<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0">
    <channel>
        <title>IT-Director.com</title>
        <description>The latest independent, impartial information technology and business analysis from the Business Issues -&gt; Regulation domain on IT-Director.com.</description>
        <link>http://www.it-director.com/r/do/16/f/fd_side_itd</link>
        <lastBuildDate>Sun, 06 Jul 2008 04:06:58 +0100</lastBuildDate>
        <generator>FeedCreator 1.7.2MW</generator>
        <language>en</language>
        <copyright>Content Copyright 2008 as indicated per item.</copyright>
        <item>
            <title>A New Kid on the Block</title>
            <link>http://www.it-director.com/r/c/10589/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/14452/dr_dave_waddington.php?ref=fd_side_itd" title="View profile for Dr Dave Waddington"><img border="0" src="http://www.it-director.com/images/people/small/dr_dave_waddington.gif" width="40" height="50" alt="Dave Waddington" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/14452/dr_dave_waddington.php?ref=fd_side_itd" title="View profile for Dr Dave Waddington">Dr Dave Waddington</a>, <em>Senior VP and Head of Research</em>, The Information Difference<br/>Posted: 4th July 2008<br/>Copyright The Information Difference &copy; 2008</td><td><a href="http://www.it-director.com/about/company/8409/the_information_difference.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/the_information_difference.gif" width="88" height="33" alt="Logo for The Information Difference" /></a></td></tr></table></div>

<p>
Data Integration is expensive but does it need to be? expressor software (see also the <a href="http://www.it-director.com/xurl.php?cid=10589&amp;ref=fd_side_itd&amp;url=http://www.it-director.com/technology/data_mgmt/content.php?cid=10471">recent article</a> by Philip Howard), a new entrant to the data integration space, says not. The company takes a very different approach to data integration and ETL (extract, transform and load). Many of the features and functionality that other vendors have added on over time to their products have been designed into expressor up front. The new product, scheduled to ship in mid July, is semantically aware and incorporates &lsquo;hundreds and thousands&rsquo; of built-in data item correlations covering a broad range of vertical markets. But its key differentiator is its low TCO (total cost of ownership) setting it apart from the pack.<br />
<br />
The vendor maintains that using expressor allows companies to reduce their total cost of ownership while delivering better quality and faster data integration applications. expressor points to four key areas for reduced costs.<br />
<br />
Role-based graphic design and development tools enable rapid application development and deployment. Centrally stored data descriptions and application metadata held in a common repository facilitate efficient reuse in applications across the organization. expressor makes extensive use of semantic rationalisation to ensure data objects and business rules can be easily identified and reused &ndash; thus overcoming one of the major drawbacks of current data integration technologies.  The software helps drive down hardware infrastructure costs since the expressor processing engine is less CPU hungry and more efficient than other solutions. Since it can also be installed in an existing network of computers, companies can avoid new capital investment in hardware.<br />
<br />
This new vendor also claims that customers can reduce the cost of development staff with the role-based implementation approach introduced by expressor.  Essentially this means that instead of an expensive developer carrying out all the tasks associated with an implementation, the roles can be assigned to a wider range of business staff so leveraging expertise and skills where they provide the biggest payback for the business.<br />
<br />
However, the most important novel approach is the expressor pricing policy.  The vendor is introducing a unique usage based runtime pricing approach in which you only pay for a maximum level of parallelism on a given machine.  List prices start at US &#36;20,000 (see also the expressor <a href="http://www.it-director.com/xurl.php?cid=10589&amp;ref=fd_side_itd&amp;url=http://www.expressor-software.com/%20list_prices.htm">price list</a>) for perpetual licenses and are even less for 6 month to 2-year term licenses. Effectively and significantly this means that you can start small and grow without the initial high investment cost in data integration infrastructure. <br />
<br />
expressor is the first company in the industry to promote a &lsquo;channel based&rsquo; pricing model potentially leading to cost saving when compared with the current outdated CPU&#8208;based licensing models.  You buy only as much as you need making it easy to initiate a new project without it having to bear the brunt of the total infrastructure cost. This is a significant step forward and a product with the potential to disrupt the somewhat stale data integration market. This new kid is one to watch closely!<br />
</p>

]]></description>
            <author>Dr Dave Waddington, The Information Difference</author>
            <pubDate>Fri, 04 Jul 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10589/f/fd_side_itd</guid>
        </item>
        <item>
            <title>Bloor Research release a Technical Report and Market Update on RFID middleware</title>
            <link>http://www.it-director.com/r/c/10535/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/13537/simon_holloway.php?ref=fd_side_itd" title="View profile for Simon Holloway"><img border="0" src="http://www.it-director.com/images/people/small/simon_holloway.gif" width="40" height="50" alt="Simon Holloway" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/13537/simon_holloway.php?ref=fd_side_itd" title="View profile for Simon Holloway">Simon Holloway</a>, <em>Practice Leader -  Process Management &amp; RFID</em>, Bloor Research<br/>Posted: 13th June 2008<br/>Copyright Bloor Research &copy; 2008</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>
Bloor Research has just released a technical report and market update covering RFID middleware. But what does this mean? 
</p>
<p>
RFID middleware is the first level of software that one comes across in the complete RFID stack. This software performs the necessary tasks of converting the information picked up by readers, event processing, applying business rules, and performing a series of functions, from aggregation and filtering to looking up data, that convert this data into meaningful business information. Of course, it also has to co-ordinate the management of the readers and the writing of data onto the RFID tags.
</p>
<p>
Many flavours of RFID middleware are currently available. A number of start-up companies typified by OATSystems, GlobeRanger and RF-it Solutions have developed solutions. The EAI vendors, such as IBM, Oracle, Microsoft and SEEBURGER were very quick to adapt and enhance their offering to support the requirements of RFID middleware. Traditional RFID middleware also often offers some degree of device management, such as remote monitoring or configuration. A number of application vendors have developed RFID middleware. In this case there are two distinct approaches:
</p>
<ul class="unIndentedList">
	<li> Build it yourself: in this category are vendors such as SAP and Manhattan Associates</li>
	<li>Build on top of a middleware product: in this category fall vendors such as Infor, 3M Supply Chain Solutions and Red Prairie</li>
</ul>
<p>
<strong>
RFID Middleware Architecture</strong><br />
Figure 1 shows the architectural model that Bloor sees as necessary to support all of the requirements. 
</p>
<p>
<img src="/images/assets/r13537/sensenet.gif" alt="Bloor Sensory Network middleware architecture" title="Bloor Sensory Network middleware architecture" width="440" height="200" /> 
</p>
<p>
Figure 1: The Bloor Sensory Network middleware architecture 2008
</p>
<p>
The components of RFID middleware include:<br />
</p>
<ul class="unIndentedList">
	<li> Device Management, in a RFID/Sensory Network sense, is about activating, configuring and controlling the peripheral devices in the network, be these mobile or fixed. This includes routines to distribute applications, data and configuration settings to these remote devices</li>
	<li> Edge Event Process Management is concerned with an environment for the development of business processes, usually through BPEL, a runtime engine with an associated API, and a management environment (often referred to as business activity monitoring - BAM). Simulation is a key deliverable.</li>
	<li> Business Rule Management System (BRMS) is a software system used to manage and support the business rules of an organisation. The main class of BRMSs maintains rules that are executed in a production rule system but also maintained in a repository with a user interface suitable for business users to create, read, update and delete them.</li>
	<li> Integration is concerned with the ability to interface to the back-office applications that run enterprises. In the main this facility is provided by another product in the portfolio.</li>
	<li> Device API is where the information collected on the devices, such as RFID readers or barcode readers is translated into business information. The device API is used to disconnect the devices from the implementation in the RFID middleware itself, in such a way that you can &quot;hot-swap&quot; devices.</li>
	<li> A development environment which should interface with standard development environments such as Microsoft Visual Studio for .NET and ECLIPSE for Java. The key is for IT developers to be able to work in a familiar environment and to be able to exploit these existing tools. The same is true for business users but here the tools they are most familiar with will be Microsoft Office Suite or other office suites. </li>
	<li> Master Data Management capability to support EPCIS </li>
</ul>
<p>
<strong>
Market Overview</strong><br />
Since Bloor published their first list of vendors in December 2007, there have been some additions to the list as well as some departures. The departures include 2 well-known names: TIBCO and SoftwareAG webMethods.
</p>
<p>
There are 3 vendors who are offering a repository (really a master data management database) to support the EPCIS standard. These are IBM, Oracle and SAP. There are a number of new entrants (SkandSoft's Setu, Omnitrol Networks, Supply Insight) who are also providing support for EPCIS but without seeming to use a repository. 
</p>
<p>
The market is also seeing the entrance of a number of combined software and hardware solutions, particularly in terms of network boxes. For organisations that are cost conscious, combining RFID middleware on to existing network routers is a very compelling consideration. There are 3 key vendors offering solutions in this space: Cisco Application-Oriented Networking (AON) for RFID; Reva Systems Tag Acquisition Processor (TAP); and Omnitrol Networks.
</p>
<p>
Because SAP's AII solution provides no device management capabilities, a market of specialist products from niche vendors has grown up to provide this capability. Two that caught Bloor's eye were: Advanco SA of Belgium's Advanco RFID Controller (ARC); and noFilis Ltd of Germany's CrossTalk.
</p>
<p>
The final market trend is the support for mobility. Microsoft made an announcement at the beginning of May 2008; others already there are Allixon Corp, with its URUS mobile RFID platform, and noFilis CrossTalk.<br />
</p>
<p>
Vendors researched for the paper include:
</p>
<table border="0">
	<tbody>
		<tr>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.advanco.be/en/who.cfm"> Advanco SA</a><br />
			</td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.allixon.com">Allixon Corp</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.bea.com">BEA</a><br />
			</td>
		</tr>
		<tr>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.bluevector.com"> Blue Vector Solutions</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.cisco.com"> Cisco Systems, Inc.</a></td>
			<td> <a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.globeranger.com">GlobeRanger</a></td>
		</tr>
		<tr>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.ibm.com">IBM</a></td>
			<td> <a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.insyncinfo.com">InSync Software Inc.</a> </td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.loftware.com"> Loftware Inc.</a></td>
		</tr>
		<tr>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.microsoft.com">Microsoft</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.nofilis.com"> noFilis LTD</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.oatsystems.com">OATSystems</a></td>
		</tr>
		<tr>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.omnitrol.com"> Omnitrol Networks</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.oracle.com">Oracle</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.revasystems.com"> Reva Systems</a></td>
		</tr>
		<tr>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.rfidglobalsolution.com"> RFID Global Solutions</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.rf-it-solutions.com"> RF-IT Solutions</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.sap.com">SAP</a></td>
		</tr>
		<tr>
			<td> <a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.seeburger.com">SEEBURGER</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.automation.siemens.com"> Siemens A&amp;D</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.skandsoft.com"> SkandSoft Technologies</a></td>
		</tr>
		<tr>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://sun.java.net/rfid-sensors/"> Sun Microsystems</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.supplyinsight.com"> Supply Insight</a></td>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.sybase.com/products/rfidsoftware"> Sybase Anywhere</a></td>
		</tr>
		<tr>
			<td><a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.vuetechnology.com"> Vue Technology</a></td>
			<td> <a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.warelite.net">Warelite</a></td>
			<td> </td>
		</tr>
	</tbody>
</table>
<p>
The technical report and market update can be downloaded free of charge from <a href="http://www.it-director.com/xurl.php?cid=10535&amp;ref=fd_side_itd&amp;url=http://www.blooranswers.com/research/research-report/955/rfid-middleware-from-rfid-to-sensory-network-middleware-for-the-edge.html" title="Download FREE paper on RFID Middleware">www.blooranswers.com</a>. There are also a number of product evaluations available on the site.
</p>

