With the virtual data room for lawyers, the company has the right to independently develop the procedure for electronic document management and choose software for its operation.
What Lawyers Should Pay Attention to While VDR Selection?
The structure and organization of the data room system for lawyers are influenced by such factors as:
- The system must maintain a well-defined security policy.
- The ability of subjects to access objects should be determined based on their identification and a set of access control rules.
- Where necessary, a regulatory access control policy should be used to effectively implement the delimitation of access to categorized information (information marked with the secrecy label: “secret”, “Sov. Secret”, etc.).
- Objects must have security labels associated with them to be used as access control attributes.
- To implement normative access control, the system must provide the ability to assign each object a label or set of attributes that define the degree of confidentiality.
Another factor of dataroom providers that makes it necessary to build special models of thematic access control is that in most cases on the classification set in documentary information systems, not a linear order is established (as at the set of security levels in mandatory models), but a partial order, set by a certain type of root trees (hierarchical and faceted rubricators).
All documents of the information storage are thematically indexed, that is, they are correlated with certain thematic headings of the classifier. Employees of the enterprise, according to their functional duties or for other reasons, receive the right to work with documents of a certain subject. This approach, in combination with discretionary and mandatory access, provides a more adequate and flexible configuration of the access control system for specific functional technological processes, and provides additional means of control and access control.
How to Avoid One of the Most Intractable Security Problems?
One of the most intractable security problems in information systems, including those based on mandatory access models, is the problem of covert information leakage channels. A hidden channel of information leakage is a mechanism through which information flow (information transfer) between entities can be carried out in the system, bypassing the access control policy. For example, covert channels of information leakage include the previously considered flows arising from “Trojan” programs, and implicit information flows in systems based on discretionary models.
A hidden channel of information leakage in mandatory access systems is a mechanism through which information can be transferred from entities with a high-security level to entities with a low-security level without violating the NRU and NWD rules. In certain cases, information can be received or transmitted without the direct implementation of read/write operations to objects, in particular, based on the analysis of certain processes and system parameters.
In collective virtual dataroom systems (many users, many objects), transitions, and therefore the states of the system, are determined by a large number of very diverse, including random, factors, which implies the use of the apparatus of the theory of probability to describe the system. With this approach, the security policy requires a certain modification and, in particular, a theoretical and probabilistic interpretation of the processes of functioning of systems and dangerous information flows.
Role-playing politics via data rooms is very widespread because, unlike other more strict and formal policies, it is very close to real life. Indeed, in fact, the users working in the system do not act on their own behalf, they always carry out certain official duties, that is, they perform certain roles that are in no way connected with their personality.