Compliance is no longer driven solely by regulatory fear, as it has been
traditionally. Business and competitive requirements are instead becoming the
prime driving force behind adherence to compliance.
As compliance becomes a business imperative, it's becoming increasingly
important for CIOs to understand its landscape and its impact on the
organization's IT infrastructure and strategy.
Fitting in with IT
In today's compliance scenario, information storage, management, and
protection have become the most pressing issues that businesses across
verticals like telecom, BFSI, BPO/ITeS, healthcare, and even the government have
to deal with.
Nowadays, CIOs are involved not only in functional but also in strategic
decisions made in the company. So CIOs need to understand the importance of
investing in compliance and the RoI it delivers.
Compliance is a broad topic and encompasses factors like the ability to retrieve
data within the recovery point objectives (RPOs) and recovery time objectives (RTOs),
the ability to secure data against unauthorized access, the ease of portability of
data in line with technology changes, and protection against
accidental or fraudulent modifications.
Business Imperatives
Compliance has witnessed a transition from being just a buzzword that the
whole world was talking about to a survival imperative for the corporate
world. Fines, penalties, legal hassles, and loss of reputation for
non-compliance are driving companies to take this issue seriously.
Compliance rules could originate from various sources including government
regulations, corporate governance requirements, and internal company policies,
among others.
In India, SEBI has recently initiated adjudication proceedings against twenty
companies for non-compliance with Clause 49 (which deals with corporate
governance) norms under their listing agreement with stock exchanges.
Additionally, there are numerous examples of financial malfeasance due to
fraudulent accounting practices: Enron, WorldCom, Tyco Global, and Computer
Associates.
The Takers
The main takers of compliance are the companies that deal with US or
European clients. They need to have adequate safeguards and policies in
place to comply with the regulations and data privacy norms in their clients'
home countries.
Overall, the industry verticals most affected are: banking and finance, which
needs to comply with Basel II, GLBA, PCI DSS, and SOX (if the bank is listed in the
US) as well as rules laid down by the regulator; IT and ITeS, which need to comply
with SOX (if the company is listed in the US) and the privacy laws of the countries
where they operate; and healthcare, which needs to comply with HIPAA.
Compliance Diary
Almost all Indian companies doing business with Nasdaq-listed companies fall
under the purview of SOX (the Sarbanes-Oxley Act). BPO companies in India are
legally obliged to abide by the regulations that their clients follow: the
Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the EU Data Protection Act, and
HIPAA. Specific regulations in India mandate how companies need to manage
and store their information assets. These include the IT Act, the Indian
Evidence Act, and SEBI Clause 49.
In the banking vertical, one of the most important regulatory compliances is
Basel II (the RBI has specified that all banks have to conform to the Basel II
guidelines).
Taking the example of the banking industry, the RBI has indicated a
requirement for record retention so that messages required for business and
regulatory reasons are safely stored and easily retrievable.
For government departments/agencies coming under the ambit of the RTI Act, 2005,
the concerned organization needs to "...maintain all its records duly catalogued
and indexed in a manner that facilitates the right to information under this
Act, and ensure all records that are appropriate to be computerized are
computerized and connected through a network all over the country on different
systems so that access to such records is facilitated."
With increasing reliance on electronic records to support litigation efforts,
the need to prove that those records have not been tampered with is becoming
another requirement.
There are corporate governance norms like Basel II in the banking industry
and SEBI's Clause 49 that, in general, don't mandate specific compliance
requirements from a technical perspective, but are nevertheless important
guiding factors when organizations look at their internal control policies with
regard to data retention, data access, and data security.
In response to IT compliance challenges, organizations are increasingly
looking at ways to minimize fragmented initiatives, automate procedures and IT
security controls, and apply best practices to reduce risk and to comply with
the different regulatory requirements.
Shipra Malhotra
shipram@cybermedia.co.in