Business Processes and Infrastructure

There are two important aspects to working in a compliant information technology environment:

  • The technology infrastructure, which includes hardware and software
  • The business process, which is how people do their work

The laws or regulations require that certain measures and controls are put in place to ensure confidentiality, integrity, and availability of the infrastructure and the data in it, as described underĀ Regulatory Compliance.

For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that only people who have the need to work with certain Protected Health Information (PHI) should have access to it and any access must be recorded in suitable audit logs. Traditional infrastructure developed over a decade ago uses network access controls to isolate computers and stores data on network shares with access permission controlled by groups. Logs are not always produced with adequate detail because they would impose unacceptable performance costs. As a result, some organizations have been operating in violation of the law by not following business processes that comply with the law. Rather, they are working within the boundaries imposed by the infrastructure which is unable to enforce the law completely.

When new technology becomes available that can implement the requirements of the law more closely, the adoption of that technology can then be perceived by these organizations as hard or onerous. The truth is that the old ways are not compliant and the organizations may need to revisit and update their business processes so that they comply with the law and can be supported by the new technology infrastructure.

ResVault is an example: through end-to-end encryption ResVault offers full confidentiality and a complete audit trail of all access and sharing activities. Files can be shared with individuals and groups. Controls can be put in place to require approval by a supervisor or honest broker who verifies that the data can be shared with anyone specified in the IRB.

ResVault training will address not only how to use the software, but also how to analyze business processes and workflows and modify them if necessary.