The long arm of compliance: how SMBs can effectively manage various requirements.
Certain industry-specific compliance requirements can affect SMBs, such as HIPAA (the Health Insurance Portability and Accountability Act), which demands that all U.S. healthcare providers--from the smallest private doctor's office to the largest public hospital--protect the privacy of patient data and be able to prove they have done so. Similarly, SMBs operating in the financial services sector are governed by various U.S. Securities and Exchange Commission (SEC) regulations that require compliance from small brokerage houses and financial services firms. At the same time, small banks and even certified public accountants (CPAs) must deal with issues such as the Gramm-Leach-Bliley Act and the Basel II Accord. The U.S. Patriot Act, meanwhile, affects trading and financial services companies irrespective of size, since it aims to prevent terrorism and money laundering by requiring that businesses be able to identify potentially suspicious customers and activities. Compliance requirements in the form of environmental laws further extend to manufacturers of pharmaceuticals and other products, while businesses transporting goods must now comply with U.S. Department of Homeland Security regulations.
The Sarbanes-Oxley Act (SOX) is particularly far-reaching and requires--among other things--that a business's relevant financial reports be certified by both the CEO and the CFO. SOX not only affects publicly held SMBs but can also indirectly affect privately owned SMBs that aspire to go public or be acquired. In many cases, SOX can affect private SMBs that simply want to do business with public companies governed by SOX.
The pressure SOX has exerted on SMBs prompted the SEC to delay the deadline for SMB compliance with SOX Section 404, which requires companies to report on the state of their internal controls, to July 2007. A 2005 study by Foley & Lardner LLP found that 87 percent of private companies (which are not required to comply with SOX) reported that SOX affects their businesses, and 78 percent had voluntarily implemented compliance reforms in response to directives from the board, lenders, insurers or auditors.
New laws and standards are raising the bar on all business behavior, and complying with those guidelines will determine whether companies stay in business or close their doors. SMBs often face resource challenges as they strive to comply with various regulations. By implementing a few best practices and standard technologies to support the business, SMBs can establish a framework for compliance.
Setting a Baseline and Best Practices
The intrinsic role of information technology (IT) in compliance cannot be stressed enough--at the heart of every compliance effort is a sound IT infrastructure. As SMBs begin to address compliance, they should first evaluate the IT systems that will figure largely in their overall compliance strategy. Having the proper infrastructure in place will greatly simplify the process and make the most of their efforts.
By asking a few simple questions, an SMB can determine whether it is meeting some of the basic compliance elements, identify the compliance areas it needs to address, and establish a starting point for action.
* Do you know what will happen to your business operations if parts of your networks or systems fail?
* Are your systems and networks protected against viruses and other malware?
* Do you have ways to authenticate everyone who accesses your information systems and data?
* Can you monitor how your IT network is used and by whom?
* Do you have the means to track security incidents?
* Is your data tamper-proof?
* Is your key data backed up off-site?
* Have you protected "unstructured" data--that is, the e-mails, spreadsheets, and other documents on your employees' desktop systems?
* Do you have company-wide e-mail archiving capability?
* How long does your data need to be archived and how quickly must you be able to retrieve it?
* Can you show/prove that you are in compliance?
Regardless of the particular regulations and standards that affect your business, and even if you answered "yes" to many of the questions above, you can simplify compliance and make the best use of compliance resources by adopting several best practices as a starting point:
* Get legal advice about what regulations your business is subject to and what you need to do to ensure compliance. This will help SMBs maximize resources and devote effort to the areas that matter most to the business.
* Figure out what kind of--and how much--risk your business can handle, and prioritize the risks and vulnerabilities in need of remediation.
A risk assessment will help determine where compliance resources are most needed and allow a business to focus on the areas that will have the most impact on operations.
* Create and document an information security policy for your business and ensure employees are trained and educated about it.
Computer Associates and the research group Quocirca recently surveyed 240 senior managers from U.S. and European SMBs and found that SMBs do not regularly engage in periodic security reviews, proactive patch management, or testing of data backup and recovery systems. A policy should be established that addresses both physical and digital security issues. The policy should assign responsibility for information security and determine how security events are reported and documented.
* Establish business continuity management procedures and systems.
Good business continuity plans and procedures ensure that business operations are resilient, the impact on customer service is minimized, financial losses are reduced and regulatory compliance is maintained.
* Protect operational data, business records and the privacy of personal information.
This includes restricting access to the data and backing it up so that you have copies should the originals become corrupted or lost.
* Create and enforce an e-mail policy.
An e-mail policy should specify not only proper employee use of the system, but also establish guidelines on archiving e-mail, how quickly the archives can be recalled, the format in which e-mails are saved, and so on. This is especially important from an auditing perspective, and it demonstrates a business's ability and proactive efforts to protect critical unstructured data.
Three areas of technology can help SMBs implement best practices to bring a business closer to compliance and to address the compliance questions asked above.
* Security software protects SMBs against errors (accounting-based and otherwise) or malicious acts. These programs include user authentication, encryption, anti-spyware, anti-virus, and per-user passwords.
* Data storage and backup/recovery systems help SMBs get on-demand access to business information and maintain accurate historical data that's easy to retrieve when required.
* An up-to-date communications infrastructure enables SMBs to support real-time collaboration and data access both within the business and with partners, suppliers and regulators. This includes company-wide local area networks (LANs) as well as broadband wide area networks (WANs) for inter-company activities; PC migration tools to ease the transfer of data between disparate desktop systems; and accurate and timely reporting software.
As SMBs grapple with implementing the appropriate level of controls, they should consider the positive effect that those procedures can have on the business's bottom line. For example, a business can become more agile by having the right information available at the right time, thanks to process and IT improvements that deliver automated reports and streamlined workflows.
The data backup required by compliance makes an SMB more resilient to disaster because of improved records retention and data recovery mechanisms. In his book Disaster Recovery Planning: Managing Risk and Catastrophe in Information Systems, IT veteran Jon Toigo wrote that companies that suffer outages and are inoperative for more than 10 days never make a full financial recovery, and that more than 50 percent of those firms go out of business within five years. An SMB's financial operations will also be streamlined, which reduces the chance of errors, and there will be a better audit trail, which helps reduce auditing costs.
Integral to any successful compliance initiative is a comprehensive strategy in which SMBs recognize the value of their data and take steps to protect it sufficiently. The benefits gained by such data protection initiatives go beyond compliance to deliver real operational and business benefits.
David Luft is senior vice president, product development at the SMB program office, Computer Associates (Islandia, NY).
Publication: Computer Technology Review
Date: Oct 1, 2005