This article can also be found in the Premium Editorial Download "Storage magazine: Email storage lessons learned from Citigroup."
Regulatory compliance storage to soar
The total storage required worldwide to accommodate records retained for regulatory compliance will grow from 376PB in 2003 to 1,644PB in 2006, a 64% compound annual growth rate, according to the Enterprise Storage Group, a storage analyst firm based in Milford, MA.
Although thousands of laws requiring the retention and securing of business and public records have been on the books for decades, new regulations such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) are in the forefront these days because of their widespread effect and stringent requirements (see "SOX, HIPAA in a nutshell"). But SOX and HIPAA are just the tip of the regulatory iceberg, as nearly every business, healthcare organization and government institution is faced with complying with more and more federal and state regulations. And there's not much doubt that compliance will impose unprecedented demands on storage infrastructures (see "Regulatory compliance storage to soar").
An effective regulatory compliance program requires these four general efforts:
- Defining what data must be retained
- Determining how long it must be kept
- Ensuring that it can't be altered
- Producing the information in a timely manner while ensuring its authenticity
Regulators are essentially letting businesses determine the most practical and effective retention methods, rather than dictating specific storage formats. Public auditing firms will play a big role in deciphering the rules. Casey points out that the auditors "will be helping to interpret what Sarbanes-Oxley means to you in terms of what kind of records you need to keep, how long you need to keep them and how you protect them from loss or damage."
A company's auditors and legal specialists should work closely with its storage managers to certify that the process ultimately devised to satisfy compliance is verifiable and well documented. Jose Carrera, enterprise risk management practice leader for Singer Lewak Greenbaum & Goldstein LLP, an SEC-registered CPA firm in Los Angeles, says his firm reviews its clients' information technology controls, and he stresses the importance of storage managers having a formalized approach to developing internal controls for compliance. "There has to be an electronic depository because you need a snapshot of what happens," says Carrera, adding that procedures should be "monitored and updated for future reviews of those internal controls."
For storage managers, the keys to a successful compliance program include:
- Working closely with business units to understand the specific types of information that must be retained
- Determining if specialized tools will be needed to extract the data
- Ascertaining the appropriate storage media for retention data
- Ensuring that retained information can be easily and quickly retrieved in the future
This was first published in July 2004