“Compliance” is a term that covers a whole spectrum of legislative and regulatory requirements. Organizations of every kind are subject to requirements such as the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX) and similar mandates. Non-compliance with any of them can prove expensive, paralyzing and enervating. But complying with all of them, whatever the cost or effort, is a challenge that must be taken up in the long-term interest of the organization.
To begin with, let us list some of the long-term implications of non-compliance. The list can be long or short depending on the type of organization reviewing its compliance program. At a minimum, it would include:
- Loss of business privileges
- Criminal prosecution
- Inability to meet stakeholder expectations
- Broken networks
- Loss of revenue
- Customer dissatisfaction
Compliance legislation is focused on data security. HIPAA (the Health Insurance Portability and Accountability Act) imposes heavy penalties for insecure data storage practices that can result in a security breach. Breach of service level agreements (SLAs) by Cloud backup service providers attracts penalties, under several pieces of legislation, on all parties involved. Misconfigured network settings can attract penalties under PCI DSS. Gaps in data management and practice can leave organizations exposed to financial penalties from regulatory authorities. The same gaps can open up enterprise information repositories to cyber threats, external attackers and disgruntled insiders.
Ease of e-discovery is the mantra of compliance legislation. Data should be organized so that it is easily discoverable. The implication is that enterprises storing their data on local servers or in the Cloud must ensure that the data is well annotated with relevant metadata and can be identified and recovered at all times and under all conditions.
IT departments shouldering the burden of resolving trouble tickets and instituting compliance processes will be the first to agree that organizations need support from top management to take a compliance-oriented approach to data storage and management, whether locally or in the Cloud. Top management support implies that the organization must draft and implement a clear compliance policy and institute all measures required to ensure an appropriate level of compliance. These policies must be periodically reviewed and brought in line with current legislative requirements, and implementation issues must be handled promptly.