How Secure is Your Organization’s Data?
A July 15th Wall Street Journal article highlights a recent case that puts the Food and Drug Administration (FDA) at the center of a data security breach.
The FDA is investigating how its document management vendor inadvertently made public some 75,000 pages of confidential data about the approval of medical devices – many related to the FDA monitoring of e-mails sent and received by a number of current or former agency scientists regarding concerns about how the FDA was evaluating and approving new medical devices.
In the midst of responding to document requests related to the lawsuit filed, the FDA’s vendor allegedly mishandled the documents by publicizing them via the Internet for a period of several days back in May of this year.
The situation highlights how critical comprehensive data security protocols and procedures are for any organization, especially those that deal with high volumes of confidential data. The FDA case unfortunately highlights the risk an organization can expose itself to when delegating highly sensitive business processes, like document management and electronic discovery, to a third party.
Security models can differ widely among third-party service providers—especially when those documents are hosted in the cloud. Below are key questions to ask when entrusting your data to a third party document management and e-discovery provider.
1. What authorization, authentication and user permission mechanisms are in place?
When data is hosted in the cloud, authorization, authentication and user permissions processes check and confirm that approved users are actually approved to access the data and never see data they should not be viewing.
2. Is your provider using a public or private cloud?
The difference between public and private clouds is important to understand in a document management and e-discovery context. A public cloud, such as Amazon EC2, Amazon Web Services and Google Apps, uses shared hardware, software and applications that are accessible by the public. A private cloud, whether deployed by an organization behind its corporate firewall or a third-party provider, utilizes the same technical requirements but only allows access to authorized users.
3. How robust are the audit capabilities and documented chain-of-custody for your data?
Your provider should offer end-to-end audit capabilities and create documented chain-of custody for all data and actions, including logins, document reviews, print outs, coding edits and updates, and archive these logs to an off-site facility that is readily accessible.
4. What disaster recovery, redundancy and business continuity capabilities does your provider offer?
In order to quickly restore vital business functions in the event of a disaster, a provider should have an extensive disaster recovery and business continuity plan in place – one that is regularly tested and audited for full site failover capabilities to validate that service redundancy features remain current and available. Additionally, having a secondary data center with real time back-up and equivalent processing power to the main site maximizes data protection and ensures uninterrupted data synchronization between the two locations.
Because many organizations are investing more in security and analysis, using a third party provider often times makes sense. But in spite of the expectation that vendors will enforce stringent policies, organizations can further reduce their risk of exposure by insisting on necessary protocols. Through proper use of the cloud, organizations can reduce risk and exposure as well as provide proven, consistent data protection processes.
About the Author