Between IT-related laws and governance regulations, IT executives today deal with more legal issues than ever before. These issues include compliance regulations, privacy rules and data protection. This Executive Guide provides resources to help CIOs learn more about the technology solutions needed to combat the growing number of legal issues affecting organizations today.
This Executive Guide is part of the SearchCIO Executive Guide series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date visit the Executive Guide section.
Staffing for ongoing legal and ethical issues
The number of ethical issues that need to be managed by companies has become increasingly complex during the past few years, and an ethics officer can make sure that a company really follows the policies, guidelines and ethical standards that it promotes. Nothing is worse than a company that does not follow what it preaches to its employees and customers. Ethics officers can also help employees at all levels of the organization make correct decisions in difficult situations, which can be helpful to some who may not have had ethics education in school or at previous employers. This is especially true for IT security personnel because of their access to sensitive information as well as the responsibility to protect it.
Here are some specific reasons why enterprises should consider having an ethics officer:
- To provide assistance with meeting regulatory compliance: An ethics officer can work with the company's top brass to make sure that they are compliant with legislation such as the Sarbanes-Oxley Act (SOX). A survey of business executives by New York-based PricewaterhouseCoopers LLP indicates that SOX accounts for 54% of total compliance spending, which added up to more than $6 billion in 2005. An ethics officer can develop and implement ethics training programs for the company as well as monitor their effectiveness so top management can measure the results.
- To improve the company's reputation and public perception: In the last few years, some companies' reputations have been tarnished by scandals and other misdeeds. To help bring them out of the muck, some companies such as MCI have hired an ethics officer to rebuild their reputation with employees, regulators and the general public. Fortunately for MCI, after much hard work it was able to turn the corner and has been re-listed on Nasdaq. However, proactively hiring an ethics officer before there is trouble will help mitigate problems from occurring in the first place.
- To provide a mechanism for reporting issues: The United States Sentencing Commission and the Federal Sentencing Guidelines recommend companies have nonretaliatory systems in place for reporting misconduct. Creating and implementing an infrastructure for reporting and managing ethical issues and inquiries is something for which an ethics officer is responsible. These systems could include email addresses, anonymous phone and fax numbers, and Web contact pages.
Joe Malec is a security analyst at St. Louis-based Enterprise Rent-A-Car Co., specializing in compliance and application security. He is also the president of the St. Louis chapter of the Information Systems Security Association and serves on the ISSA International Ethics Committee.
- Definition: Compliance (Source: SearchCIO.com, powered by Whatis.com)
- Definition: Corporate governance (Source: SearchCIO.com, powered by Whatis.com)
- Definition: Chief Compliance Officer (Source: SearchCIO.com, powered by Whatis.com)
- Definition: Email archiving (Source: SearchCIO.com, powered by Whatis.com)
- Definition: HIPAA (Source: SearchCIO.com, powered by Whatis.com)
- Definition: Sarbanes-Oxley Act (Source: SearchCIO.com, powered by Whatis.com)
General legal, regulatory and compliance issues
- Article: Five compliance questions to ask your CEO (Source: SearchCIO.com, 10/20/2005)
- Article: Ways to cut SEC compliance costs (Source: SearchWinSystems.com, 2/03/2006)
- Article: Expert: Lengthy logs not always a good thing (Source: SearchSecurity.com, 12/13/2005)
- Magazine feature: How CIOs are rebounding from compliance shock (Source: CIO Decisions magazine, 3/01/2006)
- Article: Benefits of regulatory self-assessments (Source: SearchCIO.com, 5/11/2006)
- Article: Rural hospital tests VPN to meet state regs (Source: SearchCIO.com, 5/23/2006)
- Article: Credit union takes top-down approach to compliance (Source: SearchSMB.com, 2/22/2006)
- Q&A: A compliance conversation: PEMCO's Kip Boyle (Source: SearchCIO.com, 6/1/2005)
- Article: Cut SOX costs by limiting what you test (Source: SearchCIO.com, 5/31/2006)
- Article: By the Numbers: SOX no bargain in '06 (Source: SearchCIO.com, 12/21/2005)
- Q&A: VoIP and SOX: Tricky recipe for CIOs (Source: SearchCIO.com, 7/21/2005)
- Article: Study: SOX-compliant firms see drop in costs in year 2 (Source: SearchCIO.com, 4/20/2006)
- Article: Opinions split on new SOX proposal (Source: SearchCIO.com, 3/01/2006)
- Article: SEC to small companies on SOX: Not off the hook (Source: SearchCIO.com, 5/18/2006)
- Article: Spending on Sarbanes-Oxley software climbs (Source: SearchCIO.com, 2/08/2006)
- Article: Healthcare users struggle with HIPAA (Source: SearchStorage.com, 01/03/2006)
- Article: SMBs respond to HIPAA demands (Source: SearchStorage.com, 01/03/2006)
- Tip: Instilling a HIPAA mindset (Source: SearchSecurity.com, 06/13/2006)
- Tip: Lake Forest Hospital's Rx for HIPAA compliance (Source: Information Security magazine, 03/24/2006)
- Survey: Survey results highlight the importance of HIPAA compliance training (Source: IT Business Edge, 05/10/2006)
Security and privacy issues
- Article: Privacy expert calls for action on Specter-Leahy bill (Source: SearchStorage.com, 12/12/2005)
- Article: Spyware Survey: Do users want Uncle Sam in this fight? (Source: SearchSecurity.com, 10/25/2005)
- Article: Compliance shouldn't be a primary security driver (Source: SearchSecurity.com, 6/08/2005)
- Tip: Best practices for managing compliance with security standards (Source: SearchSecurity.com, 4/20/2004)