Subscribe to the RSS feed

Green Hills Software Integrity 178B operating system is the first, and only, certified Common Criteria Evaluation Assurance Level (EAL) 6+ operating system on the market. Green Hills Software uses Integrity as the basis for a secure PC operating system called Integrity PC and includes Padded Cell Virtualization, a secure hypervisor running within Integrity PC. Integrity Global Security LLC has been formed as a subsidiary of Green Hills Software to market Integrity PC. Integrity PC is provably secure.

Comments(2)

A new survey from Barracuda shows compliance is the most important reason to archive mail, but not the only driver.

Comment on this blog entry

The Dallas Morning News reported that the state of Texas is fining IBM $900,000 for failing to make timely backups as part of an $863 million outsourcing contract. Gov. Rick Perry also suspended the transfer of additional state records into the IBM system, claiming the new system puts state agency data at risk.

Comments(1)

A hotel operator says his point-of-sale vendor is using PCI as an excuse to force expensive upgrades to POS equipment.

Comments(7)

Recommind and Guidance have launched products to help companies preserve electronically stored information for legal and audit investigations.

Comment on this blog entry

Feel that? It's the economy quaking. With the House rejecting the $700 billion bailout bill, stocks seesawing, and loads of uncertainty looming, it's possible you'll have more candidates than you ever imagined applying for jobs at your company. Are you ready to handle that?

Comment on this blog entry

Sarah Palin's Yahoo account is a stark reminder of how easy it is for employees to get around corporate compliance policies.

Comments(13)

IBM launches eDiscovery Manager software to help enterprises find and manage information that may be relevant to litigation.

Comment on this blog entry

Three new product releases aimed at the electronic discovery market close out the last week of summer.

Comment on this blog entry

With all the activity in the content management market, I thought it would be a good idea to start a weekly ritual of quick blurbs and sound bites from vendors, users, and anyone else who'd like to throw their message in the mix.

Comment on this blog entry

There's a lot of interesting scenarios these days around the intersection of software-as-a-service (SaaS) and content management. Thanks to companies like Google, Salesforce.com, and Amazon, cloud-based computing is no longer some mythical, business-led, revolutionary approach to accessing technology. Everyday, mission-critical applications are being neatly packaged and delivered to business users regardless of time, place, or device.

Comments(5)

It's always a challenge for something baked into an enterprise platform to be as competitive as the pure-play providers. And in most cases, if content management is the set of applications you're trying to incorporate, it can be even more daunting.

Comment on this blog entry

E-mail governance might not be the sexiest thing when it comes to content technologies, but don't tell that to your CIO or general counsel. Besides keeping them out of jail, a solid e-mail governance strategy drives compliance, improves information retrieval, and reduces paper.

Comments(1)

If your IT department isn’t pals with legal, now's the time to strike up a friendship. Both departments must work together to produce e-mail and files related to litigation, otherwise known as e-discovery.

Comments(6)

In a story headlined, Open Source Code Contains Security Holes, I referred recently to the Firebird database project as "somewhat moribund." So imagine my surprise when a reader pointed out it was named project of the month in December by SourceForge, the dominant host of open source projects. Geez. Then there was the case of the supposedly "inactive" FreeBSD Unix.

Comments(16)

The IRS is investigating whether Oracle used some accounting tricks to manufacture a quarter billion dollar loss and claim a $78 million refund. So far, Oracle won't talk--is it too busy trying to buy BEA?

Comments(3)

Knowing that proper information management can be the most effective means of reducing risks and bolstering regulatory compliance efforts, ARMA International, the not-for-profit professional membership association for records management professionals is offering some simple tips on setting your records and information management policies.

Comment on this blog entry

For all the internal controls and automated policy enforcement that you've started layering atop your systems, you've no doubt reached the conclusion that it will never be enough to protect the company's confidential information, and you're probably right. These times call for a big stick. Without rules with teeth, how can you be expected to integrate big brother into the IT fabric, right? And there's just too much that goes on outside the scope of technology. So with tongue planted only half-way in cheek, here are some suggestions. Use them as guidelines and add your own.

