The long arm of compliance: how SMBs can effectively manage various requirements.


When one hears the word compliance, the initial thought that often comes to mind is of laws and regulations that guide well-known, publicly held companies. The reality is that compliance reaches farther than large, public companies. It affects businesses of all sizes in various industries, including both publicly held and private small and medium-sized businesses (SMBs).

Certain industry-specific compliance requirements can affect SMBs, such as HIPAA (the Health Insurance Portability and Accountability Act), which demands that all U.S. healthcare providers--from the smallest private doctor's office to the largest public hospital--protect the privacy of patient data and be able to prove they've done so. Similarly, SMBs operating in the financial services sector are governed by various U.S. Securities & Exchange Commission (SEC) regulations that require compliance from small brokerage houses and financial services firms. At the same time, small banks and even certified public accountants (CPAs) must deal with issues such as the Gramm-Leach-Bliley Act and the Basel II Accord. The U.S. Patriot Act meanwhile impacts trading and financial services companies irrespective of size, as it aims to prevent terrorism and money-laundering by requiring that businesses are able to identify potentially suspicious customers and activities. Compliance requirements in the form of environmental laws further extend to manufacturers of pharmaceuticals and other products, while businesses transporting goods must now comply with U.S. Department of Homeland Security regulations.

The Sarbanes-Oxley Act (SOX) is particularly far-reaching and requires--among other things--that a business's relevant financial reports be certified by both the CEO and CFO. SOX not only affects publicly-held SMBs, but can also indirectly affect SMBs that are privately-owned and aspire to go public or be acquired. In many cases, SOX can affect private SMBs that simply want to do business with public companies governed by SOX.

The pressure SOX has exerted on SMBs prompted the SEC to delay the deadline to July 2007 for SMB compliance with SOX Section 404, which requires companies to report on the state of their internal controls. A 2005 study by Foley & Lardner LLP showed that 87 per cent of private companies (which are not required to comply with SOX) reported that SOX affects their businesses, and 78 per cent had voluntarily implemented compliance reforms due to directives from the board, lenders, insurers or auditors.

New laws and standards are raising the bar on all business behavior, and complying with those guidelines will determine whether companies stay in business or close the doors. SMBs often face resource challenges as they strive to comply with various regulations. By implementing a few best practices and standard technologies to support the business, SMBs can establish a framework for compliance.

Setting a Baseline and Best Practices

The intrinsic role of information technology (IT) in compliance cannot be stressed enough--at the heart of every compliance effort is a sound IT infrastructure. As SMBs initially address compliance, they should first evaluate the IT systems that will figure largely into their overall compliance strategy. Having the proper infrastructure in place will greatly simplify the process and maximize their efforts.

By asking a few simple questions, an SMB can determine if it is meeting some of the basic compliance elements; identify compliance areas that it needs to address; and establish a starting point for action.

* Do you know what will happen to your business operations if parts of your networks or systems fail?

* Are your systems and networks protected against viruses and other malware?

* Do you have ways to authenticate everyone who accesses your information systems and data?

* Can you monitor how your IT network is used and by whom?

* Do you have the means to track security incidents?

* Is your data protected against tampering, and can you detect when a record or backup has been altered? (No data is truly tamper-proof; what an auditor needs is tamper-evidence.)

* Is your key data backed up off-site?

* Have you protected "unstructured" data--that is, the e-mails, spreadsheets, and other documents on your employees' desktop systems?

* Do you have company-wide e-mail archiving capability?

* How long does your data need to be archived and how quickly must you be able to retrieve it?

* Can you show/prove that you are in compliance?
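Several of the questions above (tamper detection, off-site backups, archive retention and being able to prove compliance) come down to one practical control: a sealed inventory of what was backed up, so that an auditor can later show the set is complete and unchanged. The script below is an added example and is not code from the original article or from Computer Associates. It builds a manifest of SHA-256 digests for a backup set, seals the manifest with an HMAC, and then verifies the set, reporting edited, missing and unlisted files, and a manifest that was rewritten without the key. The file names and contents are constructed for the demo, and the key is hard-coded only so the example runs offline; in practice the key is kept apart from the backup media (a secrets store or HSM), otherwise whoever can alter the backup can also re-seal it.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption for the demo: in a real deployment this key lives outside the
# backup set (secrets store / HSM). It is hard-coded here only to run offline.
MANIFEST_KEY = b"example-manifest-key-do-not-reuse"
MANIFEST_NAME = "MANIFEST.json"


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(entries: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding, so any change to the listing changes the tag."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes = MANIFEST_KEY) -> dict:
    """Record a digest and size for every file under root, then seal the listing."""
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel == MANIFEST_NAME:
            continue  # the manifest never lists itself
        entries[rel] = {"sha256": _sha256_file(path), "size": path.stat().st_size}
    return {"files": entries, "hmac_sha256": _seal(entries, key)}


def verify_manifest(root: Path, manifest: dict, key: bytes = MANIFEST_KEY) -> list:
    """Return findings; an empty list means the backup set matches the sealed manifest."""
    findings = []
    expected = _seal(manifest["files"], key)
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        # The listing itself was altered (or re-sealed with a different key);
        # nothing below could be trusted, so stop here.
        findings.append("manifest: HMAC mismatch (manifest altered or wrong key)")
        return findings
    present = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()} - {MANIFEST_NAME}
    for rel, info in manifest["files"].items():
        if rel not in present:
            findings.append(f"{rel}: missing")
        elif _sha256_file(root / rel) != info["sha256"]:
            findings.append(f"{rel}: content changed")
    for rel in sorted(present - manifest["files"].keys()):
        findings.append(f"{rel}: not in manifest (added after sealing)")
    return findings


def write_manifest(root: Path, manifest: dict) -> None:
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True, indent=2))


def read_manifest(root: Path) -> dict:
    return json.loads((root / MANIFEST_NAME).read_text())


def demo() -> dict:
    """Constructed backup set: seal it, then tamper three ways and show each is caught."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger").mkdir()
        (root / "ledger" / "2005-q3.csv").write_text("acct,amount\n1001,250.00\n")
        (root / "mail-archive.mbox").write_text("From: cfo@example.com\n\nQ3 close\n")
        write_manifest(root, build_manifest(root))
        results["clean"] = verify_manifest(root, read_manifest(root))
        # 1. a record is quietly edited after the backup was sealed
        (root / "ledger" / "2005-q3.csv").write_text("acct,amount\n1001,25.00\n")
        results["edited"] = verify_manifest(root, read_manifest(root))
        # 2. an archived mailbox disappears
        (root / "mail-archive.mbox").unlink()
        results["deleted"] = verify_manifest(root, read_manifest(root))
        # 3. someone regenerates the manifest to hide the edit, but lacks the key
        write_manifest(root, build_manifest(root, key=b"wrong-key"))
        results["forged"] = verify_manifest(root, read_manifest(root))
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, "->", findings or "OK")
```

Run the manifest build when a backup is taken and the verify step when the backup is restored or audited; the findings list is the evidence trail for the "can you prove it" question, and the HMAC check is what stops a tampered listing from vouching for tampered data.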

Regardless of the particular regulations and standards that affect your business, and even if you answered "yes" to many of the questions above, you can simplify compliance and make the best use of your compliance resources by adopting several best practices as a starting point:

* Get legal advice about what regulations your business is subject to and what you need to do to ensure compliance. This will help SMBs maximize resources and devote effort to the areas that matter most to the business.

* Figure out what kind of--and how much--risk your business can handle, and prioritize the risks and vulnerabilities in need of remediation.

* A risk assessment will help determine where compliance resources are most needed and allow a business to focus on the areas that will have the most impact on operations.

* Create and document an information security policy for your business and ensure employees are trained and educated about it.

Computer Associates and the research group Quocirca recently surveyed 240 senior managers from U.S. and European SMBs and found that SMBs do not regularly engage in periodic security reviews, proactive patch management, or testing of data backup and recovery systems. A policy should be established that addresses both physical and digital security issues. The policy should assign responsibility for information security and determine how security events are reported and documented.

* Establish business continuity management procedures and systems.

Good business continuity plans and procedures ensure business operations are resilient, the impact on customer service is minimized, financial losses are reduced and regulatory compliance is maintained.

* Protect operational data, business records and the privacy of personal information.

This includes restricting access to the data and backing it up so that you have copies should originals become corrupted or lost.

* Create and enforce an e-mail policy.

An e-mail policy should specify not only proper employee use of the system, but also establish guidelines on archiving e-mail, how quickly the archives can be recalled, the format in which e-mails are saved, and so on. This is especially important from an auditing perspective, and it demonstrates a business's ability and proactive efforts to protect critical unstructured data.

Three areas of technology can help SMBs implement best practices to bring a business closer to compliance and to address the compliance questions asked above.

* Security software protects SMBs against errors (accounting-based and otherwise) or malicious acts. These programs include user authentication, encryption, anti-spyware, anti-virus, and per-user passwords.

* Data storage and backup/recovery systems help SMBs get on-demand access to business information and maintain accurate historical data that's easy to retrieve when required.

* An up-to-date communications infrastructure enables SMBs to support real-time collaboration and data access both within the business and with partners, suppliers and regulators. This includes company-wide local area networks (LANs) as well as broadband wide area networks (WANs) for inter-company activities; PC migration tools to ease transfer of data between disparate desktop systems, and accurate and timely reporting software.

As SMBs grapple with implementing the appropriate level of controls, they should consider the positive effect that those procedures can have on the business's bottom line. For example, a business can become more agile by having the right information available at the right time, thanks to process and IT improvements that deliver automated reports and streamlined workflows.

The data backup required by compliance makes an SMB more resilient to disaster because of improved records retention and data recovery mechanisms. In his book Disaster Recovery Planning: Managing Risk and Catastrophe in Information Systems, IT veteran Jon Toigo wrote that companies that suffer outages and are inoperative for more than 10 days never make a full financial recovery, and more than 50 percent of those firms go out of business within five years. An SMB's financial operations will also be streamlined, which reduces the chance for errors, and there will be a better audit trail, which will help reduce auditing costs.

Integral to any successful compliance initiative is a comprehensive strategy in which SMBs recognize the value of their data and take steps to sufficiently protect it. The benefits gained by such data protection initiatives go beyond compliance to deliver real operational and business benefits to the business.

David Luft is senior vice president, product development at the SMB program office, Computer Associates (Islandia, NY).

www.ca.com
COPYRIGHT 2005 West World Productions, Inc.

Article Details
Title Annotation:Special Section
Author:Luft, David
Publication:Computer Technology Review
Date:Oct 1, 2005
Words:1375