Compliance, compliance and more compliance

Aug 25, 2004 | 3 mins
Data Center, HIPAA, Regulation

* What does ‘compliance’ really mean, anyway?

Recently the word “compliance” has been used, reused and over-used. The problem is that vendors are using the term to describe totally different things, which makes it very confusing and difficult to know what they’re talking about.

First, there are the regulatory compliance issues many companies are dealing with, such as Sarbanes-Oxley, HIPAA and so forth. The use of the word “compliance” in this situation is descriptive because companies are required to comply with governmental regulations, such as HIPAA, which deals with the privacy of patient information. Many companies have been struggling to meet the compliance timetables of some of these regulations.

Then there is the use of “compliance” to describe the compliance of IT infrastructure and user behavior with corporate policies. In IT management, this can touch a wide range of areas and issues. Some of these policies affect areas such as data retention, e-mail archiving, software (application) use, server configurations, desktop configurations, network device configurations, e-mail use, personal firewall use, virus scanning, security, data access and use, PDA applications and usage, and more.

Although each of these areas involves compliance with corporate policies, the areas are so disparate that using the one word for all of them creates a lot of potential for confusion.

Just take a look at the security area alone. There are compliance issues with network and system configurations, virus scanning, securing access to data and applications, firewall use, role-based access and so forth. Security-related “compliance” not only spans all areas of security but also touches every other area of the infrastructure, including systems, networks, databases, storage and applications.

Compliance has also been used to describe software-licensing compliance, as in making sure that you are only using the number of copies of software that your company has licensed from a vendor. This kind of compliance would involve using management tools that deal with software inventories, software metering and software usage.

I’m sure I’ve missed some other uses of the term “compliance” in management. It’s not possible to cover every usage, at least not in the amount of space that Network World allots me.

Nevertheless, it’s clear that we’re certainly already exposed to a lot of different usages of the word. So here are a few tips when looking for tools related to compliance.

First, if you’re looking for something to help you solve a compliance issue that you’re dealing with, be sure to clearly define your requirements and understand exactly what you’re looking for.

Second, have a clear understanding of what each vendor means by compliance, and how their products address it.

Third, be sure you’re comparing apples to apples. Some products may tout “compliance” because a subset of what they do can be used in the process of compliance, while other products are specifically designed to help solve compliance problems.

I wish you good luck in sifting through all the compliance tools and services out there. It’s not an easy task, and it’s not for the faint of heart.