The InformationWeek -- Blogs



Reporting Health IT Security Compliance Gets Easier


By Marianne Kolbasuk McGee | 03:15 PM ET, Nov 16, 2009

The Health Information Trust Alliance (HITRUST) has unveiled a new program that helps streamline how healthcare organizations report their compliance status with security regulations such as HIPAA to their business associates.



Healthcare Reform Bill Means HIPAA Changes, Too


By Marianne Kolbasuk McGee | 04:59 PM ET, Oct 13, 2009

The healthcare reform bill that passed a key Senate committee today contains several health IT-related provisions. Among them are new rules regarding HIPAA, including a proposal allowing the periodic update of HIPAA standards, and fines for health plans that don't comply with HIPAA "operating rules" by April 2014.



Program Aims To Erase Doubts About Health Data Security


By Marianne Kolbasuk McGee | 04:41 PM ET, Sep 1, 2009

A new certification program could make it easier for healthcare organizations to decide whether their IT security products meet their compliance needs.



Amazon's Private Cloud: Virtually Private Or Maybe Private?


By Charles Babcock | 08:28 PM ET, Aug 28, 2009

Amazon, purveyor of the EC2 public cloud, suddenly announced Aug. 26 it's a private cloud supplier. Isn't there something wrong with a multi-tenant, shared resource provider transforming itself into a private cloud service? I'm not sure Amazon can offer a private cloud -- yet. Then again, I see no reason why it couldn't sometime in the future.



Following Big 2008 Slump, E-Health Systems Will Boom


By Marianne Kolbasuk McGee | 02:03 PM ET, Aug 19, 2009

Fewer new clinical information systems were sold in 2008 than during the previous seven years, according to a new report. But that trend will change in a big way soon.



Workgroup Co-Chair Says HIT Certification Process Is 'Going Well'


By Marianne Kolbasuk McGee | 04:14 PM ET, Aug 18, 2009

Last week, the HIT Policy Committee, which is advising the U.S. Dept. of Health and Human Services on the details of the $20 billion health IT stimulus programs, made several recommendations related to the certification of e-health products. Marc Probst, a co-chair of the HIT Policy Committee's certification and adoption workgroup, provides some insight.



Should E-Health Records Be A Job Perk?


By Marianne Kolbasuk McGee | 04:29 PM ET, Aug 17, 2009

Vanguard Health is the latest company that's signed up with the Dossia Consortium to offer its employees electronic health records as a work benefit. But when will it become mainstream for any and all patients to access their health records electronically, rather than it being a rare job perk for some?



The Encryption Gap


By Lorna Garey | 10:34 AM ET, Jul 23, 2009

Things that make us say "hmmm" include these stats: The percentage of respondents to our 2009 Strategic Security Survey rating encryption as effective in reducing risk dropped from 57% in 2008 to 48% in 2009. Use of disk, file and backup media encryption ALL fell year over year by at least five percentage points. Backup encryption usage is down 10 points.



Verizon Breach Report Challenges Conventional Wisdom


By Mike Fratto | 09:11 AM ET, Apr 16, 2009

Verizon Business' most recent 2009 Data Breach Investigations Report is a must-read if you're involved in IT. The authors are quick to point out that it is not a "state of security" report but an analysis of breaches investigated by Verizon Business' Risk Team, and therefore based on in-the-field findings. The report winds up with recommendations. How many is your company following?



EMC Reboots Archiving Software


By Andrew Conry-Murray | 12:02 PM ET, Apr 2, 2009

New SourceOne platform takes a modular approach to archiving content and focuses strongly on electronic discovery.



PCI And Schrodinger's Cat


By Andrew Conry-Murray | 11:47 AM ET, Feb 25, 2009

The inherent paradox of the Payment Card Industry's compliance program to protect credit card data makes PCI a futile exercise. Let's try something else.



A Smarter Alternative To PCI


By Andrew Conry-Murray | 09:29 AM ET, Jan 23, 2009

Let's dump the credit cards' security compliance program and replace it with a framework to actually reduce the risk that card data will be stolen.