]]></description>
            <author>Simon Holloway, Bloor Research</author>
            <pubDate>Fri, 13 Jun 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10535/f/fd_side_itd</guid>
        </item>
        <item>
            <title>Why are CFOs giving away company profits?</title>
            <link>http://www.it-director.com/r/c/10516/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 4th June 2008<br/>Copyright Quocirca &copy; 2008</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>
Almost half of UK organisations subsidise employees' personal calls made on company supplied mobile phones&mdash;either completely or only requiring a partial contribution from the employee&mdash;according to recent Quocirca research. With the average personal usage on company mobile phones estimated to be as much as a third of the total bill, why are companies letting this through?  Is it intended as a perk for employees or are those in control of the purse strings just being casual with money they could add to the value of dividends paid out to shareholders?
</p>
<p>
It might seem like mean penny-pinching to some, but pennies saved quickly add into pounds, which might be important in harder economic times.  Take a simple example, where an organisation has 3,000 mobile phones with an average airtime cost per user of &pound;30 per month.  The total annual expenditure would be &pound;1,080,000. Using an average of around 30% for personal use (probably optimistically low), the total cost of this would be &pound;324,000. 
</p>
<p>
The values per person might be deemed to be low and, as such, many organisations may see this as a minimal or acceptable loss, but when equated to the entire mobile fleet this becomes a significant sum to be given away as an informal benefit.  In most cases it is unlikely to be recognised as forming part of the employees' benefit packages.
</p>
<p>
This could be only the tip of the mobile personal usage iceberg, with many new elements contributing and becoming more appealing.  For example, &lsquo;personal content&rsquo; on the mobile phone such as premium text messaging (voting for reality TV shows), services that cannot be barred by the networks, the increase of personal text messaging (over two-thirds of company text messages are thought to be personal); then there is the possibility of making payments via the mobile phone.
</p>
<p>
In addition to the loss there is also a compliance issue, in particular relating to VAT, which cannot be reclaimed on personal calls.  According to Quocirca's research, in many instances companies use a &lsquo;finger in the air&rsquo; estimation, or leave it to the employee to work out a value to assign for personal use in order to satisfy HMRC requirements. The issue with this is that organisations have no or very few processes in place to actually audit their employees&rsquo; personal usage levels and, as such, could be under-declaring the VAT value and, in some instances, over-valuing.
</p>
<p>
As organisations begin to deploy more and more mobile data applications this adds further complexities in understanding and in managing such expenditure. In one anecdotal example a company was stunned to receive a mobile data bill for one user in excess of &pound;8,000. When investigated, it turned out the user had been streaming a live football match to their smartphone whilst away on holiday. The employee's response&mdash;&quot;I thought we were allowed personal use of the mobile?&quot;
</p>
<p>
There is a further issue most organisations do not even consider that could have greater repercussions from a HR perspective. If the company allows employees with business-supplied mobile phones to benefit from free personal calls then, in practice, they are excluding all other employees that have not been issued with one from receiving this benefit. This is an unwelcome potential headache that could lead to claims of unfair treatment from the many employees without them, or those expected to provide their own.
</p>
<p>
Overall, the need to make personal mobile use visible and to effectively manage that use is evident from the impact it might have on the bottom line. Brushing it under the carpet is no longer acceptable in times when companies should be prudently managing their costs, or at the very least understanding the true value of all the benefits they are providing their employees.
</p>
<p>
Some companies will dismiss the amounts involved as of little consequence, but their shareholders might like to ask if the business's decision to ignore personal calls is taken by default by being unaware of their true cost, or whether it is deliberate, based on the facts.
</p>
<p>
As you weigh up whether it is worth it or not, just ponder on how many of your internationally roaming employees with 3G laptops or smartphones might be football fans.
</p>

