Processor
June 13, 2008 • Vol.30 Issue 24
Page(s) 12 in print issue

Regulatory Compliance: What You Should Know
Don’t Underestimate Its Importance In Your Enterprise
For data center managers, understanding regulatory compliance is like doing your taxes: It involves wading through a plethora of minor regulatory updates, hours of research, and quite a few headaches. Yet ask anyone whose company is under an injunction for a data breach if compliance is important, and you will likely hear a litany of sage precautions—or a lot of grumbling and “should have dones.” Compliance may not be as exciting as installing a new 100Mb pipeline at the office or running a slick new Web 2.0 application for the marketing department, but it can be a critically misunderstood topic.

Once you understand the grievous nature of data breaches and how litigation can bring operations to a screeching halt even for the most seemingly minor offense, it’s easier to focus on governance as a priority. Here are a few important tips and guidelines to help you on the road to airtight data control.

Understand The Importance

Before visiting a single Web site or talking to the legal department, IT managers should first understand how important data governance, archival processes, and compliance are to the health of the company. Without that understanding, the remaining steps toward regulatory compliance, however important, tend to be pushed aside whenever a more immediate topic such as storage or servers demands attention.

“There are all too many small and medium-sized businesses in danger of or actively falling through the cracks of compliance regulations,” says Charles King, an analyst with Pund-IT (www.pund-it.com). “Some of these organizations don’t understand the complexity or gravity of the regulations with which they’re required to comply, while others believe that playing dumb will provide adequate protection for first offenses. Both behaviors can lead to expensive, difficult, and unnecessary lessons.”

Start With Communication

The most obvious strategy for a company of any size, no matter how many employees are involved with IT, is to do the hard work of communication. Brian Babineau, a noted analyst at Enterprise Strategy Group (www.enterprisestrategygroup.com) who has extensive data center compliance experience, suggests that IT sometimes uses a “playing golf in the dark” approach to regulatory compliance. Not surprisingly, without a clear customer-centric goal related to compliance, managers often deliver the wrong solution.

Babineau advises data center managers to be much more proactive. He says a first step is to meet with any legal and compliance teams in the company and/or any department that could impact data governance rules, such as the human resources department that needs to protect sensitive employee data.

This approach differs from the one often employed, a discovery process that starts by trying to understand the regulations themselves rather than their impact on the company. Instead, it puts the emphasis on the customer of IT: the business units, their needs, and the data they must protect.

Research After Communication

After holding these discussions with stakeholders, IT can better research which regulations actually apply. It is partly a matter of reading the regulations and partly a matter of understanding the IT processes they require. With PCI DSS (Payment Card Industry Data Security Standard), for example, you may discover that the standard requires a retailer to change its transaction process at the point of sale, or to encrypt cardholder data more thoroughly, wherever it is stored and transmitted.

“After this research, IT should figure out what processes will support compliance and then determine if these processes can be improved, automated, or reconstructed with the right technology,” says Babineau. “Then, it is time to start making investments [in technology products].”

Match Compliance To Industry

Because every industry is different, the rules that apply to one field may not be applicable to another, a trap that managers sometimes fall into. Often, it’s easy to see a rule in an industry such as health care that governs patient records, for example, and then assume that rule applies equally to a manufacturing or automotive company.

“The most important points for companies to determine are what rules and regulations apply to their operations and which information is affected,” says Pund-IT’s King. “That may seem simple, but for heavily regulated industries like health care, it can be very complex. The next step is to consider what sorts of solutions a company’s existing and favored vendors offer and how they stack up against the competition. Meeting compliance requirements can be so critically important that deploying new technologies may be the best way for an organization to meet its needs.”

Find Ancillary Tools

Another strategy in regulatory compliance is to look for tools and vendors that provide an ancillary service to strengthen your process and make your data collection more defensible. In the event of legal discovery against your company, you can then produce supporting records, such as logs and audit trails, to assist in the process. Those records are only useful if they have been retained for the required period and are protected against alteration, so retention and integrity of the collected data deserve as much attention as the collection itself.

“The log management sector has blossomed in recent years to help customers meet compliance needs—companies like LogLogic, Alert Logic, Prism Microsystems, and others,” says Michael Coté, a RedMonk analyst. “While most of these tools fly under the banner of the more generalized ‘log management’ area, much of their focus and domain-specific functionality comes into play with compliance.”

by John Brandon


Most Important Thing To Know

In IT, the best-known advisory firms almost always turn the conversation toward process; the term is offered as the answer to nearly every IT question. In the compliance field, where topics such as log management, archiving, and governance determine how data is collected, stored, and retained, having a sound, well-established process is critical.


Copyright © by Sandhills Publishing Company 2010. All rights reserved.