Embrace system compliance before it's too late

Having the right compliance policies, whether they cover Sarbanes-Oxley or Web-based e-mail, can keep an enterprise running smoothly -- and an administrator out of hot water.

Lax e-mail and document retention policies, unsecured servers and inadequate backup plans can land an administrator in the unemployment line, on the witness stand or even in jail. Avoiding such a fate means knowing the basics of compliance.

Christopher Byrne, of the Assurance and Compliance Practice at The Cayuga Group LLC, gave administrators several tips for staying ahead of the game during a breakout session on the first day of Admin2005, the Notes/Domino education and training event in Boston.

Obvious compliance issues stem from regulations like the Sarbanes-Oxley Act, Basel Capital Accord (Basel II), Health Insurance Portability and Accountability Act (HIPAA) and privacy laws, which differ depending on which continent you do business on.

However, Byrne said, compliance also involves internal policies governing the use of instant messaging, Web mail and music files. If an employee is fired for spending too much time in personal e-mail, even though the "no Web-based e-mail" rule is rarely enforced, there could be trouble -- especially if the admins themselves break that rule. "In this current environment, your management will not tolerate it," Byrne told a group of about 50 admins from both public and private companies. "You may think you have great policies in place, but you don't."

The first step toward achieving compliance is risk assessment. "Risk assessment is a subjective process. There's nothing objective about it. It should always be the first thing done," Byrne said. "Risk can never be totally eliminated." He divides risks into threats (financial loss, blackmail, sabotage and disclosing confidential or embarrassing information) and vulnerabilities (compromised passwords, ill-defined policies and a lack of end-user training).

An internal system audit, involving every department within an enterprise, will identify threats and vulnerabilities, Byrne said. Create a user survey on topics like e-mail use, then use the results to build or amend your policies and save them in a Notes database. Even if management knows the risks are there but opts not to do anything about it, Byrne said that's better than not knowing the risks exist at all.

Byrne recommended as a good source for risk assessment process documents. AuditNet is a Web portal for auditors.

Another important step toward achieving compliance involves control frameworks, the best of which is COBIT (Control Objectives for Information and related Technology). More information on COBIT is available at "[COBIT] is the only standard generally accepted by auditors across the board," Byrne said. "It gives you a reference framework for management and users [as well as the] IS audit, control and security practitioners."

Byrne said there's no shortage of examples of what happens when control frameworks are missing -- payroll data ends up on the external Internet, the wrong people get access to Social Security numbers or steamy e-mail messages between adulterous colleagues go public and embarrass the entire company.
