IT Pros Take Control of Compliance
Technology editor Peter Coffee recently spoke with members of the eWEEK Corporate Partner Advisory Board about their experiences as they work toward attaining and maintaining compliance with the various regulations affecting their industries.
The burdens of achieving enterprise compliance with expanding regulatory and legislative mandates are obvious; the means of meeting them, and even the possible dividends, are less so.
Coffee spoke with Robert Rosen, CIO of the National Institute of Arthritis and Musculoskeletal and Skin Diseases, in Bethesda, Md.; Kevin Baradet, chief technology officer at the Johnson School of Management at Cornell University, in Ithaca, N.Y.; Tom Miller, senior director of IT at FoxHollow Technologies, in Redwood City, Calif.; and Ed Benincasa, vice president of MIS at FN Manufacturing, in Columbia, S.C.
Following are excerpts from that conversation. (eWEEK Labs recommends how to leverage existing technology to meet compliance needs.)
Bob, at the National Institute of Arthritis and Musculoskeletal and Skin Diseases, which is part of the National Institutes of Health, youre used to working under fairly strict guidelines in terms of whats known and whats disclosed to whom. I wonder, are you seeing a big change in the way you have to do things, or are new compliance demands just a matter of some different check boxes and some different names on documents?
Rosen: Weve always had a lot of requirements on us. I think whats different now is that theres a lot more upper-management attention paid to it. We used to be the lone voice in the wilderness, crying out about doing better things with security, and so on, and I think the message has finally gotten across. Now, were seeing it coming the other waypeople asking us, Have you done this? Have you done that? Thats a good thing.
The second part of the problem, though, is that NIST [National Institute of Standards and Technology] has been putting out an awful lot of security guidelines, and sometimes theyre written in an ivory tower vacuum. So we end up doing a lot of things that I dont think add a lot of value. Not that theyre bad, but they are increasing our costs significantly.
Are these things that people are requesting to make sure that all is are dotted and all ts are crossed? Or are they things that are actually required by the rules that are being written but wind up being redundant because the rules are really asking for two or three different things with one common purpose?
Rosen: A combination of all of the above. [NISTs] Certification and Accreditation Process essentially reduced to paper the things we do that are just good practices. But they do it to an excessive level of detail, which all has to be documented. Ultimately, the emphasis weve had on security has really been a good thing. People have come to recognize the importance of it.
Kevin Baradet, the next environment I think of when I think of people dealing with a very stringent level of documentation in terms of how data is handled and to whom its revealed is the education sector. At the Johnson School of Management at Cornell, are you, like Bob, just getting a new set of codifications of things youve been doing already, or have there been operational effects as well as document certification costs?
Baradet: I think its more along the lines of what Bob has saidweve been doing a lot of it already, but the auditors are now looking at everything a lot more closely. So, there are customer service things that weve been doing for the last eight or 10 years that we probably have to stop doing because of issues the auditors have with the way things like passwords are being set, as well as information disclosure.
Thats interesting, and thats not something Ive heard before. Are you saying that youre not sure youre going to be able to do things you used to do before to make life easier for users?
Baradet: Well be able to do them; its just going to take a lot more time, and it wont be as convenient.
Tom Miller, what is going on with you in terms of the impact of compliance issues in your organization, FoxHollow Technologies?
Miller: We just completed our first year of Sarbanes-Oxley compliance, particularly around Section 404, and we also have ongoing compliance with the Food and Drug Administration for 21CFR Part 11 [Title 21 of the Code of Federal Regulations; Part 11 defines the FDAs requirements for electronic records and signatures].
I think we took it a little bit differently and saw compliance as an opportunity to define and optimize our business processes and IT operations, and not just as an unfunded or partially funded mandate. So, with that, were able to deal with the cultural shift that needed to occur both in IT and in the rest of the organization, even though some people may have had experience with compliance regulations in other life science companies or things like that.
