THE STRONG ARM OF COMPLIANCE

From STORAGE Magazine, Vol 6, Issue 2 - March 2006

Rumour has it that most IT managers and other decision makers in the UK still do not have a proper grasp of their statutory obligations in relation to data storage compliance. That puts their businesses at grave risk of heavy financial penalties for failing to prepare for the growing number of regulations surrounding what have become complex and often confusing compliance issues. Editor Brian Wall reports.

It has been suggested that more than a third of IT directors were unable to advise their CEOs on how long their company was legally required to store its business data, and more than half were unable to confirm whether they even had a policy covering how long they were required to keep company emails.

So compliance may well matter - but what are the options available when it comes to achieving that goal? How should the right processes be put into place? What are the pitfalls? Who needs to take responsibility in the chain of command, and how should this be communicated across the organisation?

According to Mike Walters, consultant systems engineer, NetApp, while IT managers are very accustomed to identifying and deploying technical solutions to business problems, the use of IT to help businesses meet compliance is relatively new. "This is compounded by the fact that many compliance requirements are laid down by organisations external to the company and also that compliance inevitably touches more than just IT," he points out. "It will usually involve business processes and applications, as well as the more obvious storage requirements. The time for which information may require 'locking down' also frequently extends beyond the normal refresh lifecycle of the equipment used and this, in turn, brings challenges outside of the ordinary." Choosing the simplest secure solution to meet the requirements will reap rewards in future years.
Some companies now have 'compliance officers' and these, Walters adds, should work hand-in-hand with their IT colleagues to help identify the correct solutions for their environment, particularly in helping to identify the company's own processes. "In general, storage vendors cannot provide a solution to customers with a 'certified for compliance' stamp. Most current regulations do not provide 'certification' of technologies. What they can do is provide independent certifications for the industry concerned, as well as giving examples of customers who have had their overall solutions 'ratified' by the regulatory requirements, including the storage element in question. This ability to demonstrate evidence by experience is preferable to being the first to use

Where many IT projects are focused mainly on reducing the total cost of ownership of a solution, regulatory compliance makes reducing risk a primary objective for many customers. Since 'locked' data may need to be kept for many years, it is important for customers to build simplified solutions using open protocols, which help to reduce that risk. Designing a solution with the ability to scale is critical, since the dataset could grow exponentially, and migrating regulated data between disparate (or non-unified) platforms is undesirable.

Certainly, compliance is a tricky issue and there are no quick fixes. "The storage industry often thinks that technology is the most important piece of the compliance puzzle," comments Steve Tongish, director of marketing (EMEA), Plasmon, "and while selecting appropriate products is critical, there are other elements that must be considered. The only way to successfully attack compliance long-term is by viewing it as an issue of corporate culture.

"To begin with, compliance cannot be left to the over-worked IT manager. Generally, IT professionals understand the technology but do not have a clear vision of the value of the information itself. For this reason, those people who do understand the business priorities and processes must be involved in compliance. Key to compliance is establishing the ownership, value and record retention requirements for strategic data sets. There is a much greater chance of success if the classification of records is limited to a handful of categories and initially restricted to more structured applications."

Tongish argues that it is extremely difficult to select the most appropriate software and hardware if this initial groundwork has not been put in place. "For example, the data categories that are established can have a major influence on the storage technology.
"If retention periods are short and data value is low, a magnetic disk archive could be satisfactory. On the other hand, if there is a strong need to establish record authenticity and retention periods are long, optical storage like UDO would be more appropriate. If individual records need to be physically destroyed when they reach end-of-life, tape is not a practical option, but disk or UDO could be used."

The downside risk of poor compliance management simply cannot be ignored. It has become an 'in your face' issue for all businesses, a driving force in information management and data storage. The immediate availability of records can now be demanded, whether that might relate to BSI (ISO) 5000: 2002, 7799, the Data Protection Act, Basel II, Sarbanes-Oxley, the Financial Services Authority or any other similar regulation or law around the world.

