Storage Magazine - UK

DOES ANYONE REALLY CARE?

From STORAGE Magazine Vol 9, issue 5 - September 2009

THOSE WHO TREAT COMPLIANCE AS IF IT WERE THE ELEPHANT IN THE ROOM ARE TAKING QUITE A RISK - FOR THEY IGNORE IT AT THEIR PERIL, SAYS EDITOR BRIAN WALL

We live in a business world today seemingly hamstrung by compliance requirements. It is eye-opening, though, to see how differently the 'C' word can be defined, says Andrew Moloney, EMEA marketing director for RSA, The Security Division of EMC. "In my experience, most will immediately gravitate towards the notion of meeting the stated or implied security requirements within government legislation, such as Sarbanes-Oxley or implementations of the Data Privacy Directive.

"What we often don't tend to see, at least initially, is a broader view of compliance - one that recognises that IT security requirements may come from any number of entities, including customers and business partners. But while governments and industry groups, such as the credit card brands, are clearly important, they are hardly the end of the line when it comes to information security and compliance.

There are certainly businesses that do think about compliance more horizontally. "But I don't think we've yet seen the tipping point where 'compliance' immediately = government + industry + partner + customer + internal policy + whatever else we're forced to manage from an IT security standards perspective. As these requirements become more common, though, I do expect we'll see a more horizontal focus on compliance and, in doing so, I hope we'll see a change in emphasis in compliance initiatives, away from doing what is required to get 'over the bar' and instead start to consider compliance more holistically, as a method by which the business can be made more transparent, efficient and (ultimately) secure."

The key is to start thinking about compliance requirements within a broader framework, he advises. "A framework approach enables you to map current requirements and available controls into a single methodology. Going through this process once means that, as new compliance requirements emerge, as they no doubt will, you will be able to quickly map these against controls already in place."

INFORMATION VALUE

Process automation technologies have existed for some time, of course, and technological advances mean that information management no longer has to be a manual process, which is prone to human error. "Additionally, data retention policies are not just about when to delete data; they are about intelligently classifying information, based on its value," states Sharon White, Symantec's EMEA product marketing manager. "Not all information is created equal and its lifecycle should reflect this.

"The sheer volume of information that passes through an organisation has meant that storage consumption remains a major budget drain on IT resources. Automating data retention policies, as well as introducing data classification and deduplication provides the ability to store what you need, for as long as you need. This not only reduces the cost of storage, but allows for smarter and cheaper retrieval when required. Storing everything means that the cost of information retrieval can be astronomical, as expensive lawyers employed for eDiscovery purposes are paid to collect and process data.

COST IMPLICATIONS

"The cost of outsourcing can range from anything between $1,500 and $4,000 per gigabyte to collect, process, cull and review. While costs for external collection may be decreasing, processing by outside counsel can still be very expensive. The ability to reduce the amount of information to be processed through effective data retention policies, alongside collecting, culling and placing information on legal hold in-house, not only brings huge cost savings to the business, but also demonstrates the organisation's willingness to be responsible and accountable, which is often looked on favourably in the courtroom," she adds.

According to the independent research report 'Corporate Hide & Seek', carried out by CommVault, almost three quarters of UK organisations have already suffered when IT systems failed to find and deliver, on time, documents, files and emails needed during company legal disputes, often resulting in financial penalties. But, if this is such a common occurrence, why has so little been done to address the problem?

"I believe that there are four key reasons why," says Joanna Woodley, EMEA product specialist, CommVault. "First, despite the regularity of problems of data retrieval, companies overall believe they have adequate technology to ensure 'on demand' production of critical data for legal disclosure. Secondly, companies are very often unaware of the full and true costs of legal actions and so don't prioritise systems accordingly. Thirdly, the threat of personal liability has not yet been truly understood. And, finally, the capabilities of many data management tools are yet to be fully appreciated by the IT department and so haven't yet been extensively adopted."

The real costs of failing to be compliant go far beyond those handed down by courts. Businesses should also consider the potential damage that could be done to the company reputation, she adds, and the impact of lost customers as a result, as well as the damage to staff morale, leading to missed opportunities, and the hidden cost of management time dealing with all this.

TAKING CONTROL

There are many examples of companies that have fallen foul of penalties, of course, with severe financial impact, both here and in the US. Accordingly, most organisations have a policy, whether formally documented and signed off at an executive level or informally orchestrated within the IT department, that addresses compliance from an email management perspective. "What we at C2C suggest is that companies take full control, creating a failsafe email records management system that fulfils compliance requirements and, at the same time, facilitates effective email management," says Dave Hunt, CEO, C2C.

"Frequently, confusion arises over compliance management, as the requirements for compliance can differ and be enforced differently, depending on which regulated industry and country you are in. Compliance laws vary; some may require emails to/from certain people, executives or departments to be copied and stored for safe-keeping for specific periods of time, while others can state that, if a document/email exists, it must be found.

"Compliance is about meeting laws such as the Data Protection Act, Freedom of Information Act and Financial Services Act and, for a global company with offices in the UK, can be influenced by US-originated compliance laws such as Sarbanes-Oxley, HIPAA and SEC. Largely, all these acts dictate what must be kept and for how long."

Photo caption: Andrew Moloney, RSA, The Security Division of EMC: compliance has to be considered within a broader framework.

BURDEN OF PROOF

If a company does come under investigation, its obligation is to demonstrate that it has a records management system that can interrogate the contents of both the live email stores and the archive; search amongst deleted items; support delegated supervisor searches; and help to meet the latest e-disclosure legislation and associated legislative rules.

"Once proven that certain data exists, you are almost certainly required to ensure it is retained until the case is closed," adds Hunt. "But beware vendors who argue that, to control email records, one needs to archive them and index them. Writing into an archive adds a level of complexity to the problem and may well cause your legal counsel more headaches when investigating an action or defending a suit. Putting data into an archive is equivalent to fingerprinting it. Once it has been indexed, the fingerprint exists and expunging it is nontrivial. Better to remove it before archive, if your legal counsel agrees."

WHAT IT TAKES

Ultimately, a well-designed active archival solution that provides for data permanence, E-discovery and automated management should be deployed, says Eric Herzog, vice president of sales and marketing, Tarmin. The key compliance-related features he singles out to look for are:

  • Data permanence: the solution must support Write Once Read Many (WORM) technology to ensure the data will be there when needed
  • Data reliability and data validation: since data can 'spoil' over time, the solution should have both reliability and validation mechanisms that guarantee data is always good and usable
  • Data retention: depending on the compliance laws and regulations, data must be retained in usable condition for varying periods of time. A data retention manager assures data is retained for the proper mandated time
  • E-discovery: a comprehensive E-discovery capability is critical to finding the right data quickly, accurately and cost-effectively to respond to a compliance or legal request
  • Data disposition and shredding: data must be kept for the period required, but at the end of its legal and useful life data can legally be destroyed
  • Audit management: as part of the compliance process, organisations may be asked to produce an audit trail of the data. Having a strong audit manager is essential
  • Data replication: since storage systems are subject to failure and natural disaster, data must be replicated to a secondary site
  • Automated and flexible policy management: an automated and flexible policy manager is critical to meet the legal requirements of different data sets, ensuring consistent treatment of data and reducing IT compliance costs.

With the multitude of legal requirements at various governmental levels, across different geographies, with different data sets, plus the internal compliance rules that can vary widely, it is essential to have a strong, active archival solution that assists in meeting these often exacting specifications. The right solution will have to be able to meet the needs of a number of departmental constituencies and business owners right across an organisation and, indeed, outside that organisation, too.
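The feature list above says what a retention manager, a validator, a disposition step and an audit trail must do, but not how the rules interact. The following added example, written for this page rather than taken from Tarmin's or any other vendor's product, shows the core logic in Python: each record's retention expiry follows its classification, a legal hold blocks disposition regardless of expiry (the point Hunt makes about retaining data until a case is closed), integrity is validated against a digest taken at ingest, and every decision is recorded in an audit trail. The classification names, retention periods, record ids and content are constructed sample values, not figures from any regulation.

```python
"""Added example: a minimal retention / legal-hold / integrity manager.

Illustrative code written for this article, not any vendor's product.
Classification labels, retention periods, record ids and contents are
constructed sample values.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention period per classification, in days (constructed figures; a real
# policy manager would load these per regulation and jurisdiction).
RETENTION_DAYS = {"financial": 7 * 365, "hr": 6 * 365, "general": 2 * 365}


@dataclass
class Record:
    record_id: str
    classification: str
    created: date
    content: bytes
    sha256: str = ""                                   # fingerprint taken at ingest
    legal_holds: set[str] = field(default_factory=set)  # open matters naming this record


class ArchiveManager:
    """Enforces retention, legal hold and validation, and keeps an audit trail."""

    def __init__(self, today: date) -> None:
        self.today = today
        self.records: dict[str, Record] = {}
        self.audit: list[tuple[date, str, str]] = []   # (when, record id, event)

    def _log(self, record_id: str, event: str) -> None:
        self.audit.append((self.today, record_id, event))

    def ingest(self, rec: Record) -> None:
        # The digest stored here is what the validator later checks against;
        # on a WORM store this reference cannot be rewritten after ingest.
        rec.sha256 = hashlib.sha256(rec.content).hexdigest()
        self.records[rec.record_id] = rec
        self._log(rec.record_id, f"ingested as {rec.classification}, sha256={rec.sha256[:12]}")

    def validate(self, record_id: str) -> bool:
        # Data validation: detect bit rot or tampering since ingest.
        rec = self.records[record_id]
        ok = hashlib.sha256(rec.content).hexdigest() == rec.sha256
        self._log(record_id, "validation " + ("passed" if ok else "FAILED"))
        return ok

    def retention_expiry(self, record_id: str) -> date:
        rec = self.records[record_id]
        return rec.created + timedelta(days=RETENTION_DAYS[rec.classification])

    def place_hold(self, record_id: str, matter: str) -> None:
        self.records[record_id].legal_holds.add(matter)
        self._log(record_id, f"legal hold placed for {matter}")

    def release_hold(self, record_id: str, matter: str) -> None:
        self.records[record_id].legal_holds.discard(matter)
        self._log(record_id, f"legal hold released for {matter}")

    def dispose(self, record_id: str) -> bool:
        """Destroy a record only when retention has expired AND no hold applies."""
        rec = self.records[record_id]
        if rec.legal_holds:
            self._log(record_id, f"disposition refused: on hold for {sorted(rec.legal_holds)}")
            return False
        expiry = self.retention_expiry(record_id)
        if self.today < expiry:
            self._log(record_id, f"disposition refused: retained until {expiry}")
            return False
        del self.records[record_id]
        self._log(record_id, "disposed (shredded)")
        return True


def run_scenario(today: date = date(2009, 9, 1)) -> dict[str, object]:
    """Walk hold, release, retention and validation over two constructed records."""
    mgr = ArchiveManager(today)
    mgr.ingest(Record("fin-001", "financial", date(2001, 1, 15), b"FY2000 ledger extract"))
    mgr.ingest(Record("gen-001", "general", date(2008, 6, 1), b"canteen menu"))

    results: dict[str, object] = {}
    mgr.place_hold("fin-001", "case-42")
    results["disposed_while_on_hold"] = mgr.dispose("fin-001")   # False: hold wins over expiry
    mgr.release_hold("fin-001", "case-42")
    results["disposed_after_release"] = mgr.dispose("fin-001")   # True: expired, no hold
    results["disposed_before_expiry"] = mgr.dispose("gen-001")   # False: still within retention
    results["valid_before_tamper"] = mgr.validate("gen-001")     # True
    mgr.records["gen-001"].content = b"canteen menu (edited)"     # simulate spoilage/tampering
    results["valid_after_tamper"] = mgr.validate("gen-001")      # False
    results["audit_events"] = len(mgr.audit)                      # 9
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The order of checks in `dispose` is the design point: a hold is tested before the retention date, so a record that is legally overdue for shredding still survives while a matter is open, and the refusal itself lands in the audit trail so the organisation can later show why the data was kept.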

©2006 Business and Technical Communications Ltd. All rights reserved.