Are you ready for the feds?

With an extensible framework, IT can meet regulatory compliance mandates years in the future as well as those looming just ahead

“Hurry up” is the latest battle cry at companies struggling to fall in line with an onslaught of government regulations. The summer of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and other mandates is upon us as deadlines loom. The heat is beating down on IT administrators, whose chief executives face stiff penalties -- even jail time -- if their companies fail to comply with the law.

“The frightening big stick of enforcement is out like a brick bat,” warns Lane Leskela, research director at Gartner. “There’s a lot of confusion around implementing regulatory compliance as a process.”

Part of the confusion stems from the sheer number and scope of regulations affecting companies that, until recently, took an application-specific approach to regulatory compliance in an effort to cope with individual mandates.

Enterprises are beginning to see the futility of that strategy, which results in fragmented processes ill-equipped for the next body of mandates that comes down the line. Instead, business and IT are joining together to create extensible compliance frameworks that can accommodate any number of regulatory mandates, providing componentlike reusability that simplifies change management and reduces deployment costs.

“Sarbanes-Oxley, the Patriot Act, and HIPAA were the straws that broke the camel’s back, and companies are saying, ‘We’ve got to find a better way to do this -- the regulations are only going to get worse,’ ” observes Ted Frank, CEO of Axentis and advisory chairman of The Compliance Consortium, an industry group formed in June to help CIOs and IT outfits get organized. The consortium’s mission includes making sense of all the overtures from vendors who are in gold-rush mode.

The high anxiety is fueled by what Gartner’s Leskela calls “the lack of a consistent technology approach to managing governance, risk, and compliance processes across the board. It’s a very complex environment.”

Looking out for the law

Consider just a few of the systems that fall under the monitoring provisions of Sarb-Ox: data security, disaster recovery, content management and archiving, information retrieval, transaction surveillance, and e-learning (the ability to deliver ongoing education online). Section 404 of Sarb-Ox will put a huge burden on IT by requiring companies with valuations of more than $75 million to prove that their internal controls and audit trails are sound and that their processes are capable of producing certifiably correct data. And, ready or not, Sarb-Ox’s infamous Section 409 — which mandates that “material events” such as the acquisition of a big customer, or anything that could affect a company’s perceived market value, must be reported within 48 hours — is upon us, taking effect Aug. 23.

The liability doesn’t stop there. Many enterprises remain unaware that Section 215 of the Patriot Act requires companies to surrender customer data when subpoenaed and gives customers the right to sue if they haven’t been properly warned that their information will be disclosed if the feds ask for it.


The good news, experts say, is that separate regulatory bodies have many directives in common -- the call to retain IM exchanges and e-mail, for example -- thereby enabling IT to create a modular compliance framework. Most companies already have systems that employees and consultants can leverage and integrate into a wider compliance strategy.

“If you understand the consistencies of these processes within your company, you can build a scalable technology infrastructure while leveraging existing investments,” Axentis’ Frank says. “Just because you put together a strategic framework doesn’t mean you need to full-out implement it right away across all processes. If you can develop a baseline plan, you can still act tactically.”

Ultimately, two frameworks are required: one for business and one for IT. The business side needs to develop a management infrastructure to establish and maintain internal controls and repeatable processes that ensure reliable regulatory compliance. IT needs a technology framework that capitalizes on existing resources and makes point solutions the exception rather than the rule.

Building better management

Government regulators don’t explicitly tell enterprises how they should reorganize for compliance. But in June 2003, the Securities and Exchange Commission implicitly recommended the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO, an independent auditing industry group established in 1985, released a seminal report in 1992 entitled “Internal Control -- Integrated Framework,” which describes how companies should establish and maintain controls to avoid fraud. But the COSO framework seeks to help organizations develop proper business processes, mainly related to authorizing and reporting transactions, not to creating controls that apply specifically to IT.

Instead, many IT execs are turning to the COBIT (Control Objectives for Information and Related Technology) framework for help. Published by the IT Governance Institute, COBIT provides guidelines for IT security and control. The organization’s “IT Control Objectives for Sarbanes-Oxley” details IT’s role in implementing and sustaining control over disclosure and financial reporting, including planning, acquiring missing pieces of technology, properly deploying solutions, and monitoring compliance.

The larger the company, the more likely it is to have implemented the controls outlined by COSO and COBIT and to have adjusted management structure accordingly. As regulatory deadlines approach, small and midsize companies will face the greatest risk.

“We’re encouraging smaller companies to form a committee and put a virtual team in place,” says David Donelan, senior director of industry and compliance solutions at EMC.

According to CJ Rayhill, CIO of O’Reilly Media, without a cohesive team, “you typically have one person who is anointed as the expert. So, in addition to their day job, they try to make sure everyone else is in compliance -- and it’s mostly hit or miss. The biggest issues I’ve seen are around authority. At big companies, [compliance officers] have a direct line to the CEO. In smaller and midsize organizations, a perceived lack of authority can make it more challenging to get people to respond to compliance efforts.”

