Every day, I receive around a dozen emails detailing some aspect of compliance and data security. Some I immediately delete, some I briefly scan over and others I really dig into. There is no formula behind this. It simply depends on the timing of the email. Looking back at the history of the ARM industry, compliance is certainly one of the newer topics of conversation. The conversation has been steadily growing and the concerns surrounding compliance have exploded in recent years. On most days, it seems one could attend several compliance webinars covering everything from implementation strategies to costs.
Technology changes very rapidly, and in many cases technology introduced today will be outdated in fewer than six months. That statement is not enlightening for any of us, but what we may overlook is how much technology is taking over the everyday aspects of our lives. For example, think about how we communicate, receive our news, and manage finances. With such a dependence on technology and increasing regulation surrounding compliance and data security, what is an agency to do?
Many agencies have taken the approach of staging a fully compliant and secure environment for individual clients, for different lines of business or for employee training purposes. I recently visited a client that prepared this type of environment for their Department of Education accounts, and it has allowed them to control the data and access to sensitive data. Furthermore, the environment can be cloned and the data can be masked or scrambled to create a fully compliant and secure environment for training related to an individual client or business line. This is a sound approach, but there are several considerations before making a move like this.
First, costs should be evaluated. The raw costs to start up another environment, purchase additional licenses from your software provider, and add more support and maintenance are easy to calculate, but do not neglect the costs of working the business. Costs such as staff training, integrating with outside service vendors, and completing security audits need to be added to the raw environment costs and then compared against anticipated revenue from working the business. You may find it difficult to justify.
Second, if costs can be justified, controlling access to the environment and to certain data elements within it must be a top priority. Even if employees have all the necessary training and clearance permissions, they probably do not need access to everything in the environment. Use the user profile features and permission sets in your software to control user access and to ensure users can only access the information necessary for their job.
Finally, ensure your software is up to date with the latest upgrades and releases from your software provider. This includes the operating system and software running on your servers and employee workstations. In most cases, updates and upgrades are simple to retrieve and install. Be careful, though: make sure you have a testing plan in place for upgrades and a rollback procedure in the event the update or upgrade fails or takes longer to install than anticipated. Running the latest software versions will help protect your organization from cyber-attacks and data breaches.
Agencies, as they should, want to benefit from technology investments, but when it comes to compliance, you must recognize that technology alone will not protect you. Even the best and most detailed compliance practices can fail without collective buy-in from the members of the organization.