Access Export Control of S1000D Technical Data
public.s1000d.org/Documents/2015 S1000D User Forum...
September 21‐23, 2015
Access & Export Control of S1000D Technical Data
Presenter Name: Sean Rushing
Rank or Title: Product Manager
Organization: CDG/Boeing
Purpose
• Describe the information control capabilities of S1000D
• Is not meant to describe how to implement Security or Export controls on your data
• Learn about how the information control in S1000D relates to document management and presentation
Topics
• Data Controls Review
• Data Controls in S1000D
• Controlled Information Identification in S1000D
• Labeling Controlled Information in S1000D
• Software Considerations
• Additional Thoughts
What are Data Controls?
• Identifying: Determining the need to protect data
• Labeling: Proper marking of controlled data
• Protecting: Ensuring proper access to the data is enforced and controlled
Data Control Scope
Description
• Public: Information that could be viewed by anyone
• Internal: Proprietary information and work products
• Confidential: Key business data and information
• Regulatory: Information protected by statutes, regulations and laws, governed by a regulatory body
Impact
• Public: Access has no Organization impact
• Internal: Unauthorized access could influence the Organization’s operational effectiveness, cause an important financial loss, provide a significant gain to a competitor
• Confidential: Unauthorized access could cause significant Organization harm or impact due to legal, contractual, privacy, or theft of intellectual property.
• Regulatory: Unauthorized access may involve civil or criminal penalties.
Access
• Public: Public access
• Internal: Data is restricted to data owner approved access and protected from external access.
• Confidential: Access to this data is restricted within the Organization or with appropriate release approval.
• Regulatory: Sensitive in nature, and access restricted. Disclosure is limited to individuals on a need-to-know basis.
Type of data
• Public: Data available on web; copyright marked material
• Internal: Organization proprietary; day to day company documents; emails
• Confidential: Engineering information; commercial markings
• Regulatory: Security classification; EAR/ITAR
Data Controls and S1000D
• Identifying: DMRL, Publication Modules, Data Modules
• Labeling: Data Marking, Output Presentation in IETM and PDF
• Protecting: CSDB Control, Access and Publication Filtering
Identifying Modules
• All S1000D objects (except ICN) have data control markings in their IDSTATUS section:
– Security or Commercial Classification
– Applicability
– Data Restriction
– EAR/ITAR
Identifying ICNs
• ICN data control identification is limited to the security classification
• Additional control can be applied at ICN usage in content
Identifying Content
Most S1000D content allows the following data controls:
• Security or Commercial Classification
• Applicability
Content cannot have data restrictions:
• Data Restriction
• EAR/ITAR
What are the types of information controls in S1000D?
• Classification
• Restriction
• Export Control
• Applicability
Classification
• Relates to the degree of danger to national security, or risk to the company, from its unauthorized disclosure
• A document should not fall under both security and commercial classifications
• Documents with any restrictive classification should be controlled in a system separate from documents without classification to avoid spillage
• Additional caveats can be applied as a code word to complement the appropriate security classification.
• Most data modules and content can have the classification attributes @securityClassification or @commercialClassification
Data Restrictions/Instructions
• Restrictive markings are additions to the security classification of data modules/technical publications, used to indicate additional restrictions on the data usage
– Distribution
– Handling
– Destruction
– Disclosure
– Supersedure
– Export Control (*provides additional control structures)
Export Control Structures
• <exportControl>
– Contains the export control information. The @exportRegulationType attribute indicates the type of regulation, i.e. EAR or ITAR.
• <exportRegistrationStmt>
– Statement can be full or partial.
• <exportRegistrationCode>
– Contains a @exportRegulationCodeType attribute to indicate the type of registration and then the text content would be the registration number.
Applicability
• Applicability provides the ability to mark information by configuration
• Can also be used to provide customer or distribution data control by allowing “sensitivity”
• Sensitivity is different than runtime filtering as information that is not applicable is removed before it is delivered
• Using applicability and customer configurations, data can be filtered for sensitivity during publishing of DM, PM and DMRL
Display
• Restrictions
• Classification
• Labels
Protecting Data with Software
– Encrypted communication (HTTPS)
– Restrict access by user
– Identify “export” status of users and content
– Customer or Configuration specific data packages
– Producing “filtered” datasets or runtime views
– Providing appropriate content/view labeling
– Logging/Auditing
Additional Thoughts
• The security marking of data modules, publications and DMRLs should always be as high as the most restrictive content they contain
• Dublin Core tag <dc:rights> might be able to expose marking to non-CSDB systems such as Adobe XMP
• A full data control program requires planning, user training, auditing and controls processes not described here.
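An added example, not part of the original slides or of the S1000D specification: a Python check of the rule above that a module's marking is at least as high as its most restrictive content, which also lists the export control structures described earlier. The sample XML is constructed and simplified; the wrapper elements, the placeholder values and the rule that a higher two-digit value means more restrictive are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample. Names quoted on the slides come from the page;
# the wrapper elements, placeholder values and the rule "higher two-digit value
# = more restrictive" are assumptions of this example.
SAMPLE_DM = """<dmodule>
 <identAndStatusSection><dmStatus>
  <security securityClassification="01"/>
  <dataRestrictions>
   <exportControl exportRegulationType="ITAR">
    <exportRegistrationStmt>Constructed statement text.</exportRegistrationStmt>
    <exportRegistrationCode exportRegulationCodeType="TYPE-PLACEHOLDER">0000-PLACEHOLDER</exportRegistrationCode>
   </exportControl>
  </dataRestrictions>
 </dmStatus></identAndStatusSection>
 <content>
  <para securityClassification="01">General description.</para>
  <para securityClassification="03">Constructed restricted figure.</para>
  <para securityClassification="02">Constructed handling note.</para>
 </content>
</dmodule>"""

CLASS_ATTRS = ("securityClassification", "commercialClassification")

def highest(elem, attr):
    """Highest numeric value of attr on elem or its descendants, else None."""
    values = [int(e.get(attr)) for e in elem.iter() if (e.get(attr) or "").isdecimal()]
    return max(values) if values else None

def audit_module(xml_text):
    """Return (marking findings, export-control entries) for one data module."""
    root = ET.fromstring(xml_text)
    status, content = root.find("identAndStatusSection"), root.find("content")
    findings = []
    for attr in CLASS_ATTRS:
        declared, needed = highest(status, attr), highest(content, attr)
        # The module-level marking must be at least the highest content marking.
        if needed is not None and (declared is None or declared < needed):
            findings.append(f"{attr}: module declares {declared}, content needs {needed}")
    exports = [(ec.get("exportRegulationType"),
                [(c.get("exportRegulationCodeType"), (c.text or "").strip())
                 for c in ec.iter("exportRegistrationCode")])
               for ec in status.iter("exportControl")]
    return findings, exports

if __name__ == "__main__":
    for finding in audit_module(SAMPLE_DM)[0]:
        print("FINDING:", finding)
```
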
S1000D Chapters ‐ Data Controls
• Chap 3.6 ‐ Information generation ‐ Security and data restrictions
• Chap 3.9.5.1 ‐ Data modules ‐ Identification and status section
• Chap 3.9.5.1.1 ‐ Identification and status section – Export control
• Chapter 4.4 – Information management ‐ Information control number
• Chapter 6.2.1 ‐ Page layout, paper publications, headers and footers
• Chapter 6.3.1 ‐ IETP ‐ Output specification
Summary
• Increasing importance placed on export compliance and access control from both the federal government and private industry requires active management
• S1000D provides multiple mechanisms and structures that can be used to identify and label controlled information
• In conjunction with proper planning, training, auditing and control processes, S1000D can provide value in managing your controlled information
Thank you