publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/306297
ILTA WHITE PAPER: APRIL 2014 WWW.ILTANET.ORG

are consistently enforced, simple enough to be articulated, well-understood by the user community and monitored for deviation. The security rules should be reassessed periodically by management to ensure they are the right rules for the firm, and by administrators to ensure they are being applied in the most effective way. Areas to think about include:

• The overall security model — Do you want optimistic or pessimistic security?
• Groups and group memberships — Does the structure match with the organization of the firm?
• Ethical walls — Are tighter walls needed? Is there an adequate balance of security with continuity of service (for example, are document processors able to provide service even on documents with ethical walls?)?
• Default settings — If the firm's default security on documents is "public" to all firm users, is that appropriate?

Another concern is "security by obscurity," which means a document was considered "secure" because no one could find it by searching. Particularly in the legacy pre-workspace systems, users saved a document, filled out the profile, and they might not have stopped to think about whether something would be public or private. The DMS's database was a vast, deep repository from which documents were only found by entering search criteria. In today's folder-based systems, documents have been "swept up" from the database of documents and are presented in folders, usually matching the client, matter and document type. Documents are now more visible through the folder interface. Couple that change with the advancement of full-text search technologies, and even the most obscurely named or profiled document, with "public" security, can be seen by people for whom it was not intended.

Most systems give the document creator or author the ability to set security on their own documents. Whose responsibility is it to make sure security is set correctly? The user's? The firm's? This is a question answered differently depending on a firm's methods of security enforcement. How large is this problem in your environment? The health check will tell you. One of the auditing processes should be an attempt to find sensitive documents that might not be secured correctly, then to work with users and the firm to address the problem.

Validate that DMS security is consistent with stakeholder expectations.

Peter Lieber, President at EIM International, monitors enterprise content management (ECM) industry trends and establishes the strategic vision for EIM. With plenty of real-world insight into document, email and records management, Peter provides some of the world's largest corporations and law firms with strategic, long-term ECM planning. With more than 25 years of industry experience, Peter's expertise in crafting next-generation solutions establishes him as a well-respected member of the ECM community, and he is a frequent guest speaker at industry conferences. Contact him at peter@eimintl.com.

Mark: There are two levels of security to review:

• The infrastructure security around the system
• The application and document security within the system