Gartner Research Director Brian Wood advises companies to create the position of CCO (chief compliance officer), who would report to the board and be equal in stature to the CEO, rather than report to the CEO. “I’m sure Mr. [Ken] Lay can see the reason for that,” he says. Wood believes the CCO should install a rotating IT representative to assess existing IT assets, to validate processes, to meet security needs, and to ensure that there are clear methods to address abuses. Why rotating? “It helps more and more people get trained in compliance and works toward a cultural change within the company,” he says.

The IT and legal departments -- or outside legal counsel -- also make up a crucial alliance, according to Deidre Paknad, CEO of PSS Systems, a provider of document policy solutions. “There needs to be more dialog between the two. Compliance is, at its heart, a legal issue -- and then an IT issue. But they all think the other speaks a different language. They need to dine together more often. There should be frequent discussions about the synchronization of information to reduce companies’ risk.”

Risk assessment comes into play at every turn. “Our advisers have given us 3-inch [thick] binders of what to do. But the question is always, ‘Where do we start?’ ” says Wood, who is also a member of Gartner’s internal compliance team.

Wood says to start by assigning risk levels to systems, processes, and personnel that are susceptible to breaches and then assess the consequences of those potential breaches. From there, you can use those assessments to make a priority list for implementing systems and controls. According to Wood, using those criteria makes it fairly easy to come up with the top 10 things your organization should be working on.

“Anything that has a high likeliness [for an audit] and a high associated cost is a high-risk item,” Wood notes, stressing that, on an operational level, risk assessment is a group exercise, not solely an IT function.

Marshalling the right technologies

IT is charged with implementing the systems that allow process owners to know “what information we have, where it is physically, which systems have possession of it, which rule settings are applied, and where I go for answers when risk arises,” PSS’ Paknad says. Of course, the precise systems vary widely, but the efficient retention and disposal of information in accordance with a single system of records is crucial when an audit or a request for discovery occurs, she says. Document and records management -- along with effective management of information lifecycles -- are the foundations of a sound compliance architecture.

Creating a modular, extensible IT compliance framework starts with storage hardware. Document management, e-mail archiving, security, and BPM software all have vital roles to play -- and should be equipped with monitoring and change management capabilities.


Yet the law seldom mentions specific technologies. Regulations typically don’t dictate which storage medium should be used. For example, Section 802 of Sarbanes-Oxley stipulates that records be stored for seven years, during which time they must be nonerasable and non-rewritable. “So to us that means WORM media,” notes Charles Brett, vice president at Meta Group.

But WORM needn’t mean that enterprises pony up for slow and expensive optical disc solutions. “For a compliance infrastructure, companies are now looking at highly scalable storage such as EMC Centera … and getting away from point solutions by departments” such as those involving magneto-optical drives, Brett says. Offering WORM storage on magnetic disk, the EMC Centera Compliance Edition combines ironclad storage software with a capacity that starts at 5TB. It supports real-time replication for fail-over redundancy and has an open API that allows for integration with dozens of compliance applications. Perhaps the biggest plus is the policy-based archive features, along with search and index functions that support fast data retrieval.

EMC’s chief competitor in this space, IBM, sells the Data Retention 450. In the context of IBM’s wide array of middleware and network management offerings, the Data Retention 450 can be thought of as the WORM component of a huge content- and data-retention suite. As does EMC, IBM offers policy- and event-based storage management with compliance in mind.

The next piece of the puzzle is document management software, which ensures that information is identified, indexed, and labeled at its point of origin and then is sent to the appropriate storage medium. Leaders in this space include Documentum -- recently bought by EMC -- and FileNet, which offers Content Manager and Records Manager as part of its FileNet Compliance Framework. A document and information policy management application, where policy and rules settings can be changed to meet different regulations, comes with PSS Systems' Atlas IPM (Information Policy Management) suite.

Thanks to a few high-profile fraud cases, e-mail has emerged as an infamous liability. The archiving of e-mail -- and more recently, IM -- has received much attention from vendors such as Legato, which was bought by EMC last year, and from several specialty archiving software providers, including iLumin and KVS. Along with its shrink-wrapped product, EAS (Exchange Archive Solution), e-mail archive provider Zantaz provides a hosted solution called Digital Safe Service.

Such offerings ensure that e-mail and IMs are indexed in real time, while allowing IT to set up rules and policies that allow for sophisticated searches and timely retrieval.

Security and identity services play a critical role in proving that the information being committed to record is valid. “If your systems themselves aren’t secure, then what good is the information from those systems?” Gartner’s Wood asks. “But this is a case where enterprises already ought to have systems in place before compliance issues are even considered.”

Rick Caccia, director of product management at Oblix, producers of CoreID identity management software, acknowledges that the company has no specific compliance offering and that many IT outfits are leveraging existing security systems. “But we can automatically generate audit trails for the applications we protect,” he says. “So, it becomes useful in the compliance arena, where a lot of the language in the regulations, particularly Sarbanes-Oxley, is pretty vague when it comes to defining ‘effective controls.’ ” In the end, security tends to become distributed across the framework by access-control limitations placed on a variety of systems.

Leveraging existing assets
