MARKET OUTLOOK

Compliance Is Only Part of the Equation

Protection against increasingly sophisticated internal and external threats demands a strategic, global policy

Since the late nineties, corporations have been poring over their financial documents, consulting legal experts, overhauling their IT infrastructure, hiring compliance chiefs, and doing everything else humanly possible to comply with Sarbanes Oxley (SOX), the Gramm-Leach-Blilely Act (GLBA) and HIPAA (Healthcare Insurance Portability and Accountability Act). Add to these regulations SEC 17, and complex state laws such as California’s Security Breach Information Act, and it’s easy to see how the explosion in regulatory compliance requirements has bred its own cottage industry, replete with corporate consultants, IT solutions, and revenues in the billions.

While the process has been painful and expensive, the push for compliance has provided several benefits. Healthcare organizations are now required by law to protect “portable” patient data. SOX has greatly enhanced internal controls primarily in public corporations, and to some extent in private corporations. The accompanying publicity engendered greater transparency and accountability, which should benefit employees, investors, shareholders and the companies in which each group is a stakeholder.

Complex regulations coupled with sophisticated threats

These changes are a step in the right direction. But compliance does not end with SOX, GLBA and HIPAA; in fact, compliance extends far beyond the US. Britain, Europe, India, and Japan have instituted new privacy laws or tightened existing ones, creating potential legal liability for non-compliant organizations doing business in these regions. Coupled with this increasingly complex regulatory landscape is a growing number of sophisticated hackers and virus writers, whose exploits propagate at alarmingly shorter intervals and with greater destructive payload. Now consider the potential loss of propriety corporate information to competitors--whether accidentally or through employee theft. The need for a strategic, flexible policy should be blindingly obvious.

No magic bullet

The digital format has become the de facto standard for the submission, storage, dissemination and editing of information of every type. Not surprisingly, vendors are quick to tout their wares as magic bullets in the never-ending quest for compliance. Indeed, the encryption and filtering of email messages, to cite two popular methods of securing corporate information, help companies achieve compliance with HIPAA; they do not however, by themselves guarantee compliance with any regulation.

But this type of approach – deploying a point technology to resolve a single business problem – is merely a tactical solution to a much broader strategic challenge. Full protection against potential compliance violations and internal and external threats requires a living, breathing policy, and a policy enforcement mechanism that not only addresses domestic regulations, but also adapts to regulations abroad.

The hospital in Iowa that owns a lab in the Philippines and employs customer service representatives in India must do more to secure their information than comply with HIPAA. Compliance for this hospital and for all multinational businesses should be a byproduct of a global policy management initiative whose aim is to safeguard the entirety of the organization’s intellectual property assets. A policy that seeks to address individual government regulations in a piecemeal fashion won’t suffice. Only a flexible, comprehensive policy that addresses all of the company’s compliance and information security needs will provide sufficient protection.

Towards a flexible and strategic global policy

To develop an effective global policy, consider these crucial steps:

1. Assign an individual in your organization to measure your compliance “gap" (i.e. the distance between where you are and where you want to be), and audit potential threat areas. These are the areas where your network may be vulnerable to network attack, corporate data leakage, etc.
2. Define how you will enforce your global policy. Research technologies that will enable you to enforce your policy easily and effectively. Make sure the platform you choose is flexible and capable of modifying policy rules on the fly, and generating detailed policy reports (the goal is to make sure the auditor leaves the same the day he/she shows up).
3. Consider internal storage and archiving of email and instant messages and other communications. Email is the most popular item to be subpoenaed. In addition, some regulations such as SOX and SEC 17 require public companies to store email sent and received by their Chief Financial Officers for seven years.
4. Analyze online privacy and other regulations for the different countries in which you do business.
5. Study the cultural values and mores of each country so that your policy can be as regionally sensitive as possible.
6. Taking all of this intelligence into account, you can now develop an overall macro policy that includes micro-policies for each region. Now apply your on-paper policy to the technology you’ve selected and installed.

Vigilance is key

Regulations change—often dramatically. As companies expand their operations abroad, the task of securing corporate information assets grows more complex. HR and IT executives must be vigilant in their efforts to modify their macro policy to address new compliance developments and increasingly sophisticated threats to corporate information security.