]]></description>
            <author>Rob Bamforth, Quocirca</author>
            <pubDate>Wed, 04 Jun 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10516/f/fd_side_itd</guid>
        </item>
        <item>
            <title>SNIA Academy's presentations hit the storage target</title>
            <link>http://www.it-director.com/r/c/10506/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/68/peter_williams.php?ref=fd_side_itd" title="View profile for Peter Williams"><img border="0" src="http://www.it-director.com/images/people/small/peter_williams.gif" width="40" height="50" alt="Peter Williams" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/68/peter_williams.php?ref=fd_side_itd" title="View profile for Peter Williams">Peter Williams</a>, <em>Practice Leader -  IT Infrastructure Mgmt.</em>, Bloor Research<br/>Posted: 29th May 2008<br/>Copyright Bloor Research &copy; 2008</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>
It was good to see
the Storage Network Industry Association (SNIA) Academy finally make footfall
in the UK, with its all-day
event last Tuesday in London.
</p>
<p>
The Academy has
been staged in locations around Europe since
2005, and the emphasis is on education, especially about the latest storage
technology, and the trends, challenges and issues. The material throughout the
day was high quality and hit the major topical themes those involved with IT
storage would want to hear more about. So well done SNIA.
</p>
<p>
I can only skim
the surface here and it is only my take anyway. So my apologies to those I fail
to mention (or even hear, as there were break-out sessions running in parallel
and I could not attend everything). 
</p>
<p>
Jon Tate, SNIA
Europe UK committee chair, opened the proceedings by saying the Association had
been in transition since 2004&ndash;5, emphasising not just storage but also
information&mdash;an obvious move since all stored data <em><u>is</u></em> information and, increasingly, decisions on storage need
to be made based on what the actual information consists of.
</p>
<p>
Then followed a
very sobering presentation from Ann La France, worldwide legal counsel for
Squire, Saunders and Dempsey, who knows a thing or three about the thorny
subjects of compliance, and data protection versus freedom of information. One
of her themes was data retention (backed by the EU data retention directive of
2006). She pointed out that the best solution to protect against data breaches
was to delete the data after the <em>minimum</em>
time period. The average cost of a breach, with the loss of unencrypted data was
estimated at &pound;45&ndash;&pound;70 per record&mdash;just in lost business and administration&mdash;while the loss of consumer confidence was unquantifiable, she said. 
</p>
<p>
The two opposing
forces pulling against one another were privacy encouraging an early purge and
governments wanting to access personal data because of national security
concerns&mdash;with the UK
government currently in breach of EU directives in this! In the middle sits
regulatory compliance requiring certain information but also demanding security
including deletion. Frankly, nobody much is deleting <em>anything</em> at present, and La France thought many were ignoring
the problem hoping it would go away. Meanwhile the storage mountain grows.
</p>
<p>
It might have been
useful to put La France
in a panel debate alongside Nick
Baker of Sun Microsystems, whose theme was &lsquo;best practices for long-term <em>retention</em> of digital information&rsquo;. He
qualified this title with the word &lsquo;preservation&rsquo;&mdash;pointing out a major
problem of retrieving long-held data. SNIA had carried out a 100 year archive
survey. Frighteningly, 68% of the companies contacted have data they say needs
retaining over 100 years rising to 83% over 50 years. 53% even said they had
data needed in perpetuity. 
</p>
<p>
In some cases this
longevity stemmed from requests by government. So shouldn't governments defray
the costs? (Oh, that means the tax-payer pays; perhaps I should retract
that.)  Preservation, said Baker, was a
bigger problem for semi-structured or structured data; for instance, Oracle
objects and tables relate to each other so metadata is needed to describe the
information stored to make it genuinely discoverable. 
</p>
<p>
Apart from a
regular technical refresh involving migration to latest software versions there
was the matter of physical and logical migration as formats became out of date.
Baker emphasised that logical and physical should not be mixed&mdash;and, he said, only
some 30% were doing this correctly on disk while nobody was for tape or
optical. In other words this was: &quot;record to tape and lose.&quot; 
</p>
<p>
SNIA's answer was a &lsquo;holistic approach', not stove-piped with silos of
uncorrected information, which required an understanding of what an object was
in every case. The metadata format had to be correct and an audit trail
maintained from the original object with an archive object versionary needed. 
</p>
<p>
He also put in a plug for SNIA's XAM emerging standard for metadata (which
I have previously covered and believe has longer-term potential).
</p>
<p>
Despite this, it
all sounds expensive and time-consuming to me. Worse, said Baker, it was at the
bottom of the IT hierarchy so lacked adequate funding, therefore should be pushed back
to business as a serious risk. 
</p>
<p>
Among some of the
other main items was John Rollason (SNIA UK
committee and NetApp) covering every aspect of storage virtualisation and how
to use it effectively and Bill Bolton (SNIA UK and Brocade) giving us just
about all we should ever need to know about Fibre Channel, its history and
clear road ahead. Mark Galpin of Quantum's overview of de-duplication
technologies highlighted major differences in de-dupe approaches, while Steve
Collins of Pillar Data Systems covered various current trends in data
protection and restoration technologies, not least CDP.
</p>
<p>
The final
presentation of the day, by Sol Squire (SNIA Europe Nordic Committee and Data
Islandia) on building a green data centre, was full of practical tips for data
centre managers, overwhelmed by their challenges. Not the least of these was
spending a little money on data centre sensors so as to plot the power flow in
the data centre. &quot;60% of cooling is wasted; measure what you have,&quot; he said. 
</p>
<p>
Illustrating the
point he told of data centre managers identifying the flows then strategically
placing a shower curtain to save 40% of the cooling bill at a stroke! On a
similar theme of heat output versus cooling, he said (perhaps to the
consternation of some company security managers), &quot;You <em>can </em>open a window in the data centre.&quot; (The ultimate alternative of
building a new data centre when resources run out has an average cost &pound;20m.) 
</p>
<p>
Squire also advocated
investigating renewable energy. (Iceland, where he is based, runs on
100% renewable energy, but only has 300,000 population.) He also recommended having
small realisable goals as little things had greater effect down the line. Then,
he said, &quot;hopefully our grandchildren will still look up and see a blue sky.&quot;
</p>
<p>
Finally, a couple of
points from two vendor-specific break-out sessions I attended are worthy of a
mention. 
</p>
<p>
Trevor Kelly, EMEA
systems engineering manager for 3PAR, was discussing thin provisioning. In the
course of this he cited a recent Glasshouse Technologies' survey of 350 host
systems in 12 large companies - which showed storage utilisation <em>still </em>below 30%. Frankly, with the
virtualisation and other technologies now available and the green impact moving
up the agenda, this is now an unacceptable waste of resources.
</p>
<p>
Meanwhile, Rick
Terry of IBM provided interesting - nay, alarming - slides about how disk areal
density improvements - which had for decades kept pace with Moore's Law for
computer chips - were now tailing off. So, he predicted a disk price crunch as
it was going to be more difficult to get larger capacities - and, with the huge
data capacities now needed, small error rates extrapolated to more frequent
failures. So, he said, &quot;A 1PB (petabyte) drive fails every 10 days.&quot;  
</p>
<p>
Maybe there's an overall
message on the day: Try and tackle the storage mountain itself and do some
serious data deletion. That way, all the other issues and concerns will reduce
in size and cost. 
</p>

]]></description>
            <author>Peter Williams, Bloor Research</author>
            <pubDate>Thu, 29 May 2008 12:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10506/f/fd_side_itd</guid>
        </item>
        <item>
            <title>How to make GRC management enterprise-wide</title>
            <link>http://www.it-director.com/r/c/10503/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/68/peter_williams.php?ref=fd_side_itd" title="View profile for Peter Williams"><img border="0" src="http://www.it-director.com/images/people/small/peter_williams.gif" width="40" height="50" alt="Peter Williams" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/68/peter_williams.php?ref=fd_side_itd" title="View profile for Peter Williams">Peter Williams</a>, <em>Practice Leader -  IT Infrastructure Mgmt.</em>, Bloor Research<br/>Posted: 28th May 2008<br/>Copyright Bloor Research &copy; 2008</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>
A silo'd approach
to information management&mdash;with each department or division jealously protecting
its IT information assets&mdash;is common in a large organisation. There may be
some security benefits in this structure, but appropriate information from each
department has to be made available to the central management systems.
</p>
<p>
A similar silo'd
situation arises in regard to corporate governance, risk and compliance (GRC)
tasks. GRC needs to pervade the whole enterprise to be efficient and effective,
with a silo'd approach generally to the detriment of its functioning. 
</p>
<p>
This is typically
exacerbated by a series of overlapping functions. Although titles vary, there
is nowadays commonly the equivalent of a chief risk officer (CRO), chief
finance officer (CFO), chief compliance officer (CCO), security manager, and an
internal audit manager function&mdash;and, somewhere in the middle of this, because
everything nowadays revolves around IT systems, the CIO.  
</p>
<p>
Each of these will
be backed by a group of people and systems&mdash;who are all after <em>some</em> of the same information (mixed with
some specific to their needs alone), but presented in the way they are used to
using it, historically different for each. Nor is any one of them going to roll
over and change to fit software for one of the other functions; this will not
give them what they need in the way that they want it. 
</p>
<p>
A knock-on effect
of the silo'd approach is that each group will typically gather this common
information from other departments separately. Where this means other
departments need to complete questionnaires and comply with assessment
requests, those departments could be wasting time gathering overlapping
information and repeating answers on forms for one or other of them. 
</p>
<p>
According to
Gordon Burnes, VP of sales and marketing at GRC software supplier OpenPages,
one enterprise the company dealt with was using no less than 40 different
solutions at once. Whatever else this achieved, it certainly did not make for
good governance. &quot;Assessment fatigue from constantly supplying information
means quality goes down,&quot; Burnes told me.
</p>
<p>
Unsurprisingly,
OpenPages believes it has cracked the problem. It has certainly come face to
face with it in many big-named enterprises which it can name among around 250
customers in the US
and elsewhere. The principle OpenPages uses is simple enough but that does not
mean it is easy to do. 
</p>
<p>
OpenPages (version 5.5 recently released) uses a central repository for all risk
and compliance data, and this includes frameworks, libraries, policies,
entities, processes and accounts. So the repository can hold all the
information&mdash;both quantitative and qualitative&mdash;that all the GRC-affected
departments normally collect. 
</p>
<p>
Parameters are set
for each piece of collected data to denote which departments need it and which
do not&mdash;immediately revealing the potential for consolidation, including
consolidation of common activities such as the assessments, into a single
platform which is process-driven. A flexible front end means each compliance or
risk group can view the information in the format it prefers (even down to one
department using &quot;A, B, C&quot; and another &quot;1, 2, 3&quot; for the same information). 
</p>
<p>
Probably the
biggest benefit of this approach is that it is adaptable to fit the existing
company risk and compliance methodology; risk assessments, for instance, can be
applied at any enterprise level. Risk and compliance management can then be
integrated into the everyday business processes with the minimum of disruption&mdash;and the new software can be gradually implemented over time.
</p>
<p>
I am sure most
serious GRC software vendors will ultimately conclude this is the most
practical approach to go for the large enterprises. (Where other software does
this it should then only be a matter of features, functionality and benefits,
despite what major vendor consultancies who advise on GRC may say.) However,
there is one other thing that is needed in order to make this happen. 
</p>
<p>
&quot;It needs a
mandated approach,&quot; said Burnes. In other words, this needs to be driven with
top-down authority. It needs the CEO's blessing and possibly more than that to
make sure the CFO, CRO, CCO et al all give it whole-hearted support, and the
CIO gives priority to its implementation. 
</p>
<p>
In the end, this
has to be done top-down and enterprise-wide&mdash;or the business will be left with
even more exposure to risk and legal sanction for non-compliance than it is
already.    
</p>

