How to develop a mobile IT strategy that balances compliance with enablement
Given the changing regulations associated with mobile working, there has never been more pressure on enterprises to address their approach to mobility.
This year, the UK government has committed to the roll out of free Wi-Fi on all trains by 2017. Major mobile operators have responded by signing agreements that commit to provisioning 85% of the country’s mobile data connectivity needs by the same year. The vision of a ‘mobile Britain’, it would seem, is on track.
For UK enterprises, this represents a serious opportunity to introduce forward-thinking mobility strategies, as well as build more flexibility into their employees’ working patterns.
However, pairing mobile working with regulatory compliance considerations does require careful planning if any mobile-first strategy is to deliver on its promises.
To deliver on the potential of a mobile workforce, businesses must ensure that access to sensitive information and systems is available from anywhere in a controlled and accountable way. For technologists, this means establishing an IT setup that is robust, secure and accountable.
Such is the proliferation of mobile working (according to the Office for National Statistics, there are as many as 4.2 million home workers, or 14% of the UK workforce) that legislation is constantly changing to keep pace with new technology standards.
In June 2014, employees across the country were granted the right to request flexible working after 26 weeks of employment. For the CTO and IT team, this has accelerated the need to support remote working, and with it the need for an IT strategy that is robust and conducive to remote productivity.
Cloudy with a chance of regulation
The majority of businesses will provision mobile and data services via cloud infrastructure: it’s flexible, scalable and capable of keeping up with constantly changing demand for bandwidth and information.
Whether using public services, such as Amazon Web Services or Microsoft Azure, private infrastructure, or a hybrid combination of the two, when employing this model, it’s important for organisations to know they retain ownership of their data.
In the UK, the Data Protection Act outlines that “data controllers [i.e. the business] must be in control of data at any given stage, even if the data is sent to an external party”. In practical terms, this means retaining control of the data at all times, even when it is hosted by an outsourced cloud infrastructure provider.
Outsourcing shouldn’t be seen as an easy way to sidestep regulation, but as an ally in achieving compliance in a timely and cost-effective manner. For businesses, it also raises the question of e-discovery: how quickly and easily can an organisation produce its data when a regulator requests it?
Without complete control of, and access to, its own data, wherever that data is stored, a firm faces a potential compliance challenge. This places increased importance on the choice of outsourcing partner.
Standards everywhere
While the Data Protection Act is a universal guide, specific standards exist within every industry, and they apply just as much when the data is handled on mobile devices. For example, companies handling credit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS).
Heavily regulated sectors such as healthcare and legal also come with their own set of challenges. The technology supporting these industries will need to be prepared to stand up to rigorous industry inspection.
The CTO and CIO need to be aware of these legislative standards in order to plan for compliance accordingly.
For enterprises utilising a cloud-based model, it will be important to ensure that any chosen provider not only has the correct certifications in place, but also has clearly defined protocols for how they address the constant evolution of technology regulation and compliance.
As the world becomes ever more connected, the role of the data centre as the enabling environment for the mobile economy becomes more important.
Data centre operators have a duty to take regulatory standards into consideration when implementing security measures, and should be prepared to demonstrate their credentials to any business looking to trust them with mobile provisioning.
As business moves across locations, networks and devices through employee mobility, IT needs better visibility and control to protect sensitive assets, without imposing restrictions on flexible working or the productivity that comes with it.
The mobility of resources — geographic and range of devices — comes with a unique set of considerations that IT practitioners need to address proactively.
Source: Information Age