New Fire-able Offences:

• Walking past a fax machine without first averting one's eyes


• Leaving the office without first activating the self-detonating device on your Blackberry


• Entering a washroom before donning approved soundproof headphones


• Waving at the security cameras over the men's urinals


• Being discovered with a filing cabinet outside the corporate underground bunker


• Allowing note taking during a Bring-Your-Daughter-To-Work Day


• Concealing any manual writing implement on your person.


• Connecting your laptop to the same home network that your wife uses to play online poker


• Catching a ride home with the armed courier transporting the company's backup tapes


• Remembering to update the corporate Web site


• Suggesting a paper recycling program


• Activating a CD/ROM or any other personal storage device without direct supervision of a corporate legal team member.
  
• Owning a briefcase (it's amazing how many of these incidents start with a briefcase)

All these are grounds for termination, or a least a good beating for first-time offenders. Which brings up a good point: you can't be expected to enforce such policies without prior experience in the CIA or on The Jerry Springer Show. So it's time for a new C-level position: the CCO (Chief Corrections Officer). Don't worry about the brown polyester business suit; the night stick and handcuffs are the real accoutrements for the job. Best to find one with a visible scar or a missing eye.

On the off chance that you've already implemented one or more of these rules, I was only kidding.

Comment on this blog entry

The first, and potentially highest, hurdle in shifting compliance management from a labor-intensive manual activity to an automated process is defining the scope of the project. That entails chores like identifying stakeholders and their roles, setting milestones and determining things like workflow and sign-offs.

In fact, this is where many companies pressing toward compliance automation get stuck and flounder. And when sighting down on a compliance problem, it's easy to overlook some obvious things, like useful software tools that have been around forever that could help drag a compliance project out of the quagmire.

I'm talking about project management applications. After looking through Information Week's review of project management software, it struck me how well-suited and inexpensive (even free) these applications are for helping frame the compliance management automation project and get it moving again.

Chances are, you've used one or two project management application in the past. And, if not, then chances are that there are at least a few of them being used somewhere in your company. As the reviewers point out, project management software has evolved from monolithic programs to more focused, agile applications for clearly defined purposes and users.

It's just thought, knowing how quickly the compliance management problem can become convoluted with conflicting agendas and subsets of problems that were never envisioned. And if you're not familiar with the available project management tools, the review is a good place to start.

Comment on this blog entry

As we continue to find out, there are many ways to skin the compliance cat, especially when it comes to archiving. And every once in a while simple ideas crop up that are relatively inexpensive to deploy and can really help the compliance cause.

Here's an example: We've all heard that archiving is less than half the battle in proving compliance with several key regulations. Once the data is archived, you have to be able to quickly search and discover the files critical to any ongoing litigation or compliance audit.

So why not use a system to automatically tag the files before they are stored? Seems logical, but such a system would have to based on preset policies for classifying files before they enter the archive. And with something as unstructured and diverse as E-mail, that in itself can be a pretty tall order.

Yes, some vendors offer something like this as part of their overall archiving systems, but what if you already have an archiving system?

Well, Orchestria has a piece of technology that often gets overlooked among its other compliance, threat and policy management, and behavior monitoring systems. The company's Smart Tagging technology can automatically apply rich metadata to the millions of messages that hit a corporate e-mail system every day, before those messages reach the archive. And it can be set up to look for special content such as discussions of financial records, intellectual property, employment solicitations, and personal communications. And then set retention periods based on the tagged categories to help manage storage costs.

Comments(1)

If you're still harboring doubts about meeting your SOX deadlines, you might want to check out a webinar tomorrow (Feb. 28) that features Michael Horowitz, commissioner of the United States Sentencing Commission (USSC).

The event, titled, "Upward Mobility: Leveraging Your Sarbanes-Oxley Investment for Broader Risk Management," will take place 1 p.m. EST. Co-hosted by compliance vendor Axentis and Business Finance Magazine, speakers will also include Scott Mitchell, CEO of Open Compliance & Ethics Group (OCEG) and Ted Frank, president of Axentis and chair of OCEG.

The discussion promises to focus on the current critical mandates of SOX and the ramifications of neglecting certain areas of compliance. And perhaps more interesting, attendees will also learn about compliance enforcement mechanisms. Special focus will be given to the Thompson Memo and Federal Sentencing Guidelines. Other topics to be covered include an overview and evaluation of a broad approach to compliance solutions and an understanding of how to integrate compliance into a business model.

