Posted by: David Scott
A couple of articles ago, I talked about a business deficit. It’s only fair we consider one on the other side of the line.
Let’s look at a common mistake on IT’s part. How many organizations have a requirement for “centralized” data, yet have full knowledge that users – the business community – are storing data on local (c:, etc.) computer drives or on desktops? Even the most sophisticated organizations, and the most tightly controlled environments, have this condition. This goes on even in organizations where it violates a document retention and content management policy – policies that are often imposed or required by outside regulatory agencies, or other bodies (that is, boards, classes of customers/clients, and so on). Yet, if business members and leaders insist that it’s a necessary “work-around,” IT goes along. This can be a major mistake on IT’s part. Let’s leave the document retention/content management considerations aside for the moment, and look at the situation from a simple backup and recovery standpoint.
IT’s position in any organization should be that all data is secure: accessible according to authorization; safely and securely maintained in the technical environment; recoverable in the case of loss in the production environment for any reason. Too often, users are responsible for backing up their own local drives. This is wrong. If there is genuine business data that is not coming under the umbrella of IT’s backup domain, then that is a wrong situation and you cannot profess to have complete security. You are at risk. You can hash out in the BIT forum how to expose peripheral data, and how to manage it, secure it and back it up – at a minimum you must document exceptions to policy and put them on record. Many important caches and swaths of data have been lost by organizations because the central, qualified authority for the safekeeping of data (IT) was unaware of them. So, there was no central authority guaranteeing their safekeeping under these circumstances.
Let’s look at one more area where IT is frequently remiss. Increasingly, organizations are responsible for anything and everything that happens within. We see where large judgments have been made in favor of employee plaintiffs who had complaints regarding offense and damages over electronic content containing porn, offensive jokes, illegal advocacy, and other inappropriate content. Courts have long defined this kind of content as a liability. Remember too that just because some content may be “legal” in the broader sense, it can still violate your organization’s best interest. Should your organization’s data be subpoenaed, you wouldn’t want negative characterizations of business partners or critical evaluations of members made public, for example. Most organizations have policies to guard against inappropriate use of business resources and to explain the consequences of harboring improper content, but many don’t adequately reinforce the policy. Further, it’s apparent that a lot of IT departments haven’t picked up their responsibility, or perceived their own liability, in this area.
Let’s be clear: One thing you don’t want to have happen is that something blows up into an embarrassing exposure, with people asking how “IT” could have let inappropriate content breach your business-technology environment. For it is IT that implements spam-guards, monitors storage, and has the means (even if only under special permission by Business) to do a comprehensive review of data. The mechanics of, and the burden in, running a “clean” environment are IT’s. While it is true that Business must cooperate and contribute to a clean environment, and that this is reinforced by policies from both Business (HR) and IT – no business person has the authority to look across the board at data and content on a regular basis. No business person is tasked to have knowledge superior to IT’s regarding best practice protections and best software solutions. This is a “behind the screen” faculty. If you’re an IT staff member, and your IT department is not comfortable in answering for your organization’s content, you need to get this into the BIT agenda quickly.
Next, we’ll discuss putting activity where it belongs.