Information Management Blog

By Alex Thompson

Short of introducing airport style security at the office door, how do businesses tackle the problem of the memory stick? Threat of prosecution after information loss is one thing (see here) but surely the trick is to catch the problem at source? But having just “rules” in place is not enough and did not prevent one of the latest high profile cases of information loss at the Home Office by PA Consulting (see here), who have since suffered the consequences of their error.

On picking up a fellow commuter’s copy of the Guardian the other morning I noticed a letter from Les Bright in Devon who had commented on the latest incident of the memory stick in the night – “News that, once again, confidential information from the Home Office has gone missing, strikes a powerful blow against the paperless office. After all, when did we ever hear of people mislaying a room full of filing cabinets, or leaving one on a train?”. Interesting point Les but I’d like to draw your attention to an event back in June when a memory stick was not to blame and secret paper documents about Al-Qaeda and Iraqi security forces were left on the train by a senior intelligence official (see here).

So we have a problem here – neither the paperless nor the ‘papermore’ office seem to be working – and surely those businesses that are rapidly disabling all the USB connections on employee computers are only fire-fighting half of the problem? Has anyone asked why people are using memory sticks to transfer information or why paper files are being removed from their ‘secure’ locations?

There is clearly an information access requirement amongst users here that has either not be identified or has not been addressed appropriately and as such people are having to develop workarounds to policy in order to meet their needs. However I’m not suggesting that this is just a user requirements issue as there are clearly information security risks to be assessed also and this is where Information Management comes in.

Making information accessible and usable is key to appropriate Information Management but it is important to have a complete people, process and technology infrastructure in place that meets both business and user requirements. Businesses need to be looking at providing users with the ability to access information as their requirements dictate but within controlled environments that protect the information from loss and theft. A policy alone can not achieve this but an Information Management Infrastructure that is built around function and not form can mitigate risks and eliminate the need for users to develop workarounds to the policies and – if the conservatives are to get their way – putting themselves at risk of prosecution.

Of course one could leave the infrastructure as it is and employ additional security at the doors to check bags and pat down the pockets of staff leaving the office but I’ll leave this one for the Home Office risk assessors to consider.