You can register for the hour-long webinar at Business Finance Magazine's Web site.

Comment on this blog entry

So how many of you are surprised that the Securities and Exchange Commission is looking to possibly withdraw the Section 404 requirements of Sarbanes-Oxley for small businesses? It seems to be one of those controversies that won't go away.

We learned that an advisory panel is expected tomorrow to urge the SEC to eliminate Section 404 compliance for smaller companies. The agency has twice extended the SOX compliance deadline for small cap companies. The most recent extension granted a reprieve until July 2007.

Now, it appears the SEC will hear advice to make smaller companies permanently exempt, and hold yet another public discussion on the reporting and auditing requirements of SOX on May 10.

The business community at large appears to be split on whether small cap filers deserve such a break. In a recent Compliance Pipeline poll, 49 percent of the respondents felt the move to push back the deadline for smaller companies was the correct move. Another 40 percent didn't think the break was fair, and 11 percent were still unsure.

Comment on this blog entry

Listen to technology vendors and automating compliance processes seems like a snap. Listen to the companies trying the reach the level where they can even think about automating their processes and you come away with a more realistic picture. No one is patting their CIOs on the head for waving the magic automation wand yet.

At first, I was a little alarmed to read the surveys that showed a majority of organizations felt they would be approaching 2006 with few, if any, more compliance processes automated. But there are truly dozens of reasons why this is the logical case.

First of all, getting any sort of reasonable budget to apply to the problem is next too impossible without first discovering the extent of what to means to automate those processes. It's like going into the wall to fix a leaky pipe in an older home. You know that once you open the wall, you might as well remodel because the initial problem will invariably point to several sets of interrelated problems.

As with that leaky pipe, adherence to regulatory requirements might call for data to be securely retained, which points to your storage architecture. Before you can think about automating data archiving, discovery and delivery processes, you have to make sure your storage systems are up to the task.

Comment on this blog entry

We can all use a little guidance when it comes to identifying how regulations will affect our business processes and IT environments. The hard part is figuring out how compliance requirements change based on geographic variables and vertical markets.

And such guidance is starting to emerge. Two directories/guides were recently announced; both are free after registration, but only one is currently available.

The Object Management Group (OMG) and the OMG Regulatory Compliance Alliance (ORCA) have issued a call for participation for an open database project focused on global regulations called the Global Regulatory Information Database (Compliance GRID).

Comment on this blog entry

Will storage concerns outweigh security this year? It seems like a stretch but that's what a recent survey by Glass House Technologies indicates. According to Glass House's "2006 Storage Budget Survey", 2006 will be a year for holding down costs and that means IT will be wringing out more efficiency from storage architectures.

Now, Glass House is a provider of independent services that help organizations solve enterprise storage problems and focuses on information lifecycle management (ILM). So yes, you can read vested interest, but the company raises an interesting point. Storage budgets at most organization, large and small, continue to grow and become a natural target for cost cutting, especially after spending all that money on security in 2005.

Do I think those security concerns have diminished enough to move storage to the top of the IT agenda. Not yet; maybe not for a while. And with compliance activities intersecting the security and storage activities, both storage and security will attract major IT attention.

The survey did show some other interesting things about storage. Most companies with annual storage costs of more than $10 million treat storage as a separate budget item from other IT expenditures. And ninety percent of companies with storage expenses higher than $150 million gave storage a separate budget, and 50 to 75 percent of smaller companies did the same.

Comment on this blog entry

Analysts and vendors have been telling us Sarbanes-Oxley compliance costs should go down each year, but in a recent reader poll, more than half of our respondents claimed they are expecting just the opposite. A third of respondents did, however, expect their compliance costs will go down this year.

That tells me one of three things is happening: Either the promised return on investment from tools already applied to the problem is not happening; or the tools have been applied too recently to yield any savings; or SOX automation tools have not been applied yet.

If you company falls into the latter group, what's up? Can you still believe that SOX is a knee-jerk reaction by overzealous legislators and that it will eventually fall by the wayside.

