Feature

Vital steps for creating an effective compliance strategy

This article can also be found in the Premium Editorial Download "Storage magazine: Tools for successful data migrations."

There's more to regulatory compliance than data retention--other exposures could present significant problems.

It's safe to say that compliance is having a major impact on the IT infrastructure. Data protection is now viewed with greater scrutiny. Senior managers are showing a newfound interest in once-mundane topics like backup, as well as demanding more information. CIOs now want to know: "Does allowing end users to restore their own files violate Sarbanes-Oxley (SOX)?" and "How does our incremental backup rotation policy impact our ability to recover?"

Storage managers are responding in a variety of ways. Some are educating themselves about the regulations that affect their organizations. Many are looking at the data-retention requirements of SOX, HIPAA, SEC 17a and so on, and are modifying backup policies accordingly. Others are considering technology solutions to assist in compliance efforts.

Despite these efforts, the risk of not adequately addressing all the elements required to successfully withstand a compliance audit remains. That's because compliance goes beyond just data retention. For storage, compliance can be grouped into two focus areas: data management and governance. Retention policy is an important element of data management, but there are other factors to consider, including security and retrievability. On the other hand, good governance represents a significant challenge that often doesn't receive the attention it deserves.


Compliance foundation--the prudent man
A company must demonstrate a good faith effort to meet regulatory requirements. This may sound obvious, but compliance legislation rarely spells out exactly what needs to be done. A great deal is left open to interpretation. For example, a regulation may require e-mail to be retained for seven years. But which e-mail messages need to be retained--every message, including spam? And the question of how it must be maintained isn't addressed in most legislation. While SEC Rule 17a-4 for the financial industry says data must be stored offsite on non-rewritable media that's indexed and easily retrievable, most regulations are much less specific. The implicit expectation is that the company is acting prudently and in good faith, subjective terms that are open to legal interpretation. So it's essential that compliance policies be driven by corporate legal counsel or compliance officers. IT should take direction from them to determine the appropriate data management policies that demonstrate that the company is acting prudently. The policies must then be formally documented.

Data management for compliance
The data management aspect of compliance includes several elements. To be compliant, an organization should have policies for each element. Briefly, they're as follows:

Retention. Retention has been the primary focus of storage compliance, and represents how long a set of data must be preserved by the organization.

Retrievability. Retrievability defines how quickly a set of retained data needs to be accessed. Much retained information is rarely accessed but, when it's needed, a quick turnaround may be required to be in compliance.

Security. Compliance regulation is fundamentally about managing data risk, and security is one of the primary risks to be addressed. Until recently, security received scant attention within most storage environments. Policies regarding data access are central to regulations such as HIPAA, the Gramm-Leach-Bliley (GLB) Act and California SB 1386, as well as implicit in SOX and other financial regulations.

Integrity. Integrity is the assurance that retained data hasn't been altered or corrupted. Integrity requires retained information to be maintained on read-only media, with policies and procedures to protect and recover data from corruption. Long-term implications of legislation such as HIPAA have significant consequences on ensuring integrity.

Renderability. While integrity ensures that data hasn't changed, renderability relates to the ability to read the data. A 20-year-old file or database presents renderability challenges because it may be stored on media that can't be read by current devices or the software used to create it is no longer available. There should be data-conversion processes in place that transform and migrate data over time to enable continued renderability while ensuring data integrity.

Data copy/Relocation. To support retention, integrity and renderability, data is copied/moved on a scheduled and ad hoc basis. Policies and processes that demonstrate and document that data copy activities such as backup and archiving have been completed successfully are critical.

Restorability. Applications and data must be restorable within specific recovery time objectives (RTOs) and recovery point objectives (RPOs) to protect against unacceptable data loss. A prudent IT department will be able to demonstrate a testing process that proves recoverability at the file, server, application, application group and data center levels.

Each of these data management elements is important from an overall data protection perspective. But some may be more critical than others depending on specific regulations. SOX focuses on availability, integrity and protection of financial data. HIPAA stresses long-term data retention and security. GLB addresses privacy and security, and isn't concerned with retention beyond consumer privacy implications. The specific regulations affecting a company will be the key to formulating a data management policy and selecting technology.

This was first published in September 2005
