
Best Practices: Meeting Compliance Challenges

Courtesy of Computer Associates International, Inc., Published in Partnership with Inc.

Fri, 24 Aug 2007 08:00:00 UTC

June 2005

After 9/11, Enron, Ahold, WorldCom and Parmalat, governments all over the world have enacted new laws concerning corporate governance, financial and reporting practices, data protection and privacy, consumer protection, terrorism prevention, and more. The resulting security, data backup, and electronic documentation requirements have spawned a need for new kinds of IT systems with auditing, monitoring, and reporting capabilities that affect companies of all sizes. This paper addresses these implications and the resulting compliance challenges.

The list of new regulations is impressive. Most direct the actions of large, publicly-held companies but not all of these regulations are reserved for large corporations.

Yes, This Means You

Several regulations directly affect smaller businesses in certain industry sectors, and plenty of other small businesses -- especially those with ambitions to grow, be acquired, or go public -- will still feel the impact.

For these businesses, developing adequate corporate governance processes and structures prepares them for the future -- a future in which, according to researcher International Data Corp., the vast majority of businesses will need information management compliance solutions to help with the likes of electronic discovery of documents and realtime analysis of IT systems. [3-1]

Are Your Business Practices Legal?

Consider these examples of violations of EU/UK data protection rules:

  • Via a third-party marketing firm, a respected Irish charity disclosed donor information to a bank and received in return a donation for each donor who responded to the bank's sales effort, even though the charity's donors had not agreed to this use of their information.
  • A car rental agency charged alleged damage to a customer's credit card -- but the customer had not used his credit card to rent the car and the agency misused credit card data from an earlier transaction, data that should have been destroyed.
The Long Arm of the Law: Does This Mean Today?

Even those with more modest growth plans may face immediate compliance requirements: HIPAA (the Health Information Portability and Accountability Act) demands that all U.S. healthcare providers, large and small, not only protect the privacy of patient data but also be able to prove they've done so. The price of noncompliance is exposure to liability issues as well as civil and criminal penalties. Similarly, the UK's recently revised Electronic Commerce Regulations impose new information requirements on small businesses as well as large companies engaged in e-commerce.

Various U.S. Securities & Exchange Commission (SEC) regulations require compliance from small brokerage houses and financial services firms, while small banks and even certified public accountants (CPAs) must deal with the Gramm-Leach-Bliley Act (GLBA) and related anti-money-laundering regulations. The U.S. Patriot Act, meanwhile, affects both large and small trading and financial services companies, including check-cashing businesses, with new rules aimed at preventing terrorism and money laundering by requiring businesses to be able to identify customers and activities that might be suspicious.

And the Sarbanes-Oxley Act in the United States (SOX) -- requiring, among other things, that a business's relevant financial reports be certified by both the CEO and CFO -- affects both small publicly-held and privately-owned companies not just based in the U.S. but all over the world.

In one study of the effects of Sarbanes-Oxley on private companies (which are not required to comply with the law), 87% of those queried indicated that SOX had impacted their firm, and 78% had voluntarily imposed reforms on themselves, mainly because their boards of directors, auditors, customers, lenders, or insurance providers have insisted on it. [3-2]

While there is not yet a European Union equivalent to Sarbanes-Oxley -- the much heralded "eighth directive" is in fact focused only on auditors -- individual EU nations have generated corporate governance regulations that are similar to SOX. Notable among these are:

  • France's Loi sur la sécurité financière (LSF), in force since 2003, which requires companies to document all their main business processes, and
  • Germany's Data Access and Digital Signature Authentication Law (GDPdU), which empowers tax officials to instantly access company financial documents.

Still more regulations may apply, depending on the kind of business you're in. Makers of pharmaceuticals and other kinds of manufacturers, for instance, are subject to environmental laws. Those transporting goods must now contend with U.S. Department of Homeland Security regulations.

Then there are internal and supplier-related compliance issues, such as Wal-Mart, Procter & Gamble, and the U.S. Department of Defense requiring their suppliers to use Electronic Product Code radio frequency identification tags.

The Bottom Line:

Increasingly, staying in business means staying compliant with new laws and standards that are raising the bar on all business behavior. And to stay compliant, all businesses must adopt basic security, data backup, and records management practices and technologies.

