SearchStorage.com: Who is ultimately going to be responsible for compliance -- backup and archiving vendors, storage management vendors, a combination of vendors?
End users will continue to be responsible for compliance. Vendors can help, by providing the needed technical capabilities at each software and hardware layer. IT organizations and system integrators can combine products into complete solutions, using a layered approach to information security and compliance. But a large part of compliance is built on administrative controls -- the policies and procedures that define the goals and capabilities that the technology must deliver, and manage the infrastructure once it is deployed. SearchStorage.com: What tools aren't available to manage compliance that users should be requesting from their vendors?
Good integration of IM into e-mail archiving systems is one of those. Integration of email and content into records management applications is another. SearchStorage.com: For compliance sake, how can users best manage their organization's peripheral storage? (Instant Messenger, Blackberries, 2-way pagers, etc.)
The recordkeeping requirements depend on the regulatory environment, so companies need to assess the external and internal requirements, and forge agreement among all their stakeholders on data capture and retention for these forms of electronic messages. The requirements for broker-dealers under SEC Rule 17a-4 are well defined, and company policies may restrict the use of such devices by specifying approved service providers or by employing special IM management and compliance software. For example, Bloomberg and Reuters instant messaging services provide a secure IM environment intended to meet SEC compliance requirements.
For most other companies, the current regulations do not yet address messaging very explicitly. However, as we learned from the SEC's enforcement actions in the securities industry, it's likely that regulators will take the position that companies "should have known" that these were business communications. And since it's feasible to capture and save them, companies should recognize their duty to do so, as part of their business records.
Certainly lawyers and courts recognize emails as business records that are subject to discovery, and it won't be long before IM records are covered by the same logic. Stakeholders will continue to raise the bar, and expectations will be set by society's perceptions of what is possible and feasible in terms of message capture and retention. Companies can go the extra mile, and take steps now to enhance their credibility with their auditors, regulators and litigators -- or they can wait until events force their hand on these issues. These are policy choices, and should be made explicitly after assessing the requirements, risks and costs.SearchStorage.com: Will compliance spell the end of optical storage?
Not necessarily. Optical storage can be good for long-term archiving (off line vaults), especially if you're saving data -- such as key documents and reports -- for more than 10 years. Optical media is probably more stable and readable over the years than tape media. The issue is technological obsolescence: do the drives and software still exist, that can read the data? This was a big problem with unique 14" and 5.25" WORM formats, but current CD-ROM formats are likely to be readable for many years, due to the format's use in consumer products.
At the logical level, saving data in standard formats like XML or PDF -- rather than proprietary database formats -- is another good approach for long-term archiving.SearchStorage.com: Is it true that most backup software suites does not support WORM media? If not, is this a big problem for users?
Some backup software products support WORM devices, but not elegantly. The main problem is that writing backup copies to WORM devices would fill up lots of media that cannot be re-used, so most backup users prefer to use rewritable tape or disk storage.
Users who are looking to archive data on WORM -- such as broker-dealer emails covered by SEC Rule 17a-4 -- should be using archiving software, not relying on backup software to do the job. Most archiving software supports WORM.