Controlling the Emerging Data Dilemma: Building Policy for Unstructured Data Access
Anne Shultz
Edited by Ray Trygstad
Copyright © 2009 Anne Shultz and Illinois Institute of Technology. Used by permission. www.itm.iit.edu
An Information Technology and Management Whitepaper from Illinois Institute of Technology’s School of Applied Technology

It’s everywhere. It’s saved blatantly on the desktop of a coworker’s unattended computer, just waiting to hop onto the next flash drive and head out of the company. It lingers just a click away, ready to be uploaded and emailed to a competing company. It lies nakedly on a manager’s desk, eager to be picked up by criminal hands. It lurks in an unsecured network drive, hoping to be discovered by someone with malicious intentions. It’s unstructured data and it’s demanding attention.

What is Unstructured Data?

In general, unstructured data can be defined as any electronic information without a specific structure. Depending on the context, this definition can indicate data which is stored outside of a database as well as documents where the contents can take any shape, much like the text in a Word document. This includes documents, blueprints, presentations, image files, video files, and so on. However, it is important to remember that whether or not the data is considered structured depends on the context. For example, although spreadsheet data can be structured in cells and arranged in rows and columns, like those created with Excel, this is not controlled by the application
Merrill Lynch estimates that unstructured data makes up over 85 percent of all business information
With email and file services being the biggest contributors, more and more information is becoming available electronically and easy to share
increase in the amount of unstructured data generated throughout the organization was reported by
assume that management of unstructured data and unstructured data access would be a priority for most organizations, but a survey developed by the Ponemon Institute and Varonis System Inc. indicates differently. According to this study, which surveyed 870 IT operations professionals, 91% of organizations do not have a process for establishing ownership of unstructured data
felt that employees in their organization had unnecessary access to unstructured data
of respondents to this survey acknowledged that controlling access to unstructured data is very difficult for their organization
Why is Unstructured Data Access a Problem?

The looming beast of unstructured data is a serious issue for companies from a legal standpoint. Businesses lacking control over unstructured data access may be ill prepared when it comes to legal discovery. In the event of a lawsuit, all related documents must be held as potential evidence. If there is no control over unstructured data in general, required documents may be difficult to find in the time allotted by the court
determined who is responsible for the information. Further, “chain-of-custody” must be verified for any documents held during the litigation process, and to verify chain-of-custody, a company must prove that the documents are authentic and are what they claim to be
documented proof of when the documents were created, who they were created by, what was done with the documents, and who accessed or viewed the documents. Verifying chain-of-custody may prove to be nearly impossible with no control over unstructured data access. In addition to maintaining chain-of-custody, any retention policy mandated by the company will be difficult to enforce if it has not been determined who is accountable for maintaining the data. If the retention policy is not applied evenly, documents may be deleted prematurely or kept longer than the retention policy requires. Either of these situations will point to an inconsistent retention policy and could cause serious trouble for a company faced with providing documents in a court of law.

Lack of control over unstructured data is also a problem for businesses when it comes to compliance. In light of today’s corporate compliance requirements, such as Sarbanes-Oxley, PCI, and HIPAA, many businesses must tighten controls on their processes and systems. This also involves tightening controls for systems which handle unstructured data. For example, the Sarbanes-Oxley Act requires strong access controls to ensure that financial information is not corrupted
strong access controls for financial systems, as well as for unstructured financial data. The Payment Card Industry (PCI) Data Security Standards also require strong access controls in order to ensure sufficient protection for customer credit card information. PCI requirement 7.2 maintains that access to cardholder information must be denied for all employees unless access is absolutely needed for their job
unstructured credit card data as well. Yet another act which requires tighter access controls around unstructured data is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA sets security standards in order to maintain “confidentiality and integrity of individual health information”
handle individual health information, including those which handle unstructured information, such as file systems
will find any of these compliance controls difficult to meet.

In addition to any legal and compliance implications, a lack of control over unstructured data access is also a problem from a general security and productivity standpoint. As the Ponemon Institute and Varonis survey demonstrated, 76% of respondents were not able to determine who can access unstructured data and nearly 70% of respondents felt that employees in their organization had unnecessary access to unstructured data
highly confidential or sensitive information could easily fall into the wrong hands and possibly leak to the public. Depending on what type of information is leaked, this could impact the company’s ability to be competitive in its dealings or even damage the company’s ability to do business.

Whether the lack of control over unstructured data access is a problem for legal and compliance reasons or simply general security reasons, it is obviously something that needs to be addressed. The good news is that more and more solutions are surfacing in the area of unstructured data. The bad news is that none of these “solutions” seem to have completely solved the problem. Throughout this paper, we will review available methods for controlling unstructured data access and propose a strategy for developing a foundation for Unstructured Data Access Policy.

Available Unstructured Data Access Solutions

When considering any problem related to information, it is typical for businesses to look first to technology solutions. This idea seems to have held true for unstructured data access as well. As concern about this problem has gained momentum, more and more technology solutions have surfaced with the promise to improve organization and productivity. These technologies have many different names but can generally be referred to as content management systems or document and record management systems. For the sake of simplicity, throughout this paper they will be referred to as content management systems or CMS. Content management systems can be used as unstructured data repositories which allow the information to be organized and controlled. Basic components of
content management systems include document repository, integration with desktop applications, and security
The most relevant component of content management systems in the context of unstructured data access is security. Azad Adam explains that “Security should be tightly integrated with the system, allowing for security access permissions to be applied at different levels within the system”
adequate content management system may allow security to be assigned to groups or individuals as well as to groups of documents or individual documents. For example, an administrator should have the ability to assign one group of users the ability to read and edit a specific document while assigning another group of users the ability to read the document only. Still another group of users may not have access to see that specific document at all. As another example, an administrator should be able to assign access to a specific folder such that all users have the ability to read documents stored in the folder while only one user has the ability to edit them.

Content management systems handle access differently with unique options for securing data at multiple levels of granularity. An example of a content management system with growing popularity is Microsoft Office SharePoint. SharePoint users can be granted access in two ways. First, as with most content management systems, access permissions can be granted to a user or group of users
organize display groups of documents
used to allow for more creation with less access management overhead. If a group of users have read-only access to a collaboration site and the site is configured to inherit permissions, that same group of users will have read-only access to all subsequent sites as well
tent management system with unique security capabilities is Laserfiche. In addition to offering security permissions at a group or individual user level, Laserfiche also allows users to control access to specific documents through the use of security tags
a security tag titled “Confidential,” that user will have access to see documents that have the “Confidential” tag applied to them. Further, if that user is creating or saving a document in Laserfiche, they will have the ability to apply the “Confidential” tag to their own documents. These are just two examples of the many diverse content management systems available. Regardless of the specific functionalities offered by the software, any content management system will no doubt propose a unique solution to the problem of unstructured data access.

At first take, it seems that content management systems should be the perfect solution to the problem of unstructured data access. However, contrary to the claims of CMS vendors, this is not likely to be the case. The fundamental issue with content management systems lies in the establishment of policy. In other words, these content management systems cannot be used effectively if it is not first established how access should be configured. The authors of Integrative Document & Content Management explain that development, communication, and acceptance of a policy framework should be completed before even beginning requirement specifications for a content management system
not dependent on an investment in [content management systems]. The policy framework can be developed to apply improved practices for managing documents using existing tools”
extremely important point for any technology solution. A policy must be established first to support