A road map for UC compliance

Opinion
Apr 20, 20093 mins

Are you holding back on deploying unified communications because of compliance concerns? If so, you’re in good company. Roughly a third of the organizations we work with say that compliance issues — or concerns about them — limit their ability to deploy UC.

Here’s the thing: Although it’s dangerous to underestimate compliance concerns with UC, it’s equally dangerous to put an entire UC project on ice because of vague or overly generalized fears. After all, networking by its very nature introduces security vulnerabilities, but nobody can afford not to network in this day and age.

The best approach is to be sure you understand exactly which compliance issues affect your organization’s UC strategy — and how. That means examining UC and compliance component by component. The simplest way is by building out a matrix approach, as follows:

First, start with compliance: Requirements typically fall into two buckets: privacy and governance. IT executives we work with cite the top privacy regulations as Payment Card Industry, Data Security Standard, and Health Insurance Portability Accountability Act. For governance, Sarbanes-Oxley and Securities and Exchange Commission are the two most popular. Then there are e-discovery regulations, such as the Federal Rules of Civil Procedure.

Beyond that, there are literally hundreds of compliance requirements when one considers corporate, state, federal, international and vertical market regulation and legislation. Your compliance department should have a comprehensive list for your specific organization, location and situation.

Second, remember that each UC technology — such as presence, conferencing, unified messaging, contact centers and mobility —carries its own compliance implications and concerns. So to assess the impact of compliance on your UC strategy, you need to examine each individually.

Third, create a matrix of compliance requirements on one axis and UC technologies you’re deploying (or might potentially deploy) on the other. Note that it’s critical to list all UC technologies, even if you don’t have immediate plans for them, because it’s good to be proactive. For example, you may decide not to support unified messaging (integrating voice mail with e-mail), since it has direct implications for e-discovery. Nonetheless, your systems may support it by default, and you have to assume that some admin will turn on this feature (“Hey, check this out!”) and you’ll need a prepared response. Moreover, you can’t make a final go/no-go decision on a technology until you know the potential impact of compliance impact.

Fourth, assess each box on the matrix and assign a weight to the potential effect of compliance on the UC component. This is the most challenging and important step, and at Nemertes, we work closely with clients to ensure they get it right, and to ensure that potential compliance challenges are clearly highlighted.

Finally, once the compliance challenges are identified, you need to evaluate each compliance challenge against the corporate risk appetite. This is important in assessing whether a particular technology’s worth deploying — some companies are willing to take greater risk for greater benefits, others are necessarily (or by culture) more conservative. Even for “high-risk” technologies, though, there are controls you can bring to bear — whether technical, operational or management — to mitigate the risk.

The upshot? Don’t let compliance concerns derail your UC deployment.