"We're being audited" is a phrase that strikes fear into the hearts of even the most honest storage managers.
Understand, though, that the purpose of a storage audit really is to help you. A storage audit will show you what storage resources you have and will suggest areas for improvement.
There are three main types of storage audit today:
- A general storage audit looks at your overall storage system from the standpoint of efficiency, security and cost effectiveness.
A general storage audit is aimed at discovering ways you can get more out of your existing storage and how to grow your storage architecture in the most effective manner. It also looks at how well your storage supports your present and future business needs. Typical areas include storage utilization, storage capacity management, storage growth and cost effectiveness.
- A storage security audit focuses on data security. Typically, it looks at the entire storage system, from hardware to architecture to policies and procedures, to identify weaknesses that could be used to penetrate your system. Like a general audit, a storage security audit will usually be somewhat limited in scope. For example, it may or may not include an examination of backup systems and disaster recovery plans.
A storage security audit examines your operation in light of best practices to maximize your protection against information theft and other forms of data loss. Ideally, a storage security audit should make sure your organization understands its security exposures and recommend possible corrective action.
- A storage compliance audit is a special kind of storage security audit designed to check your storage against legal and regulatory requirements. Compliance audits are used by public companies and organizations subject to Securities and Exchange Commission (SEC) and other regulations dealing with protecting and preserving certain specific types of information. A storage compliance audit checks your storage and practices against the requirements of laws, such as the Sarbanes-Oxley Act (SOX) and other regulations your enterprise may be required to follow. Equally important, a compliance audit helps to document your compliance with requirements. It is usually more limited than the other types of audits.
All kinds of storage audits will give you an up-to-date inventory of your storage and related resources, as well as a map of how they are deployed.
The audit process generally starts with a meeting or a series of meetings to define precisely the scope of the audit and to gather existing information within the organization. Typically, the auditor will be interested in existing policies and procedures, as well as strategic goals and business plans. The next step is usually reviewing documentation on the storage system and the way it is used. The audit will include a complete inventory of storage resources and use levels, as well as an examination of how the policies and procedures are implemented.
The final product will be a report typically presented at a meeting or meetings with the appropriate level of management. The auditor's report should show the strengths and weaknesses of your storage organization and recommend improvements.
For the storage administrator, one of the significant outcomes of a storage audit is identifying areas where the organization can save money through storage consolidation or other means. The recommendations are typically based on industry best practices and usually offer methods of improving performance, as well.
About the author: Rick Cook specializes in writing about issues related to storage and storage management.
This was first published in June 2007