In this third and final post on mobile environments, the Records Management Policy Team will look at some ways Federal agencies can address the implications for managing records in a mobile environment. The steps that agencies can take to address security concerns have been well-covered in the many articles, vendor advertisements, and white papers on this topic. In contrast, the ways to address records management implications have not received the same level of attention, so we would like to start that discussion here. Please let us know your thoughts, any issues you’ve identified, and possible ways to address them.
One of the first things agencies can do is to recognize that employees have records management responsibilities when working on a mobile device or in a mobile environment. We can point you to the three basic obligations for employees regarding Federal records, as outlined in NARA’s Telework FAQ:
- Create records needed to do the business of their agency, record decisions and actions taken, and document activities for which they are responsible;
- Take care of records so that information can be found when needed. This means setting up directories and files, and filing materials (in whatever format) regularly and carefully in a manner that allows them to be safely stored and efficiently retrieved when necessary; and
- Carry out the disposition of records under their control in accordance with agency records schedules and Federal regulations. Employees also must consider and follow agency-specific policies for managing records that contain personally-identifiable or security-classified information.
Secondly, agencies can look for best practices emerging in the Federal community around mobile. We’ve found the following best practices that could be useful to agencies who are beginning to address general mobile concerns that also affect records management:
- Promulgate clear and concise policies that address the risks and concerns for BYOD programs and mobile environments.
- Provide training to employees on the appropriate use and conduct for using personal devices for work purposes, including management of records.
- Have employees sign consent forms in writing so they understand what they are agreeing to when using their personal devices, especially for devices that may be wiped to avoid situations like this
- Work with agency general counsel, IT staff, and the employees’ union to draft rules that balance employee privacy and agency security.
- Allow data to only be viewed by users on a device and not stored or replicated on the device. Keep data in a central repository.
- Implement “container” technology to separate work and personal uses of the same device. A device with this technology can be divided into personal and work sections, so that memory is assigned for each space. Then only the work side could be wiped when the employee leaves or a device is lost.
- Implement mobile device management (MDM) and mobile application management (MAM) solutions to push the appropriate data from enterprise systems to devices.
- Configure and manage devices with “information assurance controls commensurate with the sensitivity of the underlying data as part of an overall risk management framework.” (BYOD Toolkit, White House)
- Remove government-owned devices that are not in use from the network, capture any records, and wipe them.
Third, agencies may consider establishing mobility policies that address the question of records management in a mobile environment. In numerous Bulletins (Social Media, Email, Capstone), we’ve talked about the need for agencies to have policies that address the who, what, where, when, and why of managing records. We often talk about the importance of enlisting the assistance of a number of agency stakeholders when developing policy or even to form a working group that includes records management staff, information technology staff, privacy and information security staff, agency counsel, public affairs staff, and other relevant stakeholders. This type of group could ideally meet regularly to discuss the records management concerns for a variety of topics, including the topic of managing records in a mobile environment.
For the Records Management Policy Team, one question we are considering is, “Does it matter what tool is used to create records and should policies be developed to address the records management implications of using mobile devices?” If so, what policy would be needed? We recognize that NARA guidance is often used by agencies who in turn develop their own specific policies. Such policies can help agencies articulate clear processes, policies, and recordkeeping roles and responsibilities for records in a mobile environment to ensure that records are identified, managed and captured.
We invite you to comment below with your thoughts about what Federal records management policies would be helpful for agencies’ mobile environments.
Finally, there are a number of resources available to assist in managing content and devices in mobile environments. Below are some of the resources we’ve found helpful:
- GSA’s Managed Mobility Program and their Managed Mobility User Guide
- Mobile Gov Community of Practice Wiki sponsored by GSA’s Office of Citizen Services and Innovative Technologies
- The Federal CIO Council’s Federal Mobile Security Baseline, Mobile Security Reference Architecture, and Mobile Computing Decision Framework
- NIST’s Guidelines for Managing the Security of Mobile Devices in the Enterprise
See also the following NARA resources:
What do you think? What records management implications have we missed? We would love to hear your thoughts and to keep the discussion going on this important topic.
Image credit: “Wi-Fi” by Fuma Ren under the Creative Commons Attribution-Share Alike 3.0 Unported license.