Legal Compliance – Where to Begin? – Fishing Our Way to Compliance Management

By Leslie June

It was a hot afternoon in late July. We were approaching our “secret spot” on the West Fork of the Salmon River in the Challis National Forest in Idaho. We had already spent the better part of a week there in early July fishing for Chinook salmon, Dolly Vardens, and Rainbows before moving on to the Big Hole River in Montana, taking respite on serene Swan Lake and soaking in Glacier Park. It had been a rough summer and my fishing gear was beginning to show the signs of wear – strained leaders, wobbly guides, the kind of stuff I knew would be subject to an overall house cleaning when I got home. But for now, we had one more day to relish the Sawtooth Mountains and maybe catch a fish or two. The Game Warden was there to greet us – who had told him about our special place? He wanted to be sure we knew the spawning season was under way, salmon now being off limits – could we please use lightweight gear – 10 lb. test or less? That way, the salmon would be sure to snap our line and we would still get our favorite trout.

Was that Game Warden wrong! Just as the sun was going down on the other side of the river, my salmon-to-be grabbed the line and ran right up the river with hook, line and sinker! I played that fish for a good 30 minutes – reeling him in, letting him go, reeling him in, letting him go. A friend of mine remarked knowingly, “Leslie, that feller is gonna bust your line it being so weathered from the elements and all!” Then, as if cued by his prediction, the line snapped…

But wait! The last guide on the pole had sprung loose on one side and the line got tangled around it – still attached at the end of the pole! By now, my fish was tired from running, so I was able to reach up, grab the line, and simply pull him in by hand! A 34” Chinook Salmon! Prettiest thing I’d ever seen glimmering in the water. We wasted no time cheering him and the occasion, taking photos in our minds (no cameras nearby!) and promptly releasing him.

It was an exhilarating experience in my young life, more so because I had played by the rules, and nevertheless won! Thanks to the trusty Game Warden, I knew what the rules were – for that particular location on that day.

I have had other interesting experiences in other locales. On portions of the Garden River in Ontario that lie in the Garden River Indian Reserve, it is required to have a tribe member escort your party. Invariably when vacationing, I would find that as soon as I arrived, my target species of fish would go out of season. When hunting in Montana as an out-of-stater, we were only allowed to hunt does. You only get long shots there, so checking through the scope for antlers often spelled enough time for detection and escape.

Keeping track of the rules is not an easy task when you move around and fish different streams in different places over time. Each state has its own rules. National forests are managed by the Bureau of Land Management (BLM) in the Department of Agriculture, which has its rules. National parks are managed by the National Park Service in the Department of the Interior which has – you guessed it – its own rules. The Yellowstone / Grand Teton Park area is subject to the regulations of 3 states, 2 federal departments, and several local jurisdictions, each with their own fish & game regulations.

Similar challenges confront IT Asset Management, particularly for national and global companies. We are confronted with varying state and local taxes, trade zones with special customs requirements, and labor laws that impact:

  • Different trade zones within a single metropolitan area (e.g., parts of India) that require in-person customs payments at receipt of imported hardware and restrict the ability to move that hardware across town for transfers or redeployment
  • The assignment of computer hardware and software to employees and the eventual inability to reclaim them at termination
  • Privacy laws that restrict employers’ access to employee phone records even when the employer is paying the bill in order to manage costs
  • Hazardous waste disposal laws that regulate by metal or device type where, when, and how computer equipment can be disposed
  • Vertical industry regulations such as DoD requirements that a representative must witness a hard drive destruction

Don’t get me wrong, I am a believer in protecting the rights of all good citizens; it’s just that keeping track of things becomes a challenge. How do we keep track of the many different locales and their varied requirements? When do we reference the rules? Which processes are at highest risk, requiring the addition of controls that ensure compliance? Which asset types are impacted?

The answers are often as many as the questions. That’s where a well-planned ITAM program comes in! To successfully manage all of the compliance requirements we need policies, processes, and data, all wrapped with smooth governance. Our focus here is tracking the details so let’s take a look at the data.

