A senior manager once asked me why his organization needed to be prepared for audit of their software development processes. It wasn't a simple question, as his organization had a common perception that any requirement not explicitly traced to the highest levels of the regulatory environment had no basis and therefore no need to comply. If there's no need to comply, there's no need to be prepared for an audit, and no need to do any of those expensive quality assurance activities like design, documentation, and testing. It says a lot when an organization is focused on cost minimization by sacrificing quality assurance, but I've learned not to mention that subject when walking their hallowed halls.
I spent an afternoon building a presentation that traced the requirements from their own corporate policy all the way to Congress. It occurred to me that others out there might benefit from a skeleton review of the top-level requirements.
Congress and the Executive Branch
The top of the food chain, of course, is Congress. Congress tends to act in a patch-the-holes manner, resulting in a set of laws that focus on different industries as well as the federal government:
- The Clinger-Cohen Act applies to federal agencies and requires formal management, acquisition, and planning of technology.
- The Health Insurance Portability and Accountability Act (HIPPA) focuses on establishing standards for health information and records, including record structures, retention, and security.
- The Gramm-Leach-Bliley (GLB)Act focuses on financial institutions and the security and privacy of customer information.
- The Sarbanes-Oxley (SARBOX) Act focuses on curbing corporate fraud and abuse and covers all publicly traded companies and their auditors and attorneys by mandating internal controls on financial reporting systems.
Basically, every time Congress has been faced with a problem, their response has been to tighten the contols applied to information management systems. The intent of congress is absolutely clear: We have to manage our information systems in a professional manner. If it takes another law or twenty, or the engagement of DHHS, DHS, or OMB to add some teeth to the conversation, they're perfectly willing to do so.
Mostly as a result of Clinger-Cohen and the OMB, virtually all federal agencies now have CIOs in place and established requlations to monitor and manage IT investments, including software. These regs impact agency operations and are normally driven by reference into the operations of prime contractors.
Publicly traded organizations
If you're in the financial or medical field, you get a double hit from either GLB or HIPPA in addition to the all-encompassing SARBOX.
Financial, sales, and health organizations are impacted by either GLB or HIPPA. All the rest of us have sales and customer information but we're not specifically required to do anything -- yet. On the other hand, who wants to be the next guy on the front page after releasing a bunch of customer data to the wild?
The policy chain
The basic approach is to build a set of organizational policies covering the following:
- Acknowledging specific regulatory impacts
- Ensuring privacy of information
- Managing records and their retention
- Integrity of processes as well as their associated information
Those four little bullet points are the main reasons CIOs have grey hair. Unfortunately, most mid-range and small businesses don't have CIOs in place to worry about all this. Is your organization exposed? What's your worst-case scenario?