]]></description>
            <author>Peter Williams, Bloor Research</author>
            <pubDate>Wed, 28 May 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10503/f/fd_side_itd</guid>
        </item>
        <item>
            <title>Spreadsheets and GRC</title>
            <link>http://www.it-director.com/r/c/10456/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/48/philip_howard.php?ref=fd_side_itd" title="View profile for Philip Howard"><img border="0" src="http://www.it-director.com/images/people/small/philip_howard.gif" width="40" height="50" alt="Philip Howard" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/48/philip_howard.php?ref=fd_side_itd" title="View profile for Philip Howard">Philip Howard</a>, <em>Research Director -  Data Management</em>, Bloor Research<br/>Posted: 15th May 2008<br/>Copyright Bloor Research &copy; 2008</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>
I have for some time been extolling the importance of discovering your spreadsheets, assessing the risks associated with them, and the need to take control of significant spreadsheets, as a part of any data governance initiative. However, I have not previously written about the role of spreadsheet management within the emerging market for GRC (governance, risk and compliance) software.
</p>
<p>
The big players in the GRC market are the 800lb gorillas of the software world, companies like SAP, Oracle, CA and IBM. If we take SAP as an example, it has a variety of software offerings that &quot;automate end-to-end GRC processes to address corporate governance and oversight, risk management, and compliance management and reporting&quot;. These options work directly with SAP application software and the company sees its ability to offer such capability as a competitive advantage.
</p>
<p>
However, the downside to this GRC approach is that it is limited to SAP applications and the databases and infrastructure that support the SAP environment. Which is fine, up to a point, if you are a dedicated SAP shop and don't have, say, Oracle applications also running in your environment. Of course, CA and IBM are less proprietary when it comes to application software so a GRC solution from one of these vendors will not force you to have multiple solutions.
</p>
<p>
Except that none of these vendors (as far as I know) have any support for end user computing (EUC) such as Access databases, spreadsheets and so forth. And given that research indicates that upwards of a third of all corporate data resides in spreadsheets this would seem to leave a large hole. Of course, there are tools from a variety of vendors for managing spreadsheets but they have, hitherto, been separate and distinct from any conventional GRC solutions, which means that to do a complete job of GRC you have been obliged to have multiple systems supporting multiple dashboards to monitor your GRC environment&mdash;which is clearly a bad thing.
</p>
<p>
However, Compassoft has just released version 4.0 of its Compassoft Enterprise product and, apart from beefing up its spreadsheet management capabilities, the big news in this release is that it has opened up its environment, so that you can either import (typically by means of web services though there are other mechanisms available) other GRC information into the Compassoft environment and present data through its dashboard or, conversely, you can export data in the same fashion so that you can present EUC management information within the dashboard of your (say) SAP GRC portal.
</p>
<p>
While it is likely in the future that the major vendors will buy up spreadsheet management suppliers (or build their own capabilities&mdash;less likely) precisely so that they can include this sort of functionality within their GRC suites in the future, such consolidation has not yet started to happen. At present, therefore, this leaves Compassoft in an enviable position, with a distinct advantage over its rivals in terms of GRC functionality.
</p>

]]></description>
            <author>Philip Howard, Bloor Research</author>
            <pubDate>Thu, 15 May 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10456/f/fd_side_itd</guid>
        </item>
        <item>
            <title>How to reduce the risk of personal injury claims against your IT department</title>
            <link>http://www.it-director.com/r/c/10463/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><img border="0" src="http://www.it-director.com/images/people/small/simon_parums.gif" width="40" height="50" alt="Simon Parums" /></td><td valign="top" width="100%">By: Simon Parums, <em>Managing Director</em>, Themis<br/>Posted: 8th May 2008<br/>Copyright Themis &copy; 2008</td></tr></table></div>

<p>
Although IT department employees are covered by the same Health and Safety laws as other workers, there are many issues specific to the industry. Staff working in IT are required to spend much of their time sitting at a computer so the most common complaints are limb disorders such as repetitive strain injury and eye strain from long spells working at a computer screen. 
</p>
<p>
Computer screens are wrongly blamed for a wide range of health problems. In fact, only a small proportion of computer users actually suffer ill health as a result of working at a screen. Where problems do occur, they are generally caused by the way in which they are being used, rather than the computers themselves. 
</p>
<p>
Employers can avoid claims from staff for these issues by ensuring a good working environment and examining the ways computers are used. All employers should also have a Risk Assessment. This will help them identify the risks so they can take the relevant steps to reduce them. 
</p>
<p>
IT employers should have: 
</p>
<ul>
	<li>
	<div>
	A full written Health &amp; Safety Policy in place; 
	</div>
	</li>
	<li>
	<div>
	A Fire Risk Assessment carried out on their premises; 
	</div>
	</li>
	<li>Adequate First Aid cover;</li>
	<li>Training in Display Screen Equipment (DSE); and should</li>
	<li>Look into obtaining separate Risk Assessments for groups of employees including young workers, pregnant workers, noise, stress etc.</li>
</ul>
<p>
All of the above should be carried out on a regular basis and not just as a one off. 
</p>
<p>
Here are some other common complaints from IT workers and tips on how employers can combat them: 
</p>
<p>
<strong>Aches and pains</strong><br />
Repetitive Strain Injury (RSI) has become the common term for all manner of aches, pains and disorders, but it's not always correct and can mean different things to different people. A better medical name for the whole group of conditions is &lsquo;upper limb disorders'. Usually these disorders do not last, but in a few cases they may become persistent or even disabling. 
</p>
<p>
Employers can avoid problems by good workplace design, to make sure staff can work comfortably, and that they take regular breaks from the workstation. Short and frequent breaks are thought to be more beneficial than longer, less frequent ones. Preventing upper limb disorders is easier than ever. 
</p>
<p>
Limb complaints can arise from employees who use laptops and portable computers. Make sure they are compact and easy to carry. Design features such as small keyboards can make prolonged use uncomfortable so consider advising staff to use a docking station. 
</p>
<p>
If full-sized equipment is available advise staff to use it. Like other computer users, people who habitually use a portable should be trained how to minimise the risks. This includes sitting comfortably, angling the screen so it can be seen clearly with minimal reflections, and taking frequent breaks if work is prolonged. Wherever possible, portables should be placed on a solid surface&mdash;importantly this should be at the right height for the user to prevent back injuries. 
</p>
<p>
<strong>Damage to eyesight</strong><br />
Extensive research has found no evidence that working at a computer can cause disease or permanent damage to eyes. However, long spells of screen work can lead to tired eyes and discomfort. Also, by giving eyes more demanding tasks, it might make users aware of an eyesight problem they have not noticed before. To prevent problems employers can help ensure screens are well positioned and properly adjusted, and that the workplace lighting is suitable. 
</p>
<p>
The heat generated by computers and other equipment can make the air seem drier and some contact lens wearers find this uncomfortable. Where the air is dry, employers should increase the humidity. 
</p>
<p>
Employees covered by Health and Safety regulations can ask their employer to provide and pay for an eye test from an optometrist or doctor. Employers only have to pay for spectacles if special ones (for example, prescribed for the distance at which the screen is viewed) are needed and normal ones cannot be used. 
</p>
<p>
<strong>Headaches</strong><br />
Headaches are a common complaint in the workplace and it's often assumed they are caused by working at a computer screen, but this isn't always the case. Headaches may result from several factors, such as: 
</p>
<ul>
	<li>
	<div>
	Screen glare 
	</div>
	</li>
	<li>Poor image quality</li>
	<li>A need for different spectacles</li>
	<li>Stress and anxiety</li>
	<li>Reading the screen for long periods without a break</li>
	<li>Poor posture</li>
</ul>
<p>
Try to identify the reason for any headache complaint as it can usually be put right quite easily. It could be something as simple as adjusting the employee's chair, changing the monitor or providing further training on how to use the computer. This is something that will be identified if you have a full Risk Assessment carried out. 
</p>
<p>
It's extremely important to remember that, no matter what the size of the business, all employers have Health and Safety obligations to ensure staff have a safe working environment. If you are confused about any of the information given in this article it's essential you speak to an expert. A small cost to seek advice could save you thousands in the long run from claims brought against the company. Good Health and Safety practice also increases productivity which will have an impact on bottom line profitability. 
</p>
<p>
If you require further information please visit <a href="http://www.it-director.com/xurl.php?cid=10463&amp;ref=fd_side_itd&amp;url=http://www.themissupport.co.uk/">http://www.themissupport.co.uk/</a> 
</p>

