CogniDox and Information Security Management - a white paper


CogniDox and information scurity management

Last week we published a white paper entitled "CogniDox and Information Security Management" to our customer support site. It was written in response to questions received from our customers. To answer their questions, it had to be specific about what CogniDox does for information security. But we also found it had to be educational in a broader sense. So, we decided to publish it on our website to make it available to a wider audience.

You can find it in the Library section (under Documents) on our website or you can open/save the PDF file directly from this link.

Most companies are still unsure about the risk to their business associated with cyber attacks. They may read that cyber-crime costs the UK economy an estimated £19bn to £27bn every year. They see stories on one hand about lost or stolen USB drives or company laptops containing confidential data; and about sophisticated attacks by highly organised hacker gangs on the other. It can be hard to relate this wide spectrum of cyber-risk to the everyday operations of a high-tech business.

Some (wrongly) believe cyber-attacks are only a problem for large financial institutions, military, government, or mega-corporations. Verizon publishes an annual report called the Data Breach Investigations Report (DBIR). In the 2013 edition, it found 62% of data breaches happened to companies with fewer than 100 employees. It found that 20% of network intrusions involved manufacturing, transportation, and utility companies - the common motivation for these attacks is stealing intellectual property (IP).

One security firm which examines the so-called 'Dark Web' for evidence, found over 100 million stolen user IDs and passwords in one month of analysis. A quick scan of our company website server logs reveals 6 suspect IP addresses probing and 32 rogue attempts to use SSH in just a one-week period. It takes just seconds for automatic tools to scan your website looking for known vulnerabilities and weakly protected data. 86% of all websites investigated during 2012 had at least one serious vulnerability. Using these, an attacker could take control over a website, and have access to user accounts and sensitive data.

What can we do about it?

You could try to lock down data storage even further, but that can deprive authorised users of legitimate data availability. With the trend among employees to 'bring your own device' (BYOD) still on the rise, it also looks like a forlorn hope. If you make it hard to access information in the official repository; it increases the odds that it is 'temporarily' stored in Dropbox, or takes to the 'SneakerNet' via a USB flash drive.

You could try to improve your security training and awareness. The Guardian newspaper recently reported a survey of media professionals in which 70% said that they had received no training against cyber attacks. But, some experts believe that training is a waste of time.

You can try to spot intrusion attempts at the earliest opportunity through network intrusion detection software, so that 'mean time to detection' is minimised. The problem is that it only protects against attacks to your network. Other types of vulnerabilities are still a threat.

The answer is that it requires a number of concerted actions to improve security. It is a spectrum of risk, and different security controls apply to different parts.

The white paper argues that the ISO/IEC 27001 information security standard currently offers the best framework for cyber security. It reviews ways for hardening IT security on Linux-based systems, and shows how applications such as CogniDox can use (and depend on) this functionality. That still leaves a major gap in solving the problems of Information Security. The white paper therefore concludes by demonstrating how security-related features in CogniDox can address these problems.

The value of DMS for Product Development


Tags: Compliance, Document Management and Control

Paul Walsh

Written by Paul Walsh

Paul Walsh was one of the founders of Cognidox. After a period as an academic working in user experience (UX) research, Paul started a 25-year career in software development. He's worked for multinational telecom companies (Nortel), two $1B Cambridge companies (Ionica, Virata), and co-founded a couple of startup companies. His experience includes network management software, embedded software on silicon, enterprise software, and cloud computing.

Related Posts

A short guide to non-conformance reports; what, why and how

How do you log and deal with non-conformities so that faulty products don't end up in the hands of ...

Data integrity in life sciences: the vital role of ALCOA principles

Data integrity is central to the safe development and manufacturing of every life-science product ...

Corrective action: why, when and how?

It’s the job of your corrective action process to identify and eliminate the systemic issues that ...

Why not just use Google Drive as a Document Management System?

Google Drive is a cloud-based program that allows you to create, edit, store, and share documents. ...

Why not just use SharePoint for your Medical Device QMS?

A Quality Management System (QMS) is a requirement for medical device developers across the globe. ...

Why not just use Dropbox as a document management system?

Dropbox is an easy to use cloud storage and sync application that is increasingly used in work ...