Four ways to get people in the habit of using Content Manager (or any Content Management System)

The largest issue facing records and managers, now and forever, is adoption.

It’s the one thing we don’t seem to be able to get away from, and before the miraculous paper to digital paper transition can take place effectively, it needs to happen, because I don’t ever see a lot of government work starting anywhere but a word processor.

I regularly ask agencies that I work with how they’ve improved adoption; like them, I think I’m always looking for a magic bullet. The most common answer is always education – what an officer’s obligations are, how they need to fulfil them, how the system works. The four listed below are others that have come out of conversations with the agencies I’ve spoken to:

  1. Process Integration via TRIM based actions.
  2. Workflow with Performance Reporting.
  3. Make Content Manager part of your performance management framework.
  4. Make it a compliance step enforced by another system.

Process integration via TRIM based actions.

Simply, this means making parts of the process TRIM based actions. Many systems available for various processes can be triggered in TRIM, and if most of a person’s job can be triggered in TRIM, they’ll come back there often. A simple example is the DA process in local government: three common tools (Pathway, Trapeze and Connect) can be integrated with Content Manager, meaning that for people working in that process, Content Manager becomes the natural place to start and finish.

Workflow with Performance Reporting.

No real surprise that workflows get people using the system. What often gets missed, though, is the inclusion of Performance Reporting. Workflow implemented without Performance Reporting is useful, but largely invisible to managers, and if all management reporting is a spreadsheet, it doesn’t matter how the work is getting done.

If Content Manager or a third party integrated workflow system is managing and reporting on how someone does their job, and that’s being fed automatically to management via a dashboard, they’ll go there frequently. It takes time and effort to set up, but once it’s done well, people will never go anywhere else and managers will get used to understanding what is going on with their process.

Make Content Manager part of your performance management framework. 

One agency I have worked with assesses employee performance based on what is in their CM system. Their policy is that if it’s not in there, it doesn’t exist, so when it comes time to assess performance, work product needs to be there. People who aren’t producing work don’t get promoted, so record keeping is a routine part of everyone’s job.

Make it a compliance step enforced by another system

Many workflow management systems aren’t integrated into Content Manager but can still be used to enforce Content Manager usage. Mandating the inclusion of a link to the Content Manager document supporting the completion of a process or process stage can ensure that people are filing supporting documentation and that it’s findable from the process management system later.

Ultimately there’s no magic bullet.

There are lots of ways to move the needle – a little at a time. These methods have worked for other people.

I’d love to hear what’s worked for you.

Where is multi factor authentication in the 2017 Australian Government Information Security Manual?

This post is going to be a bit dry; it is written to provide an accurate overview of specifically where you can find multi-factor authentication controls in the 2017 Australian Government Information Security Manual (ISM). It is accurate as at the 3rd of March 2017. If you are in a security or IT decision-making role, and are considering whether multiple factors of authentication should be part of your security apparatus, the ISM provides both a minimum standard for accreditation, and guidance that can be used to inform your risk assessment. Each control is contextual, and doesn’t apply to every situation – you should seek a qualified opinion from a member of the IRAP program to ensure that you are assessing the right controls.

The minimum standard is imposed through controls that are listed as “must” for compliance purposes. In areas where some consideration of control vs. ease of access is appropriate, the controls are listed as “should”. What is clear from the ISM is that for system administrative activities, it is not considered acceptable to act without multiple factors of authentication. In some individual user access scenarios, though, multiple factors are listed as “should”. This lessening of controls for end users provides scope for each agency to consider the level of risk associated with access to the system, the level of burden that it is appropriate for users of that system to bear, and the level of operational complexity that the additional factors add.

As always, prior to looking at controls, the grade of information the service will carry needs to be decided. The cost of achieving each higher classification rises substantially, and each successive classification focuses more on access control than ease of access. From a risk perspective, more consideration should also be given to whether “should” should become “must”. Appropriately qualified security and risk management personnel should be engaged to advise on these matters.

