Suzanne Mescan, Vasont Systems

Security is a number one concern for all businesses these days. Security risks range from the obvious—building access, virus protection, and IT security—to the less obvious, such as access to technical content and compliance issues.

Some mistakes in technical documentation are funny. An online search for mistakes in instruction manuals turns up examples such as this one, found in a manual for an electric skillet:


But some documentation mistakes are very serious. Everyone remembers the Tylenol scandal, when bottles of Tylenol had to be pulled from shelves because of a tampering scare. Imagine what would happen if a manufacturer’s instruction manuals were tampered with and an important warning was not included. Thousands of people could be hurt and the company would be open to lawsuits and government action.

Financial risks can be just as dangerous as physical ones. On March 31, 2006, NBC News did a story on a large lawsuit against several major sunscreen manufacturers. The lawsuit claims that sunscreen labels and words like “sunblock” make people think they’re getting full protection from all the sun’s rays, where that may not actually be the case. Depending on the outcome of the legal proceedings, the word “sunblock” may end up costing manufacturers millions of dollars. Many other industries must be just as careful about exactly what words make it into their product documentation, in order to protect themselves from lawsuits.

Randall Goodden, author of Product Liability Prevention: A Strategic Guide and Preventing and Handling Product Liability, wrote an excellent article called “Understanding the Focus of Product Liability Prevention” in The CEO Refresher. In the article, Goodden lists the different areas in a company that need to be involved in product liability prevention, including:

  • Customer Contracts/Agreements
  • Product Design/Labeling
  • Marketing/Advertising
  • Reliability Testing
  • Document Control
  • Warranties
  • Warning Labels & Instructions
  • Records Retention
  • Supplier Selection
  • Recall Procedures
  • Accident Reporting
  • Accident Investigation
  • Litigation Management

More than half of those areas involve documentation! Goodden stresses the importance of making sure the entire organization understands the importance of anything put into writing and provides employees with tips on how to recognize where potential dangers lie in what they write.

Content management system vendors also take these risks seriously. While no system can eliminate all human error, vendors are both incorporating security features into their systems and integrating with already existing corporate security policies and protocols. Here are some security protections that your company’s system should have and why it is important for you to have them.

Detailed access control

Detailed or highly configurable access control is important because it ensures that only authorized users can access your organization’s content, protecting against mistakes or risks from unauthorized or unknowledgeable people. Access control usually comes in the form of user log-in, managed by the system administrator. The more detailed or configurable this control is, the more secure and useful the content will be. Administrators know the balance between security and productivity is a delicate one. If they put up too many roadblocks in the system, users won’t be able to access the content they need when they need it. If they put up too few, the content will be open to risk.

Component-level content management systems can help to manage that balance. Component-level content management systems are not designed to store whole documents (although most can); rather, they are most efficient at storing smaller, useful pieces of information. For example, instead of storing an instruction manual as one document, a component-level content management system stores each procedure individually. In terms of productivity, this maximizes the ways that those procedures can be reused across an organization. In terms of security, this allows system administrators to configure access control down to the component level. Rather than giving individuals access to a whole manual, the administrator might only give them access to one specific section of the manual, or even a single procedure.

The level of access can also vary by individual and piece of content. Access levels may include: read-only authorization, read and edit, edit but requires approval, approval rights, and so on. A single user might be given access to many different chunks of content, all at different access levels, as the user’s and the organization’s needs require. This control allows users to be productive because they have access to the content they need at the level they need, while the system stays secure because users have access only to the content they need at the level they need it.
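The component-level model described above can be sketched as a small default-deny permission check. This is an added example, not code from the article or from any CMS product; the users, component paths, the rule that the most specific grant wins, and the assumption that every access level includes read access are all hypothetical.

```python
from enum import Enum

class Access(Enum):
    READ_ONLY = "read-only"
    READ_EDIT = "read and edit"
    EDIT_NEEDS_APPROVAL = "edit but requires approval"
    APPROVE = "approval rights"

# Constructed sample grants: manual / section / procedure addressed by path.
GRANTS = {
    "alice": {
        "skillet-manual": Access.READ_ONLY,
        "skillet-manual/cleaning": Access.EDIT_NEEDS_APPROVAL,
    },
    "bob": {"skillet-manual/warnings": Access.APPROVE},
}

def effective_access(user, component):
    """Walk from the component up through its ancestors; the most specific
    grant wins, and no grant at all means no access (default deny)."""
    grants = GRANTS.get(user, {})
    path = component
    while path:
        if path in grants:
            return grants[path]
        path = path.rpartition("/")[0]  # drop the last path segment
    return None

def decide(user, action, component):
    """Return 'allow', 'pending-approval' or 'deny' for read/edit/approve."""
    level = effective_access(user, component)
    if level is None:
        return "deny"
    if action == "read":
        return "allow"  # assumption: every access level includes read
    if action == "edit":
        if level is Access.READ_EDIT:
            return "allow"
        if level is Access.EDIT_NEEDS_APPROVAL:
            return "pending-approval"  # change is held for an approver
        return "deny"
    if action == "approve":
        return "allow" if level is Access.APPROVE else "deny"
    return "deny"  # unknown actions are refused
```

Here the same user can read the whole manual, submit edits to one section that wait for approval, and change nothing else, while a user with no grant on a component or its ancestors is refused outright.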

Change/Deletion protection

Change and deletion protection is important because it protects an organization from the risk of content being deleted or changed by accident. Changing just one word in a product warning or instruction can put an organization at risk for regulation infractions, customer injury, lawsuits, government action, and more, depending on the industry. A secure content management system provides users with the ability to reinstate deleted content or revert back to a previous version of the content if a change has been made. No change or deletion is ever permanent.

Most secure content management systems go a step further and track all versions of each piece of content. Version tracking means that at any given time, a system administrator can go back to see who changed a product warning, when the change was made, what the warning said before the change, and what it said after. In the event that a mistake does take place, a good tracking and versioning system helps to ensure the mistake can quickly be corrected and prevented from happening again.
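Version tracking of this kind amounts to an append-only history in which edits, deletions and reverts each add a new version rather than overwriting an old one. The sketch below is an added example, not the article's or any vendor's implementation; the class names, the sample warning text and the user names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Version:
    number: int
    author: str
    when: datetime
    text: Optional[str]  # None marks a deletion (tombstone)
    note: str

class Component:
    """Append-only history: nothing is ever overwritten or removed."""
    def __init__(self, author, text):
        self.history = []
        self._append(author, text, "created")

    def _append(self, author, text, note):
        v = Version(len(self.history) + 1, author,
                    datetime.now(timezone.utc), text, note)
        self.history.append(v)
        return v

    @property
    def current(self):
        return self.history[-1].text

    def edit(self, author, text):
        return self._append(author, text, "edited")

    def delete(self, author):
        return self._append(author, None, "deleted")

    def revert(self, author, to_number):
        if not 1 <= to_number <= len(self.history):
            raise ValueError("no such version")
        old = self.history[to_number - 1]
        return self._append(author, old.text, f"reverted to v{to_number}")

    def audit(self):
        """Rows of (number, who, when, text before, text after, note)."""
        rows, before = [], None
        for v in self.history:
            rows.append((v.number, v.author, v.when, before, v.text, v.note))
            before = v.text
        return rows

def demo():
    # Constructed sample: a warning is shortened, deleted, then reinstated.
    c = Component("alice", "Warning: surface is hot. Do not touch.")
    c.edit("bob", "Warning: surface is hot.")
    c.delete("carol")
    c.revert("admin", 1)
    return c
```

Because a revert is itself recorded as a version, the audit trail still shows the shortened warning and the deletion after the original text has been reinstated.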

Strong automated workflow functionality can be a system administrator’s best ally in change/deletion protection. No two organizations set up their workflow processes in the same way, but they usually serve the same purpose—to move content from person to person through the production cycle, making sure that all of the correct approvals take place before the content is completed and published. The workflow might be automated with steps such as automatic emails to notify the graphic designer that a piece of content needs a graphic to accompany it. Or it might send an editor a notice that three pieces of content are ready to be reviewed and approved. By giving each piece of content a clear workflow path and setting up automatic check points along the way, system administrators can help to ensure that the content stays secure throughout the production process. The automated system ensures that the correct people review the content, and, because all changes/deletions are tracked, if an unauthorized change or deletion does occur, they will catch it and address it before final publication.

Corporate security policies/technology

Along with the security features above, it is important for content management systems to integrate with existing corporate IT security policies and procedures. If a content management system doesn’t smoothly integrate with those policies, it may create a security risk that could affect many aspects of the business. Common industry standards, including Microsoft Active Directory and Lightweight Directory Access Protocol (LDAP), control user authentication throughout an organization. Individual content management systems integrate with the protocols differently—it is best for users to discuss their needs with their CMS vendor.

By taking some precautions when configuring your content management system, each piece of content your company creates can also be this secure, and you can be confident that you are protecting your company from the risks associated with publishing content.