IT shouldn't be a compliance beast of burden

It's a given that IT plays a critical role in complying with regulatory mandates. It's a serious mistake for an enterprise to expect IT to do it all.

Third in a series.

High-level directives that set the tone for managing compliance policies may come from corporate accounting or, in the largest companies, from the office of the chief financial officer or chief information officer.

But most of the day-to-day planning and responsibility for the operational success of a compliance program will fall to IT managers and administrators. In typical cases, it adds hours of extra work to the day of IT staff members.

For example, the finance department at Paxson Communications Corp., in West Palm Beach, Fla., is the source of decision making when it comes to the Sarbanes-Oxley Act (SOX) of 2002. Scott Saunders, director of systems technology at Paxson, said he spent more than 50% of his time between May and December writing narratives that describe process controls.

Since policy is really about governing behavior across the whole company, putting the compliance burden on the IT staff is not always helpful, said Scott Crawford, an analyst at Enterprise Management Associates, a Boulder, Colo., consulting firm. "In reality, everyone from the top executives to the help desk employees must play a role in helping to guide process management," he said.

But it is important to make sure there is one department in charge of all compliance. Michael Rasmussen, an analyst at Forrester Research Inc., a Cambridge, Mass., consulting firm, cited an example of an insurance company that had a compliance office that was only concerned with insurance regulation, not IT practices. SOX compliance was handled from the company controller's office.

Rasmussen envisions a corporate security team -- led by either a chief security officer or a chief policy officer -- as the most logical group to develop an organization's compliance policy. However, he said, an operations staff must also be in the loop so it can install technologies that support the requirements of compliance.