What we really did was a lot of trainingwe implemented a formalized audit review cycle, we focused very heavily on change management and on testing. We also built out a lab, where we can test a lot of things that we would want to do in our production environment without compromising our testing environment. We also appointed a compliance officer. [Compliance] is not his sole duty, but part of his duties is to look at all compliance issues. He also specializes in security.
When you appointed a compliance officer, did you put a new hat on an existing C-level officer, and, if so, was that person a technologist or a financier? Where did you find that person?
Miller: This came out of IT at a lower level. Were a 600-person company, and to get someone at a C level as a compliance officer is something we just couldnt do. We have a committee that will review a lot of the things that come out of IT, and particularly out of compliance, but we elected to go more at the operational level. Then, as the business grows, well look at adjusting it at the senior level.
But you brought that function up out of the technology area instead of making someone in the corporate counsels office, for example, the compliance officer.
Miller: That is correct.
OK, hes a technologist rather than a lawyer.
Miller: Thats correct. One of the challenges of working with our auditors is, when issues come up, we really need to educate the auditors on size-specific issues. So, with a company of 10,000 or 15,000a very large enterprisethere are things that you can do, particularly around segregation of development and production environments, that you cant do at a 600-person company. So, thats sort of been an ongoing challenge of educating the auditors to understand what you can do at a smaller company.
Weve gone ahead and used technology to our advantage. We purchased a product from Ripple-Tech called LogCaster that helped us with our Sarbanes-Oxley compliance. Were able to provide auditors with electronic output of whats happened when theyre doing their auditing. Were also looking at business process management tools to automate the change management process.
I was asked the other day if I thought there was any return-on-investment proposition in achieving compliance. Youre a relatively entrepreneurial operation, with an agile approach to your resources, so Ill ask you: Has shaking the tree of your business processes produced any opportunities for consolidation or streamlining of economies that you might not have been able to achieve without that wedge?
Miller: Definitely around Sarbanes-Oxley because we partnered heavily with our finance organization, and we reviewed a lot of the basic business processes that happen within the company. Then we refined a number of controls that are in place, and, therefore, we really were able to do a lot of basic functions faster by agreeing that, by refining the processes, there would be fewer checkpoints we would need. And, therefore, [we] were able to achieve compliance that much faster.
So, perverse and paradoxical as it might seem, the cost of control and making approval points explicit may be a little bit bigger because of the documentation associated, but it has given you a wedge to maybe reduce overall costs in the process?
Miller: Yes, and that comes back to my opening statementthat we saw compliance more as an opportunity than a mandate.
Ed Benincasa, you must have to adhere to a lot of different mandates in the areas in which you work at FN Manufacturing.
Benincasa: Were privately held, so not everything applies to us, but since we [work with the] Department of Defense and we work in firearms, there are State Department regulations, import/export issuesa lot of things that we do have to comply with.
Did you introduce the compliance requirements and mandates on the IT side through existing mechanisms, or did you bring them up in kind of a parallel operation?
Benincasa: We dont have a specific compliance officer. We have a contract function that works with the government, and part of that is understanding the regulations. So it isnt necessarily a particular person or function. Theres a lot of data tracking for State Department regulations.
Is there anything that any of you would like to do at your organizations thats being held up by compliance demands?
Benincasa: We have been wanting to update our ERP [enterprise resource planning] system to a newer version, but because of the RFID [radio-frequency identification] program [coming into compliance with the Department of Defenses RFID requirements], resources have been devoted to that, and weve been unable to proceed with the upgrade. Were going to try again this year, and we think were starting to get over the hump, but we did have to divert resources.
What are you having to do that youve never had to do before that touches every single user in the organization, in terms of orientation and verification that theyve been given certain mandates and so on?
Rosen: Weve gone to a lot of online training thats mandatorywe track it. Its turned out to be a fairly foreign notion: You told me to take it, but youre actually going to check?
Check out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.