Author: Scott Davidson
September 2007
Small businesses may hesitate to get caught up in the intricacies of regulatory compliance, but many smaller companies work in arenas, such as health care or financial services, where protecting customer data is essential. Others perform services for customers that are regulated, and those compliance requirements pass through to the service provider. A printer, for example, must ensure that data in a corporation's financial reports is not leaked prematurely. An online store must keep credit-card information secure. So many regulations designed for large enterprises directly affect small businesses as well.
To understand how to deal effectively with regulatory requirements, small businesses should view compliance as a business issue, not a technical one. No piece of technology automatically will ensure that a company is in compliance. Regulatory compliance is a process, not a product.
This process often is governed by federal and state laws impacting individual business sectors or various operations within a business. For example, Sarbanes-Oxley sets down strict requirements for financial reporting and accountability for public companies. Health services must meet provisions of HIPAA, which protects the privacy of medical information. In the banking field, the Gramm-Leach-Bliley Act requires financial institutions to disclose their privacy policies to consumers and customers. In California, state law dictates that if a business discloses or loses personal information about customers, it must notify those customers.
While the rules may seem daunting, small businesses really need to focus on just four key areas; if they manage these areas well, compliance should follow as a matter of course. These four touch points of compliance are accountability, auditability, privacy and data integrity. In practice, businesses need to keep a record of who is accessing what data, ensure that personal and financial information does not become available to unauthorized individuals, and be certain that data cannot be changed without the knowledge and approval of the responsible parties.
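As an added illustration (not part of the original article, and not a Microsoft tool), the following Python sketch shows how the four touch points above, and the backup and "not modified inappropriately" goals discussed later, translate into working code: a role-based check on who may read which record type (privacy), an append-only log of every request, whether granted or denied (accountability and auditability), and an HMAC hash chain over that log so that any after-the-fact edit or deletion is detected (data integrity). The policy table, the user names, the record types and the signing key are all constructed for the example and are not taken from the article.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed policy for the example: which record types each role may read.
POLICY = {
    "billing": {"invoice", "card_on_file"},
    "front_desk": {"appointment"},
    "clinician": {"appointment", "medical_record"},
}

GENESIS = "0" * 64  # "previous hash" of the very first entry


class AuditLog:
    """Append-only log in which every entry is HMAC-signed and linked to its predecessor."""

    def __init__(self, key: bytes):
        self._key = key          # kept off the machines whose users are being audited
        self.entries = []

    def _digest(self, body: dict) -> str:
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def append(self, user: str, role: str, action: str, record_type: str, allowed: bool) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "record": record_type,
            "allowed": allowed,
            "prev": prev,            # link to the previous entry's hash
        }
        entry = dict(body, hash=self._digest(body))  # hash covers everything but itself
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq of the first bad entry)."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or not hmac.compare_digest(self._digest(body), e["hash"]):
                return False, e["seq"]
            prev = e["hash"]
        return True, None


def request_access(log: AuditLog, user: str, role: str, action: str, record_type: str) -> bool:
    """Apply the policy and record the decision either way; denied attempts are worth auditing too."""
    allowed = record_type in POLICY.get(role, set())
    log.append(user, role, action, record_type, allowed)
    return allowed


def demo():
    log = AuditLog(key=b"constructed-demo-key-not-for-production")
    decisions = [
        request_access(log, "alice", "front_desk", "read", "appointment"),     # allowed
        request_access(log, "alice", "front_desk", "read", "medical_record"),  # denied
        request_access(log, "bob", "clinician", "read", "medical_record"),     # allowed
    ]
    intact_before, _ = log.verify()
    # Simulate someone editing history to hide the denied attempt.
    log.entries[1]["allowed"] = True
    intact_after, first_bad = log.verify()
    return decisions, intact_before, intact_after, first_bad


if __name__ == "__main__":
    decisions, before, after, bad = demo()
    print("decisions:", decisions)
    print("log intact before tampering:", before)
    print("log intact after tampering:", after, "(first bad entry:", bad, ")")
```

Two caveats a practitioner should note. The chain detects edits, insertions and deletions in the middle of the log, but not simple truncation of the newest entries; defending against that requires periodically anchoring the latest hash somewhere the log's users cannot write, such as a backup copy kept off-site. And the HMAC only helps if the key is not readable by the people whose actions are being logged.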
Instead of fretting over compliance, small-business owners are better served by maintaining a higher compliance mindset. Using this approach, business owners spend less time sorting through what the regulations require and instead direct their efforts to considering how they can make compliance an asset to their businesses. By becoming compliant, a business can gain competitive advantage in its relationship with customers, its processes and its ability to maintain operations during times of crisis.
The higher compliance mindset also recognizes that the most valuable aspect of a business is the data stored in its systems, not the software or the hardware or the applications. Companies need to be able to catalog these information assets and protect them.
Companies also must consider the risks to their businesses. Different types of businesses confront different types and levels of risk. What may jeopardize the database of a florist is likely very different from the threats to a credit union or a doctor's office. Each small-business owner should ask, "What risks affect me, and what safeguards can I put in place to protect my company and my customers at a reasonable level of assurance?" Absolute security is a myth, because with enough time, money and effort any security measure can be breached. Business owners, therefore, must decide how much security they need to ward off the most likely hazards to the data of their specific companies.
By setting these safeguards in place, companies improve their business processes. They ensure they have proper backups of data, that the data is not being modified inappropriately and that the business operates overall in a safer manner.
To address the regulatory process, business owners should take steps to protect stored or retrieved data from unwanted access while still letting employees do their work. Windows Small Business Server 2003 R2, for example, allows employees at home or traveling to access company files as if they were sitting at their desks, so small-business owners can make sure their employees get the most out of the technology without having to copy company data onto unmanaged machines.
Risk management
To help owners decide the acceptable level of risk for their company, Microsoft offers some free online tools. The Microsoft Security Assessment Tool, which can be downloaded from www.securityguidance.com, walks the owner through a questionnaire about the company's infrastructure, applications, operations and people, and offers suggestions for enhancing security. Microsoft's Security Guidance Center, at www.microsoft.com/smallbusiness/support/computer-security.mspx, also provides advice and resources to help improve the computer security of businesses.
The golden rule of regulatory compliance is, "If you treat your business and customer information with the same respect that you would like for your own sensitive information, generally you are on the right track." Attend to the four touch points above, follow this rule, and you shouldn't have to worry about what the compliance standards say. You'll be positioning your company to meet those requirements and to use your secure network to advance your business.
About the Author: Scott Davidson is the Heartland Area General Manager for Microsoft’s Small and Mid-market Solutions and Partners (SMS&P) group, which consists of Kentucky, Michigan, Ohio and Tennessee.
