Learn the science of compliance to survive

31.07.2006
Government regulations have increased dramatically in response to an array of unsettling events -- terrorist activities, big-business financial misdealings and scandals, and dangerous lapses in the safeguarding of consumer data. While industry regulations and government legislation are not welcomed across the board, compliance is nevertheless mandatory, and the potential cost of noncompliance rises daily.

This is where enterprise IT operations will have to step up to the plate and lead the business side of their companies. To succeed at compliance, the best approach is a multidisciplinary, streamlined, comprehensive base of operations.

Out of concern for data privacy and security, new federal and state regulations were developed to encourage corporate accountability. Not only must data be retained for a specific time period, but it must also be retained securely, under legislation like the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Federal Information Security Management Act and California's SB 1386.

HIPAA is perhaps the most renowned, because it has required the most from IT departments responsible for securing electronic patient information, some of the most private data around. Gramm-Leach-Bliley is notable because it requires banks and financial services firms (again, their IT departments) to protect consumer financial data. Sarbanes-Oxley requires public companies to support their financial statements with proof that they have adequate procedures and controls.

New accountability regulations are forcing businesses (and their executives) to ensure that not only is company data accurate, but also that consumer data is adequately secured.

With the growing number of regulations, those in charge of privacy and security compliance need comprehensive and practical information about the issues they must address -- and it's often up to them to find that information. Compliance with regulatory requirements means that businesses have to dedicate personnel to the task, in effect maintaining a staff just for that purpose. The hours that must be committed are especially evident, for instance, in the portion of the Sarbanes-Oxley Act that requires that records of electronic communications be tamperproof and that electronic storage media be kept in nonrewritable, nonerasable formats. Here, electronic communications include not only e-mail but also instant messaging and some phone communications.

In addition, Sarbanes-Oxley mandates that internal controls and financial reporting procedures be evaluated annually to see if they're adequate. The amount of controlled data is often massive, and logging, archiving and being able to produce communications upon request is labor-intensive and costly.

Another important compliance issue stems from the fact that some companies are concerned that they're spending too much time wrestling with the details and appearance of compliance and not spending enough time on security in general. A recent Ernst & Young report suggests that companies are failing to look into vulnerability issues related to endpoint security for systems such as laptops, wireless networks and Internet telephony -- a dangerous development with potentially disastrous consequences.

The National Institute of Standards and Technology offers an introductory resource guide for implementing HIPAA, which can be found at http://csrc.nist.gov/publications/nistpubs/800-66/SP800-66.pdf. The Federal Trade Commission offers advice for complying with the financial privacy requirements of Gramm-Leach-Bliley at www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm. A growing number of consultancies have arisen that do nothing but guide companies through the thicket of compliance.

There are numerous software tools and hardware appliances available to help businesses manage each step of the compliance process. Mounting regulatory pressure has created several thriving markets for categories such as compliance monitoring and management software and unified threat-prevention systems, in addition to giving a boost to plenty of security and auditing tools that have been around for a long time.

Where once compliance was simply important, in today's business climate a slip outside the rules can have consequences that range from disastrous to fatal for a company. Organizations must also be able to prove they're compliant in case the feds come knocking at their doors. The bottom line: While regulatory compliance and other issues may seem insurmountable -- or at least overwhelming -- failure to meet requirements and mandates can and will result in stiff penalties. There's no choice but to bite the bullet and make use of the tools that are out there.

Douglas Schweitzer is a freelance writer and Internet security specialist in Nesconset, N.Y. He can be reached at dougneak@juno.com.