]]></description>
            <author>Simon Parums, Themis</author>
            <pubDate>Thu, 08 May 2008 08:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10463/f/fd_side_itd</guid>
        </item>
        <item>
            <title>Measurement - do records management policies, systems and procedures really deliver?</title>
            <link>http://www.it-director.com/r/c/10424/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 22nd April 2008<br/>Copyright Quocirca &copy; 2008</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>
The importance of assessing and measuring records management policy and the subsequent procedures used has been thrown into sharp relief by the disaster that last year befell the UK's Revenue and Customs organisation.  The personal records of 25 million of the UK population were sent protected only by a password in an internal postal system, and lost.
</p>
<p>
It's bad enough that it happened at least once, but worse still to think that organisations get away with bad procedures for some time, before only a combination of circumstances causes them to be revealed.  Even if the strategic policy is robust, when a system breaks down in the implementation of the policy, its effectiveness isn't being correctly measured.
</p>
<p>
Organisations need to know how their systems and processes are performing&mdash;well or badly&mdash;before any fallibilities are exposed with potentially far more catastrophic results.  There is also the more basic and straightforward reason for checking&mdash;having invested in a records management system, is it providing good value?
</p>
<p>
Most organisations will have justified the expenditure on some combination of expected benefits&mdash;strategic and tactical.  In both cases, they need to know if these benefits are being realised and must put some form of measurement and benchmarking systems in place.
</p>
<p>
There are two main drivers for this. The first is to demonstrate the short term benefits to stakeholders to show where the investment has been a success, and where there need to be changes or enhancements based on lessons learned. It should not just be a set of check boxes as part of the project review and seen by only a few, but a broad internal presentation of current and expected progress.  This should have been set out as a main part of the initial plan, and have straightforward measurement criteria set against each benefit, including:
</p>
<ul>
	<li>improved productivity</li>
	<li>competitive gains</li>
	<li>cost savings</li>
	<li>reductions in storage space</li>
	<li>better workflow</li>
</ul>
<p>
The second reason for measurement is for the longer term, more strategic or indirect benefits that need to be enhanced and protected.  This includes those that might form part of an external vision or message, both for ongoing present promotion, but also for defence in the event of some future failure.  These benefits are harder to quantify, but should also have been outlined from the beginning:
</p>
<ul>
	<li>image or brand value</li>
	<li>the need to meet statutory requirements</li>
	<li>enhanced knowledge management</li>
	<li>improved customer service</li>
	<li>business resilience or disaster recovery</li>
</ul>
<p>
How should an organisation start to quantify what it might need to measure in its records management projects?  Well, there are established standards to address this, such as ISO 15489, which covers plenty of ground in addition to providing a benchmark for best practice.
</p>
<p>
ISO 15489 is about the entire approach, methodology and processes for ensuring that an organisation's records are properly managed and made usable and accessible throughout their lifecycle.  For the sake of external validation and verification, the standard also ensures that critical stages, such as final disposal, are carried out in an open and transparent manner and according to pre-determined criteria.  This is particularly important where there are regulatory or data protection requirements from legislation.
</p>
<p>
The value of measurement is not only for the benefit of external stakeholders.  Improvements made in information access and workflow can have a huge impact on individuals, both in terms of their effectiveness and their job satisfaction.  Office workers can waste many hours searching for badly labelled, badly filed or simply &lsquo;mislaid&rsquo; records, which eats into their time and morale. So as part of the introduction of new procedures and systems, the personal benefits can be identified, and then captured over time to show even the most reluctant individuals and, perhaps more importantly, their industrial relations representatives, that improvements are being generated for both organisation and individual.
</p>
<p>
Tackling measurement from an early stage can also help if a project is struggling to obtain sufficient management resources by identifying some early success stories. If some of the expected benefits have not been achieved there will be a need to look for reasons and seek to overcome them so that later phases can be directed to address the shortfall.
</p>
<p>
However, it is best not to over-rely on measurement, and more useful to measure what is important, rather than making important what is often too easy to measure.  Always feed back good news items with reasons as to why they have happened and how they will be capitalised upon, but don't shy away from making clear where there are problems, and what corrective action will need to be undertaken.
</p>
<p>
Finally, if internal measurement or external exposure in the media highlights major flaws, take prompt action to tighten up procedures and communicate them so that all staff understand why processes have become more restrictive.  These can always be relaxed later, but everyone needs to know that the organisation takes its records management seriously and effectively measures how well it is being performed.  No one wants to discover inadequacies after a public failure&mdash;just ask the UK's Revenue and Customs, or any of the other large organisations that have recently inadvertently hit the media.
</p>

]]></description>
            <author>Rob Bamforth, Quocirca</author>
            <pubDate>Tue, 22 Apr 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10424/f/fd_side_itd</guid>
        </item>
        <item>
            <title>Outrunning the bear - cutting costs not corners</title>
            <link>http://www.it-director.com/r/c/10412/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 18th April 2008<br/>Copyright Quocirca &copy; 2008</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>
There is no doubt that many markets are facing challenging or at least uncertain times. Those predicting a falling market are known as &quot;bears&quot; and are often thought of as pessimistic.  The term is thought to originate from the inverse of the concept of  &quot;don't sell the bearskin before you've killed the bear&quot;, known in trading circles as selling short.  The other strategy in bear markets is to stay away, but that's not possible if you want to keep a company in business in a bear-ish economy. 
</p>
<p>
A hunting story might indicate a better direction to take in a falling market.  Two hunters out tracking bears suddenly encounter one and realise they have no ammunition for their guns.  While the first hurriedly tries to drop rucksack and surplus weight, the second stops to put on running shoes. &quot;You won't outrun the bear in those&quot; says the first. &quot;No, but I'll outrun you&quot; is the reply. 
</p>
<p>
In almost all industries except the stock market and gambling, the object is to stay ahead of the other participants, not the market itself.  When times are hard, it's better to be more competitive than simply to slash budgets.  This is particularly true in the area of telecommunications where companies have put useful or even vital tools in the hands of employees, only to now apparently say, use fewer of them and less often. 
</p>
<p>
These capabilities were put in place for valid reasons, such as making the company more flexible, more customer-centric and competitive, or enabling employees to be more responsive, efficient and effective.  So why would any company want to compromise these advantages by adopting blanket restrictions that might just put it in the jaws of the bear? 
</p>
<p>
Communications costs are an easy target.  They spread right across the organisation, can be identified to an individual, have been seen as growing rapidly in recent years and there is a general undercurrent feeling that the organisation is subsidising inappropriate personal, as well as legitimate business, use. Not only does that raise an issue of potentially avoidable expense, it also brings in both personal and corporate taxation, most especially VAT. 
</p>
<p>
Applying swingeing cuts across the board might seem the right thing to do as it appears to be evenly unfair to everyone, but it doesn't tackle root causes and runs the risk of disabling functions that are important to the business.  There are, however, a number of things that organisations can do to try to outrun the competition: 
</p>
<ul>
	<li>First decide on policy. Will employees be charged for personal phone calls and will they have to pay for their broadband at home when it's partly used for business? What sort of restrictions will there be on making international calls, accessing the internet from the office, using Wi-Fi on laptops, or using premium rate services? Any or all of these may be supported by some technology, but first the rules have to be decided, then made clear to everyone, then enforced.</li>
	<li>Converge thinking on communications. Different technologies&mdash;mobile phones, desk phones, landlines, laptops with datacards&mdash;historically may have been the responsibility of different groups or individuals in IT, procurement, finance and facilities. Move the overall responsibility into one place, so that decisions are more strategic and less territorial. The technology is converging, so apply the same attitude to budgets.</li>
	<li>Find out what is already in use. Do a proper audit of the telecoms estate, and if internal resources or skills are in short supply, get outside help. Make sure this is not a one-off exercise, as the portfolio of assets shifts as employees leave the company, or new services and suppliers are brought in. Mind the gaps and don't pay for things that are unnecessary or people who have left.</li>
	<li>Face up to personal usage. Measure it, manage it and bill for it. It not only does employees good to see and agree what they've used, it also makes managers able to sign it off as appropriate and allows the company to verify the suppliers' bills are correct. Errors frequently occur, for many innocuous reasons.</li>
	<li>Take a longer view than simply negotiating a better deal with each supplier in turn. That only provides a short term boost to the budget, but doesn't address underlying issues or costs that could be avoided. The longer term view also has to take into account the broader goals and needs of the business, rather than the pressure on one individual to squeeze a budget to hit an objective.</li>
</ul>
<p>
Companies need to put in a little effort to optimise their current spending on communications and avoid unnecessary future expense.  Rather than simply lightening their loads, they need to invest wisely in ways to be nimble.   To look in more detail at obtaining value from telecoms, download this free report from the Quocirca website, <a href="http://www.it-director.com/xurl.php?cid=10412&amp;ref=fd_side_itd&amp;url=http://www.quocirca.com/pages/analysis/reports/view/store250/item21163/?link_683=21163">&quot;Total telecoms expense management&quot;.</a>
</p>

