



PATRIOT: Compliance Is Now Everyone’s Concern

Apr 05, 2006 (6 min read)
CSO and CISO | Data and Information Security

By Ross Armstrong, Senior Research Analyst, Info-Tech Research Group

The recent renewal of the USA PATRIOT Act heralds the beginning of a new requirement for pan-American and pan-Atlantic compliance. Enterprises across the globe must prepare for a brave new world where compliance is everyone’s buzzword.

What PATRIOT Means for Compliance

The March 2006 reauthorization of the USA PATRIOT Act made most of its expiring provisions permanent (the business-records provision, Section 215, was extended rather than made permanent), so U.S. companies and organizations must now plan to comply with the law on a permanent basis rather than wait for it to lapse. It also points to the need for a nationwide compliance plan. Legislation such as Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and Basel II each affects particular industries or company types, but the PATRIOT Act's requirements reach IT departments that never before had to worry about compliance at any meaningful level.

Any U.S.-based IT department may at any time be compelled, under an order obtained by the FBI, to produce its business records. Unfortunately, a large percentage of enterprises do not understand what compliance actually means, nor do they know how to build a framework for compliance and risk management. The FBI will not accept a shoebox filled with scraps of paper when it requests or subpoenas business records.

The PATRIOT Act should serve as a catalyst for change within IT departments everywhere. Best practices used for SarbOx must be adopted to comply with the PATRIOT Act, as compliance requirements for both laws are remarkably similar. This type of cross-pollination has global – as well as national – implications.

PATRIOT Act Creates Global Business Risk

There are a number of scenarios where the PATRIOT Act could disrupt processes, possibly causing loss of business to U.S. and international companies. Use scenario planning to determine whether corporate strategies are strong enough to ensure business continuity in the face of PATRIOT Act compliance. Scenario planning is an exercise in speculation, where multiple "worst case" PATRIOT Act situations are imagined and response strategies for dealing with them are mapped out. Three such scenarios follow.



Inability to quickly retrieve data from non-American companies to which tasks are being outsourced.

Assume that an American enterprise outsources its data processing to an offshore company. If the FBI demands to see records, is the American firm able to quickly obtain those records from the outsourcer?

Contract invalidation with countries to which American services are provided.

For example, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) privacy law protects personal information of its citizens. If a Canadian bank outsources its credit card processing to an American firm, does seizure of the Canadian data invalidate the contract with the data processing company?

Compliance of offshore subsidiaries of American companies.

A U.S. firm is targeted by the FBI for search-and-seize, but the data officially belongs to a subsidiary in another country. Is the data still obtainable under that country’s privacy laws?

Global Compliance Is a Certainty

Financial disasters such as Enron and WorldCom, and the fallout from 9/11, rattled the business world, with repercussions that will be felt for years. It’s difficult to think about this impact beyond the borders of one’s own country. But as can be seen from Basel II implementation, globally-applied compliance initiatives are already a reality.

Given the PATRIOT Act's renewal, it becomes clear that companies in countries that wish to do business with the U.S. will have to comply as well. SarbOx audits have so far proven effective in enforcing that law. To this end, SarbOx-style auditing procedures and the CoBIT governance framework should become the baseline for PATRIOT Act compliance initiatives worldwide.

CoBIT is a standardized framework of IT control objectives and security and control best practices. The Securities and Exchange Commission (SEC), which oversees SarbOx compliance, acknowledges that IT frameworks are acceptable as long as they meet the intent of the legislation. While CoBIT adoption is not mandatory for SarbOx compliance, it has become the de facto framework for making IT compliant with SarbOx regulations.

Key Takeaways

Enterprises worldwide are in an excellent position to learn from the SarbOx/CoBIT implementation experience in order to comply with the PATRIOT Act.

  1. Establish a risk management office within the enterprise. Centralize the management of compliance and risk management initiatives across all business units through a dedicated office or officer. This department or individual should oversee the creation, adoption, and enforcement of formalized policies.
  • The risk management office(r) should think not only about current legal requirements but about future developments as well. One way to accomplish this is through a SWOT-type assessment (Strengths, Weaknesses, Opportunities, Threats) similar to disaster recovery planning (i.e. imagine the unthinkable and develop a plan to mitigate the risk).
  • The risk management office(r) should use an enterprise compliance dashboard to monitor, report, and analyze risk.
  • The risk management office(r) should also coordinate compliance efforts with external business partners to ensure everyone is working from the same page.
  2. Adopt the CoBIT framework. Transparency, auditability, security, and strong internal controls will be fundamental to complying with all legislation moving forward. To establish these four tenets, Info-Tech advocates CoBIT as a universal standard for compliance management. CoBIT is based on principles and best practices that apply to organizations of every size and sector.
  • When it comes to compliance, what auditors and investigators want to see is that the enterprise has put reasonable controls in place to protect data.
  • CoBIT's control objectives help assure that the "right" employees are performing the "right" processes with the "right" tools.
  • Beyond compliance, CoBIT also promotes tight alignment between IT processes and business objectives.
  3. Map workflows and key processes. Identifying gaps, overlaps, and redundancies in processes is integral to a holistic approach. The enterprise must always be able to identify who completed what, submitted what, authorized and approved what, and when.
  • Track and streamline processes to help facilitate disclosure and create a more auditable structure.
  • Ensure that data is accounted for and backed up at all points. Create an audit trail for all data, and ensure that data integrity and quality are maintained.
  4. Automate internal controls. Automation is an umbrella term for a technology solution or set of procedures that mechanizes manual controls under a sustainable and repeatable compliance framework. These controls may include documentation, application testing, access monitoring, and enforcement processes. Most of the pure-play automation solutions on the market integrate with the IT infrastructure to provide secure documentation of internal controls for financial reporting across the enterprise.
  5. Deploy Information Lifecycle Management (ILM). Avoid a shotgun approach that stores every bit of data, documentation, and messaging the enterprise generates. Well-planned classification schemas and retention policies should be put into action to help IT determine what must be kept and what must be destroyed. ILM and archiving solutions are the best way to ensure that the appropriate files are quickly retrievable in case of an audit or investigation.

Bottom Line

Corporate governance, data security/privacy, and sound financial reporting will soon become a global mandate for all enterprises. For U.S. companies, this is already the case thanks to the PATRIOT Act’s renewal. Begin plans now for holistic compliance.