Storage Magazine - UK

Compliance Part 1 - A weapon of mass persuasion?

From STORAGE Magazine Vol 4 No 02 - April 2004

In the first of a two-part feature, Ray Smyth examines the issues surrounding compliance for electronic data storage.

Death and taxes, we are told, are the only certainties. Well, there is another: regulatory and legislative compliance for the electronic storage of data. Is it an invitation for suppliers to market their products in a climate of fear, or is it a real issue that requires a professional and considered response?

There was a time when storage didn't figure in the duties of even the most diligent IT management professionals - in fact it was carried out by the admin team, as it was largely paper based. Electronic storage was cheap and ubiquitous, and as a result the maxim used by photographers - "film is cheap" - was adopted by IT. The result was data everywhere, loss of control, and company directors realising they had a problem. Some of this data has a habit of coming back to bite, and in this respect emails are at the top of the list. In parallel, there has been a strong push for the more general acceptance of electronic records in all walks of life and across all business sectors, combined with increasing acceptance within the legal world.

Each area brings its own special demands: a pharmaceutical company, for example, must meet a range of demands specified by its regulatory authority and legal advisors, as well as a broad set of practices that must be embraced by all. Some industry sectors have their house in good order; others have work to do. The fact is that everyone needs a compliant system for the storage and retrieval of electronically stored data. But although this will be driven by legislation, is it really any more than good corporate governance and best practice?

At the heart of this challenging area are two separate categories of data - working records and fixed content. In establishing a strategy it is important to look at these separately, understand what is required of each, and then plan the implementation. Another important point arises here: if you consider the storage of your data as a life cycle, starting with creation and ending in destruction, you are well on the way to establishing a good basis for a compliant solution. Working records are those we are all most familiar with, and their handling will mostly be driven by the needs of each organisation or business. They are the records created and used through normal day-to-day operations; the information management policy and process determine the way these are handled.

Fixed content is much more specific - these are the [official] archived records that an organisation will preserve as evidence of an event or transaction. They are the electronic equivalent of keeping an original copy of a letter that cannot be altered or tampered with in any way. This association with paper archiving is a good one, and again serves as a useful yardstick against which to build. The legislation and regulations are rarely specific about what technology to use. Rather, they establish rules and conditions, and it is these that must be met. That said, there is growing confidence in WORM (Write Once Read Many) storage devices.

Whilst you will find it hard to get a storage device or technology approved per se, deployments governed by the likes of the US Securities and Exchange Commission (SEC), whose broker-dealer record-keeping rule (17a-4) requires electronic records to be preserved in a non-rewriteable, non-erasable format, are being successfully audited with WORM-based storage solutions. At this stage it would be easy to think of records as documents - but they may not be.

Think about database information held in tables. Whilst as a working record this must be backed up, archiving requires a different approach: a backup of the live tables is neither fixed nor retrievable record by record as evidence. Interestingly, I wasn't able to find much guidance on this, but the consensus suggests that you will need to produce individual records from the database to archive and store. This one example illustrates the intellectual complexity of the challenge.

In a world where electronic data growth is enormous and the speed of transactions is increasing (one estimate puts the compound annual growth rate in the need for compliant solutions at 50%), no one can doubt the need for adequate protection for both suppliers and customers. I would suggest a well-managed organisation has already thought about this in order to develop some protection. If a case is contested in court, the evidence has to be trustworthy, and while technology will help pass this test, the judgment will largely be made on process and procedures and on the quality of auditing and control. There is a lot of activity to achieve this level of compliance at both national and European level. Moreover, once achieved, the work continues in maintaining the standard against changing business trends and, of course, the regulations themselves. It is a mistake for any organisation to treat this complex area as a one-off event like Year 2000 compliance; this issue is not going away, it is not optional and it is not trivial.

As I have mentioned (and not surprisingly), regulatory and legislative compliance is as much about process and procedure as it is about technology. Some suggest that it is not solely an area of IT responsibility, and I think this is so. Many large insurance companies and banks have formed well-funded and empowered Compliance Committees to direct this cross-enterprise obligation. Technology can absolutely help, but compliance needs to become part of the business fabric, owned by all operational heads and not just the CIO. In fact the technology gives rise to the problem, but the problem is not really that new, as the new regulations are in the main an upgrade of those which already exist for the storage of paper-based records. The most notable differences are the hugely increased volume of records and the apparent ease with which they could be altered. Ultimately this is about risk management and best practice, though even the best system will not guarantee protection against deliberate fraud. That said, there is a strengthening argument that electronically stored data may well offer organisations better control and protection than paper. Digital signing and unalterable records have a huge part to play here, with one caveat: a signature or a write-once medium shows that a record has not changed since it was committed, not that it was accurate or complete when it was created.
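To make the last point concrete, here is an added example (it is not from the article, nor from any vendor's product) of a tamper-evident archive for fixed-content records, written in Python. Each record is stored with a SHA-256 content hash, the hash of the previous entry (so deleting or reordering entries breaks the chain), and an integrity tag over those fields. The tag is an HMAC under an archive key, standing in for a digital signature because the Python standard library has no asymmetric signing; the key, the record identifiers and the sample e-mails are all constructed for the example.

```python
"""Tamper-evident archive of fixed-content records (added example, not the article's)."""
from __future__ import annotations

import copy
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key - an assumption for the example, not a real archive secret.
ARCHIVE_KEY = b"constructed-demo-archive-key"
GENESIS_HASH = "0" * 64


@dataclass
class Entry:
    seq: int           # position in the archive, starting at 0
    record_id: str     # business identifier of the archived record (constructed)
    created: str       # timestamp supplied by the caller
    payload: bytes     # the fixed content itself
    prev_hash: str     # entry_hash() of the previous entry, GENESIS_HASH for the first
    content_hash: str  # SHA-256 of payload
    tag: str           # HMAC-SHA256 over header() under the archive key

    def header(self) -> bytes:
        # Canonical encoding of every field the tag protects (payload via its hash).
        fields = [self.seq, self.record_id, self.created, self.prev_hash, self.content_hash]
        return json.dumps(fields).encode()

    def entry_hash(self) -> str:
        # What the next entry chains to: header plus tag.
        return hashlib.sha256(self.header() + self.tag.encode()).hexdigest()


def compute_tag(key: bytes, header: bytes) -> str:
    return hmac.new(key, header, hashlib.sha256).hexdigest()


class Archive:
    def __init__(self, key: bytes = ARCHIVE_KEY) -> None:
        self.key = key
        self.entries: list[Entry] = []

    def append(self, record_id: str, created: str, payload: bytes) -> Entry:
        prev = self.entries[-1].entry_hash() if self.entries else GENESIS_HASH
        entry = Entry(len(self.entries), record_id, created, payload, prev,
                      hashlib.sha256(payload).hexdigest(), tag="")
        entry.tag = compute_tag(self.key, entry.header())
        self.entries.append(entry)
        return entry

    def verify(self) -> list[str]:
        """Return findings; an empty list means every check passed."""
        findings: list[str] = []
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i:
                findings.append(f"entry {i}: sequence number is {e.seq}, expected {i}")
            if e.prev_hash != expected_prev:
                findings.append(f"entry {i}: chain broken (prev_hash mismatch)")
            if hashlib.sha256(e.payload).hexdigest() != e.content_hash:
                findings.append(f"entry {i}: payload does not match content_hash")
            if not hmac.compare_digest(e.tag, compute_tag(self.key, e.header())):
                findings.append(f"entry {i}: tag invalid (header altered or wrong key)")
            expected_prev = e.entry_hash()
        return findings


def demo() -> tuple[list[str], list[str], list[str]]:
    """Archive three constructed e-mails; verify clean, after an edit, and after a deletion."""
    archive = Archive()
    archive.append("MSG-0001", "2004-03-01T09:12:00Z",
                   b"From: a@example.test\nSubject: Q1 forecast\n\nSee attached.")
    archive.append("MSG-0002", "2004-03-01T10:05:00Z",
                   b"From: b@example.test\nSubject: Re: Q1 forecast\n\nAgreed.")
    archive.append("MSG-0003", "2004-03-02T08:40:00Z",
                   b"From: c@example.test\nSubject: Audit\n\nPlease retain.")
    clean = archive.verify()

    # An insider edits a record and recomputes its content hash, but cannot forge the tag.
    edited = copy.deepcopy(archive)
    target = edited.entries[1]
    target.payload = b"From: b@example.test\nSubject: Re: Q1 forecast\n\nDisagreed."
    target.content_hash = hashlib.sha256(target.payload).hexdigest()

    # Someone quietly drops a record from the middle of the archive.
    deleted = copy.deepcopy(archive)
    del deleted.entries[1]

    return clean, edited.verify(), deleted.verify()


if __name__ == "__main__":
    for label, findings in zip(("clean", "edited", "deleted"), demo()):
        print(f"{label}: {findings or 'OK'}")
```

Run as a script, it reports no findings for the untouched archive, a tag failure on the edited record plus a broken chain on the record after it, and a sequence gap plus a broken chain where a record was removed. Two caveats matter for a real deployment: the tag proves only that a record is unchanged since it was committed, not that it was accurate when created; and a hash chain alone cannot detect removal of the final entry, so the latest entry hash (or the entry count) should be anchored somewhere the writer cannot revise, which is exactly where WORM media earns its place.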

The policy and procedures that you create and adopt must be based on a thorough understanding of your own business and updated as it inevitably changes. You need to establish classes of data with handling procedures clearly set out for each. You also need to understand and set out the data life cycle for each class, ultimately recognising that data can and probably should be destroyed.

In fact there are already emerging signs of contradiction. The Data Protection Act 1998 requires that personal data be kept for no longer than is necessary for the purpose it was collected for - a period each organisation must determine and justify, not a fixed figure. A UK company whose securities are registered in the United States, however, is also bound by the Sarbanes-Oxley Act, which requires records relating to the audit of its accounts to be retained for seven years. Where the same records contain personal data, such an organisation has to reconcile a duty to minimise retention with a duty to retain, and it cannot satisfy either by simply ignoring the other. With such a huge and ongoing challenge it is as well to identify the biggest threat to your organisation and tackle that first. The universal class of data that undoubtedly poses the biggest problem for all organisations is email.

So the starting point for all organisations needs to be some form of audit of electronically stored data, existing processes, and the changes needed to establish clear compliance. To prevent a myopic view and to fast-track expert knowledge into the organisation, it is of immense value to consider using an independent and recommended consultant for this task. In these early planning stages there is much to be considered and a lot to get into perspective. For example, consideration must be given to the format and readability of stored data. It is no good storing it if you can't read it, and similarly if you can't locate it in a realistic time. Having said that, there is no point in providing for migration of data to new formats over a ten-year period if the maximum storage time for a class of data is four years. This is why it is important to lay the foundation carefully.

Once you have a system that is compliant, it is necessary to maintain it and to remain up to date on the rules. Unless you are a very big organisation, it is probably best to have the same consultant audit your solution perhaps twice in the first year and annually thereafter. Another thing not to get confused by is the industry jargon and hype that abounds. In considering compliance in this context, you must be thinking about Records Management and not Document Management - they are different. Also don't forget that most of the work that will secure a scalable, compliant solution will be done before you record your first compliant record onto media.

In closing this first part of the article, I cannot over-emphasise the importance of process and procedure. It is upon this foundation that you can build elegance and efficiency, and it is the storage and management technology, along with other available resources, that I will focus on in the concluding part, in the next issue.

Finally, don't panic! Compliance with the legislation is within the grasp of all organisations that are professional and systematic in their approach. It will cost you money, but throwing money at it won't necessarily produce a solution. It's time to get organised, it's time to be smart, it's time to plan carefully and execute with precision and regular review.

A foundation for compliance…

  • Understand the specific nature of your own organisation
  • Define the classes of data you use and create clear principles for using each class. Focus hard on email and include use/misuse policy
  • Determine precisely what records you need to create and archive to establish compliance, and develop and articulate a clear life cycle for each
  • Write, communicate, publish and train on the processes and procedures that will deliver the results you need
  • Establish an early relationship with a trusted advisor - a consultant or suitably qualified employee
  • Plan for adoption of a "compliance culture" - this is not a project
  • Establish a clear and reasoned policy for the storage of and access to your archive
  • Make sure you have a clear policy for data destruction
  • Serialise recorded media so that it is traceable
  • Index records for access
  • Understand the current rate of record generation and plan for growth and contingency. NB. Contingency planning does not mean overbuying capacity
  • Don't allow compliance to become an IT task. It must be driven from the point of corporate governance and best practice. Ideally create a cross-functional team that includes representation from each operational area.
  • Audit and apply sensible tests to process and procedure to ensure on-going compliance
  • Do ensure that your organisation is kept fully briefed on new regulations and legislation and don't forget to watch out for groundbreaking test cases in the courts - don't be one!
  • Manage by exception and once you have a stable program, consider the use of software-based tools to automate

©2006 Business and Technical Communications Ltd. All rights reserved.