
Tag Archives: Compliance

2015 Compliance Predictions

Highly regulated industries, from healthcare and financial services to government agencies, have long had to make compliance part of the bread and butter of the organization. Now, with increased global regulation, public and private companies, regardless of industry, face the same compliance requirements, and with good reason. Consumer data is valuable, and with both malicious and accidental breaches occurring regularly, customers and governments alike are demanding protection. In 2015, new regulations, changes to compliance requirements and general trends will reshape many markets. Here are some of our predictions.

5 W’s of ITAR and EAR Compliance in SharePoint

If you are using SharePoint and need to comply with, or learn more about, ITAR and EAR, read our five W’s to help you ensure compliance with these strict regulations.

ITAR, the International Traffic in Arms Regulations, is issued by the United States government to control the export and import of defense-related articles and services on the United States Munitions List (USML). In short, the U.S. Government requires all manufacturers, exporters and brokers of defense articles, defense services or related technical data to be ITAR compliant. Technical Assistance Agreements (TAAs) are ITAR-governed contracts between parties; access to and transfer of TAA documents must be restricted to authorized persons only.

Life, Liberty and the Pursuit of Compliance

As we head into the Fourth of July weekend in the US, I started thinking about the Declaration of Independence and the well-known phrase “Life, Liberty and the pursuit of Happiness”.

This got me thinking about the industries we support and the many regulations our customers must comply with in order to keep their customers’ and employees’ personal information safe. These compliance regulations are designed to support the idea that you should be free to pursue your life in an information-driven, digital world without jeopardizing your privacy.

Data Breaches: How Safe is Your Private Information?

Privacy is so important that a quick Google search on “data privacy” shows the EU, US, UK, Australia, France and Germany all putting new laws in place or debating new privacy concerns to ensure personal data is kept safe.

That does not, however, stop data breaches from occurring. As of February 18th, the Identity Theft Resource Center had reported 93 breaches in 2014 with 1,879,313 records exposed in the US alone. On the other side of the pond, the NHS admitted that there is a risk of patients being identified from the data in a newly launched central database. The high-profile Target incident, as well as other breaches involving protected health information (PHI), leaves you wondering: how safe is your private information?

Healthcare IT Priorities: Patient Data and Meeting Regulatory Requirements

The InformationWeek 2013 Healthcare IT Priorities survey showed that “more than 60% of health IT pros…cite managing digital patient data and meeting regulatory requirements among their top priorities, rating each a 5 on a 1-to-5 scale.”

The survey also highlighted that healthcare IT pros are struggling to keep pace with the change in the industry. One respondent said, “Most healthcare CIOs are supportive of the majority of the new functional requirements that are being forced on us. However, federal requirements are coming too many, too fast. … The rate of change is such that systems and changes are being implemented less than optimally.”

Another key point within the report is that “less than 15% of healthcare providers have qualified for federal subsidies based on meeting Meaningful Use requirements.” Not only are healthcare organizations struggling to keep up, but they are also losing out on incentive payments.

How can healthcare organizations keep patient data protected, meet regulatory requirements and comply with the Meaningful Use standards to receive subsidies?

SharePoint Security: Comments from the AIIM Survey

In the AIIM report SharePoint Security – A Survey on Compliance with Recommendations for Improvement, author David Jones asked whether respondents had any general comments about their compliance and information security issues. They had a lot to say. We’ve compiled eight responses that caught our attention and added some commentary:

1. “Even though governance is established, compliance is faulty and monitoring is sketchy at best.”

2. “If you want compliance don’t use SharePoint.”

Content compliance and monitoring do not need to be faulty or sketchy. SharePoint can absolutely offer secure collaboration and compliance with the right tools in place. The points below offer a close look at some of the steps and solutions that can assist you.

3. “After migrating content it is difficult to retroactively apply rules.”

Many organizations will face the migration obstacle as they move to SharePoint 2010/2013 or hybrid environments. What matters is that organizations can take proactive steps to clean content and check it against compliance policies both before and after migration, regardless of where it resides. With third-party solutions, compliance and security policies can be applied to scan all the content within the platform. Some policies will be based on regulatory and industry standards, while others will be custom to the requirements of a specific organization. Rules can be set up to determine what happens when confidential or regulated content is discovered: restrict access to it and control what actions can be taken with it. This helps ensure that all content in SharePoint, new or old, complies with policy. Adding security around sensitive content reduces organizational risk and the threat of breaches.
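To make the "scan content against regulatory and custom policies, then act on what is found" idea concrete, here is an added example written for this page; it is not the code of any product or vendor mentioned here. It assumes a small constructed document library (the sample texts are made up), two regulatory detectors (a US SSN format check and a payment-card pattern backed by a Luhn checksum so that an ordinary 16-digit order number is not flagged), one hypothetical organization-specific marker (an "ITAR"/"export controlled" keyword), and an invented action ladder (allow, log, restrict_access, quarantine) where the strictest matched action wins for a document. Findings carry only a masked value, so the scanner's own report does not become another copy of the regulated data.

```python
"""Policy-driven content scan: classify documents, then decide the action to enforce."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Invented action ladder, lowest to highest: the strictest matched action wins per document.
ACTION_RANK = {"allow": 0, "log": 1, "restrict_access": 2, "quarantine": 3}


@dataclass(frozen=True)
class Policy:
    name: str
    pattern: re.Pattern
    action: str
    validator: Optional[Callable[[str], bool]] = None  # extra check to cut false positives


@dataclass(frozen=True)
class Finding:
    document: str
    policy: str
    masked_value: str  # the full regulated value is never carried into logs or reports


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates real card numbers from other 16-digit strings."""
    digits = re.sub(r"\D", "", number)
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits of a numeric hit; keyword hits are not secret."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:] if digits else value


POLICIES = [
    # Regulatory detectors: SSN area/group/serial cannot be all zeros, 666 or 9xx.
    Policy("us_ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), "quarantine"),
    Policy("payment_card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), "restrict_access", validator=luhn_ok),
    # Hypothetical custom policy: an organization-specific export-control marker.
    Policy("export_controlled", re.compile(r"\b(?:ITAR|EXPORT[ -]CONTROLLED)\b", re.I), "restrict_access"),
]


def scan_document(name: str, text: str, policies: List[Policy] = POLICIES) -> List[Finding]:
    findings = []
    for policy in policies:
        for m in policy.pattern.finditer(text):
            if policy.validator and not policy.validator(m.group(0)):
                continue  # right shape, wrong checksum: most likely an order or part number
            findings.append(Finding(name, policy.name, mask(m.group(0))))
    return findings


def decide_action(findings: List[Finding], policies: List[Policy] = POLICIES) -> str:
    action_of = {p.name: p.action for p in policies}
    decided = "allow"
    for f in findings:
        if ACTION_RANK[action_of[f.policy]] > ACTION_RANK[decided]:
            decided = action_of[f.policy]
    return decided


def scan_library(documents: Dict[str, str]) -> Dict[str, dict]:
    """Scan every document; return its findings and the action to enforce on it."""
    report = {}
    for name, text in documents.items():
        findings = scan_document(name, text)
        report[name] = {"findings": findings, "action": decide_action(findings)}
    return report


# Constructed sample library (made-up content) standing in for a SharePoint document library.
SAMPLE_LIBRARY = {
    "orders/quarterly_report.docx": "Order 1234 5678 9012 3456 shipped 2014-03-01; invoice total 18,400.",
    "finance/customer_refund.xlsx": "Refund to card 4111 1111 1111 1111 for J. Doe, SSN 123-45-6789.",
    "engineering/taa_notes.txt": "ITAR controlled: technical data under TAA 2014-07, do not forward.",
    "social/team_lunch.txt": "Lunch Friday at noon, RSVP to Sam.",
}

if __name__ == "__main__":
    for name, result in scan_library(SAMPLE_LIBRARY).items():
        hits = [(f.policy, f.masked_value) for f in result["findings"]]
        print(f"{name}: action={result['action']} findings={hits}")
```

The order number in the quarterly report matches the card pattern but fails Luhn, so it produces no finding; the refund sheet trips both regulatory policies and is assigned the stricter action, quarantine. Real deployments add more detectors and hook the decided action to the platform's permission or hold API, but the shape (pattern, validator, action, masked finding) stays the same.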

4. “Currently taking a cautious approach until third party tools are in place.”

5. “As with many organizations that are using SharePoint, we know/understand the current and potential risks associated with it, but are still in the process of trying to “get our hands around it” from an organization/enterprise perspective.”

SharePoint can be a mammoth task to secure, and trying to secure it without content compliance and security tooling is close to impossible. Third-party solutions for automated, content-aware compliance and security in SharePoint reduce risk while letting you get the most out of your collaboration investment.

6. “Our organization lacks understanding of what’s actually in SharePoint, from a sensitive/regulated information perspective.”

The best thing about SharePoint is that you can put anything in it, and the worst thing about SharePoint is that you can put anything in it. Organizations need to balance an increasingly social, collaborative environment against regulatory requirements. Many SharePoint sites seem to be a Wild West of unstructured content. But there are solutions that can audit your site content to help you identify and secure sensitive and regulated information, helping you rein in compliance.

7. “Committing resources to tighten and maintain proper security requires a major, visible commitment from upper management to initiate and maintain the effort and incorporate it into the corporate culture.”

There are a lot of important take-aways from this comment. Management buy-in and engagement are absolutely needed to implement proper SharePoint security, but that is too much to cover in one blog post. The emphasis should be on making compliance and security a seamless part of corporate culture. Training takes time, and relying on staff to remember all the rules opens you up to those dreaded “whoops” moments. Using solutions that monitor content for compliance issues, taking the onus off the individual, is the best way to ensure policies are enforced. After all, balancing the need to collaborate with the need to maintain SharePoint security is essential to reducing organizational risk. Read how policy management can impact corporate culture.

8. “Compliance, security and record retention are must haves for us.”

This is the ultimate comment, because compliance and security are must-haves for all organizations using SharePoint. Effective compliance means not only having a governance strategy in place, but also being able to manage risk by identifying issues and potential violations, with a process in place for resolution and fine-tuning. The most effective method for managing compliance and security risk in SharePoint is to protect sensitive information at the file level using automated solutions for classification, encryption and content restriction. To better protect your organization, consider how automated compliance and security products can reduce both the exposure and the amount of human diligence required to maintain SharePoint content security over the longer term.

Read more findings from the report including recommendations on improving SharePoint security or find out how selecting the right content compliance and security solution will help your organization achieve the full benefits of SharePoint by reading Microsoft SharePoint Security: Evaluating a Content Security Solution.


Do You Know Where Your Policies Are?

Guest post by Michael Rasmussen

When an organization fails to manage policies, it quickly becomes something it never intended to be.

Policies define the organization’s governance culture and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships.

Let’s be clear. Policies in and of themselves do not ensure the right corporate culture. Merely creating thousands of policies is not the answer; in the case of policies, often “less is more.” Even when well-written policies are issued, the game isn’t over. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, resulting in the organization ending up in very hot water.

In my experience, policy management processes are in disarray, introducing risk in today’s complex, dynamic, and distributed business environment. The typical organization lacks a structured means of policy management: an inconsistent maze of templates and processes, with policy documents that are out of date (e.g., old versions), unauthorized, and scattered across file shares, SharePoint sites, and other content management systems. Inconsistency in policy management means processes, partners, employees, and systems behave like leaves blowing in the wind. Organizations struggle with policies that are out of date, ineffective, and not aligned to business needs. Policy inconsistency opens the door to liability, as an organization may be held accountable for a policy that is not appropriate or not complied with.

Video: Managing Compliance Risk & Security in SharePoint

Do you know where the unstructured content in your organization is being created, shared and stored?

Are you sure that the sensitive information your business currently manages is secure and only available to the appropriate individuals?

Effective compliance means not only having a governance strategy in place, but also being able to manage risk by identifying issues and potential violations, with a process in place for resolution and fine-tuning.

Watch this six-step compliance and security process, which illustrates how to:

  • Identify Red Flag Risks
  • Establish the Compliance & Security Strategy
  • Design Policies & Deploy
  • Automate Content Compliance
  • Secure Content
  • Report, Remediate & Refine

Getting Your GRC House in Order

In my previous blog, Inevitable Failure: Managing Scattered GRC Information, I argued that success in today’s business environment requires organizations to integrate, build and support business processes with an enterprise view of governance, risk management and compliance (GRC). Without an integrated view of GRC information and processes, scattered and disconnected approaches expose the business to unanticipated risk.

Organizations are focused on improving how they manage risk and compliance. The larger and more distributed the organization, the greater the need for integrated GRC. Strategy must focus on efficiency in human and financial resources, agility to meet the demands of a dynamic environment, and effectiveness at managing risk and compliance.

Effective GRC does not begin with buying a GRC platform. It begins with understanding context, external and internal: the organization’s culture, values, external business environment and internal environment. A strong understanding of context prepares the organization to understand and scope GRC. The goal is to design a GRC strategy that is resilient to change and can adapt and evolve. Companies fail when they lead with a GRC technology platform purchase and only then come back to ask what they were trying to accomplish in the first place.

Inevitable Failure: Managing Scattered GRC Information

Guest post by Michael Rasmussen

Business risk is like the Hydra of mythology: organizations combat risk, and more risk springs up to threaten them. Executives are constantly reacting to risk, and often fail to actively manage and understand the interrelationship of risk across the enterprise. The dynamic and global nature of business is particularly challenging to risk management. As organizations expand, their processes, operations, business relationships and risk profiles grow exponentially.

In regulatory risk, organizations face expanding global legislation with rapidly increasing requirements that burden the business. Organizations face increased fines and sanctions and aggressive regulators and prosecutors around the world. Reputation, social accountability/responsibility and brand protection are also significant compliance and risk management issues.

Reactive, document-centric and manual GRC processes fail to actively manage risk and leave the organization blind to intricate risk relationships. Siloed GRC processes cannot consider the big picture, resulting in complexity, redundancy and failure. Poor visibility means there is no integrated strategy for managing risk and compliance, and no way to be intelligent about risk and truly understand its impact. This results in:

  • Redundant and inefficient processes: A Band-Aid, siloed approach to risk loses an opportunity to leverage and integrate data for greater effectiveness, efficiency and agility. Building multiple GRC systems and technologies also takes time and resources resulting in inefficiencies.