Information Governance Insights:
Managing information in a remote working world
Welcome to 2121! The world has completely changed for most of us over the course of the last year. I’ve been reminding my clients about all the things I preached over the years that they needed to let go of the paper and go digital as much as possible. 2020 comes along & I’m Nostradamus! The end of the world is nigh indeed!
Now commercial real estate is going in the tank as organizations have no choice but to empty their offices and everyone is scrambling to get control of their information assets in the new remote worker environment. Everyone has some kind of plan by now, or at least some kind of process, but the question to ask now, as the dust settles, is whether it is the right process. “Right” will be different for every organization, but there are some fundamentals that should be followed to lead you in the right direction.
The most critical part of any organization’s information governance program, particularly in today’s litigious environment, is protecting the privacy of the people you are dealing with. Governments around the world are imposing more regulations around privacy that can and do impose very hefty fines for violations. Strict policies and procedures must be in place to ensure that there is no unauthorized access to any private or sensitive data.
Personally Identifiable Information (PII) or Personal Health Information (PHI) is just one part of the equation, however. The intellectual property of the organization must be protected just as vigorously. Guarding these information assets has always been an issue, but the problem has grown exponentially with ramping up the remote working capabilities within the organization. A thorough policy review is the first step.
As with any review, you should always start with the policies to make certain they meet the organization’s strategic goals and that they are up to date with all current regulations. Particular attention should be given to remote working guidelines since that is the big change in everyone’s business life. These should address the organization’s expectation for overall device security and include acceptable use of devices and the handling of information, copying records to a personal device (don’t do this), sending records to a personal email (also don’t), and even the little things like using flash drives to store company information (don’t as well).
A policy is just the first step and does no good for the organization if no one knows about it. The training program must be updated with the current changes in policy as well. Any major changes or new policies that are developed in the review should be distributed to all affected personnel as soon as possible. These changes can then be included as part of the organization’s annual training program.
Obviously, the elephant in the room for the Information Technology staff is that the information that was once stored in a secure environment they had control of is now spread out across everyone in the organization. Now is the time to impress upon them how critical they are to maintaining the security of the organization’s information assets.
First and foremost is a refresher on basic device security: lock devices away when not in use, and do not share login or password information with anyone (this includes key fobs). The most important thing an organization can do to protect its information assets is to establish a secure network for everyone to work in. Do not permit anyone to do business on their personal devices for any reason. A Virtual Private Network (VPN) is the best way to still maintain some centralized control of how the organization does business.
It should go without saying, but everyone should be diligent about not printing anything while working remotely. Of course, there are always exceptions to this rule and the organization should have a plan to deal with printed material. Back in the “old days” there were secure shred bins throughout the building that people could dump their documents in while they stopped by the coffee machine.
That’s no longer possible with everyone working remotely and the possibility that the actual office building is no longer there. In the case where the organization still has a physical location, a secure shred bin can be placed in a central location for personnel who have such material to access, ensuring the integrity of the process is maintained as much as is reasonably possible. If the physical location no longer exists, there are many third-party vendors available that do secure shredding. These services exist in most major areas.
Most organizations have had remote working policies and procedures in place for quite some time, but never to the scale that is required currently with the pandemic. Everyone is now facing the same issues and the information technology departments across the globe are working as fast as they can to get these systems in place. While speed is certainly of the essence, doing it right the first time can save a disaster later. Take the time to review the policies first and then move on to the rest knowing all the bases are covered. Together we’ll get through this.