Coming to Terms With ComplianceBy Michael Vizard | Posted 2007-08-24 Email Print
Taking the grunt work out of the process will cut costs and boost productivity.
While compliance regulations have in general been a boon to managers who needed business executives to focus more on the strategic role information technology plays in their organizations, the actual physical process of bringing an organization into compliance is sheer drudgery.
Unfortunately, there is no way to avoid the tasks associated with compliance because at its core, this is an activity that requires things to be measured. And things that need to be measured generate reports. As a result, compliance-related activities are consuming an increasing percentage of the I.T. budget in the form of labor costs, as I.T. personnel and business managers spend more time compiling reports.
The challenge facing I.T. managers today is how to automate the process of coming into compliance in a way that lowers the total cost of the activity by making it less labor-intensive. That was the challenge that Hai Ngo, chief information security officer for New York University Medical Center, recently took up.
Ngo needed a relatively unobtrusive way to collect compliance information that would not require I.T. people to add code to their systems or fill out reams of forms every month. In effect, what Ngo set out to do was find a decentralized model that would make it easy to collect data from 300 distributed systems while using a tool that had a relatively low footprint in terms of consuming I.T. resources.
After an extensive product search, Ngo chose Risk Manager from Modulo as the answer to his problem, which has significant levels of complexity; the medical center needs to be in compliance with regulations including Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the Control Objectives for Information and Related Technologies (COBIT) guidelines and the Federal Information Security Management Act (FISMA).
What he liked about the Modulo system is that it comes with a database in which Modulo has codified all the knowledge about regulation requirements that its consultants have developed over the last several years. Although Modulo is not a household word in the U.S., it's one of the largest consulting companies in South America. It has thus developed a substantial base of expertise around compliance that it recently turned into a product and service that customers could buy, versus having to rely on consultants who bill by the hour to collect compliance data.
Ngo says he has simplified the compliance process for NYU Medical Center by giving each I.T. unit an executable that it can run locally to collect all the necessary compliance data from its systems. This means the local unit doesn't have to load any additional code on its systems. The executable then feeds that report back to the Modulo database, which compares the information with the best practices for compliance rules that Modulo regularly updates. For business executives, Ngo uses a set of forms on the Web that allows executives to fill in the needed information, which is then sent to the Modulo database.
The end result of this approach is that Ngo says he can keep the medical center in compliance with a host of regulations without having to hire a mass of additional personnel just to manage countless spreadsheets full of compliance data. And perhaps better yet, he now has a centralized repository for all the data; this makes it easier for auditors to determine whether the medical center is in compliance, which means fewer billable hours for the auditors and lower costs for the business.
There are a lot of good tools out there for storing compliance information, but the more vexing problem thus far has been finding a relatively painless way of collecting the data. The simple fact is that all this compliance work is a drain on productivity, because the people performing the task both inside and outside of I.T. could easily be dedicated to something that drives profit and revenue for the organization. But compliance has also led to a much better I.T. governance environment that over the long haul serves the business better, so calling for less-stringent compliance rules is generally a counter-productive exercise.
Instead, we need to find ways of making it easier for organizations to come into compliance with any number of regulations without gutting those regulations, which would make the whole thing a pointless activity that would add costs without providing any real additional value.