Information Management Blog

By Alex Thompson

With the increasing popularity of information loss there has been a few notable news stories in the last fortnight:

• It appears that some faith in PA Consulting remains (see here) – albeit for a project that has already suffered the loss of compact discs containing information on 25 million UK families;

• The senior intelligence official responsible for leaving top secret documents on the train has been charged (see here); and

• A quick reminder to check what kind of tip you’ve left the taxi driver (see here).

But what if information loss didn’t really matter?

Now I’m not about to suggest that leaving your mobile smart device in the back of a cab is a smart move but I attended a seminar the other day for an Information Rights Management (IRM) product that appeared to be a comprehensive solution to mitigating the risk that organisations face from information falling into the wrong hands. Oracle’s IRM software seals documents and emails, associates them with a policy and provides a digital signature to prevent unauthorised access. The solution also tracks and audits information outside of the organisation’s own network to enforce policies beyond the company firewall. Should business relationships change then information access rights can be changed accordingly and when retention policies kick in and the information is eligible for destruction, access rights are revoked entirely. In theory, memory sticks could be used with ease to transfer sealed data and should one end up in the wrong hands then there really shouldn’t be too much to worry about – the new ‘owner’ won’t have access to the rights management server – their only option being to wipe the memory stick and make a few pennies on ebay.

Obviously there are other solutions out there that are equably suitable and ultimately the choice of technology is dependent on requirements but it illustrates that electronic information can be safe to use if it is managed appropriately and solutions like that of Oracle’s IRM could prove to be a popular safety net for contractors that might be a little more nervous than they used to be when handling client information. Unfortunately IRM can’t protect those who want to follow in the steps of the intelligence official – perhaps it’s time that the ever so secure “TOP SECRET” stamp was reconsidered…

A quick “Did you know?” – 31% of organisations do not train their employees specifically about data security or protection of sensitive data (ARMA training survey 2007).

By Alex Thompson

Short of introducing airport style security at the office door, how do businesses tackle the problem of the memory stick? Threat of prosecution after information loss is one thing (see here) but surely the trick is to catch the problem at source? But having just “rules” in place is not enough and did not prevent one of the latest high profile cases of information loss at the Home Office by PA Consulting (see here), who have since suffered the consequences of their error.

On picking up a fellow commuter’s copy of the Guardian the other morning I noticed a letter from Les Bright in Devon who had commented on the latest incident of the memory stick in the night – “News that, once again, confidential information from the Home Office has gone missing, strikes a powerful blow against the paperless office. After all, when did we ever hear of people mislaying a room full of filing cabinets, or leaving one on a train?”. Interesting point Les but I’d like to draw your attention to an event back in June when a memory stick was not to blame and secret paper documents about Al-Qaeda and Iraqi security forces were left on the train by a senior intelligence official (see here).

So we have a problem here – neither the paperless nor the ‘papermore’ office seem to be working – and surely those businesses that are rapidly disabling all the USB connections on employee computers are only fire-fighting half of the problem? Has anyone asked why people are using memory sticks to transfer information or why paper files are being removed from their ‘secure’ locations?

There is clearly an information access requirement amongst users here that has either not be identified or has not been addressed appropriately and as such people are having to develop workarounds to policy in order to meet their needs. However I’m not suggesting that this is just a user requirements issue as there are clearly information security risks to be assessed also and this is where Information Management comes in.

Making information accessible and usable is key to appropriate Information Management but it is important to have a complete people, process and technology infrastructure in place that meets both business and user requirements. Businesses need to be looking at providing users with the ability to access information as their requirements dictate but within controlled environments that protect the information from loss and theft. A policy alone can not achieve this but an Information Management Infrastructure that is built around function and not form can mitigate risks and eliminate the need for users to develop workarounds to the policies and – if the conservatives are to get their way – putting themselves at risk of prosecution.

Of course one could leave the infrastructure as it is and employ additional security at the doors to check bags and pat down the pockets of staff leaving the office but I’ll leave this one for the Home Office risk assessors to consider.

By Patrick Thatcher

There is a widely accepted concept within information management; that being the main division for data is between structured and unstructured. Structured data being rows and columns of data within a database and unstructured being “the rest” of an organisation’s data. “The rest” being all documents including Office documents, PDF’s, emails and so on.

Traditionally and practically, organisations will have their structured data reasonably well managed (I guess that is why we call it structured data). However, the unstructured data is often wild and unruly. The most common method of taming the wild of the unstructured data is with one or a combination of Enterprise Content Management (ECM), Document Management (DM) and Records Management (RM).

All too often the chosen solution and the implementation journey is dramatically underestimated. The perception is simply to buy a product, install it and all will be well.

To quote a very old cliché; “If you fail to plan, you plan to fail”. This most certainly rings true for any project involving unstructured data. The most important work of an information management project must be done upfront, if possible prior to even purchasing a product. Should the product selection already been done; still more work is required prior to the solution roll out.

Some points may seem obvious, but please remember the following:

1. Ensure infrastructure is in place
2. Define all document / content types
3. Engage with all levels of the organisation
4. Pilot, prototype or model office is essential
5. Plan, plan, and plan

Where there is strong drive within organisations to manage unstructured data effectively. I would like to highlight that in order to reach the organised point there needs to be clear and concise structure surrounding the unstructured. Although unstructured data will never appear as rows and columns in a database; it should be approached with structure and order in mind.