September 21‐23, 2015

Access & Export Control of S1000D Technical Data

Presenter Name:  Sean RushingRank or Title:  Product ManagerOrganization: CDG/Boeing

Purpose 

• Describe the information control capabilities of S1000D• Is not meant to describe how to implement Security or Export controls on your data

• Learn about how the information control in S1000D relates to document management and presentation

Topics

• Data Controls Review• Data Controls in S1000D• Controlled Information Identification in S1000D• Labeling Controlled Information in S1000D• Software Considerations• Additional Thoughts

What are Data Controls?

• Determining the need to protect dataIdentifying

• Proper marking of controlled dataLabeling

• Ensuring proper access to the data is enforced and controlled

Protecting

Data  Control  ScopePublic Internal Confidential Regulatory

Description

Information that could be viewed by anyone

Proprietary information and work products

Key business data and information

Information protected by statutes, regulations and laws, governed by a regulatory body

Impact

Access will cause has no organization impact

Unauthorized access could influence the Organization’s operational effectiveness, cause an important financial loss, provide a significant gain to a competitor

Unauthorized access could cause significant Organization harm or impact due to legal, contractual, privacy, or theft of intellectual property.

Unauthorized access may involve civil or criminal penalties.

Access

Public Access Data is restricted to data owner approved access and protected from external access.

Access to this data is restricted within the Organization or with appropriate release approval.

Sensitive in nature, and access restricted. Disclosure is limited to individuals on a need-to-know basis.

Type of data

Data available on web Copyright marked

material

Organization proprietary Day to day company

documents Emails

Engineering Information

Commercial Markings

Security Classification EAR/ITAR

Data Controls and S1000D 

• DMRL, Publication Modules, Data ModulesIdentifying

• Data Marking, Output Presentation in IETM and PDFLabeling

• CSDB Control, Access and Publication FilteringProtecting

Indentifying Modules

• All S1000D Objects (except ICN) are have data control markings in their IDSTATUS sectionSecurity or Commercial  

ClassificationApplicabilityData RestrictionEAR/ITAR

Identifying ICNs

• ICN data control identification is limited to the security classification

• Addition control can be applied at ICN usage in content

Identifying Content

Most S1000D content allows the following data controls

Security or Commercial  Classification

Applicability

Content cannot have data restrictions

Data Restriction

EAR/ITAR

What are the types of information controls in S1000D?

ClassificationRestrictionExport ControlApplicability

Classification• Relation to the degree of danger to national security, or risk to the 

company, from its unauthorized disclosure• A document should not fall under both security and commercial 

classifications• Documents with any restrictive classification should be controlled 

in a system separate from documents without classification to avoid spillage

• Additional caveats can be applied as a code word to complement the appropriate security classification.

• Most data modules and content can have classification attributes @securityClassification or @commercialClassification

Data Restrictions/Instructions

• Restrictive markings are additions to the security classification of data modules/technical publications, used to indicate additional restrictions on the data usage– Distribution– Handling– Destruction– Disclosure– Supercedure– Export Control (*provides additional control structures)

Export Control Structures• <exportControl>

– Contains the export control information.   The @exportRegulationType attribute indicates the type of regulation, i.e. EAR or ITAR.

• <exportRegistrationStmt>– Statement can be full or partial.   

• <exportRegistrationCode>– Contains a @exportRegulationCodeType attribute to indicate the 

type of registration and then the text content would be the registration number.

Applicability

• Applicability provides the ability to mark information by configuration

• Can also be used to provide customer or distribution data control by allowing “sensitivity”

• Sensitivity is different than runtime filtering as information that is not applicable is removed before it is delivered

• Using applicability and customer configurations data can be filtered for sensitivity during publishing of DM, PM and DMRL

Display

Restrictions

Classification

Labels

Protecting Data with Software

– Encrypted communication (HTTPS)– Restrict access by user– Identify “export” status of users and content– Customer or Configuration specific data packages– Producing “filtered” datasets or runtime views– Providing appropriate content/view labeling– Logging/Auditing

Additional Thoughts

• The security marking of data modules, publications and DMRLs should always be as high as the most restrictive content they contain

• Dublin Core tag <dc:rights> might be able to expose marking to non CSDB systems such as Adobe XMP

• A full data control program requires planning, user training, auditing and controls processes not described here.

S1000D Chapters ‐Data Controls

• Chap 3.6 ‐ Information generation ‐ Security and data restrictions• Chap 3.9.5.1 ‐ Data modules ‐ Identification and status section• Chap 3.9.5.1.1 ‐ Identification and status section – Export control• Chapter 4.4 – Information management ‐ Information control 

number• Chapter 6.2.1 ‐ Page layout, paper publications, headers and 

footers• Chapter 6.3.1 ‐ IETP ‐ Output specification

Summary

• Increasing importance placed on export compliance and access control from both the federal government and private industry requires active management

• S1000D provides multiple mechanisms and structures that can be used to indentify and label controlled information

• In conjunction with proper planning, training, auditing and control processes S1000D can provide value in managing your controlled information

Thank you!Sean.P.Rushing@cdgnow.com