The Case for Compliance Management
Doing business today means managing data, lots of data, and being responsible for that data and how it is used. That is what it means to be fully compliant. You need to know what types of data you store, how your users manipulate that data, and whether (and how) your users send that data outside your organization. You also need to make sure that no sensitive data leaks during the course of normal business operations. In addition, you need to be able to show others that you know what is happening to your data.
This is easy to do if you know where your data is stored. With a financial database, you know what the purpose of the database is and what types of information it stores. But when you take other kinds of databases, operational databases that are used to run your systems, you cannot be sure what they contain or how the data is used. Take for example an email system such as Microsoft Exchange. This system runs on top of a database. That database stores all of your users’ messages, their calendars, their contact lists and much more. In addition, through attachments, the Exchange database comes to hold external data that has nothing to do with the email system itself. So now you have a very large database, in many cases the largest database in your organization, and you are not sure what type of information it contains or, worse, what type of information it may leak to the outside.
Yet you must maintain your vigilance and remain compliant with the regulations that affect the type of business you run. How can you make sure your systems run efficiently and, at the same time, make sure your users remain compliant with every regulation that applies to you?
It is your Information Technology (IT) group’s responsibility to manage compliance, right? Not necessarily. True, your IT group is responsible for putting your electronic systems in place and keeping them running. But it does not follow that the IT group should be responsible for making sure your organization remains compliant. In fact, it is the business side of the organization that must take responsibility for compliance. IT is there to assist in the process and to provide the tools that help you manage compliance.
Regulations have become an everyday part of life both at home and abroad. Regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the Patriot Act and others affect how you do business and shape your everyday operations. Wouldn’t it be nice if you could implement systems that let you manage these regulations proactively? With technologies such as Exchange 2013 and its Data Loss Prevention feature, it is possible to do just that. However, you need more than proactive compliance management: you also need to be able to mine the data these systems capture, so you can identify patterns of compliance, make projections and report on just how well your organization meets the demands of these regulations.
Compliance Obligations at Home and Abroad
The first place to start when implementing a proactive compliance management system is to determine just what you need to do to meet the demands of each regulation that affects you. Let’s look at the most common acts that may affect you and your organization.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) has had a major impact on how health care providers do business electronically. The implications of this act are not limited to the providers themselves but also extend to their business partners. The act addresses four particular areas of electronic health care provision:
- Electronic transactions and code sets
- Security of the systems
- Use of unique identifiers for patients
- Privacy of patient and other critical information
Not all operations need to be performed electronically, but if they are, they must be performed in accordance with the standard formats outlined in the act. If you contract a third-party organization to conduct a service for you, for example electronic billing, it remains your responsibility as the health care provider to ensure that the third party complies with the requirements of the act. HIPAA applies to any organization that conducts one of the following in relation to health care:
- Payment or remittance advice
- Claims status inquiry or response
- Eligibility evaluations
- Referral authorizations
This means that if your organization falls into this category, you need to be fully aware of the documents contained in your systems and of how your systems and processes protect the information that could put you at risk. In fact, you must do the following:
- Notify patients about their privacy rights and how their information may be used
- Adopt and implement privacy procedures
- Train employees in your privacy procedures
- Designate an individual as the privacy official responsible for overseeing how these rules are adopted and followed
- Secure patient records containing information pertaining to specific individuals
In addition, all covered organizations and their business associates must give notification of a breach of unsecured protected health information if and when one occurs. It is best to avoid such a breach altogether, and a proactive protection system goes a long way toward preventing one.
The Sarbanes-Oxley Act
Probably the single most important act affecting information technology in organizations of all sizes is the Sarbanes-Oxley Act. This act targets both the regulation of financial practice and corporate governance. It requires that all public organizations demonstrate due diligence in the disclosure of financial information.
In addition, organizations are responsible for implementing internal controls and procedures that ensure their data is protected at all times. This includes protection of the data during transmission as well as where and how the data is stored. It is section 404 of the act in particular that applies to IT controls. This section, entitled “Management Assessment of Internal Controls”, requires that each annual report of a publicly traded organization contain an internal control report. This report must:
- State the responsibility of management for establishing and maintaining the internal control structure and the procedures for financial reporting.
- Contain an assessment of the effectiveness of the internal control structure and procedures used for financial reporting.
You must also indicate whether you have adopted a code of ethics for senior financial officers and, if you have, disclose the contents of that code. In the case of an audit, you must give the auditors documented evidence of how data is stored and protected, and identify the internal controls you have applied to that data. Implementing a proactive compliance management system, together with the ability to report on the activities of that system, helps organizations stay compliant with this very important act.
The Patriot Act (US)
An act that affects all organizations in the U.S. is the Patriot Act. Its purpose is to deter and punish terrorist acts in the United States and around the world, and to enhance law enforcement investigatory tools. Its financial goals are to control and prosecute money laundering and the financing of terrorist activities, to subject foreign financial institutions that may be susceptible to criminal abuse to closer scrutiny, and to help prevent the abuse of the U.S. financial system by foreign interests.
While the act’s main goal is to grant additional powers to American institutions that help protect the country against terrorism, it also affects the everyday operations of organizations of all sizes. If your organization is financial in nature, your record-keeping practices must be enhanced to comply with the act. In fact, you need to gather an unprecedented amount of personal information from your customers and secure it properly. You must also be able to provide this information, and an account of how it has been used, to the authorities should they request it.
For businesses large and small, this act imposes significant reporting and record-keeping requirements, requirements that may have an impact on your business’ profits as well as reduce the effectiveness of your customer relations, because they take resources away from that aspect of the business.
Once again, implementing a proactive measure for compliance with this act can help reduce its impact on your business. If your users are told that they may be in violation of the act before they actually violate it, this educates them on their responsibilities and greatly reduces the impact of compliance on your business as a
The Gramm-Leach-Bliley Act (GLBA)
If you are a financial institution, you need to safeguard the confidentiality and integrity of your customer information. This is no longer just a best practice; it is a legal requirement, enforced by the Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act. This act mandates that your institution establish appropriate security standards to protect private customer and employee data from internal and external threats. The data must also be fully protected from unauthorized access.
In practice this means a complete and accurate audit trail of all events related to this data, as well as well-documented configuration information for the systems you put in place to protect it.
The GLBA gives certain federal agencies and each state the authority to administer and enforce two regulations: the Financial Privacy Rule and the Safeguards Rule. These rules apply to financial institutions, which, according to the Federal Trade Commission, include not only banks, securities firms and insurance companies, but also companies providing other types of financial products and services to consumers. These products and services include lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities.
PIPEDA (Canada)
Other countries such as Canada have also implemented measures to protect personal information and secure it from prying eyes. The Personal Information Protection and Electronic Documents Act (PIPEDA) is one such example. The purpose of this act is to establish rules governing the collection, use and disclosure of personal information in the course of commercial activities. This broad-reaching act affects businesses, not-for-profit organizations and the health care industry.
Basically, all organizations affected by this act must take reasonable steps to safeguard the personal information in their control from risks such as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction. The first step toward compliance with this act is making sure your organization does not capture personal information that is not necessary for conducting your business. For example, if your firm does not need a person’s government identification number (in Canada, the Social Insurance Number), then you become compliant simply by not collecting it in the first place. However, if you do need that number for the purpose of your business with an individual, then you must make sure it is stored securely and does not leave your premises.
HRIP Act (Australia)
Like many other countries around the world, Australia has implemented protection acts for private information. The Health Records and Information Privacy Act 2002 (HRIP Act) of New South Wales is one such example. This act governs the handling of health information by private and public hospitals, doctors and health care organizations, as well as by any other organization that stores any type of health information. For example, universities undertaking health research, or fitness centres that record a person’s health performance over time, are also obliged to protect the information they store.
The act is composed of 15 health privacy principles that help govern how organizations collect, store, access, use, disclose and potentially transfer the information. It also affects the accuracy of the information as well as the type of identifiers used and the respect for anonymity of the persons targeted by the information.
The Privacy Commissioner has the power to investigate any organization about which a complaint is received and, should the organization be found non-compliant, to enforce the regulation. While organizations can comply reactively with the act, a proactive compliance measure greatly enhances the organization’s ability to comply, since it puts compliance directly in the hands of the people who manage and manipulate the information: the users.
Personal Identity Information
Several countries around the world have implemented measures to help protect Personal Identity Information (PII). PII usually consists of a person’s name or initials linked with any one other item of personal information, such as a driver’s license number, Social Security number, identification card number, credit card number, financial institution account number and so on.
While implementations of PII protection differ around the world, most rely on the same basic principles:
- The secure deletion of the information once its business purpose has been fulfilled. This means that all instances of the information must be deleted including drafts or older versions of a document containing the information, emails and attachments containing the information, and any other location that could include the data during processing.
- The ability to detach the PII from any particular identifiable source, basically rendering an instance of PII unusable.
- The ability to protect all PII while in use, whether it sits on a USB stick, on a corporate computer or, worse, on a personal or home computer. Encryption at rest is the best protection at this stage.
- Encryption of the data during transmission.
PII is one of the types of information most commonly found in email, and email therefore lends itself perfectly to a proactive compliance management system. There is no better tool than a Data Loss Prevention tool to protect this data. When a user is about to send a message containing PII, the Exchange email system can warn him or her that the message could violate the organization’s rules. The user then has the opportunity to decide how to correct the instance of PII before sending the message.
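The check a DLP policy performs before a message leaves is worth seeing in code. The following is an added example written for this page, not Exchange code and not the author’s: it scans a message body for two PII classifications (US Social Security numbers, and payment card numbers validated with the Luhn checksum so that random digit strings are not flagged), then applies an outbound rule in the spirit of an Exchange 2013 policy tip: warn the sender when the match stays inside the organization, block when a recipient is outside it, and allow a block to be overridden with a recorded justification. The company domain, the sample messages and the redaction format are all constructed for the example.

```python
"""Toy outbound-mail DLP check (added example, not Exchange code).

Classifies a message body for US SSNs and Luhn-valid payment card numbers,
then decides allow / warn / block the way a DLP policy tip would.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical company domain; anything else counts as "outside the organization".
INTERNAL_DOMAIN = "example.com"

# US SSN in AAA-GG-SSSS form, excluding ranges the SSA never issues
# (area 000, 666 and 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card numbers: 13-16 digits optionally separated by spaces or
# hyphens.  Over-matches on purpose; luhn_ok() filters the false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    value: str   # matched text exactly as it appeared in the message


def classify(body: str) -> List[Finding]:
    """Return every PII match in the body, in order of appearance."""
    findings = [Finding("ssn", m.group()) for m in SSN_RE.finditer(body)]
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(Finding("card", m.group()))
    return findings


def redact(value: str) -> str:
    """What the policy tip shows the user: all but the last four digits masked."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def check_outbound(sender: str, recipients: List[str], body: str,
                   override: Optional[str] = None) -> Dict:
    """Apply the rule: no PII -> allow; PII to internal recipients -> warn;
    PII to an external recipient -> block, unless the sender supplied an
    override justification, which is allowed but recorded for audit."""
    findings = classify(body)
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
    if not findings:
        action = "allow"
    elif not external:
        action = "warn"
    elif override:
        action = "allow_with_override"
    else:
        action = "block"
    return {
        "sender": sender,
        "action": action,
        "external_recipients": external,
        "findings": [(f.kind, redact(f.value)) for f in findings],
        "override": override,
    }


# Constructed sample messages: (sender, recipients, body).
SAMPLE_MESSAGES: List[Tuple[str, List[str], str]] = [
    ("alice@example.com", ["agent@partner-insurer.net"],
     "Per your request, the applicant's SSN is 219-09-9999 and DOB 1980-01-02."),
    ("bob@example.com", ["finance@example.com"],
     "Charge the deposit to 4111 1111 1111 1111, exp 12/27."),
    ("carol@example.com", ["vendor@supplier.org"],
     "Order reference 4111 1111 1111 1112 shipped today."),   # fails Luhn
]


def run_samples() -> List[str]:
    """Decision for each constructed sample, in order."""
    return [check_outbound(s, r, b)["action"] for s, r, b in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for sender, rcpts, body in SAMPLE_MESSAGES:
        print(check_outbound(sender, rcpts, body))
```

The Luhn filter is the part most toy DLP rules omit, and it matters: without it the third sample, an order reference that merely looks like a card number, would be blocked and the user taught to ignore the warnings. The override path is deliberately recorded rather than silent, because an auditor will ask who sent PII outside the organization and why.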
Information technology (IT)
Information technology (IT) is the application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data, often in the context of a business or other enterprise. The term is commonly used as a synonym for computers and computer networks, but it also encompasses other information distribution technologies such as television and telephones. Several industries are associated with information technology, such as computer hardware, software, electronics, semiconductors, internet, telecom equipment, e-commerce and computer services.
In a business context, the Information Technology Association of America has defined information technology as “the study, design, development, application, implementation, support or management of computer-based information systems”. The responsibilities of those working in the field include network administration, software development and installation, and the planning and management of an organization’s technology life cycle, by which hardware and software is maintained, upgraded and replaced.