Reference no: EM13332529

Information Security for Document Management Systems

According to the Merriam-Webster online dictionary a document is an original or official paper relied on as the basis, proof, or support of something [1]. This was the main definition of a document until approximately eight years ago a need to make documentation readily available and to minimize cost of distribution became an important and costly issue. A paper document is a tangible object that can be signed, copied, stamped, protected in a fire proof vault, and verified. It has a life span of 75 years. The flip side of paper is that it can be costly to store and distribute.

Electronic management is a practice and software systems that are used in order to make documentation easier to distribute and make it readily available for use. Although it is often times less costly to maintain documentation in an electronic format it has its downfalls. I will discuss the pitfalls of an electronic management system as it relates to authentication, availability, confidentiality, and integrity. In the document control world maintaining the integrity of the documentation is the most important role the system should play. For instance what good is it to be able to find a document if it will not be recognized in the court of law. The rapid rate at which technology changes also hinders the document control process. File formats are constantly being changed updated and obsoleted, during conversion information is most times lost and corrupted.

Currently my department is in the middle of transitioning from a completely paper based system to an electronic document management system. According to AIIM, a Document Management System is the use of a computer system and software to store, manage and track electronic documents and electronic images of paper based information captured through the use of a document scanner [2]. Some document management systems offer version control, check in and check out locking, audit trails, stamps, etc. Approximately four years ago my company the Advanced Photon Source of Argonne National Laboratory purchased and Electronic Document Management System made by Stellent Inc. Their system was called "Stellent Content Management System. After Stellent was acquired by Oracle it is now called UCM.

The use of an EDMS system allows a company to make electronic forms of documentation available. In addition to being able to access the information 24/7 it can also track the lifecycle of the documentation. But our current system lacks important security measures that will prevent the information from being altered. This feature is a must have in order for the courts to acknowledge the documentation as valid. Not only can the integrity of the system be challenged but the security measures that are currently in place are not enough to safeguard the information.

For instance, there should be current policies and procedures in place that lay out guidelines on how to deal with backup and recovery of lost information. The backup tapes should be filed in an off-site storage in case of fire and not within the confines of our office where the computer and the backup files can be destroyed simultaneously. I will cite information that has been gathered in papers and case studies concerning the vulnerabilities and threats of the Oracle UCM Security [3].

Moreover the systems lack the proper security measures to safeguard the system from being hacked. Currently the system resides on the intranet behind the firewall. Although this can be viewed as a good security measures employees are allowed access to the system from home via the CISCO VPN program. The Cisco program has built in security and endpoints [4]. This is an added system that could also contribute to vulnerabilities that needs to be addressed. Moreover, I will discuss the use of home computers by employees that have not been properly safeguarded from physical or electronic threats[5].

I will define and assess all vulnerabilities within each component of the document management system and give solid examples and solutions that can be used to better safeguard our information. The system is authenticated by using our LDAP accounts. Each employee is assigned to a security group but the documentation is manually entered into the proper category because we rely on the employee to assign the group we are at risk of confidential information being compromised.

After I have identified and assessed all the vulnerabilities and threats I will analyze the level of risk of the threats. In addition I will then show the financial lost, gain or benefit to correcting the issues. I will also make suggestions of information that should be addressed and included in the policies and procedures as it relates to storage, backup and recovery.