What it means to be ‘Compliant’ in the I.T. environment

More specifically, the question is ‘What does it mean for a technology company to be compliant in the competitive technology landscape?’

In July 2002 the United States Congress passed the Sarbanes-Oxley Act, which requires the more than 8,000 corporations publicly traded on U.S. financial markets to certify their financial results (Section 302) and the effectiveness of their internal controls over financial reporting (Section 404). The legislation has dramatically increased pressure on management teams to put transparent and reliable processes in place, with the aim of restoring trust and investor confidence.

As an example, in 2003 and early 2004 the Securities and Exchange Commission (SEC) completed investigations into ‘creative’ (that is, unethical) accounting practices at several publicly traded companies. Subsequently, rules were enacted that require companies to change the processes by which they manage and retain their records, including but not limited to e-mail communications and any attachments sent with them.

SEC Rule 17a-4

Requires that broker-dealer records and communications be preserved for at least three years, the first two of them in an easily accessible place. The transaction-related books and records enumerated in Rule 17a-3 must be preserved for at least six years, again with the first two years easily accessible. The rule applies equally to records kept on electronic storage media, including e-mail, which is what makes it an I.T. concern rather than a purely legal one.

National Association of Securities Dealers (NASD) Conduct Rules 3010 and 3110

  • Rule 3010 requires NASD members to designate supervisory responsibility within the firm to ensure compliance with securities regulations, and to maintain a system for supervising the activities of their registered representatives and associated persons. That system must allow transactions and correspondence to be retained and reviewed.
  • Rule 3110 requires members to preserve all books, records and correspondence, including customer order tickets, account information and complaints. Much of this material now exists only as e-mail.

NASD's regulatory functions passed to the Financial Industry Regulatory Authority (FINRA) in 2007; the supervision and books-and-records requirements survive as FINRA Rules 3110 and 4511 respectively.

The Sarbanes-Oxley Act

Specifically related to document retention, the Act (Sections 802 and 1102, codified at 18 U.S.C. §§ 1519, 1520 and 1512(c)) provides that:

  • Auditors must retain audit or review work papers for at least five years from the end of the fiscal period in which the audit was concluded; knowingly and wilfully failing to do so is punishable by a fine and/or up to 10 years in prison (§ 1520). The SEC's implementing rule extends the retention period to seven years.
  • Corruptly altering, destroying, mutilating or concealing a record or document with intent to impair its integrity or availability for use in an official proceeding is punishable by a fine and/or up to 20 years in prison (§ 1512(c)).
  • Knowingly altering, destroying, concealing or falsifying any record or document with intent to impede or obstruct a federal investigation or a bankruptcy case is punishable by a fine and/or up to 20 years in prison (§ 1519). The fine amounts are not fixed in the Act itself; they are set by reference to the general federal fine provisions.

Other examples of compliance that are not exclusive to information technology include the development of what is referred to as a Compliance Framework, more commonly called a Governance, Risk Management and Compliance (GRC) framework.

A Compliance Framework consists of three key components:

Governance, or more to the point governance policies, describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. These activities ensure that the critical management information reaching the executive team is sufficiently complete, accurate and timely to enable sound decision making, and provide the control mechanisms that ensure strategies, directions and instructions from management are carried out systematically and effectively.

Risk Management is the set of processes through which management identifies, analyzes and, where necessary, responds appropriately to risks that might adversely affect the realization of the organization's business objectives. The response to a risk typically depends on its perceived gravity and consists of controlling (mitigating) it, avoiding it, accepting it, or transferring it to a third party. Whereas organizations routinely manage a wide range of risks (technological, commercial/financial, information security and so on), external legal and regulatory compliance risks are arguably the key issue in GRC.

Compliance, as used in the business world, means conforming with stated requirements. At an organizational level it is achieved through management processes that identify the applicable requirements (defined, for example, in laws, regulations, contracts, strategies and policies), assess the current state of compliance, weigh the risks and potential costs of non-compliance against the projected cost of achieving compliance, and hence prioritize, fund and initiate whatever corrective actions are deemed necessary.

Of course no single article could possibly cover the entire realm of I.T. compliance, but CETS will always be committed to the highest possible ethical standards.
