Security features to                                look for when                                  choosing a document
management system

The security of your documents matters. Data loss and litigation are headaches no one wants, especially with the potential fines and loss of reputation that can frankly ruin a business.

To evaluate the current security of your documents and information, you can ask yourself these questions about how your organization handles documents:

• How do we protect against accidental or deliberate internal security breaches?
• Are we protected from hacking threats?
• How would we access and recover our information in the case of a natural disaster?
• Could we be accused of data mismanagement? Could we demonstrate proper document and data handling?
• Is there a clear retention policy and practice in place for legally sensitive information?
• Are we at risk of any financial penalties?

You can dig deeper into how documents are handled by looking at how employees engage and work with documents. Here are a few questions to get you started:

• Can employees get the documents they need, immediately when they need it?
• Do employees always know whether they are looking at the most current document?
• Are employees trained in proper document handling, especially against social hacking and social engineering attacks?

Once you have the answers to these questions, and any others you identify and ask, you’ll know which document security features you most need.

These questions address security features of a document management system. If you are looking at cloud document management – where the provider hosts your system, you may want to ask specific questions about their data center security. 

Read more about cloud document management in our article, "An introduction to cloud document management."

You can find questions to ask about a potential partner’s data center in our article, “Is your cloud vendor secure?” 

A document management system’s security begins with how it encrypts data. 

But it isn’t only the system itself that you should evaluate. You also want to understand data security between the different systems, including the PCs, tablets, and other devices which may connect to the system. 

Look for 256-bit encryption (AES). This is military-grade encryption and the standard for U.S. government classified documents at the highest level. It may sound excessive, but it’s not. Most business systems use at least this standard.

Traffic between systems and devices should also feature HTTPS encryption. HTTPS has the added security layer of TLS/SSL. Standard HTTP communication lacks this security protocol and makes it easy for hackers to intercept critical data like passwords and financial information, especially when employees might be accessing the system from remote locations.

Some documents have specific lifecycle requirements. Legal mandates may require you to keep documents for a defined minimum of time. For example, in the United States, invoices must be kept for seven years. 

Fortunately, digital documents are now an acceptable means of storage. While this saves on space (and storage costs), it does mean you need to have a well-defined plan for managing the document lifecycle.

You may also have compliance regulations to consider. Protecting the rights of people to control their data (GDPR and CCPA), providing fiscal transparency (Sarbanes-Oxley), and securing health information (HIPAA) are only a few of the compliance requirements you may have to address.

• Electronic signatures. A qualified electronic signature is the most secure digital signature. This type of e-signature ensures the legitimacy of the signature and that the document has not been altered or manipulated because an authorized Trust Service Provider authenticated the signer and issued a digital certificate as validation.

• Version management. The system should check-out and check-in documents when they are accessed, and changes are made. A new version is created when a document is changed. This helps protect the validity of a document by recording who changed what and when and ensures users only update and edit the most current version. 

• Change logs. A document system should record every access, annotation, and workflow state of every document, so that an entire history can be reconstructed if necessary. You should be able to access this information through a CSV file or other common file format.

 There are a lot of considerations when you want to get and implement a document management system for your organization. Here are questions you can ask when evaluating the system’s security.

• Does the system authenticate by individual user login?
• Can you control rights access by group, individual, and even document data?
• Will your data be backed up and does that include geographically separate areas?
• Is 256-bit encryption part of the system?
• Does the system have workflow and retention policies?
• Will the system meet your compliance requirements?
• Are you able to validate document integrity?
• Can you integrate the system securely with other line of business applications (ERPs, CRMs)?
• Does the system log every change to a document?
• What does the system do to ensure maximum uptime and availability?

You may have plenty more questions as you start looking. And one of the best ways to evaluate a system is to see it used, such as in a demo. We do this for our DocuWare customers whenever that is possible. When you provide your own documents, you get a better feel for the system.