Is ‘Good Enough’ Technology Good Enough for Compliance?
Difficult economic conditions lead to fiscal belt-tightening; however, the ever-increasing demand for data continues, accelerating the requirement for hardware to manage the data. Big data and its appetite for hardware become prominent line items, which appear like ripe, low-hanging fruit to many cost-cutters. Buying low-priced, ‘good enough’ or mediocre equipment starts to emerge as an opportunity to reduce a burgeoning budgetary item. The price of the hardware, however, is only one part of the total cost equation.
Low-cost gear costs less not just because of limited functionality; it costs less because a number of engineering shortcuts are taken during manufacturing. For example, using lower-tolerance components that have higher failure rates or removing redundant components are common ways to reduce production cost. These shortcuts, however, negatively impact overall reliability and increase the failure rate.
Lower reliability means a greater number of outages; outages that require restores, rebuilds, restarts, and reboots. The extra expense of these recovery actions as well as the lost productivity of diverting attention from more important productive activities can quickly exceed the one-time savings gained from buying cheap equipment.
Mediocre equipment can cause much greater danger to the organization than just increasing operating expense. Mediocre devices have a greater vulnerability to reliability problems and, therefore, they expose the organization to a higher level of data integrity risk and, more seriously, expose the organization to the risk of data loss.
Data is not an off-the-shelf commodity; you can’t buy replacement data if it is lost. Without a duplicate copy of critical data, the loss is irreversible and permanent. In addition, transactional data has increased in both value and volume, and its reconstruction is much more difficult, if not impossible, without a duplicate copy. Transactions must be duplicated because there is no longer a hard-copy source for the transaction; most transactions come directly over the network.
Data is one of three irreplaceable corporate resources; time and life are the other two. ‘Oh, come on, really; compare loss of data to loss of life?’ Research has shown that over 50% of companies that lose critical business systems for more than 10 days never recover, 43% of companies experiencing a disaster never reopen, and 29% of the remaining close within two years. Going out of business, that’s death of a corporation.
Technology is tightly woven into the operating fabric of today’s organizations, and in many ways technology has become the business. Using mediocre, ‘good enough’ equipment creates an untrustworthy business environment for critical corporate information by placing vital data at risk. Good enough equipment not only increases operational risks but also creates a material internal control weakness by contributing to data integrity problems and increasing the risk of data loss. The risk of data loss compromises compliance with a growing number of governmental regulations.
The heart of this growing government regulation of business is internal controls and operational risk. Not since the Nixon-era’s Foreign Corrupt Practices Act (FCPA) has so much attention been given to corporate governance. These new regulations have a big bite and very sharp teeth. The Sarbanes-Oxley Act holds senior executives personally liable and can result in penalties of up to $1 million in fines, up to 10 years in prison, or both. To say the least, this has gripped the attention of all corporate senior officers.
Sarbanes-Oxley Section 302 addresses material weakness in internal controls. A material weakness is a condition in which there is a high probability that material financial errors, irregularities, or risk events could occur and not be detected by employees or existing control processes. Implementing acceptable internal controls is the key to satisfying the requirements of Sarbanes-Oxley. Although most IT organizations set policies and practices to limit vulnerabilities and reduce security incidents, this best-effort scenario is no longer enough for the federal government. An untrustworthy operation leads to serious noncompliance implications in today’s corporate governance environment. Is a nominal, one-time savings from purchasing mediocre equipment worth the risk of prison?
Sarbanes-Oxley controls are not unlike those found in the Gramm-Leach-Bliley Act (GLBA) of 1999 and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that were enacted to safeguard data against unauthorized and improper use. However, in this case the SEC is squarely focused on corporate accountability. Negligence, ignorance, or a ‘good enough’ effort is no longer acceptable under this new law. Blind trust in an IT system will not be an acceptable defense. The law formally establishes corporate responsibility to create and maintain controls to identify and manage risks that result in inaccurate data.
Technology is tightly woven into the operating fabric of today’s organizations, and in many ways technology has become the business. Internal controls are largely in the realm of IT, and compliance is no longer an option for the modern organization. Sound internal controls include policies and procedures to maintain accurate records, properly record and report transactions, and safeguard assets against unauthorized or improper use. Since mediocre equipment puts data in jeopardy, ‘good enough’, mediocre equipment is not really ‘good enough’ for compliance.
If mediocre equipment weakens an organization’s internal controls, then the reverse is also valid: an increase in quality strengthens them. Quality has value with respect to compliance. Quality solutions improve operational effectiveness by reducing operational risk and strengthening internal controls. Quality solutions with superior, high-quality design standards, including redundancy of critical components, will increase the protection of data assets by sharply reducing the likelihood of data loss. Quality is technology’s ‘Keep Out of Jail’ card.