employee leaves a company, his work devices will be collected as part of the off boarding process. But what about the personal or even company owned storage devices that contain the same sensitive and proprietary information? Companies need to set policies around whether they allow these devices and if they don’t, must also decide how they will compensate for that.
Another hot policy area is whether or not organizations will support the Apple operating system. The popularity of Apple computers leads many employees to ask for Apple operating system devices for use in the workplace even if they are not approved by corporate. In many cases however, the programs employees want to use on Apple computers make them incredibly productive and help them to do their specific jobs better. Companies must set clear policies when it comes to whether or not individual employees will be allowed to use Apple products for work and under what circumstances it would be acceptable. From there they need to address related issues such as managing security, compatible approved applications, etc.
Defining Policies Around Auditing Users’ Systems
One final and extremely complex relevant area is defining policies around auditing users’ systems. Many employees, usually without malicious intent, are running pirated and unlicensed software on their computers. Companies must decide whether they will turn a blind eye to this fact or whether they will actively prevent this from happening. Should a company programmer use unlicensed software during product development for example, and the company profits from that, there are major legal implications involved and ignoring the issue could be very problematic. On the flipside, companies who decide to proactively audit users’ systems need to be prepared for pushback from employees wanting to maintain privacy on their devices.
There are many types of corporate environments. Some companies take a fairly open approach while others decide to implement strict data controls. Regardless of the company’s style, there are very complex data governance policy questions that need to be answered before a company makes decisions on the technology side. Before evaluating tools and then committing to them, organizations need to take the time, no matter how painful, to set governance policies and work to secure buy in for them. It is also important to recognize that there are no right and wrong answers to these difficult policy questions; they will be tailored to each company’s specific industry and environment and there will be pros and cons no matter what is decided. What is important is to answer these questions, set the policies and adopt technology to enforce them. Data governance technology can be transformative but will not solve data governance challenges without effective policies in place. The mindset that technology will drive policy instead of vice versa guarantees a lackluster program or worse, complete failure.
About the author:
Chris Grossman is senior vice president, Enterprise Applications, Rand Secure Data.