[oagitm] Consumerization and the data divide dilemma

  • From: "Mark Decker" <DeckerML@xxxxxxxxxxxxxxxxx>
  • To: "OAGITM (oagitm@xxxxxxxxxxxxx)" <oagitm@xxxxxxxxxxxxx>
  • Date: Tue, 27 Sep 2011 16:52:31 -0700

All,
 
To date, our policy regarding mobile devices (smartphones, tablets) is that 
intermingling of personal/business data is not allowed and that mobile devices 
that locally store county data must be owned/managed by county IT so we can 
enforce security.  Currently, we only offer BlackBerry devices managed through 
BES.  
 
As you might expect, this policy leads to frustration for people who don't like 
BlackBerrys or who want a single, integrated view of their 
calendars/mailboxes/tasks.  I tell them the policy is for their own protection, 
and that allowing county data to physically reside in their personal device's 
memory, intermingled with their personal data, has two important ramifications: 
 
1) the safety of any sensitive county data residing on a personal device is 
entirely dependent on the inherent strength of the security tools available in 
the device, and the degree to which the user takes full advantage of those 
tools and uses them responsibly.  In other words, data on personal devices may 
be more vulnerable to theft and if any county data is stolen via their device 
they may lose their job and/or be personally liable for not adequately 
protecting it.  
2) the entire contents of a personal device, including all their personal data, 
could potentially be subject to mandatory disclosure as part of a public 
information request or litigation discovery.  Theoretically, the personal stuff 
should be exempt from disclosure, but in practice if you routinely mix business 
and pleasure the courts may judge that you've waived your right to privacy and 
compel you to release everything.  
 
Some people never deal with sensitive county data (or think they don't), and 
don't have any personal data they fear disclosing.  But for others data 
security is a huge concern, especially employees in HR, law enforcement, and 
health.  
 
I carry both a personal iOS device and a county-owned BlackBerry so I can 
maintain full separation of business/personal data.  The alternative to a 
county-owned BlackBerry is to only access county email through a web client so 
that the data stays on county servers and never resides on the personal device. 
 The first option forces you to carry two devices.  The 2nd option requires an 
extra login step and sacrifices push notification of new work 
email/appointments.  Neither is ideal, but they avoid the risks of intermingled 
data.
 
How do you approach this issue? 
 
 
Best regards,
 
Mark L. Decker
CIO / Technology Director
Jackson County, Oregon
(541) 774-6023
