Posted by: David Scott
Let’s look at a common mistake on IT’s part. How many organizations have a requirement for “centralized” data, yet have full knowledge that users – the business community – are storing data on local (c:) computer drives? It matters not whether you have server virtualization, or if you harbor your own physical server(s).
In fact, it doesn’t even matter if you have virtualized desktops. If your users are storing data in the wrong virtual space, it’s in the wrong place!
Even some of the most sophisticated organizations, and the most tightly controlled enterprise environments, have this condition. This goes on even in organizations where it violates a document retention and content management policy – policies that are often imposed by outside regulatory agencies, or client bodies. Yet, if business members and leaders insist that it’s a necessary “work-around,” IT frequently goes along.
Conversely, business often assumes that policies are being adhered to, even as IT lets the environment go slack. This is a major mistake on IT’s part. Let’s leave the document retention/content management considerations aside for the moment, other than to state the obvious: If business leaders and users at various levels are running reports on what they believe to be a coherent data-store, in the absence of critical data that is harbored in unapproved and unrecognized repositories, then report content can never be accurate and true. Business decisions can be weighted according to false criteria, and a true measure of any situation cannot be made. Today, let’s look at the situation from a simple backup and recovery standpoint – certainly an important enough area to highlight perils.
IT’s position in any organization should be that all data is secure: accessible according to authorization; safely and securely maintained in the technical environment; recoverable in the case of loss in the production environment for any reason (corruption, human error). Too often, especially in SMB environments, users are responsible for backing up their own local drives. This is wrong. If there is genuine business data that is not coming under the umbrella of IT’s backup domain, then that is a wrong situation and you cannot profess to have complete security. You are at risk.
A business-IT management team can hash out how to expose peripheral data, and how to manage it, secure it and back it up – at a minimum you must document exceptions to policy and put them on record. Ideally and in accordance with best practice, you’ll want to “centralize” data (whether actually or virtually) and put it squarely in the realm of IT’s secure and sure backup process. Many important caches and swaths of data have been lost by organizations because the central, qualified authority for the safekeeping of data (IT) was unaware of it. There was no central authority guaranteeing its safekeeping under these circumstances.
Let’s look at one more area where IT is frequently remiss. Organizations overall are responsible for anything and everything that happens within: We have seen large judgments made in favor of employee plaintiffs with complaints regarding offense and damages over electronic content containing porn, offensive jokes, inflammatory material based on race, etc., illegal advocacy, and other inappropriate content. Here, we’re speaking of content that has long been defined as this kind of liability by courts. Remember too that just because some content may be “legal” in the broader sense, it can still violate your organization’s best interest: perhaps its internal policies, and those of clients and allied organizations.
Consider too: Should your organization’s data be subpoenaed, you wouldn’t want negative characterizations of business partners or critical evaluations of members made public, for example. Most organizations have policies to guard against inappropriate use of business resources and to explain the consequences of harboring improper content, but many don’t adequately reinforce, refresh, or train to the policy. Further, it’s apparent that a lot of IT departments haven’t picked up their responsibility, or perceived their own liability, in this area.
IT: Take care of business – and take care of business – if you know what I mean. ;^)
NP: Feeling Good, Gerry Mulligan, jazz24.org