Sunday, April 29, 2012

IT Policy for the Win
Samuel Warren
IS464 - Policy
Professor Ryan Gunhold
January 26, 2012

I.T. Policy for the Win
There are many drivers in the world of Information Technology (IT). If IT were a car, policy would be the chassis. Just as a physical car could not drive without its chassis, IT cannot function properly without policy. To carry this thought further: there are good and bad frames. The very best frames enhance and guide the drivability of the car. Bad frames are accidents waiting to happen. Policies, just like the aforementioned frames, must enhance, control, and increase the effectiveness of a business. If they do not directly and positively affect the business, what good do they do? A study of two recent policy decisions, one good and one bad, will help to frame a discussion of how to better manage policy development, deployment, and enforcement.
There is no doubt that Google has vied for greatness since its creation. From their start in 1996, they have had one simple goal, "…to organize the world's information and make it universally accessible and useful" (Google.com, 2012). With so much information in the world, this goal becomes very daunting unless there are good policies to keep track of how Google operates. On January 24, 2012, Google unveiled a unified approach to privacy. According to their blog,
The main change is for users with Google Accounts. Our new Privacy Policy makes clear that, if you're signed in, we may combine information you've provided from one service with information from other services. (Whitten, 2012)
With so many products out there, most of which are free to anyone willing to sign up, the approach seems to make sense. But does it? By combining your information across multiple tools, the lines between Google's tools blur, and that may cause problems. Imagine having all your data available to Google and to whomever they decide to sell it. The worst part of the whole new privacy policy is that they are attempting to present this move as a helpful tool for better, more accurate searching and sharing across all of one's Google tools. However, Google's main revenue is from advertising (Dawson, 2012); given that, this policy seems more self-serving than noble. If Google holds all of one's personal data, they could, in effect, tailor large numbers of ads based on user profiles and spam every application one has under their name. Because they know exactly what a user does on their applications, that would be like selling alcohol to an alcoholic. It is not illegal, but it does raise a question of appropriateness. Should someone who knows exactly what users search for, read, post, and watch be allowed to make money on the knowledge that one will have a higher likelihood of clicking the links? Google maintains that they already had the information (Dawson, 2012). When developing this policy, they seem to have overlooked one crucial behavior of users: compartmentalization.
Simply put, this is the behavior of using different tools for different things. Combining all of the tools into one user-focused place means Google will not allow one to use Google AdWords for a small business without it being affected by one's Google Search, Google Plus, and YouTube behavior. All that data rolled into one location would make for an extremely tempting target for would-be data thieves.
But for others, Google’s moves reinforce just how much the giant company knows about them, from their browsing history to their email conversations. For those who want to “compartmentalize” their lives, with some services reserved for personal use and others for business or public use, the pooling of information is a very real threat. (Ingram, 2012)
When developing privacy policy, businesses must not simply look to their own needs. They must take into account things like compartmentalization and how real customers use their systems. Having a way to "opt out" of this change would have gone a long way toward encouraging friendly adoption of this policy by Google's supporters and would have lessened the sting from their opponents.
While the development of this new privacy policy was not the best, Google did a pretty good job of deploying it. On Google's blog they fully explained the major changes and even provided a brief video to explain them. The explanation was easy to understand and simple to follow. It did a good job of reassuring Google's fans of the need to keep the information streamlined and unified. However, the glaring hole in the development, the lack of consideration for how users actually work, clearly outweighs whatever good work Google did in promoting the policy.
The last key area of policy management that Google seems to struggle with on this policy is enforcement. If one is okay with the policy, there are no problems. But as the aforementioned quote points out, some are now more aware of the fact that Google is swiftly becoming more knowledgeable about its users than the Federal Government. If users are concerned, there is really only one option: leave Google and all of its tools behind. That is it; there are no other options. Google did not give anyone the option to try it out or to raise a flag to say, "Please do not share my information across tools; I like it the way it is."
