Regulatory compliance management guide for the midmarket

Regulatory compliance management can tax a midmarket company, but there's no way around it. Get the latest news and insights regarding regulations and standards in this guide.

Regulatory compliance management doesn't begin and end with the Sarbanes-Oxley Act (SOX). CIOs at midmarket companies must also keep up with the Payment Card Industry's (PCI) security standards, the Health Insurance Portability and Accountability Act (HIPAA) and numerous other regulations and guidelines. It's a tall order, but it's one midmarket CIOs must face in order to protect their customers and stay in line with standards set by the IT industry as well as the government. This Midmarket CIO Briefing offers news, insights and resources to help midmarket companies stay on top of their regulatory compliance management responsibilities.

For advice and resources on more IT and business topics, visit our list of Midmarket CIO Briefings.

Table of contents

  Compliance takes log data to next level
  Sarbanes-Oxley compliance costs drop
  Regulatory compliance -- Stay ahead
  E-discovery must be a team effort
  Laptop security best practices
  More resources

  Compliance takes log data to next level

Three years ago, PCI auditors came to Peter Boergermann and asked him what his IT organization was doing with its log data.

Network devices, servers, PCs, applications, firewalls and most other devices and software in a corporate system retain a log of every information transaction conducted on that machine. The log data is a virtual fingerprint of activity that takes place on a company's system. But gathering and making use of that data can be a challenge.

Boergermann, associate vice president, MIS technical support manager and IT security officer at $1.1 billion Citizens & Northern Bank in Wellsboro, Pa., said the PCI auditors had just gone through training on the importance of log data to compliance.

"They asked, 'What are you doing with your logs? Who's looking at them? How do you react to them? What changes do you make based on your reactions?'" Boergermann said of the auditors, who are charged with checking a company's compliance with the PCI security standards. "We weren't doing a lot with logs. After listening to their questions, we decided to start reviewing our options."
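The auditors' four questions map onto something concrete: collect the logs, look at them on a schedule, and have a rule that tells a reviewer when to react. The block below is an added example written for this page, not code from the article or from Citizens & Northern Bank. It parses a constructed batch of syslog-style OpenSSH lines (invented sample data, not a real log), produces the counts a reviewer would record for a daily log review of the kind PCI DSS Requirement 10 (track and monitor access) expects, and flags one pattern worth reacting to: an accepted login from an address that had just racked up a run of failures. The year argument, the failure threshold and the look-back window are assumptions for illustration, not values taken from any standard.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines for illustration; not real log data.
SAMPLE_LOG = """\
Mar  3 08:01:12 fileserver sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Mar  3 08:01:14 fileserver sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Mar  3 08:01:15 fileserver sshd[2003]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar  3 08:01:17 fileserver sshd[2005]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  3 08:01:19 fileserver sshd[2007]: Failed password for root from 203.0.113.7 port 50127 ssh2
Mar  3 08:01:30 fileserver sshd[2009]: Accepted password for root from 203.0.113.7 port 50128 ssh2
Mar  3 08:15:02 fileserver sshd[2101]: Failed password for jsmith from 192.0.2.44 port 41000 ssh2
Mar  3 08:15:40 fileserver sshd[2102]: Accepted publickey for jsmith from 192.0.2.44 port 41001 ssh2
Mar  3 09:30:00 fileserver cron[2150]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 09:30:05 fileserver sshd[2200]: Accepted publickey for backup from 192.0.2.10 port 39000 ssh2
"""

# Matches OpenSSH's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_events(text, year=2007):
    """Parse sshd authentication lines into dicts. Classic syslog timestamps carry
    no year, so the caller supplies one (assumption: every line is from that year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other daemons (cron, etc.) are outside this example's scope
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def daily_summary(events):
    """The counts a reviewer would record as evidence that the logs were looked at."""
    return {
        "by_result": Counter(e["result"] for e in events),
        "accepted_by_user": Counter(e["user"] for e in events if e["result"] == "Accepted"),
        "failed_by_ip": Counter(e["ip"] for e in events if e["result"] == "Failed"),
    }


def failed_then_accepted(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP whose accepted login was preceded by at least `threshold`
    failures inside `window`. Threshold and window are illustrative tuning values."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = []
        for e in evs:
            # keep only failures that fall inside the look-back window ending at this event
            recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
            if e["result"] == "Failed":
                recent_failures.append(e["ts"])
            elif len(recent_failures) >= threshold:
                findings.append({"ip": ip, "user": e["user"], "host": e["host"],
                                 "failures_before": len(recent_failures),
                                 "accepted_at": e["ts"]})
                recent_failures = []
    return findings


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_LOG)
    print(daily_summary(evs))
    for f in failed_then_accepted(evs):
        print(f"REVIEW: {f['ip']} logged in as {f['user']} on {f['host']} at "
              f"{f['accepted_at']} after {f['failures_before']} failed attempts")
```

Run as-is, the summary shows six failures and three accepted logins, and the review rule fires once: 203.0.113.7 gets in as root after five failures in under a minute, while jsmith's single mistyped password followed by a key-based login is not flagged. The point for the auditors' last question ("what changes do you make?") is that a finding like this should feed a documented response, for example disabling password authentication for root, rather than sitting in a report nobody reads.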

Find out what the bank learned in "Compliance, security take managing log data to next level." Also:

  Sarbanes-Oxley compliance costs drop

The financial burden of SOX compliance is slowly (but surely) starting to ease.

The cost of compliance with Section 404 of the Sarbanes-Oxley Act declined by 21% in fiscal 2006, according to a survey by Financial Executives International. The Florham Park, N.J.-based organization found the average company spent $2.9 million on SOX compliance in 2006, versus $3.8 million in 2005 and $4.5 million in 2004.

"Technology has a lot to do with the cost reduction," said Sanjay Anand, chairperson of the Sarbanes-Oxley Institute. Public companies "are actually automating their controls. A good 20 to 30%, even as much as 40%, of the cost reduction is actually coming from automated controls rather than manual controls."

These cost reductions have come despite the fact that auditors' fees have remained relatively steady, the research revealed. External auditor fees dropped by just 11% in 2006, from $1.35 million to $1.2 million.

Learn more in "Sarbanes-Oxley compliance costs drop, better processes credited." Also:

  • SEC makes good on promise to clarify guidance on SOX (SearchSMB.com)
    The Securities and Exchange Commission (SEC) makes good on long-promised new guidance for the bugaboo of Section 404 of the Sarbanes-Oxley Act.
  • Sarbanes-Oxley advice for smaller public companies (SearchCIO.com)
    Smaller public companies have had more challenges when it comes to preparing for SOX. But as of Dec. 15, the SEC will start cracking down. In his latest column, James Champy offers some tips for those trying to do more with less in achieving compliance.
  Regulatory compliance -- Stay ahead

As an IT manager of a small or medium-sized business (SMB), you may find yourself asking, "How can we affordably and effectively store and archive data to meet regulatory compliance demands?" It sounds like a daunting task, indeed. But who doesn't love a good challenge?

The key to regulatory compliance is the ability to enforce and monitor security policies and processes at any given time, all of the time. And an SMB must plan and maintain an effective security strategy for its business infrastructure from the onset to serve as a solid foundation for regulatory compliance.

Of course, precautions taken early against security breaches and network vulnerabilities are far easier and cheaper than a late reaction to an actual violation. So staying on top of the security issues that matter to you, as your workforce, operations and environment change, is key.

Learn more in "Regulatory compliance -- Stay ahead to keep on top of issues." Also:

  • Insider threats thwarted in simple steps (SearchSMB.com)
    Don't wait for new SMB-specific offerings before you prevent insider threats. Leverage your existing systems with simple planning and integration.
  • Security buy-in starts at the top (SearchSMB.com)
    Security gets more buy-in from business execs now that Sarbanes-Oxley is here, but it's still a tough internal sell. CIOs must reach out to business managers to ensure that security is a priority in every technology project.
  E-discovery must be a team effort

IT organizations have survived Y2K, the Sarbanes-Oxley Act, HIPAA and other compliance issues that more or less have an end in sight once the deadlines have been met. But there's one hurdle for CIOs at small and medium-sized businesses (SMBs) that never really ends: the emergence of rules relating to electronic discovery, or e-discovery, of corporate communications and documents in court cases.

The rules governing what information companies must produce when involved in lawsuits are being defined by individual court decisions and by the amendments to the Federal Rules of Civil Procedure (FRCP) that took effect in December 2006. They affect companies of all sizes and in all industries. While larger companies may be the prime targets for lawsuits, SMBs are more likely to lack the IT and legal resources to deal with e-discovery.

"The biggest thing we have to do from a small-company perspective is to balance everything we have to do because we don't have the luxury of a big staff," said Dan Grosz, vice president of information systems at VIP Parts, Tires & Service in Lewiston, Maine. "We wear multiple hats, and I don't want to add yet another hat. I have enough to worry about without having to become a lawyer.''

Yet Grosz said he recognizes that he will have to work with legal advisers to understand how the evolving e-discovery rules will affect his IT operations. He will also have to educate business-side users on the implications of e-discovery in their day-to-day communications.

Learn more about e-discovery in "E-discovery must be a team effort." Also:

  Laptop security best practices

More employees with more laptops can mean greater exposure of your network to roaming security threats. And, in a worst-case scenario, a stolen laptop with sensitive customer data or proprietary company information can also expose the company to liabilities, legal or otherwise. Lost customer data can lead to identity theft and open the company to lawsuits. Lost proprietary information can damage the company's competitive edge, if not its business altogether.

Large organizations have sophisticated network defenses and firewalls to block malware from compromised laptops. For outbound threats, they may also employ complex content control systems to prevent the loss of customer data or company information. Not so for SMBs, which may operate simple firewall networks on a shoestring and don't have the cash to spend on expensive content filtering systems and software.

But there are solutions for SMBs that won't break the budget and involve little or no overhead. Many of these solutions rely on simple procedures and best practices that don't require bulking up stretched-thin IT departments or hiring a dedicated information security team.

There are three parts to laptop security: physical security, administrative access and technical controls.

Find out more about laptop security in "Laptop security best practices." Also:

  More resources

Next Steps

Photo story: Overcoming top regulation compliance challenges