Consolidating Compliance

The explosion of regulatory mandates has left organizations reeling from the labor and cost of compliance. The Sarbanes-Oxley Act (SOX) alone may end up costing public companies as much as $6.1 billion in 2005, according to a recent survey by AMR Research.

In the United Kingdom, one financial services industry organization is calling for a regulatory moratorium after finding that more than 20 new regulations are due to hit the sector between 2004 and 2006. That is a staggering prospect for organizations such as banks, many of which already spend 15% of their IT budgets on regulatory compliance.

For many CIOs, taking back control of compliance seems a Herculean task. The most common question? “Where do we start?”

Data Consolidation

Data consolidation is one of the regulated organization’s best weapons in the compliance war. Data fragmentation is more than just the enemy of efficiency: it is almost impossible to achieve compliance if you have 58 places to manage users and at least as many places where critical data lives.

While data consolidation is not a cure-all, being able to centrally manage users, what they can access, and where the information is that they are accessing enables far greater control over corporate assets subject to regulation.

Furthermore, being able to verify compliance is simplified by data consolidation. Identity management and unstructured data management are two critical areas where “putting all your eggs in one basket” makes it much easier to prove they are Grade AAA eggs that have not been tampered with.

Identity Management

Identity management is a significant facilitator in regulatory compliance with the added benefit of a demonstrable return-on-investment (ROI). In particular, the deployment of single (or reduced) sign-on often drastically lowers help-desk calls for password resets and also increases employee productivity.

Identity management establishes a single identity per user and centralized provisioning of users with their access rights: a “source of truth” for who the user is and what they can access.

In contrast, having employee data (e.g., access rights) scattered in multiple places virtually ensures that it is incorrect or out-of-date in at least one of them, and makes it far harder to defend against malicious insiders attempting to elevate their privileges.

How can you establish the validity of your controls when the data used to enforce them is fragmented, hard-to-secure, or out-of-date?

Identity management can also address a common, pernicious undermining of compliance efforts: out-of-date user accounts and/or privileges. In combination with workflow engines, changes in user status (position, rights, job functions) can be reflected immediately in identity management systems and propagated as needed to other (legacy) repositories.

Identity management can help not only to enforce “least privilege” — the principle that a user should be granted only those privileges needed to do a job, but no more — but also to ensure that least privilege stays consistently up-to-date as users change roles or leave.
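To make the reconciliation described above concrete, here is an added example (not part of the original article and not Oracle code) that compares several downstream account stores against an authoritative identity record and a role-based entitlement model. The identities, roles, repository names (“erp”, “fileshare”) and rights are constructed sample data; the output is the list of propagation actions a provisioning workflow would have to carry out, and re-running the comparison after applying them shows how compliance with least privilege can be verified rather than assumed.

```python
"""Reconcile downstream account stores against an identity "source of truth".

Added illustrative example: this is not Oracle code and models no specific
product. All identities, roles, repositories and rights below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """Authoritative record, e.g. fed from HR through a provisioning workflow."""
    user: str
    status: str   # "active" or "terminated"
    role: str


# Role model: the rights each job function needs in each repository, and no more.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp": {"ap_read", "ap_post"},               "fileshare": {"finance_ro"}},
    "ap_manager": {"erp": {"ap_read", "ap_post", "ap_approve"}, "fileshare": {"finance_rw"}},
    "auditor":    {"erp": {"ap_read"},                          "fileshare": {"finance_ro"}},
}

# Constructed source of truth: alice moved from clerk to auditor; bob has left.
SOURCE_OF_TRUTH = [
    Identity("alice", "active", "auditor"),
    Identity("bob", "terminated", "ap_clerk"),
    Identity("carol", "active", "ap_manager"),
]

# Constructed legacy repositories that were never updated after those changes.
REPOSITORIES = {
    "erp": {
        "alice": {"ap_read", "ap_post"},                # still holds clerk rights
        "bob":   {"ap_read", "ap_post"},                # account of a leaver
        "carol": {"ap_read", "ap_post", "ap_approve"},
        "dave":  {"ap_approve"},                        # no identity record at all
    },
    "fileshare": {
        "alice": {"finance_ro"},
        "carol": {"finance_ro"},                        # lacks finance_rw her role needs
    },
}


def reconcile(source, roles, repositories):
    """Compare every repository against the source of truth.

    Returns (kind, repository, account, right) tuples describing what a
    provisioning workflow must propagate: disable orphaned or terminated
    accounts, revoke rights the role does not grant, grant rights it requires.
    """
    by_user = {ident.user: ident for ident in source}
    actions = []
    for repo, accounts in repositories.items():
        for account, granted in accounts.items():
            ident = by_user.get(account)
            if ident is None or ident.status != "active":
                actions.append(("disable", repo, account, None))
                continue
            expected = roles[ident.role].get(repo, set())
            for right in sorted(granted - expected):
                actions.append(("revoke", repo, account, right))
            for right in sorted(expected - granted):
                actions.append(("grant", repo, account, right))
        # Active users whose role needs rights here but who have no account yet.
        for ident in source:
            if ident.status == "active" and ident.user not in accounts:
                for right in sorted(roles[ident.role].get(repo, set())):
                    actions.append(("grant", repo, ident.user, right))
    return actions


def apply_actions(repositories, actions):
    """Return a copy of the repositories with the actions applied.

    A disabled account is dropped from the model; a real store would flag it
    disabled and keep it for audit.
    """
    repos = {repo: {acct: set(rights) for acct, rights in accts.items()}
             for repo, accts in repositories.items()}
    for kind, repo, account, right in actions:
        if kind == "disable":
            repos[repo].pop(account, None)
        elif kind == "revoke":
            repos[repo][account].discard(right)
        elif kind == "grant":
            repos[repo].setdefault(account, set()).add(right)
    return repos


if __name__ == "__main__":
    todo = reconcile(SOURCE_OF_TRUTH, ROLE_ENTITLEMENTS, REPOSITORIES)
    for action in todo:
        print(action)
    fixed = apply_actions(REPOSITORIES, todo)
    print("remaining deviations:", reconcile(SOURCE_OF_TRUTH, ROLE_ENTITLEMENTS, fixed))
```

Run against the constructed data, the comparison flags alice’s leftover posting right, the two accounts with no active identity behind them (bob, dave) and carol’s under-provisioned file share; after the actions are applied a second pass reports no deviations, which is the evidence an auditor wants for a least-privilege control.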

Unstructured Data Management

One of the areas most dramatically impacted by regulatory requirements is unstructured content — electronic documents, emails, instant messages, paper documents, calendars, Web conference proceedings, voicemail, electronic discussions, Web content, and inter-application transactions — which is either covered today or will soon be covered under one or more regulations.

Regulatory compliance is driving a major evolution of the content management market: to the entire enterprise, for everyone, and for all content in an organization.

Content management is not just about “content specialists” anymore, but about knowledge workers who need content management functionality to complete parts of their everyday work, from drafting a new business plan to sharing content with a virtual team, or getting a new business practice approved by multiple department heads.

One way to get started on rationalizing a content management strategy is to look at content management as one would view any other data management challenge. Creating an unstructured data management strategy for your organization puts you on a path towards consolidation of repositories, systems, retention policies, and IT vendors — an important first step.

Unlike Y2K, regulatory compliance is here to stay and savvy CIOs are now creating strategic frameworks that measure compliance investments based on the ability to address business objectives, not just short-term deadlines.

Since consolidation efforts invariably will impact many different lines of business, many organizations create cross-organizational working groups that can help create consensus across decentralized organizations and design requirements for their consolidated data management strategy.

Mary Ann Davidson is the chief security officer at Oracle, responsible for security evaluations, assessments and incident handling.

Harald P.F. Collet is principal product manager, Records Management and Compliance Support Products for Oracle. He is responsible for product definition and strategy as well as worldwide go-to-market and customer programs. Additionally, he works closely with Oracle’s legal and corporate affairs teams and drives a company-wide regulatory compliance initiative.