A friend of mine asked a question on Facebook that went something like this.
I read through this a few times and decided to reply back with something that was a lot longer than I expected. I believe he was mostly interested in the idea of managing data and how governance programs could help the business improve how data is used. I get what he was asking, but I started thinking that even if you have a governance program, what about the data that gets outside of central control? So here were my initial thoughts on his question and the problems we face in managing data.
Do small to medium-sized businesses really do governance programs? My experience so far is that it only occurs if there is some kind of compliance reason to cause it. Those that are in highly regulated industries, such as small banks, would probably have no choice but to do so. Is it a good idea to do in and of itself? I think so. It doesn’t necessarily have to be a huge process to be effective. In fact, in a smaller company, a large process would be completely ineffective. I do think it would need to be regularly done and have good communication between IT and business. And I think it needs to be documented somehow. Otherwise, people end up wondering exactly how it is supposed to work.
Pandora’s Box really worries me though. Having the “secret sauce” for your business leave via email, Dropbox, USB drive or DVD is pretty freaky stuff. An iPod set to be a storage device can leave with a whole lot of information and give a competitor a good leg up on you. Or it can get us front page news coverage that we’d rather not have. Neither one is somewhere we want to be. There are controls to help, but there are still holes that are easy to use.
Jason Wood is the Principal Consultant at JW Network Consulting. He has over a decade of systems administration and security experience with the Windows and UNIX/Linux operating systems. He has spent most of his career in internet-based companies in security, application and infrastructure roles. These roles have required him to troubleshoot application issues, make different operating systems play well with each other and support developers during their projects. Jason was also responsible for vulnerability assessments, web application penetration testing and network security monitoring.