The plan needs to embrace regulatory requirements and privacy as well as security; where privacy and security imperatives conflict, the business owner should make the call and the security officer should help to implement it.
"Finding the right balance is often led by some of the international standards like BS7799 and HIPAA [a wide-ranging set of policies around the health-care industry], if you're in the health-care field. So for any industry there's most likely industry policies that they should be looking at, industry regulations that they should be adhering to, both country-wide and international ones. Companies which do business inside and outside Australia need to ensure policy conformance all over the world," Patterson says.
When it comes to document integrity, Patterson says there have been a number of great advances in the area of encryption lately, so that encryption is now inexpensive and widely available and should become a standard tool in every IT shop, certainly for company-sensitive documents. "Encryption is not just used to keep a document secret for a while; it can be used to maintain the integrity of a document. You can put in a signature, you can put in a date and time stamp, you can encrypt the whole package, so that if anybody else changes it even one bit in the future you know that it has been tampered with," he says.
Kevin Shaw, who heads the Asia-Pacific region of Deloitte Touche Tohmatsu's security services group, points out that when documents are collated through the use of Web forms, those Web forms take the data and put it back into databases in a format that is broken down into two rows.
"What happens is that at a later stage if something happens and you have to reconstitute that document, say with legal proceedings on the go, you reconstitute that document and in some constituencies they will say that document has been stored not in context. So the document's validity from the point of the time that it was reconstituted is not the same as from when it was created," Shaw says.
"By using encryption technologies you can still break it down into the rows and tables and databases, and when it gets put back together again, the hash function in the encryption technology makes sure it's exactly the same document that was first collected. So from a legal perspective they say we're fine, we're happy that document has been stored in context."
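The capture-hash-reconstitute-verify cycle Shaw describes, and the "changed by one bit" check Patterson mentions, as an added example that is not Deloitte's or any vendor's code. The form fields, timestamp and key are constructed, and an HMAC over the hash and capture time stands in for the digital signature or timestamp authority a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed sample: one Web form submission, the "document" as first collected.
FORM_SUBMISSION = {
    "patient_id": "P-0001",
    "visit_date": "2004-03-12",
    "notes": "routine check-up, no follow-up required",
}
CAPTURE_TIME = "2004-03-12T09:41:00Z"                    # constructed capture timestamp
SEAL_KEY = b"constructed-demo-key-not-for-production"    # hypothetical key standing in for a signer


def canonical_bytes(doc: dict) -> bytes:
    """Serialise the fields in a fixed order so the same document always
    hashes to the same value, however its rows come back from the database."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(doc: dict, captured_at: str, key: bytes = SEAL_KEY) -> dict:
    """Hash the document and bind the hash to its capture time with an HMAC tag."""
    digest = hashlib.sha256(canonical_bytes(doc)).hexdigest()
    tag = hmac.new(key, f"{digest}|{captured_at}".encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "captured_at": captured_at, "tag": tag}


def store_as_rows(doc: dict, doc_id: str) -> list:
    """Break the document into (doc_id, field, value) rows, as a form handler writing to a database would."""
    return [(doc_id, field, value) for field, value in doc.items()]


def reconstitute(rows: list, doc_id: str) -> dict:
    """Rebuild the document from its rows; the order of the rows does not matter."""
    return {field: value for (row_id, field, value) in rows if row_id == doc_id}


def verify(doc: dict, seal_record: dict, key: bytes = SEAL_KEY) -> bool:
    """True only if the seal itself is untampered and the rebuilt document hashes to the sealed value."""
    bound = f"{seal_record['sha256']}|{seal_record['captured_at']}".encode()
    expected_tag = hmac.new(key, bound, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, seal_record["tag"]):
        return False
    return hmac.compare_digest(hashlib.sha256(canonical_bytes(doc)).hexdigest(), seal_record["sha256"])


def demo() -> tuple:
    record = seal(FORM_SUBMISSION, CAPTURE_TIME)
    rows = store_as_rows(FORM_SUBMISSION, "doc-1")
    intact = verify(reconstitute(rows[::-1], "doc-1"), record)      # rows returned in a different order
    tampered = [(d, f, v.replace("no follow-up", "follow-up") if f == "notes" else v) for d, f, v in rows]
    altered = verify(reconstitute(tampered, "doc-1"), record)       # one edit to a stored row
    return intact, altered


if __name__ == "__main__":
    print(demo())  # (True, False)
```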
As Time Goes By
However, there are some difficulties with digital signatures when it comes to document protection. Surety is a US-based data integrity services company that focuses on helping companies in industries that have been highly regulated for many years, and which have requirements to maintain records for long periods of time. Through the use of patented, proprietary technology, Surety can verify the authenticity of a document: who created it, precisely when and precisely what was created, indefinitely.
Klaff says this ability is proving to be of growing importance particularly in the US where companies are now required to retain documents for much longer times than previously. "The issue that we're tackling is the issue of: How do you know that the data has integrity 10 or 20 years from now?" he says. "Particularly if you're using a digital signature, there still is a problem with document life exceeding the life of the key, so we have a patent on extending the validity of that key to meet the life of that document."
Klaff warns there is "a complexity" in managing digital signatures once they expire, with organisations periodically facing the massive task of re-signing vast numbers of electronic records that have been accumulated over the years. Surety thinks public key infrastructure (PKI) is a "wonderful technology" but Klaff warns the problem many organisations face from a regulatory standpoint is the need to manage that key infrastructure.
"You have to trust the people that manage [the infrastructure] and you have to trust the people who have access to your data, and that's a problem," he says. "We take the trust out of the equation because we're not built on keys or certificates; we're built on mathematical algorithms."
Shaw says when it comes to identity management, CIOs have an important role to play in the education of the employees within the organisation. "That's the way to get around the 'people peril' absolutely," he says. "We've noticed on some of the engagements that we've been doing where budget restrictions start to bite, unfortunately that's where clients tend to do the first budget cuts - in their education/evangelisation of the project."