The SOX Challenge

Turning a Regulatory Hurdle into a Competitive Springboard

Whenever a major, new compliance regulation appears it is, perhaps, human nature to see it as yet another hurdle in the race for corporate profitability. When Sarbanes-Oxley was introduced, it was no exception. Companies focused primarily on the costs of complying (and the potential costs of noncompliance), rather than on the corporate benefits of meeting Sarbanes-Oxley requirements.  

Now, that’s starting to change. Today, forward-looking enterprises are beginning to realize that the same steps required to achieve SOX compliance also provide some pretty compelling business benefits (beyond simply avoiding legal snags). Could these companies be on to something? Is SOX compliance the leading edge of a new phase of positive business practices? Could it be that by strengthening their compliance posture these enterprises are also strengthening their competitive posture? If that’s the case, companies who view SOX in a positive light may be giving themselves a valuable edge.  

When SOX was first introduced, it was difficult for businesses to take a long-term view of compliance. The compliance clock was ticking. CEOs and boards of directors took this new law seriously...and personally. Public companies were scrambling to sort through the myriad requirements of SOX, touching almost every aspect of their business—beginning with the corner office. The SEC had discovered an effective strategy for inspiring corporate action: threaten executives with stiff penalties, including jail time, for non-compliance. Suitably inspired, these same executives made SOX compliance priority #1. The work was all-consuming.

Since then, things have settled down a bit. As companies have achieved SOX compliance and honed their systems and processes to keep them in compliance, they are now able to step back and take stock of the real effect of SOX on their enterprise. The insights may surprise them.  

Beyond the billions of dollars spent on compliance initiatives, what effect has SOX had on the American corporation? To answer this question, it is helpful to take a look at the bigger picture and examine the core issues and evolving business environment that gave birth to these regulations which are, in many respects, changing the way we do business.

For those of us over the age of 40, it is easy to remember the age of paper (perhaps you fondly recall the department filing room). But those days are dead and gone. Today, you don’t have to be at the “bleeding edge” to realize that virtually all of our critical assets are now electronic—from sensitive consumer personal information to proprietary product designs and financial records; even the fundamental business processes and procedures that keep businesses running in our 24/7 world. Companies that once saw the machines on the manufacturing floor as their core assets are now recognizing their company’s real value lies in the computer models that drive these systems, to say nothing of the intellectual property that makes their products unique. The very nature of critical corporate assets has changed and business will never be the same. This is important, because the way we view business assets affects how we and how others outside of our organizations define our value, our risks and our responsibilities.  

This gradual change to this new form of fungible currency—electronic information—has marked virtually every aspect of society, around the globe. The many new laws around the world requiring that personal information be protected and that the integrity of critical data be assured are indications of this recognition. SOX is just one more signal that information is power, digital information is even greater power...and with that power comes both tremendous opportunity and tremendous responsibility.  

This helps explain why virtually every interaction where valuable information is exchanged is increasingly being regulated. This trend, which is only likely to grow, is forcing companies to pay close attention to their information assets, including the information entrusted to them by customers, partners and others. They need to know where these valuable assets are and what is happening to them—at all times. Companies that do not have a firm handle on the disposition of electronic assets will hurt their businesses. Regulators are demanding that companies have enough visibility into their data assets to identify quickly when something goes wrong and enough information to correct the problem. Visibility, in fact, is the underlying requirement of every information protection law, whether it’s SOX, Gramm-Leach-Bliley, HIPAA or the European Privacy Directive. But what does “visibility” mean when we’re talking about data?

Put simply, visibility is knowledge. Most compliance requirements center on knowing what has happened to the regulated data. In order to have that knowledge, a company must: 1) identify which information is relevant to the regulations, and 2) demonstrate that it knows who is doing what to that information and when. In the process of addressing these critical compliance regulations, the company will discover important, new things about this critical information. Savvy companies will learn how to turn this new knowledge to their advantage.

Viewed in this context, SOX is just the catalyst for an even more important strategic imperative: data governance. Focusing on data governance as a new discipline will allow rapid, cost-effective compliance with virtually any new regulation that comes down the pike—while enabling the companies that practice it to reap significant internal benefits.  

So how do you achieve strong data governance? Many companies find that the COBIT and ISO 17799/2005 frameworks provide guidelines that are very useful in helping them determine how to think about the root requirements of compliance regulations and data risks. These frameworks were specifically developed to help large organizations protect and harness information assets. For anyone with responsibility for stewardship of information resources, COBIT (www.isaca.org/cobit) and ISO 17799/2005 should be considered required reading.

There are also other industry groups working to develop best practice models for managing and optimizing information assets. One such group is the Data Governance Council, formed by IBM. These groups are working to help establish methodologies to make critical information more accessible, while ensuring its security and integrity. The processes these groups promote, based on a strong recognition of the value of data assets, can provide a framework for driving the critical transformation all organizations must address sooner or later: realizing and taking advantage of the value and competitive importance inherent in their critical data assets.  

So is SOX a hurdle...or a springboard? It all depends on how you view the world. Companies that don’t want to be left behind focus not just on the accumulation of data, but on an understanding of its value. These forward-looking organizations don’t view SOX as a nuisance, a hindrance or an unrecoverable cost. They see it for what it is: a powerful catalyst for waking up your organization and helping spark the transformation from being merely a trustworthy fiduciary of information to an organization that’s a major beneficiary of it.

Copyright Tizor Systems 2007