January 19, 2007
One reader's response to my Weighing the Cost of Compliance article
One reader's response to my Weighing the Cost of Compliance article:
Dear Roger:
A bit behind in my reading, I just came upon your piece “Weighing the Cost of Compliance” in the 8 Jan issue. You suggest “hold your nose as you overspend” on regulatory compliance.
There is another way, especially when dealing with overlapping regs. It’s Risk Management, and it is something I deal with every day in terms of surviving regulatory audits – and litigation eDiscovery requests as well.
Even if an organization could bring their risk of non-compliance down to zero, it might not be cost effective. Given two overlapping regulations, the penalty for transgressing one might be an acceptable risk, the figurative slap on the hand. Conversely, the penalty for the other might be a massive fine or even executive imprisonment. Does it make sense to treat the two regulations equally?
I am not suggesting ignoring regulations. I am saying, “Manage the risks.”
And in self-interest, I must say that Records Management is one of the best, most cost-effective ways to manage the risks.
If you would like to discuss this further or, perhaps, write about it, please contact me.
Thanks for your work.
Posted by Roger Grimes on January 19, 2007 07:16 AM
COMMENTS
Security has long been talked about but the reality is that passwords are taped to the underside of the keyboard, doors to the data center are left blocked open and security is only really in place when the auditors show up.
The shotgun wedding of records management and information technology is being forced upon us to protect the shareholders and directors of corporations from the disconnect that now exists between RM and IT. The IT staff see the media as just backups and see no value, other than as backups.
The courts see the backups as records and require that they be searchable, organized and, for the corporations' sake, aligned with a legal retention schedule. IT then shakes its head when the notice of discovery lands on their desk.
New software, like Index Engine or Cassion or others not developed yet, will provide the ability to sort the records out of this jumble; much like a coin sorter takes a jumbled bag of coins and sorts them into nice little rolls of the same denomination. Order from chaos. Now the courts, through the intervention of a robust link between records management and IT, will be able to access the records; and the auditors will be able to affirm the integrity of the collection.
But somewhere along this merry path that IT marches, someone needs to develop servers that do not run so hot they are a risk to themselves (and no mechanical contractor can cool properly) and the media needs to be more stable so records are protected for years and years, not months. Apple is the first to show some common sense and ingenuity as they have developed servers that run cool. Now that is something that risk managers should bring up at the next security meeting. The IT people seem only concerned with density and speed and now we live in a world of Etch-a-Sketch stability for our records.
I expect the next step is the courts will rule that media needs to be able to survive to 25 years or so and the servers need to be capable of "not" posing a risk to themselves. Common sense, but no one from the IT community will attempt it until they are forced to comply and an auditor verifies it.
Posted by: Hugh Smith at January 22, 2007 07:04 AM