Compliance 2.0: Raising the bar

03 May 2007 | SearchCIO.com


Compliance regulations, privacy rules and data security initiatives have presented today's IT executives with more legal issues than ever before. This Executive Guide provides resources to help CIOs learn more about the technology solutions needed to combat the growing number of legal issues affecting organizations.

This guide is part of SearchCIO.com's Executive Guide series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date, visit the Executive Guide section.

Table of contents

   Sarbanes-Oxley advice for smaller public firms
   Putting your finger on federal data security law
   IBM vows solution to identity theft outbreak
   Remote backup: Making the case to your CEO
   Email archiving: Four steps to ensuring success
   More compliance resources for CIOs

  Sarbanes-Oxley advice for smaller public firms

[James Champy, Contributor]

Up to now, smaller public companies -- usually those with just less than $75 million in public equity -- have not been required to comply with Section 404 of the Sarbanes-Oxley Act. That section requires that a public company's management file a report on its assessment of the company's internal control over financial reporting -- including the financial work that passes through IT. It also requires the company's auditors attest to the quality of the company's internal control over financial reporting in the auditor's annual report.

The Securities and Exchange Commission (SEC) itself has recognized the compliance challenges for smaller companies: smaller companies typically don't have full-time financial controllers; managers in smaller companies have a broad span of control, and this could lead to management override of financial controls; and smaller companies are more dynamic and don't have well-documented processes. Your company may have a lot of work to do to produce a report that makes investors feel confident about your numbers -- even if you are the most honest company.

The SEC has given smaller companies and their auditors more time to prepare -- but time is almost up. Companies with fiscal years ending on or after Dec. 15 will have to start complying. IT is an integral part of compliance, especially for processes and systems that touch financial controls and reporting.

   Learn more in the full column, "Sarbanes-Oxley advice for smaller public companies." Also:

  • Steps to institutionalizing compliance
    CIOs can successfully handle the many pressures of compliance by shifting from a reactive to a proactive mode, according to industry experts.
  • Expert podcast: Top five questions to ask when shopping for compliance products
    Many vendors are positioning their products as compliance offerings, but when should you focus on fine-tuning your existing architecture, and when is it time to buy? When it is time, what should you keep in mind? This podcast will count down the top five questions you should ask when preparing to make a compliance-related purchase.

  Putting your finger on federal data security law

[Matt Karlyn, Contributor]

In a previous column, I discussed several of the state security breach notification laws [see "The State of State Security Breach Notification Laws," November 2006 issue].

Generally, state security breach notification laws require that organizations that collect, own or license personal information about a state's residents notify these individuals and, in some cases, other entities, such as consumer reporting and law enforcement agencies, when unencrypted personal information has been lost or compromised.

Since my column was published, the Privacy Rights Clearinghouse reported no fewer than 65 incidents of lost or compromised personal information in the U.S. affecting more than 3.5 million people. In December 2006, the Privacy Rights Clearinghouse also reported that security breaches had resulted in 100 million records being lost or compromised.

   Learn more in the column "Putting your finger on federal data security law."

  IBM vows solution to identity theft outbreak

[Linda Tucci, Senior News Writer]

The TJX Cos.' Ben Cammarata is not the only retailer pulling out his hair over identity theft. There are countless ways customers' personal information can be compromised. For companies and organizations desperate to get out of the business of authenticating, digging up and holding information on customers they do business with online, Big Blue might have an escape hatch.

New technology developed by IBM and released last week to the open source community promises to let consumers do business online without disclosing personal information.

Developed by IBM's laboratory in Zurich, Switzerland, the software puts identity management in the hands of consumers, the company said, and could help merchants as well by limiting their liability.

Identity Mixer, as it's called, uses sophisticated cryptographic algorithms to ensure that sensitive information -- a person's date of birth, Social Security number, bank balance or real credit card numbers -- is never disclosed to the inquiring online party.

   Find out more in "IBM vows solution to identity theft outbreak."

  Remote backup: Making the case to your CEO

[Herman Mehling, Contributor]

Remote backup of data, applications and operating systems is becoming more important for companies of all sizes as they struggle to cope with a growing number of remote workers and a mountain of compliance and legal mandates. It is also becoming more important as companies realize that a tape backup plan is not enough to provide business continuity in the event of a disaster.

Tape backups

Most tape backups involve transferring data each day to a local disk or tape before shipping the data to a central office and perhaps to an off-site tape storage facility. But what happens if a disaster destroys the remote office? The raw data is useless without the applications and properly configured hardware.

Striving to solve that scenario, vendors created remote backup solutions that use high-throughput, affordable Internet data transmission to back up data and -- in some cases -- applications and operating systems to a distant location. Essentially, there are two options: do-it-yourself software and managed services, to which companies outsource their remote backup functions.

   Learn more about backups in "Remote backup: Making the case to your CEO." Also:

  • Data center management for CIOs
    A successful data center management strategy should address compliance, consolidation, migration and business continuity. Learn more about setting up and managing your data center.
  • Monitoring technologies making headway with CIOs
    Catching unscrupulous employees gambling online isn't the only reason to monitor Web activity. Employee monitoring can also help CIOs make better use of network resources.

  Email archiving: Four steps to ensuring success

[Carol Hildebrand, Contributor]

According to Gartner Inc.'s "Magic Quadrant for E-mail Active Archiving, 2006" report, "The growing size of email data stores, coupled with the requirement to retain email records for regulatory compliance and legal discovery, has created a market for email active-archiving tools."

Moreover, the overwhelming use of technology to create and disseminate documents has heightened the need for email management, said Mark Diamond, president and CEO of Contoural Inc., a Mountain View, Calif.-based consultancy that specializes in email and record retention strategies. "The majority of documents companies get are electronic -- the latest figure is 96%," Diamond said. "And even hard-copy documents are usually copies of electronic ones."

With data retention issues touching a number of factions within a company, smart CIOs will accommodate all the intersecting interests, from legal to compliance officers, to the business units that create the emailed information. The trouble is, many companies' solutions, as well as the underlying retention policies that govern them, are created without such input. Building an email archiving policy while not taking into consideration business drivers such as compliance, privacy, business productivity and trends in litigation and discovery can put a company at risk, said Dick Benton, a principal consultant at GlassHouse Technologies Inc., a consulting firm in Framingham, Mass. "Take email discovery," Benton said. "If you are hit by a lawsuit, it can cost about five to seven bucks an email in legal discovery, and millions of emails in discovery is not unusual."

Going the opposite direction and letting the legal or compliance staff draft these policies unchecked can also be disastrous.

   Find out more in "Email archiving: Four steps to ensuring success." Also:

  • Podcast: Email archiving and the law
    CIOs considering email archiving need to look at issues beyond compliance. E-discovery and litigation readiness typically have the greatest impact on archiving strategies. This podcast discusses the legal ramifications of email archiving, and how they affect IT strategy.
  • The evidence is in the email
    What can email archiving technology do for you? Get you more storage space, improve system performance -- and make your auditors happy.

  More compliance resources for CIOs

   Resource Center: Compliance and legal concerns

   Glossary: What is compliance?
