Platt Perspective on Business and Technology

Navigating the bring your own tech puzzle – 3: connecting IT and HR policy and practice

Posted in business and convergent technologies, HR and personnel by Timothy Platt on December 13, 2011

This is my third installment in a series that deals with an issue that would not have been considered even just a few years ago – employees would not consider bringing their own home desktop computers or wired phones with them to work and if for some unusual reason one did, they would not be allowed to connect them into their employer’s IT or communications system. Now, and particularly with ubiquitously portable handheld devices and with the ubiquitous computing and communications capabilities they offer, the lines between work and private lives blur and employees bring their personal technology everywhere and to everything they do. And with cloud computing and remote access software readily available even the desktop and other large employee-owned technology they physically keep at home, can get connected in too. So bring your own tech has in effect become the new norm, and even when it is not formally acknowledged or accounted for in workplace policy.

You can find Part 1: building a framework for understanding and managing this emerging trend and Part 2: who owns IT? at HR and Personnel. My goal in this posting is to at least start outlining an approach for managing this for productivity, security and confidentiality issues, and in fact in accordance with good due diligence and risk remediation policy in general. That means developing coordinated policies for bringing in and connecting in outside technology that would be developed and owned jointly by Information Technology and Human Resources. And both would bring in corporate legal council for advice as well.

I would start this with Information Technology and with a focus on what technology is involved in this discussion, and on the technical side of risk and opportunity that this practice presents. And I start that up-front by noting a few parameters that should at least be fairly obvious, but that sometimes have implications that can be more unexpected.

• The basic technology that employees own and use in their personal lives is constantly changing, and that change includes ongoing increases in power and also in flexibility and range of use and application. Every rapidly arriving next advance makes mapping out what this technology can do, and how it would impact on business systems that much more complex a challenge.
• This applies to hardware and to software, but at least as importantly this applies to how employees use their technology and their expectations as to what they can and should be able to do with it.
• And together and certainly when dealing with multiple technology generations and for many, many diverse types of technology, an IT department faces a seemingly unending series of “non-standard” to deal with and to understand – and to integrate on the fly into its governance and other policy-based systems.

The IT side of this has to be flexible and not tied down to any one technology or technology generation. And as alluded to in my third bullet point above, one way to do this is to develop an IT governance policy and to operationalize it into a system of connectivity standards that users will have to comply with if their hardware and software are to work in connection with business systems.

• Internet protocols and other connectivity standards insure that this ever-widening range of technology options and resources all at least potentially can communicate and share information together.
• Operationalized IT governance rules, coupled with filled-out and enforced security layers in the protocol stacks in use would serve as at least a first technology-side line of defense against risky or malicious connections and systems breaches.
• And I stress that security here needs to go beyond simple password systems. None of this can be effective if it is developed as a do it once and forget it solution.

Human Resources personal do not generally know the technology, at least with the depth of expertise that IT professionals should have. So they need advice and guidance on the technology itself and its capabilities as a starting point for developing their side to this policy. And their focus of attention here would be on the people involved who would use this technology.

• HR policy regarding use of personal, employee owned technology at work has to be consistent with overall personnel policy as governs what behaviors are and are not acceptable from employees.
• That definitely includes policy as it relates to accessing, using and sharing information that is developed at or obtained through the employer business.
• Policy restrictions would be based in at least significant part on the sensitivity of information involved, and both for who would be permitted to access that information and how and where they could legitimately use it and on what hardware and software platforms. So an employee who only accessed and worked with publically visible information and knowledge such as current external-facing marketing images and text would be governed as to appropriate usage under much less restrictive guidelines than an employee who was accessing and using confidential, personally identifiable customer database information, or information regarding a new product still under development.
• Level of access and utilization controls would correspond to levels of risk and potential cost from misuse.
• Some types of information would simply not be allowed out of the formal business owned and managed information infrastructure with breaches in their legitimate and approved use identified as grounds for dismissal or even legal action.
• It is crucial that any such HR policy spell out both permitted usage and behavior and also disallowed usage and behavior, and that like the IT half of this overall policy the HR side of it be drafted to be flexible – both with regard to the technology in use and in how employees use it. The idea here is that a well drafted policy will not rapidly become obsolete or irrelevant and that it will maintain ongoing value by focusing on core principles that are more state of the art agnostic.
• With that said, policy would be reviewed and updated, and shared with all employees on an ongoing basis – starting with their initial onboarding process as new employees and for as long as they are with the business, and in whatever capacity.
• This policy would also govern outside consultants, and be consistent with confidentiality and non-disclosure policies for after an employee leaves the business.

And because businesses hold and are responsible for personally identifiable information and about employees, customers and others as well as a wide range of other types of legally protected information, it is crucial that corporate legal council be brought into this:

• For insight as to the nature of the data sensitivity categories that policy would be developed around, and
• For guidance in shaping policy and procedures for dealing with and resolving alleged breaches in policy.

Policy would be enforced at least in part through signed agreements and in accordance with contract law.

As I final thought I return briefly to the top of this posting where I noted that this policy would be owned by IT and HR, and with legal council advice included as a core requirement. I intentionally left off that list other information and knowledge owning stakeholders (e.g. Marketing and Communications for their data and processed knowledge.)

• It is very important that an organization have a single shared policy that all stake holding services and departments would adhere to.
• They would provide advice and input for more accurately assessing the sensitivity and value of confidentiality of the data, information and processed knowledge that they hold within that organization, but policy per se should be centrally managed and explicitly owned by HR and IT and not be separately maintained within specific units of the business.
• And I add that while this is as a matter of impact about business information, this policy is about the technology that this information would be accessed and managed through.

I am going to turn in my next series installment to consider a second major area of due diligence concern that has to be managed when employees bring their own technology to work: cyber-security and the potential for security breaches. After that I am going to look into technology advancement and the impact of disruptive new technology when it is brought into work by employees. This, I add also has to include discussion of the closely aligned issue of disruptive, unplanned for new ways of using existing technology that employees can bring to their workplace practices. As a foretaste of that posting to come, disruptive technology and usage are where even the most flexible and technology-agnostic technology inclusion policy can and will break down if it is ever to so that.

You can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and at HR and Personnel.

Tagged with:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: