Playing by the Rules

The complex world of compliance

Charlene O’Hanlon, ACM Queue

Some of my favorite childhood memories are of playing games with my sister—both structured games such as Monopoly or hopscotch and imagination-fueled games such as cops and robbers or roller derby girls (don’t ask). Regardless of whether the game had established regulations, often our play would devolve into what I call Calvinball, a term coined in the comic strip Calvin and Hobbes referring to the act of making up the rules as you go along.

Our Calvinball play had some distinct advantages: It was a lot more fun to change the rules in the middle of the game. No one ever got bored. It allowed us to stretch our minds beyond the parameters of regular play. And—quite possibly the best advantage—everybody won in Calvinball. Of course, there was the occasional cry of, “Hey, that’s not fair!” but that person was quickly outnumbered if there were more than two players.

Unfortunately (at least for me), life doesn’t work that way. Calvinball would never fly in the corporate environment. Results are based on expectations, and expectations are based on rules. Things can get messy if that path is not followed. Rules and regulations bring a sense of order, and order has more of a place in the corporate world than in childhood games.

Compliance is one very large way of imposing order and ensuring everyone plays by the same rules. Corporate financial shenanigans, most notably the Enron debacle a few years back, have brought on a plethora of new compliance regulations including the Sarbanes-Oxley Act of 2002 (more commonly known as SOX) and Basel II (aka The New Accord, or its given name of the International Convergence of Capital Measurement and Capital Standards—A Revised Framework). HIPAA (the Health Insurance Portability and Accountability Act of 1996), which was originally designed to protect employees from losing their health insurance coverage should they leave their jobs for any reason, has spawned a reformation of the health-care industry as it relates to privacy and protection of a patient’s personal information. The HL7 (Health Level 7) standard developed by the organization of the same name is now the de facto standard for interfacing disparate health-related software systems.

The impact of these compliance regulations and resulting standards has had a ripple effect throughout the entire corporate spectrum, from Fortune 500 companies to mom-and-pop shops. Developers and IT departments now must scrutinize every application, purchase, and implementation with an eye toward compliance. IT budgets have been stretched to deal with myriad issues associated with becoming compliant.

It’s not an easy task, but savvy IT managers can keep their organizations compliant while staying within the parameters of their budgets. The best developers can help make that seemingly impossible dream a reality. CIOs, on the other hand, are tasked with helping ensure success by providing both a workable budget and smart, dedicated people—a delicate balance at best.

This issue of ACM Queue attempts to deal with compliance head-on, but admittedly only scratches the surface. Compliance generates subtopics like a rabbit generates bunnies, so if there is a compliance-related topic we haven’t covered that you would like to read about, please let us know.

On a totally unrelated note, this month’s issue also features the debut of a new monthly column devoted to technology outside the workplace. Geek@home explores how technologists can—and do—use their wares to improve their lives and the lives of those around them. Contributor Mache Creeger kicks things off with his internal argument over installing a terabyte server in his home. The column promises to be an interesting and mostly lighthearted read, and might even offer a few takeaways to spur you into action. Again, let us know what you think, and what you would like to read about.

Keeping up with compliance is a difficult and consuming task. In this instance, however, I’d rather have real rules than Calvinball.

CHARLENE O’HANLON, editor of ACM Queue, believes everyone could benefit from a good game of Calvinball. You can reach her via e-mail at [email protected].


Originally published in Queue vol. 4, no. 7

© ACM, Inc. All Rights Reserved.