Governance considerations
Compliance dictates that data must be retained, retrievable, secure and properly handled. But an organization must also be able to act on its policies and provide evidence that it's doing so. This is the realm of governance. Governance relates to the people, processes and metrics within an organization, and the ability to achieve required objectives. Governance questions include:

• Does the organization's leadership demonstrate a clear commitment to ensuring compliance?
• Are all appropriate policies documented and understood by employees?
• How well does the organizational structure support these policies? Are appropriate roles in place and responsibilities understood?
• Are there documented standard operating procedures (SOPs) in place that directly implement and support organizational compliance policies?
• Are controls in place with an auditing and reporting structure to confirm that policies and processes are adhered to?

A comprehensive governance framework touches all aspects of an organization. Here are several items to consider:

Infrastructure mapping. The storage infrastructure should be mapped and current. Clear logical and physical schematics with supporting documentation that demonstrates and supports data management policies relating to availability, security, etc. are a prerequisite for compliance.

Metrics and reporting. Appropriate metrics and reporting related to data management often don't exist or are in a format that's difficult to consolidate and analyze. In most IT infrastructures, each functional area has low-level performance metrics related to devices and other elements. However, most organizations aren't able to correlate and merge the disparate data to produce high-level reporting that demonstrates appropriate management of critical data.

Organizational structure. Well-defined roles and responsibilities are required for good governance. Each individual must understand their role and how particular regulations affect it. This includes interactions within the storage organization, as well as with lines of business and other groups.

SOPS. Documented procedures and processes designed to support corporate policies are essential to achieve compliance. If the policies don't exist, address this deficiency.

There are plenty of resources available to support a compliance effort. The Information Systems Audit and Control Association and its sister organization the IT Governance Institute provide an internationally accepted framework called Control Objectives for Information and related Technology (COBIT). COBIT provides best-practice guidelines for the control of information, and includes high-level performance measurement elements, critical success factors and maturity models that can be used to build an IT governance strategy.

For storage, specifically adapting such a framework requires defining the necessary policies, and then developing the processes and metrics to support them. It also means obtaining the appropriate tools to provide the metrics necessary to demonstrate policy adherence. Above all, compliance requires organizational discipline, commitment to a good governance approach and conscientiously following through with each of these components.

< PREV PAGE   |   1  |   2  |   NEXT PAGE  >