In our first post, the Records Management Policy Team explored a bit of the current environment for mobile work in the Federal government and the reality that employees are using their mobile devices to conduct agency business. In this second post, we will review the risks and records management considerations for Federal agencies.
When Federal employees work in mobile environments, they will likely be creating records. Depending on how the mobile devices are set up, they could be accessing, downloading, or storing files on their devices – either securely or insecurely. According to various industry studies and surveys, Federal employees are carrying out these activities regardless of whether their agency has a BYOD or a mobile device use policy. This is to say, whether or not agencies have embraced mobility, their employees are using these tools to perform their mission.
Clearly, mobility offers new ways for employees to create, maintain and dispose of Federal records and information. So, what are the risks?
According to NIST’s Guidelines for Managing the Security of Mobile Devices in the Enterprise, “Mobile device features are constantly changing, so it is difficult to define the term ‘mobile device’. However, as features change, so do threats and security controls, so it is important to establish a baseline of mobile device features.” When employees use devices without following agency policies, or without mobile device management tools, they open themselves and their agencies up to information, transmission, and operational security risks. These risks include:
- Lost or stolen devices that contain Federal records
- Device misuse (mobile device jailbreaking or rooting)
- Inconsistent mobile device data protection policies
- Legal issues related to e-discovery, confiscation rights, wiping rights, and liability issues
- Lack of interoperability for content and systems
- Insufficient data encryption
- Using apps not approved by the agency that may be malicious. Applications in turn have access to address books, GPS data, text messages or internal networks.
- Inadequate integration with agency network access control and endpoint management
- Increased costs for the agency to support different mobile platforms and acquire more software licenses for the same user
- Mobile malware or spyware and malicious texting or SMSing
To complement these broader risks and concerns, we’ve identified several implications for records management. Agencies may face many of the following challenges when managing records in a mobile environment:
- Identification of records when content may be located in multiple places
- Capture of complete records in a manner that ensures their authenticity and availability when records frequently change and are located in many places
- Data being stored or replicated on the device or in an application instead of only being accessible from a central repository
- Development and implementation of records schedules, including the ability to transfer and permanently delete records, apply legal holds, or perform other records management functions when it is unclear where records reside
- Ownership and control of data that resides with a third party
- Unsecured content
- Reliance on individuals to follow agency policies
- Creation of agency policies to address how personal devices and personal information would be handled in the case of investigations or requests for information
- Sources and formats of records will continue to change and it may be difficult for agency records management policies, processes, and technology to keep up.
Have you seen these risks? Are there any risks we’ve missed? Let us know in the comments.
Stay tuned for the third and final post next week for a discussion on how we can begin to address these challenges.
Image credit: “Wi-Fi” by Fuma Ren under the Creative Commons Attribution-Share Alike 3.0 Unported license.