]]></description>
            <author>Rob Bamforth, Quocirca</author>
            <pubDate>Fri, 18 Apr 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10412/f/fd_side_itd</guid>
        </item>
        <item>
            <title>Has SNIA's XAM missed the ILM target?</title>
            <link>http://www.it-director.com/r/c/10403/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/68/peter_williams.php?ref=fd_side_itd" title="View profile for Peter Williams"><img border="0" src="http://www.it-director.com/images/people/small/peter_williams.gif" width="40" height="50" alt="Peter Williams" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/68/peter_williams.php?ref=fd_side_itd" title="View profile for Peter Williams">Peter Williams</a>, <em>Practice Leader -  IT Infrastructure Mgmt.</em>, Bloor Research<br/>Posted: 15th April 2008<br/>Copyright Bloor Research &copy; 2008</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>
Some of us interested
in full information lifecycle management (ILM) have long pointed to a need for
an industry standard format for metadata that describes the data content of
files to a more granular degree. Currently, software using metadata in this way
has first to create it to its own proprietary format&mdash;which is typically
unusable by any other vendors' software wanting to access the same data.
</p>
<p>
This being
primarily a storage problem, the obvious body to drive development of a standard
is the Storage Network Industry Association (SNIA). SNIA's response has been
the development of the eXtensible Access Method (XAM) specification, version 1.0 of
which was released last week. The SNIA has yet to gain member approval but,
assuming this is achieved by mid-year as intended, it will then submit the
specification to ANSI and ISO for accreditation. Mid-2008 should also see
release of the XAM SDK available under licence for industry developers.
</p>
<p>
Hold on a moment.
I understand XAM is only addressing fixed format content at this time. This,
though, is not the biggest problem. It may be a little inefficient but a user
can, if needs be, hard-code access to a particular file type if the format of
the individual fields is known; the code can then do field checks and be as
granular as needed to decide to which storage tier to assign the data or move
it&mdash;even without creating metadata. 
</p>
<p>
Don't get me
wrong, I can understand that creating a standard metadata mapping to the
important fields of all fixed format files using standard syntax means standard
routines can be used instead of reinventing the wheel for each file. If the
process is not made too complicated and long-winded to set up and inefficient
and slow in use there is good reason to see XAM adopted over time.
</p>
<p>
Yet the bigger
problem is handling free-format content. This is necessary not least because
the increasing regulatory burden includes maintaining documents (including
e-mails and, soon, voice-mails) which contain free-format text. Software
generally ducks the problem of looking at the content of these files as
received, creating metadata for them, and assigning them to appropriate storage
tiers and&mdash;most importantly&mdash;properly managing it so that the vast majority
can be moved to low-cost off-line storage in a matter of weeks. (A few vendors,
notably Njini, have tackled this.) 
</p>
<p>
Instead,
organisations keep the data for years &quot;just in case,&quot; much of it clogging up their
on-line systems. If a specific compliance request comes in, a search engine may
be used to try and pull out the most likely candidates by matching against
appropriate key words.
</p>
<p>
Now switch that
around. If appropriate key words are used on the free-format data when received,
as part of creating fixed format metadata to accompany the data, you have
largely solved the ILM data tiering problem. (This is essentially the approach
used by Njini.) Once the metadata is created the software works from the
metadata and applies policies or rules to it (and they may update it if a data
change occurs). Apart from a speed challenge when the data is first received&mdash;it
may arrive too fast for real-time metadata creation&mdash;this procedure can work.
So I wonder why SNIA has not started getting into this.
</p>
<p>
Fifty companies
are already participating in the SNIA initiative and its two associated
technical workgroups. These include both application developers from storage
vendors and some academic bodies. Among these are some of the &quot;big boys&quot; who
are clearly anxious to push the specification. EMC has contributed a C++ with Java Native
Interface (JNI) wrapper XAM Library while HP has donated a Java version of the
XAM Library. Sun has added code from its Sun StorageTek 5800 (previously
&quot;Project HoneyComb&quot;) for the Hypertext Transfer Protocol (HTTP) and reference
vendor implementation modules (VIMs). This tells me several things: 
</p>
<ol>
	<li>
	XAM has lift-off and the potential to become the de
	facto metadata standard for fixed format data. SNIA has the capability and the
	intention to cultivate a SNIA community for pushing the XAM standard, with an
	approvals procedure for XAM-compatibility and conformance within software
	products. It can back this by industry education programmes. That's the good
	news.
	</li>
	<li>
	There is a danger that, because it is being
	developed by committee with lots of vested interests, the resulting solution may
	contain lots of bells and whistles that most do not need and which make it
	inordinately complicated, slow and unwieldy to use. The best ways of doing
	things might sometimes be circumvented because one or more of the biggest
	vendors realise that that approach will undermine their competitive position.<br />
	Storage vendors are first and foremost in the business
	of making money so the biggest are especially unlikely to support an elegant approach if it cuts them
	out. Yet such baggage has in the past resulted in standards being ratified,
	only to be neglected and overtaken by other better approaches.</li>
	<li>Because of other objectives associated with data
	management, the primary ILM focus may be lost. There is evidence of this in
	SNIA's XAM announcement which, by the way, never mentions compliance. SNIA also
	announced that its Data Management Forum (DMF) is now starting to develop an
	application-centric standard called a Self-Describing Self-Contained Data
	Format (SD-SCDF); this, SNIA says, will be coupled with the XAM specification
	over time. SNIA says: &quot;The SD-SCDF is aimed at providing application developers
	who adopt XAM, the ability to write a standard, interoperable, long-term
	preservation format and XAM provides SD-SCDF a strategic catalyst enabling
	adoption.&quot; 
	</li>
</ol>
<p>
Without, admittedly, having investigated the detail,
this very description tells me it will introduce a diversion and complexity to
what is conceptually a simple enough task. So could XAM end up as a camel (a
horse designed by a committee) or perhaps a submerged hippopotamus (a
waterhorse designed by several committees)?! That is probably unfair to all the
people working hard to produce a good spec covering all eventualities. However,
if compliance matters are not central to XAM thinking I am not sure how this
horse will be able to stay afloat in practice. I would be more confident if
free format content was also being urgently and sensibly addressed within a
very short time-frame.
</p>
<p>
XAM looks
interesting and needs to be investigated closely. So I am raising these as my
concerns about what will happen to XAM because there is a need and a great
opportunity it can address&mdash;but I fear this will be missed. My concerns may,
of course, be completely unfounded, and I would be delighted to hear from
anyone who can put my mind at rest. With the right motivation and full
attention to handling free format, XAM could then be of real value in achieving
something like full ILM.
</p>

]]></description>
            <author>Peter Williams, Bloor Research</author>
            <pubDate>Tue, 15 Apr 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10403/f/fd_side_itd</guid>
        </item>
        <item>
            <title>ODF and OOXML: a holy war over no-man's land</title>
            <link>http://www.it-director.com/r/c/10296/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/13197/john_brand.php?ref=fd_side_itd" title="View profile for John Brand"><img border="0" src="http://www.it-director.com/images/people/small/john_brand.gif" width="40" height="50" alt="John Brand" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/13197/john_brand.php?ref=fd_side_itd" title="View profile for John Brand">John Brand</a>, <em>Research Director</em>, Hydrasight<br/>Posted: 25th February 2008<br/>Copyright Hydrasight &copy; 2008</td><td><a href="http://www.it-director.com/about/company/7523/hydrasight.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/hydrasight.gif" width="88" height="33" alt="Logo for Hydrasight" /></a></td></tr></table></div>

<p>
In the lead-up to the proposed ratification of OOXML as an international standard, I wonder what all the fuss is about. For starters, even if OOXML becomes ratified, it doesn't necessarily mean it will become adopted. There are plenty of standards that no-one uses. Moreover, no-one more than Microsoft knows that &quot;the only standard that matters is ubiquity&quot;. So what is this argument really all about? The people involved in this war on document formats always seem to come down to the issue of functional richness. ODF is criticised for being simplistic and OOXML is applauded for being richer in capability.   
</p>
<p>
I do agree that ODF is simplistic. But that can be a good thing. HTML is also simplistic and that's why the web took off with such incredible velocity&mdash;anyone who could find the angle braces on their computer keyboard could publish an HTML page. However, when people are arguing over document formats in the context of ODF vs. OOXML it does make somewhat of a difference. OOXML is a richer file format&mdash;but then, that's what everyone (that doesn't like Microsoft) always complains about. Microsoft has a history of taking something simple (and often an agreed standard) and adding their own &quot;usability flair&quot; to it. So yes, ODF <strong><em>is</em></strong> more simplistic than OOXML but that's not really the point most people should be concerned about.<br />
<br />
The dispute over ODF and OOXML is a holy war over no-man's land. The argument about &quot;which is the right document format&quot; is masking the fact that it's still just about a document format. What people are <em><strong>trying to do</strong></em> with the document format now however, is fundamentally different than in the past. Organisations are trying to create applications around a document format which in effect makes the document become a database (refer <a href="http://www.it-director.com/xurl.php?cid=10296&amp;ref=fd_side_itd&amp;url=http://www.hydrasight.com/research/?bid=148">&quot;Multi-dimensional documents compound information management problems&quot;</a>). It's therefore essentially the same issue as people arguing about which database format is the best one to use. <br />
<br />
Organisations are confusing this issue about document formats with issues around application and information lifecycle management (refer <a href="http://www.it-director.com/xurl.php?cid=10296&amp;ref=fd_side_itd&amp;url=http://www.hydrasight.com/research/?bid=186">&quot;Open Document Format won't solve long term archiving issues&quot;</a>). For example, can you still access data in a DBASE application you wrote 15 years ago on your PC XT machine? Some organisations probably can, most probably not. But can they access the data from those databases? Generally they can today if: 
</p>
<ol>
	<li>
	They transferred the data to another format and media over that period (possibly even several times over that period with the change of technology)</li>
	<li>
	They archived the data to a final form document&mdash;usually hardcopy print.</li>
</ol>
<p>
Some organisations had the forethought to output their document records to film 50 years ago and they're still available today. So the issue is not really whether you can access the data in the documents in their original format in 50&ndash;100 years' time, but whether you have considered the most appropriate method of retrieval in 50&ndash;100 years' time (refer <a href="http://www.it-director.com/xurl.php?cid=10296&amp;ref=fd_side_itd&amp;url=http://www.hydrasight.com/research/?bid=89">&quot;ODF: 'Open' is not something end users even care about&quot;</a>). In this sense, the argument about document formats is really: &quot;what benefits do you get from creating applications around a document format by using it as a database?&quot; <br />
<br />
When you look at how documents are evolving they are becoming collaborative applications in themselves (refer <a href="http://www.it-director.com/xurl.php?cid=10296&amp;ref=fd_side_itd&amp;url=http://www.hydrasight.com/research/?bid=269">&quot;The future of document sharing: collaborative online document editing&quot;</a>). Google Docs for example allows two (or more) people to edit a document simultaneously and to retrace your steps through those edits later if need be. Documents are therefore becoming multilayered databases, and word processing software is morphing into sophisticated collaborative applications.<br />
<br />
To sum up, I think the war on document formats was over long before it began! 
</p>

