of handling such documents will change. “People working in ECM will learn to use the means of protected transfer of electronic documents as well, since it will be part of the familiar system in which they work.
Now, since ECM has been introduced in only a very small number of the organisations performing design works, taken on the scale of all Russia, people either have no culture of working with electronic documents or it is undeveloped.
Most ECM systems implement functionality for transferring and working with confidential documents, so it will be easier for people to work with them in the familiar ECM working environment, and they will no longer be able to process such documents in any other way”.
However, there is also another point of view on the possibility of protecting content management. It was voiced by Vladimir Gornostaev, an information security expert at “InterTrust”. As he said, the transition of companies to enterprise content management will not change the “culture of handling documents”: if there was no “culture” when working with paper documents, a change of form will not change the content. “In this context the primary goal is the development of the necessary regulations and policies defining work with confidential information (documents)” – the expert considers, and he distinguishes two ways of looking at this research. In one case the organisation has no such policies, and therefore workers do not follow them. From the point of view of information security, according to Mr Gornostaev, such organisations have a low level of maturity, as company management makes no effort to protect information. In the other case, if policies have been developed, it means that workers are breaking security policies. Such organisations have a higher level of maturity, but an insufficient one, since audit and monitoring of compliance with security policies is not set up in them; policies are formally developed, but workers are not trained and compliance is not monitored. According to Sergey Kuznetsov, head of the research department at “Reksoft”, the IT director should approach this problem from two sides. First, the user needs to be educated and trained to work with documents, because, for example, 90% of employees of Russian companies, when working with internal documents, send each other files instead of placing them in shared folders and sending links. As he said, employees need to be taught the skills of working with confidential information in exactly the same way.
Jury Korjukin, director for corporate projects at ABBYY Russia, considers that if similar research were conducted in Russia, the result could turn out to be even more alarming. “When absolute confidence in the information security of the enterprise is needed, ECM systems with built-in elements of access-rights management systems, or IRM/DRM systems, can help. With their help it is possible to limit access to confidential documents, to impose a ban on a number of actions (for example, copying, transfer or printing), and to limit the possibility of working with documents outside the content management system” – Sergey Kuznetsov continues, adding that the protection system should be adequate to the value of the information. “There are not too many enterprises where information leakage can lead to considerable problems. Therefore heads of companies, before installing protection systems, first of all weigh the risks against the cost of introduction” – he concludes. Michael Bashlykov, head of the information security direction at the company “Crocq”, also agrees with his point of view, considering that a content management system in itself can only lower the risk of the specified problems, but not solve them completely: within content management only part of the information used in organisations and enterprises is processed, therefore it is necessary to forget about protection of various reports and exports from corporate systems and business-analytics systems. As he said, reliable protection of confidential information can be provided only by a comprehensive system of information protection at the level of content and management of access rights to information (Information Rights Management), integrated with business systems, including enterprise content management systems.
“‘Confidential’ is not a good wish but an order to strictly follow certain regulations. But without the possibility of control, the order remains a good wish. The behaviour of employees is, in a sense, natural: confidential documents take more effort, and if nobody is watching, one can make life simpler for oneself. In fact, introducing ECM makes it possible both to minimise the effort (a gain for employees) and to make up for the lack of control over observance of the regulations (a gain for the owners of the information and for managers). In other words, the information system should prevent the sending of confidential information over unprotected channels” – Alexander Rodionov, director of the department of document management systems at “Cheeks”, is sure.
At the company DocsVision, CNews was told that the use of enterprise content management systems certainly changes the culture of handling documents, including with regard to supporting their confidentiality, but that the tools of ECM promote confidentiality even more. “What cannot be taken out of the system onto a local computer cannot be sent over unprotected communications either. All of this would work remarkably well if the discretionary model of access management (which requires direct or inherited specification of each user's access rights to each document) were not the basic approach to access management in many ECM systems” – explains Sergey Kurjanov, director for development at DocsVision. “The discretionary model was inherited by ECM from operating systems, which use it to manage access to shared folders and files. Discretionary security is insufficiently manageable; it is very difficult to formulate and maintain access policies in it, especially contextual ones. Therefore very often it is simply not used at all, on the grounds that the risk of document theft is very low” – he continues. At the same time, as the expert notes, MoReq recommends an approach based on mandatory security, in which the employee's clearance level is compared with the document's confidentiality level. According to the expert, the mandatory model is much more manageable and is easier to apply and use. “Even more possibilities are opened by the role-based model of access management, which is context-oriented and allows policies to be formulated such as ‘the employee who is charged with preparing the draft of the document has full access to it’. The combination of the mandatory and role-based models of access management, together with logging of user actions, makes it possible to build and operate security policies that do not prevent people from working with documents but strongly narrow the possibilities of unauthorised access” – he concludes.
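The combination described above (a mandatory level comparison, a context-oriented role policy and a journal of user actions) can be sketched as follows. This is an added example, not code from the article or from any ECM product; the level scale, role names, actions, document id and user names are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):  # constructed confidentiality / clearance scale
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2

# Role model: rights follow the user's role in the context of one document.
ROLE_ACTIONS = {
    "drafter": {"read", "edit", "export"},  # charged with the draft: full access
    "approver": {"read"},
}

@dataclass
class Document:
    doc_id: str
    level: Level
    roles: dict = field(default_factory=dict)  # user name -> role on this document

@dataclass
class User:
    name: str
    clearance: Level

def decide(user, doc, action, journal):
    """Return True if allowed; every decision is appended to the journal."""
    role = doc.roles.get(user.name)
    if user.clearance < doc.level:
        # Mandatory check: clearance must be at least the document's level.
        allowed, reason = False, "clearance below document level"
    elif action not in ROLE_ACTIONS.get(role, set()):
        allowed, reason = False, f"role {role!r} does not permit {action!r}"
    else:
        allowed, reason = True, f"role {role!r}"
    journal.append((user.name, doc.doc_id, action, allowed, reason))
    return allowed

def demo():
    """Four constructed users try to edit one confidential draft."""
    journal = []
    doc = Document("DRAFT-001", Level.CONFIDENTIAL,
                   {"anna": "drafter", "boris": "approver", "vera": "drafter"})
    users = [User("anna", Level.CONFIDENTIAL), User("boris", Level.CONFIDENTIAL),
             User("vera", Level.INTERNAL), User("gleb", Level.CONFIDENTIAL)]
    results = {u.name: decide(u, doc, "edit", journal) for u in users}
    return results, journal
```

Unlike a discretionary list of per-user rights on every document, the policy here is two small rules, and the journal records the reason for each denial so that compliance can be audited.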
1. Demidov M. Confidential documents are sent without any protection
2. Wikipedia: Enterprise content management [http://ru.wikipedia.org/wiki/ECM_(бизнес)]
The author: Челябэнергопроект
Comments of experts of Челябэнергопроект: