Open By Design, Closed By Exception - Best Practices in Information Security

By Greg Clark posted 09-23-2010 00:57


It's a debate that is as old as the information management industry itself (which isn't really that old, but bear with me). Users want to collaborate freely and access the internal information they need, while your IT security team wants information shared only on a "need to know" basis.

I side with the users on this one, but not because I think IT security types are wrong or misguided. I think that information wants to be free and that by adopting an "open by design, closed by exception" security model, you can keep everyone happy.

Here are a few common objections I have heard from IT security teams and my responses to each:

1. You're telling me that everyone gets access to everything? What about HR information or trade secrets or other sensitive information?

Open by design most definitely does NOT mean that everyone should have access to everything.  It's easy to get stuck on the "open by design" part and forget "closed by exception". There are most definitely categories of information that will be tightly controlled. Most organizations will have rules about who can access contractual information and most are governed by privacy and information disclosure rules. The benefit of Enterprise Content Management (ECM) systems is that you have the option of managing access to this information in a more granular way than you can on a shared drive. If the system is used properly, links to content distributed within the organization will only allow privileged users to access information.  Your ECM rollout must abide by the rules but these rules are not an excuse to lock down all information. 

2. The "need to know" principle means that if someone needs information to do their job, they will have access to it.

The best thing about an information management system is the power of ad hoc information discovery.

If you don’t know what you don’t know, how do you know you need access to it?  If valuable information doesn't come up in a search result, how do you avoid re-creating it or making decisions without  the benefit of this information? 

It's a case of risk vs. reward.  Your organization needs to decide if you are more worried about the risks that come from people finding information they shouldn’t (a risk which is still mitigated by the "closed by exception" part, as noted above) or if you are more interested in promoting knowledge sharing, collaboration and information discovery. I will always take the side of more information sharing over less; the "weak ties" we develop through finding information created by others help us expand our knowledge exponentially. Sociologist Mark Granovetter first came up with the concept of "the strength of weak ties" and Andrew McAfee and others have applied it to information management.   Basically, this principle says that we learn more from those we know peripherally than from our immediate colleagues; we already know what they know and we tend to become insulated and single-minded in our decision making. By expanding your network to people you only know somewhat, or people you don't yet know at all but have read a document authored by them, you will gain new perspectives and are much more likely to come up with creative solutions.

3. If everyone has access to information they will misuse it.

I fundamentally trust people. Maybe that's a shortcoming of mine but in a corporate context, I trust that the vast (vast) majority of people are trying to do the right thing for the organization.  If not, you've got far bigger problems than information security.  The "open by design" principle does not mean that just anyone can edit all information; most information will be read-only and some will be less than that (i.e. see that the content exists but not the content itself).  ECM repositories also have versioning and audit capabilities, so it is easy to see who accessed or changed a document and to roll back a version if necessary. This is difficult in an ordinary shared drive scenario and impossible if you can't find the information in the first place!

To address the concern that people will share information inappropriately outside of the organization, I suggest making sure everyone understands your appropriate use policy. No, I am not so naive that I believe everyone will follow the rules just because they are the rules, but that's why ECM systems have security policies. If information is truly sensitive it should be secured. If not, it should be open to all users within your organization. Simple as that.
