|
The supplier management and procurement function is responsible
for conducting confidential and sensitive but unclassified
(SBU) source selection and procurement activities with external
suppliers.

The procurement function handles large volumes of SBU data
containing material specifications, cost, pricing, intellectual
property (IP), proposal terms and conditions, and other confidential
information. The data must be rapidly accessed, shared
with internal personnel and external affiliates, and quickly
processed without the risk of compromising security, procurement
strategy, and supplier selection. Overall, a strong SBU data security
policy is essential, and a complete security solution
must reduce the overall cost of doing business and lower business
risks.

The financial benefits that are derived from securing the SBU
data include: eliminating “leakage” of cost information;
keeping business terms confidential; and substantially reducing
risks associated with losing a supplier’s proprietary
data. Additionally, as a government organization, the risk
of an increased rate of focused attacks by foreign hackers
was becoming a concern.

Employee authentication to facilities and computer resources for
Department of Defense organizations required the use of Common
Access Cards (CAC). Suppliers were using a combination of CAC,
secure sign-on token and other technologies for user authentication.

The technology tools used by the organization included strong
firewall, VPN and antivirus software that was installed on
servers and employee PC systems. Additionally, OpenText LiveLink
workflow and knowledge management software, and Citrix
MetaFrame Access software were being used in a MS Windows environment.

Information Technology resources worked with Procurement to identify
a solution that would provide automatic security for email
messages, document and spreadsheet files. The right solution
would require minimal training, ease of deployment and the
assurance that security of files would be maintained as they
traveled between internal operating departments, procurement
and suppliers.

Previous attempts to ensure that all internal employees and external
supplier personnel complied with the central written security
policy – which included encryption of documents, spreadsheets
and email messages for protection of SBU information – were
unsuccessful. The ability to establish a central security
policy standard and systematically mandate usage of the policy
was not available. Using encryption required additional user
procedures that were not transparent to normal user activities.
Training personnel in the use of encryption procedures and
file-security procedures did not result in consistent compliance
with the security policy. Solutions available from several
software vendors were incomplete and required IT to integrate
several disparate products and piece together a solution.

Recently, the organization was becoming aware of unusually high rates
of attacks from hackers that appeared to originate outside
the United States. The rate of problems caused by keyboard
loggers, Trojans, worms and polymorphic malware was becoming
a concern to IT management. End-user attack incident reporting
was increasing and was a concern to management. Some other
government high-risk businesses periodically experienced
malware attack rates that could reach gigabyte-per-hour
attack levels.

The function looked into solutions provided by major operating-system
suppliers and determined that adopting the cost and architecture
of the solution was not feasible. Problems included high
costs and impossible deployment requirements. Achieving
consistency required mandating that external suppliers completely
change their internal IT processes.

The procurement function, IT and Interfuse Technology personnel
defined a detailed test and assessment plan for OfficeLock
software.
The results of the assessment indicated an OfficeLock
solution would
meet and exceed policy requirements, internal and external
personnel scope requirements, and would appear transparent
to user operations.

The team launched deployment activities to use OfficeLock
Enterprise software as
the key element of an integrated file-security solution.
The implementation provided seamless integration with the
Microsoft Office applications and normal worker procedures,
was easy to use, and was transparent to normal daily work
activities. Procurement’s security policy was described
on a central server and transferred to user PC systems.

Security-policy compliance and the use of encryption and file rights management
became transparent to routine procedures. Usage of the
security policy was now assured. Certain users were authorized
to create confidential employee and supplier work groups to
form secure, compartmentalized work teams. In other cases,
the IT department used Microsoft Active Directory groups
to define the secure internal work teams. Internal employee
and external employee authentication for SBU data access
was accomplished by using a combination of the token, CAC
and multifactor authentication interface provided as a
standard OfficeLock component.

Two methods were used to rapidly install the OfficeLock software
on user PC systems. A standard MSI installation package
was transferred to users with Systems Management Services (SMS).
Other users downloaded the MSI installation package from
a shared folder on the network. Maintenance and updates
to the OfficeLock software are provided to users in the same
automatic manner.

The implementation delivers compartmentalized workgroup security
for all SBU source selection data within the current structure
and security policy. The complete time required for planning,
training, deploying and initiating operations was five
business days.

Today, secure work group member management for internal employees,
suppliers and external consultants is accomplished by the
Procurement department. Work group member authentication
and access to SBU data are accomplished through individual
customized multifactor authentication devices. The leakage
of SBU information has been reduced, supplier intellectual
property is secure, users comply with security policies and
there has been no impact on productivity. File security and
rights management are integral elements of application files.
Files are secured and remain protected behind the firewall, on
employee field equipment, and on supplier and consultant equipment
regardless of the presence or security level of external
networks. Executives with notebook computers remain secure even
when they are traveling on airplanes and at out-of-the-country
locations.

Users with fully automatic security do not know that encryption
has become a part of their standard daily routine. Others
with higher policy and privileges find OfficeLock software easy
to use. Overall compliance with the security policy has become
a transparent business process within procurement and at
the suppliers. Interoperability with LiveLink and MetaFrame
is seamless. The security provided by OfficeLock has met
procurement’s goal of increasing security for SBU and
confidential information.
|