Security Controls and the EDMS
If you can’t control access to the documents and data held in the EDMS, what is the point of the system? Some of the basics of risk management as it relates to security controls are as follows.
The big three:
* Before the event: preventive controls are intended to stop an incident from occurring in the first place, e.g. by denying access to unauthorized users.
* During the event: detective controls are intended to identify and characterize an incident in progress, e.g. by sending an intruder alert to the administrator.
* After the event: corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by restoring the enterprise to normal working status as efficiently as possible.
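To make the three control types concrete in EDMS terms, here is an added example (not code from the original post, and not from any real EDMS product). It models a toy document store in which an ACL check is the preventive control, an audit trail plus a denial counter is the detective control, and version rollback is the corrective control. The class and method names, and the alert threshold of three denied attempts, are assumptions chosen for illustration.

```python
"""Toy EDMS showing preventive, detective and corrective controls.

Added example with hypothetical names; not from any real product.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: three denied attempts by one user is enough to alert on.
DENIAL_ALERT_THRESHOLD = 3


@dataclass
class Document:
    owner: str
    readers: set       # users allowed to read
    editors: set       # users allowed to write
    versions: list     # content history; the last entry is current


class EDMS:
    def __init__(self):
        self.docs = {}
        self.audit = []                   # detective: every access decision
        self.denials = defaultdict(int)   # detective: denied attempts per user

    def create(self, owner, doc_id, content, readers=(), editors=()):
        self.docs[doc_id] = Document(
            owner, set(readers) | {owner}, set(editors) | {owner}, [content]
        )

    # Preventive control: the ACL check runs before any content is
    # returned or changed, so an unauthorized user never touches the data.
    def _authorize(self, user, doc_id, action):
        doc = self.docs[doc_id]
        allowed = user in (doc.readers if action == "read" else doc.editors)
        self.audit.append((user, doc_id, action, "ALLOW" if allowed else "DENY"))
        if not allowed:
            self.denials[user] += 1
            raise PermissionError(f"{user} may not {action} {doc_id}")
        return doc

    def read(self, user, doc_id):
        return self._authorize(user, doc_id, "read").versions[-1]

    def write(self, user, doc_id, content):
        self._authorize(user, doc_id, "write").versions.append(content)

    # Detective control: report users whose denied attempts reached the
    # threshold, the equivalent of the "intruder alert" to the administrator.
    def alerts(self):
        return sorted(u for u, n in self.denials.items() if n >= DENIAL_ALERT_THRESHOLD)

    # Corrective control: roll a document back to a known-good version.
    # The rollback is appended rather than truncating history, so the
    # bad version survives for forensics.
    def restore(self, admin, doc_id, version):
        doc = self.docs[doc_id]
        if admin != doc.owner:
            raise PermissionError("only the owner may restore a document")
        doc.versions.append(doc.versions[version])
        return doc.versions[-1]


def demo():
    """Walk through all three controls; returns (alerts, restored_content)."""
    edms = EDMS()
    # Constructed sample data: alice owns a contract that bob may only read.
    edms.create("alice", "contract-1", "draft v1", readers={"bob"})
    assert edms.read("bob", "contract-1") == "draft v1"
    try:
        edms.write("bob", "contract-1", "tampered")   # preventive: denied
    except PermissionError:
        pass
    for _ in range(DENIAL_ALERT_THRESHOLD):           # detective: repeated denials
        try:
            edms.read("mallory", "contract-1")
        except PermissionError:
            pass
    edms.write("alice", "contract-1", "draft v2")     # legitimate edit
    restored = edms.restore("alice", "contract-1", 0) # corrective: back to v1
    return edms.alerts(), restored


if __name__ == "__main__":
    print(demo())
```

In a real EDMS the audit list would be a tamper-evident log and the alert would go to a SIEM rather than a Python list, but the separation of concerns is the same: the check that blocks, the record that reveals, and the rollback that repairs.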
And from our friends at Wikipedia, the twelve control areas of ISO/IEC 27002, which are as close to a bible of document management security as you will find:
1. Risk assessment and treatment – analysis of the organization’s information security risks
2. Security policy – management direction
3. Organization of information security – governance of information security
4. Asset management – inventory and classification of information assets
5. Human resources security – security aspects for employees joining, moving and leaving an organization
6. Physical and environmental security – protection of the computer facilities
7. Communications and operations management – management of technical security controls in systems and networks
8. Access control – restriction of access rights to networks, systems, applications, functions and data
9. Information systems acquisition, development and maintenance – building security into applications
10. Information security incident management – anticipating and responding appropriately to information security breaches
11. Business continuity management – protecting, maintaining and recovering business-critical processes and systems
12. Compliance – ensuring conformance with information security policies, standards, laws and regulations
Tomorrow…Access Control