Thou Must Comply: Industry Regulations Push IT

Article ID: 63892

Like small boats in the open sea, over the last several years businesses of all kinds have been rocked and battered by new and powerful industry regulations. Some of the regulations are annoying little squalls while others are Category Five hurricanes like the infamous Sarbanes-Oxley (SOX) and HIPAA regulations.

The regulations, large and small, have had a profound effect on IT, the department most organizations tap to decipher the esoteric regulations, find ways to implement them, maintain them, and basically cover the backsides of C-class executives.

Often enough, the regulations are frustratingly vague and require sweeping enterprise-wide changes. For small companies, the regulations can equate to big costs--tens of thousands of dollars for projects that don't necessarily show any tangible return on investment. For midsize companies, the costs often start with six figures and ramp up into seven, while multinational corporations are hit from all corners of the globe. Enterprise Resource Planning (ERP) solution providers have created new modules to help their customers meet requirements, and software change management companies have provided solutions for handling custom applications in consistent and auditable ways.

Industry regulations, however, aren't all bad--some bring sunshine and bright blue skies.

So Many Terms

Most of the industry regulations are referred to by their acronyms, and some have more than one acronym, but all of them tend to be lumped together under the topic of Governance, Risk, and Compliance (GRC). The GRC acronym includes regulations, business operations, documented standards, audits, best practices, people, documented procedures, assessments, continual improvement, architecture, and frameworks. The terms overlap and GRC is often just a vague moniker used to describe the things companies must do to make someone with a big hammer happy.

Still, smart companies take GRC seriously and are not only able to meet industry requirements faster than others, but are also able to use their resources to deliver business value faster: By being proactive, you can skirt the storm, avoid survival mode, and focus on your destination.

You've Got to Prove It

It's one thing to claim an organization is compliant with a regulation, another thing to actually be compliant, and an entirely different third thing to prove it. At the core of most regulations is the need to prove compliance, and that means an auditor has to understand what IT is up to as well as which business processes are followed and which are unavoidable.

Because we're talking about regulations that affect data in some way, IT is charged with creating solutions. In years past, notes John Earl, chief security officer for i Security Experts, companies would talk about good security or best practices for security, and they would implement some security on an ad-hoc basis. Enterprise-wide security was more often akin to a leaky boat than a tight ship. Regulations, it turns out, have patched more than a few holes.

"When you talk about security in terms of compliance, it becomes a must. You don't have options or leeway," Earl says. "You just have to do it."

Two Kinds of Regulations

There are two basic kinds of regulations: those handed down by governments or their regulatory bodies, and those created by powerful businesses. Many manufacturers or companies that work in supply chains for retail giants, for example, face de facto industry regulations that have come from heavyweights like Wal-Mart, Home Depot, and Lowes. And what do most companies get for complying? The privilege of simply being able to continue doing business with their biggest customers.

"When a government agency creates a regulation, they tend not to be very specific," Earl says. While we're seeing the tail end of Sarbanes-Oxley--because most of the affected organizations are already compliant--Sarbanes-Oxley is a good example of vagueness.

"SOX doesn't even address IT directly," Earl says. "There's a section that says executive management must have someone externally testify that there are adequate internal controls in place."

And that means an auditor, who basically looks to make sure that no one can get into a public company's books and tamper with the data. So how is an auditor supposed to do that? And how does IT even begin to prove that no one can tamper with the company's data?

"Auditors don't look at i5/OS or Linux or any other operating system, they look at frameworks," Earl explains.

There are three key frameworks: COBIT (Control Objectives for Information and related Technology), ITIL (Information Technology Infrastructure Library), and the ISO/IEC (International Organization for Standardization and the International Electrotechnical Commission) 27000-series of information security standards.

"If you apply those standards to your systems, you can make some accurate assumptions about how well the system can be managed," Earl notes.

Still, navigating regulations and arriving at compliance varies widely in difficulty. SOX, for example, focuses on the integrity of financial data at public companies (and often, by proxy, at private companies that do business with public companies), while HIPAA (Health Insurance Portability and Accountability Act) focuses on the medical field and covers privacy. So social security numbers, patient names, and health data must not only be secured but also have controls in place that keep the data out of reach of anyone who doesn't actually need it.

"HIPAA has really affected businesses," Trevor Perry, an IBM i-focused consultant and CTO for KMR Systems Corporation, says. "Some IT departments have to change all the applications that show a social security number--and lock down who can see that information. So businesses are spending money in direct relation to an industry regulation," he explains.

"Data privacy is particularly tough," Earl notes. "When you look at it from a System i or IBM i position, one way is to put in triggers so that every time someone reads something with private data, it creates a data log. That's going to create a voluminous data log, but I can't think of anyone who knows of something better."

Of course, this means IT has to beef up processor, power, and storage. Encryption helps too: encrypted data can't be misused by someone who gets hold of the file without the key. But some employees still legitimately need the private data, which then has to be decrypted for them, and each decryption should also produce an audit record. The trouble is doing all of that quickly and easily, and even then it comes down to an element of trust: an employee who is allowed to see the data can still scribble identity or account numbers onto a low-tech sticky note.
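The control described above (a private field stored encrypted, decrypted only on request, every read producing an audit record, and a masked value for anyone who doesn't need the full one) as an added Python example. It is not code from the article or from any product it mentions. The HMAC-SHA256 counter-mode cipher is a stand-in so the example runs with only the standard library; in production use AES-GCM from a real crypto library. The role names, record ids and SSN values are constructed, and the role-to-disclosure policy is an assumption. The access_summary roll-up is the kind of thing that keeps a per-read log (the "voluminous data log" Earl describes) usable by an auditor.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed policy: only these roles see a full SSN; everyone else gets a masked value.
FULL_VALUE_ROLES = {"benefits_admin"}


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF (use AES-GCM in production)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(enc_key: bytes, mac_key: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(enc_key: bytes, mac_key: bytes, blob: bytes) -> str:
    """Verify the tag before decrypting; a tampered blob or wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def mask_ssn(ssn: str) -> str:
    """Show only the last four digits to roles that don't need the full number."""
    return "***-**-" + ssn[-4:]


@dataclass(frozen=True)
class AuditEvent:
    when: str        # UTC timestamp of the read
    user: str
    role: str
    record_id: str
    disclosure: str  # "full" or "masked"


class PrivateFieldStore:
    """Holds one encrypted private field per record and logs every read of it."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self._enc_key = enc_key
        self._mac_key = mac_key
        self._rows: dict[str, bytes] = {}
        self.audit_log: list[AuditEvent] = []

    def store(self, record_id: str, ssn: str) -> None:
        self._rows[record_id] = encrypt_field(self._enc_key, self._mac_key, ssn)

    def read_ssn(self, user: str, role: str, record_id: str) -> str:
        blob = self._rows[record_id]
        disclosure = "full" if role in FULL_VALUE_ROLES else "masked"
        # Log before returning anything, so a failed decrypt is still recorded as an access.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, record_id, disclosure))
        plain = decrypt_field(self._enc_key, self._mac_key, blob)
        return plain if disclosure == "full" else mask_ssn(plain)

    def access_summary(self) -> dict[tuple[str, str], int]:
        """Reads per (user, disclosure): the roll-up an auditor can actually review."""
        counts: dict[tuple[str, str], int] = {}
        for event in self.audit_log:
            key = (event.user, event.disclosure)
            counts[key] = counts.get(key, 0) + 1
        return counts


if __name__ == "__main__":
    # Constructed demo keys and data; real keys come from a key manager, not a script.
    store = PrivateFieldStore(enc_key=os.urandom(32), mac_key=os.urandom(32))
    store.store("emp-1001", "123-45-6789")
    print(store.read_ssn("alice", "benefits_admin", "emp-1001"))  # full value
    print(store.read_ssn("bob", "help_desk", "emp-1001"))         # masked value
    for event in store.audit_log:
        print(event)
    print(store.access_summary())
```

The store never hands out the plaintext without writing an audit event first, and the masked path still decrypts (and is still logged), so the log answers the auditor's question of who touched which record and what they were shown.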

Widespread Reach

HIPAA, it turns out, ranges farther than your local hospital, quick care facility, and insurance company--employers can fall under the HIPAA umbrella, but so do many schools and universities that have student health services onsite. Because healthcare and health-related privacy is such a public hot-button issue, it's more likely to result in legal action that brings courts into play that help define the law, which can set precedents for the kinds of controls organizations must put in place. For example, if a court determines that the use of encryption is an industry best practice, then a company not using encryption for HIPAA-related data better sit up straight and start taking notes.

The hard part, of course, is that there's no single court (or classroom) for industry regulations.

More Than SOX and HIPAA

It's not all a SOX and HIPAA world, of course. The Gramm-Leach-Bliley Act (GLBA) lets financial and insurance companies merge and run retail banking, investment, and insurance operations under one roof--but it also requires those operations to safeguard customer financial data and limit how it is shared. And for companies looking at merging, some provisions can block a merger if, for example, one of the parties received a less than satisfactory rating on its Community Reinvestment Act (CRA) exam. You dizzy yet? For IT departments firmly entrenched in the financial and insurance sectors, there are, no doubt, even more regulations to watch out for--and what might come next? After the mortgage industry meltdown in the U.S., the current administration will no doubt usher in new regulations that IT will have to understand and implement.

Meanwhile, plenty of states have their own regulations that reach out and touch IT operations. Nevada, for example, has its State Gaming Control Board, which sets Minimum Internal Control Standards (MICS) and updates them regularly. Casinos, of course, must follow the MICS, and IBM i-based systems, by the way, are widely used in the gaming industry.

In California, the state has passed a variety of consumer privacy and data protection laws. Senate Bill No. 1386, for example, is particularly interesting--and troublesome. It requires any business that stores personal information about California residents electronically to notify those residents of a security breach if unencrypted personal information was acquired by an unauthorized person. What's particularly wild about this law is that it extends to companies doing business in other states--if a company in Georgia, for example, has a security breach and has customers in California that are affected, the company in Georgia is required by the California law to notify its California customers. While California's enforcement across state lines isn't particularly clear, the state does seem to make it easy for affected customers to launch class action lawsuits. And it's not hard to imagine how badly such a suit could shake out for a company playing fast and loose with customer data.

California's data-breach notification laws aren't exactly static, either. There's new legislation pending that could require companies to provide more detailed information in their breach notification letters to consumers.

In the energy sector, utilities have faced increased regulation for managing reliability--remember the blackouts of years past? More recently, utilities are coming under new scrutiny to make smarter grids that are more secure against terrorist threats.

In Canada, for example, IBM i-focused solution provider LANSA has a pair of customers that are frequently affected by Canadian regulation changes--Children's Aid Society and Ontario Student Assistance Program. "Every year the government changes the rules for how they operate and we help them react," notes Eden Watt, vice president of professional services for LANSA. "I don't think this behavior is unique to Canada, and as with any government functional area, changing legislation and change in power are both constant . . . this means ongoing changes to the [IT] systems."

Big Retailers Wield Power

Wal-Mart, for example, basically pushed its supply chain business partners to start using the Global Data Synchronization Network (GDSN). There was little real choice but to comply, because the alternative was to be replaced by a competitor and lose Wal-Mart's business. Other big retailers, like Lowes, have adopted similar requirements for their supply chain partners--and in some ways, everyone has benefited: the retailers have reportedly eliminated lengthy manual paper processes in favor of instant and more accurate electronic methods.

But not all is easy. Home Depot, for example, has its own proprietary solution for its suppliers, HomeDepotLink. So who has to figure out the nitty-gritty integration details? IT.

Payment Card Industry

While many consumers aren't particularly happy with their credit card interest rates and terms, there's a whole Payment Card Industry (PCI) group that's dedicated to making the entire infrastructure work, and more pointedly, to protecting consumer data and preventing credit card fraud. Lots of businesses, it turns out, retain credit card numbers on their servers in their customer databases, and those servers aren't particularly secure. Some even keep expiration dates and the little three-digit number on the back . . . both of which make it easy to use the card without actually holding it. Perfect for hackers to use or sell.

"In the payment card industry, those folks got together and said to the retailers of the world, 'We are tired of losing billions of dollars a year to credit card fraud,'" Earl notes. "They studied it, and they determined that most of the fraud is from data sitting on servers, and not only is it unencrypted, but the public has change rights to it. I've demonstrated to C-level management that, with just a low-level user name and password, I can deliver a list of credit card numbers on their desk in under five minutes--and most of that is printing time."

The net result? Retailers have had to change their habits by either not storing customer credit card data or by adequately securing and protecting it. If they don't, they risk losing their access to retail credit card processing--how's that for a big stick?

New Hardware, New Services

Stan Staszak, director of System i/x products for Sirius, an IBM Premier Business Partner, says that industry regulations like HIPAA and SOX have led to CIOs who are very motivated to become compliant with their particular regulations.

"As a result, we have seen a spike in tape encryption strategies--even some encryption on disk and/or VTL," Staszak says. "We have also seen a rise in online data archival, especially e-mail, that customers are typically saving to Tier 2 or 3 storage. This really necessitates a good deduplication product, like the IBM ProtecTIER deduplication appliance or NetApp's DeDup offering," he explains.

"From a consulting perspective, security audits are definitely a hot competency," he added.

Sunshine and Light

There's a tendency to bemoan industry regulations--how many companies have spent untold millions and billions on compliance efforts that, at the end of the day, don't give them a direct return on investment?

Wall Street confidence in public companies might not be particularly high right now, but at least it's not so much about worrying that corporations are altering their books to hide their performance. And what of multinational crime organizations that are finding it easier and safer to hack into companies than running illicit drugs? For the good of the world, who doesn't believe that customer credit card and identity data sitting essentially in the clear on a computer in Iowa is a bad thing? That’s right--sometimes, in the big picture, these pesky regs aren’t so bad after all.

Chris Maxcer (chris.maxcer@penton.com) is news editor for System iNEWS. "Some of these regulations attempt to make businesses more efficient, and some are designed to keep the really bad nasty guys locked out," he says. "But others are designed to keep your colleagues from doing stupid things--who knows what a guy might do to pay off a bad gambling debt, and when push comes to shove, what if someone's kids are hungry? What data might be stolen and sold? As John Earl noted in our conversation, 'When you do security right . . . you can save a good person from a really bad decision.'"

Great point about Compliance Evaluator and other compliance monitoring products, Eli -- thanks for pointing out this growing segment of solutions!

I really enjoyed reading your article and will be forwarding it to people inside our organization and to our business partners worldwide. I think it's an excellent, short and understandable synopsis of how IT can answer to industry regulations.

In your prologue, you write "ERP solution providers have created new modules... to meet requirements, and software change management companies have provided solutions...".

Let's not forget companies such as ours who have combined existing network access, QAUDJRN monitoring and multi-system administration capabilities into a single product (ours is called Compliance Evaluator), which provides a one-page color-coded synopsis of how well an enterprise, including all or a subset of its systems, complies with specific (SOX, PCI, HIPAA, etc.) industry regulations.

A C-class executive, having been motivated, as Stan Staszak correctly points out, to become compliant, will receive a single report, with both summary and detail capabilities, relating to the compliance level of the organization; this is the ultimate "backside cover" you refer to!

IT management will proactively monitor compliance by scheduling such reports to run at pre-determined times and auditors, both internal and external, will have what they need to easily "understand what IT is up to".

John Earl's comment about data privacy, what we call application security, is also well taken. Although triggers can potentially create a very large data log of accesses to business critical data, there are ways to turn this capability into a manageable and valuable feature; we've implemented this in our AP-Journal product and are extending an existing capability to summarize and graphically display this valuable information as well.

As John correctly states, "security in terms of compliance is a must", for companies of all sizes and in all industries.
