October 12, 2010
Compliance is a challenge to every organization, regardless of its size. The goal of regulatory compliance is to provide guidance and accountability so companies have strong, auditable security regardless of where data resides. If implemented correctly, it should help companies manage risk, protect sensitive data and ensure technology investments improve daily operations as intended, while keeping sensitive data compliant. However, the reality is that the requirements of the many laws and acts (e.g. HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley) seem to compete with and contradict one another, and are practically impossible to implement. So, the threat of fines and penalties for non-compliance can assume nightmarish proportions. Therein begins the problem of compliance.
Most organizations are reactive rather than proactive about compliance. Every new regulation has them scrambling to update policies and to put in place processes for enforcing those new policies. Considering the number of new laws written every year, this can be a losing proposition leading to confusion, frustration and non-compliance. As such, it is not surprising that many organizations lose heart and declare that keeping up with customer data compliance is difficult, if not impossible. They bemoan the fact that every act and law demands a different methodology for handling data. Many organizations still resort to manual handling of their data (tape backups, external drives) to meet the different compliance standards. They begin to treat compliance as a checklist to be ticked off for the satisfaction of the audit teams. They consequently put in place processes to comply with one specific requirement and then have to set up additional processes to meet the requirements of others. This makes for a lot of "band-aid" processes that create a tracking nightmare that only gets worse with time.
The root of the problem seems to be in the way organizations handle their online or offline data storage and security, with daily processes that do not meet today's needs, let alone tomorrow's. In many organizations, operations and data security teams are logically separated because they handle different aspects of the work affecting data. For example, the security teams do not have access to the work areas monitored by the operations teams. This often results in an imperfect network monitoring system and an under-optimized, vulnerable network infrastructure. Security teams end up poring over logs when an audit is imminent, and any changes to configuration files between audits go unnoticed by them. Therefore, if an audit points out that something has changed, the security team can be at a complete loss to identify what changed and why.
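The gap described above, configuration changes between audits that nobody notices, is exactly what a file baseline addresses. The following is an added example, not code from the original article or from CoreVault: it records a SHA-256 digest of every file under a directory at audit time, stores that baseline as JSON, and on a later run reports which files were added, removed or modified. The directory layout and file contents (an `sshd_config`, an `app.ini`, a cron job) are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example: a minimal configuration-file baseline check. Paths and file
# contents used in demo() are constructed for this illustration.


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (as a relative POSIX path) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline so the next audit can compare against it."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified relative paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Baseline a constructed config tree, change it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "snapshot"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "old.conf").write_text("retired setting\n")
        (root / "etc" / "app.ini").write_text("[main]\nlevel=info\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Changes made "between audits": one edit, one removal, one new file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "old.conf").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "new-job").write_text(
            "0 2 * * * root /usr/local/bin/rotate-logs\n"
        )

        report = compare_baseline(load_baseline(baseline_file), build_baseline(root))
    return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run against a real configuration directory, `build_baseline` would be invoked once at audit time and `compare_baseline` on every subsequent check; the report gives the security team the "what changed" that the paragraph above says they currently lack, leaving only the "why" to be traced through change records.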
One trend you are beginning to see in the marketplace is fines for companies that lose data through error and fall out of compliance as a result. A recent example was in August, when Zurich Insurance had to pay an enormous £2.3m fine for losing thousands of British people's personal data. The fine was imposed not by the Information Commissioner's Office but by the Financial Services Authority. Zurich Insurance lost 46,000 customer records, including some bank details, when a tape back-up went missing between two sites in South Africa. Even worse, it took a year for Zurich UK to hear about the loss.
Businesses need to look for technology solutions that allow them to automate their processes, improve security, easily track policy adjustments and provide reports for auditing purposes. They should attempt to create an efficient, enterprise-wide business process that blends security and strategy into operations while automating compliance with all laws and standards. In addition, they must learn to appreciate the fact that compliance is a continuous process and not a point-in-time exercise. The good news is that there are cloud solutions available in the marketplace that provide the tools and automation to make this struggle with compliance a lot easier for today's and tomorrow's business needs. The risk and liability for organizations is growing daily along with their data. Your business cannot afford to remain manual and expect to keep up with the increasingly complex regulatory environment in the days, weeks and years to come.
CoreVault, America's most endorsed cloud backup and recovery solution, identifies, protects and manages your business's most valuable asset. Their tailored, managed services automatically store and encrypt your business's critical data off-site at their private data centers, with 24 x 7 customer support. You also get to enjoy technologies and benefits like monitored backups, data deduplication, local storage, 4 levels of data recovery available 24 x 7, continuous data protection (CDP), hosted data services, CBRM-certified engineers and SAS 70 Type II certified facilities.
About the Author: Jeff Cato is V.P. of Marketing at CoreVault, an online data backup and cloud-based data storage company located in Oklahoma.