Information Security & Governance
Information Security & Governance - Overview
The challenge of protecting business critical information has never been greater, with the increasing amounts, remote and mobile sources, different formats, and value of information — coupled with the rising costs and financial penalties for failure. Most important of all, earning your customers’ trust by securely managing their private information is essential to keeping and growing your market share.
The average organizational cost of a data breach this year increased to $4 million, up 18 percent from 2009… The United States had the most expensive average cost of $7.2 million. Germany came in second with $4.7 million. The United Kingdom and France had nearly identical average costs at $3.1 million apiece. Australia had the cheapest average cost of $2 million.[1]
These “organizational costs” include only those from breaches of personally identifiable information (PII), not compromised sensitive customer information or intellectual property, and do not account for fines, lawsuits, or damage to brand or customer trust and loyalty.
The majority of information security breaches come from within the organization, whether through negligence, incompetence, or malicious intent.[2]
[Figure: Internal issues are the most frequent causes of security breaches]
Protecting critical information is not limited to digital data. Much business information, especially customer data, resides on paper. Paper documents remain a significant source of business critical information for knowledge workers, second only to email, and ahead of digital forms and documents.[3] In Europe, 42.5% of business critical information exists in hardcopy format only.[4] A breakdown by business function is available.[5]
Employees steal data in different ways. Notably, most employees (61%) who stole valuable customer and other business information took it in the form of paper documents or hard files.[6]
C-Level executives recognize the increasing value of business information and the need to prioritize a security policy. They are elevating and broadening their information governance charter, making it a strategic priority that extends beyond IT alone. In fact, one of the primary drivers for improving business critical document management processes (input, throughput and output) is improved security.[7]
[Figure: Key aims and objectives for business critical document management processes]
Internal security threats and lapses can be addressed with well-articulated information governance policies, employee training and a more secure information infrastructure that covers business critical information throughout its lifecycle: during its creation, movement through a business and, ultimately, secure destruction.
Security Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.[8]
Regulations governing the security of business information have proliferated well beyond PII breach notification laws,[9] for example:
- Sarbanes-Oxley (SOX) in the US, and international equivalents like Bill 198 in Canada, Financial Instruments and Exchange Law in Japan, and the Companies (Audit, Investigations and Community Enterprise) Bill in the UK
- Payment Card Industry Data Security Standard (PCI DSS)
- Service Organization Control (SOC) 1, 2, & 3 (formerly known as SAS 70)[10]
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
Business information security is best approached as a layered defense based on a broad framework, such as the ISO/IEC 27000 series of information security standards, Basel II for the banking industry, or, for IT specifically, the risk mitigation guidelines provided by COBIT.[11] Both the European Network and Information Security Agency (ENISA) and the National Institute of Standards and Technology (NIST) have also published information security guidelines.
These guidelines frequently serve as the underpinnings for information regulations, such as the Federal Information Security Management Act of 2002 (FISMA), based on NIST, or the European Union Data Protection Directive (Directive 95/46/EC), originally based on the Organisation for Economic Co-operation and Development (OECD) data privacy guidelines.
But compliance with regulations alone is not a business information governance policy. Businesses must know where their sensitive data resides and who has access to it, or should have access, at every stage of the document lifecycle. Front-runners are proactive about creating a culture of security and secure their business critical data end-to-end, including input and output devices throughout the infrastructure. This is easier said than done.
Many organizations have trouble fully understanding how and where data flows across the organization, as well as establishing clear ownership of and accountability for such data.[12]
Ricoh MDS helps you keep your information capital secure throughout the three fundamental parts of document management: input (the creation of information), throughput (how information moves around a business), and output (processing information in a way to add business value).
We work to understand how your enterprise accesses, uses and stores both print and electronic information. We adapt and optimize those processes so you can make them more secure — by focusing on processes, people, infrastructure, print and content security. You can align our solutions with your existing governance policies. Building upon our experience derived from service to a diverse customer base, we will help you close information security vulnerabilities before a costly crisis erupts. Ricoh can identify MDS solutions that can protect your customer data, letting you focus on building a relationship of trust with your customers around the globe.
[1] Ponemon Institute, LLC. 2010 Annual Study: Global Cost of a Data Breach. Sponsored by Symantec, May 2011.
[2] Accenture. How Global Organizations Approach the Challenge of Protecting Personal Data. Dec 16, 2009.
[3] Del Prete, Crawford, Takashi Miyazono and Angèle Boyd. Controlling Today’s and Tomorrow’s Information Costs. IDC, 2011.
[4] Ricoh Process Efficiency Index, conducted by Coleman Parkes Research, June 2011.
[5] Ricoh Process Efficiency Index, conducted by Coleman Parkes Research, June 2011.
[6] Ponemon Institute. Data Loss Risks During Downsizing. 2009.
[7] Ricoh Process Efficiency Index, conducted by Coleman Parkes Research, June 2011.
[8] IT Governance Institute. Board Briefing on IT Governance, 2nd Edition.
[9] “A New Era of Compliance: Raising the Bar for Organizations Worldwide.” A report based on discussions with the Security for Business Innovation Council, Volume 3, Fall 2010. Sponsored by RSA.
[11] ISACA. Control Objectives for Information and Related Technology (COBIT). http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
[12] Accenture. Data Privacy and Protection at the Tipping Point: How Global Organizations Approach the Challenge of Protecting Personal Data.
Information Security & Governance - Business Outcomes
Prioritizing Security Efforts
You want to identify and map where your business critical information resides and how it is used in order to prioritize your security efforts.
Understanding where your sensitive data resides is fundamental to being proactive about creating a culture of security. Enterprises embodying a culture of security experience fewer breaches and can more successfully maintain their customers’ trust.
Ricoh MDS Output Analysis identifies the type, location, layout and connectivity of each device in your business critical document processes, along with the supporting IT infrastructure: factors such as the network protocols in use (TCP/IP, IPX/SPX), type of servers, integrations to back-end systems, etc. This “map” helps in evaluating potential security issues and prioritizing opportunities for improvement in device and network security.
Examining output infrastructure is only part of the picture; Ricoh MDS Process Analysis also looks at the strength of your security in the input and throughput processes of your business critical information. This process analysis includes taking into account human factors as well as the technical components.
Together, these services can provide baselines to help you design specific initiatives to optimize security measures so they better align with your strategic information governance objectives.
Not All PR is Good PR
You are acutely aware of highly publicized business information breaches; recovering from them can be operationally costly, can result in fines, and most importantly, they can damage your reputation and relationship with customers.
Ensuring your information governance is comprehensive and defensible and practiced consistently across the enterprise keeps you safely out of the news—and protects your bottom line.
Strategies and policies for strengthening device security are an important part of the Ricoh MDS Output Solution Design service. Recommendations may include stronger data encryption, user authentication, deployment of locked and follow-the-user printing, secure fax routing, and data overwrite. Ricoh MDS can help you design continuity plans for mission-critical devices.
Ricoh MDS Process Solution Design provides for fortified security measures based on the analysis of your current business critical document processes and the technology that supports them (IT platforms, equipment, software, data migration and facilities).
In order to fully realize the benefits of security improvements in processes and technology, you must also ensure that the people who use them are on board. Ricoh has built a comprehensive organizational change management methodology around a framework from the Association of Change Management Professionals (ACMP) that balances the subjective, qualitative and emotional elements of behavior change.
Doing much with limited resources
You have been tasked with managing security across all current operations and locations—a huge undertaking given limited resources.
Outsourcing to a trusted partner can help you meet corporate security mandates while working within your current staffing levels. You may be able to achieve a better security posture because you can leverage your partner’s broad and deep experience derived from service to a diverse customer base. Choosing the right managed service provider enables consistent security management across departments (from AP to HR to Manufacturing) in locations across the globe.
Ricoh MDS Security Management service can be leveraged to help you identify and develop controls to mitigate risks to the confidentiality, integrity, and availability of your business critical information throughout the document lifecycle—including setting sensitive information to expire automatically and ensuring outdated information is made unavailable.
These controls help ensure that deployed security technology fully corresponds to the enterprise’s information security objectives and policy. The controls protect confidential business critical information that needs to be shared with the appropriate employees, customers, and partners, providing consistent protection for sensitive documents even after they have been saved to a user’s desktop from a repository (e.g., a network share, e-mail, or an electronic content management [ECM] system).
Security best practices are built into Ricoh MDS Document Lifecycle Services. Leveraging Ricoh’s experience derived from serving a global, diverse customer base allows you to focus on core business processes rather than on managing specific security tasks related to document input, distribution, output, archival, and disposal.
For example, Ricoh MDS Document Lifecycle Services can help ensure valuable corporate information is available at the right time in the right format, in a secure and compliant manner. Ricoh MDS can also help by storing or archiving documents required for legal or compliance purposes for future use, with an audit trail to track user activities within documents and throughout the system.
Ricoh MDS can identify a secure document disposal solution to address compliance and environmental challenges of destroying documents at the end of their useful life. For example, with a certificate of destruction, you can be assured that your company’s sensitive information is legally and credibly destroyed.
Measuring and Monitoring Security Performance
You are looking for ways to measure and monitor your information protection performance, such that your security program meets your corporate governance, risk management, and compliance (GRC) objectives.
Demonstrable and measurable Key Performance Indicators (KPIs) around information governance programs are critical for compliance and audits, and for proactively creating a culture of security.
By providing accurate and timely reports on document centric activity, Ricoh MDS Management Information Reporting can give you the information you need to make sound, proactive, and defensible data protection decisions. These reports can be departmental or global, and aligned with corporate governance objectives.
The single point of contact (SPOC) offered by Ricoh MDS Service Desk Integration can be used to increase control over your printer fleet infrastructure and its end-user activity. The expertise provided can be leveraged to help you ensure appropriate security protocols are deployed and functioning as required, and to alert management to anomalous behavior.
Ricoh MDS can provide a single point of contact for managing multiple vendors, and monitoring Service Level Agreements (SLAs). Ricoh MDS Multi-Vendor Management simplifies reporting, escalation activities, and consistent application of security protocols. Ricoh MDS Service Level Management monitors service levels, and can be structured to include adherence to security requirements enterprise-wide to help you achieve contractual obligations. By maintaining a high level of device uptime, you mitigate risk to business critical document processes and business continuity.
Protecting Persistent Data
You are aware of the need to protect your business critical information including customer data that is printed and persists on devices throughout the organization.
By extending security to the edges of the information enterprise, including both mobile platforms and document devices, you decrease risk and ensure maximum protection of customer and other business critical data.
Ricoh’s IMAC-D (Install-Move-Add-Change-Disposal) service performs proactive portfolio management for devices to improve availability and protect business continuity. The service also includes safe and secure removal of customer data still held on hard drives, with an option for complete onsite destruction of customer-specific data.
Ricoh MDS Delivery Installation and Configuration service can be structured to identify whether hardware and software solutions and network connectivity are not only set up to work correctly, but are configured according to the security policies and procedures that you have defined regardless of their geographical location of operation. Select Ricoh hardware devices have obtained Common Criteria certification conforming to the IEEE 2600.1 international standard for IT security products.
Information Security & Governance - Best Practices
Securing your information capital throughout the document lifecycle preserves the trust your customers place in you to protect their personal and private information—and potentially grow the relationship. Comprehensive information governance also helps mitigate the cost and risk of non-compliance with growing business information regulations.
Ricoh is a global leader in MDS. The knowledge and best practices we accumulate in thousands of engagements worldwide become powerful assets in our Ricoh MDS portfolio. Application of this knowledge and these best practices is the engine that drives our continuous improvement efforts.
Here are some best practices derived from Ricoh MDS customer deployments that you could employ to help realize the benefits of comprehensive information security governance:
- Define Information Access Based on User Credentials
- Extend Security Policies to the Edges of the Enterprise
- Encrypting Business Data on Devices
- Monitor Security across the Entire Document Lifecycle
- Secure Destruction of Information on the Device
Define Information Access Based on User Credentials
Access to business information is best governed by role-based authentication of individuals or groups. Authentication can use a password or an ID card validated against authentication services and user directories such as Kerberos, LDAP, Microsoft Active Directory or Novell eDirectory. Permissions can be restricted at the document or folder level, by application, or at the device by function, e.g. fax, copy, scan, print, and color or black-and-white output.
Extend Security Policies to the Edges of the Enterprise
A comprehensive security policy optimizes and manages device security features and usage. Protecting the core of your infrastructure must be accompanied by adequate defenses at the periphery, where business information is input and output and cannot be left unmanaged. Remote monitoring and reporting tools can assist in consistently managing diverse, distributed devices across the global enterprise.
Encrypting Business Data on Devices
Encrypting business data is a given, but there are points of vulnerability specific to devices where encryption is frequently overlooked or not consistently deployed. Some of these include:
- storage of user IDs, passwords, and address books
- S/MIME protection for scan-to-email, and PDF password encryption
- encryption of all data stored on the device hard drive and NVRAM
- all network communications with the device, e.g. transport-layer (SSL/TLS) and network-layer encryption
Monitor Security across the Entire Document Lifecycle
A security policy protecting business critical information must cover its input, movement throughout the business, output, and storage (including secure scheduled destruction). Administrators need visibility into the document lifecycle and should be able to track and record all activities at each stage. An audit trail should include traceable information that contributes to compliance reporting and alerts you to potential information security threats.
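As an added illustration of the two practices above (device permissions by role and function, and an audit trail that surfaces suspicious activity), the following is example code, not Ricoh's own; the role-to-function policy, group names and log fields are assumed for demonstration.

```python
# Added example (not Ricoh's code): a role-based policy check for multifunction
# device operations, with an audit trail of every decision.
# The group-to-function policy and the record layout are assumed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Device functions named on the page; colour output is treated as a separate privilege.
FUNCTIONS = {"fax", "copy", "scan", "print", "color"}

# Directory group -> functions that group may use on the device (assumed policy).
ROLE_POLICY = {
    "Staff": {"copy", "print", "scan"},
    "Finance": {"copy", "print", "scan", "fax"},
    "Marketing": {"copy", "print", "scan", "color"},
    "Admins": FUNCTIONS,
}


@dataclass
class AuditEntry:
    when: str
    user: str
    function: str
    allowed: bool
    reason: str


@dataclass
class DevicePolicy:
    trail: list = field(default_factory=list)

    def allowed_functions(self, groups):
        """Union of the functions granted by every directory group the user holds."""
        perms = set()
        for g in groups:
            perms |= ROLE_POLICY.get(g, set())
        return perms

    def authorize(self, user, groups, function, color=False):
        """Decide one request and always record it; unauthenticated users get nothing."""
        if not user:
            return self._record("<anonymous>", function, False, "not authenticated")
        if function not in FUNCTIONS:
            return self._record(user, function, False, "unknown function")
        perms = self.allowed_functions(groups)
        if function not in perms:
            return self._record(user, function, False, "function not granted to role")
        if color and "color" not in perms:
            return self._record(user, function, False, "colour output not granted")
        return self._record(user, function, True, "ok")

    def _record(self, user, function, allowed, reason):
        stamp = datetime.now(timezone.utc).isoformat()
        self.trail.append(AuditEntry(stamp, user, function, allowed, reason))
        return allowed

    def repeated_denials(self, threshold=3):
        """Users denied at least `threshold` times: a simple signal worth alerting on."""
        counts = {}
        for e in self.trail:
            if not e.allowed:
                counts[e.user] = counts.get(e.user, 0) + 1
        return {u: n for u, n in counts.items() if n >= threshold}
```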
Secure Destruction of Information on the Device
Scanned, copied, and printed documents remain in the non-volatile memory of input/output devices. Businesses need the ability to overwrite stored business information so that it is unrecoverable, as required for compliance with various information privacy and security requirements and laws.
Information Security & Governance - How We Solve This
The Ricoh MDS Services Delivery Portfolio offers all the services required to design, construct, maintain, and optimize a highly efficient information infrastructure that is aligned with your information security goals and governance needs. Examples of Ricoh MDS service offerings are:
- Output Analysis
- Process Analysis
- Output Solution Design
- Process Solution Design
- Delivery Installation & Configuration
- Document Lifecycle Services
- Document Process Optimization
- Environmental Sustainability Governance
- Management Information Reporting
- Service Level Management
- Security Management
- Multi-vendor Management
- Asset Management
- Service Desk Integration
While every Ricoh Managed Document Services Engagement is unique and tailored to your environment, you can see examples of Ricoh MDS services that address Information Security & Governance.