Comment on this blog entry

Market dynamics often mean good news for users when it comes to technology products, especially when competition drives prices down, but there are other dynamics that work to your benefit; for instance, when vendors partner to deliver more features and services to round out their offerings.

The market for compliance-related software and services is still young, and you've probably heard me warn here before not to expect these products to meet all your requirements. Not to say that all compliance applications are one-trick ponies, but most are designed to accomplish specific compliance tasks, like archiving, or monitoring, or reporting.

Acknowledging this, vendors are starting to partner up in the exploding compliance market and looking to each other to add value to their respective products. And that's good news, indeed. With the continuing hot market, vendors are realising two things: Companies that buy technology to assist compliance efforts often have other needs that the product being purchased does not address; and that their can be natural synergies between products from different vendors. Nothing new among technology vendors but it is the sign of a healthy and growing market.

Comment on this blog entry

Two years into the regulation, the issues of Sarbanes-Oxley compliance, technical and otherwise, are so diverse and complex that an entire sub-industry has emerged to assist companies looking for resources, technology or just good old advice.

Most of those resources have a Web presence, so from time to time I'll point you to some of the more useful Web content. Here's three sites to check out:

The Sarbanes-Oxley Act Community Forum

The Forum is an membership information portal designed to encourage information exchange and includes tips, guides, and other resources. One of the more interesting resources is a downloadable Sarbanes-Oxley Compliance Toolkit, which includes stuff like guides, presentations and implementation checklists.

The Site also includes a discussion forum area with topics like SOX IT issues and the most heavily visited forum: Sarbanes-Oxley Employment, which is open to both job seekers and employers.

Comment on this blog entry

This final prediction for 2006 is a look at where the rubber will meet the road in the journey toward a sustainable, automated compliance architecture. Your goal is to create an environment of continuous controls, but what exactly is that? Continuous controls are something that analysts, consultants and auditors stress but, somehow, only vaguely describe. It will be your number one priority for compliance management but there is no silver bullet technology that gets you there.

There are no pre-packaged tools or services that will give you continuous controls across the range of regulatory requirements and internal risk management practices that govern most businesses. But more than anything else, continuous controls will make everyone's life much easier in 2006.

That means you'll have to get there the hard way, and if you haven't already started, 2006 may not be your year. I'm not talking against pre-packaged tools. The reason there are so many tools is that there are so many unique problems to address and you'll, no doubt, find some of them useful in your overall compliance and risk management environment. For a large organization to achieve continuous controls, however, they will need a way to monitor and report all events that break with accepted security, risk and compliance policies and then document any and all remediation efforts. Most continuous controls environments also provide a centralized view of the entire enterprise risk management landscape via tools we've come to call dashboards.

Comment on this blog entry

Every organization subject to regulatory compliance needs it; every vendor of compliance tools promises it; so achieving it is a piece of cake, right?

Unfortunately, when the "it" in question is a sustainable, automated compliance management framework, its existence has been a bit hit and miss. The main problem with a promise like sustainability is that it means something different to nearly all organizations, not to mention nearly all vendors of IT products and services.

Sustainable compliance can mean the ability of a tool to easily integrate changing requirements and add new policies and controls processes, and add new stakeholders to the workflow. It can also mean the tools are built using open standards and deployed in a services oriented architecture (SOA). An SOA can also ensure reuse of the software for several different regulatory compliance and risk management initiatives.

Comment on this blog entry

With most of the regulatory focus up to this point on larger public companies, financial institutions and healthcare providers, it wasn't until the last half of 2005 that we started to see a concerted effort on the part of technology vendors to scale down compliance-related systems and tools for small- and medium-sized businesses (SMBs).

It was only a matter of time; the SMB market is huge, hot and underserved, especially when it comes to compliance. Vendors focused first on the low hanging fruit, the publicly traded companies with higher market capitalization that faced the most aggressive deadlines for complying with Sarbanes-Oxley. The SEC recently extended the deadline for smaller public companies (those with a market cap under $75 million) to 2007 for reporting their internal control processes for.

That means SOX section 404 reporting will be an across-the-board activity by the later half of 2006. But that doesn't begin to account for all the smaller and much smaller private companies that have also felt the long arm of SOX. They may not be required to attest to their own controls, but chances are they do business with companies that are. And more and more, we're seeing governance activities extended to suppliers and partners.

