Signed, Sealed, Delivered.

30 09 2008

By Alex Thompson

With the increasing popularity of information loss there have been a few notable news stories in the last fortnight:

• It appears that some faith in PA Consulting remains (see here) – albeit for a project that has already suffered the loss of compact discs containing information on 25 million UK families;

• The senior intelligence official responsible for leaving top secret documents on the train has been charged (see here); and

• A quick reminder to check what kind of tip you’ve left the taxi driver (see here).

But what if information loss didn’t really matter?

Now I’m not about to suggest that leaving your mobile smart device in the back of a cab is a smart move but I attended a seminar the other day for an Information Rights Management (IRM) product that appeared to be a comprehensive solution to mitigating the risk that organisations face from information falling into the wrong hands. Oracle’s IRM software seals documents and emails, associates them with a policy and provides a digital signature to prevent unauthorised access. The solution also tracks and audits information outside of the organisation’s own network to enforce policies beyond the company firewall. Should business relationships change then information access rights can be changed accordingly and when retention policies kick in and the information is eligible for destruction, access rights are revoked entirely. In theory, memory sticks could be used with ease to transfer sealed data and should one end up in the wrong hands then there really shouldn’t be too much to worry about – the new ‘owner’ won’t have access to the rights management server – their only option being to wipe the memory stick and make a few pennies on eBay.

Obviously there are other solutions out there that are equally suitable and ultimately the choice of technology is dependent on requirements but it illustrates that electronic information can be safe to use if it is managed appropriately and solutions like that of Oracle’s IRM could prove to be a popular safety net for contractors that might be a little more nervous than they used to be when handling client information. Unfortunately IRM can’t protect those who want to follow in the steps of the intelligence official – perhaps it’s time that the ever so secure “TOP SECRET” stamp was reconsidered…

A quick “Did you know?” – 31% of organisations do not train their employees specifically about data security or protection of sensitive data (ARMA training survey 2007).




Is that a memory stick in your pocket?

17 09 2008

By Alex Thompson

Short of introducing airport style security at the office door, how do businesses tackle the problem of the memory stick? Threat of prosecution after information loss is one thing (see here) but surely the trick is to catch the problem at source? But having just “rules” in place is not enough and did not prevent one of the latest high profile cases of information loss at the Home Office by PA Consulting (see here), who have since suffered the consequences of their error.

On picking up a fellow commuter’s copy of the Guardian the other morning I noticed a letter from Les Bright in Devon who had commented on the latest incident of the memory stick in the night – “News that, once again, confidential information from the Home Office has gone missing, strikes a powerful blow against the paperless office. After all, when did we ever hear of people mislaying a room full of filing cabinets, or leaving one on a train?”. Interesting point Les but I’d like to draw your attention to an event back in June when a memory stick was not to blame and secret paper documents about Al-Qaeda and Iraqi security forces were left on the train by a senior intelligence official (see here).

So we have a problem here – neither the paperless nor the ‘papermore’ office seems to be working – and surely those businesses that are rapidly disabling all the USB connections on employee computers are only fire-fighting half of the problem? Has anyone asked why people are using memory sticks to transfer information or why paper files are being removed from their ‘secure’ locations?

There is clearly an information access requirement amongst users here that has either not been identified or has not been addressed appropriately and as such people are having to develop workarounds to policy in order to meet their needs. However I’m not suggesting that this is just a user requirements issue as there are clearly information security risks to be assessed also and this is where Information Management comes in.

Making information accessible and usable is key to appropriate Information Management but it is important to have a complete people, process and technology infrastructure in place that meets both business and user requirements. Businesses need to be looking at providing users with the ability to access information as their requirements dictate but within controlled environments that protect the information from loss and theft. A policy alone cannot achieve this but an Information Management Infrastructure that is built around function and not form can mitigate risks and eliminate the need for users to develop workarounds to the policies and – if the Conservatives are to get their way – put themselves at risk of prosecution.

Of course one could leave the infrastructure as it is and employ additional security at the doors to check bags and pat down the pockets of staff leaving the office but I’ll leave this one for the Home Office risk assessors to consider.




