Building a data map will help your company deal with the challenges of tracking information that comes into your business, Parry Aftab says.
What information is collected and stored by human resources and how is it accessed? Is health information stored or outsourced? Sick-day information? Health benefits and life-insurance-beneficiary information? Claims for disability? What's collected on applications? Are employees' backgrounds checked? Where is that information stored and how is it accessed?
If monitoring of computer networks and communications systems is used, how is the information accessed and stored? What information is collected and stored on phone calls, inbound or outbound? Who has authority over the monitoring decisions? What kind of authority do they have?
How often, if at all, are the desktops and laptops scanned to find unauthorized software applications? Are personal E-mail and instant-messaging applications permitted on employees' computers at work? If so, how are passwords being handled? Can IT access the programs? Are these communications being monitored and stored? Where, by whom, and how? What notice, if any, is provided to the employees about monitoring and risk management of workplace communications? If notice is being provided, do you also obtain consent in writing for monitoring or acknowledgement of your monitoring practices?
Are keystroke loggers used? Biometrics? Screen shots? Do your monitoring software and systems capture all instant-messaging platforms? Are you unionized? Are there attempts to organize your workplace?
(A special workplace communications audit should be conducted after consulting with a privacy professional, preferably an attorney, so you can benefit from any privilege that may apply to the results of the audits. But this can be a quick snapshot of some of the more risky issues.)
What information is paired with customer, passenger, and patient records? Is outside information gathered? How? Is a name and address or other personally identifiable information used to obtain this outside information? (For example, sending to a data-management company the names and Social Security numbers of your customers to obtain any known offline information and buying habits.)
Is data inputting, management, or storage outsourced? To whom? Where? Does the information cross international borders?
Answering these questions will go a long way toward identifying what information is held, where, and how. It will also help guide you in determining who has access to it and what they are permitted to do with the information. Once gathered, this data inventory can be used to help conduct a data audit and, ultimately, to build a data map for the company.
At each of these stages, the compliance, security, and legal departments should be consulted. The entire process is very time-consuming and can take several months, at least. Holes and potential risks that are spotted in the meantime can be rectified when identified, rather than having to wait months to be handled.
Note that these processes are part of a preventive law audit and may or may not be privileged if inquiries are made at a later date about what the company knew and when. Your legal counsel should be involved in the planning of any confidentiality or privilege strategies. The audit may have to be conducted entirely under the auspices of your outside counsel to qualify for privilege. And even the best-laid plans for covering the audits under attorney-client privilege may be frustrated by the way certain laws are written. Environmental laws, for example, may protect audits under privilege only if the company takes action to rectify the problem. So think carefully and get good advice.
But privileged or not, without a data audit the company may be doomed. So work to protect the results of the audit, but work harder to comply and fix any problems you discover.