As I wrote in a previous post, using social networking technology (collaborative workspaces) to reach business objectives can be productive for the business and rewarding for employees. But as with all business solutions, security managers must work with implementers and users to achieve a balance between usability and system assurance.
In this post, I look at functionality organizations might seek to implement in a collaborative workspace (CW) and a proposed acceptable use policy for using CWs in a health care organization.
Business requirements for a CW aren't much different from those typically defined for any other process or solution. The following are requirements similar to those defined for a CW implemented by the Institute for Johns Hopkins Nursing (IJHN) Leadership Academy (IJHN Case Study):
- Accessibility and ease of use. The GUI should be intuitive. Navigation of the CW should support how information is informally shared, located, and presented in a collaborative environment: one that looks and feels like friends and co-workers sitting around a table having a conversation, brainstorming, or even conducting an interactive root cause analysis.
- Site scalability. The infrastructure on which the CW runs has to support the expected number of concurrent participants. This includes bandwidth, connections, and server capacity.
- Easy administration and management. Management should be centralized with granular security design, allowing multiple administrators assigned to specific tasks, including moderating one or more CWs.
- Moderator workflow. The best way to ensure adherence to privacy, security, and standards of practice policies in a CW is to moderate activity. However, moderating a CW should not significantly restrict the flow of information between participants. Workflow capability, with electronic alerting and one-step approval, is an important piece of a successful CW.
CWs are not like an application database or department file shares. They are designed around the principle of free, open exchange of ideas. However, the ability to share can also increase opportunities for data leakage, privacy concerns, or business liability issues. So before launching its first CW, an organization should consider the following:
- What is the defined purpose of CWs in the organization? Will they be allowed for general communication, or will they be restricted to specific purposes with defined ends of life?
- How will the organization ensure no sensitive information (e.g., ePHI, PII, and intellectual property) is posted for viewing by those without a need to know?
- What prevents a CW participant from posting offensive material? What processes will be in place for dealing with posts that might prompt complaints, or litigation, due to perceptions of a hostile work environment?
- Who will approve CWs, the content they contain, and the people responsible for managing them?
- What information will be collected during the registration process? If PII is involved, how will it be protected?
- How will users be made aware of what constitutes "acceptable use" of the organization's CWs?
The first step in consolidating these answers into a safe rollout of collaborative workspaces is writing a policy. The policy should address all the issues listed above. It should also include a clear statement about how the organization views CWs, their role, and management's commitment to safe use.
I recently wrote a draft CW policy for a health care company. It reflects the unique culture of the organization, and management's approach to dealing with security and privacy considerations. So it might not be an exact fit for your workplace, but it's a good start.
The final word
Collaborative workspaces are driven by both the need for improved business productivity and the way new entrants to the workforce share information and expect to communicate with each other. Organizations must address these issues by clearly defining how CWs will be used and how they will be managed.
As with all emerging technologies that change the way we work, management shouldn't simply ignore CWs because they might introduce some business risk. Rather, it should engage the right people to design an innovative solution, one that provides additional business benefit while mitigating risk to an acceptable level. Sound familiar?
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.