With the vast number of free tools and services that Google puts at one's fingertips, one may very easily sacrifice the desire for privacy in order to keep access to a favorite Google tool. However, the fact that it conveniently gathers one's information into one place for would-be hackers and spammers means that there is a price associated with this new privacy policy. On the flip side of this bad IT policy is a new idea that is starting to gain traction.
Swedish Medical in Seattle is embracing a new policy called "Bring Your Own Device." It means using one's personal device to assist in one's job. However, it typically sends shudders down the spines of the Chief Information Officer (CIO) and the Information Security (InfoSec) teams. To understand why, one must understand the sacred trust that CIOs and InfoSec teams share: the protection of all the information and resources their organization gathers. Whether that information is directly acquired, such as records about the company's customers, or indirectly acquired, such as a purchased marketing list, it must be protected. They must also take into account protected intellectual property and trade secrets, so it is no wonder the previously mentioned teams are nervous. Each personal device represents a possible hole in the security infrastructure. Because the devices are typically used to access secure information, patient data in the case of Swedish Medical, it is very important to the InfoSec team and the CIO that the information is completely removed from the device afterward. If the device were stolen or misplaced by its owner, the information would probably be accessible by anyone. Additionally, password storage tools on the device may make repeated access more convenient, which is all the more reason to carefully consider how this type of policy will be enforced.
Some recent research suggests there are several good reasons to develop a "Bring Your Own Device" policy. Charles Bess, a blogger for Hewlett-Packard, suggests the following favorable areas: cost control for the company, higher overall morale, increased productivity for the employee, freedom from the limited set of devices supported by the company, and flexibility. According to Bess, "If employees are allowed to use a device that they want to use and are familiar and comfortable with, it stands to reason that they will be more productive" (2011). While these areas are not a guaranteed win in IT, especially since there are so many possible problems, some sort of risk analysis should be a priority prior to implementing anything along these lines.
With Swedish Medical's decision to allow "Bring Your Own Device," doctors are finding a new level of communication and service with their colleagues and patients. Because he was using his personal Apple iPad, a doctor was able to make a decision about a potentially life-threatening situation from the comfort of his home. A woman went into one of the Swedish Medical hospitals and was going to have a procedure done that would require her to be taken off her regimen of anticoagulants. His colleague called him,
[Dr.] Westcott was at home when he got the call, but he had his iPad and logged into his hospital's Epic electronic medical records system's iPad client and was able to see that the woman had an artificial aortic valve and must remain on the drug for that reason. (Carr, 2011)
This kind of collaboration, especially in light of the potential loss of life, was the kind of scenario that must have played out in the development of this policy. Getting more access while remaining secure should be a goal of every IT department. In this case, the patient's record was also secured inside a separate information system that requires password authentication. Swedish Medical, like many medical groups, is still testing the potentially positive impact of a "Bring Your Own Device" policy. One area of concern is the physical bacteria level of a device brought in from outside; another is that the personal device could be left unlocked and open with patient data outside the hospital or the doctor's home.
Despite all the benefits, many hospital and healthcare technologists are still trying to sort out where the iPad and other mobile devices fit into their medical bags. Ensuring information security and protecting patient privacy both loom large in the context of devices that can easily walk out the door. If it's a doctor's personal device, rather than hospital property, it's going to exit at the end of every shift. While that lets the doctor quickly look up medical records when called at home or at a restaurant, it also opens up the possibility that the device will be left behind on a restaurant table. (Carr, 2011)
During deployment of any policy related to "Bring Your Own Device," Swedish Medical would need to be abundantly clear about who is able to take advantage of this policy, as well as when they can participate. Allowing anyone access to patient records at any time would cause a serious breach of the age-old code of doctor-patient confidentiality and would create numerous potential problems for InfoSec teams, possibly outweighing any benefits. On the other hand, with what is clearly a potential for productivity increase, a "Bring Your Own Device" policy may require some additional cost-benefit analysis.
