Ensuring the ‘C’ in GRC: How to Keep Cloud BI in Order
Tue 16 Mar 2021 | Stefan Vucicevic
Why companies need to adopt a systemic, multi-layered approach to cloud compliance
Cloud-hosted business intelligence (BI) applications bring scalability that’s vital for modern businesses. By combining the potency of a cloud architecture with BI systems, stakeholders in each department can easily access important business information at any point in time, from any device. This allows them to make data-driven decisions and ensure long-term sustainability and market profitability.
At the same time, this increasing volume of data is a minefield for non-compliance. Information always needs to be properly captured, stored, preserved, and disclosed when required. This issue is exacerbated further in the case of cloud storage, where business records are located outside the company’s perimeter.
Challenges in the Cloud BI Realm
As a result, companies are investing a great deal of effort to ensure they can keep up with increasingly stringent regulatory requirements. This particularly applies to regulated industries, including government agencies, healthcare, education, and financial institutions among others, which deal with highly sensitive information daily.
To tackle this complex task, companies rely on GRC (governance, risk, compliance) tools to help tie compliance together with day-to-day business operations.
Essentially, GRC tools equip companies with an operational take on compliance: they help customise roles and permissions, ensure periodic risk assessments, and detect fraud attempts, all while bringing to life pragmatic policies and procedures that help every role and function do their part of the job in compliance with regulations, thus ensuring fail-safe compliance across the board.
Manual compliance is a thing of the past. The volume of data and the speed the market dictates require companies to fully automate their compliance procedures. That means establishing comprehensive data strategies and procedures, archiving enterprise records, ensuring the technical functionality that supports these daily compliance activities, and raising awareness of compliance issues as part of securing buy-in from everyone on the team.
Business Records Preservation Regulations
While the regulations that dictate the operation of each industry differ somewhat, we’ve seen convergence in recent years. As GDPR paved the way for regulations that give more leverage to customers, the likes of CCPA and similar laws have followed.
Meanwhile, FERPA, FINRA, SEC rules and SOX are starting to encompass emerging file formats and technologies, so that the vast landscape of online business operations is subject to greater transparency and accountability.
All these laws give a pivotal role to business records, which have evolved rapidly over the past two decades. From plain emails to Facebook status updates and tweets, Instagram stories and WhatsApp calls, and business files in the most traditional sense, companies need to make sure none of these slip through the cracks.
But it doesn’t end with the ‘snapshot’ of business records. In most legal proceedings, companies will be asked to disclose the complete trajectory of business records: from their creation to their preservation, modification, deletion, or removal.
This history of records is essential to prove the authenticity of business records that often serve as vital pieces of evidence in legal disputes. If a company fails to produce unaltered business records or fails to locate and retrieve them at all, their case will be significantly weakened and reduced to hearsay.
Multi-Layered Approach to Cloud Compliance
So what can be done to meet compliance requirements? In short: a systemic approach. This means securing a thorough understanding of requirements from each employee, documenting and enforcing procedures consistently, and introducing tools that allow for an automated record management ‘backbone’ of these efforts.
If employees discuss business via instant messaging tools that aren’t monitored and archived, the company might be missing important bits of information that could prove useful in subsequent audits, while also risking data theft.
This is a comprehensive topic, but it can be summarised briefly:
- Create a data strategy, preferably the one that ensures buy-in from everyone; the more the strategy reflects daily business communication and process, the more it will be followed
- Within the strategy, identify do’s and don’ts for each role and each department; it’s essential that everyone understands how they contribute to overall compliance
- Identify and select business tools and communication channels used across the board; include everyone who works with data, which essentially means 99% of your organisation
- Introduce a central data repository that allows roles with a legitimate need to access the data; this also helps with efficiency and better record management. It might seem like an obvious thing to do, but it isn’t encountered that often in practice
Only once you have laid the groundwork should you start with the technical aspects. Without understanding the bigger picture, it’s likely that vital information will be misinterpreted or disclosed inadequately. Let’s now have a look at the technical capabilities that companies should ensure.
Supporting Compliance Efforts from a Technical Perspective
While it’s impossible to speak of one-size-fits-all compliance features, there are some that help bear the brunt of compliance tasks and allow for more efficient compliance management.
- Make sure that each bit of information comes with an audit trail. This helps identify what each role was up to and how they interacted with the data. Coupled with robust AI-driven analysis, you’re looking at powerful tools that automatically warn of faulty actions across the board in real time, when they are far easier to contain or stop.
- Preserve metadata. Metadata is the backbone of compliance. If you can’t prove the authenticity of your records, a record is worth as much as a screenshot: it is easily tampered with and doesn’t carry as much weight as properly stored data that comes with a metadata trail of every single action performed on it. If an employee runs a query in your cloud BI, you’ll want to know when, what the query was, and what was done with the output.
- Redaction helps with customisable disclosure. If a data retrieval request comes your way, redaction will help you remove all sensitive information that isn’t relevant to the case in question. That way you can ensure compliance without jeopardising third parties.
- Customisable roles and permissions are becoming the norm, and their importance is difficult to overstate. The more fine-grained your roles and permissions, the easier it will be to strike a balance between data accessibility and data security, which helps keep compliance in check without compromising business efficiency.
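The four capabilities above (audit trail, preserved metadata, redaction, and role-based permissions) can be sketched in a small query-access layer. The following is an added illustration written for this article, not code from any GRC product or cloud BI vendor: it assumes a hypothetical BI backend exposed as an `executor(sql)` callable, a constructed role-to-permission matrix, and constructed sample records. Each audit entry carries who, when, which role, the query text and what happened to the output, and entries are chained with SHA-256 so that editing one record after the fact is detectable when the log is verified.

```python
"""Tamper-evident audit trail, role check and redaction for a cloud BI query layer.
Added example for this article; the permission matrix, sample data and the
executor callable are constructed assumptions, not any real product's API."""
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed example of a fine-grained permission matrix: role -> allowed actions.
ROLE_PERMISSIONS = {
    "analyst": {"query", "export"},
    "auditor": {"query", "read_audit"},
    "viewer": {"query"},
}


@dataclass
class AuditEntry:
    seq: int            # position in the log
    timestamp: str      # ISO-8601 UTC time of the action (metadata to preserve)
    user: str
    role: str
    action: str         # "query", "export", "denied", ...
    detail: dict        # query text, row counts, destinations, ...
    prev_hash: str      # hash of the previous entry (chain link)
    entry_hash: str = ""


class AuditTrail:
    """Append-only log in which every entry commits to the previous one's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = asdict(entry)
        body.pop("entry_hash")          # the hash covers everything but itself
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

    def record(self, user, role, action, detail, when=None):
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = AuditEntry(len(self.entries), ts, user, role, action, detail, prev)
        entry.entry_hash = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return True only if no entry was altered, removed or reordered."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or self._digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def _allowed(role, action):
    return action in ROLE_PERMISSIONS.get(role, set())


def run_query(trail, user, role, sql, executor):
    """Enforce the role's permission, run the query, and log what was asked and returned."""
    if not _allowed(role, "query"):
        trail.record(user, role, "denied", {"attempted": "query", "sql": sql})
        raise PermissionError(f"{user} ({role}) may not run queries")
    rows = executor(sql)
    trail.record(user, role, "query", {"sql": sql, "row_count": len(rows)})
    return rows


def export_rows(trail, user, role, rows, destination):
    """Log what was done with query output; exporting needs its own permission."""
    if not _allowed(role, "export"):
        trail.record(user, role, "denied", {"attempted": "export", "destination": destination})
        raise PermissionError(f"{user} ({role}) may not export data")
    trail.record(user, role, "export", {"destination": destination, "row_count": len(rows)})
    return len(rows)


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def redact(record, sensitive_fields=("ssn", "email")):
    """Copy of a record for disclosure: named fields masked, inline e-mails scrubbed."""
    out = {}
    for key, value in record.items():
        if key in sensitive_fields:
            out[key] = "[REDACTED]"
        elif isinstance(value, str):
            out[key] = EMAIL_RE.sub("[REDACTED-EMAIL]", value)
        else:
            out[key] = value
    return out


def fake_executor(sql):
    """Constructed stand-in for the BI backend: returns two sample customer rows."""
    return [
        {"id": 1, "name": "Ada", "email": "ada@example.invalid", "note": "call back"},
        {"id": 2, "name": "Bob", "email": "bob@example.invalid", "note": "cc ops@example.invalid"},
    ]


if __name__ == "__main__":
    trail = AuditTrail()
    rows = run_query(trail, "alice", "analyst", "SELECT * FROM customers", fake_executor)
    export_rows(trail, "alice", "analyst", rows, "s3://constructed-bucket/report.csv")
    print([redact(r) for r in rows])
    print("log intact:", trail.verify())
```

Any later edit to a logged query, row count or timestamp makes `verify()` return False, which is the property that lets the log stand as evidence rather than as a screenshot; a denied attempt is itself recorded, so the audit trail shows not only what each role did but what it tried to do.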