Printer Friendly Version

Years from now, two events at the dawn of the 21st century will likely stand out in textbooks that deal with American history — the terrorist attacks of Sept. 11, 2001, and the corporate accounting scandals of 2002 (and beyond). In addition to spawning books of their own, each of these events seems to have had a profound effect on IT. Or at least that's what software vendors would like you to think.

After the Sept. 11 attack, software and IT strategies that promoted business continuity received a great deal of coverage. In the wake of the corporate accounting scandals, a number of federal and state regulations have been passed, the most talked about being the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley essentially demands that companies leave an audit trail so all the information in their financial reports can be verified. (It also requires codes of ethics for senior financial officers, but software can only do so much.)

Compliance with Sarbanes-Oxley and all other existing and future regulatory demands has been a hot topic among hardware and software companies from all corners of the industry, not only because they themselves have to be in compliance with certain regulations if they are publicly traded, but because software (if you listen to software companies) is the key to being in compliance.

(In addition to Sarbanes-Oxley, other regulations garnering a lot of attention include the Department of Defense 5015.2 Standard and the Security and Exchange Commission's Rule 17a.)

Compliance Through Storage

According to a study by Enterprise Storage Group, compliance-related storage products and services could be worth as much as $6 billion over the next four years. With this in mind, a number of storage firms have released new products, or new versions of existing products, with an eye toward serving compliance needs. Here is a small sampling:

• EMC released what it calls a Compliance Edition of its Centera content-addressed storage platform in April. It includes retention enforcement and enhanced disposition (aka, shredding).

• Ottawa's KOM Networks released in June version 3.1 of Shieldworx, which the company says offers data protection that converts any Network Attached Storage (NAS) appliance or file server into a SEC-compliant online archive without impacting existing data. "With ShieldWorx, documents can be stored in a designated archive volume on disk so that they are unalterable, even by their owners, privileged administrators, and viruses — even unknown or undiscovered viruses — that successfully impersonate owners," said Dan Tanner, vice president for business development at KOM Networks.

• Evertrust's AEStore works similar to Centera by tagging each digital asset it stores with both a retention date and a retention rule. AEStore offers control of digital assets that are stored offline or on distributed computers (servers or laptops), and it works with new or existing storage systems. All documents and files can be stored in an encrypted format using the Advanced Encryption Standard (AES, thus the name). When a document expires, the key used to unlock the document is deleted and scrubbed from the system. Because there is no way of unencrypting an AES-encrypted file, the documents are effectively destroyed.

Document and Content Management

While storage is a natural fit for the intersection of compliance and IT, many document and content management systems are beginning to sell themselves as answers to corporate compliance issues. Most enterprise-level content managers already have many of the features that will help companies comply with numerous state and local regulations by defining workflow and approval processes and by making content accessible and searchable. Here's a small sampling:

• Steelpoint Technologies and FileNet have partnered to include Steelpoint's Introspect eCM compliance application with FileNet's FileNet P8 content management architecture to help organizations comply with new regulations and laws. The result is an integrated workflow and content management solution.

• Documentum and financial service consultants BearPoint developed a Corporate Governance and Compliance solution, which combines enterprise content management and collaboration technology from Documentum and BearingPoint's financial and content management consulting services. It focuses on helping corporations plan, assess, and implement the procedures needed to meet mandatory Sarbanes-Oxley requirements for internal controls and certification of financial statements.

• In June, Open Text released what it calls a corporate governance platform for its Livelink knowledge management and collaboration product. Open Text's Kevin Northover, director of financial services solutions, said a collaboration platform geared toward compliance makes a lot of sense.

According to Open Text's Northover, Sarbanes-Oxley compliance is a lot like ISO 9000 compliance, an area where Open Text's Livelink has been put to use in the past. Like ISO 9000, Sarbanes is not specific, but rather instructs where certain checkpoints should be located in the process without going into detail about how the checking should be done.

Livelink sits at the heart of corporate culture, Northover said. Its collaboration tools define how people work together, its content management component produces the output of employees' work, and by providing training it develops people.

Is Software Crucial to Compliance?

This leads to what is, literally, a thousand-dollar question: if compliance is all about a company's culture and its people, is all of this hardware and software being pitched really the answer to compliance? Not necessarily.

"In the end, this is about culture," Northover said. "Fundamentally, the blunt truth is you can do Sarbanes compliance without software." For a large company, however, compliance with mutiple government regulations is a very tall order.

Northover said he doesn't think companies even have a grasp of how much work these regulations are going to require. At this point, many companies are just beginning to talk with consultants about what will be required for compliance. With all the products claiming to be the answer, at least they won't have a shortage of ideas on how to tackle it. But at some point companies will have to decide which companies offer a true compliance solution and which are labeling themselves compliance solutions to grab the low-hanging fruit.

"I myself personally don't think compliance is low-hanging fruit," Northover said. "I think compliance done fully is a lot of work. There's a lot of gritty details."

Any software product that companies call on to help with compliance will need to be very flexible to deal with changing regulations. In addition to more U.S. federal and state regulations, large companies that do business internationally will have to comply with regulations coming from Canada, as well as the E.U., where compliance will likely clash with strict privacy guidelines.

Another factor that could complicate rollouts of IT projects dealing with compliance is the clash of the IT and business faces of many organizations. Northover compared Sarbanes-Oxley compliance with deadlines for having Y2K fixes in place three years ago. Y2K, he said, was a technically understood problem with a nice, hard deadline. And it was an IT problem with a fix coming from the IT department. Compliance issues come from the general business side, and they will be looking for an IT fix.

Much will be written about the corporate culture changes and how technology is used to enforce compliance in the near future. But the really interesting question regards which will be more powerful: the technology companies will employ to keep themselves in compliance, or executive greed.