When rolling out an enterprise social networking platform, or any collaboration platform, there is a natural tension between the need to share and security considerations. This four-point checklist provides a path for maximizing the benefit to a business of advanced collaboration tools without sacrificing data confidentiality.
1. Identify Who Owns the Information
This is the necessary starting point. The information owners should be the relevant business owners. However, in many organizations IT has become the owner by default, because IT manages the infrastructure where the information resides. When rolling out an enterprise social network you need to address the concerns of IT and of the following stakeholders.
IT – manages the collaboration infrastructure and the technical security controls (authentication, authorization, etc.).
Internal communications – provide collaboration services to the business and involve key stakeholders from HR, legal, and marketing.
Finance – will need to see the ROI of a social collaboration project and may have a direct reporting line down to the Chief Security Officer (CSO).
Security – in any collaboration project, the CSO and team will have a natural concern for security. These concerns can be addressed with an understanding of the criticality of the shared data, the associated risk, and appropriate risk control measures. These points are addressed below.
2. Classify the data
There will be stakeholders who are naturally concerned about technology that disseminates your organization’s information. It is important to address these concerns by understanding the criticality of the data through a data classification policy. A data classification policy undertakes a business impact analysis of the data and assigns responsibility for that data to the information owners. Often this work has already been done within the organization; in that case there is already a model for determining what information is appropriate to share through a new collaboration tool. Otherwise, a good document describing what a data classification system is can be found here.
3. Risk
Stakeholders in a collaboration project may be concerned about the risk of lost data. The best way to manage stakeholder concern is to quantify the risk that lost information presents to the organization. A risk matrix is surprisingly effective in quantifying the risk posed to an organization. Section 3.7 of this National Institute of Standards and Technology document gives good advice on risk determination and on what a risk-level matrix is. Using such a matrix quantifies the risk to the organization. Once a problem is quantified, a risk control measure can be applied, rather than delaying or stopping an otherwise good project.
4. Risk control measures
If the risk is sufficiently low, the business may continue the collaboration project without additional risk control measures. If the level of risk is unacceptable, there are many control measures available to protect data. These controls should be applied only where they are appropriate and sufficient for the risk they need to address. Inappropriate controls alienate users and are counterproductive to collaboration. Appropriate controls, however, enhance collaboration, because conscientious users feel that they can safely use the collaboration tools to get their job done. Examples of technical controls include transport encryption, appropriate authentication controls, and data-at-rest encryption at the database, client device, and document levels.
When organizations understand the value of their information and the risk that its loss poses to the organization, they can apply these appropriate controls where needed.