Cloud and mobile computing make IT compliance more complicated and demanding. Here's what it takes to satisfy the required regulatory oversight of data.
Mandatory regulations governing data security, access, and usage are increasingly complex and prominent in IT. With the very public issues of the Target breach and the Edward Snowden case, compliance is likely to be an even more important consideration moving forward.
Every enterprise must deal with regulatory compliance, though some industries (e.g., healthcare and human resources) more than others. For instance, in healthcare, personal data sharing is increasing.
Several technologies have proliferated rapidly, creating significant complications for compliance. These changes call for specific IT-related skills in a compliance officer.
More and more is going into the cloud, and for obvious reasons: It's cheaper, more accessible, and more flexible from a design standpoint. Public access in particular benefits from cloud deployment of enterprise content.
But the cloud presents new challenges to the compliance officer: Those servers host regulated content, but the servers are not under the compliance officer's control. And, making matters worse, broad standards for cloud security (with respect to federally-mandated data regulation) are not yet mature.
The first skill a compliance officer needs, then, is the capacity to screen potential cloud-based data hosts for satisfactory security and methodologies.
The second skill is the knowledge to manually compensate, in designing and implementing data security, for inadequacies in selected cloud's standard administration.
Increasingly, sensitive records (especially those accessible by the public) shift from mass storage access to local storage access for temporary reasons: Regulated records available to their public owners, for instance, are used temporarily in government or industry studies.
Variable rights management of those records is an issue, and a compliance officer must oversee those rights for limited terms. This requires the compliance officer to study up on access rights to limited bodies of data along two axes: limited rights-by-user and rights expiration. In some cases, different instances of these deployments might run concurrently, making compliance even more difficult. The third skill, then, is dexterity in implementing rights management.
Compliance must also take into account the increasingly mobile surfacing of sensitive data. Sensitive information that is regulated is now being surfaced not only within the secure confines of company HQs, but on mobile devices everywhere.
This means acquiring the skill of understanding multi-channel content surfacing, the details of which vary platform-to-platform, content-wise. SharePoint 2013, for instance, has multi-channel content delivery, and the details can determine what sensitive content can reasonably be offered via mobile channels and what can't.
Finally, there are selective rights. Many mandatory regulations discriminate between documents (which are subject to change) and records (which are generally static), and require different handling of each. An increasingly common scenario is that regulations require records and documents to be physically segregated in different repositories on different servers.
The compliance officer must be capable of understanding and planning the appropriate hosting of sensitive data of differing types, appropriately segregating data, advising on its usage, and influencing design decisions as necessary.
These skills go far beyond the purview of compliance requirements from not so long ago. But the enterprise that gets there, and the compliance officer who is ready for this new order, will excel.
- Cloud security and compliance trends in 2015, according to Vormetric's C.J. Radford
- Personal data access opens new doors for patients and consumers
- Businesses taking PCI compliance more seriously: Verizon (ZDNet)
- Electronic Data Retention Policy (Tech Pro Research)
Note: TechRepublic, ZDNet, and Tech Pro Research are CBS Interactive properties.