The mobile movement has advanced faster than a speeding bullet: Devices such as tablets, iPads, smartphones, digital watches and even eyewear are all becoming tools employees use to access corporate information assets every day. Each of these devices enables users to create, access, modify, process, send, receive, store or delete the information assets that have historically been protected behind systems-based controls and firewalls.
Every organization has seen information governance transformed by this rapid migration. Executives and managers are now forced to govern digital assets beyond their own control walls. Mobile devices requiring information governance and monitoring increasingly are not even owned by the company.
Amid these accelerating transformations, bad actors are exploiting uneven and absent mobile governance processes and targeting devices. High schoolers hacking for fun have given way to highly skilled hackers with nefarious intentions. Today's hackers are seeking valued corporate intelligence and looking to gain control of the mechanisms and pathways into corporate information systems left vulnerable by mobile devices.
How does an organization achieve information governance under these conditions? Here are four essential rules that provide a solid foundation for mobile information management.
Rule #1: Design your governance.
Information governance involves three steps: building an inventory of rules for data management, applying those rules effectively and creating records that prove effective application of those rules.
For too long, organizations have only authored new IG rules after an adverse event or when new technology is launched. Instead, governance should be part of enterprise architecture and incorporated into how all IT and all data are designed and implemented.
Organizations should anticipate that both users and their corporate data are mobile, and that moving data outside the firewall -- even if it's only stored in a device's cache -- makes it accessible from any geographic location. Therefore, companies must build infrastructure to support these realities. Experience, however, shows that IG professionals often are not invited to the table when infrastructure decisions are being made.
Changing that reality should be a goal. If governance rules can be considered and "baked in" to the infrastructure design process rather than being an afterthought, mobile devices become far less threatening to IG control objectives.
Rule #2: Anticipate mobility.
Information governance control objectives and subsidiary procedures must all be authored with the expectation that the company's data assets and device users are mobile. This may require significant updates to existing IG rule portfolios.
Once executives and managers begin to think differently about how to achieve effective IG, they quickly realize they must connect rules more closely to the data assets rather than user behaviors. Doing so allows them to better evaluate and design responsive policies and controls for mobile devices.
Effective IG should include rules that outline how data assets are governed not only within the company's own systems, but also when that data is mobile and moving outside the firewalls. By anticipating the mobility of data assets, companies will begin to govern the information and not the humans that interact with that information.
Rule #3: Expand the information governance rules.
In the 20th century, records management was driven by a records retention schedule's rules for destruction or disposition of data. Today, and into the future, governing digital assets requires much more.
For mobile information management to succeed, IG must expand its scope to embrace all of the rules that govern mobile data assets throughout the information lifecycle. This includes both substantive and procedural rules for how digital assets are created, saved, accessed, modified, sent, received, stored, preserved for e-discovery/legal purposes and eventually scheduled for disposition. Mobile devices introduce companies to the compelling need to abandon retention schedules and instead develop and manage digital asset governance schedules.
These expanded schedules enable all of the technology controls essential to enabling mobile device use -- including bring your own device -- to be connected with the organization's IG objectives. Digital asset governance schedules bring together rules for using certificates, VPNs, disaster recovery, security incident response, password management and numerous other security controls. Doing so also creates a foundation for enterprise-wide mobile collaboration, and the ability to quickly adapt to new mobile tools and processes.
Rule #4: Enable the legal rules.
Most 20th-century records management programs also supported mandatory legal requirements stipulating retention and availability of specific types of records. The rule of law is rapidly evolving to more specifically dictate regulations for systems, applications and specific data elements and how they are preserved and made accessible.
When building rules and processes that enable mobile device use, companies must review applicable legal rules and incorporate any functional requirements for mobile devices to align to those legal rules. And remember: This will require more than merely editing existing policies to include the words "and mobile devices."
Information governance executives who are demonstrating leadership and creating a competitive advantage for their companies are also including their legal team members in these exercises. In doing so, their resulting frameworks enabling mobile information management are truly aligned across the organization and do not present a compliance or security risk.
About the author:
Jeffrey Ritter is one of the nation's experts in the converging complexity of information governance, security, the use of digital information as evidence and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and business value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law. Learn more at www.jeffreyritter.com.