E-Discovery Partnerships Go For Gold


By Andrew Conry-Murray | 04:53 PM ET, Dec 10, 2008

Vendors are teaming up to tackle e-discovery -- and rake in cash.



Changes Ahead For E-Discovery Rules?


By Andrew Conry-Murray | 09:47 AM ET, Dec 9, 2008

As IT and corporate counsel struggle with the financial, technical, and legal burdens of e-discovery, efforts are under way to lighten those burdens by modifying federal rules. But others say changes aren't necessary.



Green Hills Software Integrity: A Secure OS At Last


By Mike Fratto | 07:30 AM ET, Nov 18, 2008

Green Hills Software Integrity 178B operating system is the first, and only, certified Common Criteria Evaluation Assurance Level (EAL) 6+ operating system on the market. Green Hills Software uses Integrity as the basis for a secure PC operating system called Integrity PC and includes Padded Cell Virtualization, a secure hypervisor running within Integrity PC. Integrity Global Security LLC has been formed as a subsidiary of Green Hills Software to market Integrity PC. Integrity PC is provably secure.



Survey Says: Compliance Drives E-Mail Archiving


By Andrew Conry-Murray | 10:19 AM ET, Nov 13, 2008

A new survey from Barracuda shows compliance is the most important reason to archive mail, but not the only driver.



IBM Fined $900,000 For Failing To Backup


By Howard Marks | 04:06 PM ET, Oct 30, 2008

The Dallas Morning News reported that the state of Texas is fining IBM $900,000 for failing to make timely backups as part of an $863 million outsourcing contract. Gov. Rick Perry also suspended the transfer of additional state records into the IBM system, claiming the new system puts state agency data at risk.



The PCI Protection Racket


By Andrew Conry-Murray | 01:05 PM ET, Oct 27, 2008

A hotel operator says his point-of-sale vendor is using PCI as an excuse to force expensive upgrades to POS equipment.



Legal Hold Software Getting Smarter


By Andrew Conry-Murray | 02:05 AM ET, Oct 21, 2008

Recommind and Guidance have launched products to help companies preserve electronically stored information for legal and audit investigations.



The Economy And Jobs: More Than You Can Handle?


By Marianne Kolbasuk McGee | 01:07 PM ET, Sep 30, 2008

Feel that? It's the economy quaking. With the House rejecting the $700 billion bailout bill, stocks seesawing, and loads of uncertainty looming, it's possible you'll have more candidates than you ever imagined applying for jobs at your company. Are you ready to handle that?



Sneaky E-Mail And Other Tricks


By Andrew Conry-Murray | 03:06 PM ET, Sep 18, 2008

Sarah Palin's Yahoo account is a stark reminder of how easy it is for employees to get around corporate compliance policies.



IBM's E-Discovery Platform


By Andrew Conry-Murray | 10:15 AM ET, Sep 4, 2008

IBM launches eDiscovery Manager software to help enterprises find and manage information that may be relevant to litigation.



Busy Week For E-Discovery


By Andrew Conry-Murray | 01:44 PM ET, Aug 29, 2008

Three new product releases aimed at the electronic discovery market close out the last week of summer.



The 'Weekly Watch' On Content Management


By George Dearing | 10:40 AM ET, Mar 28, 2008

With all the activity in the content management market, I thought it would be a good idea to start a weekly ritual of quick blurbs and sound bites from vendors, users, and anyone else who'd like to throw their message in the mix.



Mission-Critical Apps Continue To Descend From The Clouds


By George Dearing | 08:53 AM ET, Mar 25, 2008

There are a lot of interesting scenarios these days around the intersection of software-as-a-service (SaaS) and content management. Thanks to companies like Google, Salesforce.com, and Amazon, cloud-based computing is no longer some mythical, business-led, revolutionary approach to accessing technology. Every day, mission-critical applications are being neatly packaged and delivered to business users regardless of time, place, or device.



Oracle: They Do So Much But Can They Do Everything?


By George Dearing | 08:20 AM ET, Mar 12, 2008

It's always a challenge for something baked into an enterprise platform to be as competitive as the pure-play providers. And in most cases, if content management is the set of applications you're trying to incorporate, it can be even more daunting.



