Processor
December 3, 2010 • Vol.32 Issue 25
Page(s) 28-29 in print issue

Top Compliance Issues
Cloud Computing & Lack Of Prior Preparation Are Stumbling Blocks To Compliance


Most SMEs have to deal with compliance issues of at least one type no matter what business they are in. Although financial services and healthcare companies tend to deal with stricter and more complex issues than, say, a chain of auto body shops, any business that uses credit cards and has an IT component has to address compliance in one form or another.

“Most organizations will have multiple compliance obligations, [including] legal, security, and privacy obligations, and on top of that, they may have internal policies that, for example, would be specific to their needs to protect intellectual capital,” says Vivian Tero, governance, risk, and compliance analyst at research firm IDC.

But getting a handle on these issues and figuring out your role in compliance can be overwhelming, given that no general roadmap exists to guide you through it. “Companies need to understand their regulatory profiles, and the first step is understanding the legal and regulatory constructs within which you work,” says Steve Whetstone, Esq., vice president of client development and strategy and general manager at Iron Mountain Legal Discovery Services (www.ironmountain.com).

The Facets Of Compliance

Whetstone describes three primary facets when it comes to compliance: regulatory compliance, which addresses specific federal regulations, such as Sarbanes-Oxley and HIPAA; compliance with cases and controversies, such as when a legal event presents itself outside of an ongoing regulatory scheme under which a company operates; and maintaining compliance within a company’s own policies and procedures for managing the business and the information that the business is using.

Key Points

• Compliance covers many areas, including regulations, legal, and internal corporate requirements.

• Compliance policies should be in place before a trigger event and not the other way around.

• Organizations cannot assume that cloud computing services will adhere to specific compliance issues and must therefore take responsibility for any breach that happens no matter where it originated.

Because compliance has so many facets, you cannot expect to take on any of these aspects on your own, nor should you. According to Tero, C-level executives ultimately are responsible for setting the policies and adhering to obligations around compliance as a whole and communicating those policies and practices to IT.

At the same time, all departments within an organization must make sure these policies are aligned, and typically IT needs to work closely with the corporate legal department to ensure that this happens. “Whatever those policies are, they must be translated into the proper technical controls that focus on availability of applications and security, controlled access, and destruction of applications, and then [IT must make] sure that whatever functional relationships between the owner of the data and those individuals with access to that data are properly maintained and are in compliance with those security and retention policies,” Tero says.

Avoiding The Pain

Many organizations put off setting up and implementing compliance policies until they face what Whetstone calls a “trigger event,” which he defines as a case or controversy that jars them into action. “They haven’t experienced that profound, acute pain that [forces] them into a strategy for handling digital information,” he says.

But risk-based arguments for implementing compliance strategies tend to be about as effective as similar ones are for earthquakes in California. Even though the average resident knows that he needs to have backup water, food, and some sort of escape strategy, it is too easy to put that off until tomorrow, the next day, or the day after that. Too often, companies fail to do anything until faced with a lawsuit, which creates chaos as they struggle to provide the information needed during the discovery process and spend unbudgeted monies on outside counsel and third-party providers in a reactive fashion.

Therefore, Whetstone says that putting forth a cost-based argument tends to get the right groups working together on compliance policies when risk-based ones are ignored. “You can save in storage costs by calculating that if by eliminating some percentage of information because we have a policy to get rid of [a certain] type [of] data after, say, six months, you can save X amount a year, or you can show that a cloud-based service that manages sensitive data will save you the cost of building the architecture, creating the compliance schema, and paying for the maintenance and monitoring of it in-house. Not only are you then protected, you get the financial advantages of [doing so],” he says.

Checking The Cloud Forecast

However, cloud services can create additional complications for internal compliance policies, especially if you fail to vet them ahead of time. In an August 2010 report entitled “Compliance With Clouds: Caveat Emptor,” Forrester analyst Chenxi Wang, Ph.D., writes that although cloud services offer businesses many advantages in a wide range of business functions, ensuring compliance has been problematic at best.

“Support for regulatory, regional, or internal policy compliance is arguably the weakest aspect of cloud computing,” Wang writes. “Today’s infrastructure-as-a-service (IaaS) players don’t provide geographic ubiquity, and software-as-a-service (SaaS) players rarely offer comprehensive data-level controls. As a result, leveraging the benefits of cloud and maintaining compliance can be at odds with each other.” She continues, “Security and risk professionals assisting businesses with sourcing selections must understand that your organization is ultimately responsible for compliance, and it is your responsibility to help business assess compliance risks. When necessary, you should implement compensating controls atop the cloud infrastructure to attain compliance.”

At the same time, Wang’s colleague, Forrester analyst Chris McClean, writes in a January 2010 report that Forrester has seen a growing level of concern over third-party compliance and risk management and adds that organizations should expect improvements to cloud-based vendor risk and compliance solutions over the next year.

A Look At Compliance By Region

Compliance laws vary by country. Overall, the European Union has much stricter regulations than the United States, with Germany having the strictest laws within the EU.

COPYRIGHT © 2010, FORRESTER RESEARCH

by Robyn Weisman

Copyright © by Sandhills Publishing Company 2012. All rights reserved.