How supply chain partners can share information


How to reduce the risk of information sharing

Drawing on the three key components of application management, namely policy, process, and performance, we construct a practical framework that guides how to benefit from information sharing and how to reduce the risk of that information being abused.

Policy

Information classification - the best methods for protecting confidential data are the same ones used to protect confidential military information: classify the data by its level of confidentiality, and allow access only to the people who need to know it. For example, a supplier designing spare parts only needs to know the part's physical contour (installation points and installation conditions) and its electronic interface characteristics, not the entire product design.

Usable / actionable information - raw data is extracted and analyzed, then transformed into usable, actionable information. Structured contracts are a good example. Enterprises have relied on structural contract provisions, such as minimum advance commitments (with different prices for different levels of advance commitment) and production flexibility guarantees (the higher the flexibility, the higher the price), to express their future needs rather than simply sharing forecast information.

Third-party accounts - successful implementation of this strategy requires an independent third party outside the two companies involved. The two partners set up a third-party account; when either party breaches the agreement, the funds in the account are used to rebuild trust between the two sides and to resolve the causes of the problem. For example, the funds can be used for training, team building, reorganizing unreasonable processes, or applying new technologies. This can greatly enhance the confidence of both sides.

Process

Each of these approaches requires a set of supporting processes and control systems to prevent, detect, and correct accidental or intentional abuse of confidential information, such as:

Physical security - control personnel access to office space. Reception staff must know who may enter production and office facilities and who may not, strangers walking in sensitive areas should be challenged, and confidential documents should be kept in safekeeping and not left out.

Separation of duties - for example, physical inventory management and maintenance of inventory information are handled by different staff.

Training and testing - train staff on the procedures for protecting confidential information and on why that protection matters. Test the effect of the training to ensure that employees follow the correct steps when sharing information with partners.

Logging - record all data access activity, including who entered which area or obtained which information, and when.

Verification - verify both your own business and your trading partners to ensure that they are secure and effective. Some enterprises have also installed computer-aided "continuous inspection" systems.

Sensitive data that needs special protection may require structural and organizational security measures. For example, some engineering organizations use what is called a "clean room" approach: personnel who handle highly sensitive design information are separated from the rest of the organization, and their exchange and communication with other personnel is limited, in order to prevent partners' information from leaking within the organization.

Performance

To be effective, decisions about policies and processes must be based on a trade-off among:

The commercial value of information sharing
The cost of controlling the risk of information sharing
The consequences of information security threats in the process of information sharing

Some useful technologies can help us implement these policies and processes. Role-based access control (RBAC) makes it possible to enforce the information classification policy: data access permissions are set according to the specific information each user needs. Digital rights management (DRM) systems can even track files and keep protecting them.

Even when your documents are sent to organizations outside the enterprise, the system can still protect them, restricting access to specific groups and specific actions (e.g., restrictions on printing, cut and paste, forwarding, etc.). Private networks and business networks must take the necessary measures to protect trading partners' confidential data; for example, the ANS network enables OEMs and suppliers to securely exchange digitally encrypted confidential design documents and transaction information.
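The sketch below is an added example, not part of the original article: it combines the information classification policy, role-based access control, and the logging control described above, using the spare parts supplier case. The field names, classification labels, and roles are all constructed for illustration.

```python
from datetime import datetime, timezone

# Classification levels, lowest to highest (constructed for this example).
LEVELS = {"public": 0, "partner": 1, "confidential": 2, "secret": 3}

# Constructed design record: every field carries its own classification label.
DESIGN = {
    "physical_contour": ("partner", "120 x 80 x 40 mm, four mounting points"),
    "installation_conditions": ("partner", "-20 to 85 C, vibration class B"),
    "electronic_interface": ("partner", "8-pin connector, 12 V supply"),
    "cost_model": ("confidential", "unit cost breakdown"),
    "full_schematic": ("secret", "complete product schematic"),
}

# Hypothetical roles: (clearance level, need-to-know field set).
ROLES = {
    "spare_parts_supplier": ("partner", {"physical_contour",
                                         "installation_conditions",
                                         "electronic_interface"}),
    "procurement": ("confidential", {"physical_contour", "cost_model"}),
    # Misconfigured on purpose: cost_model is listed, but clearance is too low.
    "logistics_partner": ("partner", {"physical_contour", "cost_model"}),
    "design_engineer": ("secret", set(DESIGN)),
}

AUDIT_LOG = []  # one entry per field decision, allowed or denied


def read_fields(user, role, requested):
    """Return only the requested fields this role may see; log every decision."""
    # Unknown roles get the lowest clearance and an empty need-to-know set.
    clearance, need_to_know = ROLES.get(role, ("public", set()))
    granted = {}
    for name in requested:
        label = DESIGN[name][0] if name in DESIGN else None
        allowed = (label is not None and name in need_to_know
                   and LEVELS[clearance] >= LEVELS[label])
        AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                          "user": user, "role": role,
                          "field": name, "allowed": allowed})
        if allowed:
            granted[name] = DESIGN[name][1]
    return granted


def denied_attempts(user):
    """Fields this user asked for and was refused, for review of the log."""
    return [e["field"] for e in AUDIT_LOG if e["user"] == user and not e["allowed"]]
```

Requiring both the need-to-know entry and a sufficient clearance means a mistake in one list (as in the logistics_partner role) does not by itself expose a higher-classified field, and the denied entries in the log show where such mistakes or probing occur.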

The debate among senior managers

Striking an appropriate trade-off between "information sharing" and "information security", so as to achieve the greatest value from enterprise information sharing, is not easy. Neither side lacks supporters. Some companies have raised the post responsible for data protection to the C-level, with a Chief Information Security Officer dedicated to it. On the other hand, senior supply chain managers may be more inclined toward the "information sharing" approach. To protect or to share? These decisions should rest on a reasonable trade-off. I think a supply chain that maximizes information sharing, operating like a fully integrated enterprise, has a greater competitive advantage than one run by those who advocate protecting information.