Get ready for Sarbanes-Oxley

This November, a new portion of Sarbanes-Oxley will go into effect. Here's how to set up the right storage management practices so your organization will be ready.


IT auditing basics
While several published auditing frameworks exist, when it comes to Sarbanes-Oxley, the one to become familiar with is the "COSO Internal Control--Integrated Framework." The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private organization focused on addressing fraudulent financial reporting. This framework has been endorsed by a number of auditing and accounting organizations.
There are five key components to COSO:
  1. Control environment: the "tone at the top" of the organization, demonstrated by corporate standards and objectives and a good understanding of roles and responsibilities.
  2. Risk assessment: identification and management of both internal and external risks.
  3. Control activities: the defined policies, procedures and practices that are in place to achieve business objectives and address risk.
  4. Information and communication: making sure that information required to perform control activities is appropriate, accurate, current and available.
  5. Monitoring: overseeing and assessing the entire control operation.
These components are broad, and while it is clear that IT has a role in this, a clearer definition of IT responsibilities is needed. Fortunately, the IT Governance Institute has mapped the COSO guidelines into its Control Objectives for Information Technology (CobiT). While CobiT is a comprehensive and far-reaching IT control framework, a subset of the framework maps well into the COSO structure. For details, refer to the document "IT Control Objectives for Sarbanes-Oxley," which is available on the ITGI Web site.

Recently I've had several conversations with clients about compliance and its relationship to storage. The tenor of the discussions has been generally the same: The organization is planning an evaluation or audit of its IT infrastructure to determine how well it complies with Sarbanes-Oxley, SEC 17a, HIPAA, FDA 21CFR11, internal corporate auditing standards or some combination of the above. Currently, the hottest topic of regulatory interest is the U.S. Public Company Accounting Reform and Investor Protection Act of 2002, better known as Sarbanes-Oxley (SOX). Enacted in response to such high-profile corporate mishaps as Enron and WorldCom, this law is taking effect in several stages.

IT audits aren't new, but with the continuing flow of news stories concerning investigations and indictments, corporate executives are highly motivated to keep their organizations out of the news. So compliance initiatives are underway in many companies, and their impact ripples throughout the IT organization.

When you get past the particulars of SOX compliance and consider the overall objective of SOX and similar regulations, they can be viewed as essentially evaluation tools for overall operational capabilities. In reality, these new demands require little more than striving for excellence in storage management, and that's what you should focus on.

Data retention only part of it
SOX isn't just about data retention. In fact, its primary concern is the accuracy and verifiability of financial reporting. It strives to ensure that all inputs supporting financial data are above suspicion--in other words, it's about policy, process and good management practices.

Up until now, SOX has almost exclusively been the concern of the finance department. However, a new section of the law--Section 404--is scheduled to be phased in starting in November 2004 (recently delayed from June 2004). It requires a company to file an internal control statement with its annual report that includes "an assessment, as of the end of the most recent fiscal year ... of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

Essentially, the government is demanding not just that data be retained, but that companies must provide evidence that they're managing and protecting this information in a way that ensures compliance. In other words, show us some proof!

While IT is not specifically mentioned in the law, practically speaking, all of the financial systems--as well as other systems that support financials--are managed and controlled by IT. The need to demonstrate proper control and process management of this information impacts IT at both the application and infrastructure levels.

So if you were a CEO or CFO and had to sign this document under threat of fines or imprisonment, you would want to be certain that the statements are accurate. You would most likely demand of your CIO an assessment or audit of your IT organization to verify that the controls and processes are in place to ensure that the information affected by the law is being managed appropriately. If it hasn't happened in your organization yet, get ready; it probably will.

The basics of storage compliance
At its fundamental level, compliance is essentially about good management practices: establishing a set of policies and procedures and defining related measurement criteria to demonstrate conformance to those policies and procedures. How does this specifically impact storage management?

Let's begin by looking at what makes up an audit. Auditors speak in terms such as "governance" and "control." Governance relates to the overall policies and ethical climate with regard to reporting information. Control is the set of processes and measurement that enforces these policies. (See "IT auditing basics")

Elements of storage management

"Elements of storage management" outlines the four component levels (policy, practice, procedure and performance) of governance and control. If applied appropriately to the elements of storage management, these levels can form an effective compliance support structure.

Policies are established by IT management in support of overall corporate requirements. They can be strategic, operational or tactical, and can apply to a broad spectrum of IT functions. These tend to be broad statements that apply across all areas of IT.

From a compliance standpoint, the most critical areas of concern are risk elements such as:

  • Security
  • Change management
  • Availability
  • Recoverability
  • Monitoring and reporting

At GlassHouse, we often apply the Capability Maturity Model (CMM) as one important measurement tool to help our clients improve their storage operations.

Procedures are required within each area of a practice framework, such as the storage management life cycle. You must define and document a set of standard operating procedures (SOPs). This is the third level of our compliance framework. The SOPs must address all relevant storage practice areas, including the management of primary storage, backup, disaster recovery and archiving.

Lastly, you must measure your performance in carrying out those procedures. That consists of identifying, configuring and managing storage control points for event notification purposes (failures, capacity thresholds, backups, etc.) that are in line with established SOPs. These control points will be measured by a combination of output from completed tasks, such as reports and logs (artifacts), as well as other defined criteria such as an evaluation against defined benchmarks like the CMM.

In coping with the new laws, your organization will probably fall into one of three categories:

  • If you have a high quality environment that is documented, you won't have much to worry about.
  • If you are doing most of the right things, you may need to add some documentation or establish the appropriate reporting to demonstrate that you are doing so.
  • If you aren't doing these things, you have a lot of work to do. You must begin to implement a plan to establish policies and processes. If you don't have the time to do this, make time or find some help.

The drive to SOX compliance will have a significant impact in the next few years, but keep in mind that IT has been through things like this before. Consider, for example, the Y2K ordeal. However, compliance has one significant difference--Y2K was a one-time effort; compliance is forever.

This was last published in May 2004