Comment on this blog entry

The laws of physics still apply to compliance spending. In my second prediction in this series on the expected reduction in manpower costs associated with SOX compliance, I said that the funds spent in 2005 to automate SOX compliance processes would pay-off with a nice reduction in manpower costs.

But for every action there is s separate but equal reaction, unless you're Martha Stewart. Regardless of the benefit and return on the investment, the IT monies allocated to SOX will be extremely coveted for other areas of the business, and SOX will take the rap, once again for a lack of funding in business development.

A recent Gartner Group financial compliance management survey found that spending for compliance and corporate regulations are expected to account for 10 to 15 percent of enterprise IT spending in 2006. Moreover, Gartner expects the IT spending on compliance to rise five to 10 percent over last year's spending.

Comment on this blog entry

I've already discussed in an earlier prediction the biggest and most annoying cost of compliance; the manpower dedicated to manual compliance processes, including human auditors. But there's more to consider than people costs. Some companies have used Sarbanes-Oxley as an excuse to re-examine their core business processes for ways to drive out cost.

In fact, cost reduction and return on investment will be the focus of SOX compliance activity in 2006. Why? Because it's time to complete the hand-off of compliance processes to IT, and IT's goal is always to drive costs out of business processes, increase performance and demonstrate ROI.

Documenting a collection of sustainable best practices is the first step in driving down costs associated with regulatory compliance. By now, organizations should have a much clearer picture of how they can best respond to the SOX requirements. If nothing else, SOX has forced everyone to examine their business processes and figure out which controls are really necessary and which controls are expensive overkill.

Comment on this blog entry

Remember your first reaction when you found out you had to manage content like e-mail and instant messages as part of the business record for compliance regulations like Sarbanes-Oxley. Remember the collective "Oh Brother" you heard from your department. Well repeat after me . . . "Oh Brother" because its happening again.

With the growing popularity of blogs in the enterprise and the use of wikis in corporate settings, these outlets are being recognized to contain potential material information and, therefore, will need to be managed for compliance.

If you employ wiki technology to gather comment or provide an open forum for customers, the information you collect via wikis could also become material. Hey, if you set it up, the information is yours. Your company, theoretically, has knowledge of the information, which must be documented.

Comment on this blog entry

After going out on a limb for my third prediction for the new year, I'll make another semi-safe forecast this time around. What compliance management, disaster recovery, and general process optimization has shown us in 2005 is that some data is just better off centralized.

At the very least, the views to data need to be centralized, but companies found this year that managing for Section 404 of SOX, or getting back on track after hurricane damage, or just setting up an archiving system is easier if the data is all in one place. I'm not saying we'll see a wholesale shift, a re-centralization, if you will, of all those distributed servers out there.

But IT organizations have started to learn that the data that counts needs to be counted, and putting it in a secure place where it can be viewed in context of all the reasons we now need to prove the existence of data is simply the best way to achieve that.

Comment on this blog entry

This one might put me out on a limb, but I'm going to say that in 2006 we will see a marked reduction in customer data theft cases. Why, because it's on everyone's radar.

Today, close to half the states have enacted data privacy laws modeled after California's SB-1386, requiring companies to out themselves when a breach occurs. And late last month, the Senate approved the Personal Data Privacy and Security Act, which requires businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.

With consumer confidence shaken and politicians clamoring for stiffer laws and penalties, if companies can't make sufficient headway against the problem in 2006, the loss of customer data will become the big security issue of the year.

Comment on this blog entry

With more and more manual processes associated with Sarbanes-Oxley compliance activities being automated through technology, we expect the people costs for SOX to fall off dramatically in 2006.

This is actually a pretty safe bet since it will be the third year that large public companies have had to manage SOX compliance. One could assume that everyone is getting more adept, including the independent auditors, so manpower costs should go down as a percentage of overall costs associated with SOX.

But automation will be the key factor in driving down the man hours. AMR Research recently surveyed more than 300 IT and business managers and found that SOX will drive and increase in technology spending in 2006, while actual headcount numbers dedicated to compliance efforts will decrease.

