Learn the science of compliance to survive

31.07.2006
Government regulations have increased dramatically in response to an array of unsettling events -- terrorist activities, big-business financial misdealings and scandals, and dangerous lapses in the safeguarding of consumer data. While industry regulations and government legislation are not welcomed across the board, compliance is nevertheless mandatory, and the potential cost of noncompliance rises daily.

This is where enterprise IT operations will have to step up to the plate and lead the business side of their companies. The best approach to achieving compliance is a multidisciplinary, streamlined, comprehensive base of operations rather than a separate effort per regulation.

New federal and state regulations concerned with data privacy and security were developed to encourage corporate accountability. Data must not only be retained for a specified period, but also be retained securely, under legislation such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Federal Information Security Management Act and California's SB 1386.

HIPAA is perhaps the most renowned, because it has required the most from IT departments responsible for securing electronic patient information, some of the most private data around. Gramm-Leach-Bliley is notable because it requires banks and financial services firms (again, their IT departments) to protect consumer financial data. Sarbanes-Oxley requires public companies to support their financial statements with proof that they have adequate procedures and controls.

New accountability regulations are forcing businesses (and their executives) to ensure that not only is company data accurate, but also that consumer data is adequately secured.

With the growing number of regulations, those in charge of privacy and security compliance need comprehensive and practical information about the issues they must address -- and it's often up to them to find that information. Compliance with regulatory requirements means that businesses have to dedicate personnel to the task, in effect maintaining a staff just for that purpose. The extent of the hours to be committed is especially evident, for instance, in the records-retention requirements usually discussed under the Sarbanes-Oxley heading: records of electronic communications must be tamperproof, and the electronic storage media must keep them in a nonrewritable, nonerasable format (the latter wording comes from SEC Rule 17a-4, which applies to broker-dealers, but it is commonly lumped together with Sarbanes-Oxley in practice). Here, electronic communications include not only e-mail, but instant messaging and some phone communications as well.