Storage Magazine

Regulations Squeeze Storage
by Rich Castagna
Issue: Jul 2004

Regulatory compliance storage to soar

The total storage required worldwide to accommodate records retained for regulatory compliance will grow from 376PB in 2003 to 1,644PB in 2006--a 64% compound annual growth rate--according to the Enterprise Storage Group, a storage analyst firm based in Milford, MA.
Source: Enterprise Storage Group, May 2003

Regulatory compliance--it's no longer coming, it's here. Recent legislation, much of which arose in response to high-profile corporate scandals, promises to provide greater corporate transparency and accountability. And much of the compliance burden--from storage policies to procedures--will fall into storage managers' laps. While the work of determining what information must be retained will be in the hands of a slew of legal specialists and internal and external auditors, the task of ensuring that the data is properly retained and accessible will fall squarely on the shoulders of storage professionals.

Although thousands of laws requiring the retention and securing of business and public records have been on the books for decades, new regulations such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) are at the forefront these days because of their widespread effect and stringent requirements. (See "SOX, HIPAA in a nutshell.") But SOX and HIPAA are just the tip of the regulatory iceberg, as nearly every business, healthcare organization and government institution is faced with complying with more and more federal and state regulations. And there's not much doubt that compliance will impose unprecedented demands on storage infrastructures. (See "Regulatory compliance storage to soar.")

An effective regulatory compliance program requires these four general efforts:

  • Defining what data must be retained
  • Determining how long it must be kept
  • Ensuring that it can't be altered
  • Producing the information in a timely manner while ensuring its authenticity

While all four of these components will undoubtedly affect storage operations, the storage manager becomes a key player for the last two, and will be expected to come up with the appropriate technology solutions to satisfy a murky confluence of regulations. Complicating matters is the fact that the regulations are often unclear or seemingly ambiguous. "Sarbanes-Oxley is fairly vague," says Mike Casey, vice president of practice development at Contoural, a compliance and storage consulting firm in Los Altos, CA. "You need to provide reasonable assurance that you're keeping the correct records to support your externally reported financial results."

Regulators are essentially letting businesses determine the most practical and effective retention methods, rather than dictating specific storage formats. Public auditing firms will play a big role in deciphering the rules. Casey points out that the auditors "will be helping to interpret what Sarbanes-Oxley means to you in terms of what kind of records you need to keep, how long you need to keep them and how you protect them from loss or damage."

A company's auditors and legal specialists should work closely with its storage managers to certify that the process ultimately devised to satisfy compliance is verifiable and well documented. Jose Carrera, enterprise risk management practice leader for Singer Lewak Greenbaum & Goldstein LLP, an SEC-registered CPA firm in Los Angeles, says his firm reviews its clients' information technology controls and stresses how important it is for storage managers to have a formalized approach to developing internal controls for compliance. "There has to be an electronic depository because you need a snapshot of what happens," says Carrera, adding that procedures should be "monitored and updated for future reviews of those internal controls."

For storage managers, the keys to a successful compliance program include:

  • Working closely with business units to understand the specific types of information that must be retained
  • Determining if specialized tools will be needed to extract the data
  • Ascertaining the appropriate storage media for retention data
  • Ensuring that retained information can be easily and quickly retrieved in the future