This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://www.silicon.com/research/specialreports/compliance/0,3800003180,39124020,00.htm
Quocirca's Straight Talking: The best route to compliance
Avoid the snake oil salesmen...
By Quocirca
Published: Friday 17 September 2004
Complying with the latest governance requirements is a problem IT departments should solve with catch-all - not legislation-specific - solutions, says Quocirca's Clive Longbottom.
With all the worldwide and regional governance requirements coming out, there's a plethora of solutions being brought to market to 'solve' the problem for companies - and a deep enough fear from the directors of these companies to create a ready market.
Whether it be Basel II, Sarbanes-Oxley (SOX), the forthcoming UK Companies Bill, HIPAA or some other piece of legislation, go to your friendly software vendor and they'll probably claim to have something for you - even if it is somewhere between snake oil and smoke and mirrors.
So what's the best way for IT departments to deal with compliance?
First, let's look at this from a requirements point of view. We hold a great deal of information in the corporate infrastructure, and there is a possibility that someone will come along with the requisite paperwork and say 'show me'. We will need to dig out whatever information the men in suits (or uniforms) say they want, and we will have to hand it over to them. Meanwhile, we have to demonstrate that we comply with the opposing pulls of the various data protection acts (DPA) and freedom of information bills, according to either our own or a customer's geography. In a nutshell, that sums up the whole governance and compliance issue.
This is the underlying requirement behind each and every regulation, so starting with a SOX or a Companies Bill solution is the wrong place.
Let's take a look at a couple of scenarios. A mortgage was mis-sold 15 years ago and the customer has complained. The Financial Services Authority (FSA) in the UK gets wind of this and requests the records relating to that case. We could therefore have to drill back through 15 years' worth or more of information and audit trails.
Another scenario: a relative of a patient who died a couple of years ago believes there may be important information in the deceased's records from childhood - there could be a need to go back 80 years or more.
Think of all the computerised solutions we have had since the advent of the mainframe in the 1960s - barely 40 years ago. Could we now easily recover data from an original Winchester disk? Could we easily provide information to the 'powers that be' if it were stored in Navy DIF or Ami Pro version 1.2? This becomes a thorny point when 'they' insist on the original document - even file viewers cannot guarantee fidelity of view.
So why should we believe that a governance solution being sold to us today will be of use to us in even 10 years' time? I don't think we should - unless the solution has started from the infrastructure up and has looked at putting in place a long-term data and information management solution, with the specific requirements of the 'regulation du jour' layered on top.
What do we mean by this? Well, we have to accept that in a world that is increasingly beset by re-regulation (as opposed to the de-regulation of the 1990s), we are at the whim of whatever governments are in power at any one time - and therefore the actual requirements will change on a regular basis. If we have put in place a prescriptive solution, we will need to change it every time a regulation changes. (And bear in mind that compliance with regulation is not something that helps the top line. It is a bottom-line cost, so we must control it as much as possible.)
If we want a governance system that lasts, we must start from a position of 'if it's data, store it and audit it'. If we are to store ad hoc data, we must ensure we can store it in a legally acceptable form with a proven lifespan - which these days seems to mean Adobe's portable document format (PDF). We need to time stamp each document, and we need cost-effective policies and procedures around lifecycles and archiving so we don't end up drowning in ever-increasing volumes of information we may never need to access. We also need to be able to demonstrate that we can move these data sets en masse to new storage systems, and verify that nothing changed in transit, as and when the time comes - whether that means moving to larger magnetic storage next year or to three-dimensional nano-robotic pseudo-intelligent storage in 2078.
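As an added illustration of what 'store it, time stamp it, audit it' can mean at the infrastructure level (this is editorial example code, not anything from Quocirca or silicon.com, and the column itself prescribes no particular mechanism), the sketch below keeps a manifest of digest, format, ingestion time and retention year for each stored document, logs every event, re-verifies the digests after a bulk move to new storage, and produces the bundle you would hand over when asked to 'show me'. The SHA-256 digests, the ISO 8601 timestamps, the retention classes and the two sample documents are all my own assumptions and constructed data:

```python
"""Toy archive manifest with audit trail and post-migration verification.

Editorial example, not the column's or any vendor's code. Assumes a flat
store mapping document id -> bytes; SHA-256 and the retention years are
assumptions made here for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ingest(store, manifest, audit, doc_id, data, fmt, retention_years, when):
    """Store the bytes, record digest + time stamp, and log the event."""
    entry = {
        "id": doc_id,
        "sha256": sha256_hex(data),
        "format": fmt,
        "stored_at": when.astimezone(timezone.utc).isoformat(),
        "retain_until": when.year + retention_years,
    }
    store[doc_id] = data
    manifest.append(entry)
    audit.append({"event": "ingest", "id": doc_id, "at": entry["stored_at"]})
    return entry


def verify(store, manifest):
    """Return ids whose stored bytes no longer match their recorded digest."""
    return [e["id"] for e in manifest
            if e["id"] not in store or sha256_hex(store[e["id"]]) != e["sha256"]]


def migrate(old_store, new_store, manifest, audit, when, transform=lambda b: b):
    """Copy every manifest item to a new store, then re-check every digest.
    `transform` stands in for whatever the copy path does to the bytes."""
    for e in manifest:
        new_store[e["id"]] = transform(old_store[e["id"]])
    failed = verify(new_store, manifest)
    audit.append({"event": "migrate", "at": when.astimezone(timezone.utc).isoformat(),
                  "items": len(manifest), "failed": failed})
    return failed


def disposable(manifest, year):
    """Lifecycle check: ids whose retention period has expired by `year`."""
    return [e["id"] for e in manifest if e["retain_until"] <= year]


def evidence(doc_id, manifest, audit):
    """The 'show me' bundle: manifest entry plus every audit event naming the id."""
    entry = next((e for e in manifest if e["id"] == doc_id), None)
    events = [a for a in audit if a.get("id") == doc_id or doc_id in a.get("failed", [])]
    return {"entry": entry, "events": events}


def run_demo():
    store, manifest, audit = {}, [], []
    t0 = datetime(2004, 9, 17, 9, 0, tzinfo=timezone.utc)
    # Constructed sample documents, not real records.
    ingest(store, manifest, audit, "mortgage-1989-0042",
           b"%PDF-1.4 offer letter ...", "application/pdf", 25, t0)
    ingest(store, manifest, audit, "patient-1924-0007",
           b"%PDF-1.4 scanned notes ...", "application/pdf", 100, t0)

    t1 = datetime(2014, 1, 1, tzinfo=timezone.utc)
    clean_store = {}
    clean_failures = migrate(store, clean_store, manifest, audit, t1)
    # A copy path that 're-saves' each file (a viewer export, say) quietly
    # changes the bytes; the digest check catches it even though it 'looks' fine.
    resaved_store = {}
    resaved_failures = migrate(store, resaved_store, manifest, audit, t1,
                               transform=lambda b: b.replace(b"1.4", b"1.7"))
    return {
        "clean_migration_failures": clean_failures,
        "resaved_migration_failures": resaved_failures,
        "disposable_in_2030": disposable(manifest, 2030),
        "evidence_events": len(evidence("mortgage-1989-0042", manifest, audit)["events"]),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the second migration is the one made about file viewers above: a copy that renders identically is not the original if its bytes differ, and only a digest recorded at ingestion time lets you prove which is which years later.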
We must also include policies and procedures on security. These must be granular enough to lock an item of information down so that no one except the favoured few can get at it, while leaving the same item accessible enough that we can respond rapidly to DPA requests and/or compliance demands.
The solution must be inclusive - we have made our decisions on our existing solutions for better or for worse - and we must sweat these assets for all they are worth. Any solution that requires a 'rip and replace' approach is dead before it starts. We have to be able to accept output from existing applications and data sources.
Having said this, the whole solution must be process-focused. We are leaving behind the age of the application, and the focus in future will be on service oriented architectures (SOA) and functional components. We have to concentrate on the value chains within and between our companies, ensuring that end-to-end processes meet the regulators' needs.
This creates a whole new set of issues on security and storage: How can we ensure that this piece of information is secure once it moves outside of our remit? How do we hand off this piece of information, yet ensure that we can still audit the whole value chain when we are requested?
Overall, the KISS (Keep It Simple, Stupid) approach to governance and compliance is the best - start with a high-level framework and look for the technical solutions that will facilitate the framework. Then look at what a company's needs are for specific areas of governance and layer solutions over the framework. This should give a higher level of flexibility for the future and prevent that horrible feeling when you think you have everything covered and find that the one piece of information Chief Inspector Knacker of the Fraud Squad is demanding is not covered by your swanky, multi-million euro compliance solution.
You can obtain a report on this subject, entitled "Intelligent Documents and Intellectual Value Property Chains", from Quocirca's website.
Copyright © 2008 CBS Interactive Limited. All rights reserved.