]]></description>
            <author>John Brand, Hydrasight</author>
            <pubDate>Mon, 25 Feb 2008 07:05:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10296/f/fd_side_itd</guid>
        </item>
        <item>
            <title>Banks need to learn to keep their own data safe</title>
            <link>http://www.it-director.com/r/c/10268/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 15th February 2008<br/>Copyright Quocirca &copy; 2008</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>
Every so often the mainstream press gets its teeth into a story and can't let go. In the second half of 2007 and continuing into 2008 the UK press started to uncover a series of stories about data losses. There is always a degree of opportunism and scaremongering with news runs; a chance to bash a new government, an appeal to a reader's sense of insecurity and so on. So does a more rational look allow the wood to be seen through the trees?
</p>
<p>
There is one overriding issue that will worry readers of such stories&mdash;is their money safe? Whether it is a government department, a retailer or a bank that has been careless with data, it is the prospect of financial fraud that is most scary (although potential recruits to the UK armed forces whose details were stolen in January may be pondering what a terrorist might do with these).
</p>
<p>
Ultimately, fraudsters are after money so it is banks that have the most to lose whatever the source of the leak. It is not just the direct loss if a bank is duped into making a loan that will never be repaid or allows a thief access to customers' accounts. There are also potential fines from regulators and business lost through loss of confidence. Brand damage is likely to be the most serious long term consequence.
</p>
<p>
Life is not made any easier for banks, given that they have to share data: governments demand financial information from banks to check they are maximising tax returns from citizens and businesses, retailers store details of customers' credit cards (they could not operate otherwise), and customers like having direct access to their accounts via internet banking. Opening up their systems to customers and third parties is the only pragmatic way for banks to operate today. So what can they do to minimise fraud?
</p>
<p>
First they need to get their IT infrastructure in order. This requires strict asset management and auditing of activities&mdash;understanding what equipment is in place and who is using it. Second, software development processes need to be watertight, making sure applications are secure and that rogue developers are not building back doors.
</p>
<p>
On top of this, processes need to be well defined. Who is authorised to do what and how should it be done? Many of the recent data leaks have happened because of the sloppy way data has been transferred, sending CD ROMs rather than making network transfers. Some banks have been all too quick to blame junior employees for leaks that have occurred due to poor processes that senior managers have overseen.
</p>
<p>
At the end of the day consumers and businesses do not want their identities stolen and to become the victims of fraud. Nearly all are on the same side as the banks, so awareness campaigns need to be continuous and lucid. Most of all banks need to lead by example by demonstrating they, at least, are very careful with their customers' data.
</p>
<p>
Many stories of data leaks turn out to be scaremongering by the press because there is little evidence that data has actually got in the wrong hands, but sometimes it does and there are plenty of examples of online financial fraud, however perpetrated.
</p>
<p>
However clever thieves are, however careless government departments, retailers or their own customers and employees are, it is banks that are responsible for the security of their IT systems and it is only banks that ultimately are responsible for what cash they dish out to whom.
</p>
<p>
Quocirca's report Banks and data leak prevention is <a href="http://www.it-director.com/xurl.php?cid=10268&amp;ref=fd_side_itd&amp;url=http://www.quocirca.com/pages/analysis/reports/view/store250/item20679/?link_683=20679">free to readers</a> to download.
</p>

]]></description>
            <author>Bob Tarzey, Quocirca</author>
            <pubDate>Fri, 15 Feb 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10268/f/fd_side_itd</guid>
        </item>
        <item>
            <title>IBM Optim and Data De-Identification</title>
            <link>http://www.it-director.com/r/c/10250/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley"><img border="0" src="http://www.it-director.com/images/people/small/nigel_stanley.gif" width="40" height="50" alt="Nigel Stanley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley">Nigel Stanley</a>, <em>Practice Leader -  IT Security</em>, Bloor Research<br/>Posted: 7th February 2008<br/>Copyright Bloor Research &copy; 2008</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>
For many, IT security has been a long journey that is
starting to come to an end as perimeters (at least those that exist) are
secured, data is encrypted, viruses killed and leaks plugged using the latest
vendor offerings. 
</p>
<p>
Unfortunately the journey is far from over, as those that
undertake systems implementation and development are finding out. 
</p>
<p>
The issue? Data de-identification. 
</p>
<p>
For those unfamiliar with the term some explanation is necessary.  
</p>
<p>
Imagine that you run the software development function for a
bank. You employ teams of developers who cut code all day creating bespoke
applications for the various end user departments. Maybe trading solutions,
maybe back office process solutions. 
</p>
<p>
How are you going to test the software? 
</p>
<p>
Easy, simply take a cut of data from the production
database, populate the development server and start running the tests. This is
a practice that would be familiar to development shops all over the world and
happens all the time. The inherent problem this poses, from a security view
point, is that the cut of production data now sitting on the development server
is a full and frank copy of some, probably, very sensitive information. The
fact the data has been extracted from the production server and now sits in
software development almost inevitably means that it now resides below the
radar of the corporate security team and therefore represents a potentially
huge data leak waiting to be exploited.
</p>
<p>
For some this practice may seem a bit far fetched, but I
would suggest that for the majority of development shops, either internal
departments or external consultancies, this is exactly what happens day in, day
out. By the nature of software development, security is often seen as way down
the list of concerns. As long as the daily build does just that, and the latest
code is put into a fireproof safe overnight, few give a thought as to the
nature of the test data. 
</p>
<p>
Some smarter developers see a way around this problem and
decide to create their own test data using some clever algorithms that churn
out random data sets for customer names or credit card details. In fact quite a
few database administrators have become quite adept at writing SQL code to generate
test data, maybe using a vendor's sample database as seed values. The problem
with this approach is that it is very
one dimensional. How can you be certain that you have <u>quality</u> of data as
well as volume? Creating volumes of data is easy; it's creating meaningful data
that actually looks and behaves as your production data would that is tough.
</p>
<p>
Realistic data not only creates a system that looks and
works as it should, it also helps engage the end user customer, as they get
to see the type of data they process daily.
</p>
<p>
Another difficulty with the DIY approach is how you create
meaningful data that stretches across a relational database structure,
preserving referential integrity and ensuring correct data types sit in correct
columns. In fact, when you start to look over the complexities of the problem,
populating a database of more than a few tables with meaningful, realistic
data that actually works starts to look like a very ugly herd of elephants
storming over the horizon.
</p>
<p>
Aside from internally developed applications we also need to
consider the implementation of solutions such as JDE, SAP and Siebel. These are
complicated implementations by anyone's ranking and demand to be taken very
seriously when it comes to testing and deployment. For many, the only way they
can undertake proper testing would be to use production data and hope that it
remains secure inside the development team.
</p>
<p>
Security of the development team also needs consideration. The fashion for offshoring may or may not be
shrinking but the reality is that many corporate applications are developed
using overseas resources based in countries many development managers
commissioning the work have never even visited. How are these people supposed
to test their code? Fine, it could be sent back for testing but what if you
don't have the resources available? For many companies it results in data being
sent overseas and ending up completely out of the control of the original
security team. 
</p>
<p>
This is where data
de-identification comes into play. 
</p>
<p>
This is the process of masking original data by scrambling
the source information so that it becomes useless as a data set, but still
retains the look, feel and consistency of the original data. The type of data
obfuscation that can result may be the random swapping around of first and last
names, the random substitution of certain credit card details or artificial
data aging. This is still extremely useful data for the system testers and
implementers but of no value to those tempted to run off with it as part of a
data theft scheme. 
</p>
<p>
Optim, a product originally from Princeton Softech but now
part of IBM, provides just such a solution to large enterprises struggling with
the difficulties of testing solutions with production data. Using Optim, DBAs
and developers get more than a secure test data generator; they get system tools
that will look into the structure of the development database and ensure that
all referential integrity rules are maintained even though the data is being
obfuscated. This would be horrendous to undertake manually but using a solution
such as Optim this problem is automatically catered for. 
</p>
<p>
As well as maintaining the look of data the Optim solution
ensures that data still passes elementary tests such as year of birth matching
a person's age and that postcode/phone area code and address all reconcile, as
in real life. 
</p>
<p>
Demands on security officers to ensure adequate governance,
regulation and compliance have focussed lots of energy on production systems but
I would suggest that few have considered the issue of development test data. In
fact the Payment Card Industry (PCI) regulations insist that credit card data
be masked in the software testing environment, so if you are subject to
these rules and not implementing data de-identification you are immediately
open to action.
</p>
<p>
With the final IBM acquisition of Princeton Softech now
complete this new business unit has an opportunity to take Optim forward under
the watchful eye of the IBM engagement engine. Opportunities will now
undoubtedly present themselves for the Optim team to work alongside the well
respected Rational business unit and create more demand for this somewhat
overlooked but vital area of IT security.  I'll watch its progress with interest.
</p>

