Storage Magazine - UK

THE STRONG ARM OF COMPLIANCE

From STORAGE Magazine Vol 6, Issue 2 - March 2006
 

Rumour has it that most I.T. managers and other decision makers in the UK still do not have a proper grasp of their statutory obligations in relation to data storage compliance. That puts their businesses at grave risk of heavy financial penalties if they fail to prepare for the growing number of regulations surrounding what have become complex and often confusing compliance issues. Editor Brian Wall reports.

It has been suggested that more than a third of IT directors were unable to advise their CEOs on how long their company was legally required to store its business data. And more than half were unable to confirm whether they even had a policy covering how long they were required to keep company emails. So compliance may well matter - but what are the options available when it comes to achieving that goal? How should the right processes be put into place? What are the pitfalls? Who needs to take responsibility in the chain of command and how should this be communicated across the organisation?

According to Mike Walters, consultant systems engineer, NetApp, while IT managers are very accustomed to identifying and deploying technical solutions to business problems, the use of IT to help businesses meet compliance is relatively new. "This is compounded by the fact that many compliance requirements are laid down by organisations external to the company and also that compliancy inevitably touches more than just IT," he points out.

"It will usually involve business processes and applications, as well as the more obvious storage requirements. The time for which information may require 'locking down' also frequently extends beyond the normal refresh lifecycle of equipment used and this, in turn, brings challenges outside of the ordinary."

Choosing the simplest secure solution to meet the requirements will reap rewards in future years. Some companies now have 'compliance officers' and these, Walters adds, should work hand-in-hand with their IT colleagues to help identify the correct solutions for their environment, particularly in helping identify the company's own processes.

"In general, storage vendors cannot provide a solution to customers with a 'certified for compliance' stamp. Most current regulations do not provide 'certification' of technologies. What they can do is provide independent certifications for the industry concerned, as well as giving examples of customers who have had their overall solutions 'ratified' by the regulatory requirements, including the storage element in question. This ability to demonstrate evidence by experience is preferable to being the first to use a technology in an area where compliance can lead to executives facing prison for lack of compliance!"

Where many IT projects are focused more on reducing total cost of ownership of a solution, regulatory compliance introduces risk as a primary objective for many customers to reduce. Since 'locked data' may need to be kept for many years, it is important for customers to build simplified solutions using open protocols that can help reduce the risk. Designing a solution with the ability to scale is critical, since the dataset could grow exponentially, and migrating regulated data between disparate (or non-unified) platforms is undesirable.

Certainly, compliance is a tricky issue and there are no quick fixes. "The storage industry often thinks that technology is the most important piece of the compliance puzzle," comments Steve Tongish, director of marketing (EMEA), Plasmon, "and while selecting appropriate products is critical, there are other elements that must be considered. The only way to successfully attack compliance long-term is by viewing it as an issue of corporate culture.

"To begin with, compliance cannot be left to the over-worked IT manager. Generally, IT professionals understand the technology but do not have a clear vision on the value of the information itself. For this reason, those people who do understand the business priorities and processes must be involved in compliance. Key to compliance is establishing the ownership, value and record retention requirements for strategic data sets. There is a much greater chance of success if the classification of records is limited to a handful of categories and initially restricted to more structured applications."

Tongish argues that it is extremely difficult to select the most appropriate software and hardware, if this initial groundwork has not been put in place. "For example, the data categories that are established can have a major influence on the storage technology. If retention periods are short and data value is low, a magnetic disk archive could be satisfactory. On the other hand, if there is strong need to establish record authenticity and retention periods are high, optical storage like UDO would be more appropriate. If individual records need to be physically destroyed when they reach end-of-line, tape is not a practical option, but disk or UDO could be used."

The downside risk to poor compliance management simply cannot be ignored. It has become an 'in your face' issue for all businesses, a driving force in information management and data storage. The immediate availability of records can now be demanded, whether that might relate to BSI (ISO) 5000: 2002, 7799, the Data Protection Act, Basel II, Sarbanes Oxley, the Financial Services Authority or any other similar regulation or law around the world.

Moreover, as Chris James, EMEA marketing director at Overland Storage, points out, Sarbanes Oxley has, for the first time, made CEOs and CFOs personally responsible when signing company accounts. "To be compliant, the challenge is for companies to capture, control and audit the information. You cannot ignore compliance, so it should be used positively to improve the way you do things right now. It is important to involve areas of non-compliance in your organisation's management of its electronic data - all importantly from a people perspective, as well as technology.

"CIOs need to ensure that, no matter where data resides, it is appropriately managed at every stage in the information lifecycle. When policy is set, the system manages the data, rather than relying on an overworked IT manager or worse, non-technical resource, such as a package delivery or courier service to transport tapes. The people issues in all of this cannot be emphasised too strongly, including education, involvement of the whole organisation and communication with everyone on an on-going basis."

James believes the key to compliance is to establish up-front policies that dictate where data is stored, and in what format, to ensure appropriate recovery times. The policies must cover managing and protecting remote data, as well as ensuring the redundancy of central data.

"The most important piece of compliance advice is 'plan first'. In Overland's experience, many businesses are taking on compliance projects ad hoc, addressing requirements as they emerge and treating them as one-time, just-in-time projects. There is no 'one-size-fits-all' answer to the question of how businesses need to react to the emergence of new regulations, in terms of processes, IT, business strategy and storage. Getting back to basics with objectives, clear focus and strategy is the way to develop your 'compliance engine' - and to gain business benefit in so doing."

But what exactly do today's government regulations require from IT professionals? What are the best solutions available for meeting those requirements in times of constrained budgets and increasing business requirements? And more specifically, what technologies are best suited to help IT professionals meet those requirements, while maintaining or improving committed service levels?

Michael Joyce, director of channel marketing, AMCC Storage, points to the storage solution providers that now offer serial I/O connections to the disk drive and, more specifically, to Serial ATA (SATA). The rationale for this direction, he contends, relates to the tremendous scale, reliability and performance benefits associated with serial connectivity and to the increasing regulatory burden placed on IT shops.

"In a period of flat or shrinking IT budgets and heightened scrutiny of medical costs, for example," says Joyce, "the additional regulatory burdens for standardisation, protection and auditability of individually identifiable health data and metadata will force some difficult choices for IT managers in environments required to comply with the provisions of the Health Insurance Portability and Accountability Act of 1996.

"And, because the primary attributes of SATA storage are its performance, value and density, it is also ideally suited to the extensive record retention requirements placed on US companies as a result of the new Sarbanes-Oxley legislation. This introduced highly significant legislative changes to financial practice and corporate governance regulation. It brought in stringent new rules, with the stated objective 'to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws', according to the online source, the Sarbanes-Oxley-Forum.com."

And, as is all too evident from recent past experience in the area of compliance and other regulatory issues, whatever is hitting US business will soon impact UK ones as well.

"Serial ATA (SATA) offers increased performance, easier integration based on reduced pin count, lower voltage requirements and improved cable and connector plants," adds Joyce. "The availability of sophisticated RAID solutions based on SATA, such as the 3ware line of hardware RAID controllers from AMCC, enhances the inherent applicability of SATA to the issues of regulatory compliance and makes it a compelling technology for satisfying current legal and regulatory requirements."

Just working out which regulations apply to stored data can be a challenge. In an extreme example, cited by Gary Watson, chief technology officer, Nexsan Technologies, a UK subsidiary of a publicly-traded American pharmaceutical research company might have to simultaneously comply with the UK Data Protection Act, Sarbanes Oxley, FDA rule 21 CFR and HIPAA. "As each of these regulations affects how information is handled across the entire enterprise, a high-level executive must be assigned the responsibility of ensuring that each department comports itself responsibly," says Watson.

"In the USA, where non-compliance can result in the CEO being frog-marched out the door in handcuffs, a powerful chief compliance officer position is often designated, reporting directly to the CEO. In the UK, where enforcement is rather less dramatic, a data protection manager may be given equivalent responsibilities, but at a slightly lower level in the company."

Fortunately, adds Watson, from the data storage perspective, the compliance regulations select mandatory features from a finite menu:

• Time-stamping of records to prove when they were created
• Encryption of data to protect privacy
• Serialisation of records to assist with auditing
• Replication of data offsite to ensure retention after a disaster
• Access logging to record who is looking at what
• Immutability to ensure records may not be tampered with, even by an administrator
• Auditing to verify periodically that records are complete and have integrity
• Disposition to ensure records are kept for a minimum period of time and, in the case of the Data Protection Act (DPA), deleted when no longer needed.

"Professional guidance is usually required to work out which regulations apply to the business and which kinds of data are subject to which of these regulations," states Watson. "In some cases, apparent conflicts in regulations must be worked out, such as when the DPA mandates that a personal record be destroyed, yet Sarbanes Oxley appears to require the record be kept for a defined number of years. In these cases, legal guidance is needed to negotiate a policy acceptable to all regulatory agencies."
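Watson's menu of features, and the DPA-versus-Sarbanes-Oxley conflict he describes, map onto a small set of storage mechanics. The Python below is an added example, not code from the article or from any vendor named in it: an append-only record store with serialisation, time-stamping, hash-chained immutability, access logging, an integrity audit and retention-gated disposition that deletes a payload while leaving its chain entry (and so the audit trail) intact. The Unix-seconds time representation and the retention period passed in are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64

class ComplianceStore:
    """Append-only store: each envelope has a sequence number, time-stamp, SHA-256 of
    its payload and the previous digest, so the chain audits for completeness and
    integrity. Payloads sit apart so disposition can delete one and keep the chain."""

    def __init__(self, min_retention_seconds):
        self.min_retention = min_retention_seconds  # all times are Unix seconds (assumed)
        self.chain, self.payloads, self.access_log = [], {}, []

    @staticmethod
    def _digest(env):
        fields = {k: env[k] for k in ("seq", "created", "payload_sha256", "prev")}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def append(self, payload, now):
        prev = self.chain[-1]["digest"] if self.chain else GENESIS
        env = {"seq": len(self.chain) + 1, "created": now, "prev": prev,
               "payload_sha256": hashlib.sha256(payload).hexdigest()}
        env["digest"] = self._digest(env)  # immutability: any later edit breaks this
        self.chain.append(env)
        self.payloads[env["seq"]] = payload
        return env["seq"]

    def read(self, seq, principal, now):
        self.access_log.append((now, principal, seq))  # access logging: who read what, when
        return self.payloads.get(seq)  # None once disposed

    def dispose(self, seq, now):
        """Delete a payload only once its minimum retention period has elapsed."""
        if now - self.chain[seq - 1]["created"] < self.min_retention:
            return False
        self.payloads.pop(seq, None)
        return True

    def audit(self):
        """Recompute every digest; return the sequence numbers that fail."""
        failed, prev = [], GENESIS
        for i, env in enumerate(self.chain, start=1):
            ok = env["seq"] == i and env["prev"] == prev and env["digest"] == self._digest(env)
            if i in self.payloads:  # a disposed payload is skipped; its hash stays in the chain
                ok = ok and hashlib.sha256(self.payloads[i]).hexdigest() == env["payload_sha256"]
            if not ok:
                failed.append(i)
            prev = env["digest"]
        return failed
```

An early `dispose` call is refused until the retention period has passed; after disposal the envelope still verifies, so the record's existence and integrity remain provable while the personal data itself is gone.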

Watson closes with a wry and crucial observation - that there is no such thing as 'compliance in a box', vendor claims notwithstanding.

"Compliance is an holistic issue, covering the entire enterprise, its procedures, training and, of course, the storage hardware and software. Your storage vendor should provide enough compliancy features to make the job easy today - and in the future, as regulations change."

The overall message is clear and uncompromising: ignore compliance at your peril. And while the financial penalties likely to be incurred for failure to comply will certainly act as one level of deterrent, the prospect of untold - and possibly irreparable - damage to the business should help to concentrate the minds of even the most intractable of businesses.

©2006 Business and Technical Communications Ltd. All rights reserved.