Compliance doesn't begin and end with the Sarbanes-Oxley Act (SOX).
Small and medium-sized businesses (SMBs) must also keep up with the
Payment Card Industry's (PCI) security standards, the Health
Insurance Portability and Accountability Act and numerous other
regulations and guidelines. It's a tall order, but it's one SMBs
must face in order to protect their customers and stay in line with
standards set by the IT industry as well as the government. This IT
Management Guide offers news, insights and resources to help SMBs
stay on top of their compliance responsibilities.
For free advice and resources on more IT and business topics, visit our list of SMB IT Management Guides.
Table of contents
- Compliance, security take managing log data to next level
- Sarbanes-Oxley compliance costs drop, better processes credited
- Regulatory compliance -- Stay ahead to keep on top of issues
- E-discovery must be a team effort
- Laptop security best practices
- More resources
[Shamus McGillicuddy, News Writer]
Three years ago, PCI auditors came to Peter Boergermann and
asked him what his IT organization was doing with its log data.
Network devices, servers, PCs, applications, firewalls and most
other devices and software in a corporate system retain a log of
every information transaction conducted on that machine. The log
data is a virtual fingerprint of activity that takes place on a
company's system. But gathering and making use of that data can be
a challenge.
Boergermann, associate vice president, MIS technical support
manager and IT security officer at $1.1 billion Citizens &
Northern Bank in Wellsboro, Pa., said the PCI auditors had just
gone through training on the importance of log data to
compliance.
"They asked, 'What are you doing with your logs? Who's looking
at them? How do you react to them? What changes do you make based
on your reactions?'" Boergermann said of the auditors, who are
charged with checking a company's compliance with the
PCI security standards. "We weren't doing a lot with logs.
After listening to their questions, we decided to start reviewing
our options."
Find out what the bank learned in "Compliance, security take managing log data to next level."
Also:
[Shamus McGillicuddy, News Writer]
The financial burden of SOX compliance is slowly (but surely)
starting to ease.
The cost of compliance with Section 404 of the Sarbanes-Oxley
Act declined by 21% in fiscal 2006, according to a survey by
Financial Executives
International. The Florham Park, N.J.-based organization found
the average company spent $2.9 million on SOX compliance in 2006,
versus $3.8 million in 2005 and $4.5 million in 2004.
"Technology has a lot to do with the cost reduction," said
Sanjay Anand, chairperson of the
Sarbanes-Oxley Institute. Public companies "are
actually automating their controls. A good 20 to 30%, even as much
as 40%, of the cost reduction is actually coming from automated
controls rather than manual controls."
These cost reductions have come despite the fact that auditors'
fees have remained relatively steady, the research revealed.
External auditor fees dropped by just 11% in 2006, from $1.35
million to $1.2 million.
Learn more in "Sarbanes-Oxley compliance costs drop, better processes credited." Also:
- SEC makes good on promise to clarify guidance on SOX (SearchSMB.com):
The Securities and Exchange Commission (SEC) makes good on
long-promised new guidance for the bugaboo of Section 404 of the
Sarbanes-Oxley Act.
- Sarbanes-Oxley advice for smaller public companies (SearchCIO.com):
Smaller public companies have had more challenges when it comes to
preparing for SOX. But as of Dec. 15, the SEC will start cracking
down. In his latest column, James Champy offers some tips for those
trying to do more with less in achieving compliance.
[Justin Korelc, Contributor]
As an IT manager of a small or medium-sized business (SMB), you
may find yourself asking, "How can we affordably and effectively
store and archive data to meet regulatory compliance demands?" It sounds
like a daunting task, indeed. But who doesn't love a good
challenge?
The key to regulatory compliance is the ability to enforce and
monitor security policies and processes at any given time, all of
the time. And an SMB must plan and maintain an effective security
strategy for its business infrastructure from the onset to serve as
a solid foundation for regulatory compliance.
Of course, early precautions against security breaches and
network vulnerabilities are much easier and less costly than late
reactions to a direct violation. So staying on top of relevant
security issues as they change with job roles and operating
environments is key.
Learn more in "Regulatory compliance -- Stay ahead to keep on top of issues." Also:
- Insider threats thwarted in simple steps (SearchSMB.com):
Don't wait for new SMB-specific offerings before you prevent
insider threats. Leverage your existing systems with simple
planning and integration.
- Security buy-in starts at the top (SearchSMB.com):
Security gets more buy-in from business execs now that
Sarbanes-Oxley is here, but it's still a tough internal sell. CIOs
must reach out to business managers to ensure that security is a
priority in every technology project.
[James M. Connolly, Contributor]
IT organizations have survived Y2K, the Sarbanes-Oxley Act,
HIPAA and other compliance issues that more or less have an end in
sight once the deadlines have been met. But there's one hurdle for
CIOs at small and medium-sized businesses (SMBs) that never really
ends: the emergence of rules relating to electronic discovery, or
e-discovery, of corporate communications and
documents in court cases.
The rules relating to types of information companies must
produce when involved in lawsuits are being defined by individual
court decisions and changes to the
Federal Rules of Civil Procedure (FRCP) that
took effect in December. They affect companies of all sizes and
in all industries. While larger companies may tend to be prime
targets for lawsuits, SMBs are more likely to lack the IT and
legal resources to deal with e-discovery.
"The biggest thing we have to do from a small-company
perspective is to balance everything we have to do because we don't
have the luxury of a big staff," said Dan Grosz, vice president of
information systems at VIP Parts, Tires & Service in Lewiston,
Maine. "We wear multiple hats, and I don't want to add yet another
hat. I have enough to worry about without having to become a
lawyer."
Yet Grosz said he recognizes that he will have to work with
legal advisers to understand how the evolving e-discovery rules
will affect his IT operations. He will also have to educate
business-side users on the implications of e-discovery in their
day-to-day communications.
Learn more about e-discovery in "E-discovery must be a team effort." Also:
[Joel Dubin, CISSP, Contributor]
More employees with more laptops can mean greater exposure of your
network to roaming security threats. And, in a worst-case scenario,
a stolen laptop with sensitive customer data or proprietary company
information can also expose the company to liabilities, legal or
otherwise. Lost customer data can lead to identity theft and open
the company to lawsuits. Lost proprietary information can damage
the company's competitive edge, if not its business altogether.
Large organizations have sophisticated network defenses and
firewalls to block malware from compromised laptops. For outbound
threats, they may also employ complex content control systems to
prevent the loss of customer data or company information. Not so
for small and medium-sized businesses (SMBs), which may operate
simple firewall networks on a shoestring and don't have the cash to
spend on expensive content filtering systems and software.
But there are solutions for SMBs that won't break the budget and
involve little or no overhead. Many of these solutions rely on
simple procedures and best practices that don't require bulking up
stretched-thin IT departments or hiring a dedicated information
security team.
There are three parts to laptop security: physical security,
administrative access and technical controls.
Find out more about laptop security in "Laptop security best practices." Also: