Business Processes and Infrastructure

There are two important aspects to working in a compliant information technology environment:

  • The technology infrastructure, which includes hardware and software, and
  • The business process, which is how people do their work.

The laws or regulations require that certain measures and controls are put in place to ensure confidentiality, integrity, and availability of the infrastructure and the data in it, as described under Regulatory Compliance.

HIPAA, as an example, requires that only people who need to work with certain protected health information have access to it, and that any access be recorded in suitable audit logs. Traditional infrastructure developed over a decade ago uses network access controls to isolate computers and stores data on network shares, with access permissions controlled by groups. Logs are not always produced with adequate detail because they would impose unacceptable performance costs. As a result, certain organizations have been operating in violation of the letter and, certainly, of the spirit of the law by not following business processes that comply with the law. Rather, they are working within the boundaries imposed by the infrastructure, which is unable to enforce the law completely.

When new technology becomes available that can implement the requirements of the law more closely, these organizations can perceive its adoption as hard or onerous because the “old way of doing things” is not supported. The truth is that the old ways are not compliant, and the organizations may need to revisit and update their business processes so that the processes comply with the law and can be supported efficiently and effectively by the new technology infrastructure.

ResearchVault is an example: through end-to-end encryption, ResearchVault offers full confidentiality and a complete and unforgeable audit trail of all data accesses and sharing activities. Files can be shared with individuals and groups. Controls can be put in place to require approval by a supervisor or honest broker who verifies that the data can be shared with the individuals or groups, as specified in the IRB for the project data.

Therefore, ResearchVault training will address not only how to use the ResearchVault software, but also how to analyze business processes and workflows and modify them if necessary.