“Increasingly, different functional areas in a company have different regulations they have to comply with,” says Michael Borman, COO of StoneArch Software, a compliance and risk management software company in Minneapolis. “Finance may have to show compliance with financial-related regulations such as Sarbanes-Oxley. Operations may have to be compliant with [International Organization for Standardization or ISO] programs at the corporate level. IT may have to show compliance with privacy initiatives. Typically, the functional areas are responsible for verifying that they’re following the regulations they have to sign off on. And IT plays a varying role in helping them do that, through deploying tools that make it easier or less complicated.”

Recently, CIO magazine estimated that companies are spending $8.40 out of every $100 of IT budget on IT security. That’s a significant figure. And it’s not confined to just the largest firms, or to a few types of companies that work in highly regulated areas. That’s because of what Jeff Olejnik, president of information security company Assurity River Group in New Brighton, calls a trickle-down effect.

“If you want to do business with someone—for example, to be a vendor for Wells Fargo—they’re going to require that you have the same, if not better, security controls in place as they do,” he says. “They need to be sure you can secure their corporate information in a way that keeps them in compliance.”

Jungbauer concurs. “If you had asked me five years ago,” he says, “I would have said that compliance issues applied disproportionately to the traditional industries that have always been heavily regulated: banking, insurance, finance, health care, and so on. The reality is, it is much broader. A few years ago, California adopted a law [Section 1798.80 of the Civil Code] that regulates use of personal information, and now there are approximately 30 states that have adopted similar laws. It’s going to hit everyone. If you collect any information about your customers or employees, you will be at risk of a breach, and there will be rules that apply to you.”

And every company’s ability to respond to compliance issues will vary. On one hand, Kuula says the burden tends to be heavier on larger companies, and that large firms may have to expend more resources on compliance because their volume is higher and their organizations are more complex. On the other hand, smaller companies may be less well-equipped to manage audits and store information.

Find It and Fix It

What, exactly, do compliance efforts involve? In some industries, the majority of the work has to do with testing for security loopholes. Denning Compliance Services, LLC, in Victoria, conducts a variety of tests on the information systems of small financial institutions.