When you manage your corporate data, do you have the proper technology controls in place to ensure it’s safe, and are you always in regulatory compliance? In order to answer yes to these two questions, your organization requires internal control systems, risk management practices, and a system for IT governance.
David Luft, senior vice-president, product development at the SMB program office for Computer Associates, of Islandia, N.Y., in a thorough article in Computer Technology Review, argues that while compliance often brings to mind laws and regulations to guide well-known public companies, it can actually affect businesses of all sizes.
There are many industry-specific compliance requirements that can affect smaller, privately held SMBs, including the Personal Information Protection and Electronic Documents Act (PIPEDA). The Sarbanes-Oxley Act (SOX) is particularly far-reaching. It requires, for example, that a business’s relevant financial reports be certified by both the CEO and CFO. While SOX definitely affects publicly held firms, “it can also indirectly affect SMBs that are privately-owned and aspire to go public or be acquired. In many cases, SOX can affect private SMBs that simply want to do business with public companies governed by SOX,” says Luft.
“If they’re not public corporations then obviously Bill 198 (SOX) may not apply. It becomes an issue of best practices. If they’re not public, then it’s not that it’s of less importance, it’s just that it’s not a regulatory requirement in terms of corporate governance,” says Daniel Paul, partner and lawyer at Ogilvy Renault‘s Montreal office, who specializes primarily in information technology (IT) law.
Bill 198 deems, for one thing, a company’s CEO and the CFO have to sign off on financial statements. The company must ensure that the information that is provided to create these financial statements is accurate. Internal controls will play a major role in the process. These internal controls include information systems. That’s where IT governance kicks in.
SMBs can help their compliance efforts by having a sound IT infrastructure in place, protecting their networks and data with the proper security and ensuring they back up all data and maintain a back-up plan for when the network — or one of its systems — fails.
The backing up of data also includes e-mail. MailStor, from US-based UbiStor Inc., for example, is one product designed to comply with regulatory requirement relating to email storage, specifically to Sarbanes-Oxley, SEC Rule 240.17a-4, 204-2, NASD 3010/3110, and NYSE Rule 342, 440.
Frank Shannon, vice-president of operations at UbiStor, says the Web-based managed solution captures, monitors and archives all e-mail and attachments. Everything is configured remotely by UbiStor so that e-mail records are routed to the MailStor Archive Server, allowing Web Console access to the user company’s Compliance Officer. Multiple levels of protection are available, including queuing suspect records for release approval on inbound and outbound traffic and WORM DVD archive.
Shannon says in the U.S., $3.1 billion in fines were issued by the Securities and Exchange Commission (SEC) in 2005, up from $313 million in 2003. “Our belief is that the SEC resources focused on the bigger fish up to this point and now are starting to focus into the SMB arena where there are potentially more violations. Today’s SMBs are wise to include e-mail/IM data protection in their business planning.”
If not, they can expect fines from regulatory agencies, internal resource drains, legal costs and jeopardized reputations.
Steps to compliance
In order to get on the road to better compliance, SMBs should consider procuring a detailed risk assessment from a vendor specializing in this area. This will help determine where compliance resources are most needed and allow them to focus on the areas that will have the most impact on their operations. It may also be helpful to create and document an information security policy for the business and ensure employees are trained and educated about it, suggests Luft.
With the new legislation, the importance of compliance and IT governance has increased in the eyes of both senior executives and boards of directors because they now face the requirement of making sure that data always comes through the information systems, says Ogilvy Renault’s Paul. “They are no longer the holder of the little black box, but it’s obviously a lot more important now to make sure that they do understand the systems that are providing the information needed to manage a company.”
Contact the editor