When Travelers Guarantee, a Canadian property and casualty insurer, was looking to replace its outdated tape backup system a few years ago, it did so with the aim of improving its disaster recovery capabilities. Little did the firm realize that the move would also improve the company’s state of compliance.
Travelers Guarantee, which has locations in Toronto, Montreal and Vancouver, chose Asigra Inc.’s Televaulting, an agentless, multi-site backup/recovery software that combines utility service provisioning with a disk-based WAN-optimized architecture.
“Recovery was a hassle, and doing any kind of DR (disaster recovery) testing was incredibly painful,” says network administrator Tim Van Dusen. “It would consume days.”
Now, he says, the IT department can do a restore of the server in 20 minutes, where it would have taken 24 hours using tape.
When his company made the move to Asigra, compliance was not yet an issue. And it still isn’t a concern, because many of the strategies the firm used for disaster recovery have helped prepare it for upcoming Canadian compliance regulations.
One in particular is the C-SOX, which requires publicly traded Canadian companies to provide the same financial transparency demanded of U.S. firms under Sarbanes-Oxley (SOX).
“Today you can’t really get away from one without the other,” says Van Dusen. “You can’t build a DR site without having to worry about some kind of privacy or security compliance.”
Using Asigra’s tool, the company runs a local client in each branch, says Van Dusen, which backs up everything to local storage and replicates to a vault in Montreal. “It’s a matter of finding the bandwidth and security to make sure that communication itself is secure,” he explains.
The Asigra tool also enables Travelers Guarantee to perform audits on each of the backups to make sure everything is there, adds Van Dusen.
As well, he says, there’s no chance of tapes or cassettes walking off. “Everything is stored on disk and the disk is stored in a secure room.”
According to a recent survey, only 10 per cent of C-level executives at publicly traded companies across the country believe businesses are prepared to conform to C-SOX. Only 67 per cent of C-level respondents reported having a clearly defined role in supporting compliance processes, while 45 per cent said they thought the legislation unnecessary. Moreover, 54 per cent of C-level executives were unsure how their companies would meet C-SOX requirements and almost a third indicated they are not automating compliance processes with software.
It’s just not fair!
“There seemed to be this reaction that it was unfair somehow,” says Ed Daugavietis, senior analyst, Info-Tech Research Group. “I think it came as a shock to them that they had to jump through these hoops and invest this kind of money in something that didn’t appear to yield direct business benefits.”
Constantine Karbaliotis, Canadian senior compliance business specialist at Symantec Corp., says part of being compliant has to do with getting the right people to sign off on things like background checks.
Automating many manual tasks to reduce the repetitive nature of the job is important, he says, because becoming compliant isn’t a one-off undertaking.
“One of the big problems we see is enterprises viewing this as a project that will be over at some point,” he says. “It’s never over. It’s a process that has to be repeated at every quarter and every year-end from now on, and the sooner they realize that the better.”
Info-Tech’s Daugavietis agrees. “This is a trigger to look at as your company is growing: Do you have the right processes in place and the right set of software tools, are you reporting in a consistent and reliable way?”
Info-Tech data shows companies spend about 70 per cent of their compliance budget on consultants and about 30 per cent on software to automate business processes, he says.
He expects that the balance on compliance spending will change to about 50-50 once companies have gone through the initial audits.
“They realize, ‘We’ve survived the audit, we know we’ve got something, let’s take steps now to make this easier and easier to repeat on an ongoing basis,’ and that will start to yield benefits for them.”
C-SOX compliance Dos and Don’ts
Mary Kirwan, founder of Toronto-based security consulting firm Headfry Inc., offers some advice for companies struggling to get ready for Canada’s compliance legislation.
Do: Keep the spirit of the legislation in mind. “What we saw happen on SOX was everybody was going nuts auditing the IT infrastructure from here to Christmas, but they were losing sight of the focus of the legislation, which was to ensure financial results and filings were accurate,” says Kirwan. “It was not the intent of the regulators to have this level of scrutiny — they were only interested in making sure the data that ended up in applications that impacted financial reporting and results were protected, that there were proper levels of access control to ensure the people who were using and seeing data were the people who should be and that the integrity of the data was protected, but in many cases it became a cash cow for many players who turned it into something it was not supposed to be.”
Take advantage of the experiences of U.S. companies. “There are a million case studies,” she says. “Even the accounting firms have a lot of free material on their Web sites.”
Keep in mind that your IT investment should be proportionate to the size of your organization — and of the risks. “The thing about the new regulation is they’ve made it very clear that it’s not a one-size-fits-all,” she says. “They’re not telling you how to run your business.”
Manage compliance like a project. “(You) need to budget for it and…if you’re starting from ground zero you don’t have unlimited resources, so they have to go where they have the greatest value.”
Don’t: Reinvent the wheel. Companies may already have more than enough in-house resources to do much of what is required; it simply takes coordination of effort between top-level executives and the people who understand the business to focus on identifying the areas of highest risk, she says.
Take a scattershot approach. In the U.S., she says, companies “massively overspent” on external auditors. “The level of scrutiny was to the point where it almost froze the business,” she says. “Companies were spending multi-millions of dollars doing these audits where every line of database entry was scrutinized like it was the Bible. In a way it was analogous to the way some companies treat the privacy debate — if you can’t figure out what you’re supposed to be protecting, you store everything rather than thinking about where the real risk is.”