Are you ready for the feds?
With an extensible framework, IT can meet regulatory compliance mandates years in the future as well as those looming just ahead
“Hurry up” is the latest battle cry at companies struggling to fall in line with an onslaught of government regulations. The summer of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and other mandates is upon us as deadlines loom. The heat is beating down on IT administrators, whose chief executives face stiff penalties -- even jail time -- if their companies fail to comply with the law.
“The frightening big stick of enforcement is out like a brick bat,” warns Lane Leskela, research director at Gartner. “There’s a lot of confusion around implementing regulatory compliance as a process.”
Part of the confusion stems from the sheer number and scope of regulations affecting companies that, until recently, took an application-specific approach to regulatory compliance in an effort to cope with individual mandates.
Enterprises are beginning to see the futility of that strategy, which results in fragmented processes ill-equipped for the next body of mandates that comes down the line. Instead, business and IT are joining together to create extensible compliance frameworks that can accommodate any number of regulatory mandates, providing componentlike reusability that simplifies change management and reduces deployment costs.
“Sarbanes-Oxley, the Patriot Act, and HIPAA were the straws that broke the camel’s back, and companies are saying, ‘We’ve got to find a better way to do this -- the regulations are only going to get worse,’ ” observes Ted Frank, CEO of Axentis and advisory chairman of The Compliance Consortium, an industry group formed in June to help CIOs and IT outfits get organized. The consortium’s mission includes making sense of all the overtures from vendors who are in gold-rush mode.
The high anxiety is fueled by what Gartner’s Leskela calls “the lack of a consistent technology approach to managing governance, risk, and compliance processes across the board. It’s a very complex environment.”
Looking out for the law
Consider just a few of the systems that fall under the monitoring provisions of Sarb-Ox: data security, disaster recovery, content management and archiving, information retrieval, transaction surveillance, and e-learning (the ability to deliver ongoing education online). Section 404 of Sarb-Ox will put a huge burden on IT by requiring companies with valuations of more than $75 million to prove that their internal controls and audit trails are sound and that their processes are capable of producing certifiably correct data. And, ready or not, Sarb-Ox’s infamous Section 409 — which mandates that “material events” such as the acquisition of a big customer, or anything that could affect a company’s perceived market value, must be reported within 48 hours — is upon us, taking effect Aug. 23.