In Post-Enron Era, E-Mail Governance Still A Challenge


By George Dearing | 04:00 PM ET, Mar 6, 2008

E-mail governance might not be the sexiest thing when it comes to content technologies, but don't tell that to your CIO or general counsel. Besides keeping them out of jail, a solid e-mail governance strategy drives compliance, improves information retrieval, and reduces paper.



IT And Legal: Best Friends Forever


By Andrew Conry-Murray | 10:54 AM ET, Feb 7, 2008

If your IT department isn't pals with legal, now's the time to strike up a friendship. Both departments must work together to produce e-mail and files related to litigation, otherwise known as e-discovery.



Oops, Look At That Phoenix, Rising From The Ashes


By Charles Babcock | 07:29 PM ET, Jan 9, 2008

In a story headlined, Open Source Code Contains Security Holes, I referred recently to the Firebird database project as "somewhat moribund." So imagine my surprise when a reader pointed out it was named project of the month in December by SourceForge, the dominant host of open source projects. Geez. Then there was the case of the supposedly "inactive" FreeBSD Unix.



Oracle Quiet As IRS Probes Quarter Billion Tax Write Off


By Paul McDougall | 03:33 PM ET, Oct 16, 2007

The IRS is investigating whether Oracle used some accounting tricks to manufacture a quarter billion dollar loss and claim a $78 million refund. So far, Oracle won't talk -- is it too busy trying to buy BEA?



Tips On Information And Records Retention Management


By Mitch Irsfeld | 01:01 PM ET, Mar 30, 2006

Knowing that proper information management can be the most effective means of reducing risks and bolstering regulatory compliance efforts, ARMA International, the not-for-profit professional membership association for records management professionals, is offering some simple tips on setting your records and information management policies.



New Fire-able Offences In The Age Of Regulation


By Mitch Irsfeld | 02:57 PM ET, Mar 21, 2006

For all the internal controls and automated policy enforcement that you've started layering atop your systems, you've no doubt reached the conclusion that it will never be enough to protect the company's confidential information, and you're probably right. These times call for a big stick. Without rules with teeth, how can you be expected to integrate big brother into the IT fabric, right? And there's just too much that goes on outside the scope of technology. So with tongue planted only half-way in cheek, here are some suggestions. Use them as guidelines and add your own.

New Fire-able Offences:


  • Walking past a fax machine without first averting one's eyes
  • Leaving the office without first activating the self-detonating device on your Blackberry
  • Entering a washroom before donning approved soundproof headphones
  • Waving at the security cameras over the men's urinals
  • Being discovered with a filing cabinet outside the corporate underground bunker
  • Allowing note taking during a Bring-Your-Daughter-To-Work Day
  • Concealing any manual writing implement on your person
  • Connecting your laptop to the same home network that your wife uses to play online poker
  • Catching a ride home with the armed courier transporting the company's backup tapes
  • Remembering to update the corporate Web site
  • Suggesting a paper recycling program
  • Activating a CD-ROM or any other personal storage device without direct supervision of a corporate legal team member
  • Owning a briefcase (it's amazing how many of these incidents start with a briefcase)

All these are grounds for termination, or at least a good beating for first-time offenders. Which brings up a good point: you can't be expected to enforce such policies without prior experience in the CIA or on The Jerry Springer Show. So it's time for a new C-level position: the CCO (Chief Corrections Officer). Don't worry about the brown polyester business suit; the night stick and handcuffs are the real accoutrements for the job. Best to find one with a visible scar or a missing eye.

On the off chance that you've already implemented one or more of these rules, I was only kidding.



Don't Overlook Project Management Applications


By Mitch Irsfeld | 01:29 PM ET, Mar 13, 2006

The first, and potentially highest, hurdle in shifting compliance management from a labor-intensive manual activity to an automated process is defining the scope of the project. That entails chores like identifying stakeholders and their roles, setting milestones and determining things like workflow and sign-offs.

In fact, this is where many companies pressing toward compliance automation get stuck and flounder. And when sighting down on a compliance problem, it's easy to overlook some obvious things, like useful software tools that have been around forever that could help drag a compliance project out of the quagmire.

