Solving the compliance vs. mobile dilemma
How to comply with regulations when users walk out the door carrying high-risk data on mobile devices
September 14, 2006 12:00 PM ETComputerworld - It's like an irresistible force about to crash head-on into an immovable object. On one side is a growing army of mobile employees, many of whom carry sensitive information with them when they leave the office. On the other side are federal regulations protecting the confidentiality, integrity and availability of that sensitive data.
Devices such as laptops, handhelds, smart phones and thumb drives are easily lost or stolen. If that happens, and if the device carries regulated data, your organization likely will be out of compliance with regulations. For Bill Bergen, the need to prevent that problem became obvious one day in a routine meeting.
"I was in a boardroom, and there was a thumb drive in the crack of a chair," recalled Bergen, CIO and vice president of technology services at Workscape Inc., a software and services provider focused on benefits administration and compensation planning.
"I pulled it out and said, 'OK, we just funded a project.' It turned out the thumb drive didn't have any data on it that was subject to regulation, but if you aren't on top of it every day, you lose touch with the risk."
Bergen and other experts said that while mobile technology can significantly increase productivity, it puts the compliance efforts of many organizations at risk. It's an issue that many organizations haven't dealt with head-on, they said.
Conflicting demands
The most widely discussed federal regulations that enterprises must comply with are the Sarbanes-Oxley Act, which covers publicly traded companies; the Health Insurance Portability and Accountability Act (HIPAA), which covers organizations that handle health-related records that can be linked to specific individuals; and the Gramm-Leach-Blilely Act, which covers financial transactions. IT managers and executives have spent an increasing amount of time in recent years helping their organizations comply with these and other federal and state regulations.
During that time, many of the same IT managers have helped their companies become mobile, sending employees into the field with easy access to e-mail and key enterprise data. Most IT managers readily understand that mobility brings risk to all enterprise data, not just information covered by regulations.
"There are all kinds of data, like marketing plans and the like that you have to protect," said Bryan Palma, principal of Ponic, a Plano, Texas, information risk consulting and management service.
"If you lose a marketing plan and a competitor sees it, that's bad," Palma said. "But it's not a compliance issue."
In other words, he said, it's bad if sensitive information falls into the hands of a competitor. But noncompliance could result in long, expensive rounds of audits, system changes, and civil and criminal litigation. And because of the untethered and free-floating nature of mobile employees, it's harder to craft policies that make data secure and compliant.
mobile
Additional Resources



White Papers & Webcasts
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
How Computrace Tracks and Secures Laptops
View this flash demo to see Absolute in action.
Airport Insecurity: The Case of Lost Laptops
Download Now
Managing Laptops Outside the Office
Learn how you can reduce costs by tracking mobile computers no matter where they are located.
Notebook And Netbook Adoption In The Enterprise
Download Now
Extending Client Refresh - 11 Steps to Maximize Savings
Register Now!
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Understanding Alternative Compute Models
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
