When considering your choices for communications and collaboration systems compliance, it is important that you also think about the available methods and processes to identify and address items or communications that create risk.
There are many categories of risk, and within collaboration systems they include the unintended release of:
· Company, customer, or employee sensitive security information (SSI)
· Customer payment account information
· Personally identifiable information (PII)
· Protected health information (PHI)
Beyond the release of information, you can also have problems stemming from the release of inappropriate communications that could expose your organization to civil action. The possible risks, consequences, and penalties are in many cases specific to your state, country, political region – or even down to local city or county regulations.
AvePoint provides solutions that can not only surface risk and risk areas, but also audit and limit the risk. While eliminating risk on rich internet, internet, or networked communication systems is not entirely possible, it also should not be your main concern. Instead, your main concern should be operating your organization in the manner that achieves your goals while managing and mitigating risk. You must not only surface a risk, but also rate it: the likelihood of being impacted by it, and its real impact weighed against other risks.
This is an area in which AvePoint is uniquely positioned to help provide automated methods allowing compliance and risk professionals to easily complete their jobs. Let’s take a few moments to discuss what a risk or security officer does after surfacing the risk. For this discussion, let’s assume that risk is equal to the vulnerability/exposure multiplied by the impact. Some vulnerability and exposure questions include, but are certainly not limited to:
· Is the defined risk item discoverable by automated tools?
· Is the defined risk item secured by access rights?
· Are information collection systems transmitting securely and at prescribed levels?
· Is the information easily accessible when it should not be available?
· Is information not accessible according to internationally recognized accessibility guidelines when it should be?
The list above is a simple illustration of concerns that go much deeper, and is intended only as an example. Next, after we define the exposure, we need to understand and rate the impact. Here is a brief list – again, not exhaustive – of items that will be part of our impact assessment:
1) Exposure/Loss of Confidential or Sensitive Information (SSI, PHI, PII)
· Non-sensitive data released
· Small amount of sensitive data released
· Extensive non-sensitive data released
· Extensive sensitive data released
2) Loss of Availability
· Is information not accessible and consequently preventing completion of an essential task?
· Is information not accessible, therefore limiting needed information?
· Is complementary or non-essential information not available?
· Is information not available to a small population of technology users?
· Is information not available to a large population of technology users?
3) Lack of Accountability
· Was data exposure available anonymously?
· Is an access log somewhat available?
· Is the data not accessible at all?
Looking at this brief and illustrative list, we can see that there are different levels of impact. However, we must go beyond this specific standard or technical impact and factor in risk values based on business impact, which can come in several forms:
1) Non-compliance as related to level of violation and exposure. This is also related to profile of exposure from a low to high priority for the policy groups listed below, including but not limited to:
· Cookie Regulations
2) Damages – be it financial, position, or placement in a community – are real and need to be factored into the risk assessment. Again, we need to look at the level of damage and how it relates to exposure – a couple of types of possible damages are listed below:
Based on the above information, we can then do the work of determining real risk. This risk can be calculated automatically via a system or process, or by a combination of system and human review and analysis.
The AvePoint Testing Language (ATL) provides the solutions and capabilities to automate the risk analysis mentioned above, and it all starts with an attribute, “RiskLevel”. The risk level can be set on specific rules so that you can accurately and systematically determine the exposure of the risk item and then compare it to the technical and business impacts. When combined with AvePoint risk formulas (either available out of the box or ready for your customization), you can quickly move from the surfacing of a risk to its severity. Severity can take the factors listed above and determine risk by using simple or complex formulas, depending on your organization’s specific needs.
If we start with our raw risk (r1), then consider the exposure and vulnerability – essentially the count of errors and the rate of increased risk (r2) – and then apply the impact, i.e. what the number would represent in damages (r3), we come up with a risk sum (rs), which provides you with the information you need to take the necessary steps for resolution. In the case of documents, we can create a summary based on all checks and the variables discussed above to provide a relative risk per collection or site. Here is an example formula: rs(n)=(rs(n-1)+((rs(n-1)+((rs(n-1)+r1)+(r1*r2))*r3))).
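The following is an added worked example of the r1/r2/r3 roll-up described above; it is not Compliance Guardian or ATL code. The ordinal weights for the exposure questions and impact tiers, the sample findings, and the balanced-parentheses reading of the recurrence rs(n) = rs(n-1) + (rs(n-1) + ((rs(n-1) + r1) + (r1 * r2)) * r3) are all assumptions made for the example. It also goes slightly beyond the text by ranking several collections by their risk sum so a compliance officer can see where to act first.

```python
"""Per-collection risk roll-up using raw risk (r1), exposure (r2) and
impact (r3), accumulated with the post's recurrence into a risk sum (rs).

Added example, not AvePoint code. Weights, tiers and findings are assumed.
"""
from dataclasses import dataclass

# Assumed: each exposure question from the post that is answered "yes"
# raises the rate of increased risk by one.
EXPOSURE_QUESTIONS = frozenset({
    "discoverable_by_tools",
    "not_secured_by_access_rights",
    "transmitted_insecurely",
    "accessible_when_it_should_not_be",
})

# Assumed ordinal weights (r3) for the confidentiality-impact tiers.
IMPACT_WEIGHT = {
    "non_sensitive": 1,
    "small_sensitive": 2,
    "extensive_non_sensitive": 2,
    "extensive_sensitive": 4,
}


@dataclass(frozen=True)
class Finding:
    rule: str            # name of the rule that fired
    risk_level: int      # r1: the rule's RiskLevel attribute (raw risk)
    hits: int            # count of errors: matches the rule produced
    exposures: frozenset # exposure questions answered "yes" for this item
    impact_tier: str     # key into IMPACT_WEIGHT


def exposure_factor(f: Finding) -> int:
    """r2 = count of errors * rate of increased risk (assumed rate = 1 + #yes)."""
    rate = 1 + len(f.exposures & EXPOSURE_QUESTIONS)
    return f.hits * rate


def next_risk_sum(rs_prev: int, r1: int, r2: int, r3: int) -> int:
    """One step of the recurrence, read with balanced parentheses:
    rs(n) = rs(n-1) + (rs(n-1) + ((rs(n-1) + r1) + (r1 * r2)) * r3)
    """
    return rs_prev + (rs_prev + ((rs_prev + r1) + (r1 * r2)) * r3)


def collection_risk(findings, rs0: int = 0):
    """Fold every check in a collection into a risk sum; keep an audit trail
    of (rule, r1, r2, r3, rs) so a reviewer can see how the number arose."""
    rs = rs0
    trail = []
    for f in findings:
        r1 = f.risk_level
        r2 = exposure_factor(f)
        r3 = IMPACT_WEIGHT[f.impact_tier]
        rs = next_risk_sum(rs, r1, r2, r3)
        trail.append((f.rule, r1, r2, r3, rs))
    return rs, trail


def rank_collections(collections):
    """Order sites/collections from highest to lowest relative risk."""
    scored = [(name, collection_risk(fs)[0]) for name, fs in collections.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample findings for two hypothetical sites.
SITE_A = [
    Finding("credit_card_number", 3, 2,
            frozenset({"discoverable_by_tools", "not_secured_by_access_rights"}),
            "small_sensitive"),
    Finding("ssn", 4, 1, frozenset({"discoverable_by_tools"}), "extensive_sensitive"),
]
SITE_B = [
    Finding("internal_memo", 1, 5, frozenset(), "non_sensitive"),
]
SAMPLE = {"siteA": SITE_A, "siteB": SITE_B}

if __name__ == "__main__":
    for name, rs in rank_collections(SAMPLE):
        print(f"{name}: rs={rs}")
        for step in collection_risk(SAMPLE[name])[1]:
            print("   ", step)
```

Because r3 multiplies the running sum at every step, the recurrence grows quickly with the number of checks; the trail returned by `collection_risk` is what lets a reviewer justify (or tune) the weighting rather than trusting the final number alone.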
Once we have this risk severity, it is possible to determine what we need to fix or where we need to implement controls (permissions, access, and security) before allowing access to a system or a collection. We can also decide at this point what needs to be fixed, archived, quarantined, or deleted. AvePoint Compliance Guardian provides the complete capability to assess risk to this level. At this point it is not only a matter of fixing potential issues with your system; this also allows Compliance Guardian users to decide what content can exist on which systems. Compliance Guardian can also help you analyze which content can be migrated to more public sources or moved to more secure ones.
Perhaps the most important thing for a risk officer or compliance worker to consider is what they actually consider risk in their organization. Compliance is a combination of standards, exposure, and what those mean to your business. Because of this, any risk management solution must provide an open language that lets you define your organization’s specific risk model. You may need to add more risk factors than I discussed here, and you may want to change the out-of-the-box risk factors that ship with Compliance Guardian. Above all, you will want to be able to assess and adjust weighting factors. The beauty of Compliance Guardian and the ATL is that you can do all of this, and do so according to your specific risk and compliance requirements.
This capability can also be used to assess your existing environment to determine where you have strengths, where you have weaknesses, and where you need to take immediate action – and to help you decide whether or not to implement a cloud solution to supplement or replace any of your on-premise systems. This methodology is incorporated into AvePoint’s Cloud Readiness Assessment and Compliance Healthcheck, allowing you to:
· Programmatically assess and prioritize areas of risk based on sensitive data within your environment
· Determine where you may or must move data in order to sufficiently protect it
· Identify the data you are ready to move to the cloud, and which data you may leave behind in your on-premise environment due to data protection, security or privacy requirements.
It’s clear that there are many factors to take into consideration in order to account for the myriad policies and regulations by which organizations must abide. Regardless of your risk or security process or model, Compliance Guardian and the ATL offer the flexibility to manage compliance and mitigate risk for your collaboration systems – whether on-premise, cloud, or hybrid environments.