During my fishing trip I kept a small notebook with me at streamside. In it, I had a page for each ecosystem of streams that I planned to visit. The size of the ecosystem depended on the rules – it could be a whole state, but more generally it was a set of streams in a particular area. A simple table listing my favorite species with columns for the time periods of the trip when rules were subject to change was the starting point. Additional notes on detailed requirements followed. At the bottom of the page I made a few tactical notes – rod, line, & fly selection and locations. A similar table helps for ITAM and it can be maintained in your IT Asset Management tool of choice!

Managing ITAM Compliance Requirements

The first step is to identify the various jurisdictions or legal entities that we care about. In some cases it may be a whole country or state; however in most cases there are smaller areas within those that have their own set of taxes and regulations. The finance department at your company is generally aware of the tax locales. Your human resources and legal departments may be able to help you identify other jurisdictions that will have an impact on your hardware and software asset management policies and processes.

Once the jurisdictions have been identified and labeled, a simple table can be created in your ITAM tool identifying each locale, describing the tax details, and listing any special regulations. I always recommend including a field for policy notes – guidelines for deployment, management, and reclamation. These policies should be reviewed and approved by your ITAM governance board.

The second step is to associate assets with the governing jurisdictions. This is accomplished by identifying the assigned location of the asset and its governing legal entity or jurisdiction. The smallest geographical location we care about is the office where the asset is at home. This does not necessarily equate to site. I have worked at a company site where the two buildings less than 20 feet apart were actually in two different legal townships, each with different taxes and regulations. The office is a single entry in the locations table and belongs to a legal jurisdiction – the largest geo-political entity in which the office resides with a unique set of tax rates and legislation that impact assets. Each office site that is listed as a separate location in your locations table should be associated to one of your legal jurisdictions. Then, each asset that is assigned to that office location inherits the association to the correct legal entity.

As a note, in the case of remote workers, local regulations will dictate whether it is more strategic to have the user and the asset tied to a physical office site or their home address – and the rules about how often they must physically work at the office to count that.

The third step is to ensure that your ITAM processes are grounded in the policies you have identified that govern the deployment, movement, and reclamation of assets that respect the local guidelines. This does not translate into different request processes for each locale but a single global request process that references the local guidelines at decision or control points. For example, when checking for available “in stock” hardware devices to fulfill a user’s computer request, we need to know where the requested device is going to be housed and compare it to the legal entity assigned to the in stock asset. If the legal entities match or if regulations permit, we can freely redeploy the available asset. If not, we may have to purchase a new device. When an employee is being transferred or simply moved, we need to check whether the transfer from location and transfer to location are associated to different legal entities and the respective policies of each. During asset disposal, we need to be sure of adherence to the local regulations by adding procedural details to the process. For software deployment we may already be doing a great job of managing license compliance; now we add details to check for legal compliance. Thus, we establish control points in each lifecycle process – Install, Move/Add/Change, and Retire / Dispose – to cover the various requirements.

The fourth and final step is to optimize our efforts through strategic planning. We can establish regionalized staging areas in low tax, low regulatory locations to receive devices, stage them for deployment, and prepare end of life devices for disposal. We can further reduce costs by using a single staff and a smaller office footprint for these operations. Location selection depends on the ability to move devices to and from a candidate staging area among the sites where the devices will actually be used. In some cases, you will be able to use a regionalized staging location to handle the needs of many users at many local sites. In other cases, you will be required to manage deployment and reclamation at the end point where the user is housed.

In conclusion, it is important to track and manage the varied legal regulations that govern the IT hardware and software assets under your management. As in the fishing example, keeping an easily accessed table of jurisdictions, or legal entities, and the regulations they impose is vital, but only if you institute controls in your processes that systematically check regulations when making critical decisions regarding the deployment, movement, and disposition of your assets.

Until next time, keep your lines tight!

About the Author

Leslie June is the Business Process Consultant for Linium, LLC.