“Open by default” for information access
I remember a friendly but passionate argument with a lawyer several years ago who was a solid advocate of a “need to know” approach to document management.
In this scenario, I wanted access to non-sensitive documents that the board of the organization uses and produces.
I was unable to convince them of the learning value of seeing these documents to better understand how the board works, how it makes decisions, how it creates content, and possibly to re-use some of their good ideas. Though there was no real reason why I shouldn’t access the board documents (I was working inside the organization, security cleared, and the documents were non-sensitive), the lawyer’s position was firmly rooted.
This is a common document management tension within many organizations. The tension is between:
A “Need to know” closed permission model vs.
An open permission model
“Need to know” is where access is closed unless there is a clearly defined reason to access information.
Legal and security experts tend to favor a more closed approach to minimize risk, and sometimes content owners have a personal preference for tighter control over information access.
Conversely, people trying to get their jobs done ask for easier access to more information. They often find themselves recreating work that already exists after many futile attempts to find something they can re-use and learn from.
In today’s environment, we are constantly aware of the cyber security risks that we all face personally and at work. Data breaches and ransomware attacks are regularly publicized. Organizations are increasing their cyber security capability, raising awareness in their organizations, and building cyber threats into their disaster recovery planning.
We must all be diligent, and yet at the same time have easy access to information we need to learn from and be productive.
The tension, the dilemma, of those early document management days still exists, and is if anything even more pronounced.
Balance Policy Principles
An important step in striking the right balance between information security and information availability is ensuring the balance is reflected in information and data policies.
One example is to include both a sharing and security principle in a broad information policy, in that order, and align any information security policy accordingly.
Sharing — Provide open access to information wherever possible to support organizational effectiveness, collaboration, and learning.
Security — Safeguard sensitive information to ensure its confidentiality, integrity and availability.
Adopt an “Open Unless” Approach
Another important step in creating the right balance between security and availability is beginning with an “open unless” approach to information architecture and permissions. Do this by:
Examine workgroup business, workflows and content to understand what is truly sensitive in nature
Design specific spaces to segregate/isolate that content with strictly managed permissions and governance
Make the remainder of the workgroup sites and libraries “read only” to the organization at large so the content is findable and reusable
Design flat hierarchies and ensure content is appropriately tagged with metadata to help manage access through its lifecycle
In so doing, highly sensitive information will be appropriately protected, while the remainder is available to learn from and reuse.
Flat hierarchies with open permissions will also minimize the need to grant unique permissions for sharing and collaboration, and require less overhead and maintenance over time. They also encourage adoption and give people less incentive to store content outside the content management system.
Manage permissions thoughtfully and diligently
Change is constant in organizations. Roles and responsibilities change frequently. Employees leave the organization and others are hired in. People move to new roles and responsibilities inside the organization.
Access permission management needs to be an ongoing priority to ensure sensitive information remains appropriately protected through staffing and role changes, and that the remainder remains open as it should. Conduct regular permission reviews in high-risk areas, and even engage your cyber security team in performing regular spot checks for potential security breaches.
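As an added illustration (not part of the original article), the following Python model shows the “open unless” permission design described above together with the kind of permission review this section calls for. Access is decided in the order the policy principles are written: sharing first (any current staff member can read a space by default), security second (a space tagged sensitive in its metadata requires an explicit grant). The review function flags two things a periodic check would look for: grants on sensitive spaces that still name people who have left, and unique permissions on non-sensitive spaces that a flat, open hierarchy makes unnecessary. All space names, staff names and tags are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Space:
    """A site or library in the content management system (constructed model)."""
    name: str
    metadata: dict                      # lifecycle/classification tags, e.g. {"classification": "sensitive"}
    allowed: frozenset = frozenset()    # explicit grants; only meaningful for sensitive spaces

    @property
    def sensitive(self) -> bool:
        return self.metadata.get("classification") == "sensitive"


def can_read(space: Space, user: str, active_staff: frozenset) -> bool:
    """Open-unless decision: readable by all current staff unless tagged sensitive,
    in which case the user must appear on the space's explicit allow-list."""
    if user not in active_staff:
        return False            # people who have left never retain access
    if not space.sensitive:
        return True             # sharing principle: open by default
    return user in space.allowed  # security principle: explicit grant required


def review_permissions(spaces, active_staff: frozenset):
    """Periodic review. Returns (finding_type, space_name, user_or_None) tuples:
    - stale_grant: a sensitive space still grants access to someone no longer on staff
    - unneeded_unique_permissions: a non-sensitive space carries an allow-list,
      which an open, flat hierarchy does not need and which adds maintenance."""
    findings = []
    for s in spaces:
        if s.sensitive:
            for user in sorted(s.allowed - active_staff):
                findings.append(("stale_grant", s.name, user))
        elif s.allowed:
            findings.append(("unneeded_unique_permissions", s.name, None))
    return findings


# Constructed sample data: "dave" has left the organization but is still
# on the HR space's allow-list; "team-notes" has an allow-list it does not need.
ACTIVE_STAFF = frozenset({"alice", "bob", "carol"})
SPACES = [
    Space("project-wiki", {"classification": "internal"}),
    Space("board-papers", {"classification": "internal"}),
    Space("hr-cases", {"classification": "sensitive"}, frozenset({"carol", "dave"})),
    Space("team-notes", {"classification": "internal"}, frozenset({"bob"})),
]


def lookup(name: str) -> Space:
    """Find a constructed sample space by name."""
    return next(s for s in SPACES if s.name == name)


if __name__ == "__main__":
    for space_name, user in [("board-papers", "alice"), ("hr-cases", "alice"),
                             ("hr-cases", "carol"), ("hr-cases", "dave")]:
        print(f"{user:6} -> {space_name:13}: {can_read(lookup(space_name), user, ACTIVE_STAFF)}")
    for finding in review_permissions(SPACES, ACTIVE_STAFF):
        print("review finding:", finding)
```

In a real system the classification tag would come from the content's metadata and the staff list from the HR or identity directory; the point of the model is that the default branch is “allow” and only content that has been deliberately tagged sensitive takes the restrictive path, so a staffing change shows up in review as a stale grant rather than as a silent widening of access.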
Whether in the public, non-profit, or private sector, an “open unless” approach can help effectively balance the need for information security and information access.