Keys for Securing Private Information in an EDMS

Information Management Journal, Mar/Apr 2008 by Mooradian, Norman

* Allow a clearer understanding of what the security requirements are

* Provide a product-neutral set of requirements that can be used to transition to a new system

* Provide a criterion against which to measure the system

* Identify gaps that can be addressed by policies, procedures, and methods outside the system

A common way of conceptualizing security schemes - one that is probably inadequate for meeting the minimum necessary - is called the "organization chart method." This method supposes that access requirements will correspond to the organization's structure of divisions, departments, and workgroups. However, an organizational scheme is not fine-grained enough to meet the minimum necessary in typical situations. Employees from different work groups, departments, and divisions often need to share documents. They may not need the whole case file or dossier, but they need part of it to perform a particular business function. To compensate for this shortcoming, system administrators will often add hybrid groups to supplement the organization chart scheme. This, however, can become quite difficult to manage over time.

An alternative approach to creating a security scheme that is sufficiently fine-grained to meet the necessary minimum requirement is called the "taxonomy model." This model is based on the document taxonomy created to organize and store the documents. As mentioned above, the taxonomy should reflect or correspond to the naming conventions used in privacy policies. If it does not, then one should be created, and it should be used for the security scheme.

Like organization charts, taxonomies are hierarchical. However, they describe the organization's information assets and how they are related, providing a clear structure upon which access rules can be based. Further, because it is hierarchical, a taxonomy allows the organization to determine what levels of the taxonomy are needed to meet security needs. Below is an illustration:

Employee Records
    Performance Evaluations
    Medical Records
    Insurance

Using such a scheme, user access can be conceptualized as relating to the bottom-level descriptors, e.g., "Employee Records-Insurance." This scheme allows users to be assigned to this document type based on their need to access it, whatever work group they belong to. If a user needs access to another kind of employee record, he or she can be assigned to it. In documentation, the scheme would appear as follows:

Employee Records
    Insurance
        Group, Users

The documentation would explain, for example, that "Group" includes all employees who work in HR benefits and might include in-house attorneys or specific employees from finance who need to monitor insurance expenses.

The advantage of such a scheme is that users will have access to all that they need and no more in a way that is easy to understand and manage. When a user no longer needs access to the document type, he or she can simply be removed from that document descriptor (i.e., from the group or list of users) without adjusting any of the objects in the security scheme. Using the organization chart method, such changes are more awkward, as the user's access needs can change even without a position change.
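As an added example (not code from the article), the following Python sketch models the taxonomy scheme described above: a grant is attached to a descriptor such as "Employee Records-Insurance" as a group plus a list of users, a user can be removed from a descriptor without touching any other object, and, as an assumption the article does not state, a grant at a higher taxonomy level covers every descriptor beneath it. All group and user names are constructed.

```python
# Added example, not from the article. Grants attach to taxonomy descriptors
# such as ("Employee Records", "Insurance") as groups plus users. Assumption:
# a grant at a higher level covers all descriptors beneath it; names are constructed.

class TaxonomyACL:
    def __init__(self):
        self.grants = {}         # descriptor path tuple -> {"groups": set, "users": set}
        self.group_members = {}  # group name -> set of user names

    def define_group(self, group, members):
        self.group_members[group] = set(members)

    def grant(self, path, groups=(), users=()):
        entry = self.grants.setdefault(tuple(path), {"groups": set(), "users": set()})
        entry["groups"].update(groups)
        entry["users"].update(users)

    def revoke_user(self, path, user):
        # Only this descriptor's user list changes; no other object is touched.
        if tuple(path) in self.grants:
            self.grants[tuple(path)]["users"].discard(user)

    def _entries_covering(self, doc_path):
        # Walk from the document's own descriptor up to the taxonomy root.
        path = tuple(doc_path)
        while path:
            if path in self.grants:
                yield self.grants[path]
            path = path[:-1]

    def can_access(self, user, doc_path):
        return user in self.who_can_access(doc_path)

    def who_can_access(self, doc_path):
        # Effective user set for a descriptor; useful for periodic access reviews.
        users = set()
        for entry in self._entries_covering(doc_path):
            users |= entry["users"]
            for g in entry["groups"]:
                users |= self.group_members.get(g, set())
        return users

def build_example():
    acl = TaxonomyACL()
    acl.define_group("HR-Benefits", {"alice", "bob"})
    acl.define_group("HR-All", {"alice", "bob", "carol"})
    # Leaf grant: benefits staff plus a finance analyst who monitors insurance costs
    acl.grant(("Employee Records", "Insurance"), groups={"HR-Benefits"}, users={"dave"})
    acl.grant(("Employee Records", "Performance Evaluations"), groups={"HR-All"})
    acl.grant(("Employee Records",), users={"erin"})  # HR director: all employee records
    return acl
```

Removing the finance analyst from the Insurance descriptor leaves the HR-Benefits group and the higher-level director grant untouched, which is the management advantage the article describes.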