From a pure control standpoint, the controls focused on multi-factor authentication are listed below; each applies to all classifications:

  • 0974 – “Agencies should use multi-factor authentication for all users.”
  • 1039 – “Agencies should use multi-factor authentication for access to gateways.”
  • 1173 – “Agencies must use multi-factor authentication for” – system and database administrators, privileged users, positions of trust and remote access.
  • 1384 – “Agencies must ensure that all privileged actions must pass through at least one multi-factor authentication process.”
  • 1401 – “Agencies using passphrases as part of a multi-factor authentication must ensure a minimum length of six alphabetic characters with no complexity requirement.”

Some discussion of multi-factor authentication can also be found in the “Access Control” section of the ISM – Principles manual.

All the documentation you need can be found at https://www.asd.gov.au/infosec/ism/index.htm

The 2017 ISM – Controls can be found at – https://www.asd.gov.au/publications/Information_Security_Manual_2017_Controls.pdf

The 2016 ISM (the latest) – Principles can be found at – https://www.asd.gov.au/publications/Information_Security_Manual_2016_Principles.pdf

Reducing risk in government contractor engagements by improving information governance

The last two decades have seen a step change in the methods we use to interact with contractors. Generally speaking, the primary means of engagement is now digital. This has brought with it significant reductions in the cost of engagement, and reduced the time to commencement of work. It has also increased the volume of engagements each employee is expected to support, and the quantum of risk associated with incorrect transfers of information. In discussions with many government entities I have found a number of common areas in which expensive problems occur frequently, that I also believe can be substantially reduced by improving information governance around each engagement.

Incorrect version transmittals. In organisations that run large projects, I’ve found that transmittals are still error-prone. Large transmittals (lots of documents, or large documents) generally go out as multiple emails or on physical media – paper or digital. When they do, the probability of using an incorrect document version increases substantially and has obvious consequences for the finances and completion timeline of a project.

Provision and capture of as-built documentation. As-built documentation is typically large and held in systems inaccessible outside the organisation. It almost always has changes that need to be captured in a system of record after an engagement. Content is large enough and changed exclusively digitally, so transmission needs to be via electronic medium, or post-work updates become very difficult. After an engagement, capture and correct storage of updated as-built documentation is again difficult. The risks are clear: when access isn’t provided and updates aren’t captured effectively, engagements start with incorrect information that leads to variations and re-work.

Capture of compliance documentation. Compliance documentation is a fact of life for contractor engagements. Workcover, insurance, safe work method statements etc. Good contractor management dictates that this documentation should be captured and stored in an organisational system of record and preferably associated with the specific work. Breakdown in this capture process is usually only noticed when there is a project failure. It can often be explained by an over-reliance on email, and failure to follow information governance processes. Mailbox limits frequently dictate that people will archive to repositories that are typically ungoverned and which can lead to a variety of significant liability scenarios.

Proof of work. Proof of work for contractor engagements has gone electronic over the last few years, particularly where it involves small construction or physical maintenance tasks. In some scenarios, inspectors capture photos of completed work; in others, contractors provide photos to prove completion. In each scenario, the problem is the same: the photo is provided, the payment is ordered, everyone moves on to the next project, often without the proof of work being captured in a system of record. I have spoken to records managers supporting legal action who counted themselves lucky for being faced with directories of several thousand photos with descriptive names like “DSCP1101”. The reality is that photographic proof is often lost with the email archive or laptop of the employee who ordered the work.

Ultimately, each of these scenarios can lead to substantial loss, and reflects an information governance challenge that is relatively simple to address. Many of these challenges can be traced to contractors’ lack of access to information governance systems. Manual workarounds and transfers from a system of record to an ungoverned system (i.e. email and paper) introduce information risk that can easily be avoided.

Good solutions to this problem start by ensuring that there is a single source of truth for engagement information, and that all staff and contractors involved have access to it. They wrap an information governance framework around the engagement processes, ensuring that when evidence of transmittal, completion, or compliance is needed, it has been captured, is available and its source is known. This is a gap I’ve often encountered within the government organisations that I deal with. Historically this gap has been caused by tool cost and the security status of cloud platforms. Recent changes to the Australian Government Protective Security Policy Framework, and Information Security Manual mean that tools like our own Objective Connect and others are now viable for use by government. If you’re having trouble controlling risks like the ones above, a tool like ours should be on your list to examine.