This article can also be found in the Premium Editorial Download "Storage magazine: Using file virtualization to improve network-attached storage."
Compliance requirements and litigation-readiness strategies, along with operational business needs, should be reflected in up-to-date policies and procedures for records retention and destruction. A corporate records-retention schedule (RRS) is an essential tool for defining what records--on paper or in electronic form--you need to keep and for how long. A properly maintained RRS can establish requirements for electronic records storage and management. It can also identify the records that shouldn't be kept, as well as those eligible for deletion to reduce storage and management costs. It's important to set up processes for obtaining agreement from data owners and legal staff to determine which expired records can be deleted.
Storage technologies for compliance
How do you figure out what technology solutions are needed to meet compliance requirements and other business needs around records management? Many compliance requirements can and should be addressed at the application layer, not the storage layer. These include email archiving, file-system archiving, content and records management, litigation support tools and case management platforms. The overall compliance program should address all of these components. But storage management tools can also address specific compliance requirements, particularly for unstructured data, the files stored on network file servers (see "Records retention," this page).
Document-authoring applications provide functionality for creating and editing memos, spreadsheets and presentations. They provide very little built-in functionality for version control, document retention and lifecycle management. Content management systems can manage some of these file types, but are typically cost-effective only for documents within structured business processes with defined workflows and extensive user education. Most organizations find that unstructured document files represent a large and rapidly growing area of cost and risk. Content-addressed storage (CAS) systems and data classification tools can help reduce costs and risks.
CAS systems: These systems help with unstructured data files by eliminating duplicate copies and providing a single-instance store of unique files. They can manage retention periods in accordance with defined policies, and their search tools find files that have been placed in the repository by a variety of applications. They can also ensure that expired files within the CAS repository are deleted, using techniques such as "digital shredding" of encrypted files by erasing the encryption keys. Does this mean that unless all of your unstructured data is kept on CAS systems you'll fail your compliance audits and be slapped with fines or hauled off to jail? Of course not. CAS is one tool among many. When appropriate, it may be used alone or combined with application-layer capabilities such as archiving or content management software. But you should take care to classify your data before sending it to a CAS system. Once the files are classified, you can eliminate those that don't need to be retained and set appropriate retention periods for those to be kept.
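To make the CAS mechanics above concrete, here is a small sketch added for illustration; it is not code from the article or from any CAS product. The `CasStore` class, its method names and the use of integer day numbers are assumptions, and the keystream function is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib
import secrets

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode) so the example needs only the
    # standard library; a real store would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class CasStore:
    """Hypothetical single-instance store: address = SHA-256 of the content."""

    def __init__(self):
        self.blobs = {}         # address -> ciphertext (may also sit on backups)
        self.keys = {}          # address -> per-object key, kept separately
        self.retain_until = {}  # address -> day number when retention expires

    def put(self, content: bytes, today: int, retain_days: int) -> str:
        addr = hashlib.sha256(content).hexdigest()
        if addr not in self.keys:  # new, or re-stored after its key was erased
            self.keys[addr] = secrets.token_bytes(32)
            self.blobs[addr] = _keystream_xor(self.keys[addr], content)
        # A duplicate under a longer policy extends retention, never shortens it.
        expiry = today + retain_days
        self.retain_until[addr] = max(self.retain_until.get(addr, 0), expiry)
        return addr

    def get(self, addr: str) -> bytes:
        if addr not in self.keys:
            raise KeyError("key erased: object has been shredded")
        content = _keystream_xor(self.keys[addr], self.blobs[addr])
        if hashlib.sha256(content).hexdigest() != addr:  # integrity check
            raise ValueError("content does not match its address")
        return content

    def shred_expired(self, today: int) -> list:
        """Erase keys of expired objects; ciphertext copies become unreadable."""
        expired = [a for a, day in self.retain_until.items()
                   if day <= today and a in self.keys]
        for addr in expired:
            del self.keys[addr]
        return expired
```

Because two applications storing the same file produce the same address, the longest applicable retention period wins, which is why classification has to happen before files go in.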
Data classification tools: These tools identify files that represent compliance and legal risks in terms of privacy laws (personal data contained in files). With proper data classification, you may also be able to greatly reduce the number of files to be retained and managed--or searched, reviewed and produced under legal discovery orders. Some data classification tools can classify already-stored files based on content. Other tools classify files or messages before they're moved to a specific repository such as an email archive. And some tools perform both functions for specific data types or sources.
Other storage technologies: Encryption software may be appropriate for some classes of data, or for data stored on removable media or portable systems. Many companies are considering encrypting backup tapes before transporting them offsite to avoid costly and damaging breaches of privacy laws. Other organizations are eliminating physical transportation of backup tapes and adopting disk-to-disk backup over secure networks as an alternative approach to data protection and recovery.
There's no single technology solution that meets all compliance requirements. The first step is to define your unique requirements, including compliance and litigation-readiness needs, as well as business productivity and service-level objectives. To determine compliance requirements, look beyond the vendor hype and work with your legal, compliance and records management teams to define the necessary processes.
This was first published in March 2007