While commentators pay attention to the mainframe's role in security, data serving, disaster recovery and running the business, relatively little attention has been paid to its role in business compliance. And yet, the mainframe has a central role to play as enterprises seek to comply with government regulations such as Sarbanes-Oxley (SOX) and regulation-like standards such as Basel II (for banking). In these cases, the mainframe can act as a "compliance hub," adding to its usual duties the task of acting as a central repository of the information needed to carry out key compliance activities such as monitoring and reporting.
What are the key business-compliance tasks that a mainframe can enhance? And how can users leverage the mainframe, not only to undergo the pain of compliance, but also to achieve the gain of leveraging the resulting information for corporate benefit?
The last five years have seen a bumper crop of new regulations affecting businesses, as governments seek to avoid scandals (SOX, SEC 17-4), fight terrorism (Patriot Act), and ensure individual privacy (HIPAA). At the same time, new regulatory standards raise the bar for corporate "good practices" in such industries as banking (Basel II). These new requirements are loosely grouped as Business Compliance tasks.
As Table 1 shows, each regulation to be met involves one or more business or IT functions that the enterprise may or may not have implemented up to now. As Table 1 also shows that each such function, once implemented, may also be leveraged for other purposes.
Table 1: Regulations and related business/IT functions
|Business or IT function||Example of regulation involved||Potential additional users|
|Business process management||SOX (evaluate internal business controls||Streamline business processes for better ROI|
|Risk management||Basel II (evaulate operational risk)||Reduce business risks or costs of a given level of risk|
|Compliance monitoring||HIPPA (check if security is up to date)||Capture problems with such systems as access control, budgeting|
|Compliance reporting||SOX (report to government on compliance, or to lawyers during discovery)||Access historical information for analysis|
|Fraud detection||Patriot Act (money laundering)||Detect and analyze customer and business patterns|
|Training||SOX (to allow corporate to take responsibility for financial reports)||Disseminate ethical and other standards throughout the organization|
|Archival||SEC 17a-4 (maintain duplicate record copies separate from original)||Disaster recovery|
|Records management||SEC 17-4 (brokers must retain records 3 years after employment termination)||Access historical information for analysis|
|Privacy management||GLBA (must fulfil obligations to protect against disclosure of personal information)||Test and improve security|
|Audit control||SEC 17a-4 (broker must have audit system available for examination)||Improve finance function's audit system|
Source: Infostructure Associates and IBM Corp., February 2006
At the same time, as Table 1 also shows, business compliance efforts can play a positive role in overall business strategies such as business risk management, business resilience, and information lifecycle management.
System z9's present uses in business compliance
Today, System z9 is used especially to store and process sensitive and/or business-critical data. Thus, as an organization implements business compliance, the data on the mainframe is the target of much of the new functionality. In response, IBM has added such System z9 features as the Encryption Facility for z/OS version 1.1, which protects data stored on external disk/tape for privacy or security purposes. Additional checks and policies for privacy and security include features in z/OS Communications Server (IP security) and z/OS Network Security Configuration, Health Checker (software integrity and patch management), and other features integrated into the platform for processing integrity, authentication, access, and audit/reporting.
System z9 customers can also take advantage of IBM's services and software. In particular, IBM Business Consulting Services offers a risk and compliance framework, general and industry-specific (banking, energy/utilities, financial, and healthcare/life sciences) services, and solutions combining services, software, and the System z9. For example, Tivoli software includes Tivoli Identity Manager for auditing and reporting identity information, and Tivoli Access Manager for auditing and reporting authentication and access control. Vanguard Enforcer provides System z9 intrusion management, enforcing and monitoring standards, policies, rules, and settings defined by an organization's compliance experts. These services often extend beyond the System z9 itself to support business compliance across all major enterprise platforms.
Perhaps the most outstanding IBM business-compliance offering for System z9 users is IBM Federated Records Management, which combines DB2 Records Manager and Information Integrator Content Edition. This tool allows users to manage records throughout their lifecycle without moving them from their existing content stores (e.g., DB2, FileNet, Documentum), with rapid querying and reporting via Information Integrator and the ability to "suspend" records (preserve them from alteration) during litigation or auditing.
Potential system z9 business-compliance uses: Compliance hub
However, just as System z9 is now being positioned as an "information hub," it makes sense for users to consider employing System z9 as a compliance hub. That is, System z9 can act as the central coordinator of the enterprise's effort to meet regulatory requirements and to leverage business-compliance solutions for corporate benefit.
System z9 has several characteristics that make it an especially suitable hub for a business-compliance effort:
- It already boasts a high level of security.
- It has long experience with managing records for audits, for disaster recovery, and for archival.
- Much of the data needed in a business-compliance effort typically already resides on the mainframe.
Also, recent IBM efforts in Web-servicizing mainframe applications, supporting Linux, and providing features such as zIIP for integrating with outside applications mean that System z9 can integrate with the rest of the systems and data stores needed for business compliance far better than ever before.
Relatively little effort is needed to turn System z9 into a business compliance hub. Existing IBM solutions already allow the user to create a central repository to manage the IBM risk and compliance framework; all the user need do implement the solution and place the repository on the System z9.
However, leveraging System z9 as a business-compliance hub for major business strategies, like leveraging any other business-compliance solution for these strategies, requires significant additional work. For example, leveraging its content management capabilities for information lifecycle management (ILM) might require a careful assessment of the age of all of the System z9's (and the enterprise's) data, then addition of virtual tape for performance speedup and re-allocating data among nearline and slower disk and tape, and then meshing the business-compliance hub's archiving with the needs of ILM.
Many enterprises report significant problems implementing business compliance; few report commensurate benefits. And yet, the benefits are there, over the long term, as solutions aimed at business compliance are leveraged for other purposes, and especially for business strategies such as risk management or business-process streamlining.
As the repository of business-critical data, the mainframe should naturally stand at the center of these efforts, and typically does; but it can also be refurbished purposefully to leverage business compliance for business benefit, and this typically has not been done. Yet making the mainframe a business-compliance hub should require relatively little effort. Infostructure Associates suggests that enterprises with existing mainframes that are beginning to move from merely meeting requirements to leveraging their business-compliance efforts, examine the possibility of turning System z9 into a business-compliance hub.
About the author: Wayne Kernochan is president of Infostructure Associates, LLC, a Lexington, Mass.-based analyst firm.