Almost every IT product out there – especially when you get to the enterprise level -- includes some form of compliance module or report. Some of them are useful, some not so much. Whether they’re helpful or not, compliance is a tricky issue you’ve got to be familiar with. Among other things, you have to undertake some careful thought about what you are actually complying with, and for whom:
- The particular government regulations that cover your industry.
- Your legal or audit departments who have asked for the reports.
- A sense that you are trying to keep your network secure and personal information from getting into the wrong hands.
- Monitoring your external communications.
- Some combination of all of the above.
Dozens of different firms are vying for dominance in this space. Still, what’s obvious is that a lot of people don't understand what compliance audits are and how often they should be done.
Take the case of Francesca Holdings' CFO Gene Morphis. In March 2012, he
sent out tweets about his board of directors meeting. While the tweets seem innocuous, he was challenged by the SEC about providing earnings results ahead of the official announcement. He was fired two months later. There are a number of data leak protection products and social media monitoring products that have compliance features. Let's take a look and see how a few rise above the norm.
- Compliance is a state of mind, not a destination. You need to be continuously monitoring things: your company’s social media posts, emails, websites and conversations with customers and suppliers. "Employees now have an easily accessible channel where they can represent their companies to millions of fans, followers, and subscribers,” says Eric Berkowitz, a senior product manager at social monitoring software vendor Tracx. Like other tools in this genre, Tracx has custom approval chains that can be embedded so that content is filtered through channels such as PR or Legal before going live.You also need to be monitoring your business-related accounts on a continuous basis to ensure no violations happen. Someone or something should always be watching.
- Know the rules. "Before you encourage your CEO to start posting your company’s financial reports or latest product releases to your social media channels, make sure you both fully understand all the rules and regulations surrounding social media in your industry," says Gremln's CEO Ryan Bell. His company has put together this handy page of links to financial services compliance regulations that pertain to social media."Depending on the regulatory body involved, there are various guidelines. Some equate social media to email and other communications regulations. And it is rapidly changing, too," he points out.
- Compliance is for everyone. "It isn't just college interns who are tweeting,” says Bell. “No matter how high a level executive you are, you still can make mistakes.” Training and understanding the broad impact of every employee's actions is critical.
- Don't forget about mobile. These days, more and more work gets done via mobile devices. Many traditional Data Loss Prevention tools don't capture what’s going on there, especially since many employees are using personal phones for work. "You need real time feedback and [must] be able to track changes to the states of your mobile devices," says Tyler Lessard, a product manager at Fixmo. The company’s Sentinel tool ensures that all of your mobile devices start and remain in a trusted state.
- Don't forget about the cloud. Finally, tech services company SunGard points out that most compliance approaches only cover physical infrastructure and facilities – not the cloud. Like many providers, the company offers services that try to close this loophole. Be sure to investigate the possibilities for your company. If you don’t, you haven’t done your job.