% fortune -ae paul murphy

Compliance and IT

Some common wisdom:

In all three cases the common wisdom is dead wrong - these are all IT failures. More subtly, these all resulted from failures by top management to tell their IT people to do the right things to avoid these problems - and arguably, therefore, these are the fault of the IT people who didn't successfully sell top management on the need to authorize and fund appropriate pre-emptive measures.

The first one's easy: every document, every record from the phone switch to board minutes, should go on a write-once device and be duplicated once, with both copies stored separately on removable media tracked using standard chain-of-evidence methods. For Intel the costs wouldn't have amounted to a million a year - and for the average company with three or four sites and a few thousand employees it's typically in the hundred-thousand-a-year range.

The second one depends on what's installed at the packing plants. Fundamentally it's not hard to track most cuts from the animal to the retailer, but things get rather more difficult on standardized, higher-volume, composite products like hamburger and sausages, where the right answer involves breaking production into batches separated by environmental and machine testing. That's practical with modern automated gear but impractical with older stuff - so if you've got older gear and manual processes, remediation starts with plant-floor change, but all of it gets driven by IT's ability to limit the costs of compliance.

The third one is the most directly IT related - and correspondingly easy to deal with: a matter of getting top level management to accept and enforce sensible policies on data access.

Notice that all three examples (and as many more as you may want to come up with) require top management to either take, or agree to and enforce, IT action. To get them to do it, focus on the cost of litigation and related insurance, and go from there to whatever intangible costs - like loss of market credibility for them as well as the company - apply in your business.

Now as far as I know - which isn't very far, given that I'm distant from these kinds of discussions - no major insurer currently focuses on positive IT action in terms of risk reduction and loss prevention, but all of the majors have people who provide risk reviews and offer to help customers understand and mitigate risk. So talk to your own senior managers first, then get your insurer involved - because the bottom line is simple: it can't hurt to do your homework, and you could end up with some additional budget and a lot more credibility in the executive suite.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues. The