]]></description>
            <author>Nigel Stanley, Bloor Research</author>
            <pubDate>Thu, 07 Feb 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10250/f/fd_side_itd</guid>
        </item>
        <item>
            <title>Getting the balance right: investment in compliance versus business benefit</title>
            <link>http://www.it-director.com/r/c/10249/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/13803/fran_howarth.php?ref=fd_side_itd" title="View profile for Fran Howarth"><img border="0" src="http://www.it-director.com/images/people/small/fran_howarth.gif" width="40" height="50" alt="Fran Howarth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/13803/fran_howarth.php?ref=fd_side_itd" title="View profile for Fran Howarth">Fran Howarth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 6th February 2008<br/>Copyright Quocirca &copy; 2008</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>
In today's world, companies face a minefield of regulations, both governmental and industry-specific and the list seems to be getting longer all the time. Does complying with these regulations just add cost to the business, or do they provide companies with business advantage, such as improved customer service? 
</p>
<p>
It depends on who you ask. The Financial Times estimates that the cost of complying with just Sarbanes-Oxley alone for the average large Fortune 1000 company in the US amounts to a one-off cost of &#36;5.1 million for implementing a qualifying corporate governance policy, plus a further ongoing cost of &#36;3.7 million, on average, for continuing compliance measures over time. Other sources state that annual IT spending by companies that is specifically earmarked for compliance efforts is growing by around 10 percent per year. 
</p>
<p>
For some companies, these costs are just too high and there have been a number of companies that have de-listed from U.S. stock exchanges in order to avoid the cost of complying with the onerous requirements of Sarbanes-Oxley, which has had the knock on effect of fuelling the boom in private equity spending. There are many examples, but just one is that of technology vendor SafeNet, which was de-listed and acquired by private equity firm Vector Capital in April 2007. But that is not the end of the story and de-listing will not reduce the burden of compliance with a range of other regulations, such as data protection legislation. 
</p>
<p>
Because of this&mdash;and because the burden of regulation is likely to increase in the future, with legislation that will potentially be introduced including e-disclosure rules in the EU and a strengthening of privacy rules at a federal level in the U.S.&mdash;companies need to view their regulatory compliance efforts as a strategic investment that covers all parts of the business. This means that compliance must involve input from multiple stakeholders in the organization, including the board of directors, legal resources, operations and IT. Organizations taking just a tactical or piecemeal approach by considering each regulation with which they must comply in isolation will fail to see the bigger picture and are likely to end up spending more in the long run. 
</p>
<p>
Before any technology investments are made, companies need to perform an assessment of which regulations affect their business, as well as taking into account future regulations that are on the horizon, and what the provisions of those regulations are. This will provide insight into overlaps between regulations, such as the requirement included in many regulations for maintaining email records for long periods of time, and where common business processes can be implemented to achieve multiple goals. This assessment will form the basis of a company's strategy and plan for investing in technology&mdash;for example in automated controls for managing information produced within an organization to achieve goals of privacy and operational transparency required by many of the regulations that exist today. Many of the technology solutions available for helping companies to achieve regulatory compliance include templates or model policies relating to the requirements of the most common pieces of legislation and these can be used to aid companies in ensuring that their investments cover multiple rules. 
</p>
<p>
An essential investment that companies must make in their compliance efforts is in tools for automating and improving auditing and reporting capabilities. A common complaint in recent years has been that regulatory compliance involves increased audit fees. For example, British Telecom says that its spend on audit fees increased by almost one-third due to Sarbanes-Oxley alone. Other companies have complained that compliance burdens caused by the increased level of investment required have reduced the level of dividends that they are able to pay their shareholders. <br />
</p>
<p>
<strong>The benefits of achieving compliance</strong><br />
All this said, there are actually many benefits to compliance&mdash;not the least of which is the avoidance of penalties and other costs, such as lawyers' bills. Companies will also be in a better position to prevent their reputation being damaged, which can cause customers to shun their products and partners to cancel deals. Many of the regulations have been developed as a result of corporate scandals such as Enron that have forced companies out of business and the provisions of some of them could lead to more corporate executives languishing in jails in the future. 
</p>
<p>
The benefits that will accrue to companies that achieve regulatory compliance include improved internal processes, with enhanced accuracy of financial reporting reducing the risk of fraud, and a better audit trail of all processes ultimately leading to the goal of lower audit costs. For large companies, the costs of restating earnings owing to poor financial reporting can run into billions&mdash;a spend that can be avoided by putting in place more efficient operations in the first place. And because of controls such as improved security mechanisms, better records retention and data recovery capabilities, companies may even be in the position to command reduced insurance premiums owing to reduced risk exposure to fraud and other problems caused by data leakage. 
</p>
<p>
As well as internal process benefits, companies that can demonstrate that they have the tools and processes in place for achieving regulatory compliance will benefit from being seen as ethical, improving shareholder value and, potentially, competitive advantage if customers and business partners have greater confidence in the business. Companies will also be in a better position to defend themselves against litigation, such as e-disclosure lawsuits, where the costs of manually finding poorly stored documents can run into the millions. <br />
</p>
<p>
The investment required for compliance efforts may be a bitter pill for a company to swallow upfront. But, when a holistic approach is taken to compliance covering all parts of the business, all processes used, and taking all regulations into account in one company-wide exercise, the benefits will eventually outweigh the costs. In the long run, regulatory compliance will even be good for the business, allowing a company to improve its performance, avoid fines and penalties, and achieve the ultimate goal for any company&mdash;that of getting closer to its clients and improving customer service. 
</p>

]]></description>
            <author>Fran Howarth, Quocirca</author>
            <pubDate>Wed, 06 Feb 2008 07:00:00 +0100</pubDate>
            <guid>http://www.it-director.com/r/c/10249/f/fd_side_itd</guid>
        </item>
        <item>
            <title>Security - plugging and avoiding data leakage</title>
            <link>http://www.it-director.com/r/c/10191/f/fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 25th January 2008<br/>Copyright Quocirca &copy; 2008</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>
All organisations depend on safe, reliable and secure storage of their digital records, but the challenge of securing this information is becoming more difficult due to expansive global networks, more users and increased data portability and mobility. This internetworking means that physical and logical perimeters around the organisation no longer apply, so the security of applications, the end points of access and the data itself needs to be taken even more seriously and become more fine grained&mdash;focused directly around the items being secured.
</p>
<p>
In addition, despite the melting away of the perimeter, the security risks for all organisations have always been from internal as well as external sources. These can come from the deliberate or accidental acts of employees, or weaknesses in business processes. External threats vary from those that threaten the resilience of the business&mdash;terrorism, weather disruption or communications breakdown&mdash;where records might still be &lsquo;lost&rsquo;, to those that are malicious or deliberate acts for financial gain, sabotage, notoriety or a prank&mdash;stealing, spying and hacking.
</p>
<p>
Whether as a result of an accident or deliberate act, the end result is that data has leaked outside the organisation, with potentially disastrous consequences.  Some accidental data loss may appear to only necessitate a simple short term cost to repair or recreate, but could have further negative impact on corporate image or increased regulatory scrutiny in the longer term.  Deliberate acts are likely to have far more direct consequences to actual data and the concern that it may have fallen into the wrong hands, but the accidental leaks are more likely to cause indirect consequences, such as damage to a brand.
</p>
<p>
The first objective in mitigating internal or external vulnerabilities is to define which particular resources need to be protected the most, and identify the range of threats they face so that appropriate measures can be put in place. It is important to distinguish between information that is critical or sensitive&mdash;for example customer, patient or accounting records&mdash;and information that is simply a collection of public knowledge. Somewhere in between lies general purpose internal information, such as emails, where content may vary from mundane to secret and care needs to be taken to ensure suitable protection is in place.
</p>
<p>
While the organisation's physical perimeter could at one time be relied upon to provide a level of protection, the use of open networks like the internet, wireless and public cellular networks, mobile devices and tiny high capacity storage devices mean this is no longer the case.  Information can be detected and snooped while travelling over these networks and small smart devices are highly vulnerable to loss or theft.  Organisations now have to focus their security efforts on specific resources&mdash;the applications/databases, end devices used for access, the users and the records themselves.
</p>
<p>
Those with access to managed information need to understand how and why the information is being protected, and their role in ensuring it is kept secure. The onus is then on the organisation to keep security processes as simple as possible to accomplish the level of security required. This means identifying where security needs to be tight and where it can be relaxed, and distinguishing how policy or controls should be applied. If the organisation is providing tools that can offer more security, users need to be fully educated in their effective use, and must appreciate the consequences of incorrect actions. The best way to set this out is as follows:
</p>
<ul>
	<li><strong>Start with a pragmatic and granular security policy based on business needs</strong>. This should follow good common business sense that can be easily justified as a means of protecting the organisation's assets, but still operating to fit within day to day working practices.</li>
	<li><strong>Engage users with consultation, not prescription. </strong>Any policy must be well communicated throughout the organisation and delivered using well understood business procedures. Involving users early