Platt Perspective on Business and Technology

Navigating bring your own cloud as an emerging trend 2: thinking through the parameters for more effective resolutions to this 1

Posted in business and convergent technologies by Timothy Platt on November 11, 2013

This is my second installment in a series on an emerging face to the Bring Your Own Device, or BYOD phenomenon in which employees use their own personal computer and communications devices for their work (see Part 1: identifying and thinking through the basic challenge.)

My goal for Part 1 was to outline some of the issues, as to what types of business data can be and are brought by employees into personally controlled and managed cloud storage, with a basic outline of at least some of the key security and risk management consequences that this raises. I recommend reviewing that posting to put this one into a more meaningful context. My goal for this installment is to outline some of the core parameters that would go into developing business policy to manage this phenomenon among a business's employees, in a way that would meet legal and business due diligence requirements.

There are two basic approaches that need to be coordinately applied for that type of risk remediation and information security protection:

• General policy and policy implementations that would be developed for and applied across the entire business organization in a uniform and consistent manner for all employees, with compliance a work performance requirement and violation of this policy considered as a quality of work performance issue, and
• Special context and situationally defined policy that would be developed to address specific and more specialized data security vulnerabilities, and data access and use requirements involving them.

As an example of more general policy, it can be stated, as both an issue for performance evaluation and a term of employment, that all employees are responsible for the information security of any business intelligence or data that they access and take into their position or that is shared with them by others in the course of their work. As a more locally defined policy example, I could cite processes, data and proprietary knowledge usage from essentially any department or service, as virtually every part of a business sees and uses at least some sensitive information, and at least select specific types of it. I cited Human Resources and Payroll in Part 1 and I add here Information Technology, where testing and validating in-house software and maintaining even third-party developed resources usually requires real-world testing with real-world data. And that can include essentially any and all types of data that a business might hold, with the possible exception of trade secret information that would not be entered into any computerized systems.

The secret formula for Coca-Cola comes immediately to mind, with parts of it held by members of a group of select executives and managers within that company. I have heard that key parts of this trade secret formula were not even written down, at least for a long time, and while that detail of access control might not be true in that case, I know that that type of secrecy and proprietary knowledge security is used by some businesses that depend on such knowledge resources. But even businesses that depend essentially entirely for their competitive strength and long-term viability on preserving the confidentiality of special trade secret information also need to protect employee and customer data, and much more that would be entered into computer and networked systems, for both business and legal reasons.

I add here that while clearly stated policy and incorporation of a requirement that it be followed are important to managing data confidentiality in the face of bring your own cloud, and BYOD in general, making this work for your business, and as a legally protective measure, calls for specific types of ongoing practice too. I am going to consider some of those pieces to this puzzle in a next series installment. Meanwhile, you can find this and related postings and series at Ubiquitous Computing and Communications – everywhere all the time 2 and also see my first Ubiquitous Computing and Communications directory page.
