
IT Compliance Institute, October 12, 2004:

Best Practices

Factor Content Management into Your Compliance Efforts

Organizations may need to invest in new content management software to comply with Sarbanes-Oxley and HIPAA.

By Mathew Schwartz

Among your compliance efforts, don't ignore content management software and the associated cultural changes necessary to make a document-tracking program work.

Along with improved security, reporting, and policy enforcement, organizations typically need to invest in new content management software to achieve compliance with regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, says Boston-based research firm the Yankee Group.

“Today … CFOs are finding an average anticipated increase in their budgets of 600 percent to achieve compliance,” notes Yankee analyst Andy Efstathiou. Some content management software vendors include Documentum, FileNet, IBM, Microsoft, Open Text, OpenPages, and Stellent.

To discuss the cultural and technological changes necessary to institute content management programs in regulatory environments, ComplianceNOW spoke with John Landwehr, group manager of security solutions and strategy at Adobe. Its PDF content management product, Policy Server, is currently in beta and due out later this year.

How do organizations instill basic notions of who can or can’t see a document?

We’re actually finding more organizations are starting to use information classification … [especially] in the manufacturing community … and even pharmaceuticals. Organizations are training their users to know what these information classification policies are, and know they are accurately applied to documents they create. In addition, [a product such as] Policy Server allows for automated workflows to automatically set the right policy.

What sorts of document-auditing regulations do companies face?

Publicly held companies have requirements [under Sarbanes-Oxley] to appropriately manage their information, and to make sure that only the intended recipients can view sensitive corporate documents.

We also have, in addition to the Policy Server, digital certificate capabilities that can be used to provide authenticity and integrity of the information. So … you can be sure that the information hasn’t been changed, down to the letter or decimal point.

What cultural changes are necessary to make content management work in a regulatory environment?

In the beta feedback we get back from users, there’s a social change they’re going through. They’re being forwarded documents from colleagues they shouldn’t be receiving, and trying to open them, but realizing that even if they have a copy of this document, unless the owner or workflow allows it, they can’t view it.

We’ve also heard of scenarios where employees change jobs … and they knew their access to [certain] documents would change, so they downloaded a bunch of documents from the server … because they knew they’d be useful in their new job. So when they tried to open those documents and couldn’t—that’s the way the system is supposed to work—they were very surprised.

What exactly does Policy Server corral?

PDFs … and of course you can pretty much turn any document into a PDF—spreadsheets, Word documents, engineering drawings. You can even embed audio and video inside a PDF. It works across Windows, Mac, and we’re even adding support for Linux on the desktop, so people will be able to view and interact with these documents both inside and outside the firewall … And having the document in PDF, … people can collaborate [without having] the native application installed.

What content management controls does Policy Server offer?

At a high level, Policy Server is used to control access to information and who can do what with it—who can open, then print, modify, or paste information from that particular document. [Those] policies … can be driven by an administration for an entire organization or by end users [themselves]. You can also maintain an audit log to see who opened, modified, copied, or pasted, or who tried to do any of those things but didn’t have access …

Then we have the ability to expire, revoke, or … “virtually shred” a document, so at the push of a button … you can turn them all off. … This helps organizations enforce version control, and is very important in a regulatory environment … where it’s important that everyone works with the same playbook.

Is the ability to revoke documents driven by regulatory needs?

The driving needs for that … are confidentiality and privacy. … Also it can be used to share information with internal auditors, external auditors, [and] a board of directors. And if a document is forwarded intentionally or unintentionally, then no one can open it [without permission].

Today … there are portals [and] file servers … [and] once users download the file onto their computer, they might not go back to the server to get the new version.

So document creators can leash their documents?

Exactly. Version control is interesting because a lot of people don’t necessarily view it as a security capability. But they certainly have significant problems with version control, and as soon as it starts to touch the regulatory environment, you have organizations that want to make sure that only the appropriate copies are out there—whether it is a disaster recovery plan that’s a standard-operating procedure … or financial information.

You can imagine if you’re preparing your quarterly findings, you may have preliminary financials for auditing or review, and they may change. … You want to make sure all of those auditing [and marked-up] versions are turned off … and that someone didn’t actually keep an Excel spreadsheet on their system [with old results].

What does the addition of digital signatures—which Acrobat can use to sign a document—do for compliance efforts?

You have an audit record of who did interact with the document, and assurances that nothing has been changed along the way. Or [employees] could also provide their approvals along the way … and as more and more paper-based workflows go to an online workflow, having that authentication [helps].
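The two answers above describe what a digital signature buys a compliance workflow: an audit record of who approved a document, and an assurance that nothing changed "down to the letter or decimal point". The Go program below is an added illustration, not Adobe's code or anything from the article: it chains Ed25519 approvals over a document's SHA-256 digest so that swapping one digit, or dropping an earlier approval, fails verification. The signer roles, key names and the sample figure are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Approval is one audit-trail entry: who approved, and a signature binding
// them to the document bytes and to every earlier approval.
type Approval struct {
	Signer    string
	Signature []byte
}
// signedBytes is what an approver signs: SHA-256 of the document plus the
// previous approval's signature, so entries cannot be dropped or reordered.
func signedBytes(doc, prev []byte) []byte {
	digest := sha256.Sum256(doc)
	return append(digest[:], prev...)
}
// Approve appends one signed approval to the chain for the given document.
func Approve(chain []Approval, signer string, key ed25519.PrivateKey, doc []byte) []Approval {
	var prev []byte
	if n := len(chain); n > 0 {
		prev = chain[n-1].Signature
	}
	return append(chain, Approval{Signer: signer, Signature: ed25519.Sign(key, signedBytes(doc, prev))})
}
// Verify returns -1 if every approval checks out against doc, else the index of the first failure.
func Verify(chain []Approval, doc []byte, pub map[string]ed25519.PublicKey) int {
	var prev []byte
	for i, a := range chain {
		if key, ok := pub[a.Signer]; !ok || !ed25519.Verify(key, signedBytes(doc, prev), a.Signature) {
			return i
		}
		prev = a.Signature
	}
	return -1
}
func main() {
	// Constructed sample: one preliminary figure approved by a controller, then an auditor.
	doc := []byte("Q3 preliminary net income: 1,234.56")
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	pub := map[string]ed25519.PublicKey{"controller": pubA, "auditor": pubB}
	chain := Approve(Approve(nil, "controller", privA, doc), "auditor", privB, doc)
	tampered := []byte("Q3 preliminary net income: 1,234.65") // two decimal digits swapped
	fmt.Println(Verify(chain, doc, pub), Verify(chain, tampered, pub), Verify(chain[1:], doc, pub)) // -1 0 0
}
```

A real deployment would carry the signer identity in a certificate rather than a name-to-key map, but the checks are the same: the document digest and the chain of prior approvals must both verify under a trusted public key.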

How are digital certificates being used today?

In Europe … we have the Spanish Ministry of Public Works, which does the roads, bridges, and canals, and their information is digitally signed, so they know that this isn’t a copy, it hasn’t been tampered with … We’re starting to see the civil engineering community be much more sensitive about the authenticity and veracity of documents, especially in relation to homeland security. Because … you want to make sure there aren’t any unintended changes introduced into the documents.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Insitute and is reprinted by permission of 1105 Media, Inc.