I'm talking about project management applications. After looking through InformationWeek's review of project management software, it struck me how well-suited and inexpensive (even free) these applications are for helping frame the compliance management automation project and get it moving again.

Chances are, you've used one or two project management applications in the past. And, if not, then chances are that there are at least a few of them being used somewhere in your company. As the reviewers point out, project management software has evolved from monolithic programs to more focused, agile applications for clearly defined purposes and users.

It's just a thought, knowing how quickly the compliance management problem can become convoluted with conflicting agendas and subsets of problems that were never envisioned. And if you're not familiar with the available project management tools, the review is a good place to start.



Simple Ideas Can Be Big Ideas


By Mitch Irsfeld | 02:20 PM ET, Mar 1, 2006

As we continue to find out, there are many ways to skin the compliance cat, especially when it comes to archiving. And every once in a while simple ideas crop up that are relatively inexpensive to deploy and can really help the compliance cause.

Here's an example: We've all heard that archiving is less than half the battle in proving compliance with several key regulations. Once the data is archived, you have to be able to quickly search and discover the files critical to any ongoing litigation or compliance audit.

So why not use a system to automatically tag the files before they are stored? Seems logical, but such a system would have to be based on preset policies for classifying files before they enter the archive. And with something as unstructured and diverse as e-mail, that in itself can be a pretty tall order.

Yes, some vendors offer something like this as part of their overall archiving systems, but what if you already have an archiving system?

Well, Orchestria has a piece of technology that often gets overlooked among its other compliance, threat and policy management, and behavior monitoring systems. The company's Smart Tagging technology can automatically apply rich metadata to the millions of messages that hit a corporate e-mail system every day, before those messages reach the archive. And it can be set up to look for special content such as discussions of financial records, intellectual property, employment solicitations, and personal communications. And then set retention periods based on the tagged categories to help manage storage costs.



It's Not Wise To Neglect Certain SOX Requirements


By Mitch Irsfeld | 02:31 PM ET, Feb 27, 2006


If you're still harboring doubts about meeting your SOX deadlines, you might want to check out a webinar tomorrow (Feb. 28) that features Michael Horowitz, commissioner of the United States Sentencing Commission (USSC).

The event, titled "Upward Mobility: Leveraging Your Sarbanes-Oxley Investment for Broader Risk Management," is co-hosted by compliance vendor Axentis and Business Finance Magazine and will take place at 1 p.m. EST. Speakers will also include Scott Mitchell, CEO of Open Compliance & Ethics Group (OCEG), and Ted Frank, president of Axentis and chair of OCEG.

The discussion promises to focus on the current critical mandates of SOX and the ramifications of neglecting certain areas of compliance. And perhaps more interesting, attendees will also learn about compliance enforcement mechanisms. Special focus will be given to the Thompson Memo and Federal Sentencing Guidelines. Other topics to be covered include an overview and evaluation of a broad approach to compliance solutions and an understanding of how to integrate compliance into a business model.

You can register for the hour-long webinar at Business Finance Magazine's Web site.



Small Companies Could Get Permanent SOX Breaks


By Mitch Irsfeld | 02:20 PM ET, Feb 20, 2006

So how many of you are surprised that the Securities and Exchange Commission is looking to possibly withdraw the Section 404 requirements of Sarbanes-Oxley for small businesses? It seems to be one of those controversies that won't go away.

We learned that an advisory panel is expected tomorrow to urge the SEC to eliminate Section 404 compliance for smaller companies. The agency has twice extended the SOX compliance deadline for small cap companies. The most recent extension granted a reprieve until July 2007.

Now, it appears the SEC will hear advice to make smaller companies permanently exempt, and hold yet another public discussion on the reporting and auditing requirements of SOX on May 10.

The business community at large appears to be split on whether small cap filers deserve such a break. In a recent Compliance Pipeline poll, 49 percent of the respondents felt the move to push back the deadline for smaller companies was the correct move. Another 40 percent didn't think the break was fair, and 11 percent were still unsure.



