Protection of Personal Information (PPI) and SharePoint – Part 2 of 2

Microsoft's answer to PPI is proper data governance.



Data governance involves the management of personal information in a manner that supports an organization’s mission, complies with imposed regulations as well as its own policies and aligns with customer expectations.

Examining how information flows throughout an organization over time, and how it is being accessed by multiple applications and people for various purposes, will clarify the areas where the organization should deploy technologies to protect private information. This information flow (also known as the Data Governance Life Cycle) comprises four key stages, within which an organization can construct many unique data governance scenarios to address specific considerations. The four stages are:

Collection: Personal information is usually collected from multiple sources (in person, online, via other systems, 3rd party, etc.), and the organization must establish appropriate controls that uniformly assure privacy-policy compliance regardless of collection method. This involves setting consistent standards and expectations in contracts with external partners that receive or manage the information, as well as addressing consumers’ desire for greater choice and control in how their personal information is collected. It also requires the organization to consider how these policies will be honoured throughout the lifespan of the data.


Storage: While protecting data stored only in a database is relatively straightforward, the task is far more complex as personal information scatters within and between organizations in unstructured forms such as e-mail, spreadsheets and text documents. As data in these forms is increasingly being stored on laptops and mobile devices, the risk of data breaches has risen sharply—which in turn may require organizations to implement more aggressive and sophisticated storage controls.


Usage: As information becomes increasingly fluid, it is also subject to access by multiple applications and people—including many that are outside the organization as a by-product of outsourcing agreements and partnerships. In this environment, ensuring that only the right people can gain access to this data and enforcing strict limits on their ability to take data outside the organization (such as on their laptops) are crucial considerations.
Usage also results in new data describing how the target data was used, when it was accessed, by whom and so on. This data represents a record of data use and is commonly called metadata. Importantly, all of the controls applied to the target data must also be applied to metadata.

Retention/destruction: Data storage is becoming cheaper every day, to the point where many organizations have found that the time involved in deciding which records to delete from their systems is more costly than simply retaining it all. However, this practice does not account for the liabilities associated with holding onto sensitive personal and confidential information after it has outlived its usefulness. Viewed from the standpoint of minimizing an organization’s exposure to risk from a data breach, the effort involved in setting a finite lifespan for sensitive data and enforcing policies for its automatic deletion or secure archival is a worthwhile investment.

A multifaceted approach to data governance involves a combination of policy, people, processes and technology.  While all components are essential for proper data governance, the technology component (like the use of SharePoint) will be the focus of this article.

Technology has a key role in enabling organizations to implement effective data governance processes, policies, and compliance with business practices and regulations.

An effective technology-based framework needs four essential elements to responsibly protect and manage personal information, mitigate risk, achieve compliance, and promote trust and accountability.  The four elements are:

More secure infrastructure: Safeguards that protect against malware, intrusions and unauthorized access to personal information and protect systems from evolving threats.

To help prevent unauthorized disclosure, organizations should build their IT infrastructure using software that is designed for maximum security (e.g. Microsoft Forefront and Microsoft Forefront for SharePoint*), and they should employ tools and services to continually protect against evolving threats.

* Forefront Security for SharePoint: Formerly called Antigen for SharePoint, this product helps organizations protect their SharePoint Portal Server and Windows SharePoint Services deployments against viruses, worms and inappropriate content. Using multiple anti-virus engines, it scans all documents as they are uploaded or retrieved from SharePoint document libraries. It also offers content-filtering capabilities that help prevent inadvertent or intentional posting of documents containing offensive language or other inappropriate content, as well as file types that potentially expose organizations to legal risk, such as MP3 audio files.

Identity and access control: Systems that help protect personal information from unauthorized access or use and provide management controls for identity access and provisioning.

To reduce the risk of a deliberate or accidental data breach, and to help organizations comply with regulatory requirements, Microsoft offers identity and access control technologies (e.g. Active Directory management via SharePoint) that protect personal information from unauthorized access while seamlessly facilitating its availability to legitimate users.

Information protection: Protecting sensitive personal information in structured databases and unstructured documents, messages and records by means such as encryption so that only authorized parties can view or change it throughout its life cycle.

Information rights management (IRM) technology extends the capabilities of Rights Management Services (RMS) into the Microsoft Office system and Internet Explorer. The 2010 Microsoft Office system provides even broader RMS capabilities through new developments in Microsoft SharePoint. Administrators can set access policies for SharePoint document libraries on a per-user basis. For example, users who have “view-only” access to documents in a library—but cannot print, copy or paste—will have those policies enforced by RMS, even when the document has been removed from the SharePoint site.

Auditing and reporting: Monitoring to verify the integrity of systems and data in compliance with business policies.

SharePoint administrators can set auditing policies to log activities such as reading, deletion and modification of documents, and monitor those policies through reports. They can also implement document-retention policies, such as “expiring” unneeded content after a certain amount of time.
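To show what the auditing and reporting step looks like in practice, here is an added PowerShell example (not from the original post or the Microsoft document it is based on) that uses the SharePoint 2010 server object model to turn on view/update/delete/permission-change auditing for a site collection and then report the delete events of the last 30 days. It assumes it is run in the SharePoint 2010 Management Shell as a farm administrator; the site URL and the report path are placeholders.

```powershell
# Added example: enable item-level auditing on a SharePoint 2010 site collection
# and report the delete events from the last 30 days. Run in the SharePoint 2010
# Management Shell (PowerShell v2) as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local/sites/hr"   # placeholder, not a real site
$site = Get-SPSite $siteUrl
try {
    # 1. Auditing policy: log reads, changes, deletions and permission changes.
    #    Keep the mask narrow; auditing "All" grows the audit table very quickly.
    $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]'View, Update, Delete, SecurityChange'
    $site.Audit.Update()

    # 2. Reporting: query the audit log for deletions in the last 30 days, so the
    #    data owner can confirm that destruction happened under the retention
    #    policy and not at the hands of an unexpected user.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).AddDays(-30))
    $query.SetRangeEnd((Get-Date))
    $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::Delete)

    $users  = $site.RootWeb.SiteUsers
    $report = foreach ($entry in $site.Audit.GetEntries($query)) {
        # Audit entries store only the numeric user id; resolve it to a login name.
        # A user removed from the site collection no longer resolves, so keep the id.
        $login = "unknown(id $($entry.UserId))"
        try { $login = $users.GetByID($entry.UserId).LoginName } catch { }
        New-Object PSObject -Property @{
            OccurredUtc = $entry.Occurred        # SharePoint stores audit times in UTC
            User        = $login
            Event       = $entry.Event
            Location    = $entry.DocLocation
        }
    }
    $reportPath = Join-Path $env:TEMP "delete-audit.csv"   # placeholder output path
    $report | Sort-Object OccurredUtc | Export-Csv -Path $reportPath -NoTypeInformation
    "{0} delete events written to {1}" -f @($report).Count, $reportPath
}
finally {
    $site.Dispose()   # SPSite holds unmanaged resources; always dispose it
}
```

Reviewing this report alongside the library's retention settings lets an administrator distinguish policy-driven expiry from manual deletion by a user who should not have had that right.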

A major data spillage, security breach or failure to comply with government regulations can have significant long-term implications for an organization’s bottom line and for its brand. Managing and protecting sensitive personal information is not only the right thing to do for customers, it’s also the right thing to do from a business perspective.

In combination with the right policies, people and processes, technology like SharePoint can help lay a strong foundation for a successful data governance strategy.

Reference:
Managing and Protecting Personal Information (excellent reference – most of the article is based on this document) - http://download.microsoft.com/download/c/0/c/c0ce4de0-3feb-46ca-93aa-da6851ae5a10/Managing%20and%20Protecting%20Personal%20Information_Microsoft_08.docx
