"Elements of storage management" outlines the four component levels (policy, practice, procedure and performance) of governance and control. If applied appropriately to the elements of storage management, these levels can form an effective compliance support structure.
Policies are established by IT management in support of overall corporate requirements. They can be strategic, operational or tactical, and can apply to a broad spectrum of IT functions. These tend to be broad statements that apply across all areas of IT.
From a compliance standpoint, the most critical areas of concern are risk elements such as:
- Security
- Change management
- Availability
- Recoverability
- Monitoring and reporting
At GlassHouse, we often apply the Capability Maturity Model (CMM) as one important measurement tool to help our clients improve their storage
operations.
Procedures are required within each area of a practice framework, such as the storage management life cycle. You must define and document a set of standard operating procedures (SOPs). This is the third level of our compliance framework. The SOPs must address all relevant storage practice areas, including the management of primary storage, backup, disaster recovery and archiving.
Lastly, you must measure your performance in carrying out those procedures. That consists of identifying, configuring and managing storage control points for event notification purposes (failures, capacity thresholds, backups, etc.) that are in line with established SOPs. These control points will be measured by a combination of output from completed tasks, such as reports and logs (artifacts), as well as other defined criteria such as an evaluation against defined benchmarks like the CMM.
In coping with the new laws, your organization will probably fall into one of three categories:
- If you have a high quality environment that is documented, you won't have much to worry about.
- If you are doing most of the right things, you may need to add some documentation or establish the appropriate reporting to demonstrate that you are doing so.
- If you aren't doing these things, you have a lot of work to do. You must begin to implement a plan to establish policies and processes. If you don't have the time to do this, make time or find some help.
The drive to SOX compliance will have significant impact in the next few years, but keep in mind that IT has been through things like this before. Consider, for example, the Y2K ordeal. However, compliance has one significant difference--Y2K was a one time effort, compliance is forever.