Don't Kid Yourself, Automation Is Hard


By Mitch Irsfeld | 11:26 AM ET, Feb 7, 2006

Listen to technology vendors and automating compliance processes seems like a snap. Listen to the companies trying to reach the level where they can even think about automating their processes and you come away with a more realistic picture. No one is patting their CIOs on the head for waving the magic automation wand yet.

At first, I was a little alarmed to read the surveys that showed a majority of organizations felt they would be approaching 2006 with few, if any, more compliance processes automated. But there are truly dozens of reasons why this is the logical case.

First of all, getting any sort of reasonable budget to apply to the problem is next to impossible without first discovering the extent of what it means to automate those processes. It's like going into the wall to fix a leaky pipe in an older home. You know that once you open the wall, you might as well remodel because the initial problem will invariably point to several sets of interrelated problems.

As with that leaky pipe, adherence to regulatory requirements might call for data to be securely retained, which points to your storage architecture. Before you can think about automating data archiving, discovery and delivery processes, you have to make sure your storage systems are up to the task.



More Guidance On Regulations


By Mitch Irsfeld | 01:34 PM ET, Jan 31, 2006

We can all use a little guidance when it comes to identifying how regulations will affect our business processes and IT environments. The hard part is figuring out how compliance requirements change based on geographic variables and vertical markets.

And such guidance is starting to emerge. Two directories/guides were recently announced; both are free after registration, but only one is currently available.

The Object Management Group (OMG) and the OMG Regulatory Compliance Alliance (ORCA) have issued a call for participation for an open database project focused on global regulations called the Global Regulatory Information Database (Compliance GRID).



Keep The Knives Away From Storage


By Mitch Irsfeld | 04:19 PM ET, Jan 26, 2006

Will storage concerns outweigh security this year? It seems like a stretch but that's what a recent survey by Glass House Technologies indicates. According to Glass House's "2006 Storage Budget Survey", 2006 will be a year for holding down costs and that means IT will be wringing out more efficiency from storage architectures.

Now, Glass House is a provider of independent services that help organizations solve enterprise storage problems and focuses on information lifecycle management (ILM). So yes, you can read vested interest, but the company raises an interesting point. Storage budgets at most organizations, large and small, continue to grow and become a natural target for cost cutting, especially after spending all that money on security in 2005.

Do I think those security concerns have diminished enough to move storage to the top of the IT agenda? Not yet; maybe not for a while. And with compliance activities intersecting the security and storage activities, both storage and security will attract major IT attention.

The survey did show some other interesting things about storage. Most companies with annual storage costs of more than $10 million treat storage as a separate budget item from other IT expenditures. Ninety percent of companies with storage expenses higher than $150 million gave storage a separate budget, and 50 to 75 percent of smaller companies did the same.



If Compliance Costs Are Still Rising, Something Is Wrong


By Mitch Irsfeld | 02:19 PM ET, Jan 24, 2006

Analysts and vendors have been telling us Sarbanes-Oxley compliance costs should go down each year, but in a recent reader poll, more than half of our respondents claimed they are expecting just the opposite. A third of respondents did, however, expect their compliance costs will go down this year.

That tells me one of three things is happening: Either the promised return on investment from tools already applied to the problem is not happening; or the tools have been applied too recently to yield any savings; or SOX automation tools have not been applied yet.

If your company falls into the latter group, what's up? Can you still believe that SOX is a knee-jerk reaction by overzealous legislators and that it will eventually fall by the wayside?



Vendor Partnerships Mean Added Functionality


By Mitch Irsfeld | 02:47 PM ET, Jan 17, 2006

Market dynamics often mean good news for users when it comes to technology products, especially when competition drives prices down, but there are other dynamics that work to your benefit; for instance, when vendors partner to deliver more features and services to round out their offerings.

The market for compliance-related software and services is still young, and you've probably heard me warn here before not to expect these products to meet all your requirements. Not to say that all compliance applications are one-trick ponies, but most are designed to accomplish specific compliance tasks, like archiving, or monitoring, or reporting.

