The Sarbanes-Oxley Act is getting quite a bit of press these days. White papers from information technology (IT) vendors argue that document management, portals and even extract, transform and load (ETL) tools are integral parts of complying with the financial disclosure act. Certainly these and other applications can help with compliance, but they are not enough. Meeting regulations of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), FDA regulation 21 CFR Part II, Gramm-Leach-Bliley or other regulations that dictate controls on enterprise information requires comprehensive processes for tracking and managing change.

Getting a handle on compliance is an enterprise-scale challenge. Regulations can describe a logical object such as "protected health information" that spans multiple data sources and is subject to a range of processes. How can you manage such amorphous entities? The first step is to understand the problem from an organizational perspective.

As compliance expert Donna J. Edwards of Tenax Corporation noted, "There is often lack of understanding between IT, legal and/or compliance and upper management of the pertinent compliance issues and the corresponding technical resolutions." Clearly, we need a way to describe both the business and technical aspects in a single model.

The emerging practice of enterprise change management (ECM) offers a framework for processes that supports compliance from both business and technical perspectives. ECM models consist of: assets, dependencies, workflows, policies and roles.

Assets are objects subject to management rules. Examples include servers, network infrastructure, custom applications, customer information, patient records and audit records. As varied as they are, assets have several common characteristics. First, we can isolate and identify specific assets such as "PortalServer1" and Jane Smith's customer profile in a customer relationship management (CRM) system. Second, assets change over time. Applications are upgraded, documents are revised and data is changed. Finally, assets depend on other assets.

To effectively control and audit assets, especially information assets, we need to understand the role of other assets in their life cycle. If a regulation requires access controls on information (an asset), then we depend on security within a host application (another asset). When confidential information is moved beyond a firewall, we might depend on virtual private networks to encrypt and protect the confidentiality of the data. Protecting assets across an integrated enterprise requires clear understanding of all systems that manipulate an asset and the role those systems play in maintaining the integrity of assets.

Assets, especially information assets, are dynamic, and meeting regulations often requires demonstrating control over the changes in an asset. For example, to demonstrate compliance with a regulation, we might need to show how any change to a record is tracked for auditing. This would require identifying all applications that can change a record, including the source system that maintains the original data, data cleansing tools that correct errors and application integration tools that copy and reformat data for other applications. ECM models include workflows that describe a starting point for a process (e.g., create a customer record), transition rules for moving to another point, (e.g., changing the credit limit of a customer) and end points (e.g., archiving records of a closed account). Workflows describe how compliance regulations are met. Policies dictate what is to be done within those workflows.

Policies play a central role in enterprise change management and can have similar prominence in regulation compliance. Policies are rules that govern how assets are changed, who can change them and what workflows are relevant to particular assets. Policies are the operational guidelines that describe how to meet compliance requirements. Typically, policies make specific reference to asset types, operations on those assets and roles of those who perform those operations.

Roles, the final component of ECM models, are assigned to groups or individuals who perform particular actions or workflows. Policies and workflows use roles to specify who is allowed to perform specific processes.

Compliance has always been an issue in many industries. Today, the breadth of regulations requires organizations to have much tighter control on their processes, including enterprise content management. In some cases, compliance is not enough; you have to be able to prove you are in compliance. Using a methodical strategy based on the principles of ECM is one approach to the problem. With an emphasis on modeling assets, dependencies, workflows, policies and roles, ECM provides a foundation from which you can build a compliance infrastructure.

For more on ECM, please see my e-book, The Definitive Guide to Enterprise Change Management, at, especially Chapter 2: "Examining the Nature of Enterprise Change."

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access