I was browsing the project share drive at work today looking for a design document that I needed. Every document that is created should, in theory, be given a classification: Commercial in Confidence, Confidential, and so on, with increasing levels of restrictions.
I was amazed at how many documents had been classified as Confidential. The required document controls for this level of classification are pretty onerous. Information must be encrypted at all times when stored and must be encrypted with a key length of x or greater if emailed or faxed. Third parties must sign confidentiality agreements and get the permission of the document creator before viewing. The document creator must approve disclosure to all other staff. The document cannot be discussed in public. And so on…
This creates an interesting problem for document management. In a case such as this, where it seems that documents have been classified by the document owner in a fairly arbitrary way (many people seem to be applying the CYA rule), the classification system breaks down. All documents get stored in a way that everyone can access so that people can get their jobs done, with the attendant risk that something that actually is important slips through the system.
Some questions to ask:
* What is the average cost per document to properly manage information that has been classified at a certain level?
* Is it worthwhile having a documented process for document classification and management if it is not audited or enforced?
* What is the cost to the business if a Confidential (or higher level classified) document is leaked? (How long is a piece of string?)
* How does the DoD do it? (They seem to classify everything. If you’ve ever received email from anyone at the Department of Defence, you will see a classification level in the subject header – usually UNRESTRICTED.)
* Is document classification, access control and management already a feature of the Enterprise’s CMS (Content Management System)? What is the additional overhead experienced by each user to search for and retrieve useful information with this system?
Addendum: It is a particularly bad sign when supposedly confidential documents are posted on a public website or “hidden” in a place that will still get crawled by web spiders. Google sees all.