Moreover, as Chris James, EMEA marketing director at Overland Storage, points out, Sarbanes-Oxley has, for the first time, made CEOs and CFOs personally responsible when signing company accounts. "To be compliant, the challenge is for companies to capture, control and audit the information. You cannot ignore compliance, so it should be used positively to improve the way you do things right now. It is important to involve areas of non-compliance in your organisation's management of its electronic data - all importantly from a people perspective, as well as technology.

"CIOs need to ensure that, no matter where data resides, it is appropriately managed at every stage in the information lifecycle. When policy is set, the system manages the data, rather than relying on an overworked IT manager or, worse, non-technical resource, such as a package delivery or courier service, to transport tapes. The people issues in all of this cannot be emphasised too strongly, including education, involvement of the whole organisation and communication with everyone on an on-going basis."

"The most important piece of compliance advice is 'plan first'. In Overland's experience, many businesses are taking on compliance projects ad hoc, addressing requirements as they emerge and treating them as one-time, just-in-time projects. There is no 'one-size-fits-all' answer to the question of how businesses need to react to the emergence of new regulations, in terms of processes, IT, business strategy and storage. Getting back to basics with objectives, clear focus and strategy is the way to develop your 'compliance engine' - and to gain business benefit in so doing."

But what exactly do today's government regulations require from IT professionals? What are the best solutions available for meeting those requirements in times of constrained budgets and increasing business requirements? And more specifically, what technologies are best suited to help IT professionals meet those requirements, while maintaining or improving committed service levels?

Michael Joyce, director of channel marketing, AMCC Storage, points to the storage solution providers that now offer serial I/O connections to the disk drive and, more specifically, Serial ATA (SATA). The rationale for this direction, he contends, relates to the scale, reliability and performance benefits associated with serial connectivity and to the increasing regulatory burden placed on IT shops. "In a period of flat or shrinking IT budgets and heightened scrutiny of medical costs, for example," says Joyce, "the additional regulatory burdens for standardisation, protection and auditability of individually identifiable health data and metadata will force some difficult choices for IT managers in environments required to comply with the provisions of the Health Insurance Portability and Accountability Act of 1996.
"And, because the primary attributes of SATA storage are its performance, value and density, it is also ideally suited to the extensive record retention requirements placed on US companies as a result of the new Sarbanes-Oxley legislation. This introduced highly significant legislative changes to financial practice and corporate governance regulation. It brought in stringent new rules, with the stated objective 'to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws', according to the online source Sarbanes-Oxley-Forum.com. And, as is all too evident from recent past experience in the area of compliance and other regulatory issues, whatever is hitting US business will soon impact UK business as well.

"Serial ATA (SATA) offers increased performance, easier integration based on reduced pin count, lower voltage requirements and improved cable and connector plants," adds Joyce. "The availability of sophisticated RAID solutions based on SATA, such as the 3ware line of hardware RAID controllers from AMCC, enhances the inherent applicability of SATA to the issues of regulatory compliance and makes it a compelling technology for satisfying current legal and regulatory requirements."

Just working out which regulations apply to stored data can be a challenge. In an extreme example, cited by Gary Watson, chief technology officer, Nexsan Technologies, a UK subsidiary of a publicly-traded American pharmaceutical research company might have to comply simultaneously with the UK Data Protection Act, Sarbanes-Oxley, FDA rule 21 CFR and HIPAA. "As each of these regulations affects how information is handled across the entire enterprise, a high-level executive must be assigned the responsibility of ensuring that each department comports itself responsibly," says Watson. "In the USA, where non-compliance can result in the CEO being frog-marched out of the door in handcuffs, a powerful chief compliance officer position is often designated, reporting directly to the CEO. In the UK, where enforcement is rather less dramatic, a data protection manager may be given equivalent responsibilities, but at a slightly lower level in the company."

Watson closes with a wry and crucial observation - that there is no such thing as 'compliance in a box', vendor claims notwithstanding. "Compliance is an holistic issue, covering the entire enterprise, its procedures, training and, of course, the storage hardware and software. Your storage vendor should provide enough compliance features to make the job easy today - and in the future, as regulations change."

The overall message is clear and uncompromising: ignore compliance
©2006 Business and Technical Communications Ltd. All rights reserved.