How to Minimize the Risk Surface of Unstructured Content for Information Security: Security and Access Remediation

Recently I’ve had quite a few clients undertake projects to address the risk presented by their unsecured unstructured content. That unstructured content includes the usual suspects: Microsoft Word documents, PowerPoint presentations, Excel spreadsheets, and PDFs, all of which live out on network drives or unmanaged SharePoint sites.

What's the big deal about unstructured content?

In many instances, a small but significant amount of this content either contains sensitive information (such as personal health information [PHI], personally identifiable information [PII], or payment card industry [PCI] information), or it’s content that hasn’t been accessed in more than 2 years.

Unsecured unstructured content presents challenges.

So what are some of the problems organizations are trying to address? The first problem centers on access – or rather, overly permissive access to sensitive data (PHI, PII, PCI) and (sometimes, but less frequently) overly restrictive access to other data. The problem isn’t limited to sensitive data, though; it includes access to intellectual property (IP), too.

The second major problem is around effort. Most organizations find that an onerous level of manual effort is required to manage access for existing folders in content repositories, and that manual effort is also required to permission new folders or repositories with correct security and access. Additionally, assignment of data owners is a largely manual and error-prone process.

Finally, the third major problem concerns risk. Organizations which don’t have correct security and access levels in place can’t audit or have traceability over their information assets. Moreover, without the ability to identify data owners, an organization is likely to over-retain records, sensitive data, or other information.

So how do you go about addressing these problems, particularly considering that in many organizations, these are problems which have been years, if not decades, in the making? Clients I’ve worked with each take different approaches, and I’d like to share with you Doculabs’ recommended approaches to remediating this type of content.

How to minimize the risk surface of unstructured content: Use Security and Access Remediation.

Security and Access Remediation is a foundational step to reducing the risk presented by unsecured unstructured content.

It’s critical that you ensure that people in your organization have appropriate access to the data they should have, and that they not have access to the data they shouldn’t. In addition to ensuring the proper level of access, it’s also critical to identify and assign data owners to “orphaned” content folders. This approach is focused primarily on network drive environments (the areas at highest risk for security and access issues at most organizations), but it can also address SharePoint site permissions (which, at many organizations, have been pushed to the responsibility of the business and have since spiraled out of control).

Doculabs takes a measured approach to solving this challenge for our clients. We work with organizations to identify the scope of the issue and ensure that authority alignment exists for quick decision-making. We then work with stakeholders to update policies and procedures, dig in deeper to the existing level of permission structures, and develop a workplan and approach for resolving issues. Finally, we resolve all broken inheritance and unresolved security identifiers, remove global access groups (for stale data and active data), model correct access and permissions, and ensure the correct data owner is assigned. This is most effectively accomplished using the help of automated tools to speed the process up and quickly enact changes in the applicable environment.
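
A read-only discovery pass for the conditions named above (broken inheritance, unresolved security identifiers, global access groups, stale folders, orphaned owners), as an added PowerShell example; it is not Doculabs’ tooling. The share path, the output file name, and the use of the NTFS owner as a hint at the data owner are assumptions.

```powershell
# Added example: read-only discovery pass; no ACLs are modified.
param(
    [string]$Root = '\\fileserver\share',   # hypothetical share path (assumption)
    [int]$StaleYears = 2                    # the article's "more than 2 years" threshold
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$GlobalSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$Cutoff  = (Get-Date).AddYears(-$StaleYears)
$SidType = [System.Security.Principal.SecurityIdentifier]
$NtType  = [System.Security.Principal.NTAccount]

function Test-Resolvable($Sid) {
    # A SID that no longer maps to an account throws IdentityNotMappedException.
    try { [void]$Sid.Translate($NtType); $true } catch { $false }
}

function Get-FolderFinding([System.IO.DirectoryInfo]$Folder) {
    $acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction SilentlyContinue
    if (-not $acl) {   # report folders whose ACL cannot be read instead of skipping them
        return [pscustomobject]@{ Path = $Folder.FullName; Owner = ''; Issues = 'AclUnreadable' }
    }
    $issues = @()

    # Broken inheritance: the folder no longer inherits from its parent.
    if ($acl.AreAccessRulesProtected) { $issues += 'InheritanceDisabled' }

    foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $rule.IdentityReference
        if (-not (Test-Resolvable $sid)) { $issues += "UnresolvedSid:$sid" }
        $global = ($GlobalSids -contains $sid.Value) -or
                  ($sid.Value -match '^S-1-5-21-.+-513$')   # Domain Users
        if ($global -and $rule.AccessControlType -eq 'Allow') { $issues += "GlobalGroup:$sid" }
    }

    # NTFS owner is only a hint at the data owner; an unresolved one marks an orphan.
    if (-not (Test-Resolvable $acl.GetOwner($SidType))) { $issues += 'OrphanedOwner' }

    # Last-access updates can be disabled on NTFS, so treat this as a lead to verify.
    $newest = Get-ChildItem -LiteralPath $Folder.FullName -File -ErrorAction SilentlyContinue |
        Sort-Object LastAccessTime -Descending | Select-Object -First 1
    if ($newest -and $newest.LastAccessTime -lt $Cutoff) { $issues += 'Stale' }

    [pscustomobject]@{ Path = $Folder.FullName; Owner = $acl.Owner
                       Issues = ($issues | Select-Object -Unique) -join ';' }
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-FolderFinding $_ } | Where-Object { $_.Issues } |
    Export-Csv -Path .\acl-findings.csv -NoTypeInformation
```

The resulting CSV gives the planning step a per-folder worklist; folders flagged both `GlobalGroup` and `Stale` are natural first candidates for review.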

The following figure shows the three steps of a Doculabs Security and Access Remediation project:

  1. Discover
  2. Plan
  3. Remediate

Doculabs’ Approach to Security and Access Remediation

Reaping the Results of Security and Access Remediation

So what does your organization get out of an effort like this?

First, your users get “just right” access to sensitive data, leading to improved organizational compliance with key regulations such as HIPAA, HITECH, PCI, etc. You reduce effort required to manage access and security for content in your repositories, and you gain increased efficiency in maintaining appropriate levels of security and access, going forward. This may allow you to reduce headcount required to maintain security and access, or to reallocate resources to more critical IT initiatives. Finally, from a risk standpoint, your organization will get increased visibility into data ownership (and a more complete audit trail), leading to improved data governance. From the compliance standpoint, undertaking a Security and Access Remediation also provides evidence of a level of reasonableness and good-faith effort to keep the organization’s risk surface small.

But there’s more. In addition to Security and Access Remediation, we recommend undertaking an effort to secure and clean up unstructured data and eventually migrate that content to a more secured repository. 


Rich Medina
Jim Polka
I’m a Principal Consultant. My expertise is in security-based information management and strategic deployment of ECM technologies.