What You'll Need to Achieve Compliance: Best Practices

Regardless of the particular regulations and standards affecting your business, you can begin with several best practices:

  • Get legal advice about what regulations your business is subject to and what you need to do to ensure compliance.
  • Figure out what kind of -- and how much -- risk your business can handle, and prioritize the risks and vulnerabilities in need of remediation.
  • Create an information security policy for your business and document it.
  • Make sure this policy appropriately assigns responsibility for information security and determines how security events should be reported and documented.
  • Establish business continuity management procedures and systems.
  • Protect your operational data and your business records -- this includes restricting access to them and backing them up so that you have copies should the originals become corrupted or lost.
  • Create and enforce an email policy that specifies what employees can and cannot send.
  • Protect the privacy of the personal information your data contains.
  • Adhere to rules concerning intellectual property rights.
  • Ensure that your employees are trained about information security issues such as protecting passwords and recognizing scams.

The Technologies that Can Help You

Several types of technologies are critical to achieving compliance:

  • Security software will protect your business against errors (accounting-based and otherwise) or malicious acts. These programs include authentication, encryption, antispyware, and per-user passwords.
  • Data storage and backup/recovery systems will help you get on-demand access to business information and maintain accurate historical data that's easy to retrieve when required.
  • An up-to-date communications infrastructure will enable your business to support realtime collaboration and data access both within your business and with partners, suppliers, and regulators. This includes company-wide local area networks (LANs) as well as broadband wide area networks (WANs) for inter-company activities; PC migration tools to ease transfer of data between disparate desktop systems; and accurate and timely reporting software.

Compliance Questions to Ask and Answer

  • Do you know what will happen to your business operations if parts of your networks or systems fail?
  • Are your systems and networks protected against viruses and other malware?
  • Do you have ways to authenticate everyone who accesses your information systems and data?
  • Can you monitor how your IT network is used and by whom?
  • Do you have the means to track security incidents?
  • Is your data tamper-proof?
  • Is your key data backed up off-site?
  • Have you protected "unstructured" data -- that is, the emails, spreadsheets, and other documents on your employees' desktop systems?
  • Do you have company-wide email archiving capability?
  • How long does your data need to be archived and how quickly must you be able to retrieve it?
  • Can you show/prove that you are in compliance?

Anticipating the Future: Why Archiving Email Is Worth It

Many new regulations now require that organizations do one or more of the following:

  • Keep copies of all emails, including all email transactions with third parties
  • Archive email messages in a way that ensures the emails are authentic -- typically in an indexed format that is secure and that enables on-demand retrieval, viewing, reproduction, and manipulation in the same manner as the original
  • Be able to retrieve selected email messages quickly -- sometimes in as little as 48 hours
  • Preserve copies of electronic calendars of key employees

Consider this large-company anecdote, possibly applicable to smaller firms, too: in a 2003 sex discrimination/retaliation suit brought against UBS Warburg, the plaintiff sought emails in discovery. The archived emails cost $175,000 to restore and produce, an expense borne solely by the defendant.

The Virtues of Voluntary Compliance

Following basic corporate governance best practices -- even when you're not required to -- can pay off in a number of ways:

  • The information on which your business depends will be more accurate and more timely, since you'll be working with just one version of company financial and operational data -- which will be available in real time to you, other decision-makers, and your auditors.
  • Financial processes will be streamlined and your company's financial information will be more reliable, making your business more attractive to potential customers and partners.
  • You'll create a better audit trail and will reduce auditing costs because data can be more easily tracked.
  • Your company will enjoy lower fraud risks because unauthorized data access has been made more difficult.
  • Your business processes will become more efficient and your controls will work better as you standardize reports, automate manual activities, and consolidate or eliminate redundant workflows.
  • Your business will be able to respond more quickly to opportunities and challenges, thanks to more accurate information being made available to the right people at the right time.
  • Similarly, embracing the practices and technologies supporting data privacy and protection standards will help your company avoid the legal and competitive liabilities of violating (intentionally or not) the rights of customers and employees.

Thus for all the hassle of regulatory and standards compliance, there is a silver lining: you'll have much better tools with which to manage and protect your resources, monitor your business, and control employee actions. Combined, that all adds up to a competitive edge.

Endnotes

[3-1] Compliance IT to sport double-digit growth through 2009, InformationWeek smallbizpipeline, March 2005.
[3-2] The impact of Sarbanes-Oxley on private companies, Foley & Lardner LLP, 2005.

For more information on CA's small and medium business solutions, please visit ca.com/smb.

Copyright 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document "AS IS" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. Inc. and Inc. 500 are registered trademarks owned by Gruner + Jahr Printing & Publishing Co. MP282980605

This story was editorially selected as relevant and is used with permission from CA. PC World received no compensation for posting this article.


©2008 About.com, a part of The New York Times Company. All rights reserved.