Comment on this blog entry

The holiday season is now officially out of its cage and you know what that means . . . Yup, it's time for that annual right of analysts, pundits, journalists and wags everywhere to vent their predictions for the coming year.

But rather than wait and wrap all predictions up in a nice holiday bundle, I think I'll meter out our guesswork in the time-honored tradition of seasonal marketing campaigns that dictate the emergence of flocked trees and jingle bells shortly after the back-to-school sales end. If you're like me, you just love walking into your neighborhood big-box superstore on a hot, late September day, and getting serenaded by an animated reindeer.

But the better part of taste and a disturbing lack of material have forced me to wait until Thanksgiving leftovers are finally starting to look like leftovers to begin unleashing our predictions for IT compliance management in 2006.

Why the lack of material, you ask. Well, for the most part, the issues around compliance management remain largely the same. Companies are getting off the stick and doing more to automate their compliance processes and there's a lot more products and services available to help them accomplish that, but the basic needs have changed little from year to year.

Comment on this blog entry

It's right before Thanksgiving and I'm trying hard not to think curmudgeonly thoughts but just in case you haven't noticed your users downloading AOL's spiffy new IM client (which is much more than an IM client) be aware that instant messages aren't the only thing that could be breaking your compliance policies.

The new AIM Triton service, which became available for free download today, is an integrated communications client that offers instant messaging, free e-mail and SMS mobile texting as well as voice and video chat services. It also offers access to AOL's new TotalTalk VoIP calling service.

With a few clicks users can now carry on multiple conversations simultaneously and transition from desktop instant messaging to mobile text messaging, e-mail, voice or video chat.

Comment on this blog entry

There is a code of conduct in professional sports dictating that what happens or gets said in the locker room stays in the locker room. Well, a quick scan of the sports headlines shows how closely that honor rule is followed. And the same holds true for corporate teams with the added problem of incidental and accidental information leakage.

I've been on a bit of a harangue the last couple weeks about monitoring the internal flow of information for compliance policy violations, as well as the incoming and outgoing flow. And I'm happy to report that it seems several vendors are on the same page, understanding that there are threats that a typical firewall or security appliance are not going to detect, namely the internal data stores.

We recently saw Embarcadero Technologies offering database-monitoring software that it acquired with its buyout of SHC Ambeo Acquisition Corp., a privately held maker of database-security software. Embarcadero is selling two database tracking tools from Ambeo's product line: Activity Tracker, a database-auditing mechanism that monitors all user activity in real time, and Usage Tracker, which provides historical statistics on how data is being accessed and used.

Comment on this blog entry

Retailers and consumer products manufacturers need to take a more risk-based, top-down approach to Sarbanes-Oxley compliance in order to increase efficiencies, eliminate unnecessary work and reduce costs, according to a recent white paper issued by PricewaterhouseCoopers.

The document, titled "Leading Strategies: Streamlining Sarbanes-Oxley Compliance for Retail & Consumer Companies" offers three strategies that retailers and consumer products companies can utilize to lessen the financial and personnel strain of Sarbanes-Oxley.

Comment on this blog entry

Yesterday I issued a reminder that data security and compliance meant protecting the data stores as well as the network perimeter, but good compliance practices also require a consistent and thorough monitoring of the way your users are interacting with the enterprise applications, in particular your databases.

Once again we are talking mostly about internal intruders, those getting access to information they are not authorized to use or using authorized information in an unauthorized manner.

And three recent product releases could point you in the right direction or at least help you frame the issues.

Comment on this blog entry

An out-of-site, out-of-mind attitude toward data protection should leave most corporate exectives with that insecure, non-compliant feeling in the pit of their archives. And guess what? It does, but not enough take action—at least not yet.

The threat is still perceived to be at the barriers, while stored data remains relatively unprotected. The reason for this continued problem remains relatively simple. Companies set up policies and systems and then monitor activity at the borders with the mistaken notion that sensitive data going out or dangerous incoming threats have to pass through those defenses.

Leaving stored data unprotected, however, invites even low-tech and no-tech tampering, and the results can be just as harmful as external assaults.

Comment on this blog entry

We would never get a chance to be a fly on the wall during something as sensitive as a fraud examination, but Oversight Systems provides us with the next best thing. The company released today the results of a survey of 204 U.S. fraud examiners identifying current institutional fraud trends. And the findings are, well, eye-opening, to say the least.

