Congratulations. Now that the organization has accepted the mobile ECM business case and decided to surf the wave of device adoption to make its enterprise content available to the mobile workforce, it’s time to figure out how to govern employee access and use of this content while they are away from the office.
The good news is that good mobile ECM governance is predicated on precisely the same principle as any effective information governance framework: developing and enforcing policies to control how information will be managed across its entire lifecycle, who will manage it and under what circumstances.
But when it comes to the mobile workforce, governing mobile ECM can be tricky. According to a recent survey by AIIM International, there are two major problem areas. One, access devices come in many different varieties and are hard for IT to efficiently support. And two, they are supposed to travel with users and so are difficult to protect from either unauthorized use or loss. For these reasons, “the usual” governance techniques should be reinforced, and new best practices are emerging accordingly.
Source: AIIM International, Making the Most of Mobile – Content on the Move
As easy as 1, 2, 3
Let’s start with the proven conventional wisdom, which at a high level breaks information and ECM governance down into three essential steps.
The first is to set up an oversight board to determine what the organization’s policies and standards are going to be -- or, if they already exist, to evaluate how well they apply to mobile workers. Because enterprise content by definition has such a broad reach, this mobile ECM governance board should include representatives from all affected departments, beginning with someone from the executive suite to chart and maintain the proper course. It should also comprise members from various lines of business, including records management, IT and the end-user community itself. All of those perspectives should be considered to engender effective mobile ECM governance.
Find out more about mobile ECM governance
Read an interview with SpringCM about mobile content management and cloud security issues
Find out what the experts say about governance and how it affects cloud content management
Learn how to build a business case for information governance and other ECM matters
Read about how to avoid the pitfalls of information governance management
The second step is to take all that input and design firm yet flexible policies and standards that are unequivocal in terms of their coverage (e.g., who has access to use or modify what, under what circumstances and for how long) but elastic enough to apply to new technologies without having to be rewritten (e.g., crafting them for all of social media rather than Facebook specifically).
The third step is to put these policies into a governance document for all to reference and adhere to. This document also should retain some flexibility so it can clearly address the issue from the perspective of each of the represented stakeholders, but also should include a mechanism for reviewing it regularly and updating it as needed.
Mobile muddies the matter
Doing governance right is challenging enough when its scope is limited to users whose locations and means of access can be predicted -- as when they work in company offices and are plugged into the company network. However, adding the mobility layer greatly complicates the matter because users now are logging in on devices that must first navigate an external network that is managed by a third party (typically the cellular carrier) over which the enterprise has no control. So while the governance of the content remains largely unchanged -- mainly because it’s the same content being accessed -- the governance of the access devices themselves is far more acute an issue here than in a tethered environment.
Because physically securing the mobile devices themselves is impossible while they are on the road with users, at a minimum they should require an extra layer of electronic access control (passcode, pattern swipe, even voice or facial recognition or both). But a policy also might be necessary to ensure the screen locks and any local content self-destructs after a certain period of inactivity or unauthorized use. It’s an extra layer of enterprise content security should a device end up left behind in a taxi, lost or stolen.
To simplify the technology aspects of mobile ECM governance, it’s wise to limit the list of devices the enterprise approves for use. One of the best ways to do that is to establish an organizational policy of issuing the devices, rather than permit employees to use whatever they already own. The sheer number of platforms available can make hardware and software maintenance a nightmare, and every time someone brings his or her own smartphone or tablet in from home or on the road to do work, the situation only gets worse.
Who manages the network is important because that same party is responsible for ensuring security. And as anyone who has ever connected to a Wi-Fi network at an airport or a Starbucks can tell you, this is not something most providers even address. It rests with the governance committee and its director to mandate and verify secure logins or the use of virtual private networks. Simply treating a mobile device as a “regular” device that gets around is not the answer, and it’s important to pay attention to that while setting up an enterprise mobile ECM governance strategy.
Governance is all about protecting enterprise information while ensuring it is available and reliable. Extending its reach into the field by arming employees with mobile devices changes nothing. Rather, the sheer accessibility of the devices -- and the resulting need to pay them particular attention -- is what changes matters.
It is critical to develop a strong governance policy that retains flexibility. Strong policies can help close costly gaps in regulatory compliance and, at the very least, improve process accuracy and efficiency. And they should maintain enough pliability to cover the new users and new generations of devices that appear every month. In that way, your enterprise mobile governance strategy will be able to meet each new development without having to be amended or rewritten every time.
ABOUT THE AUTHOR
Steve Weissman provides guidance and professional training on content, process and information management. Weissman is president of the AIIM New England Chapter and principal consultant at Holly Group. He can be reached at firstname.lastname@example.org