Storage Magazine
Integration
by James Damoulakis
Issue: May 2004

IT auditing basics
While several published auditing frameworks exist, when it comes to Sarbanes-Oxley, the one to become familiar with is the "COSO Internal Control--Integrated Framework." The Committee of Sponsoring Organizations of the Treadway Commission (COSO) (www.coso.org), is a voluntary private organization focused on addressing fraudulent financial reporting. This framework has been endorsed by a number of auditing and accounting organizations.
There are five key components to COSO:
  1. Control environment: the "tone at the top" of the organization, demonstrated by corporate standards and objectives and a good understanding of roles and responsibilities.
  2. Risk assessment: identification and management of both internal and external risks.
  3. Control activities: the defined policies, procedures and practices that are in place to achieve business objectives and address risk.
  4. Information and communication: making sure that information required to perform control activities is appropriate, accurate, current and available.
  5. Monitoring: overseeing and assessing the entire control operation.
These components are broad, and while it is clear that IT has a role in this, a clearer definition of IT responsibilities is needed. Fortunately, the IT Governance Institute has mapped the COSO guidelines into its Control Objectives for Information Technology (CobiT). While CobiT is a comprehensive and far-reaching IT control framework, a subset of the framework maps well into the COSO structure. For details, refer to the document "IT Control Objectives for Sarbanes-Oxley," which is available at the ITGI Web site (www.itgi.org).
Recently I've had several conversations with clients about compliance and its relationship to storage. The tenor of the discussions has been generally the same: The organization is planning an evaluation or audit of its IT infrastructure to determine how well it complies with Sarbanes-Oxley, SEC 17a, HIPAA, FDA 21CFR11, internal corporate auditing standards or some combination of the above. Currently, the hottest topic of regulatory interest is the U.S. Public Company Accounting Reform and Investor Protection Act of 2002, better known as Sarbanes-Oxley (SOX). Enacted in response to such high-profile corporate mishaps as Enron and WorldCom, this law is taking effect in several stages.

IT audits aren't new, but with the continuing flow of news stories concerning investigations and indictments, corporate executives are highly motivated to keep their organizations out of the news. So compliance initiatives are underway in many companies, and their impact ripples throughout the IT organization.

When you get past the particulars of SOX compliance and consider the overall objective of SOX and similar regulations, they can be viewed as essentially evaluation tools for overall operational capabilities. In reality, these new demands require little more than striving for excellence in storage management, and that's what you should focus on.

Data retention only part of it
SOX isn't just about data retention. In fact, its primary concern is the accuracy and verifiability of financial reporting. It strives to ensure that all inputs supporting financial data are above suspicion--in other words, it's about policy, process and good management practices.

Up until now, SOX has almost exclusively been the concern of the finance department. However, a new section of the law--Section 404--is scheduled to be phased in starting in November 2004 (recently delayed from June 2004). It requires a company to file an internal control statement with its annual report that includes "an assessment, as of the end of the most recent fiscal year ... of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

Essentially, the government is demanding not just that data be retained, but that companies must provide evidence that they're managing and protecting this information in a way that ensures compliance. In other words, show us some proof!

While IT is not specifically mentioned in the law, practically speaking, all of the financial systems--as well as other systems that support financials--are managed and controlled by IT. The need to demonstrate proper control and process management of this information impacts IT at both the application and infrastructure levels.

So if you were a CEO or CFO and had to sign this document under threat of fines or imprisonment, you would want to be certain that the statements are accurate. You would most likely demand of your CIO an assessment or audit of your IT organization to verify that the controls and processes are in place to ensure that the information affected by the law is being managed appropriately. If it hasn't happened in your organization, get ready; it probably will.

The basics of storage compliance
At its fundamental level, compliance is essentially about good management practices: establishing a set of policies and procedures and defining related measurement criteria to demonstrate conformance to those policies and procedures. How does this specifically impact storage management?

Let's begin by looking at what makes up an audit. Auditors speak in terms such as "governance" and "control." Governance relates to the overall policies and ethical climate with regard to reporting information. Control is the set of processes and measurements that enforce these policies. (See "IT auditing basics.")