Organizations today are facing increased pressure to collect and store massive amounts of data. Regulatory guidelines, storage costs, and the promise of Big Data have encouraged and allowed this growth. With this explosion of data collection and the influx of information flooding inboxes, enterprise collaboration systems, and interactive gateways, previously effective approaches to monitoring and regulation of electronic data are becoming impractical. With data everywhere, people, processes, education and automation become more critical to the successful implementation of a compliance program.
Generally, managing risk and compliance is a twofold, manual process. First, compliance professionals create standards and policies to dictate organizational behavior – written based on overall organizational goals, internal controls, and industry/government regulations. Next, employees receive training on these policies. This training often happens once to a few times a year and includes all employees. However, this method is incomplete. The expectation that every employee will take the time to thoroughly understand corporate compliance, and then follow these policies without assistance or direct incentive, is dangerously misguided.
A manual compliance approach also lacks the ability to measure the effectiveness of these policies or to verify that they achieve business goals. The key here is feedback: without it, compliance professionals are left relying on intuition and outdated existing standards. This approach also fails to measure the effectiveness of training. Even if the policy is appropriate for the business, how do we know that the employees and partners will apply these rules? How much training is needed before system users actually change their behavior and apply the rules correctly?
It is unrealistic and perhaps inappropriate to expect business users to be compliance experts, and beyond that, employee knowledge of corporate policy is typically limited to what they “need to know” to be successful in their day-to-day jobs. Also, wide-scope periodic training generally fails to address individual employees’ regular interaction with sensitive data – which makes it harder to recognize when to apply what was learned. This is not enough to create meaningful change. Users are focused on their own disciplines and rarely adopt the skills required to become compliance experts.
Automation is the key to your compliance success
By applying automation to your organization’s compliance policies, the entire data set can be reviewed and measured in real time – training system users on the policy in question when they are faced with it. With the use of transparent controls, systems can identify when a user violates a policy and recommend a corrective action. The user can review the violation, determine if it has merit, and then correct the problem. This on-demand model for policy adherence not only keeps a system compliant, but also increases the probability of information retention.
Automation also provides feedback to the organization by measuring adherence to policies. This is a critical step to help companies understand where they need to improve their systems and where to pinpoint training. If users are violating policy because they feel it impedes their ability to get their job done – or out of sheer ignorance of the policies themselves – the organization should identify this and focus on finding a mutually beneficial solution.
Adding human oversight to automation
Remember that systems do not remain static: your compliance policies need to change to suit the environment. An audit of a system at a single point in time will only generate meaningful data at the time of the audit. Since new content is always being added, an audit does not show the whole picture. Organizations need to be able to review the conformance of a system at any time.
Also, replacing user decision and oversight with computers has historically failed to produce meaningful data. Automation tends to miss context and other subtleties that are easy for people to spot, which results in false positives.
Human Computation, or the combination of machine and human tasks to solve a problem such as the identification of non-compliant data within large data sets, is a realistic solution for Information Assurance. Joseph Carl Robnett Licklider, an American psychologist and computer scientist from the mid-twentieth century, once stated, “Connections between humans and technology will always be able to do more than machines on their own or humans on their own.” This still holds true today. Some tasks are best suited for computers and others are best suited for people. The challenge is building a system that takes advantage of both.
Choosing the right solution for your organization
There are already a number of solutions available that provide compliance automation to organizations. However, not all solutions are created equal. When selecting the correct technology for your organization, be sure to select a solution that can do the following:
- Discover data across multiple information gateways in your enterprise in order to shed light on dark data and other potential sources of risk.
- Scan content in motion or at rest against out-of-the-box or customized checks for a wide range of privacy, information assurance, operational security, sensitive security information, and accessibility requirements.
- Drive enterprise classification and taxonomy with user-assisted and automated classification for all content.
- Take corrective action automatically to secure, delete, move, quarantine, encrypt, or redact risk-defined content. These automated actions can reduce costs by eliminating the need for increased hiring to continuously monitor information security initiatives.
- Enhance incident tracking and management with an integrated incident management system in addition to trend reports and historical analysis to measure your organization’s improvements over time.
- Monitor data and systems on an ongoing basis to demonstrate and report on conformance across your enterprise-wide information gateways and systems.
For organizations implementing policies for the handling of electronic data, automation can be applied to review vast data sets and compare the information to a set of pre-defined rules. Electronic data system users can quickly assess the context and environment in which the information is produced and stored. By combining automation and user activity, organizations can achieve true system compliance and information assurance that doesn’t degrade, trains users as they work, and informs the organization on how policies impact their business.
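As an added illustration (not code from this article or from any product it alludes to), the loop described above in Python: an automated scan of the whole data set against pre-defined rules, a human review that supplies the context the automation lacks, and an adherence report fed back to the compliance team. The rule set, sample documents and reviewer decisions are all constructed for the example.

```python
import re
# Constructed rule set (hypothetical, not any product's checks): policy name ->
# (pattern the automated control looks for, corrective action it recommends).
RULES = {
    "PII-SSN":  (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "redact"),
    "PII-CARD": (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "quarantine"),
}

def scan(documents):
    """Automated pass over the whole data set; confirmed=None means awaiting review."""
    return [{"doc": doc_id, "rule": name, "action": action, "confirmed": None}
            for doc_id, text in documents.items()
            for name, (pattern, action) in RULES.items()
            if pattern.search(text)]

def review(findings, decisions):
    """Human pass: the content owner confirms or rejects, adding context the regex lacks."""
    for f in findings:
        f["confirmed"] = decisions.get((f["doc"], f["rule"]))
    return findings

def adherence_report(findings, total_docs):
    """Feedback loop: per-rule counts, false-positive rate, actions to run, compliant share."""
    per_rule, actions, noncompliant = {}, [], set()
    for f in findings:
        row = per_rule.setdefault(f["rule"], {"confirmed": 0, "rejected": 0, "pending": 0})
        if f["confirmed"] is True:
            row["confirmed"] += 1
            actions.append((f["doc"], f["action"]))
            noncompliant.add(f["doc"])
        elif f["confirmed"] is False:
            row["rejected"] += 1
        else:
            row["pending"] += 1
    for row in per_rule.values():
        reviewed = row["confirmed"] + row["rejected"]
        row["false_positive_rate"] = row["rejected"] / reviewed if reviewed else None
    return {"rules": per_rule, "actions": actions,
            "compliant_rate": (total_docs - len(noncompliant)) / total_docs}

# Constructed sample content; the part number is meant to trip the card check.
DOCS = {
    "hr-memo-01": "Update SSN 123-45-6789 in payroll before Friday.",
    "invoice-77": "Card 4111-1111-1111-1111 charged for order 77.",
    "ops-note-3": "Part number 1234 5678 9012 3456 is backordered.",
    "status-9":   "Nothing sensitive in this update.",
}
DECISIONS = {("hr-memo-01", "PII-SSN"): True, ("invoice-77", "PII-CARD"): True,
             ("ops-note-3", "PII-CARD"): False}  # reviewer: it is a part number
REPORT = adherence_report(review(scan(DOCS), DECISIONS), len(DOCS))
```

The 50% false-positive rate on the card check is the feedback the article calls for: it tells the compliance team that this rule, not the users, needs tuning before it is used to drive automatic quarantine.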