6 Steps to Handle Content on the Edge
ERM Community Wiki
Companies have long created, managed, and secured documents within official document repositories including email servers, corporate file servers, relational databases, and other applications housed and controlled within the four walls of the data center. With the advent of the Internet and then mobile computing, that began to change. Email on cell phones, instant and text messages, laptops, home PCs, and even USB drives have created a type of document diaspora where centrally created information migrates outward. These mobility technologies have advanced much faster than companies’ ability to control information moving across them.
Very few documents on the edge are true business records. The few business records that do make it out to the edge typically are copies of documents already in repositories—so why care? While the edge has few records, it does have many, many documents that may contain a significant amount of discoverable or sensitive information. What is out there, and your inability to find it quickly, can hurt you. These documents are subject to litigation discovery, regulatory discovery (yes, regulators can request you produce non-records), and some can contain private or other sensitive information.
1. Map your devices (don’t be in denial)
If you believe your employees have only a few access paths to the edge, you’re most likely wrong. Employees have a variety of tricks for accessing the edge, including “unapproved” cell phones with email (especially iPhones), utilizing proxy servers, creating separate archive-only Gmail accounts, etc. There are many devices that you don’t control that can connect to your system if you open access for some devices.
Map those devices and all the creative ways employees can access the edge. Be honest—while you may have a corporate policy restricting employees to one type of cell phone, how many carry a second “personal” phone, which still accesses the corporate email server? How common are USB drives?
2. Capture is half the battle
Half of the battle for managing the edge is finding documents already there. Litigators are often fearful of missing something during discovery, and know that many of these documents reside on the edge. Therefore it is not atypical during document discovery for companies to impound and search cell phones, laptops, and even home PCs. Regardless of whether what you find is helpful or hurtful, often the cost of discovery on the edge is in itself the most burdensome. Many organizations are capturing and copying emails, text messages, instant messages, and other information as it moves out of control, often synchronizing these with existing document repositories. These repositories then represent the copy of record, and any discovery can be performed against them. There is no need to chase down someone’s laptop, because a copy already exists in your repository. Unfortunately, often the ability to capture documents requires purchasing someone’s software. However, many newer messaging systems, such as those for in-house instant messaging (IM), have logging capability built in.
3. If you can’t stop it, monitor it
Once a message or document is created, it is often difficult to stop or control it. Often the best way to stop hurtful information passing over the edge is to make employees wary of ever sending it in the first place. We have found that if employees know their communications are being monitored, they are much more likely to send more appropriate, less hurtful information. Increasingly many organizations are logging information at the edge, and retaining this for some indefinite period of time (usually a few months). This information is available for review by their manager or HR. Even if these documents are rarely reviewed, the threat that they might be often is enough to curb bad practices. This review need not be limited to just email messages, but also other media including IM, text messages, wikis, etc.
4. Instant messaging: your biggest risk?
Measured on a per-message basis, instant messages (IM) represent more risk than almost any other medium. Employees send IMs quickly, often without considering either what they’re saying or whether it’s appropriate. They view these messages as ephemeral and disposable. IM is neither. Regulators and courts take a very different view, allowing the opposing side to discover this information wherever it may reside.
Companies are taking two distinct paths for IM. One group says shut it down. They are prohibiting employees from using IM, and blocking access to IM providers through their firewalls. They believe in heading off trouble at the pass. If you believe that your blocking efforts will be successful, this may be a viable option.
Another group is taking a different tack, fearful that blocking IMs will only lead to employees sending work-related messages from their personal accounts using cell phones. In the words of one litigator, “The biggest thing I fear about instant messages is when I don’t know what might be out there.” The approach of this second group is to bring IM in-house and force employees only to use these internal systems. With the right systems, some purposely auto-delete messages quickly, preventing the employee from accumulating or archiving them. Others save all messages from IM, treating them like email and reviewing them for inappropriate language or content. Either of these approaches will work if executed consistently.
5. Eliminate (mobile) personal archives, but provide a centralized alternative
Documents outside a centralized archive, such as PST files or files copied to USB drives, are by definition out of your control and on the edge. To re-assert control, many organizations are eliminating these “personal” archives. For example, many companies are prohibiting offline email PST files. Some are taking it a step further through the use of Data Loss Protection (DLP) software, preventing the use of USB drives and other devices, but providing SharePoint sites instead. You want to make it hard enough for employees to save information the wrong way, so that they will use the right archives.
6. Train, train, train
It’s easy to become cynical about employees and their over-the-edge tactics. To be fair, often they don’t understand the risks and are just trying to do their jobs. The key to any edge-control strategy is training. Employees have an interest in avoiding risk, both for the organization and themselves. When they understand the real risks of documents on the edge, they tend to be much more careful about what they send and how they send it. Good training should include a discussion on proper email usage, the discoverability of documents, as well as clearly separating business from personal communication. It also must discuss acceptable alternatives for sharing and transmitting information.
Adapted from On Edge, an article by Mark Diamond, president and CEO for Contoural, a consulting firm for storage issues, that originally appeared in the May/June 2009 issue of Infonomics. http://www.aiim.org/infonomics/on-edge.aspx