Important considerations in compliance tool selection
Most storage administrators use management software tools to organize and track email and other data types, helping them locate data in the proper storage locations, move aging data between storage systems and search for relevant data as required. Archiving systems accommodate long-term data storage, preserving important records on disk or other media. Archiving software provides the retention and search capabilities that allow administrators to locate records that may be years or even decades old. E-discovery tools offer specialized search mechanisms designed to quickly locate and secure files needed for litigation. This guide covers the criteria involved in buying these kinds of products. Each chapter offers a set of buying points and product specifications that can help readers identify prospective management tools, archive platforms, archive software and e-discovery tools. Before we look at specific product categories, let's start by identifying the concerns behind compliance purchases.
Understand the data that you need to keep. Businesses with different compliance needs will have different storage requirements. Once you identify important applications and data types, understand what data must be kept to satisfy industry and government regulations. For example, a healthcare business in the U.S. will be governed by HIPAA, requiring deep nearline archiving of patient records. By contrast, a public company in the service sector may simply be governed by SOX, requiring shorter retention periods for financial and legal data, but may use data deduplication to reduce data volume or a virtual tape library (VTL) to speed everyday backup tasks.
Understand how long important data should be kept. Once you understand the data that you have and know what data is important to the enterprise, decide how long each data type should be kept. Attaching a retention period and deletion scheme to each data type allows you to set up retention and deletion policies for stored data. Again, this is not solely an IT task, but an enterprise-wide task involving principals from each department. In many cases, data retention is based on retention requirements for similar paper records. For example, if paper employment records must be kept for seven years, the electronic equivalent often must be kept for the same period. Also, it is important to identify an acceptable means of deletion. Do not keep data past its accepted deletion date, and ensure that you can confirm that the data was deleted in an acceptable manner.
Employ technology to lower costs and automate processes. Now that you have a handle on the data you have, the data you need to keep and how long that data needs to be kept, you can employ tools to reduce storage demands and automate migration, retention and deletion tasks. Data deduplication technologies can significantly reduce storage costs. Policy managers can help organize data storage, move data to lower storage tiers as the data ages, prevent premature data deletion, secure data under litigation hold and then securely delete the data when its retention period expires. Policy managers, as well as written company policies, can also help reduce inappropriate data, like employee photos and music files. Capacity planning tools can help manage capital storage investments, reducing money wasted in unnecessary storage purchases.
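The retention, tiering, hold and deletion decisions described in the two paragraphs above can be expressed as a small policy check. This is an added example, not code from the article or from any product; the policy table, field names and action names are assumptions, and only the seven-year employment-record period comes from the text.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy table: data type -> (retention years, years before tiering down).
# Seven years for employment records follows the article; the rest is constructed.
POLICIES = {"employment_record": (7, 1), "financial_report": (5, 2)}

@dataclass
class Record:
    record_id: str
    data_type: str
    created: date
    tier: str = "primary"
    legal_hold: bool = False

def add_years(d, years):
    """Calendar-accurate year offset (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def evaluate(record, today):
    """Return the action a policy manager would take for one record."""
    if record.legal_hold:
        return "hold"        # litigation hold overrides expiry
    if record.data_type not in POLICIES:
        return "review"      # unclassified data is never auto-deleted
    retain_years, tier_years = POLICIES[record.data_type]
    if today >= add_years(record.created, retain_years):
        return "delete"      # retention period has expired
    if record.tier == "primary" and today >= add_years(record.created, tier_years):
        return "migrate"     # aging data moves to a lower storage tier
    return "retain"

def request_delete(record, today, deletion_log):
    """Block premature or held deletions; log accepted ones for later confirmation."""
    if evaluate(record, today) != "delete":
        return False
    deletion_log.append({"record_id": record.record_id, "data_type": record.data_type,
                         "deleted_on": today.isoformat()})
    return True

# Constructed sample records, evaluated as of a constructed date.
TODAY = date(2008, 1, 2)
SAMPLES = [Record("R1", "employment_record", date(2000, 6, 1)),
           Record("R2", "employment_record", date(2000, 6, 1), legal_hold=True),
           Record("R3", "financial_report", date(2006, 1, 1)),
           Record("R4", "financial_report", date(2007, 9, 1))]
ACTIONS = {r.record_id: evaluate(r, TODAY) for r in SAMPLES}
```

The deletion log is what lets you confirm later that a record was removed on or after its accepted deletion date and not before.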
Evaluate licensing and maintenance costs. Compliance and e-discovery product costs typically do not end with the initial purchase. Hardware will require regular service or repair and software will involve periodic updates or bug fixes. Budget for maintenance contracts that will add to each product's total cost of ownership (TCO).
Use audit trails and access controls. Compliance requires regulated access: ensuring that only authorized personnel access files and any changes to data are closely tracked. When evaluating a compliance product, consider audit and access features that prevent unauthorized changes or deletions. Even the activities of authorized users should be closely monitored and recorded, so an activity trail will evolve for every file. Auditors and lawyers can then follow the trail to ensure compliance or handle litigation.
Run practice drills to simulate compliance audits and discovery requests. Organizations are typically unprepared to handle audit and discovery demands. Auditors typically arrive unannounced, and discovery requests often come without warning. Many IT organizations must scramble to address the audit or discovery under threat of significant penalties. Simulate periodic audits and use compliance tools to address mock discovery requests. Training helps personnel prepare for real issues and can reveal weaknesses in tools or procedures that should be updated.
Seek the assistance of a compliance consulting firm. Rather than risking financial penalties or other punishments, businesses may seek the assistance of consultants trained in compliance matters. Consultants can help to test and refine current compliance processes, as well as run practice audits and e-discovery drills. All consultants should have extensive experience in your industry and provide suitable references.
02 Jan 2008