Despite the increase in regulatory oversight, only seven percent of the respondents felt that institutional fraud is less prevalent today than it was five years ago. Of course, that backs up one of the major arguments put forward when the Sarbanes-Oxley act was first introduced: that the SOX requirements wouldn't reduce unethical and fraudulent business practices, it would just force the practitioners to get better at what they do.

I never fully bought into that argument. It's a bit like the argument against banning handguns, that if you make the guns illegal, only criminals will own guns. But this survey makes one wonder just how uniformly the mandates are being followed.

Comment on this blog entry

It used to be the case that internally created and internally transmitted messages (the oldest form of e-mail) were of little threat to the security posture of an organization. That was before we actually started monitoring what went on behind closed doors, so to speak.

Organizations started paying a little more attention to internal messages once compliance and legal requirements made it more important to do so. But the focus for e-mail protection has always been on incoming messages, and more recently, outbound messages. But there is still a heck of a lot of messaging going on behind the firewall, and security and compliance vendors have only recently begun to address it.

Comment on this blog entry

For small- and medium-sized businesses (SMBs), it may be the only procedure.

Security is still the biggest concern for SMBs when it comes to their messaging systems, but archiving is starting to pick up steam as a priority for this group as well as large enterprises.

So says a report just published by the Radicati Group, which contains the results of Radicati's survey of businesses with less than 500 employees.

Comment on this blog entry

From time to time, I like to let you know of inexpensive (or sometimes free) tools that might help guide your thinking as you begin or continue to roll out new compliance processes. I noticed a couple interesting new Web-based survey tools that help assess employee attitudes and awareness of integrity and antifraud risks as part of an ethics program evaluation.

I found it interesting because it got me thinking about all the compliance-related products out there designed to document controls. Of course there is some urgency in doing just that, but how many companies truly understand what it is they are trying to control? Perhaps you have potential controls issues that are based on attitudes and beliefs that have been allowed to flourish unchecked.

Comment on this blog entry

It's time for corporate America to get specific. Shortly after the SOX legislation was introduced, we heard a lot of drum beating about shareholder value and the rosy, glass-half-full notion that early adopters of compliance management technology would hold a competitive advantage over the kickers and screamers. It seemed plausible at the time—still does, but the examples of that actually happening are few and far between.

So it gets me wondering: In the final analysis, will SOX go down as nothing more than a remedial reaction, designed to restore investor confidence, or are companies just being tight-lipped about how compliance initiatives are providing shareholder value? It wouldn't be the first time that discussions of competitive advantage are kept out of the media. Oh, technology vendors are quick to offer up case studies with real live user organizations, and they are generally educational, but they fall short of describing how a particular implementation or new practice is delivering shareholder value.

Comment on this blog entry

How many of you think life would be so much easier if the brass in your company actually took Sarbanes-Oxley compliance seriously? With all the fear and loathing voiced over the C-level accountability of Section 404, we still hear from IT managers that their bosses still don't take SOX seriously.

The publicized fines levied for non-compliance have been few and far between, and the threat of incarceration for CEOs and CFOs has not been made real. Little wonder, according to some, why their compliance budgets get laughed at. And little wonder who gets blamed if material deficiencies crop up . . . you.

Comment on this blog entry

The most confusing, frustrating and mind-numbing aspect of any compliance automation project is discovering that there are now a host of hardware and software tools for any compliance activity you can think of, and many you didn't think of. There are compliance tools that cost a couple hundred bucks and some that can set you back a couple hundred thousand just to initiate preliminary designs. If your company is like the majority who got past the initial regulatory audits the manual way, fixing problems with chewing gum and duct tape, you've probably been charged with making sure that experience isn't repeated.

But after a quick look at the compliance tools landscape, you're at a loss. The financial folks want a budget for making the pain go away. But the further you explore, the more frustrating the situation becomes. It's a bit like the poor sap who decides to refinish his kitchen cabinets and by the time he's done he's taking out a second mortgage to pay for new counters, plumbing, fixtures, flooring, wallpaper and appliances.

Comment on this blog entry