Regulatory compliance management issues, information privacy rules and data security initiatives have presented today's IT executives with more legal issues than ever before. This Executive Guide provides resources to help CIOs learn more about the technology solutions needed to combat the growing number of legal issues affecting organizations.
This guide is part of SearchCIO.com's CIO Briefing series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date visit the CIO Briefing section.
- Sarbanes-Oxley advice for smaller public firms
- Putting your finger on federal data security law
- IBM vows solution to identity theft outbreak
- Remote backup: Making the case to your CEO
- Email archiving: Four steps to ensuring success
- More compliance resources for CIOs
| Sarbanes-Oxley advice for smaller public firms
Table of Contents
Up to now, smaller public companies -- usually those with just less than $75 million in public equity -- have not been required to comply with Section 404 of the Sarbanes-Oxley Act. That section requires that a public company's management file a report on its assessment of the company's internal control over financial reporting -- including the financial work that passes through IT. It also requires the company's auditors attest to the quality of the company's internal control over financial reporting in the auditor's annual report.
The Securities and Exchange Commission (SEC) itself has recognized the regulatory compliance management challenges for smaller companies: Smaller companies typically don't have full-time financial controllers; managers in smaller companies have a broad span of control, and this could lead to management override of financial controls; and smaller companies are more dynamic and don't have well-documented processes. Your company may have a lot of work to do to produce a report that makes investors feel confident about your numbers -- even if you are the most honest company.
The SEC has given smaller companies and their auditors more time to prepare -- but time is almost up. Companies with fiscal years ending on or after Dec. 15 will have to start complying. IT is an integral part of compliance, especially for processes and systems that touch financial controls and reporting.
Learn more in the full column, "Sarbanes-Oxley advice for smaller public companies." Also:
to institutionalizing compliance
CIOs can successfully handle the many pressures of compliance by shifting from a reactive to a proactive mode, according to industry experts.
your finger on federal data security law
Table of Contents
In a previous column, I discussed several of the state security breach notification laws.
Generally, state security breach notification laws require that organizations that collect, own or license personal information about a state's residents notify these individuals and, in some cases, other entities, such as consumer reporting and law enforcement agencies when unencrypted personal information has been lost or compromised.
Since my column was published, the Privacy Rights Clearinghouse reported no fewer than 65 incidents of lost or compromised personal information in the U.S. affecting more than 3.5 million people. In December 2006, the Privacy Rights Clearinghouse also reported that security breaches had resulted in 100 million records being lost or compromised.
Learn more in the column "Putting your finger on federal data security law." Also:
device encryption: A best practice that no one uses
Experts and IT executives agree that encryption is the best way to protect data on mobile devices. But too few companies are actually deploying this critical technology.
monitoring tags questionable email activity
You've spent thousands to keep malware and hackers out, but what are you doing to keep your data inside? Encryption can lock things down, but you need visibility to make sure the data is truly safe.
| IBM vows
solution to identity theft outbreak
Table of Contents
The TJX Cos.' Ben Cammarata is not the only retailer pulling out his hair over identity theft. There are countless ways customers' personal information can be compromised. For companies and organizations desperate to get out of the business of authenticating, digging up and holding information on customers they do business with online, Big Blue might have an escape hatch.
New technology developed by IBM and released last week to the open source community promises to let consumers do business online without disclosing personal information.
Developed by IBM's laboratory in Zurich, Switzerland, the software puts identity management in the hands of consumers, the company said, and could help merchants as well by limiting their liability.
Identity Mixer, as it's called, uses sophisticated cryptographic algorithms to ensure that sensitive information -- a person's date of birth, Social Security number, bank balance or real credit card numbers -- is never disclosed to the inquiring online party.
Find out more in "IBM vows solution to identity theft outbreak." Also:
IT execs could take heat for TJX breach
Experts say senior IT executives at TJX are most likely on the hot seat today after the retail giant revealed Wednesday a massive computer security breach.
bolsters IBM's compliance, security portfolio
IBM's purchase of Dutch software firm Consul gives it a security and compliance auditing product that runs on both distributed and mainframe systems.
backup: Making the case to your CEO
Table of Contents
Remote backup of data, applications and operating systems is becoming more important for companies of all sizes as they struggle to cope with a growing number of remote workers and a mountain of regulatory compliance management and legal mandates. It is also becoming more important as companies realize that a tape backup plan is not enough to provide business continuity in the event of a disaster.
Most tape backups involve transferring data each day to a local disk or tape before shipping the data to a central office and perhaps to an off-site tape storage facility. But what happens if a disaster destroys the remote office? The raw data is useless without the applications and properly configured hardware.
Striving to solve that scenario, vendors created remote backup solutions using high throughput and affordable Internet data transmission that back up data and -- in some cases -- applications and operating systems to a distant location. Essentially, there are two options: do-it-yourself software and managed services, to which companies outsource their remote backup functions.
Learn more about backups in "Remote backup: Making the case to your CEO." Also:
- Data center
management for CIOs
A successful data center management strategy should address compliance, consolidation, migration and business continuity. Learn more about setting up and managing your data center.
technologies making headway with CIOs
Catching unscrupulous employees gambling online isn't the only reason to monitor Web activity. Employee monitoring can also help CIOs make better use of network resources.
| Email archiving: Four steps to ensuring success
Table of Contents
According to Gartner Inc.'s "Magic Quadrant for E-mail Active Archiving, 2006" report, "The growing size of email data stores, coupled with the requirement to retain email records for regulatory compliance and legal discovery, has created a market for email active-archiving tools."
Moreover, the overwhelming use of technology to create and disseminate documents has heightened the need for email management, said Mark Diamond, president and CEO of Contoural Inc., a Mountain View, Calif.-based consultancy that specializes in email and record retention strategies. "The majority of documents companies get are electronic -- the latest figure is 96%," Diamond said. "And even hard-copy documents are usually copies of electronic ones."
With data retention issues touching a number of factions within a company, smart CIOs will accommodate all the intersecting interests, from legal to compliance officers, to the business units that create the emailed information. The trouble is, many companies' solutions, as well as the underlying retention policies that govern them, are created without such input. Building an email archiving policy while not taking into consideration business drivers such as compliance, privacy, business productivity and trends in litigation and discovery can put a company at risk, said Dick Benton, a principal consultant at GlassHouse Technologies Inc., a consulting firm in Framingham, Mass. "Take email discovery," Benton said. "If you are hit by a Iawsuit, it can cost about five to seven bucks an email in legal discovery, and millions of emails in discovery is not unusual."
Going the opposite direction and letting the legal or compliance staff draft these policies unchecked can also be disastrous.
Find out more in "Email archiving: Four steps to ensuring success." Also:
- The evidence is in the email
What can email archiving technology do for you? Get you more storage space, improve system performance -- and make your auditors happy.
compliance resources for CIOs
Table of Contents
- Resource center: Compliance strategies and best practices
This was first published in May 2007