A lot of people probably heard the recent news story about actor George Clooney's medical records allegedly being inappropriately accessed or leaked to the press by hospital staff following his motorcycle accident.
It got me thinking about how private or sensitive information can be secured, and the implications beyond celebrities and the tabloids. Some of the same IT controls that can be used to enforce HIPAA policies in healthcare can also be used in the chemicals industry to protect intellectual property and security-sensitive information.
What if proprietary formula, test, or process data at a chemical company was released to competitors or suppliers, even accidentally? While some of this data is locked down in SAP or central information warehouses, there is a legitimate need to collaborate with other departments, third parties, and people who may not be "power users". How can you take steps to ensure that people can do their jobs while still protecting intellectual property?
There are three scenarios that come to mind:
1. The simplest is the accidental theft or loss of a laptop or a mobile device such as a PDA phone. What if you had an e-mail detailing confidential plans for a new product launch on your device?
- If it is a laptop running Windows Vista, you could use BitLocker drive encryption to ensure that no one would be able to read the info on your hard drive, even in a temporary swap or hibernation file.
- If it is a smartphone or PDA, you could log into your corporate Exchange Server account via web access and remotely "kill" the mobile device if you thought you couldn't recover it.
2. The second is document security. What if you had to share forecast data in Excel with feedstock suppliers who also serve your competitors? What if you need to legitimately share schedules with subcontract logistics providers that operate within your facilities, but wanted to minimize the security risk of this information being passed outside without your knowledge?
- You could use the Rights Management functionality within Office and Windows Server to restrict what people can do with certain documents and e-mails. For example, when sending a forecast to a supplier, you want them to view it, but not to edit, forward, copy, or print the information, all of which represent means by which the forecast could "leak" to unauthorized viewers. Or if you do this weekly, you could set a 1-week expiration date on the e-mail so that there are not old copies of your forecast sitting around on your supplier's computer. With a trusted subcontractor that operates on-site, you might want that person to be able to edit, respond to, and print the information, but only be able to forward it to internal e-mail addresses. You can define role-based permissions that are based on how each person's identity is maintained in your corporate directory.
- You could also prevent unauthorized users from even finding the sensitive information using the role-based results capability in Enterprise Search. If you are talking about product formulas, the research team needs to be able to search and find this info to do their jobs, but an administrative assistant may not. When the assistant searches the intranet, the sensitive document will not even show up in their search results since they are not authorized to view it.
3. The third is team collaboration. This may apply internally, such as when the R&D, marketing, manufacturing, and supply chain functions need to collaborate on a new product launch. This may also cross the company boundary, such as collaboration with suppliers, or toll manufacturing within a shared facility.
- Groove is a great tool here – all the data is encrypted both on the desktop and in-transit over the network, it provides a full collaboration suite including instant messaging and custom "tools" within the context of a given project, and the project data can be controlled and deleted from team member's laptops by the project leader when the project is done so that it's not hanging out there. In addition, the documents can be synchronized to a Sharepoint document library so that they can be archived and made available more broadly within the company's information management infrastructure.
- You could use Unified Communications to enable all of the popular forms of collaboration such as online meetings and instant messaging, but subject to the same corporate policies that apply to e-mail and systems access control. For example, you permit instant messaging, but prevent certain file types from being sent or received via that medium.
In summary, we can learn some lessons about information security from the George Clooney incident:
- Access to sensitive information can be restricted to only the immediate teams that need it to do their jobs.
- Documents can be protected with rights management to control someone's ability to pass information outside the company.
- Team collaboration, even with external partners, can be enabled using tools such as Groove and Unified Communications that keep the collaboration secure and subject to corporate IT policies.
- Marc from the Chemicals Team