Compliance

Vol. 4 No. 7 – September 2006

Articles

A Requirements Primer

Many software engineers and architects are exposed to compliance through the growing number of rules, regulations, and standards with which their employers must comply. Some of these requirements, such as HIPAA (Health Insurance Portability and Accountability Act), focus primarily on one industry, whereas others, such as SOX (Sarbanes-Oxley Act), span many industries. Some apply to only one country, while others cross national boundaries. To help navigate this often confusing world, Queue has assembled a short primer that provides background on four of the most important compliance challenges that organizations face today.

GEORGE W. BEELER, JR., BEELER CONSULTING and DANA GARDNER, INTERARBOR SOLUTIONS

SARBANES-OXLEY (SOX)

The Sarbanes-Oxley Act of 2002 can be tidily summed up as trying to answer the not-so-simple question, “Says who?” when it comes to proper corporate financial reports. Because of a spate of major corporate and accounting scandals at the turn of the century—perhaps best punctuated by the collapse of Enron and Arthur Andersen—Sarbanes-Oxley, or SOX, was designed to shore up public and investor confidence in financial reporting.

by George W. Beeler, Dana Gardner

Box Their SOXes Off

Data is a precious resource for any large organization. The larger the organization, the more likely it will rely to some degree on third-party vendors and partners to help it manage and monitor its mission-critical data. In the wake of new regulations for public companies, such as Section 404 of SOX (Sarbanes-Oxley Act of 2002), the folks who run IT departments for Fortune 1000 companies have an ever-increasing need to know that when it comes to the 24/7/365 monitoring of their critical data transactions, they have business partners with well-planned and well-documented procedures.

Being proactive with SAS 70 Type II audits helps both parties in a vendor relationship.

JOHN BOSTICK, dbaDIRECT 

In response to a growing need to validate third-party controls and procedures, some companies are insisting that certain vendors undergo SAS (Statement on Auditing Standards) 70 Type II audits. These audits refer to an AICPA (American Institute of Certified Public Accountants) standard that sets forth the practice for evaluating the performance of outside service organizations. (A Type I audit describes the business’s controls, noting if they are suitably designed and in place; a Type II audit tests those controls and reports if they are working adequately.)

by John Bostick

Compliance Deconstructed

The topic of compliance becomes increasingly complex each year. Dozens of regulatory requirements can affect a company’s business processes. Moreover, these requirements are often vague and confusing. When those in charge of compliance are asked if their business processes are in compliance, it is understandably difficult for them to respond succinctly and with confidence. This article looks at how companies can deconstruct compliance, dealing with it in a systematic fashion and applying technology to automate compliance-related business processes. It also looks specifically at how Microsoft approaches compliance to SOX (Sarbanes-Oxley Act of 2002).

When you break it down, compliance is largely about ensuring that business processes are executed as expected.

JC CANNON AND MARILEE BYERS, MICROSOFT

Compliance Drivers

Regulatory legislation and corporate governance are primarily what drives compliance. Failure to comply with legislation such as Sarbanes-Oxley can lead to fines and disruption of day-to-day business. Even companies that are not concerned with regulatory legislation need to protect important corporate resources such as customer data and trade secrets.

by J. C. Cannon, Marilee Byers

Complying with Compliance

“Hey, compliance is boring. Really, really boring. And besides, I work neither in the financial industry nor in health care. Why should I care about SOX and HIPAA?”

Yep, you’re absolutely right. You write payroll applications, or operating systems, or user interfaces, or (heaven forbid) e-mail servers. Why should you worry about compliance issues?

Blowing it off is not an option.

ERIC ALLMAN, SENDMAIL

by Eric Allman

Kode Vicious

Facing the Strain

Dear KV, I've been working on a software team that produces an end-user application on several different operating system platforms. I started out as the build engineer, setting up the build system, then the nightly test scripts, and now I work on several of the components themselves, as well as maintaining the build system. The biggest problem I've seen in building software is the lack of API stability. It's OK when new APIs are added--you can ignore those if you like--and when APIs are removed I know, because the build breaks. The biggest problem is when someone changes an API, as this isn't discovered until some test script--or worse, a user--executes the code and it blows up. How do you deal with constantly changing APIs?

A koder with attitude, KV answers your questions. Miss Manners he ain’t.

APIs can change. Even the ones you’ve come to depend on over the years—the ones you thought were set in stone, indelible, immutable, pure. But fear not, because this month Kode Vicious offers his take on dealing with this most loathsome form of change. Encountered an equally annoying programming challenge? Write to Kode Vicious at KV@acmqueue.com and vent to your heart’s content.

by George Neville-Neil

Articles

Keeping Score in the IT Compliance Game

Achieving developer acceptance of standardized procedures for managing applications from development to release is one of the largest hurdles facing organizations today. Establishing a standardized development-to-release workflow, often referred to as the ALM (application lifecycle management) process, is particularly critical for organizations in their efforts to meet tough IT compliance mandates. This is much easier said than done, as different development teams have created their own unique procedures that are undocumented, unclear, and nontraceable.

ALM can help organizations meet tough IT compliance requirements.

TRACY RAGAN, CATALYST SYSTEMS

Achieving 100 percent compliance from all development teams requires that the ALM team clearly communicate the levels of compliance to the developers and clearly communicate to upper management which development teams are and are not in compliance. Keeping track of the game using a simple “compliance scorecard” can do the job.

by Tracy Ragan

Opinion

Rationalizing a Home Terabyte Server

With 1 TB of RAID 5 storage, most of my friends believe I have really gone off the deep end with my home server. They may be right, but as in most things in life, I have gotten to this point through a rational set of individual upgrades all perfectly reasonable at the time. Rather than being overly indulgent to my inner geek, am I an early adopter of what will be the inevitable standard for home IT infrastructure? Here is my story; you be the judge.

Self-indulgent, or a view of the future?

Mache Creeger, Emergent Technology Associates

A Simple Router

Eight years ago, my employer at the time graciously funded cable-modem broadband Internet service at my home so I could work from there. The base service supported only one PC. Because my wife and son each had a PC, I needed a way to share Internet access—a router to share Internet service and a home LAN to distribute network traffic.

by Mache Creeger

Curmudgeon

Seeking Compliance Nirvana

Compliance. The mere mention of it brings to mind a harrowing list of questions and concerns. For example, who is complying and with what? With so many standards, laws, angles, intersections, overlaps, and consequences, who ultimately gets to determine if you are compliant or not? How do you determine what is in scope and what is not? And why do you instantly think of an audit when you hear the word compliance?

Don’t let SOX and PCI get the better of you

Greg A. Nolann

To see the tangled hairball that is compliance, just take a look at my company. It is on the hook for SOX (Sarbanes-Oxley Act of 2002), as we are a publicly traded company; for a number of banks for the PCI DSS (payment card industry data security standard), also known as Visa CISP (Cardholder Information Security Program); for HIPAA (Health Insurance Portability and Accountability Act); for CA 1786 (and all other states’ disclosure laws); and for the European Union, its member countries, Japan, Korea, and a handful of other countries’ privacy and data security laws (these alone could probably spawn an entire series of lessons and lectures!).

by Greg A. Nolann

Interviews

The Compliance Game

Although complying with myriad regulations affecting information technology these days can feel like a chore, technology professionals now have an opportunity to leverage these efforts and create a proactive approach to IT governance. Tune into this month's Queuecast as Kris Lovejoy, CTO of Consul, discusses with host Mike Vizard why companies must shift their focus on compliance to a new governance approach that will ultimately better serve a company's needs.