Often these specialists can be brought in once, to set up the system, and then consulted minimally thereafter. “It’s an ongoing effort,” Olejnik says, “but the majority of the heavy lifting is done while you’re getting a solid information technology and information security program in place. The ongoing maintenance and testing, while there is an effort and it requires executive sponsorship and governance, is more sustainable. The effort is less to sustain the program than it is to create it from scratch.”
Get With the Program
One of the reasons IT is so intimately involved with compliance is that, increasingly, compliance functions are managed via software. Without some kind of software that creates an audit trail, a company might be in line with regulations such as Sarbanes-Oxley, but it’d be hard-pressed to prove it. It helps to have a record of everyone who accesses or makes changes to the firm’s databases.
Alamri notes that many companies already have a lot of the pieces of a compliance management system in their existing software packages; the pieces just aren’t organized as a unified entity. “Many companies have some kind of identity management [also called password management or secure log-on] within their organization,” she says. “But they may not have spent a lot of time on policies or rules.
“Or it may be that, like many really large companies, they’re custom-developing a lot of applications,” she adds. “Yet they haven’t really thought about putting security or compliance requirements into the development life cycle.” In those cases, developers need to learn the applicable requirements so that they can implement the proper controls and prevent unauthorized parties from accessing the company’s information. This should occur as part of a companywide effort to organize compliance tasks.
Although it’s possible to do compliance processes manually, Borman believes larger companies may have trouble keeping up unless they automate. “Imagine a shelf of three-ring binders with each department’s policies or procedures or documents,” he says. “To implement these policies manually, they’ll e-mail Word documents around and try to track everything in Excel. That process works on a small scale, but as you start to have bigger compliance requirements, things start to fall through the cracks. Software helps to prevent anything falling through the cracks by creating repeatable, predictable compliance processes and an electronic audit trail. And the increased use of software to help do that is creating an increased IT involvement in the whole process.”