Almost every IT product has some form of compliance module or report: some of them are useful, some not as much. But navigating these waters is tricky and will require some careful thought about what you are actually complying with:
- The particular government regulations that cover your industry,
- Your legal or audit departments who have asked for these reports,
- A sense that you are trying to keep your network secure and personal information from getting into the wrong hands,
- Monitoring your external communications,
- Or a combination of all of the above?
There are dozens of different firms that are vying in this space. What is obvious from the start is that a lot of people don’t understand what compliance audits are and how often they should be done. And the landscape is shifting.
Take the case of Francesca Holdings’ CFO Gene Morphis. In March 2012, he sent out two Tweets about the state of his board of directors meeting. While the Tweets seem innocuous, he was challenged by the SEC as providing earnings results ahead of the official announcement and eventually fired two months later.
There are a number of data leak protection products and social media monitoring products that have compliance features. Let’s take a closer look and show how a few products rise above the norm.
First, compliance is a state of mind, not a destination. You need to be continuously monitoring various things: your social media posts, your emails, your websites, and your conversations with customers and suppliers. “Employees now have an easily accessible channel where they can represent their companies to millions of fans, followers, and subscribers,” says Eric Berkowitz, a senior product manager at social monitoring software vendor Tracx. Like other tools in this genre, Tracx lets custom approval chains be embedded, too, so that content is filtered through regulatory channels (such as PR or Legal) before going live. You also need to be monitoring your business-related accounts on a continuous basis to ensure no violations happen. Someone or something should be watching.
Second, know the rules. “Before you encourage your CEO to start posting your company’s financial reports or latest product releases to your social media channels, make sure you both fully understand all the rules and regulations surrounding social media in your industry,” says Gremln’s CEO Ryan Bell. The company has put together a handy page of links to financial services compliance regulations that pertain to social media on its website. “Depending on the regulatory body involved, there are various guidelines. Some equate social media to email and other communications regulations. And it is rapidly changing, too.” He mentions that one regulatory body, FINRA, is doing spot checks and is demanding to know who is using social media for business, what supervisory procedures are in place for external communications, and how a company is monitoring its ongoing communications.
Next, compliance is for everyone. “It isn’t just college interns who are tweeting; no matter how high a level executive you are, you can still make mistakes,” says Bell. Training and understanding the broad impact of every employee’s actions is critical.
Next, don’t forget about mobile. More and more work gets done via mobile devices these days, and many of the traditional DLP tools don’t capture what is going on there, especially as many phones are personally owned. “You need real-time feedback and to be able to track changes to the state of your mobile devices,” says Tyler Lessard, a product manager at Fixmo. Fixmo sells its Sentinel tool, which ensures that all of your mobile devices start and remain in a trusted state.
Finally, don’t forget about the cloud. “Most compliance scopes only cover physical infrastructure and facilities, and enterprises only control compliance within their own virtual machines, leaving the middle virtualization layer unaccounted for,” according to a press release from SunGard. They, and numerous others, have services to try to close this loophole.