This article can also be found in the Premium Editorial Download "Storage magazine: Tools for successful data migrations."
There's more to regulatory compliance than data retention; other exposures can present significant problems.
It's safe to say that compliance is having a major impact on the IT infrastructure. Data protection is now viewed with greater scrutiny. Senior managers are showing a newfound interest in once-mundane topics like backup, as well as demanding more information. CIOs now want to know: "Does allowing end users to restore their own files violate Sarbanes-Oxley (SOX)?" and "How does our incremental backup rotation policy impact our ability to recover?"
Storage managers are responding in a variety of ways. Some are educating themselves about the regulations that affect their organizations. Many are looking at the data-retention requirements of SOX, HIPAA, SEC Rule 17a-4 and so on, and are modifying backup policies accordingly. Others are considering technology solutions to assist in compliance efforts.
Despite these efforts, there is still a risk of failing a compliance audit because not every required element has been addressed. Compliance goes beyond data retention. For storage, compliance falls into two focus areas: data management and governance. Retention policy is an important element of data management, but there are other factors to consider, including security and retrievability. Governance, meanwhile, represents a significant challenge that often doesn't receive the attention it deserves.
Data management for compliance
The data management aspect of compliance includes several elements. To be compliant, an organization should have policies for each element. Briefly, they're as follows:
Retention. Retention has been the primary focus of storage compliance, and represents how long a set of data must be preserved by the organization.
Retrievability. Retrievability defines how quickly a set of retained data needs to be accessed. Much retained information is rarely accessed but, when it's needed, a quick turnaround may be required to be in compliance.
Security. Compliance regulation is fundamentally about managing data risk, and security is one of the primary risks to be addressed. Until recently, security received scant attention within most storage environments. Policies regarding data access are central to regulations such as HIPAA, the Gramm-Leach-Bliley (GLB) Act and California SB 1386, as well as implicit in SOX and other financial regulations.
Integrity. Integrity is the assurance that retained data hasn't been altered or corrupted. It generally requires retained information to be kept on read-only or write-once media, with policies and procedures to detect corruption and to recover from it. The long retention periods mandated by legislation such as HIPAA make maintaining integrity over many years a significant challenge.
Renderability. While integrity ensures that data hasn't changed, renderability relates to the ability to read the data. A 20-year-old file or database presents renderability challenges because it may be stored on media that can't be read by current devices or the software used to create it is no longer available. There should be data-conversion processes in place that transform and migrate data over time to enable continued renderability while ensuring data integrity.
Data copy/Relocation. To support retention, integrity and renderability, data is copied/moved on a scheduled and ad hoc basis. Policies and processes that demonstrate and document that data copy activities such as backup and archiving have been completed successfully are critical.
Restorability. Applications and data must be restorable within specific recovery time objectives (RTOs) and recovery point objectives (RPOs) to protect against unacceptable data loss. A prudent IT department will be able to demonstrate a testing process that proves recoverability at the file, server, application, application group and data center levels.
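The integrity and data copy elements above both come down to one practical check: recording a fingerprint of the retained data when it is written or copied, and re-verifying it later. The following is an added example, not code from the original article or any vendor's product, showing a minimal SHA-256 manifest that is built at copy time and checked afterwards; it reports files that were altered (even with no size change), files that have gone missing and files that appeared without authorization. The sample "ledger" files and the corruption it simulates are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large archives don't load into memory


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record SHA-256 and size of every file under root, keyed by relative POSIX path.

    Sorted traversal keeps the manifest deterministic for a given tree.
    """
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return entries


def manifest_digest(entries: dict) -> str:
    """Digest over the canonical JSON form of the manifest.

    Store this value separately from the archive (or sign it) so that an attacker
    who can rewrite the data cannot simply rewrite the manifest to match.
    """
    canon = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def verify_manifest(root: Path, entries: dict) -> dict:
    """Compare the retained tree against a previously recorded manifest."""
    current = build_manifest(root)
    altered = sorted(k for k in entries
                     if k in current and current[k]["sha256"] != entries[k]["sha256"])
    missing = sorted(k for k in entries if k not in current)
    unexpected = sorted(k for k in current if k not in entries)
    return {
        "ok": not (altered or missing or unexpected),
        "altered": altered,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: archive three files, then simulate silent corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger").mkdir()
        (root / "ledger" / "2004-q4.csv").write_text("acct,amount\n1001,250.00\n")
        (root / "ledger" / "2005-q1.csv").write_text("acct,amount\n1001,310.00\n")
        (root / "README.txt").write_text("retained per policy\n")

        # At copy/archive time: record the manifest and its digest.
        entries = build_manifest(root)
        digest = manifest_digest(entries)
        clean = verify_manifest(root, entries)

        # Later: a one-character change (same file size, so size checks alone miss it),
        # a deleted file, and a file nobody authorized.
        (root / "ledger" / "2004-q4.csv").write_text("acct,amount\n1001,251.00\n")
        (root / "README.txt").unlink()
        (root / "ledger" / "notes.txt").write_text("added later\n")
        tampered = verify_manifest(root, entries)

        return {"digest": digest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("manifest digest:", result["digest"])
    print("at copy time:", result["clean"])
    print("after corruption:", result["tampered"])
```

Hashes detect modification; they do not prevent it, which is why the text pairs the check with read-only media. The manifest digest only adds value if it is kept somewhere the archive's writers cannot reach, such as a separate system or a signed record, since otherwise a tampered manifest verifies a tampered archive.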
Each of these data management elements is important from an overall data protection perspective. But some may be more critical than others depending on specific regulations. SOX focuses on availability, integrity and protection of financial data. HIPAA stresses long-term data retention and security. GLB addresses privacy and security, and isn't concerned with retention beyond consumer privacy implications. The specific regulations affecting a company will be the key to formulating a data management policy and selecting technology.
This was first published in September 2005