As organizations continue to collaborate online, they must balance the free flow of information against the need to protect information that may be sensitive. Delivering products or services that support this dichotomy requires new methods to protect company and customer information. Additionally, two prime goals of software engineering are to develop new products by applying new methodologies and to develop innovative methods to improve existing products. These considerations were central to bringing new technology to market in AvePoint Compliance Guardian Service Pack (SP) 2. In the latest edition of Compliance Guardian, we implemented a new methodology to refine the free flow of information while protecting the security of the data as needed. We accomplished this by augmenting the platform’s human interaction capabilities with a human auditor function.
The concept of human review is not new to Compliance Guardian. It has been there since the initial release, and human auditing is, of course, the precursor to the technology. The new release simply makes available a comprehensive review and action capability to both allow for and plan on exceptions. Compliance Guardian monitors and acts on content based on the outcome of rule-based analysis of data either at rest or in motion. The rules can be simple or complex and the outcomes fall into one of the following categories:
- Not Applicable
- Requires Human Review
In the above list, the fourth item specifically states human review of a document or stream of data is required to complete evaluation of the status. Compliance Guardian’s Human Review feature allows compliance workers to find, review and then change the status of this information to either “Passed”, “Failed”, or “Not Applicable”.
Additionally, there may be some circumstances where the results of an automated check are technically accurate, but the results nonetheless need to be changed because of an allowed exception. In other words, the rule and the system, performing as designed, may correctly block a piece of content or a file, but a compliance worker wants to make an exception for that specific piece of content or file. The rule itself should not change – just the results for the specific file or files. In this case, Compliance Guardian’s Human Auditor feature gives the compliance worker the capability to change the outcome of the validation for one or many files. We call this “exception handling.” These individual or group rule outcome changes can then better reflect the classification and usage of the data policies, supporting an organization’s mission while still providing the level of data security and/or monitoring required by the organization’s compliance program.
The system also allows the compliance worker to deal with files that failed validation but should not have failed – commonly referred to as a “false positive” in the industry. A common case may be identifying social security numbers and either quarantining a file or redacting the data inline. For example, an automated check may identify a number occurring within a document as a social security number that is actually a company product part number that cannot be programmatically filtered. In this case, the disposition of the content needs to be changed and the data needs to be restored to usable status. The Human Auditor allows this change to be made. In order to make this effective, the system supports the ability to then mark the file(s) to not be validated again unless the content itself or the validation rules are modified, thus making the exception for similar cases moving forward.
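An added example, not AvePoint's code or part of the original post, of the exception rule above: a reviewer's override is bound to a hash of the file content and a hash of the rule set, so the file is skipped on later scans only while both are unchanged, and each override is recorded. The names `ReviewStore`, `fingerprint` and `RULES`, and the sample SSN-shaped rule, are assumptions made for illustration.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed rule set (assumption): one SSN-shaped pattern, NNN-NN-NNNN.
RULES = {"ssn": r"\b\d{3}-\d{2}-\d{4}\b"}

def fingerprint(content: bytes, rules: dict) -> tuple:
    """Hash the content and the rule set an exception is granted under."""
    rules_blob = json.dumps(rules, sort_keys=True).encode()
    return (hashlib.sha256(content).hexdigest(),
            hashlib.sha256(rules_blob).hexdigest())

class ReviewStore:
    """Hypothetical store for reviewer exceptions and their audit trail."""

    def __init__(self):
        self.exceptions = {}   # path -> (fingerprint, reviewer-set status)
        self.audit_log = []    # append-only record of every override

    def validate(self, path: str, content: bytes, rules: dict) -> str:
        fp = fingerprint(content, rules)
        granted = self.exceptions.get(path)
        if granted and granted[0] == fp:
            return granted[1]            # exception still applies: skip the rules
        self.exceptions.pop(path, None)  # content or rules changed: exception is stale
        text = content.decode("utf-8", errors="replace")
        hit = any(re.search(pattern, text) for pattern in rules.values())
        return "Failed" if hit else "Passed"

    def override(self, path, content, rules, reviewer, status, reason):
        if status not in ("Passed", "Failed", "Not Applicable"):
            raise ValueError("unknown status")
        fp = fingerprint(content, rules)
        self.exceptions[path] = (fp, status)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "path": path, "reviewer": reviewer, "status": status,
            "reason": reason, "content_sha256": fp[0], "rules_sha256": fp[1],
        })
```

Binding the exception to both hashes means an edited file or a modified rule set silently invalidates it, so a false-positive override cannot hide sensitive data added to the file afterwards.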
In summary, the new Human Auditor capabilities allow organizations to greatly extend their confidence in the results of their automation system and to validate that their company and customer data is protected in such a manner that the organization is compliant with internal and other regulatory requirements. Additionally, beyond the ability to review outcomes for required human review, exceptions and/or false positives, there is also now an audit capability so the organization can track every override of the system, every rule outcome change, and every rule or test suite modification.