e-Recording Security Part 1: Threats, Vulnerabilities & Risks

Security issues vary between organizations based on numerous factors that should be analyzed and assessed regularly in preparation for security threats, vulnerabilities and risks. The following are threats, vulnerabilities and risks relating to the processing of electronic documents for e-recording.

A security threat is a source of danger or harm. Threats include:

Rogue Submitters: an entity posing as a legitimate submitter.

Rogue Web Sites: a website posing as a legitimate site (e.g. a real online county recording system) to collect documents or information (phishing, pharming).

Rogue Recording Entities: an entity posing as a legitimate recording-related entity to record documents.

Hackers: an entity attempting to gain unauthorized access to computer systems.

Eavesdroppers: an entity capable of intercepting documents or information as they are collected by the recording agency from the submitter.

Denial of Service Attacks: an attack against a system that is designed to overload system capabilities so that legitimate services cannot be rendered until the attack has ended.

Internet-based Attacks: viruses, worms, etc. that reach targets via internet channels and look to exploit vulnerabilities within computing networks and systems.

Insider Threats: an employee, contractor, etc. who has internal access to organizational assets and intends to leverage that access to perform unauthorized functions.

Uneducated Employees: an employee who unknowingly performs unauthorized functions, is susceptible to social engineering attacks that disclose sensitive information, or performs ill-advised functions due to lack of education/training.

Untrusted Applications: applications that perform functions they are not supposed to perform, or that do not perform functions they are supposed to perform.

Catastrophic Events: unforeseen events such as natural disasters or major power outages that cause operations to cease.

 

A vulnerability is something that is susceptible to a potential attack or harm, including:

Collecting Unnecessary Documents and Information: a submitter that collects sensitive/non-public information that is not needed to support e-recording functions or processes.

Transferring Unnecessary Sensitive Information: a recording entity that transfers additional sensitive information that is not needed by the recipient entity.

Poor Authentication: the inability of the submitter and the recording entity to authenticate one another prior to executing online transactions.

Inadequate Network Security: minimal/poor security at the web interface that leads to exposure of documents or data as they are collected by the submitter.

Inadequate Individual Computer Security: minimal/poor security at the submitter’s computer that leads to exposure of the submitter’s documents and information.

Insecure Transfer Methods: electronic and physical transfer methods that do not provide adequate protection of documents or information.

Inadequate Event Logging: lack of event logging to provide details on transaction history or support security incident monitoring capabilities.

Uneducated Requestor/Submitter: a requestor/submitter who has little to no security knowledge with online transactions.

Uneducated Employee: a staff member who fails to properly authenticate a package being received, or who may not properly secure a user ID and password or delete documents.

Super User: a person with unlimited access privileges who can perform any and all operations on the computer.

Insecure Test Environment: environments that use live operational data but lack security capabilities compared to operational environments.

Poor Disaster Recovery Plans and Capabilities: nonexistent or poor-quality plans and capabilities that leave an organization unable to recover adequate operations after a catastrophic event.

Non-Compliant Third Party Service Providers: recording-related entities that do not perform periodic security reviews/audits to understand the security posture of their organization.

Inadequate Physical Security: minimal or poor physical security to prevent unauthorized access to critical computing equipment.

Removable Media: USB drives, PDAs, laptops, etc. that can store documents and information and are easily removed from the operational environment of the entity.

Stored Documents and Information in Unused Storage Devices: storage devices containing sensitive information that are not current.

Improper Deletion or Destruction of Documents and Information: documents and data that remain within the system after disposal procedures have been followed.

A risk is the undesired consequence that occurs when a threat successfully attacks or exploits a vulnerability. It is further identified as having two components: the likelihood that the consequence will occur, and the impact of the consequence.


About the Author: Chantel Soumis
