How secure will my documents be?
That’s a good starting question when you begin to look at and evaluate a document management system.
Security breaches get a lot of attention and may sound commonplace, but you and your business shouldn’t accept them as a given. You can do a lot to prevent them – starting with how you secure and protect your documents, information, and data.
In this article, we’ll look at seven security features to look for in a document management system. These security features play key roles in keeping your information secured – both from potential inside breaches (accidental or not) and from outside attack.
We’ll also share some questions to ask when evaluating a system.
What is a document management system?
Starting at the beginning, we might ask, what defines a document management system? We provide an in-depth answer in our article, Why you need a document management solution.
The quick answer: although any system or process responsible for managing documents can be called a document management system, the term has come to refer to digital platforms that store and archive electronic documents.
Document management systems come in different types, and document security often varies from one system to another. As a business, you want to find the one that keeps your documents as secure as possible.
How to evaluate your document security
The security of your documents matters. Data loss and litigation are headaches no one wants, especially with the potential fines and loss of reputation that can ruin a business.
To evaluate the current security of your documents and information, ask yourself these questions about how your organization handles documents:
– How do we protect against accidental or deliberate internal security breaches?
– Are we protected from hacking threats?
– How would we access and recover our information in the case of a natural disaster?
– Could we be accused of data mismanagement? Could we demonstrate proper document and data handling?
– Is there a clear retention policy and practice in place for legally sensitive information?
– Are we at risk of any financial penalties?
You can dig deeper into how documents are handled by looking at how employees engage and work with documents. Here are a few questions to get you started:
– Can employees get the documents they need, where and when they need them?
– Do employees always know whether they’re looking at the most current document?
– Are employees trained in proper document handling, especially against social hacking and social engineering attacks?
Once you have the answers to these questions, and any others you identify, you’ll know which document security features you should prioritize.
7 key security features to look for in a document management system
These questions address the security features of a document management system. If you’re looking at cloud document management, where the provider hosts your system, you may want to ask specific questions about their data centre security.
Read more about cloud document management in our article, Document security in daily business processes.
1 – Data encryption
A document management system’s security begins with how it encrypts data.
But it isn’t only the system itself that you should evaluate. You also want to understand data security between the different systems, including the PCs, tablets, and other devices which may connect to the system.
Look for 256-bit AES encryption. This is military-grade encryption and the standard for U.S. government classified documents at the highest level. It may sound excessive, but it’s not. Most business systems use at least this standard.
Traffic between systems and devices should also feature HTTPS encryption. HTTPS has the added security layer of TLS/SSL. Standard HTTP communication lacks this security protocol and makes it easy for hackers to intercept critical data like passwords and financial information, especially when employees might be accessing the system from remote locations.
2 – Access rights management
Controlling who can access documents is essential. Your documents should only be accessible after a user enters their username and password. Assigning users to the system limits the risk of unauthorized access. Specific access rights can be assigned so users only see the documents relevant to them.
You can also define different levels of document engagement. Some users may be view-only while others may have full edit rights. Most systems will allow you to define access at a group level, but for the greatest security, look for systems that allow for access rights definition at the individual level too.
Ideally, you want to be able to restrict access even on a document’s index data (metadata), the data points that describe a document’s content and purpose.
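The access model described above can be sketched as follows. This is an added example, not code from any particular document management product; the user names, groups, document classes, index field names and the rule that an individual entry overrides group grants are all assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    VIEW = 1
    EDIT = 2

# Constructed sample policy: group-level grants, plus individual-level
# entries that take precedence over anything inherited from a group.
GROUP_GRANTS = {
    "hr": {"contracts": Level.EDIT},
    "sales": {"contracts": Level.VIEW, "invoices": Level.VIEW},
}
USER_GROUPS = {"alice": ["hr"], "bob": ["sales"], "carol": ["sales", "hr"]}
USER_GRANTS = {"carol": {"contracts": Level.NONE}}  # individual override

# Minimum level needed to see each index (metadata) field.
INDEX_FIELD_MIN = {"title": Level.VIEW, "salary_band": Level.EDIT}

def effective_level(user, doc_class):
    """Default deny; an individual entry wins over group grants."""
    personal = USER_GRANTS.get(user, {})
    if doc_class in personal:
        return personal[doc_class]
    levels = [GROUP_GRANTS.get(group, {}).get(doc_class, Level.NONE)
              for group in USER_GROUPS.get(user, [])]
    return max(levels, default=Level.NONE)

def visible_index(user, doc_class, index_data):
    """Return only the index fields this user is allowed to see."""
    level = effective_level(user, doc_class)
    if level == Level.NONE:
        return {}
    # Fields with no rule fail closed: they require EDIT.
    return {field: value for field, value in index_data.items()
            if level >= INDEX_FIELD_MIN.get(field, Level.EDIT)}

if __name__ == "__main__":
    index = {"title": "Employment contract", "salary_band": "B3"}
    for name in ("alice", "bob", "carol", "mallory"):
        print(name, effective_level(name, "contracts").name,
              visible_index(name, "contracts", index))
```

Carol belongs to both groups, yet the individual entry removes her access to contracts, which is the case a group-only model cannot express.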
3 – Redundancy
What will happen to your data and documents if a failure occurs somewhere? Security often conjures images of protecting against attack or unwarranted access, but protecting against technology failure is just as vital. If a system fails (for whatever reason), you need to know you can restore your data and ensure business continuity.
Regardless of whether you choose cloud document management or an on-premises implementation, you should have a minimum of two levels of storage redundancy. Plus, you should add a third layer of off-site storage, preferably at a geographically distant location, to protect against natural disasters.
This is one of the benefits of cloud document management. Aside from removing the need for on-site infrastructure and for doing your own backups, the data centres that host these systems already have these redundancies in place.
One item to consider: data sovereignty. Whether you choose cloud document management or third-party data centre backup, you want to know where your data will be stored. Cloud providers are supposed to ensure that all data and backups stay within the borders of the nation whose laws protect you and your data.
4 – Virus protection
Malware embedded in a document can wreak havoc on systems and local devices. You need to ensure that your system actively protects against these threats to protect the platform and user devices.
5 – Retention and compliance policies
Some documents have specific lifecycle requirements. Legal mandates may require you to keep documents for a defined minimum amount of time. For example, in Canada, the CRA advises businesses to keep records and supporting documents for six years after the end of the relevant tax year.
Fortunately, digital documents are now an acceptable means of storage. While this saves on space (and storage costs), it does mean you need to have a well-defined plan for managing the document lifecycle.
You may also have compliance regulations to consider. Data protection (GDPR), providing fiscal transparency (Sarbanes-Oxley), and data privacy (PIPEDA) are only a few of the compliance requirements you may have to address.
6 – Document integrity
You and your business must be able to trust the authenticity of every document, every time it is accessed. Encryption and access rights are meaningless unless you can validate the state and authenticity of each document.
A document management system does this in several ways:
– Electronic signatures – A qualified electronic signature is the most secure digital signature. This type of e-signature ensures the legitimacy of the signature and that the document has not been altered or manipulated because an authorized Trust Service Provider authenticated the signer and issued a digital certificate as validation.
– Version management – The system should check out and check in documents when they are accessed and changes are made. A new version is created when a document is changed. This helps protect the validity of a document by recording who changed what and when, and ensures users only update and edit the most current version.
– Change logs – A document system should record every access, annotation, and workflow state of every document, so that an entire history can be reconstructed if necessary. You should be able to access this information through a .csv file or other common file format.
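To show what an exported change log makes possible, the added example below (not code from any document management product) replays a CSV export, rebuilds each document's history, and flags check-outs of a version that is no longer current and check-ins that have no matching check-out. The column names and the sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample export. The column layout is an assumption; real
# systems name and order their change-log fields differently.
SAMPLE_CSV = """timestamp,user,document,action,version
2024-03-01T09:00:00,alice,contract-17,checkout,1
2024-03-01T09:20:00,alice,contract-17,checkin,2
2024-03-01T10:00:00,bob,contract-17,view,2
2024-03-02T08:00:00,bob,contract-17,checkout,1
2024-03-02T08:30:00,bob,contract-17,checkin,3
2024-03-02T09:00:00,carol,contract-17,checkin,4
"""

def audit_change_log(csv_text):
    """Replay the log in time order and return (history, findings)."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["timestamp"])  # ISO 8601 sorts as text
    current, holder = {}, {}  # doc -> latest version / check-out owner
    history, findings = {}, []
    for r in rows:
        ts, user, doc = r["timestamp"], r["user"], r["document"]
        action, ver = r["action"], int(r["version"])
        history.setdefault(doc, []).append((ts, user, action, ver))
        current.setdefault(doc, ver)  # first version seen is the baseline
        if action == "checkout":
            if doc in holder:
                findings.append((ts, doc, user,
                                 f"already checked out by {holder[doc]}"))
                continue
            if ver != current[doc]:
                findings.append((ts, doc, user,
                                 f"stale version {ver}, current is {current[doc]}"))
            holder[doc] = user
        elif action == "checkin":
            if holder.get(doc) != user:
                findings.append((ts, doc, user, "check-in without check-out"))
            else:
                del holder[doc]
            current[doc] = ver
    return history, findings

if __name__ == "__main__":
    for finding in audit_change_log(SAMPLE_CSV)[1]:
        print(*finding, sep=" | ")
```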
7 – Auditing capabilities
Reporting is standard with most business systems. As you evaluate different document management systems, you’ll want to make sure the system provides the level of reporting that you need. This could be the types or depth of reporting available. Or it could be the ease of pulling the reports.
There are many considerations when assessing a document management system for your organization. Here are some questions to ask when evaluating a system’s security.