Acknowledging this, vendors are starting to partner up in the exploding compliance market and looking to each other to add value to their respective products. And that's good news, indeed. With the continuing hot market, vendors are realizing two things: Companies that buy technology to assist compliance efforts often have other needs that the product being purchased does not address; and there can be natural synergies between products from different vendors. Nothing new among technology vendors, but it is a sign of a healthy and growing market.



A Universe Of SOX Assistance


By Mitch Irsfeld | 05:38 PM ET, Jan 6, 2006

Two years into the regulation, the issues of Sarbanes-Oxley compliance, technical and otherwise, are so diverse and complex that an entire sub-industry has emerged to assist companies looking for resources, technology or just good old advice.

Most of those resources have a Web presence, so from time to time I'll point you to some of the more useful Web content. Here are three sites to check out:

The Sarbanes-Oxley Act Community Forum

The Forum is a membership information portal designed to encourage information exchange and includes tips, guides, and other resources. One of the more interesting resources is a downloadable Sarbanes-Oxley Compliance Toolkit, which includes stuff like guides, presentations and implementation checklists.

The site also includes a discussion forum area with topics like SOX IT issues and the most heavily visited forum: Sarbanes-Oxley Employment, which is open to both job seekers and employers.



Prediction No. 10: Continuous Controls, The Intersection of BPM, ECM And Event Monitoring


By Mitch Irsfeld | 12:54 PM ET, Dec 30, 2005

This final prediction for 2006 is a look at where the rubber will meet the road in the journey toward a sustainable, automated compliance architecture. Your goal is to create an environment of continuous controls, but what exactly is that? Continuous controls are something that analysts, consultants and auditors stress but, somehow, only vaguely describe. It will be your number one priority for compliance management but there is no silver bullet technology that gets you there.

There are no pre-packaged tools or services that will give you continuous controls across the range of regulatory requirements and internal risk management practices that govern most businesses. But more than anything else, continuous controls will make everyone's life much easier in 2006.

That means you'll have to get there the hard way, and if you haven't already started, 2006 may not be your year. I'm not talking against pre-packaged tools. The reason there are so many tools is that there are so many unique problems to address, and you'll, no doubt, find some of them useful in your overall compliance and risk management environment. For a large organization to achieve continuous controls, however, it will need a way to monitor and report all events that break with accepted security, risk and compliance policies and then document any and all remediation efforts. Most continuous controls environments also provide a centralized view of the entire enterprise risk management landscape via tools we've come to call dashboards.



Prediction No. 9: The Watchword in 2006 Will Be Sustainability


By Mitch Irsfeld | 07:39 PM ET, Dec 22, 2005

Every organization subject to regulatory compliance needs it; every vendor of compliance tools promises it; so achieving it is a piece of cake, right?

Unfortunately, when the "it" in question is a sustainable, automated compliance management framework, its existence has been a bit hit and miss. The main problem with a promise like sustainability is that it means something different to nearly all organizations, not to mention nearly all vendors of IT products and services.

Sustainable compliance can mean the ability of a tool to easily integrate changing requirements and add new policies and controls processes, and add new stakeholders to the workflow. It can also mean the tools are built using open standards and deployed in a services oriented architecture (SOA). An SOA can also ensure reuse of the software for several different regulatory compliance and risk management initiatives.



Prediction No. 8: SMBs Forced To Wear Their Compliance Hats


By Mitch Irsfeld | 02:26 PM ET, Dec 20, 2005

With most of the regulatory focus up to this point on larger public companies, financial institutions and healthcare providers, it wasn't until the last half of 2005 that we started to see a concerted effort on the part of technology vendors to scale down compliance-related systems and tools for small- and medium-sized businesses (SMBs).

It was only a matter of time; the SMB market is huge, hot and underserved, especially when it comes to compliance. Vendors focused first on the low-hanging fruit, the publicly traded companies with higher market capitalization that faced the most aggressive deadlines for complying with Sarbanes-Oxley. The SEC recently extended the deadline for smaller public companies (those with a market cap under $75 million) to 2007 for reporting on their internal control processes.

That means SOX section 404 reporting will be an across-the-board activity by the latter half of 2006. But that doesn't begin to account for all the smaller and much smaller private companies that have also felt the long arm of SOX. They may not be required to attest to their own controls, but chances are they do business with companies that are. And more and more, we're seeing governance activities extended to suppliers and partners.