While enforcing this policy, one needs to consider the potential impact associated with one's field. After all, exposing someone's name, address, and email address is far less damaging than exposing a patient's medical records. Swedish Medical and other hospitals must take into account the potential for their networks to be breached through personal devices. To mitigate that, one hospital, Seattle Children's, uses middleware presentation software that allows viewing access but no direct access to the patient records (Carr, 2011).
With different cars come different chassis or frames. The same can be said for IT groups and policies. When developing policy, one needs to be keenly aware of what customers and the most loyal users think, while keeping technological changes in mind. Understanding that no policy is perfect, nor will it last forever, is a wise approach to creating policies in the IT world. One also needs to be cognizant of the number of policies created:
In smaller organizations, a single policy document may be enough to address most Information Management issues. However, most medium and large organizations will require a number of different policy and practice documents to adequately address the Information Management needs of different departments and different operations. (Kahn & Blair, 2009)
Making it easy for the organization, as in the example of Google's privacy policy, is dangerous. It borders on what Kahn and Blair call a "catch all" policy (2009), which they say should be avoided as much as possible. While it makes it easier for Google to manage the multiple applications, it takes away the freedom of users to choose which applications they want to interact with. For example, if I want to use only Gmail, when I register a new email account on Gmail, they take my information and share it. Now Google+, Google Music, Google Calendar, Google Search, and YouTube all have access to that information. This makes it convenient for Google, but tough on users. By comparison, Swedish's policy makes things easier for users and puts limits on the support given to them, thereby keeping costs down.
Development, deployment, and enforcement should not be passed over lightly. They are the key pillars of successful policy management. Adding to the pillars, it is important to write clear, concise, and granular policies. Each company should manage its policies with the intent to protect its employees, its information, and its customers. By avoiding the pitfalls of catch-all policies, as well as the temptation to rush the development and deployment phases, corporate policy can be a win-win for everyone. When enforcing policy, corporations must be consistent and follow their own policies. If the policies are outdated, they ought to be reviewed by the Human Resources department and management. If they are too big, they should be broken down with clear verbiage and a description of the consequences associated with non-compliance. No group within the corporate entity is exempt from policy, including the CEO; therefore, enforcement must happen at every level.

References
Bess, C. (2011, October 26). Are there 5 top reasons CIOs should allow a Bring Your Own Device (BYOD) policy? [Web log post]. Retrieved from Enterprise CIO Forum: http://www.enterprisecioforum.com/en/blogs/cebess/are-there-5-top-reasons-cios-should-allow-bring-your-own-device-byod-policy
Carr, D. (2011, May 21). Healthcare. In Healthcare Puts Tablets To The Test [Editorial]. Retrieved January 26, 2012, from InformationWeek website: http://www.informationweek.com/news/healthcare/mobile-wireless/229503387
Dawson, C. (2012, January 25). News & blogs, Googling Google. In Confessions of a Google junkie (or, Privacy? What privacy?) [Online Editorial]. Retrieved January 23, 2012, from ZDNET website: http://www.zdnet.com/blog/google/confessions-of-a-google-junkie-or-privacy-what-privacy/3553?tag=content;siu-container
Ingram, M. (2012, January 25). Google’s new privacy policy: Should you be concerned? [Online Editorial]. Retrieved January 26, 2012, from GigaOm website: http://gigaom.com/2012/01/25/googles-new-privacy-policy-should-you-be-concerned/
Kahn, R., & Blair, B. (2009). Information nation: Seven keys to information management compliance [Books24x7 version]. Available from http://common.books24x7.com.proxy.cityu.edu/toc.aspx?bookid=29596
Whitten, A. (2012, January 24). Updating our Privacy Policies and Terms of Service [Web log post]. Retrieved from The Official Google Blog: http://googleblog.blogspot.com/2012/01/updating-our-privacy-policies-and-terms.html