In my last blog post, I discussed the value of metadata and AvePoint Compliance Guardian’s capabilities for classifying and managing metadata. This post discusses Compliance Performance Monitoring as an integral part of your compliance program, whether that program targets an internal standard or an external statute, regulatory requirement, or ISO standard. Any such program needs to follow some basic steps:
1. Establish a Policy
2. Train your Staff
3. Implement the policy
4. Validate Performance
While these are fairly basic concepts, in practice they are what it takes to be successful. In establishing your policy, do not aim for something unattainable, something that is “pie in the sky”. Rather, the policy must be developed to be both manageable and enforceable through controls. This is an important part of your program. Beyond initial training, it is the program manager or officer in charge who is responsible for making sure there is ongoing training and/or refresher training when deemed necessary.
Implementation of the policy must be accomplished with IT controls in mind that make it easier for your employees to be compliant than non-compliant. How will your employees and IT systems protect customer lists and contact information, employee salary information, accounts payable, and/or competitive strategy? Controls around this type of information can be achieved through automation as well. Unfortunately, the final step, validation, is where many companies get into trouble.
Without validation there is no way for a program manager to know whether the policy is working unless there is a serious breach. By the time there is a breach, the damage is done, and in most cases the breach itself could have been prevented. By being proactive instead of reactive, you can protect your secure and sensitive information and your competitive intelligence. Compliance Performance Monitoring is how you take control of your data and implement a data security policy.
There are many ways to monitor your organization’s compliance. First, you should put in place a system that can scan all content: sites, structure, dynamic content, and of course the public and private sources from which this data is available and generated, in accordance with your organization’s policy. Compliance Guardian enables organizations to scan sites and sources ranging from SharePoint to file systems, including the ability to crawl public and private web sites. Regardless of the policy or regulation that you are following, a systematic scan of all existing content and then of all new content is the pragmatic approach to compliance.
In addition, monitoring across different system types can trigger related actions: moving, quarantining, deleting, and tagging content, as well as alerting. This becomes essential because you also have to manage the human element and, unlike machines, people are not perfect and will make mistakes. For example, what if an employee editing a sensitive document saves it to a local file share? She edits the document and, once she is satisfied, saves it back to the secure SharePoint site. The permissions on the SharePoint site ensure that only authorized users can view or edit the document, but the employee has also left a copy of the document on a public drive. So all the permissions that may have been set in SharePoint have done nothing to protect the data, and because of this the organization is at risk.
The antidote to the risk is monitoring. Organizations could scan all new content on their file shares, web sites and SharePoint sites to catch and then move documents that violate policy to a secure location by automatic and/or manual means, as required. Perhaps more importantly, a program manager could log who made the mistake and then assign appropriate training or other related actions to better support the organization policy.
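To make the scan, detect, quarantine and log loop described above concrete, here is an added example written for this post; it is not Compliance Guardian's own code or API. It assumes the "share" is an ordinary directory tree, uses a few constructed regular-expression rules in place of a real classification policy, records a size/mtime fingerprint so that repeat runs inspect only new or modified content, moves violating files to a quarantine directory, and appends a JSON-lines audit record (including a best-effort file owner) that a program manager could use to assign follow-up training.

```python
import json
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed policy rules for this example; a real policy would be tuned to the
# organisation's own classification scheme (these are not Compliance Guardian rules).
POLICY_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "salary_record": re.compile(r"\bsalary\s*:\s*\$?\d[\d,]*", re.IGNORECASE),
    "customer_list": re.compile(r"^customer list\b", re.IGNORECASE | re.MULTILINE),
}

# Only text-like files are inspected here; binary formats would need a real extractor.
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".log"}


def classify(text):
    """Return the names of every policy rule the text matches (sorted, possibly empty)."""
    return sorted(name for name, rx in POLICY_PATTERNS.items() if rx.search(text))


def file_owner(path):
    """Best-effort owner lookup for the audit trail; unavailable on some platforms."""
    try:
        return path.owner()
    except (KeyError, NotImplementedError, OSError):
        return "unknown"


def scan_share(root, quarantine, audit_log, seen):
    """Scan new or modified files under root, quarantine violations, append audit records.

    seen maps file path -> (size, mtime_ns) from earlier runs and is updated in place,
    so repeated runs only look at content that is new since the last scan.
    Returns the list of audit records produced by this run.
    """
    root, quarantine = Path(root), Path(quarantine)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        st = path.stat()
        fingerprint = (st.st_size, st.st_mtime_ns)
        if seen.get(str(path)) == fingerprint:
            continue  # unchanged since the previous scan
        seen[str(path)] = fingerprint
        rules = classify(path.read_text(errors="replace"))
        if not rules:
            continue
        # Move the offending copy out of the open share, preserving its relative layout.
        dest = quarantine / path.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(path), str(dest))
        record = {
            "time": datetime.now(timezone.utc).isoformat(),
            "source": str(path),
            "quarantined_to": str(dest),
            "owner": file_owner(dest),
            "rules": rules,
        }
        findings.append(record)
        with open(audit_log, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
    return findings


def demo():
    """Build a constructed share, scan it twice, and return (first_run, second_run, files_left)."""
    base = Path(tempfile.mkdtemp(prefix="cpm-demo-"))
    share, quarantine = base / "share", base / "quarantine"
    (share / "projects").mkdir(parents=True)
    # Constructed sample content: one clean file and two policy violations.
    (share / "projects" / "notes.txt").write_text("Meeting agenda for Tuesday.\n")
    (share / "projects" / "hr_export.csv").write_text("name,ssn\nJane Doe,123-45-6789\n")
    (share / "payroll.txt").write_text("Jane Doe\nSalary: $85,000\n")
    seen = {}
    first = scan_share(share, quarantine, base / "audit.jsonl", seen)
    second = scan_share(share, quarantine, base / "audit.jsonl", seen)  # nothing new
    remaining = sorted(p.name for p in share.rglob("*") if p.is_file())
    return first, second, remaining


if __name__ == "__main__":
    first, second, remaining = demo()
    print(f"quarantined {len(first)} file(s), second pass found {len(second)}, left on share: {remaining}")
```

The fingerprint map stands in for the "scan all existing content, then all new content" approach: the first pass inspects everything, later passes touch only files that changed, and the audit file gives the program manager the who-and-where needed to follow up with training rather than just a silent clean-up.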
Assigning Human Monitoring
Human evaluation is important and should be part of any compliance performance monitoring program, but manual inspection by itself cannot complete the task. The sheer volume of electronic content these days makes it impossible to rely on human evaluation alone. Rather, a monitoring system augmented by human evaluation makes the most sense. In fact, Compliance Guardian builds in a complete logic system for human evaluation augmentation and tracking. Privacy and security of information require this type of layered, multi-pronged approach.
Custom Content Management Applications
Monitoring solutions need to be open enough to be easily hooked into an existing test harness. It is important to note that organizations deal with content and content quality in different ways, and many will need to control or monitor multiple data entry and/or access points. This extensibility is also central to the design of Compliance Guardian. Thus, organizations can use Compliance Guardian via its API to integrate not only with enterprise collaboration and content management systems but also with existing quality assurance systems.
Compliance Performance Monitoring is the most important part of your compliance program. Without monitoring, there is no realistic way to assure that the policies you have developed are being followed, to assure that compliance policy training was effective, or to manage risk effectively. Many breaches must be reported to the authorities, but there are also incidents that may not violate any law and could still bring great harm to your organization. Compliance Performance Monitoring introduces effective, layered risk management controls that augment our trust in our employees with a little extra verification: everyone is human, and Compliance Guardian lets us monitor our own actions so that we are safer and more secure.