Prediction No. 7: SOX Still Takes The Blame


By Mitch Irsfeld | 07:40 PM ET, Dec 15, 2005

The laws of physics still apply to compliance spending. In my second prediction in this series, on the expected reduction in manpower costs associated with SOX compliance, I said that the funds spent in 2005 to automate SOX compliance processes would pay off with a nice reduction in manpower costs.

But for every action there is a separate but equal reaction, unless you're Martha Stewart. Regardless of the benefit and return on the investment, the IT monies allocated to SOX will be extremely coveted for other areas of the business, and SOX will take the rap, once again, for a lack of funding in business development.

A recent Gartner Group financial compliance management survey found that spending for compliance and corporate regulations is expected to account for 10 to 15 percent of enterprise IT spending in 2006. Moreover, Gartner expects IT spending on compliance to rise five to 10 percent over last year's spending.


Prediction No. 6: The IT Hand-Off Brings Focus On Cost


By Mitch Irsfeld | 10:49 AM ET, Dec 12, 2005

I've already discussed in an earlier prediction the biggest and most annoying cost of compliance: the manpower dedicated to manual compliance processes, including human auditors. But there's more to consider than people costs. Some companies have used Sarbanes-Oxley as an excuse to re-examine their core business processes for ways to drive out cost.

In fact, cost reduction and return on investment will be the focus of SOX compliance activity in 2006. Why? Because it's time to complete the hand-off of compliance processes to IT, and IT's goal is always to drive costs out of business processes, increase performance and demonstrate ROI.

Documenting a collection of sustainable best practices is the first step in driving down costs associated with regulatory compliance. By now, organizations should have a much clearer picture of how they can best respond to the SOX requirements. If nothing else, SOX has forced everyone to examine their business processes and figure out which controls are really necessary and which controls are expensive overkill.



Prediction No.5: New Content To Manage


By Mitch Irsfeld | 02:47 PM ET, Dec 7, 2005

Remember your first reaction when you found out you had to manage content like e-mail and instant messages as part of the business record for compliance regulations like Sarbanes-Oxley? Remember the collective "Oh Brother" you heard from your department? Well, repeat after me . . . "Oh Brother," because it's happening again.

With the growing popularity of blogs in the enterprise and the use of wikis in corporate settings, these outlets are being recognized as containing potentially material information and, therefore, will need to be managed for compliance.

If you employ wiki technology to gather comment or provide an open forum for customers, the information you collect via wikis could also become material. Hey, if you set it up, the information is yours. Your company, theoretically, has knowledge of the information, which must be documented.


Prediction No. 4: A Central Theme


By Mitch Irsfeld | 02:31 PM ET, Dec 6, 2005

After going out on a limb for my third prediction for the new year, I'll make another semi-safe forecast this time around. What compliance management, disaster recovery, and general process optimization have shown us in 2005 is that some data is just better off centralized.

At the very least, the views to data need to be centralized, but companies found this year that managing for Section 404 of SOX, or getting back on track after hurricane damage, or just setting up an archiving system is easier if the data is all in one place. I'm not saying we'll see a wholesale shift, a re-centralization, if you will, of all those distributed servers out there.

But IT organizations have started to learn that the data that counts needs to be counted, and putting it in a secure place where it can be viewed in the context of all the reasons we now need to prove the existence of data is simply the best way to achieve that.


Prediction No. 3: Lockdown On Customer Data


By Mitch Irsfeld | 05:18 PM ET, Dec 2, 2005

This one might put me out on a limb, but I'm going to say that in 2006 we will see a marked reduction in customer data theft cases. Why? Because it's on everyone's radar.

Today, close to half the states have enacted data privacy laws modeled after California's SB-1386, requiring companies to out themselves when a breach occurs. And late last month, the Senate approved the Personal Data Privacy and Security Act, which requires businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.

With consumer confidence shaken and politicians clamoring for stiffer laws and penalties, if companies can't make sufficient headway against the problem in 2006, the loss of customer data will become the big security issue of the year.
